9.3 配置OSPF的认证
9.3.1 原理概述
OSPF支持报文验证功能,只有通过验证的报文才能接收,否则将不能正常建立邻居关系。OSPF协议支持两种认证方式——区域认证和链路认证。使用区域认证时,一个区域中所有的路由器在该区域下的认证模式和口令必须一致;OSPF链路认证相比于区域认证更加灵活,可专门针对某个邻居设置单独的认证模式和密码。如果同时配置了接口认证和区域认证时,优先使用接口认证建立OSPF邻居。
每种认证方式又分为简单验证模式、MD5验证模式和Key chain验证模式。简单验证模式在数据传递过程中,认证密钥和密钥ID都是明文传输,很容易被截获;MD5验证模式下的密钥是经过MD5加密传输,相比于简单验证模式更为安全;Key chain验证模式可以同时配置多个密钥,不同密钥可单独设置生效周期等。
9.3.2 实验内容
本实验模拟企业网络环境。R3、R5、R6属于公司总部骨干区域路由器,R2为ABR。公司分部路由器R1和R4都属于区域1,但分属不同部门,R1作为市场部门网关,R4作为财务部门网关。网络管理员在区域0和区域1上配置OSPF区域认证,其中区域0开启密文认证,区域1开启明文认证。为进一步提高该OSPF网络安全性,R2和R4上单独设置密钥,配置OSPF链路认证。
9.3.3 实验拓扑
9.3.4 实验编址表
| 设备 | 接口 | IP地址 | 子网掩码 | 默认网关 |
|---|---|---|---|---|
| AR1(AR2220) | Loopback 0 | 1.1.1.1 | 255.255.255.255 | N/A |
| AR1(AR2220) | GE 0/0/0 | 172.16.1.1 | 255.255.255.252 | N/A |
| AR2(AR2220) | Loopback 0 | 2.2.2.2 | 255.255.255.255 | N/A |
| AR2(AR2220) | GE 0/0/0 | 172.16.1.2 | 255.255.255.252 | N/A |
| AR2(AR2220) | GE 0/0/1 | 172.16.2.2 | 255.255.255.252 | N/A |
| AR2(AR2220) | GE 0/0/2 | 172.16.3.1 | 255.255.255.252 | N/A |
| AR3(AR2220) | Loopback 0 | 3.3.3.3 | 255.255.255.255 | N/A |
| AR3(AR2220) | GE 0/0/0 | 172.16.4.2 | 255.255.255.252 | N/A |
| AR3(AR2220) | GE 0/0/1 | 172.16.5.2 | 255.255.255.252 | N/A |
| AR3(AR2220) | GE 0/0/2 | 172.16.3.2 | 255.255.255.252 | N/A |
| AR4(AR2220) | Loopback 0 | 4.4.4.4 | 255.255.255.255 | N/A |
| AR4(AR2220) | GE 0/0/1 | 172.16.2.1 | 255.255.255.252 | N/A |
| AR5(AR2220) | Loopback 0 | 5.5.5.5 | 255.255.255.255 | N/A |
| AR5(AR2220) | GE 0/0/0 | 172.16.4.1 | 255.255.255.252 | N/A |
| AR6(AR2220) | Loopback 0 | 6.6.6.6 | 255.255.255.255 | N/A |
| AR6(AR2220) | GE 0/0/1 | 172.16.5.1 | 255.255.255.252 | N/A |
9.3.5 实验步骤
1、基本配置
根据实验编址表进行相应的基本配置,并测试各直连链路的连通性。
[AR1]interface GigabitEthernet 0/0/0
[AR1-GigabitEthernet0/0/0]ip address 172.16.1.1 255.255.255.252
[AR1-GigabitEthernet0/0/0]interface loopback 0
[AR1-LoopBack0]ip address 1.1.1.1 255.255.255.255
[AR2]interface GigabitEthernet 0/0/0
[AR2-GigabitEthernet0/0/0]ip address 172.16.1.2 255.255.255.252
[AR2-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[AR2-GigabitEthernet0/0/1]ip address 172.16.2.2 255.255.255.252
[AR2-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/2
[AR2-GigabitEthernet0/0/2]ip address 172.16.3.1 255.255.255.252
[AR2-GigabitEthernet0/0/2]interface loopback 0
[AR2-LoopBack0]ip address 2.2.2.2 255.255.255.255
[AR3]interface GigabitEthernet 0/0/0
[AR3-GigabitEthernet0/0/0]ip address 172.16.4.2 255.255.255.252
[AR3-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[AR3-GigabitEthernet0/0/1]ip address 172.16.5.2 255.255.255.252
[AR3-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/2
[AR3-GigabitEthernet0/0/2]ip address 172.16.3.2 255.255.255.252
[AR3-GigabitEthernet0/0/2]interface loopback 0
[AR3-LoopBack0]ip address 3.3.3.3 255.255.255.255
[AR4]interface GigabitEthernet 0/0/1
[AR4-GigabitEthernet0/0/1]ip address 172.16.2.1 255.255.255.252
[AR4-GigabitEthernet0/0/1]interface loopback 0
