验证OSPF邻居认证的过程

企业动态
邻居认证使得路由器确认每次所收到的路由更新的源。如果关键字不匹配,就会拒绝路由更新。

邻居认证使得路由器确认每次所收到的路由更新的源。如果关键字不匹配,就会拒绝路由更新。

Cisco使用两种类型的邻居认证:纯文本和MD5。

纯文本认证发一个关键字,这个关键字是明文传输,可被非法用户所窃取,所以不推荐使用。

MD5认证 发一个报文摘要,而不是关键字。MD5被用来生成一个关键字的散列。这个散列是被发送的对象。MD5方式不易被非法用户所窃取。

这个案例中,我们在R1与R2之间使用明文认证,在R2与R3之间使用MD5认证。

// R1 //

int e0/0
ip ad 192.1.1.1 255.255.255.0
ip ospf authentication-key cisco//明文认证,关键字为cisco
router os 1
network 192.1.1.1 0.0.0.0 area 0
area 0 authentication

// R2 //
int e0/0
ip ad 192.1.1.2 255.255.255.0
ip ospf authentication-key cisco//明文认证,关键字为cisco

int e1/0
ip ad 193.1.1.2 255.255.255.0
ip ospf message-digest-key 1 md5 cracker

router os 1
network 192.1.1.2 0.0.0.0 area 0
network 193.1.1.2 0.0.0.0 area 1
area 0 authentication
area 1 authentication message-digest


// R3 //
int e1/0
ip ad 193.1.1.3 255.255.255.0
ip ospf message-digest-key 1 md5 cracker

router os 1
network 193.1.1.3 0.0.0.0 a 1
area 1 authentication message-digest


验证过程:
r1#sh ip os int e0/0
Ethernet0/0 is up, line protocol is up
Internet Address 192.1.1.1/24, Area 0
Process ID 1, Router ID 192.1.1.1, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 193.1.1.2, Interface address 192.1.1.2
Backup Designated router (ID) 192.1.1.1, Interface address 192.1.1.1
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:06
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 193.1.1.2(Designated Router)
Suppress hello for 0 neighbor(s)
Simple password authentication enabled

r2#sh ip os int e0/0
Ethernet0/0 is up, line protocol is up
Internet Address 192.1.1.2/24, Area 0
Process ID 1, Router ID 193.1.1.2, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 193.1.1.2, Interface address 192.1.1.2
Backup Designated router (ID) 192.1.1.1, Interface address 192.1.1.1
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:04
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 2
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 192.1.1.1(Backup Designated Router)
Suppress hello for 0 neighbor(s)
Simple password authentication enabled

r2#sh ip os int e1/0
Ethernet1/0 is up, line protocol is up
Internet Address 193.1.1.2/24, Area 1
Process ID 1, Router ID 193.1.1.2, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 193.1.1.2, Interface address 193.1.1.2
Backup Designated router (ID) 193.1.1.3, Interface address 193.1.1.3
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:03
Index 1/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 2, maximum is 2
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 193.1.1.3(Backup Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1

r3#sh ip os int e1/0
Ethernet1/0 is up, line protocol is up
Internet Address 193.1.1.3/24, Area 1
Process ID 1, Router ID 193.1.1.3, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 193.1.1.2, Interface address 193.1.1.2
Backup Designated router (ID) 193.1.1.3, Interface address 193.1.1.3
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:04
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 2
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 193.1.1.2(Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1


为了更进一步理解认证过程,我们可以打开DEBUG,并将R3的MD5认证key改为5:
// R3 //
debug ip ospf adj
int e1/0
ip ospf message-digest-key 5 md5 cracker

r3#
01:16:03: OSPF: Rcv pkt from 193.1.1.2, Ethernet1/0 : Mismatch Authentication Key - No message digest key 1 on interface
01:16:09: OSPF: Send with youngest Key 5


r3#show ip ospf neighbor//观察结果无法发现邻居。

//认证未通过,无法与R2建立起邻居关系。

当我们把MD5认证KEY改回1后,认证通过。


第二步实验,我们把关键字进行修改:
// R3 //

debug ip ospf adj
int e1/0
ip ospf message-digest-key 1 md5 cuijian
01:21:33: OSPF: Rcv pkt from 193.1.1.2, Ethernet1/0 : Mismatch Authentication Key - Message Digest Key 1
01:21:40: OSPF: Send with youngest Key 1

我们要在实际工作中学会使用debug这个思科排错的利器。

【编辑推荐】

  1. 基于OSPF路由协议,组建全国互连项目
  2. 目前CCNA考试中switch与OSPF实验题的解答方法
  3. 双nat路由试验,走ospf动态路由
责任编辑:夏雨 来源: 56CTO
相关推荐

2020-07-03 09:16:13

OSPF邻居子网掩码

2013-11-01 10:51:10

OSPF邻居邻接

2011-03-30 16:27:07

POS接口OSPF

2011-04-11 16:29:31

OSPF

2010-06-10 16:01:22

OSPF路由协议

2009-09-07 09:28:00

思科认证CCSPCCSP认证过程

2011-04-08 17:42:13

OSPFOSPF邻居

2011-05-17 13:25:53

IBGPOSPF路由表

2011-04-11 16:20:06

OSPF

2011-04-01 09:40:28

OSPF路由器

2013-07-01 11:27:11

2011-08-18 09:46:40

活动目录验证原理

2009-08-18 13:49:03

思科认证CCNA报考

2019-11-24 19:20:57

OSPF邻居路由器

2013-06-06 13:42:48

OSPF入门配置

2009-01-11 09:29:00

网络邻居故障

2010-04-20 10:00:29

2009-01-11 09:30:00

局域网网上邻居

2013-10-18 09:30:04

OSPF协议OSPF

2009-08-07 10:43:24

OSPF路由器邻接关系
点赞
收藏

51CTO技术栈公众号