驗(yàn)證OSPF鄰居認(rèn)證的過程

作者：佚名 2009-06-09 11:03:15

鄰居認(rèn)證使得路由器確認(rèn)每次所收到的路由更新的源。如果關(guān)鍵字不匹配，就會(huì)拒絕路由更新。

Cisco使用兩種類型的鄰居認(rèn)證：純文本和MD5。

純文本認(rèn)證發(fā)一個(gè)關(guān)鍵字，這個(gè)關(guān)鍵字是明文傳輸，可被非法用戶所竊取，所以不推薦使用。

MD5認(rèn)證發(fā)一個(gè)報(bào)文摘要，而不是關(guān)鍵字。MD5被用來生成一個(gè)關(guān)鍵字的散列。這個(gè)散列是被發(fā)送的對(duì)象。MD5方式不易被非法用戶所竊取。

這個(gè)案例中，我們?cè)赗1與R2之間使用明文認(rèn)證，在R2與R3之間使用MD5認(rèn)證。

// R1 //

int e0/0
ip ad 192.1.1.1 255.255.255.0
ip ospf authentication-key cisco//明文認(rèn)證，關(guān)鍵字為cisco

router os 1
network 192.1.1.1 0.0.0.0 area 0
area 0 authentication

// R2 //

int e0/0
ip ad 192.1.1.2 255.255.255.0
ip ospf authentication-key cisco//明文認(rèn)證，關(guān)鍵字為cisco

int e1/0
ip ad 193.1.1.2 255.255.255.0
ip ospf message-digest-key 1 md5 cracker

router os 1
network 192.1.1.2 0.0.0.0 area 0
network 193.1.1.2 0.0.0.0 area 1
area 0 authentication
area 1 authentication message-digest

// R3 //

int e1/0
ip ad 193.1.1.3 255.255.255.0
ip ospf message-digest-key 1 md5 cracker

router os 1
network 193.1.1.3 0.0.0.0 a 1
area 1 authentication message-digest

驗(yàn)證過程：

r1#sh ip os int e0/0
Ethernet0/0 is up, line protocol is up
Internet Address 192.1.1.1/24, Area 0
Process ID 1, Router ID 192.1.1.1, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 193.1.1.2, Interface address 192.1.1.2
Backup Designated router (ID) 192.1.1.1, Interface address 192.1.1.1
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:06
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 193.1.1.2(Designated Router)
Suppress hello for 0 neighbor(s)
Simple password authentication enabled

r2#sh ip os int e0/0
Ethernet0/0 is up, line protocol is up
Internet Address 192.1.1.2/24, Area 0
Process ID 1, Router ID 193.1.1.2, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 193.1.1.2, Interface address 192.1.1.2
Backup Designated router (ID) 192.1.1.1, Interface address 192.1.1.1
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:04
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 2
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 192.1.1.1(Backup Designated Router)
Suppress hello for 0 neighbor(s)
Simple password authentication enabled

r2#sh ip os int e1/0
Ethernet1/0 is up, line protocol is up
Internet Address 193.1.1.2/24, Area 1
Process ID 1, Router ID 193.1.1.2, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 193.1.1.2, Interface address 193.1.1.2
Backup Designated router (ID) 193.1.1.3, Interface address 193.1.1.3
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:03
Index 1/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 2, maximum is 2
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 193.1.1.3(Backup Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1

r3#sh ip os int e1/0
Ethernet1/0 is up, line protocol is up
Internet Address 193.1.1.3/24, Area 1
Process ID 1, Router ID 193.1.1.3, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 193.1.1.2, Interface address 193.1.1.2
Backup Designated router (ID) 193.1.1.3, Interface address 193.1.1.3
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:04
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 2
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 193.1.1.2(Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1

為了更進(jìn)一步理解認(rèn)證過程，我們可以打開DEBUG，并將R3的MD5認(rèn)證key改為5：
// R3 //

debug ip ospf adj

int e1/0
ip ospf message-digest-key 5 md5 cracker

r3#
01:16:03: OSPF: Rcv pkt from 193.1.1.2, Ethernet1/0 : Mismatch Authentication Key - No message digest key 1 on interface
01:16:09: OSPF: Send with youngest Key 5

r3#show ip ospf neighbor//觀察結(jié)果無法發(fā)現(xiàn)鄰居。

//認(rèn)證未通過，無法與R2建立起鄰居關(guān)系。

當(dāng)我們把MD5認(rèn)證KEY改回1后，認(rèn)證通過。

第二步實(shí)驗(yàn)，我們把關(guān)鍵字進(jìn)行修改：
// R3 //

debug ip ospf adj

int e1/0
ip ospf message-digest-key 1 md5 cuijian

01:21:33: OSPF: Rcv pkt from 193.1.1.2, Ethernet1/0 : Mismatch Authentication Key - Message Digest Key 1
01:21:40: OSPF: Send with youngest Key 1

我們要在實(shí)際工作中學(xué)會(huì)使用debug這個(gè)思科排錯(cuò)的利器。

【編輯推薦】

基于OSPF路由協(xié)議，組建全國(guó)互連項(xiàng)目
目前CCNA考試中switch與OSPF實(shí)驗(yàn)題的解答方法
雙nat路由試驗(yàn)，走ospf動(dòng)態(tài)路由

責(zé)任編輯：夏雨來源： 56CTO

OSPF 鄰居認(rèn)證路由器

成人免费xxxxx在线视频软件_久久精品久久久_亚洲国产精品久久久_天天色天天色_亚洲人成一区_欧美一级欧美三级在线观看

驗(yàn)證OSPF鄰居認(rèn)證的過程