Mr.Chan


OSPF Authentication Sample Configuration

This document shows sample configurations for OSPF authentication. OSPF supports two types of authentication: plain text and MD5. When you configure authentication, you must configure the entire area with the same type of authentication. Starting with Cisco IOS Software Release 12.0.8, authentication is also supported on a per-interface basis (the interface command ip ospf authentication [message-digest], as opposed to the area-wide area <area-id> authentication used in the examples below), as described in RFC 2328, Appendix D. This feature was added under Cisco bug ID CSCdk33792; registered CCO users who are logged in can view the bug details.

Take the following network as an example.

Network diagram (image not reproduced here). As the configurations below show, R1-7010 Serial1/0 (192.16.64.1) and R4-4K Serial2 (192.16.64.2) are directly connected over 192.16.64.0/24, and both routers are in area 0.

Plain Text Authentication Configuration

Plain text authentication is useful mainly as protection against accidental OSPF misconfiguration, for example a reconfigured or unintended router trying to form an adjacency, not as protection against an attacker: the password is carried unencrypted in the authentication field of every OSPF packet, so anyone who can capture traffic on the segment can read it. Plain text authentication passwords do not have to be the same throughout an area, but they must be the same between neighbors.
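To make the "carried unencrypted" point concrete, here is an added example (not part of the original document or Cisco's code) that builds an OSPFv2 Hello with Type 1 authentication exactly as RFC 2328 Appendix D lays it out, verifies it the way a receiver would, and then shows what a passive listener on the link recovers from the same bytes. Router ID 172.16.13.1, area 0 and the key "kal" are taken from the configuration and debug output on this page; the Hello body values (10 s hello, 40 s dead, no DR/BDR on a serial link) are assumed.

```python
"""Constructed OSPFv2 Hello with Type 1 (plain text) authentication, laid
out per RFC 2328 Appendix D.  This is an example added to this page, not
Cisco code.  Router ID 172.16.13.1, area 0 and the key "kal" come from the
configuration and debug output on this page; the Hello body values are
assumed (10 s hello, 40 s dead, no DR/BDR on the serial link)."""
import ipaddress
import struct

OSPF_AUTH_NULL, OSPF_AUTH_SIMPLE, OSPF_AUTH_MD5 = 0, 1, 2   # AuType values
OSPF_HEADER = "!BBHIIHH"   # version, type, length, router ID, area ID, checksum, AuType

R1_ID = int(ipaddress.IPv4Address("172.16.13.1"))           # router ID in the debug output
AREA_0 = 0
# Constructed Hello body: netmask, HelloInterval, Options, Rtr Pri, RouterDeadInterval, DR, BDR
HELLO_BODY = struct.pack("!IHBBIII", int(ipaddress.IPv4Address("255.255.255.0")),
                         10, 0x02, 1, 40, 0, 0)


def ospf_checksum(data: bytes) -> int:
    """Standard 16-bit ones'-complement checksum (RFC 2328 D.4.2).  Callers
    pass the packet with the checksum and the 64-bit authentication field
    zeroed; zeroing the auth field is how it is excluded from the sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_plaintext_hello(router_id: int, area_id: int, password: bytes,
                          body: bytes = HELLO_BODY) -> bytes:
    """Header + body with AuType 1.  The password itself (at most 8 bytes,
    the limit of 'ip ospf authentication-key') is written into the
    64-bit authentication field, zero-padded."""
    if len(password) > 8:
        raise ValueError("plain text OSPF key is at most 8 bytes")
    length = 24 + len(body)
    unsummed = struct.pack(OSPF_HEADER, 2, 1, length, router_id, area_id, 0, OSPF_AUTH_SIMPLE)
    cksum = ospf_checksum(unsummed + bytes(8) + body)
    header = struct.pack(OSPF_HEADER, 2, 1, length, router_id, area_id, cksum, OSPF_AUTH_SIMPLE)
    return header + password.ljust(8, b"\x00") + body


def verify_plaintext(packet: bytes, configured_key: bytes) -> bool:
    """Receiver side (RFC 2328 D.4.2): AuType must be 1, the auth field must
    equal the interface's configured key, and the checksum must hold over
    everything except the auth field."""
    version, _ptype, length, _rid, _aid, cksum, autype = struct.unpack(OSPF_HEADER, packet[:16])
    if version != 2 or autype != OSPF_AUTH_SIMPLE or len(packet) != length:
        return False
    if packet[16:24] != configured_key.ljust(8, b"\x00"):
        return False
    zeroed = packet[:12] + bytes(2) + packet[14:16] + bytes(8) + packet[24:]
    return ospf_checksum(zeroed) == cksum


def sniff_plaintext_key(packet: bytes):
    """What a passive observer on the segment learns: with AuType 1 the key is
    simply bytes 16..24 of every OSPF packet.  Returns None for other AuTypes."""
    (autype,) = struct.unpack("!H", packet[14:16])
    if autype != OSPF_AUTH_SIMPLE:
        return None
    return packet[16:24].rstrip(b"\x00")


if __name__ == "__main__":
    pkt = build_plaintext_hello(R1_ID, AREA_0, b"kal")
    print("accepted with key 'kal':", verify_plaintext(pkt, b"kal"))
    print("key read straight off the wire:", sniff_plaintext_key(pkt))
```

Two details worth noticing: the checksum deliberately excludes the authentication field, so two packets that differ only in the password carry the same checksum, and nothing in the packet ties the password to its contents. That is why this mode only catches misconfiguration; anyone who can read the segment can both learn the key and replay or forge packets with it.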

--------------------------------------------------------
R4-4K
interface Loopback0
 ip address 70.70.70.70 255.255.255.255
!
interface Serial2
 ip address 192.16.64.2 255.255.255.0
 ip ospf authentication-key kal
!
router ospf 10
 network 192.16.64.0 0.0.0.255 area 0
 network 70.0.0.0 0.255.255.255 area 0
 area 0 authentication

---------------------------------------------------------------
R1-7010
interface Loopback0
 ip address 172.16.10.36 255.255.255.240
!
interface Serial1/0
 ip address 192.16.64.1 255.255.255.0
 ip ospf authentication-key kal
!
router ospf 10
 network 172.16.0.0 0.0.255.255 area 0
 network 192.16.64.0 0.0.0.255 area 0
 area 0 authentication

Debug and verification tips
Here is the debug output for R1-7010:
 R1-7010#debug ip ospf adj
      OSPF: Receive dbd from 70.70.70.70 seq 0x14B
      OSPF: 2 Way Communication to neighbor 70.70.70.70
      OSPF: send DBD packet to 192.16.64.2 seq 0x1797
      OSPF: Receive dbd from 70.70.70.70 seq 0x1797
      OSPF: NBR Negotiation Done  We are the MASTER
      OSPF: send DBD packet to 192.16.64.2 seq 0x1798
      OSPF: Database request to 70.70.70.70
      OSPF: sent LS REQ packet to 192.16.64.2, length 12
      OSPF: Receive dbd from 70.70.70.70 seq 0x1798
      OSPF: send DBD packet to 192.16.64.2 seq 0x1799
      OSPF: Receive dbd from 70.70.70.70 seq 0x1799
      OSPF: Exchange Done with neighbor 70.70.70.70
      OSPF: Synchronized with neighbor 70.70.70.70, state:FULL
      OSPF: Build router LSA, router ID 172.16.13.1
 R1-7010#show ip ospf neighbor
      Neighbor ID     Pri   State           Dead Time   Address         Interface
      70.70.70.70       1   FULL/  -        00:00:36     192.16.64.2     Serial1/0
 R1-7010#show ip route 
      O    70.70.70.70 [110/65] via 192.16.64.2, 00:01:27, Serial1/0
      C    192.16.64.0/24 is directly connected, Serial1/0


MD5 Authentication Configuration

Message Digest 5 (MD5) authentication provides higher security than plain text authentication: the password itself is never sent, and each packet instead carries a key ID, a cryptographic sequence number and an MD5 digest computed over the packet and the key. As with plain text authentication, passwords do not have to be the same throughout an area, but they must be the same between neighbors. MD5 authentication uses a key ID, which lets the router reference multiple passwords and makes password migration easier and more secure. For example, to migrate from one password to another, configure the new password under a different key ID and then remove the first key.
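The following added example (not part of the original document or Cisco's code) implements the Type 2 send and receive steps from RFC 2328 Appendix D.3 and D.4.3 and walks through the key migration this paragraph describes: the receiver keeps its keys indexed by key ID, a second key is added, the sender moves to it, the old key is removed, and a replayed packet and a tampered packet are both rejected. Router ID 70.70.70.70, key ID 1 and the key "kal" come from the configuration below; the Hello body, the second key "newkey" and the sequence numbers are assumed.

```python
"""Constructed OSPFv2 packets with Type 2 (MD5) authentication, laid out per
RFC 2328 Appendix D.3 and D.4.3.  This is an example added to this page, not
Cisco code.  Router ID 70.70.70.70, key ID 1 and key "kal" come from the
configuration below; the Hello body, the second key "newkey" and the
sequence numbers are assumed."""
import hashlib
import hmac
import ipaddress
import struct

OSPF_AUTH_MD5 = 2
OSPF_HEADER = "!BBHIIHH"   # version, type, length, router ID, area ID, checksum, AuType
AUTH_FIELD = "!HBBI"       # 0, Key ID, Auth Data Length, cryptographic sequence number

R4_ID = int(ipaddress.IPv4Address("70.70.70.70"))
# Constructed Hello body: netmask, HelloInterval, Options, Rtr Pri, RouterDeadInterval, DR, BDR
HELLO_BODY = struct.pack("!IHBBIII", int(ipaddress.IPv4Address("255.255.255.0")),
                         10, 0x02, 1, 40, 0, 0)


def md5_auth_digest(packet: bytes, key: bytes) -> bytes:
    """D.4.3: MD5 over the packet (checksum field 0, auth field holding key
    ID / length / sequence) followed by the key zero-padded to 16 bytes.
    Only this digest goes on the wire, never the key.  It is keyed MD5 as
    RFC 2328 specifies, not an HMAC."""
    if len(key) > 16:
        raise ValueError("OSPF MD5 key is at most 16 bytes")
    return hashlib.md5(packet + key.ljust(16, b"\x00")).digest()


def build_md5_hello(router_id: int, area_id: int, key_id: int, key: bytes,
                    seq: int, body: bytes = HELLO_BODY) -> bytes:
    """The length field excludes the 16-byte digest appended after the
    packet, and the checksum field is 0 for AuType 2."""
    length = 24 + len(body)
    header = struct.pack(OSPF_HEADER, 2, 1, length, router_id, area_id, 0, OSPF_AUTH_MD5)
    auth = struct.pack(AUTH_FIELD, 0, key_id, 16, seq)
    packet = header + auth + body
    return packet + md5_auth_digest(packet, key)


class Md5Interface:
    """Receiving side of one interface: the keys configured with
    'ip ospf message-digest-key <id> md5 <key>' indexed by key ID, plus the
    last accepted sequence number per neighbour for replay protection."""

    def __init__(self, keys):
        self.keys = dict(keys)   # key ID -> key bytes
        self.last_seq = {}       # neighbour router ID -> last accepted sequence number

    def verify(self, packet: bytes):
        """Returns (accepted, reason), following the receive steps of D.4.3."""
        _ver, _ptype, length, rid, _aid, cksum, autype = struct.unpack(OSPF_HEADER, packet[:16])
        if autype != OSPF_AUTH_MD5 or cksum != 0:
            return False, "not an MD5-authenticated packet"
        _zero, key_id, auth_len, seq = struct.unpack(AUTH_FIELD, packet[16:24])
        if auth_len != 16 or len(packet) != length + 16:
            return False, "bad authentication data length"
        key = self.keys.get(key_id)                          # step 1: find the key by Key ID
        if key is None:
            return False, "unknown key ID %d" % key_id
        expected = md5_auth_digest(packet[:length], key)     # step 2: recompute the digest
        if not hmac.compare_digest(expected, packet[length:]):
            return False, "digest mismatch with key ID %d" % key_id
        if seq < self.last_seq.get(rid, 0):                  # step 3: sequence must not go backwards
            return False, "replayed sequence number %d" % seq
        self.last_seq[rid] = seq
        return True, "accepted with key ID %d" % key_id


def key_rollover_demo():
    """Key migration as the text describes: add the new key under a second
    key ID on the receiver, let the sender move to it, then remove the old
    key.  Returns the (accepted, reason) results in order."""
    r1 = Md5Interface({1: b"kal"})           # R1-7010 Serial1/0 as configured on this page
    results = []
    old = build_md5_hello(R4_ID, 0, 1, b"kal", seq=100)
    results.append(r1.verify(old))                                                  # accepted with key ID 1
    results.append(r1.verify(build_md5_hello(R4_ID, 0, 2, b"newkey", seq=101)))   # unknown key ID 2
    r1.keys[2] = b"newkey"                   # 'ip ospf message-digest-key 2 md5 newkey' (assumed key)
    results.append(r1.verify(build_md5_hello(R4_ID, 0, 2, b"newkey", seq=101)))   # accepted with key ID 2
    results.append(r1.verify(old))                                                  # replayed sequence 100
    del r1.keys[1]                           # 'no ip ospf message-digest-key 1'
    results.append(r1.verify(build_md5_hello(R4_ID, 0, 1, b"kal", seq=102)))      # unknown key ID 1
    tampered = bytearray(build_md5_hello(R4_ID, 0, 2, b"newkey", seq=103))
    tampered[31] ^= 0x01                     # flip Rtr Pri in the body: the digest no longer matches
    results.append(r1.verify(bytes(tampered)))                                      # digest mismatch
    return results


if __name__ == "__main__":
    for accepted, reason in key_rollover_demo():
        print("ACCEPT" if accepted else "REJECT", reason)
```

The sender's half of the rollover is what the "Send with youngest Key 1" lines in the debug output below report: outgoing packets are authenticated with the most recently configured key, so adding key 2 on both routers moves transmission to it while the receiver still accepts key 1, and the old key can then be removed without dropping the adjacency. Two caveats a practitioner should keep in mind: the replay check only rejects sequence numbers that go backwards, so it protects against stale packets rather than an attacker who can capture and forward live ones, and the digest is plain keyed MD5, not an HMAC; RFC 5709 later defined HMAC-SHA authentication for OSPFv2 and should be preferred where both ends support it.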

----------------------------------------------------------
R4-4K
interface Loopback0
 ip address 70.70.70.70 255.255.255.255
!
interface Serial2
 ip address 192.16.64.2 255.255.255.0
 ip ospf message-digest-key 1 md5 kal
!
router ospf 10
 network 192.16.64.0 0.0.0.255 area 0
 network 70.0.0.0 0.255.255.255 area 0
 area 0 authentication message-digest

--------------------------------------------------------------
R1-7010
interface Loopback0
 ip address 172.16.10.36 255.255.255.240
!
interface Serial1/0
 ip address 192.16.64.1 255.255.255.0
 ip ospf message-digest-key 1 md5 kal
!
router ospf 10
 network 172.16.0.0 0.0.255.255 area 0
 network 192.16.64.0 0.0.0.255 area 0
 area 0 authentication message-digest

Debug and verification tips
Here is the debug output for R1-7010:
 R1-7010#debug ip ospf adj
      OSPF: Send with youngest Key 1
      OSPF: Receive dbd from 70.70.70.70 seq 0xEDC
      OSPF: 2 Way Communication to neighbor 70.70.70.70
      OSPF: send DBD packet to 192.16.64.2 seq 0x9A3
      OSPF: Send with youngest Key 1
      OSPF: Receive dbd from 70.70.70.70 seq 0x9A3
      OSPF: NBR Negotiation Done  We are the MASTER
      OSPF: send DBD packet to 192.16.64.2 seq 0x9A4
      OSPF: Send with youngest Key 1
      OSPF: Send with youngest Key 1
      OSPF: Database request to 70.70.70.70
      OSPF: sent LS REQ packet to 192.16.64.2, length 12
      OSPF: Receive dbd from 70.70.70.70 seq 0x9A4
      OSPF: send DBD packet to 192.16.64.2 seq 0x9A5
      OSPF: Send with youngest Key 1
      OSPF: Send with youngest Key 1
      OSPF: Receive dbd from 70.70.70.70 seq 0x9A5
      OSPF: Exchange Done with neighbor 70.70.70.70
      OSPF: Synchronized with neighbor 70.70.70.70, state:FULL
      OSPF: Build router LSA, router ID 172.16.13.1
 R1-7010#show ip ospf neighbor
      Neighbor ID     Pri   State           Dead Time   Address         Interface
      70.70.70.70       1   FULL/  -        00:00:38     192.16.64.2     Serial1/0
 R1-7010#show ip route
      O       70.70.70.70 [110/65] via 192.16.64.2, 00:00:59, Serial1/0
      C    192.16.64.0/24 is directly connected, Serial1/0

posted on 2005-05-23 08:26 cunshen