(1)NULL
(2)简单密码身份验证
(3)MD5身份验证
身份验证又分接口级别身份验证和区域级别身份验证和virtual-link身份验证
配置简单密码身份验证:
接口级别的身份验证:
配置简单身份验证:
第一步: 使用接口配置命令ip ospf authentication-key password 指定一个密码(密钥),用于对邻接路由器进行OSPF简单密码身份验证。
第二步:使用接口配置命令ip ospf authentication [message-digest | null] MD5 指定身份验证类型
R1的配置:
R1#config t
R1(config)#int lo0
R1(config-if)#ip add 1.1.1.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#int s1/0
R1(config-if)#ip add 192.168.12.1 255.255.255.0
R1(config-if)#no shut R1(config-if)#ip ospf authentication
R1(config-if)#ip ospf authentication-key cisco
R1(config-if)#endR1(config)#router ospf 100
R1(config-router)#net 192.168.12.0 0.0.0.255 a 0
R1(config-router)#net 1.1.1.1 0.0.0.255 a 0R1#show ip ospf database
OSPF Router with ID (1.1.1.1) (Process ID 100)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
1.1.1.1 1.1.1.1 254 0x80000003 0x00B2DE 3
2.2.2.2 2.2.2.2 255 0x80000002 0x00F197 3########通过上面看出只有一类LSA###########################
R1#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 0 FULL/ - 00:00:33 192.168.12.2 Serial1/0########与2.2.2.2已经形成邻居关系###########################
R2的配置:
R2#config t
R2(config)#int lo0
R2(config-if)#ip add 2.2.2.2 255.255.255.0
R2(config-if)#no shut
R2(config-if)#int s1/0
R2(config-if)#ip add 192.168.12.2 255.255.255.0
R2(config-if)#no shut
R2(config-if)#int
R2(config-if)#int s1/1
R2(config-if)#ip add 192.168.23.1 255.255.255.0
R2(config-if)#no shut
R2(config-if)#exit
R2(config)#do ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/36 ms
R2(config)#do ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
.
*Mar 1 01:16:32.339: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/1, changed state to down....
Success rate is 0 percent (0/5)
R2(config)#int s1/0
R2(config-if)#ip ospf authentication
R2(config-if)#ip ospf authentication-key cisco
R2(config-if)#exit
R2(config)#router ospf 100
R2(config-router)#net 2.2.2.2 0.0.0.255 a 0
R2(config-router)#net 192.168.12.0 0.0.0.255 a 0
R2(config-router)#end
R2#show ip ospf neighbor #检查邻居的生成状态
Neighbor ID Pri State Dead Time Address Interface
1.1.1.1 0 FULL/ - 00:00:38 192.168.12.1 Serial1/0
R2#show ip ospf database #查看拥有几类LSA
OSPF Router with ID (2.2.2.2) (Process ID 100)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
1.1.1.1 1.1.1.1 24 0x80000003 0x00B2DE 3
2.2.2.2 2.2.2.2 23 0x80000002 0x00F197 3
########通过上面看出只有一类LSA############################
验证简单密码身份验证:
R1上的路由器输出:
R1#show ip ospf interface
Loopback0 is up, line protocol is up
Internet Address 1.1.1.1/24, Area 0
Process ID 100, Router ID 1.1.1.1, Network Type LOOPBACK, Cost: 1
Loopback interface is treated as a stub Host
Serial1/0 is up, line protocol is up
Internet Address 192.168.12.1/24, Area 0
Process ID 100, Router ID 1.1.1.1, Network Type POINT_TO_POINT, Cost: 64
Transmit Delay is 1 sec, State POINT_TO_POINT
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:00
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 2.2.2.2
Suppress hello for 0 neighbor(s)
Simple password authentication enabled
R2上路由器的输出:
R2#show ip ospf interface
Serial1/0 is up, line protocol is up
Internet Address 192.168.12.2/24, Area 0
Process ID 100, Router ID 2.2.2.2, Network Type POINT_TO_POINT, Cost: 64
Transmit Delay is 1 sec, State POINT_TO_POINT
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:07
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 1.1.1.1
Suppress hello for 0 neighbor(s)
Simple password authentication enabled
