Area Authentication: OSPF Dynamic Routing Protocol Authentication in Practice, Learn It in One Minute

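This article walks through OSPF area authentication in practice, covering the configuration steps and lab debugging for simple password and MD5 authentication. Using configuration examples on routers R1 and R2, it explains the problems that can arise during authentication and how to resolve them.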

I. Lab Topology

[Figure: lab topology]

II. Steps

(1) Step 1: Configure router R1

R1(config)# router ospf 1
R1(config-router)# router-id 1.1.1.1
R1(config-router)# network 192.168.12.0 255.255.255.0 area 0
R1(config-router)# network 1.1.1.0 255.255.255.0 area 0
R1(config-router)# area 0 authentication // enable simple password authentication for area 0
R1(config)# interface s0/0/0
R1(config-if)# ip ospf authentication-key cisco // configure the authentication password

(2) Step 2: Configure router R2

R2(config)# router ospf 1
R2(config-router)# router-id 2.2.2.2
R2(config-router)# network 2.2.2.0 255.255.255.0 area 0
R2(config-router)# network 192.168.12.0 255.255.255.0 area 0
R2(config-router)# area 0 authentication
R2(config)# interface s0/0/0
R2(config-if)# ip ospf authentication-key cisco

4. Lab verification and debugging

(1) show ip ospf interface

R1# show ip ospf interface s0/0/0
Serial0/0/0 is up, line protocol is up
Internet Address 192.168.12.1/24, Area 0
Process ID 1, Router ID 1.1.1.1, Network Type POINT_TO_POINT, Cost: 781
Transmit Delay is 1 sec, State POINT_TO_POINT
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:02
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 0, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 0, Adjacent neighbor count is 0
Suppress hello for 0 neighbor(s)
Simple password authentication enabled

The last line of the output above shows that simple password authentication is enabled on this interface.

(2) show ip ospf

R1# show ip ospf
Routing Process "ospf 1" with ID 1.1.1.1
Supports only single TOS(TOS0) routes
......
Area BACKBONE(0)
Number of interfaces in this area is 2 (1 loopback)
Area has simple password authentication
SPF algorithm last executed 00:00:01.916 ago
SPF algorithm executed 5 times
Area ranges are
Number of LSA 2. Checksum Sum 0x010117
Number of opaque link LSA 0. Checksum Sum 0x000000
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0

The output above shows that area 0 uses simple password authentication.

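(3) If authentication is not enabled for area 0 on R1 while simple password authentication is enabled for area 0 on R2, the following message appears on R2:

*Feb 10 11:03:03.071: OSPF: Rcv pkt from 192.168.12.1, Serial0/0/0 : Mismatch Authentication type. Input packet specified type 0, we use type 1

(4) If simple password authentication is enabled for area 0 on both R1 and R2, but no password or a wrong password is configured on R2's interface, the following message appears on R2:

*Feb 10 10:55:53.071: OSPF: Rcv pkt from 192.168.12.1, Serial0/0/0 : Mismatch Authentication Key - Clear Text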
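
The receiver-side check behind messages (3) and (4), as an added Python example that is not part of the original article. It uses the OSPFv2 header layout from RFC 2328; the function names are illustrative and the sample packets are constructed. It also shows that with AuType 1 the password sits unencrypted in the header's 8-byte authentication field.

```python
import hmac
import socket
import struct

# OSPFv2 header, RFC 2328 A.3.1: version, type, length, router ID, area ID,
# checksum, AuType (0 = null, 1 = simple password, 2 = cryptographic), auth field.
HDR = struct.Struct("!BBH4s4sHH8s")


def header(router_id, autype, password=b""):
    """Constructed sample: bare Hello header for area 0, checksum left at 0."""
    return HDR.pack(2, 1, HDR.size, socket.inet_aton(router_id),
                    socket.inet_aton("0.0.0.0"), 0, autype,
                    password[:8].ljust(8, b"\0"))


def receive(packet, local_autype, local_password=b""):
    """Authentication check on the receiving interface (hypothetical helper)."""
    if len(packet) < HDR.size:
        return "malformed"
    *_, autype, auth = HDR.unpack_from(packet)
    if autype != local_autype:
        return ("Mismatch Authentication type. Input packet specified "
                f"type {autype}, we use type {local_autype}")
    expected = local_password[:8].ljust(8, b"\0")
    if autype == 1 and not hmac.compare_digest(auth, expected):
        return "Mismatch Authentication Key - Clear Text"
    return "accepted"


def password_on_wire(packet):
    """For AuType 1 the 8-byte auth field is the password itself, unencrypted."""
    *_, autype, auth = HDR.unpack_from(packet)
    return auth.rstrip(b"\0").decode("ascii", "replace") if autype == 1 else None


if __name__ == "__main__":
    from_r1 = header("1.1.1.1", 1, b"cisco")
    print(receive(header("1.1.1.1", 0), 1, b"cisco"))   # case (3)
    print(receive(from_r1, 1, b""))                      # case (4), no password
    print(receive(from_r1, 1, b"cisco"))                 # matching configuration
    print(password_on_wire(from_r1))
```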

III. Area-Based OSPF MD5 Authentication

1. Steps

(1) Step 1: Configure router R1

R1(config)# router ospf 1
R1(config-router)# router-id 1.1.1.1
R1(config-router)# network 192.168.12.0 255.255.255.0 area 0
R1(config-router)# network 1.1.1.0 255.255.255.0 area 0
R1(config-router)# area 0 authentication message-digest // enable MD5 authentication for area 0
R1(config)# interface s0/0/0
R1(config-if)# ip ospf message-digest-key 1 md5 cisco // configure the authentication key ID and key

(2) Step 2: Configure router R2

R2(config)# router ospf 1
R2(config-router)# router-id 2.2.2.2
R2(config-router)# network 2.2.2.0 255.255.255.0 area 0
R2(config-router)# network 192.168.12.0 255.255.255.0 area 0
R2(config-router)# area 0 authentication message-digest
R2(config)# interface s0/0/0
R2(config-if)# ip ospf message-digest-key 1 md5 cisco

2. Lab verification and debugging

(1) show ip ospf interface

R1# show ip ospf interface s0/0/0
Serial0/0/0 is up, line protocol is up
Internet Address 192.168.12.1/24, Area 0
Process ID 1, Router ID 1.1.1.1, Network Type POINT_TO_POINT, Cost: 781
Transmit Delay is 1 sec, State POINT_TO_POINT
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:09
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 0, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 0, Adjacent neighbor count is 0
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1

The last two lines of the output show that MD5 authentication is enabled on this interface and that the key ID is 1.

(2) show ip ospf

R1# show ip ospf
Routing Process "ospf 1" with ID 1.1.1.1
Supports only single TOS(TOS0) routes
......
Area BACKBONE(0)
Number of interfaces in this area is 2 (1 loopback)
Area has message digest authentication
SPF algorithm last executed 00:01:50.096 ago
SPF algorithm executed 5 times
Area ranges are
Number of LSA 2. Checksum Sum 0x010117
Number of opaque link LSA 0. Checksum Sum 0x000000
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0

The output above shows that area 0 uses MD5 authentication.

(3) If MD5 authentication is enabled for area 0 on R1 while simple password authentication is enabled for area 0 on R2, the following message appears on R2:

*Feb 10 11:08:13.075: OSPF: Rcv pkt from 192.168.12.1, Serial0/0/0 : Mismatch Authentication type. Input packet specified type 2, we use type 1

(4) If MD5 authentication is enabled for area 0 on both R1 and R2, but no key ID and password, or a wrong password, is configured on R2's interface, the following message appears on R2:

*Feb 10 11:08:43.075: OSPF: Rcv pkt from 192.168.12.1, Serial0/0/0 : Mismatch Authentication Key - No message digest key 1 on interface
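
How the MD5 (AuType 2) check works on the wire, as an added Python example that is not part of the original article. It follows RFC 2328 Appendix D; the function names and status strings are illustrative, and the sample packet is constructed. It goes slightly beyond case (4) by also covering a tampered packet and a stale sequence number.

```python
import hashlib
import hmac
import socket
import struct

HDR = struct.Struct("!BBH4s4sHH")   # OSPFv2 header up to and including AuType
AUTH = struct.Struct("!HBBI")       # AuType 2: zero, key ID, digest length, sequence


def sign(body, router_id, key_id, key, seq):
    """Sender: append MD5(packet || key padded to 16 bytes), RFC 2328 D.4.3."""
    length = HDR.size + AUTH.size + len(body)   # digest is not counted here
    packet = HDR.pack(2, 1, length, socket.inet_aton(router_id),
                      socket.inet_aton("0.0.0.0"), 0, 2)
    packet += AUTH.pack(0, key_id, 16, seq) + body
    return packet + hashlib.md5(packet + key[:16].ljust(16, b"\0")).digest()


def verify(wire, keys, last_seq=0):
    """Receiver: keys maps key ID -> secret configured on the interface."""
    if len(wire) < HDR.size + AUTH.size:
        return "malformed"
    _, _, length, _, _, _, autype = HDR.unpack_from(wire)
    _, key_id, digest_len, seq = AUTH.unpack_from(wire, HDR.size)
    if autype != 2:
        return "type-mismatch"
    if key_id not in keys:
        return f"no-key-{key_id}"     # the "No message digest key 1" case
    if seq < last_seq:
        return "replay"               # stale cryptographic sequence number
    if length < HDR.size + AUTH.size or len(wire) < length + digest_len:
        return "malformed"
    secret = keys[key_id][:16].ljust(16, b"\0")
    digest = hashlib.md5(wire[:length] + secret).digest()
    if not hmac.compare_digest(digest, wire[length:length + digest_len]):
        return "bad-digest"
    return "ok"


# Constructed sample: R1 sends with key ID 1 and key "cisco", as in the lab.
HELLO = sign(b"\x00" * 20, "1.1.1.1", 1, b"cisco", seq=100)

if __name__ == "__main__":
    print(verify(HELLO, {1: b"cisco"}))                # ok
    print(verify(HELLO, {}))                           # no-key-1
    print(verify(HELLO, {1: b"wrong"}))                # bad-digest
    print(verify(HELLO, {1: b"cisco"}, last_seq=101))  # replay
```

Unlike AuType 1, only the key ID, sequence number and digest appear in the packet; the key itself is never transmitted.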
