4. Area authentication on Area 0

R1(config)#router ospf 10
R1(config-router)#area 0 authentication

R1(config-router)#
*Aug 15 23:09:32.619: %OSPF-5-ADJCHG: Process 10, Nbr 2.2.2.2 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired
The neighbor on the FastEthernet interface has been lost. The debug output shows:
R1#
*Aug 15 23:10:32.619: OSPF: Rcv pkt from 21.1.1.2, FastEthernet0/0 : Mismatch Authentication type. Input packet specified type 0, we use type 1

 

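Note that we have not configured a password. In other words, even when no password is configured, both sides must still enable authentication to keep the neighbor relationship.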
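The check behind that debug line can be reproduced at the packet level. The following is an added example, not part of the original lab: it decodes the 24-byte OSPFv2 header defined in RFC 2328 and compares the AuType field before any key is looked at. The sample header is constructed, the "key mismatch" string is this example's own, and the all-zero key field for an unconfigured password is an assumption.

```python
import socket
import struct

# OSPFv2 fixed header (RFC 2328 A.3.1): version, type, length, router ID,
# area ID, checksum, AuType, 8-byte authentication field = 24 bytes.
HEADER = struct.Struct("!BBH4s4sHH8s")

def build_header(router_id, autype, key=b""):
    """Constructed sample: header of a Hello sent in Area 0 (checksum left 0)."""
    return HEADER.pack(2, 1, 44, socket.inet_aton(router_id),
                       socket.inet_aton("0.0.0.0"), 0, autype, key.ljust(8, b"\0"))

def parse_header(pkt):
    """Decode the fixed header into a dict; only the first 24 bytes are read."""
    ver, ptype, length, rid, area, _cksum, autype, auth = HEADER.unpack(pkt[:24])
    return {"version": ver, "type": ptype, "length": length,
            "router_id": socket.inet_ntoa(rid), "area": socket.inet_ntoa(area),
            "autype": autype, "auth": auth}

def check_auth(pkt, local_autype, local_key=b""):
    """Receiver-side check: AuType is compared first, the key only afterwards."""
    hdr = parse_header(pkt)
    if hdr["autype"] != local_autype:
        return ("Mismatch Authentication type. Input packet specified type %d, "
                "we use type %d" % (hdr["autype"], local_autype))
    # Type 1 carries the password in clear text in the header. Assumption:
    # with no key configured the field is all zeros on both sides.
    if local_autype == 1 and hdr["auth"] != local_key.ljust(8, b"\0"):
        return "key mismatch"
    # Type 2 (MD5) digest verification is out of scope for this example.
    return "ok"

if __name__ == "__main__":
    # R2 has no authentication (type 0); R1 runs "area 0 authentication" (type 1).
    print(check_auth(build_header("2.2.2.2", 0), local_autype=1))
    # Both sides type 1, no key configured: accepted.
    print(check_auth(build_header("2.2.2.2", 1), local_autype=1))
```

Because the type 1 password travels unencrypted in every header, anyone who can capture OSPF packets on the segment can read it.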

 

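To restore the neighbor relationship between the FastEthernet interfaces of R1 and R2, we can use either of two methods.

The first method is to disable authentication on R1's FastEthernet interface. The configuration is as follows: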
R1(config)#int fa0/0

R1(config-if)#ip ospf authentication null

R1(config-if)#
*Aug 15 23:22:33.227: %OSPF-5-ADJCHG: Process 10, Nbr 2.2.2.2 on FastEthernet0/0 from LOADING to FULL, Loading Done
R1#show ip ospf nei

 

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/DR         00:00:39    21.1.1.2        FastEthernet0/0
2.2.2.2           0   FULL/  -        00:00:30    10.1.1.2        Serial1/0

 

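The neighbor relationship has been restored.

The second method is to enable area authentication on R2 as well, after which the neighbor relationship recovers.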
R2(config-router)#area 0 authentication

R2(config-router)#
*Aug 15 23:20:43.239: %OSPF-5-ADJCHG: Process 10, Nbr 1.1.1.1 on FastEthernet0/0 from LOADING to FULL, Loading Done
The neighbor relationship is restored this way as well.

Now we restart the OSPF process on R2.
R2#clear ip ospf pro  
Reset ALL OSPF processes? [no]: y
R2#
*Aug 15 23:28:01.275: %OSPF-5-ADJCHG: Process 10, Nbr 3.3.3.3 on OSPF_VL0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Aug 15 23:28:01.279: %OSPF-5-ADJCHG: Process 10, Nbr 1.1.1.1 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Aug 15 23:28:01.283: %OSPF-5-ADJCHG: Process 10, Nbr 1.1.1.1 on Serial1/0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Aug 15 23:28:01.331: %OSPF-5-ADJCHG: Process 10, Nbr 3.3.3.3 on Serial1/1 from FULL to DOWN, Neighbor Down: Interface down or detached
R2#   
*Aug 15 23:28:03.247: %OSPF-5-ADJCHG: Process 10, Nbr 1.1.1.1 on FastEthernet0/0 from LOADING to FULL, Loading Done
R2#
*Aug 15 23:28:05.911: %OSPF-5-ADJCHG: Process 10, Nbr 1.1.1.1 on Serial1/0 from LOADING to FULL, Loading Done
R2#
*Aug 15 23:28:10.423: %OSPF-5-ADJCHG: Process 10, Nbr 3.3.3.3 on Serial1/1 from LOADING to FULL, Loading Done
R2#

 

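After all the neighbor relationships have come back up, we look at the routing table on R1 and find that R3's loopback interface is missing.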

 

R1#sho ip rou
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

 

Gateway of last resort is not set

 

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
     21.0.0.0/24 is subnetted, 1 subnets
C       21.1.1.0 is directly connected, FastEthernet0/0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, Serial1/0
     11.0.0.0/24 is subnetted, 1 subnets
O IA    11.1.1.0 [110/65] via 21.1.1.2, 00:00:57, FastEthernet0/0

 

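This is because R3 is connected to the backbone area through a virtual link. Let's check whether the virtual link between R2 and R3 is working: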

 

R2#sho ip ospf virtual-links
Virtual Link OSPF_VL0 to router 3.3.3.3 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 1, via interface Serial1/1, Cost of using 64
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:06
  Simple password authentication enabled

 

R3#sho ip ospf virtual-links
Virtual Link OSPF_VL0 to router 2.2.2.2 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 1, via interface Serial1/0, Cost of using 64
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:04

 

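Because the virtual link belongs to Area 0, R3 needs the corresponding configuration once Area 0 area authentication has been configured on R2. The outputs above show the difference: R2 reports "Simple password authentication enabled" on the virtual link, while R3 does not.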

R3(config)#router ospf 10

R3(config-router)#area 0 authentication

 

R3(config-router)#
*Aug 15 23:32:57.175: %OSPF-5-ADJCHG: Process 10, Nbr 2.2.2.2 on OSPF_VL0 from LOADING to FULL, Loading Done
R2#sho ip ospf virtual-links
Virtual Link OSPF_VL0 to router 3.3.3.3 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 1, via interface Serial1/1, Cost of using 64
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:05
    Adjacency State FULL (Hello suppressed)
    Index 3/4, retransmission queue length 0, number of retransmission 1
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 1, maximum is 1
    Last retransmission scan time is 0 msec, maximum is 0 msec
  Simple password authentication enabled

 

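5. Authentication configuration for virtual links

Authentication can also be configured on a virtual link on its own, again in three forms: Null, plaintext authentication, and MD5 authentication. The configuration commands are as follows: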

 

Null
R2(config-router)#area 1 virtual-link 3.3.3.3 authentication null

R3(config-router)#area 1 virtual-link 2.2.2.2 authentication null

 

Plaintext:
R2(config-router)#area 1 virtual-link 3.3.3.3 authentication-key cisco

R3(config-router)#area 1 virtual-link 2.2.2.2 authentication-key cisco

 

MD5
R2(config-router)#area 1 virtual-link 3.3.3.3 authentication message-digest

R2(config-router)#area 1 virtual-link 3.3.3.3 message-digest-key 1 md5 cisco

R3(config-router)#area 1 virtual-link 2.2.2.2 authentication message-digest

R3(config-router)#area 1 virtual-link 2.2.2.2 message-digest-key 1 md5 cisco

 

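Also, from the previous lab we know that once a virtual link has come up it uses DNA LSAs (DoNotAge LSAs), so unless the OSPF process is restarted, the virtual link does not go down even when authentication is configured on only one end.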
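Since a one-sided change can stay hidden until the next process restart, the mismatch is better caught by comparing configurations than by watching adjacency state. The following is an added example, not part of the original lab: it computes the effective authentication type of each virtual-link endpoint (Area 0 setting unless overridden per link) and reports links whose two ends disagree. The config snippets are constructed from the commands on this page, and treating a bare per-link "authentication" keyword as type 1 is an assumption.

```python
import re

# Constructed sample configs: the lab state before R3 is fixed, keyed by
# the router IDs shown on the page.
CONFIGS = {
    "2.2.2.2": "router ospf 10\n area 0 authentication\n area 1 virtual-link 3.3.3.3\n",
    "3.3.3.3": "router ospf 10\n area 1 virtual-link 2.2.2.2\n",
}

def area0_auth(cfg):
    """Area 0 auth type: 0 null, 1 simple password, 2 MD5."""
    m = re.search(r"^\s*area 0 authentication(?: (message-digest))?\s*$", cfg, re.M)
    if not m:
        return 0
    return 2 if m.group(1) else 1

def vlink_auth(cfg):
    """Map peer router ID -> effective auth type on the virtual link to it."""
    default = area0_auth(cfg)  # a virtual link belongs to Area 0
    links = {}
    for line in cfg.splitlines():
        m = re.match(r"\s*area \S+ virtual-link (\S+)(.*)", line)
        if not m:
            continue
        peer, rest = m.group(1), m.group(2).split()
        links.setdefault(peer, default)
        # Per-link override; "authentication-key" lines do not change the type.
        if rest[:1] == ["authentication"]:
            keyword = rest[1] if len(rest) > 1 else ""
            links[peer] = {"null": 0, "message-digest": 2}.get(keyword, 1)
    return links

def audit(configs):
    """Return (router, peer, router_type, peer_type) for each mismatched link."""
    findings = []
    for rid, cfg in configs.items():
        for peer, local_type in vlink_auth(cfg).items():
            peer_type = vlink_auth(configs.get(peer, "")).get(rid)
            # rid < peer reports each link once instead of once per end.
            if peer_type is not None and peer_type != local_type and rid < peer:
                findings.append((rid, peer, local_type, peer_type))
    return findings

if __name__ == "__main__":
    for rid, peer, a, b in audit(CONFIGS):
        print("virtual link %s <-> %s: type %d vs type %d" % (rid, peer, a, b))
```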