IP : 开放最短路径优先 (OSPF)

在虚拟链路上配置 OSPF 认证

2015 年 8 月 28 日 - 机器翻译
其他版本: PDFpdf | 英语 (2015 年 4 月 23 日) | 反馈


目录


简介

开放最短路径优先 (OSPF) 自治系统中的所有区域都必须以物理方式与主干区域(区域 0)相连。然而,在无法实现这种物理连接的情况下,可使用虚拟链路通过非主干区域连接到主干网。您还可以利用虚拟链路通过非主干区域连接一个分区主干网中的两个部分。您也可以在虚拟链路上启用 OSPF 身份验证。

本文档介绍了如何在 OSPF 网络的虚拟链路上启用纯文本身份验证和消息摘要 5 (MD5) 身份验证。有关如何配置 OSPF 身份验证的详细信息,请参阅 OSPF 身份验证配置示例

先决条件

要求

尝试进行此配置之前,请确保满足以下要求:

  • OSPF 路由协议及其操作的知识

  • OSPF 虚拟链路概念知识

有关 OSPF 路由协议及 OSPF 中虚拟链路概念的详细信息,请参阅 OSPF 设计指南

使用的组件

本文档中的信息基于以下软件和硬件版本:

  • Cisco 2500 系列路由器

  • Cisco IOS�软件版本12.2(27)

本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您使用的是真实网络,请确保您已经了解所有命令的潜在影响。

规则

有关文档规则的详细信息,请参阅 Cisco 技术提示规则

配置

本部分提供有关如何配置本文档所述功能的信息。

注意: 有关本文档所用命令的详细信息,请使用命令查找工具仅限注册用户)。

网络图

本文档使用以下网络设置:

/image/gif/paws/8313/27-a.gif

配置

本文档使用以下配置:

配置纯文本身份验证

纯文本身份验证是指以明文形式通过网络发送口令。在此配置中,路由器 3.3.3.3 在区域 0 中没有接口,而是以虚拟方式连接到区域 0。此配置将路由器 3.3.3.3 设为虚拟的区域边界路由器 (ABR),因此必须在路由器 3.3.3.3 上启用针对区域 0 的身份验证。此部分提供了在使用虚拟链路的情况下配置纯文本身份验证的命令。

注意: 配置时使用的身份验证密钥定义了可直接插入 OSPF 报头的密钥(口令)。当 Cisco IOS 软件发起路由协议数据包时,该密钥将插入报头中。可以基于每个接口为每个网络指定单独的口令。同一网络上的所有邻接路由器都必须有相同的口令才能交换 OSPF 信息。

路由器 1.1.1.1
hostname r1.1.1.1

interface Loopback0
 ip address 1.1.1.1 255.0.0.0

interface Ethernet0
 ip address 4.0.0.1 255.0.0.0
 ip ospf authentication-key cisco

!--- This command configures the authentication key (password)
!--- on the interface as "cisco".


interface Serial0
 ip address 5.0.0.1 255.0.0.0
 clockrate 64000
 
!
 
 router ospf 2
 network 4.0.0.0 0.255.255.255 area 0
 network 5.0.0.0 0.255.255.255 area 1
 area 0 authentication

!--- This command enables plain authentication for area 0 
!--- on the router.

area 1 virtual-link 3.3.3.3 authentication-key cisco

!--- This command creates the virtual link between Router 
!--- 1.1.1.1 and Router 3.3.3.3 with plain text authentication enabled.

路由器 3.3.3.3
hostname r3.3.3.3

interface Loopback0
 ip address 3.3.3.3 255.0.0.0

interface Ethernet0
 ip address 12.0.0.3 255.0.0.0

interface Serial0
 ip address 6.0.0.3 255.0.0.0
 
!
 
 router ospf 2
 network 12.0.0.0 0.255.255.255 area 2
 network 6.0.0.0 0.255.255.255 area 1
 area 0 authentication

!--- This command enables plain authentication for area 0 
!--- on the router.

 area 1 virtual-link 1.1.1.1 authentication-key cisco

!--- This command creates the virtual link to area 0 via 
!--- transit area 1 with plain text authentication enabled.

