Forum: System Integration    Title: A Few Words on Networking -- OSPF Authentication Lab
Author: xiaoshi [xiaoshi]    Forum user



OSPF Authentication Lab


Foundation
CJ-QT(config)#router ospf 10
CJ-QT(config-router)#net 10.1.1.0 0.0.0.255 area 0
CJ-QT(config-router)#net 192.168.1.0 0.0.0.255 area 0
CJ-ML(config)#router ospf 20
CJ-ML(config-router)#net 172.16.56.0 0.0.0.255 area 0
CJ-ML(config-router)#net 192.168.1.0 0.0.0.255 area 0
CJ-ML(config-router)#net 61.144.56.0 0.0.0.255 area 0
CJ-JMS(config)#router ospf 30
CJ-JMS(config-router)#net 202.96.128.0 0.0.0.255 area 0
CJ-JMS(config-router)#net 61.144.56.0 0.0.0.255 area 0


Walls
CJ-QT#sho ip rou
    172.16.0.0/32 is subnetted, 1 subnets
O      172.16.56.20 [110/65] via 192.168.1.2, 00:02:15, Serial1/1
    10.0.0.0/24 is subnetted, 1 subnets
C      10.1.1.0 is directly connected, Loopback0
C    192.168.1.0/24 is directly connected, Serial1/1
    202.96.128.0/32 is subnetted, 1 subnets
O      202.96.128.166 [110/1627] via 192.168.1.2, 00:02:15, Serial1/1
    61.0.0.0/24 is subnetted, 1 subnets
O      61.144.56.0 [110/1626] via 192.168.1.2, 00:02:15, Serial1/1


CJ-ML#sho ip rou
    172.16.0.0/24 is subnetted, 1 subnets
C      172.16.56.0 is directly connected, Loopback0
    10.0.0.0/32 is subnetted, 1 subnets
O      10.1.1.1 [110/1563] via 192.168.1.1, 00:03:51, Serial1/0
C    192.168.1.0/24 is directly connected, Serial1/0
    202.96.128.0/32 is subnetted, 1 subnets
O      202.96.128.166 [110/1563] via 61.144.56.100, 00:03:51, Serial1/1
    61.0.0.0/24 is subnetted, 1 subnets
C      61.144.56.0 is directly connected, Serial1/1



CJ-JMS#sho ip rou 
  172.16.0.0/32 is subnetted, 1 subnets
O      172.16.56.20 [110/65] via 61.144.56.200, 00:04:18, Serial1/0
    10.0.0.0/32 is subnetted, 1 subnets
O      10.1.1.1 [110/1627] via 61.144.56.200, 00:04:18, Serial1/0
O    192.168.1.0/24 [110/1626] via 61.144.56.200, 00:04:18, Serial1/0
C    202.96.128.0/24 is directly connected, Loopback0
    61.0.0.0/24 is subnetted, 1 subnets
C      61.144.56.0 is directly connected, Serial1/0


Raising the main beam
Now we configure the authentication password on router CJ-QT
CJ-QT(config)#int s1/1
CJ-QT(config-if)#ip ospf message
CJ-QT(config-if)#ip ospf message-digest-key 1 md5 ccna
CJ-QT(config-if)#exit
CJ-QT(config)#router ospf 10
CJ-QT(config-router)#area 0 authentication message-digest

OK, let's look at the debug output

CJ-QT#debug ip ospf eve
OSPF events debugging is on
CJ-QT#
00:44:57: OSPF: Send with youngest Key 1
00:45:02: OSPF: Rcv pkt from 192.168.1.2, Serial1/1 : Mismatch Authentication type. Input packet specified type 0, we use type 2

Wrong authentication password: the neighbor doesn't know the secret handshake, so it looks like the Party organization has abandoned you, haha.
Now let's look at the connected CJ-ML

CJ-ML#debug ip ospf eve
OSPF events debugging is on
CJ-ML#
00:47:23: OSPF: Rcv hello from 202.96.128.166 area 0 from Serial1/1 61.144.56.100
00:47:23: OSPF: End of hello processing
00:47:31: OSPF: Rcv pkt from 192.168.1.1, Serial1/0 : Mismatch Authentication type. Input packet specified type 2, we use type 0
00:47:33: OSPF: Rcv hello from 202.96.128.166 area 0 from Serial1/1 61.144.56.100
00:47:43: OSPF: End of hello processing

Look at the topology and you'll understand: CJ-QT(S1/1)---(S1/0)CJ-ML(S1/1)-----(S1/0)CJ-JMS
The router to the left of CJ-ML has authentication configured, but CJ-ML itself has not been given the corresponding configuration, so when it receives the authenticated packets it cannot process them and the two can no longer exchange routing information. The router on the right is in the same state as CJ-ML (nothing has been changed on either), so they keep exchanging routing information.
At this point, show ip route on CJ-QT shows only its directly connected interfaces, while CJ-ML still holds OSPF routes learned from its other neighbor, CJ-JMS.

Topping out
CJ-ML(config)#int s1/1
CJ-ML(config-if)#ip ospf mess
CJ-ML(config-if)#ip ospf message-digest-key 1 md5 ccna
CJ-ML(config-if)#int s1/0
CJ-ML(config-if)#ip ospf mess
CJ-ML(config-if)#ip ospf message-digest-key 1 md5 ccna
CJ-ML(config-if)#exit
CJ-ML(config)#router ospf 20
CJ-ML(config-router)#area 0 authentication message-digest

Because CJ-ML connects to routers on two ports, both s1/1 and s1/0 are configured; otherwise the Party would lose another good cadre, heh.
Do the corresponding configuration on CJ-JMS.

Final inspection
Now run show ip route on each of the three routers.
It looks the same as before authentication was configured, and in fact the authentication process has completed.

A few extra bushels
CJ-QT(S1/1)---(S1/0)CJ-ML(S1/1)-----(S1/0)CJ-JMS

On CJ-QT (S1/1) we have
interface Serial1/1
ip address 192.168.1.1 255.255.255.0
ip ospf message-digest-key 1 md5 ccna
serial restart-delay 0

On CJ-ML (S1/0)
interface Serial1/0
ip address 192.168.1.2 255.255.255.0
ip ospf message-digest-key 1 md5 ccna
serial restart-delay 0


On CJ-ML (S1/1)
interface Serial1/1
ip address 61.144.56.200 255.255.255.0
ip ospf message-digest-key 2 md5 nnca
serial restart-delay 0

On CJ-JMS (S1/0)
!
interface Serial1/0
ip address 61.144.56.100 255.255.255.0
ip ospf message-digest-key 2 md5 nnca
serial restart-delay 0

Let's look at the debug output on CJ-ML again
CJ-ML#debug ip ospf eve
OSPF events debugging is on
01:27:16: OSPF: Send with youngest Key 1
01:27:17: OSPF: Send with youngest Key 2
01:27:21: OSPF: Rcv hello from 10.1.1.1 area 0 from Serial1/0 192.168.1.1
01:27:21: OSPF: End of hello processing
01:27:23: OSPF: Rcv hello from 202.96.128.166 area 0 from Serial1/1 61.144.56.100
01:27:23: OSPF: End of hello processing

It sends two keys and tries them on the door by itself; there's no alarm anyway, so it can take its time, heh.
Run sho ip rout again
Still the same. Nothing changed; it seems the Party's grassroots base is solid, nobody got abandoned.

Regret
There is one thing here:
CJ-ML(config-if)#ip ospf message-digest-key 2 md5 ?
  <0-7>  Encryption type (0 for not yet encrypted, 7 for proprietary)
From the prompt this seems to set the encryption level, but when I set different levels with the same password and the same key number,
it still passes just the same; I don't know what its real purpose is.

Settling up
OSPF authentication configuration
int s1/1
ip ospf message-digest-key 1 (key number) md5 ccna (authentication password)
router ospf 100
area 0 authentication message-digest (apply)
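As an added illustration (not the author's code), here is the check a receiving router performs on an AuType 2 packet, reconstructed from RFC 2328 Appendix D: first the AuType comparison that produces the "Mismatch Authentication type" line seen under "Raising the main beam", then the per-interface key-id lookup behind the two "Send with youngest Key" lines under "A few extra bushels", then the MD5 digest over the packet plus the zero-padded key. The Hello body, the scenario names and the use of router id 10.1.1.1 from the debug output are constructed for the demo.

```python
import hashlib
import hmac
import socket
import struct

AUTH_NONE, AUTH_CRYPTO = 0, 2      # OSPFv2 AuType values (RFC 2328 Appendix D)
HDR = struct.Struct("!BBH4s4sHH")  # version, type, length, router id, area id, checksum, AuType
AUTH = struct.Struct("!HBBI")      # reserved, key id, auth data length, crypto sequence number

def pad_key(password):
    return password.encode()[:16].ljust(16, b"\x00")  # MD5 key = password zero-padded to 16 bytes

def build_hello(router_id, area_id, auth_type, key_id=0, seq=0, password=None):
    """Constructed Hello (type 1). For AuType 2 the checksum stays 0 and the 16-byte
    digest is appended after the packet, outside the length field, per RFC 2328 D.4.3."""
    body = socket.inet_aton("255.255.255.0") + struct.pack("!HBBI", 10, 0x02, 1, 40) + b"\x00" * 8
    auth = AUTH.pack(0, key_id, 16, seq) if auth_type == AUTH_CRYPTO else b"\x00" * 8
    hdr = HDR.pack(2, 1, HDR.size + AUTH.size + len(body), socket.inet_aton(router_id),
                   socket.inet_aton(area_id), 0, auth_type)
    packet = hdr + auth + body
    if auth_type == AUTH_CRYPTO:
        packet += hashlib.md5(packet + pad_key(password)).digest()
    return packet

def verify(frame, iface_auth_type, key_table):
    """Receiver-side checks in the order a router applies them; returns (accepted, reason)."""
    _, _, length, _, _, _, auth_type = HDR.unpack_from(frame)
    if auth_type != iface_auth_type:          # the "Mismatch Authentication type" debug line
        return False, (f"Mismatch Authentication type. Input packet specified type "
                       f"{auth_type}, we use type {iface_auth_type}")
    if auth_type != AUTH_CRYPTO:
        return True, "accepted without cryptographic authentication"
    _, key_id, auth_len, _seq = AUTH.unpack_from(frame, HDR.size)
    if auth_len != 16 or len(frame) < length + 16:
        return False, "malformed authentication data"
    password = key_table.get(key_id)          # key table is per receiving interface, as in the lab
    if password is None:
        return False, f"no key with id {key_id} on this interface"
    expected = hashlib.md5(frame[:length] + pad_key(password)).digest()
    if not hmac.compare_digest(expected, frame[length:length + 16]):
        return False, f"bad digest for key id {key_id}"
    return True, f"accepted with key id {key_id}"

def lab_scenarios():
    """CJ-QT (10.1.1.1) sends one Hello with key 1/ccna; CJ-ML's S1/0 is tried before and after it is configured."""
    hello = build_hello("10.1.1.1", "0.0.0.0", AUTH_CRYPTO, key_id=1, seq=1, password="ccna")
    return {"cj-ml unconfigured": verify(hello, AUTH_NONE, {}),
            "cj-ml configured": verify(hello, AUTH_CRYPTO, {1: "ccna"}),
            "wrong key id": verify(hello, AUTH_CRYPTO, {2: "nnca"}),
            "same id, wrong password": verify(hello, AUTH_CRYPTO, {1: "cisco"})}
```

The last two scenarios show why the key number and the password must both match on each link: a different key id is rejected before any hashing, and the same id with a different password fails the digest.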


OP    Posted: 07-03-21 21:51

Copyright © 2000-2010 20CN Security Group. All Rights Reserved.