[AR4-LoopBack0]ip address 4.4.4.4 255.255.255.255
[AR5]interface GigabitEthernet 0/0/0
[AR5-GigabitEthernet0/0/0]ip address 172.16.4.1 255.255.255.252
[AR5-GigabitEthernet0/0/0]interface loopback 0
[AR5-LoopBack0]ip address 5.5.5.5 255.255.255.255
[AR6]interface GigabitEthernet 0/0/1
[AR6-GigabitEthernet0/0/1]ip address 172.16.5.1 255.255.255.252
[AR6-GigabitEthernet0/0/1]interface loopback 0
[AR6-LoopBack0]ip address 6.6.6.6 255.255.255.255
[AR5]ping 172.16.4.2
PING 172.16.4.2: 56 data bytes, press CTRL_C to break
Reply from 172.16.4.2: bytes=56 Sequence=1 ttl=255 time=100 ms
Reply from 172.16.4.2: bytes=56 Sequence=2 ttl=255 time=20 ms
Reply from 172.16.4.2: bytes=56 Sequence=3 ttl=255 time=20 ms
Reply from 172.16.4.2: bytes=56 Sequence=4 ttl=255 time=10 ms
Reply from 172.16.4.2: bytes=56 Sequence=5 ttl=255 time=30 ms
--- 172.16.4.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 10/36/100 ms
2、搭建OSPF网络
在路由器上面进行OSPF多区域 配置。
[AR1]ospf 1
[AR1-ospf-1]area 1
[AR1-ospf-1-area-0.0.0.1]network 172.16.1.0 0.0.0.3
[AR1-ospf-1-area-0.0.0.1]network 1.1.1.1 0.0.0.0
[AR2]ospf 1
[AR2-ospf-1]area 0
[AR2-ospf-1-area-0.0.0.0]network 172.16.3.0 0.0.0.3
[AR2-ospf-1-area-0.0.0.0]network 2.2.2.2 0.0.0.0
[AR2-ospf-1-area-0.0.0.0]area 1
[AR2-ospf-1-area-0.0.0.1]network 172.16.1.0 0.0.0.3
[AR2-ospf-1-area-0.0.0.1]network 172.16.2.0 0.0.0.3
[AR3]ospf 1
[AR3-ospf-1]area 0
[AR3-ospf-1-area-0.0.0.0]network 172.16.3.0 0.0.0.3
[AR3-ospf-1-area-0.0.0.0]network 172.16.4.0 0.0.0.3
[AR3-ospf-1-area-0.0.0.0]network 172.16.5.0 0.0.0.3
[AR3-ospf-1-area-0.0.0.0]network 3.3.3.3 0.0.0.0
[AR4]ospf 1
[AR4-ospf-1]area 1
[AR4-ospf-1-area-0.0.0.1]network 172.16.2.0 0.0.0.3
[AR4-ospf-1-area-0.0.0.1]network 4.4.4.4 0.0.0.0
[AR5]ospf 1
[AR5-ospf-1]area 0
[AR5-ospf-1-area-0.0.0.0]network 172.16.4.0 0.0.0.3
[AR5-ospf-1-area-0.0.0.0]network 5.5.5.5 0.0.0.0
[AR6]ospf 1
[AR6-ospf-1]area 0
[AR6-ospf-1-area-0.0.0.0]network 172.16.5.0 0.0.0.3
[AR6-ospf-1-area-0.0.0.0]network 6.6.6.6 0.0.0.0
配置完成后测试环回接口的连通性。
[AR1]ping 6.6.6.6
PING 6.6.6.6: 56 data bytes, press CTRL_C to break
Reply from 6.6.6.6: bytes=56 Sequence=1 ttl=253 time=40 ms
Reply from 6.6.6.6: bytes=56 Sequence=2 ttl=253 time=30 ms
Reply from 6.6.6.6: bytes=56 Sequence=3 ttl=253 time=40 ms
Reply from 6.6.6.6: bytes=56 Sequence=4 ttl=253 time=30 ms
Reply from 6.6.6.6: bytes=56 Sequence=5 ttl=253 time=40 ms
--- 6.6.6.6 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 30/36/40 ms
3、配置公司分部OSPF区域明文认证
在R1上OSPF的区域1视图模式下使用authentication-mode命令指定该区域使用认证模式为simple,即简单认证模式,配置口令为huawei1,并配置plain参数。配置plain参数后,可以使得在查看配置文件时,口令均已明文方式显示,如果不设置该参数的话,在查看配置文件时候,默认会以密文的方式显示,即无法查看所配置的口令。
[AR1]ospf 1
[AR1-ospf-1]area 1
[AR1-ospf-1-area-0.0.0.1]authentication-mode simple huawei1
[AR2]ospf 1
[AR2-ospf-1]area 1
[AR2-ospf-1-area-0.0.0.1]authentication-mode simple huawei1
[AR4]ospf 1
[AR4-ospf-1]area 1
[AR4-ospf-1-area-0.0.0.1]authentication-mode simple huawei1
