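I suddenly realized how silly I had been: it turns out there is a separate command dedicated to area authentication for the virtual-link. If you only want to know how to configure virtual-link authentication, you can go straight to the link below (I did not get the author's permission, so please don't mind). What follows is purely my own troubleshooting process, haha.
Reference article: http://hi.baidu.com/allens21/blog/item/0243521b0d0b3af9af5133aa.html, which has the detailed authentication configuration.
The topology is: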
R1(S1/1)--(S1/0)R2(S1/1)--(S1/0)R3(S1/1)--(S1/0)R4
R1#show run
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Serial1/1
description DCE,OSPF area 0,connected to R2's S1/0,ip 10.0.0.2/30
ip address 10.0.0.1 255.255.255.252
ip ospf message-digest-key 1 md5 a0_key
serial restart-delay 0
clock rate 9600
!
router ospf 100
router-id 1.1.1.1
log-adjacency-changes
area 0 authentication message-digest
network 10.0.0.0 0.0.0.3 area 0
network 192.168.1.0 0.0.0.255 area 0
!
//////
R2#show run
interface Serial1/0
description DTE,OSPF area 0,connected to R1's S1/1,ip 10.0.0.1/30
ip address 10.0.0.2 255.255.255.252
ip ospf message-digest-key 1 md5 a0_key
serial restart-delay 0
!
interface Serial1/1
description DCE,OSPF area 1,connected to R3's S1/0,ip 10.0.0.6/30
ip address 10.0.0.5 255.255.255.252
ip ospf message-digest-key 2 md5 a1_key
serial restart-delay 0
clock rate 9600
!
router ospf 100
router-id 2.2.2.2
log-adjacency-changes
area 0 authentication message-digest
area 1 authentication message-digest
area 1 virtual-link 3.3.3.3
network 10.0.0.0 0.0.0.3 area 0
network 10.0.0.4 0.0.0.3 area 1
!
/////
R3#show run
interface Serial1/0
description DTE,OSPF area 1,connected to R2's S1/1,ip 10.0.0.5/30
ip address 10.0.0.6 255.255.255.252
ip ospf message-digest-key 2 md5 a1_key
serial restart-delay 0
!
interface Serial1/1
description DCE,OSPF area 2,connected to R4's S1/0,ip 10.0.0.10/30
ip address 10.0.0.9 255.255.255.252
ip ospf message-digest-key 3 md5 a2_key
serial restart-delay 0
clock rate 9600
!
router ospf 100
router-id 3.3.3.3
log-adjacency-changes
area 1 authentication message-digest
area 1 virtual-link 2.2.2.2
area 2 authentication message-digest
network 10.0.0.4 0.0.0.3 area 1
network 10.0.0.8 0.0.0.3 area 2
!
/////
R4#show run
interface Loopback0
ip address 172.16.1.1 255.255.255.0
!
interface Serial1/0
description DTE,OSPF area 2,connected to R3's S1/1,ip 10.0.0.9/30
ip address 10.0.0.10 255.255.255.252
ip ospf message-digest-key 3 md5 a2_key
serial restart-delay 0
!
router ospf 100
router-id 4.4.4.4
log-adjacency-changes
area 2 authentication message-digest
network 10.0.0.8 0.0.0.3 area 2
network 172.16.1.0 0.0.0.255 area 2
!
/////
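The key ID of each area was changed to a different value: key-id 1 for area 0, key-id 2 for area 1 and key-id 3 for area 2. After configuring this I ran debug and got the results below.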
R2#debug ip ospf events
OSPF: Send with youngest Key 1
OSPF: Send hello to 224.0.0.5 area 0 on Serial1/0 from 10.0.0.2
OSPF: Send with youngest Key 2
OSPF: Send hello to 224.0.0.5 area 1 on Serial1/1 from 10.0.0.5
OSPF: Rcv hello from 3.3.3.3 area 1 from Serial1/1 10.0.0.6
OSPF: End of hello processing
OSPF: Send with youngest Key 0
OSPF: Send hello to 10.0.0.6 area 0 on OSPF_VL0 from 10.0.0.5
OSPF: Rcv hello from 1.1.1.1 area 0 from Serial1/0 10.0.0.1
OSPF: End of hello processing
OSPF: Rcv pkt from 10.0.0.6, OSPF_VL0 : Mismatch Authentication type. Input packet specified type 0, we use type 2
R3#debug ip ospf events
OSPF: Send hello to 10.0.0.5 area 0 on OSPF_VL0 from 10.0.0.6
OSPF: Rcv hello from 4.4.4.4 area 2 from Serial1/1 10.0.0.10
OSPF: End of hello processing
OSPF: Rcv hello from 2.2.2.2 area 1 from Serial1/0 10.0.0.5
OSPF: End of hello processing
OSPF: Send with youngest Key 2
OSPF: Send hello to 224.0.0.5 area 1 on Serial1/0 from 10.0.0.6
OSPF: Send with youngest Key 3
OSPF: Send hello to 224.0.0.5 area 2 on Serial1/1 from 10.0.0.9
OSPF: Rcv pkt from 10.0.0.5, OSPF_VL0 : Mismatch Authentication type. Input packet specified type 2, we use type 0
///////////////////////////////////////////////////////////////////////////////////////////
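OSPF should have two authentication type modes: type 1 is plain text and type 2 is message-digest; type 0 should mean no authentication (i.e. NULL).
Looking at the messages highlighted in green, we can see that R2 processes OSPF_VL0 packets with type 2 authentication (MD5), while R3 processes OSPF_VL0 packets with type 0 authentication (NULL). It is easy to guess that OSPF_VL0 here is our virtual-link.
The problem is then fairly simple: R3 keeps assuming that area 0 does not use authentication, while R2 considers area 0 to use MD5 authentication. So a command should be added on R3 to tell it: "area 0 uses MD5 authentication."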
R3(config-router)#area 0 authentication message-digest
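Actually, I only learned from other experts' blogs that the authentication type of area 0 has to be specified on the non-backbone ABR. It just happened that I saw the ospf events debug and, together with what I remembered from earlier study, worked out the analysis above. It is a bit of hindsight, haha.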
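The mismatch found in the debug output can also be caught from the configurations before the link is brought up. This is an added example, not part of the original post: a virtual-link belongs to area 0, so it checks that both endpoints agree on the area 0 authentication type. The sample input is constructed from the R2 and R3 `router ospf` sections above, the function names are hypothetical, and area IDs are assumed to be written in decimal form as in this post.

```python
import re
# Constructed sample input: the router ospf sections of R2 and R3 from this post.
CONFIGS = {
    "R2": """router ospf 100
 router-id 2.2.2.2
 area 0 authentication message-digest
 area 1 authentication message-digest
 area 1 virtual-link 3.3.3.3
""",
    "R3": """router ospf 100
 router-id 3.3.3.3
 area 1 authentication message-digest
 area 1 virtual-link 2.2.2.2
 area 2 authentication message-digest
""",
}
AUTH_NAMES = {0: "null", 1: "plain text", 2: "message-digest"}

def parse_ospf(config):
    """Return (router_id, {area: auth_type}, [virtual-link peer router-ids])."""
    rid, auth, peers = None, {}, []
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"router-id (\S+)", line):
            rid = m.group(1)
        elif m := re.fullmatch(r"area (\S+) authentication( message-digest)?", line):
            auth[m.group(1)] = 2 if m.group(2) else 1  # bare form is type 1
        elif m := re.match(r"area \S+ virtual-link (\S+)", line):
            peers.append(m.group(1))
    return rid, auth, peers

def audit_virtual_links(configs):
    """Flag virtual-link endpoint pairs whose area 0 authentication types differ."""
    parsed = {name: parse_ospf(text) for name, text in configs.items()}
    by_rid = {rid: name for name, (rid, _, _) in parsed.items()}
    findings, seen = [], set()
    for name, (_, auth, peers) in sorted(parsed.items()):
        for peer in (by_rid.get(p) for p in peers):
            pair = frozenset((name, peer))
            if peer is None or pair in seen:  # peer config not supplied, or pair done
                continue
            seen.add(pair)
            mine, theirs = auth.get("0", 0), parsed[peer][1].get("0", 0)
            if mine != theirs:  # no "area 0 authentication" line means type 0
                findings.append((name, mine, peer, theirs))
    return findings

if __name__ == "__main__":
    for a, ta, b, tb in audit_virtual_links(CONFIGS):
        print(f"{a}: area 0 type {ta} ({AUTH_NAMES[ta]}); {b}: type {tb} ({AUTH_NAMES[tb]})")
```

On the configurations as posted it reports R2 at type 2 and R3 at type 0, the same pair of types named in the "Mismatch Authentication type" debug lines.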