Loopback0 is up, line protocol is up
Internet Address 2.2.2.2/24, Area 0
Process ID 100, Router ID 2.2.2.2, Network Type LOOPBACK, Cost: 1
Loopback interface is treated as a stub Host区域级别的简单身份验证(以及调试输出):区域级别的身份验证涉及区域的接口都要启用认证
第一步: 使用接口配置命令ip ospf authentication-key password 指定一个密码(密钥),用于对邻接路由器进行OSPF简单密码身份验证。
第二步:使用接口配置命令ip ospf authentication [message-digest | null] MD5 指定身份验证类型 。
第三步:在路由协议模式下area area-id authentic-cation [message-digest]
R1#debug ip ospf adj
############查看有那些邻接关系及邻接双方接口信息################################################
OSPF adjacency events debugging is on
R1#debug ip ospf event
OSPF events debugging is on
R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int lo0
R1(config-if)#ip ospf authentication-key cisco
R1(config-if)#exit
R1(config)#int s1/0
R1(config-if)#ip ospf authentication-key cisco
R1(config-if)#exit
R1(config)#router ospf 100
R1(config-router)#net 1.1.1.1 0.0.0.255 a 0
*Mar 1 01:44:33.551: OSPF: Interface Loopback0 going Up
*Mar 1 01:44:34.055: OSPF: Build router LSA for area 0, router ID 1.1.1.1, seq 0x80000001, process 100
R1(config-router)#net 192.168.12.0 0.0.0.255 a 0
*Mar 1 01:44:48.395: OSPF: Interface Serial1/0 going Up
*Mar 1 01:44:48.395: OSPF: Send hello to 224.0.0.5 area 0 on Serial1/0 from 192.168.12.1
*Mar 1 01:44:48.455: OSPF: Rcv hello from 2.2.2.2 area 0 from Serial1/0 192.168.12.2
*Mar 1 01:44:48.455: OSPF: 2 Way Communication to 2.2.2.2 on Serial1/0, state 2WAY
*Mar 1 01:44:48.455: OSPF: Send DBD to 2.2.2.2 on Serial1/0 seq 0x1A11 opt 0x52 flag 0x7 len 32
*Mar 1 01:44:48.459: OSPF: Send immediate hello to nbr 2.2.2.2, src address 192.168.12.2, on Serial1/0
*Mar 1 01:44:48.459: OSPF: Send hello to 224.0.0.5 area 0 on Serial1/0 from 192.168.12.1
*Mar 1 01:44:48.459: OSPF: End of hello processing
*Mar 1 01:44:48.495: OSPF: Rcv DBD from 2.2.2.2 on Serial1/0 seq 0x1AD4 opt 0x52 flag 0x7 len 32 mtu 1500 state EXSTART
*Mar 1 01:44:48.499: OSPF: NBR Negotiation Done. We are the SLAVE
*Mar 1 01:44:48.499: OSPF: Send DBD to 2.2.2.2 on Serial1/0 seq 0x1AD4 opt 0x52 flag 0x2 len 52
*Mar 1 01:44:48.515: OSPF: Rcv DBD from 2.2.2.2 on Serial1/0 seq 0x1AD5 opt 0x52 flag 0x3 len 52 mtu 1500 state EXCHANGE
*Mar 1 01:44:48.519: OSPF: Send DBD to 2.2.2.2 on Serial1/0 seq 0x1AD5 opt 0x52 flag 0x0 len 32
*Mar 1 01:44:48.535: OSPF: Rcv DBD from 2.2.2.2 on Serial1/0 seq 0x1AD6 opt 0x52 flag 0x1 len 32 mtu 1500 state EXCHANGE
*Mar 1 01:44:48.539: OSPF: Exchange Done with 2.2.2.2 on Serial1/0
*Mar 1 01:44:48.539: OSPF: Send LS REQ to 2.2.2.2 length 12 LSA count 1
*Mar 1 01:44:48.539: OSPF: Send DBD to 2.2.2.2 on Serial1/0 seq 0x1AD6 opt 0x52 flag 0x0 len 32
*Mar 1 01:44:48.543: OSPF: Rcv LS REQ from 2.2.2.2 on Serial1/0 length 36 LSA count 1
*Mar 1 01:44:48.543: OSPF: Send UPD to 192.168.12.2 on Serial1/0 length 40 LSA count 1
*Mar 1 01:44:48.555: OSPF: Rcv LS UPD from 2.2.2.2 on Serial1/0 length 76 LSA count 1
*Mar 1 01:44:48.559: OSPF: Synchronized with 2.2.2.2 on Serial1/0, state FULL
*Mar 1 01:44:48.559: %OSPF-5-ADJCHG: Process 100, Nbr 2.2.2.2 on Serial1/0 from LOADING to FULL, Loading Done
*Mar 1 01:44:48.895: OSPF: Build router LSA for area 0, router ID 1.1.1.1, seq 0x80000002, process 100
*Mar 1 01:44:48.927: OSPF: Rcv hello from 2.2.2.2 area 0 from Serial1/0 192.168.12.2
*Mar 1 01:44:48.927: OSPF: End of hello processing
*Mar 1 01:44:49.059: OSPF: Rcv LS UPD from 2.2.2.2 on Serial1/0 length 88 LSA count 1
R1(config-router)#area 0 authentication
