BSCI 3: Configuring EIGRP MD5 Authentication
1. Overview:
EIGRP authentication is enabled to prevent malicious routes from entering the EIGRP autonomous system and causing route ***.
EIGRP authentication works by "password comparison": when an interface receives an EIGRP packet, it checks the authentication type, authentication password and related fields; if they match the password string defined on the local interface, the packet is accepted, otherwise it is dropped.
2. Authentication methods:
EIGRP has two authentication methods: plaintext authentication and MD5 authentication. Plaintext is not recommended here: the password string is sent directly to the peer and compared there, so anyone capturing packets on the link can read it. With MD5, the value sent to the peer for comparison is computed from the key, so the password itself does not travel on the wire. This lab demonstrates MD5.
Lab: a few faults are demonstrated along the way so that the behaviour can be understood better.
Topology (diagram not reproduced here): R1 and R2 are connected on Ethernet0/0 (192.168.1.1 and 192.168.1.2, /24); R1 has Loopback0 in 1.1.1.0/24, R2 has Loopback0 in 2.2.2.0/24; both run EIGRP AS 1.
Step one: configure the interface addresses, enable EIGRP and advertise the networks, and form the neighbor relationship.
Note: because of the 80,000-character limit, the basic EIGRP configuration is not included.
R2, check the EIGRP neighbor table:
r2#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address         Interface   Hold Uptime   SRTT   RTO  Q  Seq Type
                                (sec)         (ms)       Cnt Num
0   192.168.1.1     Et0/0         10 00:02:28    3   200  0  2
r2#
Step two: enable MD5 authentication on both sides, but with different key IDs. Does the neighbor relationship form, and why? (Note: fault)
R1:
r1#
r1#conf t
r1(config)#key chain eigrp                                // define key chain "eigrp" (the name is arbitrary)
r1(config-keychain)#key 1                                 // key ID 1
r1(config-keychain-key)#key-string cisco                  // password cisco
r1(config-keychain-key)#exit
r1(config-keychain)#exit
r1(config)#interface e0/0
r1(config-if)#ip authentication key-chain eigrp 1 eigrp   // enable EIGRP authentication (AS 1, key chain eigrp)
r1(config-if)#ip authentication mode eigrp 1 md5          // authentication mode MD5
r1(config-if)#end
r1#
R2:
r2#
r2#conf t
r2(config)#key chain eigrp
r2(config-keychain)#key 2                                 // key ID 2
r2(config-keychain-key)#key-string cisco
r2(config-keychain-key)#exit
r2(config-keychain)#exit
r2(config)#interface e0/0
r2(config-if)#ip authentication key-chain eigrp 1 eigrp
r2(config-if)#ip authentication mode eigrp 1 md5
r2(config-if)#end
r2#
Check the neighbor table:
r2#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
r2#                                                       // no neighbor relationship was formed; why?
Check the debug output:
r2#debug eigrp packets
EIGRP Packets debugging is on
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
*Mar 1 22:31:40.962: EIGRP: Sending HELLO on Ethernet0/0
*Mar 1 22:31:40.962:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Mar 1 22:31:41.187: EIGRP: pkt authentication key id = 1, key not defined or not live
    // clearly visible here: the received key ID is 1, and that key is not defined or not live, because our key ID is 2
*Mar 1 22:31:41.187: EIGRP: Ethernet0/0: ignored packet from 192.168.1.1, opcode = 5 (invalid authentication)
Step three: both sides use the same key ID but different passwords. Does the neighbor relationship form, and why? (Note: fault)
R2:
r2#
r2#conf t
r2(config)#key chain eigrp
r2(config-keychain)#key 1
r2(config-keychain-key)#key-string cisco1                 // the password here is cisco1, which does not match r1
r2(config-keychain-key)#end
r2#
Check the neighbor table:
r2#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
r2#                                                       // still no neighbor relationship; why?
Check the debug output:
r2#debug eigrp packets
EIGRP Packets debugging is on
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
r2#
*Mar 1 22:46:14.094: EIGRP: pkt key id = 1, authentication mismatch
    // this time it does not report a wrong key ID but an authentication mismatch, which means the passwords differ
*Mar 1 22:46:14.094: EIGRP: Ethernet0/0: ignored packet from 192.168.1.1, opcode = 5 (invalid authentication)
Step four: both sides use the same key ID and the same password; the neighbor relationship forms normally.
R1:
r1(config)#
r1(config)#key chain eigrp
r1(config-keychain)#key 1
r1(config-keychain-key)#key-string cisco
r1(config)#interface e0/0
r1(config-if)#ip authentication key-chain eigrp 1 eigrp
r1(config-if)#ip authentication mode eigrp 1 md5
r1(config-keychain-key)#end
r1#
R2:
r2(config)#
r2(config)#key chain eigrp
r2(config-keychain)#key 1
r2(config-keychain-key)#key-string cisco
r2(config)#interface e0/0
r2(config-if)#ip authentication key-chain eigrp 1 eigrp
r2(config-if)#ip authentication mode eigrp 1 md5
*Mar 1 22:51:33.037: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.1 (Ethernet0/0) is up: new adjacency
    // formed normally, OK!!
r2(config-keychain-key)#end
r2#
Step five: verify on R1 and R2 respectively.
R1, check the neighbor table:
r1#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address         Interface   Hold Uptime   SRTT   RTO  Q  Seq Type
                                (sec)         (ms)       Cnt Num
0   192.168.1.2     Et0/0         13 00:03:00 1321  5000  0  9
r1#
Check the routing table:
r1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
     2.0.0.0/24 is subnetted, 1 subnets
D       2.2.2.0 [90/409600] via 192.168.1.2, 00:03:23, Ethernet0/0
C    192.168.1.0/24 is directly connected, Ethernet0/0
r1#
------------------------------------------------------------------------------------
R2:
Check the neighbor table:
r2#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address         Interface   Hold Uptime   SRTT   RTO  Q  Seq Type
                                (sec)         (ms)       Cnt Num
0   192.168.1.1     Et0/0         12 00:01:17   20   200  0  8
r2#
Check the routing table:
r2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/24 is subnetted, 1 subnets
D       1.1.1.0 [90/409600] via 192.168.1.1, 00:01:41, Ethernet0/0
     2.0.0.0/24 is subnetted, 1 subnets
C       2.2.2.0 is directly connected, Loopback0
C    192.168.1.0/24 is directly connected, Ethernet0/0
r2#
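The receive-side check behind the three debug outcomes of steps two to four (key ID unknown, digest mismatch, accepted), as an added Python model that is not part of the original post and not Cisco's implementation: the key-chain layout, the digest construction and the packet structure are simplified assumptions, and the last case goes beyond the lab by modelling a key whose accept-lifetime has expired (the "not live" half of the debug message).

```python
import hashlib
import time
from typing import Optional

# Constructed model of the receive-side check an EIGRP interface performs on an
# authenticated packet (not Cisco's real wire format or digest layout): the key
# ID must exist and be live in the local key chain, then the digest must match.
# A key chain maps key ID -> (key-string, optional accept-lifetime (start, end)).

def digest(payload: bytes, key_string: str) -> bytes:
    # Simplified: MD5 over the packet followed by the key-string. The key-string
    # itself never goes on the wire; only this digest and the key ID do.
    return hashlib.md5(payload + key_string.encode()).digest()

def build_auth_packet(payload: bytes, key_id: int, key_string: str) -> dict:
    # Sender side: what "ip authentication mode eigrp 1 md5" adds to each packet.
    return {"payload": payload, "key_id": key_id,
            "digest": digest(payload, key_string)}

def verify(packet: dict, key_chain: dict, now: Optional[float] = None) -> str:
    """Receiver side; returns the wording of the lab's debug lines."""
    entry = key_chain.get(packet["key_id"])
    if entry is None:                       # step two: R2 only has key 2
        return "key not defined or not live"
    key_string, window = entry
    if window is not None:                  # accept-lifetime check (beyond the lab)
        now = time.time() if now is None else now
        if not (window[0] <= now <= window[1]):
            return "key not defined or not live"
    if digest(packet["payload"], key_string) != packet["digest"]:
        return "authentication mismatch"    # step three: key 1, but cisco vs cisco1
    return "accepted"                       # step four: adjacency comes up

HELLO = b"EIGRP HELLO AS 1 from 192.168.1.1"   # constructed sample payload

def lab_outcomes() -> dict:
    # R1 always sends with key 1 / key-string cisco; R2's key chain varies per step.
    from_r1 = build_auth_packet(HELLO, 1, "cisco")
    return {
        "step2_r2_has_key_2":    verify(from_r1, {2: ("cisco", None)}),
        "step3_r2_key_1_cisco1": verify(from_r1, {1: ("cisco1", None)}),
        "step4_r2_key_1_cisco":  verify(from_r1, {1: ("cisco", None)}),
        # beyond the lab: right key, but R2's accept-lifetime for it has expired
        "expired_lifetime":      verify(from_r1, {1: ("cisco", (0, 100))}, now=200),
    }
```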
Reposted from: https://blog.51cto.com/pzs688/248451