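Configuring RIP Authentication
Lab Objective
Use the authentication feature of RIP version 2 to improve network security. Learn to use both RIPv2 authentication types: plaintext and MD5.
Pre-configuration:
Step 1: Configure R1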
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface S1/2
R1(config-if)#no shutdown
R1(config-if)#ip address 192.168.0.1 255.255.255.0
R1(config-if)#interface loopback0
R1(config-if)#ip address 172.16.1.1 255.255.255.0
R1(config-if)#exit
R1(config)#router rip
R1(config-router)#version 2
R1(config-router)#network 172.16.1.1
R1(config-router)#network 192.168.0.1
Step 2: Configure R2
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#interface s2/1
R2(config-if)#no shutdown
R2(config-if)#ip address 192.168.0.2 255.255.255.0
R2(config-if)#interface loopback 0
R2(config-if)#ip address 172.16.2.2 255.255.255.0
R2(config-if)#exit
R2(config)#router rip
R2(config-router)#version 2
R2(config-router)#network 192.168.0.2
R2(config-router)#network 172.16.2.2
R2(config-router)#end
R2#
Lab Procedure:
Step 1: Configure the keys on R1
R1(config)#key chain R1 // create a key chain named R1
R1(config-keychain)#key 1 // the first key under R1 is cisco
R1(config-keychain-key)#key-string cisco
R1(config-keychain-key)#exit
R1(config-keychain)#key 2 // the second key under R1 is cisco1
R1(config-keychain-key)#key-string cisco1
R1(config-keychain-key)#exit
R1(config-keychain)#exit
R1(config)#
R1(config)#interface s1/2
R1(config-if)#ip rip authentication mode md5 // use MD5 authentication; the default is plaintext
R1(config-if)#ip rip authentication key-chain R1 // make RIP authentication use key chain R1
R1(config-if)#end
Step 2: Debug on R1 with debug ip rip
R1#debug ip rip
RIP protocol debugging is on
R1#
00:36:44: RIP: sending v2 update to 224.0.0.9 via Serial1/2 (192.168.0.1)
00:36:44: 172.16.0.0/16 ->
00:36:44: RIP: sending v2 update to 224.0.0.9 via Loopback0 (172.16.1.1)
00:36:44: 192.168.0.0/24 ->
00:36:44: RIP: ignored v2 packet from 172.16.1.1 (sourced from one of our addresses)
R1#
00:36:48: RIP: ignored v2 packet from 192.168.0.2 (invalid authentication)
// Authentication between R1 and R2 fails, because R2 has not been configured for authentication yet.
R1#show ip protocols
Routing Protocol is "rip"
Sending updates every 30 seconds, next due in 27 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Outgoing update filter list for all interfaces is
Incoming update filter list for all interfaces is
Redistributing: rip
Default version control: send version 2, receive version 2
Interface Send Recv Key-chain
Serial1/2 2 2 R1
Loopback0 2 2
Routing for Networks:
172.16.0.0
192.168.0.0
Routing Information Sources:
Gateway Distance Last Update
Distance: (default is 120)
Using show ip protocols, you can see that RIP updates on the Serial1/2 interface use key chain R1.
Step 3: Now configure authentication on R2
R2(config)#key chain R2
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string cisco
R2(config-keychain-key)#exit
R2(config-keychain)#key 2
R2(config-keychain-key)#key-string cisco1
R2(config-keychain-key)#exit
R2(config-keychain)#exit
R2(config)#interface s2/1
R2(config-if)#ip rip authentication mode md5
R2(config-if)#ip rip authentication key-chain R2
R2(config-if)#end
R2#
Step 4: Debug on R2
R2#debug ip rip
RIP protocol debugging is on
R2#
00:49:13: RIP: sending v2 update to 224.0.0.9 via Serial2/1 (192.168.0.2)
00:49:13: 172.16.0.0/16 ->
00:49:13: RIP: sending v2 update to 224.0.0.9 via Loopback0 (172.16.2.2)
00:49:13: 172.16.0.0/16 ->
00:49:13: 192.168.0.0/24 ->
00:49:13: RIP: ignored v2 packet from 172.16.2.2 (sourced from one of our addresses)
R2#
00:49:17: RIP: received packet with MD5 authentication
00:49:17: RIP: received v2 update from 192.168.0.1 on Serial2/1
00:49:17: 172.16.0.0/16 ->
RIP: received packet with MD5 authentication
RIP MD5 authentication succeeded!
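The receiver-side check behind the "invalid authentication" and "received packet with MD5 authentication" debug lines above, as an added example that is not part of the original lab or Cisco's code. It assumes the RFC 2082 keyed-MD5 packet layout with a 16-byte NUL-padded key and an Auth Data Len of 16; the function names are hypothetical and IOS on-wire details may differ.

```python
import hashlib
import hmac
import struct

AUTH_AFI, KEYED_MD5, TRAILER = 0xFFFF, 3, 1   # RFC 2082 constants

def pad_key(key_string):
    """Key string as the 16-byte, NUL-padded field used in the digest."""
    return key_string.encode()[:16].ljust(16, b"\x00")

def route_entry(prefix, mask, metric):
    """One 20-byte RIPv2 route entry (AFI 2, tag 0, next hop 0.0.0.0)."""
    addr = lambda s: bytes(int(o) for o in s.split("."))
    return struct.pack("!HH4s4s4sI", 2, 0, addr(prefix), addr(mask), bytes(4), metric)

def build_update(routes, key_id, key_string, seq):
    """RIPv2 response with a keyed-MD5 authentication entry and trailer."""
    body = b"".join(route_entry(*r) for r in routes)
    pkt_len = 4 + 20 + len(body)                 # offset of the trailer
    head = struct.pack("!BBH", 2, 2, 0)          # command=response, version=2
    auth = struct.pack("!HHHBBIII", AUTH_AFI, KEYED_MD5, pkt_len, key_id, 16, seq, 0, 0)
    signed = head + auth + body + struct.pack("!HH", AUTH_AFI, TRAILER)
    # The digest covers packet + key; only the digest goes on the wire.
    return signed + hashlib.md5(signed + pad_key(key_string)).digest()

def verify_update(packet, key_chain, last_seq=0):
    """Receiver-side check: 'accepted' or the reason the packet is ignored."""
    if len(packet) < 44:                         # too short for auth entry + trailer
        return "invalid authentication"
    afi, atype, pkt_len, key_id, _, seq = struct.unpack("!HHHBBI", packet[4:16])
    key = key_chain.get(key_id)                  # key selected by the packet's Key ID
    if (afi, atype) != (AUTH_AFI, KEYED_MD5) or key is None or len(packet) != pkt_len + 20:
        return "invalid authentication"
    signed, digest = packet[:pkt_len + 4], packet[pkt_len + 4:]
    if not hmac.compare_digest(digest, hashlib.md5(signed + pad_key(key)).digest()):
        return "invalid authentication"
    return "accepted" if seq >= last_seq else "stale sequence number"

# Constructed sample: R1 advertises 172.16.0.0/16 using key 1 of the lab's key chain.
ROUTES = [("172.16.0.0", "255.255.0.0", 1)]
R1_UPDATE = build_update(ROUTES, key_id=1, key_string="cisco", seq=7)
UNAUTH_UPDATE = struct.pack("!BBH", 2, 2, 0) + route_entry(*ROUTES[0])

if __name__ == "__main__":
    print(verify_update(R1_UPDATE, {1: "cisco", 2: "cisco1"}))       # matching chain
    print(verify_update(R1_UPDATE, {1: "Cisco", 2: "cisco1"}))       # key string differs
    print(verify_update(UNAUTH_UPDATE, {1: "cisco", 2: "cisco1"}))   # no auth entry
    print(verify_update(R1_UPDATE, {1: "cisco"}, last_seq=9))        # older sequence number
```

The key chain name (R1 on one router, R2 on the other) never enters the computation; only the key ID and key string have to match on both sides.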
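Summary:
When RIP authentication is configured on R1's S1/2 interface, R1 still sends RIP updates, but when S1/2 receives a RIP update it uses its own key to decide whether to accept the RIP packet and update the routing table.
When a key chain has 2 keys, it uses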