*Mar 1 01:44:58.395: OSPF: Send hello to 224.0.0.5 area 0 on Serial1/0 from 192.168.12.1
*Mar 1 01:44:58.895: OSPF: Rcv hello from 2.2.2.2 area 0 from Serial1/0 192.168.12.2
*Mar 1 01:44:58.895: OSPF: End of hello processing
R1(config-router)#end
*Mar 1 01:45:00.639: %SYS-5-CONFIG_I: Configured from console by console
R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C 192.168.12.0/24 is directly connected, Serial1/0
1.0.0.0/24 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, Loopback0
2.0.0.0/32 is subnetted, 1 subnets
O 2.2.2.2 [110/65] via 192.168.12.2, 00:00:06, Serial1/0
*Mar 1 01:45:08.395: OSPF: Send hello to 224.0.0.5 area 0 on Serial1/0 from 192.168.12.1
*Mar 1 01:45:08.899: OSPF: Rcv hello from 2.2.2.2 area 0 from Serial1/0 192.168.12.2
*Mar 1 01:45:08.899: OSPF: End of hello processing
R1#show ip ospf interface
Serial1/0 is up, line protocol is up
Internet Address 192.168.12.1/24, Area 0
Process ID 100, Router ID 1.1.1.1, Network Type POINT_TO_POINT, Cost: 64
Transmit Delay is 1 sec, State POINT_TO_POINT
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:03
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 2.2.2.2
Suppress hello for 0 neighbor(s)
Simple password authentication enabled
Loopback0 is up, line protocol is up
Internet Address 1.1.1.1/24, Area 0
Process ID 100, Router ID 1.1.1.1, Network Type LOOPBACK, Cost: 1
Loopback interface is treated as a stub Host
R1#
*Mar 1 01:45:18.395: OSPF: Send hello to 224.0.0.5 area 0 on Serial1/0 from 192.168.12.1
*Mar 1 01:45:18.899: OSPF: Rcv hello from 2.2.2.2 area 0 from Serial1/0 192.168.12.2
*Mar 1 01:45:18.899: OSPF: End of hello processingR2的配置说明:
R2#debug ip ospf adj
OSPF adjacency events debugging is on
R2#debug ip ospf events
OSPF events debugging is on
R2#config t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#int s1/0
R2(config-if)#ip ospf authentication
R2(config-if)#ip ospf authentication-key cisco
R2(config-if)#end
R2(config)#int lo0
R2(config-if)#ip ospf authentication
R2(config-if)#ip ospf authentication-key cisco
R2(config-if)#end
R2(config)#router ospf 100
R2(config-router)#net 2.2.2.2 0.0.0.255 a 0
R2(config-router)#net 192.168.12.0 0.0.0.255 a 0
R2(config-router)#area 0 authentication
配置MD5身份验证:
接口模式下配置MD5身份验证:
第一步:使用接口配置命令ip ospf authentication [message-digest | null]指定身份验证类型。如果是MD5则选择message-digest。
第二步: 使用接口配置命令ip ospf message-digest-key key-id md5 key给采用OSPF MD5身份验证的路由器指定要使用的密钥ID和密钥。
key-id 取值范围为0~255的标志符
key 由数字和字母组成的密码,最长16个字符
配置略
区域模式下配置MD5身份验证:
第一步: 使用接口配置命令ip ospf message-digest-key key-id md5 key 指定一个密码(密钥),用于对邻接路由器进行OSPF简单密码身份验证。
第二步:使用接口配置命令ip ospf authentication [message-digest | null] MD5 指定身份验证类型 。
第三步:在路由协议模式下area area-id authentic-cation message-digest
R1(config)#inter f0/0
R1(config-if)#ip ospf message-digest-key 1 md5 0 testtest
R1(config-if)#inter f1/0
R1(config-if)#ip ospf message-digest-key 1 md5 0 testtest============== 1表示密匙链ID,取值1-255; md5表示使用MD5加密; 0代表加密类型,0为缺省,7为cisco私有,testtest为密码。 ============
R1(config-if)#exit
R1(config)#router ospf 10
R1(config-router)#area 1 authentication message-digest========================== area 1 authentication message-digest 表示area1传送摘要而不传送明文,如果不配置则传送明文 ==========================
R2(config)#inter f0/0
R2(config-if)#ip ospf message-digest-key 1 md5 0 testtest
R2(config-if)#exit
R2(config)#router ospf 10R2(config-router)#area 1 authentication message-digest 其余路由器正常配置 注:开启认证则区域内的路由器全部要开启认证。选择摘要传输就必须配置md5类型的密匙。