Author: xiaoshi [xiaoshi], forum user
OSPF Authentication Lab

Foundation

CJ-QT(config)#router ospf 10
CJ-QT(config-router)#net 10.1.1.0 0.0.0.255 area 0
CJ-QT(config-router)#net 192.168.1.0 0.0.0.255 area 0

CJ-ML(config)#router ospf 20
CJ-ML(config-router)#net 172.16.56.0 0.0.0.255 area 0
CJ-ML(config-router)#net 192.168.1.0 0.0.0.255 area 0
CJ-ML(config-router)#net 61.144.56.0 0.0.0.255 area 0

CJ-JMS(config)#router ospf 30
CJ-JMS(config-router)#net 202.96.128.0 0.0.0.255 area 0
CJ-JMS(config-router)#net 61.144.56.0 0.0.0.255 area 0

Building the walls

CJ-QT#sho ip rou
     172.16.0.0/32 is subnetted, 1 subnets
O       172.16.56.20 [110/65] via 192.168.1.2, 00:02:15, Serial1/1
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, Loopback0
C    192.168.1.0/24 is directly connected, Serial1/1
     202.96.128.0/32 is subnetted, 1 subnets
O       202.96.128.166 [110/1627] via 192.168.1.2, 00:02:15, Serial1/1
     61.0.0.0/24 is subnetted, 1 subnets
O       61.144.56.0 [110/1626] via 192.168.1.2, 00:02:15, Serial1/1

CJ-ML#sho ip rou
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.56.0 is directly connected, Loopback0
     10.0.0.0/32 is subnetted, 1 subnets
O       10.1.1.1 [110/1563] via 192.168.1.1, 00:03:51, Serial1/0
C    192.168.1.0/24 is directly connected, Serial1/0
     202.96.128.0/32 is subnetted, 1 subnets
O       202.96.128.166 [110/1563] via 61.144.56.100, 00:03:51, Serial1/1
     61.0.0.0/24 is subnetted, 1 subnets
C       61.144.56.0 is directly connected, Serial1/1

CJ-JMS#sho ip rou
     172.16.0.0/32 is subnetted, 1 subnets
O       172.16.56.20 [110/65] via 61.144.56.200, 00:04:18, Serial1/0
     10.0.0.0/32 is subnetted, 1 subnets
O       10.1.1.1 [110/1627] via 61.144.56.200, 00:04:18, Serial1/0
O    192.168.1.0/24 [110/1626] via 61.144.56.200, 00:04:18, Serial1/0
C    202.96.128.0/24 is directly connected, Loopback0
     61.0.0.0/24 is subnetted, 1 subnets
C       61.144.56.0 is directly connected, Serial1/0

Raising the main beam

We now set the authentication password on router CJ-QT.

CJ-QT(config)#int s1/1
CJ-QT(config-if)#ip ospf message
CJ-QT(config-if)#ip ospf message-digest-key 1 md5 ccna
CJ-QT(config-if)#exit
CJ-QT(config)#router ospf 10
CJ-QT(config-router)#area 0 authentication message-digest

OK, let's look at the debug output.

CJ-QT#debug ip ospf eve
OSPF events debugging is on
CJ-QT#
00:44:57: OSPF: Send with youngest Key 1
00:45:02: OSPF: Rcv pkt from 192.168.1.2, Serial1/1 : Mismatch Authentication type. Input packet specified type 0, we use type 2

Wrong authentication password: the neighbor does not have the secret passphrase, so it looks like the Party organization has abandoned you, haha.

Now look at the adjacent CJ-ML.

CJ-ML#debug ip ospf eve
OSPF events debugging is on
CJ-ML#
00:47:23: OSPF: Rcv hello from 202.96.128.166 area 0 from Serial1/1 61.144.56.100
00:47:23: OSPF: End of hello processing
00:47:31: OSPF: Rcv pkt from 192.168.1.1, Serial1/0 : Mismatch Authentication type. Input packet specified type 2, we use type 0
00:47:33: OSPF: Rcv hello from 202.96.128.166 area 0 from Serial1/1 61.144.56.100
00:47:43: OSPF: End of hello processing

A look at the topology should make this clear:

CJ-QT(S1/1)---(S1/0)CJ-ML(S1/1)-----(S1/0)CJ-JMS

The router to the left of CJ-ML has authentication configured, but the local router has no matching configuration, so when authenticated packets arrive it cannot complete the authentication and, as a result, cannot exchange routing information. The router on the right, like the local router, has had nothing configured, so the two can keep exchanging routing information.

At this point, show ip route on CJ-QT shows only the locally connected interfaces, while the OSPF routes on CJ-ML are the ones from the neighboring CJ-JMS.

Topping out

CJ-ML(config)#int s1/1
CJ-ML(config-if)#ip ospf mess
CJ-ML(config-if)#ip ospf message-digest-key 1 md5 ccna
CJ-ML(config-if)#int s1/0
CJ-ML(config-if)#ip ospf mess
CJ-ML(config-if)#ip ospf message-digest-key 1 md5 ccna
CJ-ML(config-if)#exit
CJ-ML(config)#router ospf 20
CJ-ML(config-router)#area 0 authentication message-digest

Because CJ-ML connects to a router on each of two interfaces, both s1/1 and s1/0 have to be configured; otherwise the Party would lose another good cadre, hehe.

Do the corresponding configuration on CJ-JMS.

Acceptance check

Now show ip route on each of the three routers gives the same output as before authentication was configured; the authentication process has in fact completed.

A little extra

CJ-QT(S1/1)---(S1/0)CJ-ML(S1/1)-----(S1/0)CJ-JMS

On CJ-QT (S1/1) we have:

interface Serial1/1
ip address 192.168.1.1 255.255.255.0
ip ospf message-digest-key 1 md5 ccna
serial restart-delay 0

On CJ-ML (S1/0):

interface Serial1/0
ip address 192.168.1.2 255.255.255.0
ip ospf message-digest-key 1 md5 ccna
serial restart-delay 0

On CJ-ML (S1/1):

interface Serial1/1
ip address 61.144.56.200 255.255.255.0
ip ospf message-digest-key 2 md5 nnca
serial restart-delay 0

On CJ-JMS (S1/0):

!
interface Serial1/0
ip address 61.144.56.100 255.255.255.0
ip ospf message-digest-key 2 md5 nnca
serial restart-delay 0

Now let's look at the debug output on CJ-ML again.

CJ-ML#debug ip ospf eve
OSPF events debugging is on
01:27:16: OSPF: Send with youngest Key 1
01:27:17: OSPF: Send with youngest Key 2
01:27:21: OSPF: Rcv hello from 10.1.1.1 area 0 from Serial1/0 192.168.1.1
01:27:21: OSPF: End of hello processing
01:27:23: OSPF: Rcv hello from 202.96.128.166 area 0 from Serial1/1 61.144.56.100
01:27:23: OSPF: End of hello processing

It sends two keys and goes off to open the doors by itself; there is no alarm anyway, so just keep trying, hehe.

Running sho ip rout again gives the same result. Nothing has changed; it seems the Party's mass base is quite solid, and nobody has been abandoned.

Regret

There is one thing here:

CJ-ML(config-if)#ip ospf message-digest-key 2 md5 ?
<0-7> Encryption type (0 for not yet encrypted, 7 for proprietary)

Judging by the prompt, this sets the encryption level. When I set different levels with the same password and the same key number, authentication still passed just the same. I don't know what its real purpose is.

Settling the bill

OSPF authentication settings:

int s1/1
ip ospf message-digest-key 1 (key number) md5 ccna (authentication password)
router ospf 100
area 0 authentication message-digest (apply)
Original poster. Posted: 07-03-21 21:51
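The receiver-side checks behind the debug lines in the post above, as an added Python example that is not part of the original post and not Cisco's code: it builds an OSPFv2 header with the RFC 2328 MD5 trailer and applies the type, key ID, sequence and digest checks. Assumptions: the Hello body is a constructed placeholder, the header checksum is left at 0, and every result string except the type-mismatch one is a label made up here.

```python
import hashlib
import hmac
import socket
import struct

# OSPFv2 header (24 bytes); the last four fields are the 64-bit auth field as
# laid out for cryptographic authentication: 0, Key ID, digest length, sequence.
HDR = struct.Struct("!BBH4s4sHHHBBI")

def pad_key(secret):
    """The shared secret is padded with zero bytes to 16 bytes."""
    return secret.encode().ljust(16, b"\0")[:16]

def build(router_id, body, keys=None, key_id=0, seq=0):
    """keys=None sends AuType 0; otherwise AuType 2 with an MD5 trailer."""
    autype, dlen = (2, 16) if keys else (0, 0)
    pkt = HDR.pack(2, 1, HDR.size + len(body), socket.inet_aton(router_id),
                   socket.inet_aton("0.0.0.0"), 0, autype, 0,
                   key_id if keys else 0, dlen, seq if keys else 0) + body
    if keys:  # the digest covers packet + padded key and is appended after it
        pkt += hashlib.md5(pkt + pad_key(keys[key_id])).digest()
    return pkt

def verify(pkt, keys=None, last_seq=0):
    """Check a packet on an interface configured with `keys` (None = AuType 0)."""
    _, _, length, _, _, _, autype, _, key_id, dlen, seq = HDR.unpack_from(pkt)
    ours = 2 if keys else 0
    if autype != ours:
        return (f"Mismatch Authentication type. Input packet specified "
                f"type {autype}, we use type {ours}")
    if ours == 0:
        return "accepted"
    if key_id not in keys:
        return f"no key {key_id} configured"      # label made up for this example
    if seq < last_seq:
        return "stale sequence number"            # label made up for this example
    expected = hashlib.md5(pkt[:length] + pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, pkt[length:length + dlen]):
        return "digest mismatch"                  # label made up for this example
    return "accepted"

BODY = b"constructed-hello-body"                  # stand-in, not a real Hello payload
QT_HELLO = build("10.1.1.1", BODY, {1: "ccna"}, key_id=1, seq=100)
ML_PLAIN = build("172.16.56.20", BODY)            # CJ-ML before it was configured
```

The key ID travels in the packet, so the key numbers must match on both ends of a link as well as the passwords, which is why key 1/ccna and key 2/nnca can coexist on CJ-ML's two interfaces.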