I. What authentication is for
1. It improves network security (MD5 is recommended).
2. When OSPF is being reconfigured, different passwords can be set on the routers that carry the new password and those that still carry the old one, so that the two groups cannot form adjacencies with each other on a shared broadcast network.
II. Authentication types
OSPF has three authentication types: 0 Null (no authentication), 1 (plain-text/simple password authentication), 2 (MD5 cryptographic checksum).
III. Lab topology; addresses and other details are as shown in the topology diagram:
1. Plain-text authentication:
R1:
Router>
Router>en
Router#conf t
Router(config)#hostname R1
R1(config)#interface f0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#exit
R1(config)#router ospf 1 // start the OSPF routing process
R1(config-router)#router-id 1.1.1.1
R1(config-router)#network 192.168.1.1 0.0.0.0 area 0
R1(config-router)#exit
R1(config)#interface f0/0
R1(config-if)#ip ospf authentication // enable authentication on the interface; without this command the password has no effect
R1(config-if)#ip ospf authentication-key cisco // set the password (must be the same on both sides)
R1(config-if)#exit
R1(config)#router ospf 1
R1(config-router)#area 0 authentication // area 0 uses plain-text authentication
R1(config-router)#end
R1#
R2:
Router>
Router>en
Router#conf t
Router(config)#hostname R2
R2(config)#interface f0/0
R2(config-if)#ip address 192.168.1.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#exit
R2(config)#router ospf 1
R2(config-router)#router-id 2.2.2.2
R2(config-router)#network 192.168.1.2 0.0.0.0 area 0
R2(config-router)#exit
R2(config)#interface f0/0
R2(config-if)#ip ospf authentication // enable authentication on the interface; without this command the password has no effect
R2(config-if)#ip ospf authentication-key cisco // set the password
R2(config-if)#exit
R2(config)#router ospf 1
R2(config-router)#area 0 authentication // area 0 uses plain-text authentication
R2(config-router)#end
R2#
Check the interface on R1:
R1#show ip ospf interface f0/0
FastEthernet0/0 is up, line protocol is up
Internet address is 192.168.1.1/24, Area 0
Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 1.1.1.1, Interface address 192.168.1.1
Backup Designated Router (ID) 2.2.2.2, Interface address 192.168.1.2
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:07
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 2.2.2.2 (Backup Designated Router)
Suppress hello for 0 neighbor(s)
Simple password authentication enabled
// plain-text password authentication is enabled
R1#
Check the neighbor table on R1:
R1#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 1 FULL/BDR 00:00:31 192.168.1.2 FastEthernet0/0
R1#
2. MD5 authentication
The MD5 algorithm is used by authentication type 2: a hash is computed over the contents of the OSPF packet together with a password and is sent along with a key ID. The key ID lets a router have several passwords configured at once. A password is at most 16 bytes long, the key ID is in the range 1-255, and a pair of neighboring routers must use the same key ID and the same password.
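The paragraph above, and the plain-text section before it, describe what each AuType puts on the wire. The following is an added example, not code from the original article and not Cisco's implementation: it builds a minimal OSPFv2 Hello packet the way RFC 2328 Appendix D lays it out, shows that a type 1 password is readable in the header, and implements the receiver-side checks for type 2 (key ID lookup, MD5 over packet plus zero-padded 16-byte key, and the cryptographic sequence number that rejects replayed packets). The packet body, keys and sequence numbers are constructed for illustration; the addresses reuse those from the lab.

```python
# Added example (not from the original article): how OSPFv2 carries the three
# authentication types on the wire, following RFC 2328 Appendix D.
# Packet bodies, keys and sequence numbers are constructed for illustration.
import hashlib
import hmac
import socket
import struct

AUTH_NULL, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2  # AuType values in the OSPF header
HDR_LEN = 24                                 # fixed OSPFv2 header size
DIGEST_LEN = 16                              # MD5 digest appended after the packet
KEY_LEN = 16                                 # key is zero-padded to 16 bytes


def ospf_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum used with AuType 0 and 1."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_packet(router_id, area_id, autype, auth, body):
    """OSPFv2 header (type 1 = Hello) plus body; checksum filled in for non-MD5."""
    hdr = struct.pack("!BBH4s4sHH8s", 2, 1, HDR_LEN + len(body),
                      socket.inet_aton(router_id), socket.inet_aton(area_id),
                      0, autype, auth.ljust(8, b"\x00"))
    pkt = hdr + body
    if autype != AUTH_MD5:
        # The checksum covers the whole packet except the 8-byte auth field.
        csum = ospf_checksum(pkt[:16] + pkt[HDR_LEN:])
        pkt = pkt[:12] + struct.pack("!H", csum) + pkt[14:]
    return pkt


def simple_password_on_wire(pkt):
    """AuType 1: the password travels in clear text in header bytes 16..23."""
    return pkt[16:24].rstrip(b"\x00")


def md5_sign(router_id, area_id, body, key_id, seq, key):
    """AuType 2: auth field = (0, key id, digest length, crypto sequence number);
    MD5 over packet || zero-padded key is appended after the OSPF packet."""
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    pkt = build_packet(router_id, area_id, AUTH_MD5, auth, body)
    return pkt + hashlib.md5(pkt + key.ljust(KEY_LEN, b"\x00")).digest()


def md5_verify(wire, keys, last_seq):
    """Receiver-side checks from RFC 2328 D.4.3; returns "ok" or the drop reason.
    keys: {key_id: key bytes} on the interface; last_seq: {router_id: last seq}."""
    length = struct.unpack("!H", wire[2:4])[0]
    pkt, digest = wire[:length], wire[length:length + DIGEST_LEN]
    autype = struct.unpack("!H", pkt[14:16])[0]
    if autype != AUTH_MD5:
        return "autype-mismatch"         # both ends must run the same AuType
    _, key_id, auth_len, seq = struct.unpack("!HBBI", pkt[16:24])
    if auth_len != DIGEST_LEN or len(digest) != DIGEST_LEN:
        return "bad-length"
    key = keys.get(key_id)
    if key is None:
        return "unknown-key-id"          # key id must match on both routers
    expected = hashlib.md5(pkt + key.ljust(KEY_LEN, b"\x00")).digest()
    if not hmac.compare_digest(expected, digest):
        return "bad-digest"              # password differs or packet was altered
    rid = pkt[4:8]
    if seq < last_seq.get(rid, 0):
        return "replay"                  # sequence number must not go backwards
    last_seq[rid] = seq
    return "ok"


def demo():
    """Scenarios matching the article: clear-text key, MD5 ok, MD5 mismatches."""
    # Constructed Hello body: mask, hello 10, options, prio 1, dead 40, DR, BDR
    body = struct.pack("!4sHBBI4s4s", socket.inet_aton("255.255.255.0"), 10, 0x02, 1,
                       40, socket.inet_aton("192.168.1.1"), socket.inet_aton("192.168.1.2"))
    clear = build_packet("1.1.1.1", "0.0.0.0", AUTH_SIMPLE, b"cisco", body)
    signed = md5_sign("1.1.1.1", "0.0.0.0", body, key_id=1, seq=100, key=b"cisco")
    older = md5_sign("1.1.1.1", "0.0.0.0", body, key_id=1, seq=99, key=b"cisco")
    r2_keys, seen = {1: b"cisco"}, {}
    return {
        "clear_text_password": simple_password_on_wire(clear),
        "md5_ok": md5_verify(signed, r2_keys, seen),
        "md5_replay": md5_verify(older, r2_keys, seen),
        "md5_wrong_password": md5_verify(signed, {1: b"other"}, {}),
        "md5_wrong_key_id": md5_verify(signed, {2: b"cisco"}, {}),
        "md5_tampered": md5_verify(signed[:30] + b"\xff" + signed[31:], r2_keys, {}),
        "md5_vs_clear_text": md5_verify(clear, r2_keys, {}),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Running the block shows why the article insists on matching key IDs and passwords on both routers and on one type per area: a packet signed under key ID 1 is dropped by a neighbor that only knows key ID 2, a different password or any change to the packet fails the digest check, a packet with an older sequence number is dropped as a replay, and a plain-text packet arriving at an MD5 interface is rejected before any key is consulted. The type 1 password, by contrast, is recovered verbatim from the header by anyone who can read the packet, which is the reason the article recommends MD5.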
R1:
R1(config)#interface f0/0
R1(config-if)#no ip ospf authentication // remove the plain-text authentication
R1(config-if)#ip ospf message-digest-key 1 md5 cisco // MD5 authentication with key ID 1 and password cisco (key ID and password must match on both sides)
R1(config-if)#exit
R1(config)#router ospf 1
R1(config-router)#area 0 authentication message-digest // area 0 uses MD5 authentication
R1(config-router)#end
R1#
R2:
R2(config)#interface f0/0
R2(config-if)#no ip ospf authentication // same as on R1
R2(config-if)#ip ospf message-digest-key 1 md5 cisco // same as on R1
R2(config-if)#exit
R2(config)#router ospf 1
R2(config-router)#area 0 authentication message-digest
R2(config-router)#end
R2#
Check the interface on R1:
R1#show ip ospf interface f0/0
FastEthernet0/0 is up, line protocol is up
Internet address is 192.168.1.1/24, Area 0
Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 1.1.1.1, Interface address 192.168.1.1
Backup Designated Router (ID) 1.1.1.1, Interface address 192.168.1.1
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:09
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 2.2.2.2
Suppress hello for 0 neighbor(s)
Message digest authentication enabled // MD5 authentication is enabled
Youngest key id is 1
R1#
Note: only one authentication type can be used within a single area, but the password may differ from link to link.