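Lab 25: Link-Based OSPF MD5 Authentication
1. Lab Objectives
After completing this lab you will understand:
(1) The types and purpose of OSPF authentication
(2) How to configure and debug link-based OSPF MD5 authentication
2. Lab Topology
The topology for this lab is shown in the figure.
3. Lab Steps
Notes:
1. OSPF link authentication takes precedence over area authentication;
2. OSPF defines 3 authentication types: 0 means no authentication and is the default type; 1 means simple password authentication; 2 means MD5 authentication.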
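The following Python example is added here and is not from the original post. It shows how a receiver validates an OSPFv2 packet under authentication type 2 as specified in RFC 2328 Appendix D, using the key ID 1 and key cisco from this lab; the function names and the Hello packet are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

HDR = "!BBH4s4sHHHBBI"   # OSPFv2 header with the AuType 2 authentication field
AUTH_TYPES = {0: "null", 1: "simple password", 2: "MD5"}

def pad_key(key: bytes) -> bytes:
    """The shared secret is used as a 16-byte value, zero padded."""
    return key[:16].ljust(16, b"\x00")

def build_hello(router_id: str, key_id: int, key: bytes, seq: int) -> bytes:
    """Constructed Hello for area 0 (Hello 10, Dead 40) with an MD5 trailer."""
    ip = socket.inet_aton
    body = struct.pack("!4sHBBI4s4s", ip("255.255.255.0"), 10, 0x02, 1, 40,
                       ip("0.0.0.0"), ip("0.0.0.0"))
    length = 24 + len(body)            # the digest is not counted in the length
    hdr = struct.pack(HDR, 2, 1, length, ip(router_id), ip("0.0.0.0"),
                      0, 2, 0, key_id, 16, seq)   # checksum 0, AuType 2
    pkt = hdr + body
    return pkt + hashlib.md5(pkt + pad_key(key)).digest()

def check_packet(data: bytes, keys: dict, last_seq: int = 0) -> str:
    """Receiver-side checks for a packet arriving on an MD5-enabled interface."""
    if len(data) < 24:
        return "reject: truncated header"
    (_ver, _type, length, _rid, _area, _cksum, autype,
     _zero, key_id, auth_len, seq) = struct.unpack(HDR, data[:24])
    if autype != 2:
        return f"reject: AuType {autype} ({AUTH_TYPES.get(autype, 'unknown')})"
    if key_id not in keys:
        return f"reject: unknown key ID {key_id}"
    if auth_len != 16 or length < 24 or len(data) < length + 16:
        return "reject: bad digest length"
    if seq < last_seq:                 # replayed or out-of-order packet
        return "reject: stale sequence number"
    expected = hashlib.md5(data[:length] + pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, data[length:length + 16]):
        return "reject: digest mismatch"
    return "accept"

if __name__ == "__main__":
    hello = build_hello("1.1.1.1", key_id=1, key=b"cisco", seq=100)
    print(check_packet(hello, {1: b"cisco"}))   # same key ID and key on both ends
    print(check_packet(hello, {1: b"Cisco"}))   # key differs between neighbors
    print(check_packet(hello, {2: b"cisco"}))   # key ID differs between neighbors
```

Both the key ID and the key must match on the two ends of the link, which is why r0 and r1 are given the same message-digest-key line.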
The configuration is as follows:
r0(config-if)#int lo 1
*Mar 1 00:02:25.135: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
r0(config-if)#ip add 1.1.1.1 255.255.255.0
r0(config-if)#do sh ip int b
Interface                  IP-Address      OK? Method Status                Protocol
Serial0/0                  172.16.1.1      YES manual administratively down down
Serial0/1                  unassigned      YES unset  administratively down down
Serial0/2                  unassigned      YES unset  administratively down down
Serial0/3                  unassigned      YES unset  administratively down down
Loopback1                  1.1.1.1         YES manual up                    up
r0(config)#int s0/0
r0(config-if)#ip add 172.16.1.1 255.255.255.0
r0(config-if)#no sh
r0(config-if)#
*Mar 1 00:04:56.159: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
*Mar 1 00:04:57.159: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
r0(config-if)#exit
r0(config)#router ospf 1
r0(config-router)#net 1.1.1.0 0.0.0.255 area 0
r0(config-router)#net 172.16.1.0 0.0.0.255 area 0
r0(config)#int s0/0
r0(config-if)#ip ospf aut
r0(config-if)#ip ospf authentication message-d
r0(config-if)#ip ospf authentication message-digest
r0(config-if)#ip ospf mes
r0(config-if)#ip ospf message-digest-key 1 md5 cisco
r0(config-if)#
*Mar 1 00:23:53.851: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Serial0/0 from FULL to DOWN, Neighbor Down: Dead timer expired
r0(config-if)#
*Mar 1 00:24:47.851: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Serial0/0 from LOADING to FULL, Loading Done
r0(config-if)#do sh ip ospf int
Serial0/0 is up, line protocol is up
Internet Address 172.16.1.1/24, Area 0
Process ID 1, Router ID 1.1.1.1, Network Type POINT_TO_POINT, Cost: 64
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:01
Supports Link-local Signaling (LLS)
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 2.2.2.2
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1
The last two lines of the output show that MD5 authentication is enabled on this interface and that the key ID is 1.
Loopback1 is up, line protocol is up
Internet Address 1.1.1.1/24, Area 0
Process ID 1, Router ID 1.1.1.1, Network Type LOOPBACK, Cost: 1
Loopback interface is treated as a stub Host
r0(config-if)#do sh ip ospf
Routing Process "ospf 1" with ID 1.1.1.1
Start time: 00:05:18.352, Time elapsed: 00:19:53.612
Supports only single TOS(TOS0) routes
Supports opaque LSA
Supports Link-local Signaling (LLS)
Supports area transit capability
Router is not originating router-LSAs with maximum metric
Initial SPF schedule delay 5000 msecs
Minimum hold time between two consecutive SPFs 10000 msecs
Maximum wait time between two consecutive SPFs 10000 msecs
Incremental-SPF disabled
Minimum LSA interval 5 secs
Minimum LSA arrival 1000 msecs
LSA group pacing timer 240 secs
Interface flood pacing timer 33 msecs
Retransmission pacing timer 66 msecs
Number of external LSA 0. Checksum Sum 0x000000
Number of opaque AS LSA 0. Checksum Sum 0x000000
Number of DCbitless external and opaque AS LSA 0
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Number of areas transit capable is 0
External flood list length 0
Area BACKBONE(0)
Number of interfaces in this area is 2 (1 loopback)
Area has no authentication
SPF algorithm last executed 00:00:22.428 ago
SPF algorithm executed 7 times
Area ranges are
Number of LSA 2. Checksum Sum 0x00E40C
Number of opaque link LSA 0. Checksum Sum 0x000000
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0
r0(config-if)#
r1(config)#int loo 1
r1(config-if)#ip add 2.2.2.2 255.255.255.0
r1(config-if)#int s0/0
r1(config-if)#ip add 172.16.1.2 255.255.255.0
r1(config-if)#no sh
r1(config-if)#exit
r1(config)#do sh ip int b
Interface                  IP-Address      OK? Method Status                Protocol
Serial0/0                  172.16.1.2      YES manual up                    up
Serial0/1                  unassigned      YES unset  administratively down down
Serial0/2                  unassigned      YES unset  administratively down down
Serial0/3                  unassigned      YES unset  administratively down down
Loopback1                  2.2.2.2         YES manual up                    up
r1(config)#router ospf 1
r1(config-router)#net 2.2.2.0 0.0.0.255 area 0
r1(config-router)#net 172.16.1.0 0.0.0.255 area 0
r1(config)#int s0/0
r1(config-if)#ip ospf authentication message-digest
// Enable MD5 authentication on interface s0/0
r1(config-if)#ip ospf message-digest-key 1 md5 cisco
// Configure the key ID and the key
r1(config-if)#exit
r1(config)#d
*Mar 1 00:24:47.351: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on Serial0/0 from LOADING to FULL, Loading Done
r1(config)#do ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/34/68 ms
r1(config)#do
This article is from the "柯浩坚" blog; please contact the author before reposting.