配置 MD5认证

MD5 身份验证提供的安全性高于纯文本身份验证。之所以说 MD5 身份验证提供的安全性更高,是因为该方法使用 MD5 算法来基于 OSPF 数据包的内容和口令(或密钥)计算散列值。此散列值将与密钥 ID 以及非递减次序号一起在数据包中传输。知道同一口令的接收方将计算出其自己的散列值。此部分提供了在使用虚拟链路的情况下配置 MD5 身份验证的命令。

路由器 1.1.1.1
hostname r1.1.1.1

interface Loopback0
 ip address 1.1.1.1 255.0.0.0

interface Ethernet0
 ip address 4.0.0.1 255.0.0.0
 ip ospf message-digest-key 1 md5 cisco

!--- This command configures the MD5 authentication key
!--- on the interface as "cisco".

interface Serial0
 ip address 5.0.0.1 255.0.0.0
 clockrate 64000
 
!
 
 router ospf 2
 network 4.0.0.0 0.255.255.255 area 0
 network 5.0.0.0 0.255.255.255 area 1
 area 0 authentication message-digest

!--- This command enables MD5 authentication for area 0 
!--- on the router.

 area 1 virtual-link 3.3.3.3 message-digest-key 1 md5 cisco

!--- This command creates the virtual link between Router 
!--- 1.1.1.1 and Router 3.3.3.3 with MD5 authentication enabled.

路由器 3.3.3.3
hostname r3.3.3.3

interface Loopback0
 ip address 3.3.3.3 255.0.0.0

interface Ethernet0
 ip address 12.0.0.3 255.0.0.0

interface Serial0
 ip address 6.0.0.3 255.0.0.0
 
!
 
 router ospf 2
 network 12.0.0.0 0.255.255.255 area 2
 network 6.0.0.0 0.255.255.255 area 1
area 0 authentication message-digest

!--- This command enables MD5 authentication for area 0 
!--- on the router.

area 1 virtual-link 1.1.1.1 message-digest-key 1 md5 cisco

!--- This command creates the virtual link to area 0 via 
!--- the transit area 1 with MD5 authentication enabled.

验证

使用本部分可确认配置能否正常运行。

命令输出解释程序仅限注册用户)(OIT) 支持某些 show 命令。使用 OIT 可查看对 show 命令输出的分析。

  • show ip ospf virtual-links — 显示 OSPF 虚拟链路的参数和当前状态。

  • show ip route - 显示路由表的当前状态。

show 命令输出示例 — 配置纯文本身份验证

r3.3.3.3# show ip ospf virtual-links

Virtual Link OSPF_VL0 to router 1.1.1.1 is up

!--- The status of the virtual link displays.

  Run as demand circuit
  DoNotAge LSA allowed

!--- This specifies that OSPF runs as a demand circuit over virtual links,
!--- and so link-state advertisements (LSAs) are not refreshed (not aged out).

  Transit area 1, via interface Serial0, Cost of using 128
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:01
    Adjacency State FULL (Hello suppressed)

!--- The status of the neighbor adjacency displays.

    Index 1/2, retransmission queue length 0, number of retransmission 1
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 1, maximum is 1
    Last retransmission scan time is 0 msec, maximum is 0 msec
  Simple password authentication enabled

!--- The type of authentication that is enabled displays.
!--- The authentication type is simple password.

r3.3.3.3#

注意: 该输出显示 OSPF Hello 数据包被抑制。这意味着,启动虚拟链路后将不会交换任何 Hello 数据包。由于 OSPF 将虚拟链路视为需求电路,因此会抑制 Hello 数据包。通常情况下,OSPF 会每隔 10 秒发送一次 Hello 数据包,每隔 30 分钟刷新其 LSA。不过,这种流量对于需求电路来说仍太大。使用 OSPF 需求电路选项将抑制 Hello 和 LSA 刷新功能。因此,在使用 clear ip ospf process 命令清除 OSPF 进程之前,对 OSPF 身份验证所做的任何更改都不会生效。例如,在路由器上更改身份验证类型。

r3.3.3.3# show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is not set 
C 3.0.0.0/8 is directly connected, Loopback0 
O 4.0.0.0/8 [110/138] via 6.0.0.2, 00:31:08, Serial0 
O 5.0.0.0/8 [110/128] via 6.0.0.2, 22:55:44, Serial0 
C 6.0.0.0/8 is directly connected, Serial0 
C 12.0.0.0/8 is directly connected, Ethernet0 
r3.3.3.3#

show 命令输出示例 — 配置 MD5 身份验证

r3.3.3.3# show ip ospf virtual-links

Virtual Link OSPF_VL1 to router 1.1.1.1 is up 

!--- The status of the virtual link displays.

