Area-based and interface-based OSPF authentication on Huawei devices
1. Basic OSPF area authentication configuration

R1
<Huawei>system-view
[Huawei]sysname r1
[r1]router id 1.1.1.1
[r1]interface loopback 0
[r1-LoopBack0]ip address 1.1.1.1 32
[r1-LoopBack0]quit
[r1]interface GigabitEthernet 0/0/0
[r1-GigabitEthernet0/0/0]ip address 192.168.12.1 24
[r1-GigabitEthernet0/0/0]quit
[r1]ospf 1
[r1-ospf-1]area 0
[r1-ospf-1-area-0.0.0.0]network 1.1.1.1 0.0.0.0
[r1-ospf-1-area-0.0.0.0]network 192.168.12.0 0.0.0.255
[r1-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher admin1234
// Area-based authentication: the authentication mode is md5, the key ID is usually set to 1, and the password is admin1234. By habit, advertise the networks first and then configure authentication.
[r1-ospf-1-area-0.0.0.0]return

R2
<Huawei>system-view
[Huawei]sysname r2
[r2]router id 2.2.2.2
[r2]interface loopback 0
[r2-LoopBack0]ip address 2.2.2.2 32
[r2-LoopBack0]quit
[r2]interface GigabitEthernet 0/0/0
[r2-GigabitEthernet0/0/0]ip address 192.168.12.2 24
[r2-GigabitEthernet0/0/0]quit
[r2]ospf 1
[r2-ospf-1]area 0
[r2-ospf-1-area-0.0.0.0]network 2.2.2.2 0.0.0.0
[r2-ospf-1-area-0.0.0.0]network 192.168.12.0 0.0.0.255
[r2-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher admin1234
[r2-ospf-1-area-0.0.0.0]return
<r2>system-view
[r2]interface GigabitEthernet 0/0/1
[r2-GigabitEthernet0/0/1]ip address 192.168.23.2 24
[r2-GigabitEthernet0/0/1]quit
[r2]ospf 1
[r2-ospf-1]area 1
[r2-ospf-1-area-0.0.0.1]network 192.168.23.0 0.0.0.255
[r2-ospf-1-area-0.0.0.1]authentication-mode md5 1 cipher admin2345
[r2-ospf-1-area-0.0.0.1]return

R3
<Huawei>system-view
[Huawei]sysname r3
[r3]router id 3.3.3.3
[r3]interface loopback 0
[r3-LoopBack0]ip address 3.3.3.3 32
[r3-LoopBack0]quit
[r3]interface GigabitEthernet 0/0/0
[r3-GigabitEthernet0/0/0]ip address 192.168.23.3 24
[r3-GigabitEthernet0/0/0]quit
[r3]ospf 1
[r3-ospf-1]area 1
[r3-ospf-1-area-0.0.0.1]network 3.3.3.3 0.0.0.0
[r3-ospf-1-area-0.0.0.1]network 192.168.23.0 0.0.0.255
[r3-ospf-1-area-0.0.0.1]authentication-mode md5 1 cipher admin2345
[r3-ospf-1-area-0.0.0.1]return
<r3>system-view
[r3]interface GigabitEthernet 0/0/1
[r3-GigabitEthernet0/0/1]ip address 192.168.34.3 24
[r3-GigabitEthernet0/0/1]quit
[r3]ospf 1
[r3-ospf-1]area 2
[r3-ospf-1-area-0.0.0.2]network 192.168.34.0 0.0.0.255
[r3-ospf-1-area-0.0.0.2]authentication-mode md5 1 cipher admin3456
[r3-ospf-1-area-0.0.0.2]return

R4
<Huawei>system-view
[Huawei]sysname r4
[r4]router id 4.4.4.4
[r4]interface loopback 0
[r4-LoopBack0]ip address 4.4.4.4 32
[r4-LoopBack0]quit
[r4]interface GigabitEthernet 0/0/0
[r4-GigabitEthernet0/0/0]ip address 192.168.34.4 24
[r4-GigabitEthernet0/0/0]quit
[r4]ospf 1
[r4-ospf-1]area 2
[r4-ospf-1-area-0.0.0.2]network 4.4.4.4 0.0.0.0
[r4-ospf-1-area-0.0.0.2]network 192.168.34.0 0.0.0.255
[r4-ospf-1-area-0.0.0.2]authentication-mode md5 1 cipher admin3456
[r4-ospf-1-area-0.0.0.2]return

R2 (configure the Vlink virtual link)
[r2]ospf 1
[r2-ospf-1]area 1
[r2-ospf-1-area-0.0.0.1]vlink-peer 3.3.3.3
[r2-ospf-1-area-0.0.0.1]return

R3
[r3]ospf 1
[r3-ospf-1]area 1
[r3-ospf-1-area-0.0.0.1]vlink-peer 2.2.2.2
[r3-ospf-1-area-0.0.0.1]return
<r3>display ospf vlink
OSPF Process 1 with Router ID 3.3.3.3
Virtual Links
Virtual-link Neighbor-id -> 2.2.2.2, Neighbor-State: Down
Interface: 192.168.23.3 (GigabitEthernet0/0/0)
Cost:1 State: P-2-P Type: Virtual
Transit Area: 0.0.0.1
Timers: Hello 10 , Dead 40 , Retransmit 5 ,Transmit Delay 1
GR State: Normal

Because the backbone area has authentication configured, the Vlink neighbor state is Down. If area 2 were directly connected to the backbone area, authentication would likewise have to be configured in area 0 on R3. With area 2 connected to the backbone area, R3 takes the role of an ABR (a border router connecting another area to the backbone area), so the authentication is configured on R3, the router where the Vlink through area 1 is configured:

[r3]ospf 1
[r3-ospf-1]area 0
[r3-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher admin1234
[r3-ospf-1-area-0.0.0.0]return

Display the Vlink neighbor state again:

<r3>display ospf vlink
OSPF Process 1 with Router ID 3.3.3.3
Virtual Links
Virtual-link Neighbor-id -> 2.2.2.2, Neighbor-State: Full
Interface: 192.168.23.3 (GigabitEthernet0/0/0)
Cost:1 State: P-2-P Type: Virtual
Transit Area: 0.0.0.1
Timers: Hello 10 , Dead 40 , Retransmit 5 ,Transmit Delay 1
GR State: Normal

<r2>display ospf vlink
OSPF Process 1 with Router ID 2.2.2.2
Virtual Links
Virtual-link Neighbor-id -> 3.3.3.3, Neighbor-State: Full
Interface: 192.168.23.2 (GigabitEthernet0/0/1)
Cost:1 State: P-2-P Type: Virtual
Transit Area: 0.0.0.1
Timers: Hello 10 , Dead 40 , Retransmit 5 ,Transmit Delay 1
GR State: Normal

The Vlink neighbor state between R3 and R2 is Full, which shows that the neighbor relationship was established successfully. Now look at the routing tables:

<r1>display ip routing-table
<r4>display ip routing-table

All routes have been learned.

2. Interface-based OSPF authentication configuration

R1
[r1]ospf 1
[r1-ospf-1]area 0
[r1-ospf-1-area-0.0.0.0]undo authentication-mode
// remove the existing area authentication
[r1-ospf-1-area-0.0.0.0]return
<r1>system-view
[r1]interface GigabitEthernet 0/0/0
[r1-GigabitEthernet0/0/0]ospf authentication-mode md5 1 cipher admin1234

R2
[r2]ospf 1
[r2-ospf-1]area 0
[r2-ospf-1-area-0.0.0.0]undo authentication-mode
[r2-ospf-1-area-0.0.0.0]return
<r2>system-view
[r2]interface GigabitEthernet 0/0/0
[r2-GigabitEthernet0/0/0]ospf authentication-mode md5 1 cipher admin1234

Now check the Vlink neighbor state:

[r2]display ospf vlink
OSPF Process 1 with Router ID 2.2.2.2
Virtual Links
Virtual-link Neighbor-id -> 3.3.3.3, Neighbor-State: Down
Interface: 192.168.23.2 (GigabitEthernet0/0/1)
Cost:1 State: P-2-P Type: Virtual
Transit Area: 0.0.0.1
Timers: Hello 10 , Dead 40 , Retransmit 5 ,Transmit Delay 1
GR State: Normal

The neighbor is Down again. Try turning off area 0 authentication on R3, the border router of area 2:

[r3]ospf 1
[r3-ospf-1]area 0
[r3-ospf-1-area-0.0.0.0]undo authentication-mode

With area 0 authentication removed, the Vlink neighbor returns to the Full state:

[r2]display ospf vlink
OSPF Process 1 with Router ID 2.2.2.2
Virtual Links
Virtual-link Neighbor-id -> 3.3.3.3, Neighbor-State: Full
Interface: 192.168.23.2 (GigabitEthernet0/0/1)
Cost:1 State: P-2-P Type: Virtual
Transit Area: 0.0.0.1
Timers: Hello 10 , Dead 40 , Retransmit 5 ,Transmit Delay 1
GR State: Normal

[r3]display ospf vlink
OSPF Process 1 with Router ID 3.3.3.3
Virtual Links
Virtual-link Neighbor-id -> 2.2.2.2, Neighbor-State: Full
Interface: 192.168.23.3 (GigabitEthernet0/0/0)
Cost:1 State: P-2-P Type: Virtual
Transit Area: 0.0.0.1
Timers: Hello 10 , Dead 40 , Retransmit 5 ,Transmit Delay 1
GR State: Normal

Authentication on the other interfaces is not repeated here; the method is the same.

Finally, test connectivity:

<r1>ping -a 1.1.1.1 2.2.2.2
PING 2.2.2.2: 56 data bytes, press CTRL_C to break
Reply from 2.2.2.2: bytes=56 Sequence=1 ttl=255 time=110 ms
Reply from 2.2.2.2: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 2.2.2.2: bytes=56 Sequence=3 ttl=255 time=30 ms
Reply from 2.2.2.2: bytes=56 Sequence=4 ttl=255 time=20 ms
Reply from 2.2.2.2: bytes=56 Sequence=5 ttl=255 time=20 ms
--- 2.2.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 10/38/110 ms

<r1>ping -a 1.1.1.1 3.3.3.3
PING 3.3.3.3: 56 data bytes, press CTRL_C to break
Reply from 3.3.3.3: bytes=56 Sequence=1 ttl=254 time=100 ms
Reply from 3.3.3.3: bytes=56 Sequence=2 ttl=254 time=30 ms
Reply from 3.3.3.3: bytes=56 Sequence=3 ttl=254 time=20 ms
Reply from 3.3.3.3: bytes=56 Sequence=4 ttl=254 time=30 ms
Reply from 3.3.3.3: bytes=56 Sequence=5 ttl=254 time=30 ms
--- 3.3.3.3 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 20/42/100 ms

<r1>ping -a 1.1.1.1 4.4.4.4
PING 4.4.4.4: 56 data bytes, press CTRL_C to break
Reply from 4.4.4.4: bytes=56 Sequence=1 ttl=253 time=180 ms
Reply from 4.4.4.4: bytes=56 Sequence=2 ttl=253 time=40 ms
Reply from 4.4.4.4: bytes=56 Sequence=3 ttl=253 time=40 ms
Reply from 4.4.4.4: bytes=56 Sequence=4 ttl=253 time=50 ms
Reply from 4.4.4.4: bytes=56 Sequence=5 ttl=253 time=40 ms
--- 4.4.4.4 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 40/70/180 ms
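
Why the Vlink went Down in both parts, as an added example that is not part of the original post: a Python model of the OSPFv2 cryptographic authentication check from RFC 2328 Appendix D, applied to R2's Hello to R3 over the Vlink. It assumes the device's md5 mode is that keyed-MD5 scheme and that Vlink packets follow area 0's authentication setting, as the page observed; the Hello body is a constructed placeholder, the function names are hypothetical, and sequence-number replay tracking is left out.

```python
import hashlib, hmac, socket, struct

AUTH_NULL, AUTH_CRYPTO = 0, 2   # AuType values from RFC 2328
HELLO_BODY = bytes(20)          # constructed placeholder for a 20-byte Hello body
AREA0 = (1, b"admin1234")       # (key ID, password) the page uses for area 0
AREA1 = (1, b"admin2345")       # (key ID, password) the page uses for area 1

def pad_key(key):
    return key.ljust(16, b"\0")  # keys shorter than 16 bytes are zero-padded

def build_packet(router_id, area_id, body, cfg, seq=1):
    """Sender: cfg is None (no authentication) or (key_id, key)."""
    auth = struct.pack("!HBBI", 0, cfg[0], 16, seq) if cfg else bytes(8)
    # Checksum is 0 for AuType 2; this sketch also skips it for AuType 0.
    hdr = struct.pack("!BBH4s4sHH", 2, 1, 24 + len(body),
                      socket.inet_aton(router_id), socket.inet_aton(area_id),
                      0, AUTH_CRYPTO if cfg else AUTH_NULL) + auth
    pkt = hdr + body
    if cfg:  # digest = MD5(packet || padded key), appended after the packet
        pkt += hashlib.md5(pkt + pad_key(cfg[1])).digest()
    return pkt

def verify(pkt, cfg):
    """Receiver: return "ok" or the reason the packet is dropped."""
    plen, = struct.unpack("!H", pkt[2:4])
    autype, = struct.unpack("!H", pkt[14:16])
    if autype != (AUTH_CRYPTO if cfg else AUTH_NULL):
        return "autype-mismatch"
    if cfg is None:
        return "ok"
    _, key_id, dlen, _seq = struct.unpack("!HBBI", pkt[16:24])
    if key_id != cfg[0]:
        return "key-id-mismatch"
    if dlen != 16 or len(pkt) != plen + 16:
        return "malformed"
    digest = hashlib.md5(pkt[:plen] + pad_key(cfg[1])).digest()
    return "ok" if hmac.compare_digest(digest, pkt[plen:]) else "bad-digest"

def vlink_scenarios():
    """R2's Hello to R3 over the Vlink: area ID 0.0.0.0, area 0's settings."""
    signed = build_packet("2.2.2.2", "0.0.0.0", HELLO_BODY, AREA0)
    plain = build_packet("2.2.2.2", "0.0.0.0", HELLO_BODY, None)
    return {
        "part1_r3_without_area0_auth": verify(signed, None),
        "part1_r3_with_area0_auth": verify(signed, AREA0),
        "r3_given_area1_key": verify(signed, AREA1),
        "part2_only_r2_removed_auth": verify(plain, AREA0),
        "part2_both_removed_auth": verify(plain, None),
    }
```

Both Down states map to "autype-mismatch": one end of the Vlink sends or expects AuType 2 while the other uses AuType 0, so the Hello is dropped before the key is ever compared.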