[AR1-ospf-1-area-0.0.0.1]display this
[V200R003C00]
#
area 0.0.0.1
authentication-mode simple cipher %$%$BbG9=_{ART!AY{$~;@|"SV.u%$%$
network 1.1.1.1 0.0.0.0
network 172.16.1.0 0.0.0.3
#
return
配置完成后再R2上面查看OSPF邻居关系。
[AR2]display ospf peer brief
OSPF Process 1 with Router ID 172.16.1.2
Peer Statistic Information
----------------------------------------------------------------------------
Area Id Interface Neighbor id State
0.0.0.0 GigabitEthernet0/0/2 172.16.4.2 Full
0.0.0.1 GigabitEthernet0/0/0 172.16.1.1 Full
0.0.0.1 GigabitEthernet0/0/1 172.16.2.1 Full
----------------------------------------------------------------------------
4、配置公司总部OSPF区域密文认证
在R2上配置OSPF area 0区域认证,使用验证模式为MD5,验证字标识符为1,配置口令为huawei3
[AR2]ospf 1
[AR2-ospf-1]area 0
[AR2-ospf-1-area-0.0.0.0]authentication-mode md5 1 huawei3
[AR3]ospf 1
[AR3-ospf-1]area 0
[AR3-ospf-1-area-0.0.0.0]authentication-mode md5 1 huawei3
[AR5]ospf 1
[AR5-ospf-1]area 0
[AR5-ospf-1-area-0.0.0.0]authentication-mode md5 1 huawei3
[AR6]ospf 1
[AR6-ospf-1]area 0
[AR6-ospf-1-area-0.0.0.0]authentication-mode md5 1 huawei3
配置完成后想R3上面查看邻居状态。
[AR3]display ospf peer brief
OSPF Process 1 with Router ID 172.16.4.2
Peer Statistic Information
----------------------------------------------------------------------------
Area Id Interface Neighbor id State
0.0.0.0 GigabitEthernet0/0/0 172.16.4.1 Full
0.0.0.0 GigabitEthernet0/0/1 172.16.5.1 Full
0.0.0.0 GigabitEthernet0/0/2 172.16.1.2 Full
----------------------------------------------------------------------------
5、配置OSPF链路认证
在上面两个步骤中,使用了OSPF的区域认证方式配置了OSPF认证,使用链路认证方式配置可以达到同样的效果。如果采用链路认证的方式,就需要在同一OSPF的链路接口下都配置链路认证的命令,设置验证模式和口令等参数;而采用区域认证的方式时,在同一区域中,仅需在OSPF进程下的相应区域视图下配置一条命令来设置验证模式和口令即可,大大节省了配置量,所以在同一区域中如果有多台OSPF设备需要配置认证,建议选用区域认证的方式进行配置。
目前公司分部的OSPF区域中配置了简单模式的区域认证,为了进一步提升R2与R4之间的OSPF网络安全性,网络管理员需要在两台设备之间部署MD5验证模式的OSPF链路认证。
在R2的GE 0/0/1接口下使用ospf authentication-mode命令配置链路认证,配置使用MD5验证模式,验证字标识符为1,口令为huawei5。
[AR2]interface GigabitEthernet 0/0/1
[AR2-GigabitEthernet0/0/1]ospf authentication-mode md5 1 huawei5
[AR4]interface GigabitEthernet 0/0/1
[AR4-GigabitEthernet0/0/1]ospf authentication-mode md5 1 huawei5
配置完成后,等待一段时间,查看OSPF的邻居信息,并测试连通性。
[AR4]display ospf peer brief
OSPF Process 1 with Router ID 172.16.2.1
Peer Statistic Information
----------------------------------------------------------------------------
Area Id Interface Neighbor id State
0.0.0.1 GigabitEthernet0/0/1 172.16.1.2 Full
----------------------------------------------------------------------------
[AR6]ping 4.4.4.4
PING 4.4.4.4: 56 data bytes, press CTRL_C to break
Reply from 4.4.4.4: bytes=56 Sequence=1 ttl=253 time=30 ms
Reply from 4.4.4.4: bytes=56 Sequence=2 ttl=253 time=30 ms
Reply from 4.4.4.4: bytes=56 Sequence=3 ttl=253 time=40 ms
Reply from 4.4.4.4: bytes=56 Sequence=4 ttl=253 time=40 ms
Reply from 4.4.4.4: bytes=56 Sequence=5 ttl=253 time=30 ms
--- 4.4.4.4 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 30/34/40 ms