  Run as demand circuit
  DoNotAge LSA allowed

!--- This specifies that OSPF runs as a demand circuit over virtual links,
!--- and so LSAs are not refreshed (not aged out).

  Transit area 1, via interface Serial0, Cost of using 128
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:01
    Adjacency State FULL (Hello suppressed) 

!--- The status of the neighbor adjacency displays.

    Index 1/2, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec
  Message digest authentication enabled 

!--- The type of authentication that is enabled displays.
!--- The authentication type is MD5.

    Youngest key id is 1
r3.3.3.3# show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is not set 
C 3.0.0.0/8 is directly connected, Loopback0 
O 4.0.0.0/8 [110/138] via 6.0.0.2, 00:02:41, Serial0 
O 5.0.0.0/8 [110/128] via 6.0.0.2, 00:02:51, Serial0 
C 6.0.0.0/8 is directly connected, Serial0 
C 12.0.0.0/8 is directly connected, Ethernet0

故障排除

使用本部分可排除配置故障。

注意: 使用 debug 命令之前,请参阅有关 Debug 命令的重要信息

  • debug ip ospf adj — 调试 OSPF 邻接关系建立过程。

debug 命令输出示例 — 配置纯文本身份验证

r3.3.3.3# debug ip ospf adj

23:31:41: OSPF: Interface OSPF_VL0 going Up
23:31:41: OSPF: Build router LSA for area 0, router ID 3.3.3.3, seq 0x8000002E
23:31:41: OSPF: Build router LSA for area 1, router ID 3.3.3.3, seq 0x8000002E
23:31:41: OSPF: Build router LSA for area 2, router ID 3.3.3.3, seq 0x80000031
23:31:51: OSPF: Rcv DBD from 1.1.1.1 on OSPF_VL0 seq 0x887 opt 0x62 flag 0x7 
 len 32  mtu 0 state INIT
23:31:51: OSPF: 2 Way Communication to 1.1.1.1 on OSPF_VL0, state 2WAY
23:31:51: OSPF: Send DBD to 1.1.1.1 on OSPF_VL0 seq 0x2102 opt 0x62 flag 0x7 len 32
23:31:51: OSPF: First DBD and we are not SLAVE
23:31:51: OSPF: Rcv DBD from 1.1.1.1 on OSPF_VL0 seq 0x2102 opt 0x62 flag 0x2 
 len 172  mtu 0 state EXSTART
23:31:51: OSPF: NBR Negotiation Done. We are the MASTER
23:31:51: OSPF: Send DBD to 1.1.1.1 on OSPF_VL0 seq 0x2103 opt 0x62 flag 0x3 len 172
23:31:51: OSPF: Database request to 1.1.1.1
23:31:51: OSPF: sent LS REQ packet to 5.0.0.1, length 12
23:31:51: OSPF: Rcv DBD from 1.1.1.1 on OSPF_VL0 seq 0x2103 opt 0x62 flag 0x0 len 32  
 mtu 0 state EXCHANGE
23:31:51: OSPF: Send DBD to 1.1.1.1 on OSPF_VL0 seq 0x2104 opt 0x62 flag 0x1 len 32
23:31:51: OSPF: Rcv DBD from 1.1.1.1 on OSPF_VL0 seq 0x2104 opt 0x62 flag 0x0 
 len 32  mtu 0 state EXCHANGE
23:31:51: OSPF: Exchange Done with 1.1.1.1 on OSPF_VL0
23:31:51: OSPF: Synchronized with 1.1.1.1 on OSPF_VL0, state FULL

!--- This indicates the establishment of neighbor adjacency.

23:31:51: %OSPF-5-ADJCHG: Process 2, Nbr 1.1.1.1 on OSPF_VL0 from LOADING to FULL, 
 Loading Done
23:31:52: OSPF: Build router LSA for area 0, router ID 3.3.3.3, seq 0x8000002F
23:32:23: OSPF: Dead event ignored for 1.1.1.1 on demand circuit OSPF_VL0
r3.3.3.3#

debug 命令输出示例 — 配置 MD5 身份验证

r3.3.3.3# debug ip ospf adj

23:48:06: OSPF: Interface OSPF_VL1 going Up
23:48:06: OSPF: Send with youngest Key 0
23:48:07: OSPF: Build router LSA for area 0, router ID 3.3.3.3, seq 0x80000001
23:48:07: OSPF: Build router LSA for area 2, router ID 3.3.3.3, seq 0x80000033
23:48:07: OSPF: Build router LSA for area 1, router ID 3.3.3.3, seq 0x80000030
23:48:14: OSPF: 2 Way Communication to 1.1.1.1 on OSPF_VL1, state 2WAY
23:48:14: OSPF: Send DBD to 1.1.1.1 on OSPF_VL1 seq 0x1EA opt 0x62 flag 0x7 len32
23:48:14: OSPF: Send with youngest Key 1
23:48:14: OSPF: Rcv DBD from 1.1.1.1 on OSPF_VL1 seq 0x3FB opt 0x62 flag 0x7 
 len 32 mtu 0 state EXSTART
23:48:14: OSPF: First DBD and we are not SLAVE
23:48:16: OSPF: Send with youngest Key 1
23:48:19: OSPF: Send DBD to 1.1.1.1 on OSPF_VL1 seq 0x1EA opt 0x62 flag 0x7 len 32
23:48:19: OSPF: Send with youngest Key 1
23:48:19: OSPF: Retransmitting DBD to 1.1.1.1 on OSPF_VL1 [1]
23:48:19: OSPF: Rcv DBD from 1.1.1.1 on OSPF_VL1 seq 0x3FB opt 0x62 flag 0x7 len 32 
 mtu 0 state EXSTART
23:48:19: OSPF: First DBD and we are not SLAVE
23:48:19: OSPF: Rcv DBD from 1.1.1.1 on OSPF_VL1 seq 0x1EA opt 0x62 flag 0x2 
 len 172 mtu 0 state EXSTART
23:48:19: OSPF: NBR Negotiation Done. We are the MASTER
23:48:19: OSPF: Send DBD to 1.1.1.1 on OSPF_VL1 seq 0x1EB opt 0x62 flag 0x3 len 112
23:48:19: OSPF: Send with youngest Key 1
23:48:19: OSPF: Send with youngest Key 1
23:48:19: OSPF: Database request to 1.1.1.1
23:48:19: OSPF: sent LS REQ packet to 5.0.0.1, length 48
23:48:19: OSPF: Rcv DBD from 1.1.1.1 on OSPF_VL1 seq 0x1EB opt 0x62 flag 0x0 len 32 
 mtu 0 state EXCHANGE
23:48:19: OSPF: Send DBD to 1.1.1.1 on OSPF_VL1 seq 0x1EC opt 0x62 flag 0x1 len 32
23:48:19: OSPF: Send with youngest Key 1
23:48:19: OSPF: Build router LSA for area 0, router ID 3.3.3.3, seq 0x80000030
23:48:19: OSPF: Rcv DBD from 1.1.1.1 on OSPF_VL1 seq 0x1EC opt 0x62 flag 0x0 len 32 
 mtu 0 state EXCHANGE
23:48:19: OSPF: Exchange Done with 1.1.1.1 on OSPF_VL1
23:48:19: OSPF: Synchronized with 1.1.1.1 on OSPF_VL1, state FULL

!--- This indicates the establishment of neighbor adjacency.

23:48:19: %OSPF-5-ADJCHG: Process 2, Nbr 1.1.1.1 on OSPF_VL1 from LOADING to FULL, 
 Loading Done

相关的思科支持社区讨论

思科支持社区是您提问、解答问题、分享建议以及与工作伙伴协作的论坛。


相关信息


Document ID: 8313