lab 4-3 cấu hình vấn đề xác thực trong ospf

Lab 4-3: CẤU HÌNH VẤN ĐỀ XÁC THỰC TRONG OSPFMô tả Chứng thực láng giềng neighbor authentication cho phép router xem xét nguồn gốc của các routing thông tin định tuyến nhận được.. Cisco c

Lab 4-3: CẤU HÌNH VẤN ĐỀ XÁC THỰC TRONG OSPF

Mô tả

Chứng thực láng giềng (neighbor authentication) cho phép router xem xét nguồn gốc của các routing thông tin định tuyến nhận được Mã chứng thực (authentication key) được trao đổi giữa các router; nếu mã không trùng nhau thì routing thông tin định tuyến không được chấp nhận Cisco có hai loại chứng thực cho các router OSPF láng giềng: plain text

và MD5 (Message Digest Algorithm Version 5) Chứng thực dạng plain text gởi mã trên đường truyền, mã ở dạng plain text nên nó có thể được đọc trong quá trình truyền Chứng thực MD5 gởi các digest message (bản tin đã được đồng hóa) thay vì mã Thuật toán MD5 dùng để thực hiện băm mã (hash) và sau đó gởi đi Bài thực hành này mô tả cách cấu hình chứng thực (authentication) trong OSPF với plain text và MD5 password Khi cấu hình chứng thực, phải cấu hình toàn bộ vùng cùng một loại chứng thực Kể từ Cisco IOS 12.0.8 trở đi, có thể cấu hình xác thực trên từng cổng giao tiếp của router chạy OSPF

Cấu hình

Plain Text Authentication

Router R1

!

hostname R1

!

interface Loopback0

ip address 172.16.10.36 255.255.255.240

no ip directed-broadcast

!

interface Serial0

ip address 192.16.64.1 255.255.255.0

ip ospf authentication-key vnpro

!

router ospf 1

area 0 authentication

network 172.16.10.32 0.0.0.15 area 0

network 192.16.64.0 0.0.0.255 area 0

!

line con 0

line aux 0

line vty 0 4

login

!

end

Router R2

hostname R2

!

interface Loopback0

ip address 70.70.70.70 255.255.255.255

!

interface Serial0

ip address 192.16.64.2 255.255.255.0

ip ospf authentication-key vnpro

clockrate 64000

!

router ospf 1

area 0 authentication

network 70.70.70.70 0.0.0.0 area 0

network 192.16.64.0 0.0.0.255 area 0

!

line con 0

line aux 0

line vty 0 4

login

!

end

Các bước thực hiện

1 Cấu hình authentication key trong interface mode

R1(config)#int s0

R1(config-if)#ip address 192.16.64.1 255.255.255.0

R1(config-if)#ip ospf authentication-key vnpro

2 Cấu hình OSPF authentication

R1(config)#router ospf 1

R1(config-router)#area 0 authentication

R1(config-router)#network 172.16.10.32 0.0.0.15 area 0

R1(config-router)#network 192.16.64.0 0.0.0.255 area 0

Kiểm tra

R2#sh ip ospf

Routing Process "ospf 1" with ID 70.70.70.70

Supports only single TOS(TOS0) routes

Supports opaque LSA

SPF schedule delay 5 secs, Hold time between two SPFs 10 secs Minimum LSA interval 5 secs Minimum LSA arrival 1 secs Number of external LSA 0 Checksum Sum 0x0

Number of opaque AS LSA 0 Checksum Sum 0x0

Number of DCbitless external and opaque AS LSA 0

Number of DoNotAge external and opaque AS LSA 0

Number of areas in this router is 1 1 normal 0 stub 0 nssa External flood list length 0

Area BACKBONE(0)

Number of interfaces in this area is 2

Area has simple password authentication chứng thực kiểu plain text←

SPF algorithm executed 7 times

Area ranges are

Number of LSA 2 Checksum Sum 0x5375

Number of opaque link LSA 0 Checksum Sum 0x0

Number of DCbitless LSA 0

Number of indication LSA 0

Number of DoNotAge LSA 0

Flood list length 0

Từ R1 xem trạng thái OSPF neigbor, lúc này R1 đã thiết lập được neigbor với

70.70.70.70 (R2)

R1#sh ip ospf nei

Neighbor ID Pri State Dead Time Address Interface

70.70.70.70 1 FULL/ - 00:00:39 192.16.64.2 Serial0

R1#sh ip route

Gateway of last resort is not set

70.0.0.0/32 is subnetted, 1 subnets

O 70.70.70.70 [110/65] via 192.16.64.2, 00:16:02, Serial0 OSPF đã active, R1 nhận được route từ R2←

172.16.0.0/28 is subnetted, 1 subnets

C 172.16.10.32 is directly connected, Loopback0

C 192.16.64.0/24 is directly connected, Serial0

R2#debug ip ospf adj

R2#clear ip ospf process

Reset ALL OSPF processes? [no]: y

R2#

OSPF: Interface Loopback0 going Down

OSPF: 70.70.70.70 address 70.70.70.70 on Loopback0 is dead, state DOWN

OSPF: Interface Serial0 going Down

OSPF: 70.70.70.70 address 192.16.64.2 on Serial0 is dead, state DOWN

OSPF: 172.16.10.36 address 192.16.64.1 on Serial0 is dead, state DOWN

%OSPF-5-ADJCHG: Process 1, Nbr 172.16.10.36 on Serial0 from FULL to DOWN, Neighbor Down

OSPF: Interface Loopback0 going Up

OSPF: Interface Serial0 going Up

OSPF: Build router LSA for area 0, router ID 70.70.70.70, seq 0x80000001

OSPF: 2 Way Communication to 172.16.10.36 on Serial0, state 2WAY

OSPF: Send DBD to 172.16.10.36 on Serial0 seq 0x16A4 opt 0x42 flag 0x7 len 32 OSPF: Rcv DBD from 172.16.10.36 on Serial0 seq 0x121F opt 0x2 flag 0x7 len 32 mtu

1500 state EXSTART

OSPF: NBR Negotiation Done We are the SLAVE

OSPF: Send DBD to 172.16.10.36 on Serial0 seq 0x121F opt 0x42 flag 0x2 len 52 OSPF: Rcv DBD from 172.16.10.36 on Serial0 seq 0x1220 opt 0x2 flag 0x3 len 52 mtu

1500 state EXCHANGE

OSPF: Send DBD to 172.16.10.36 on Serial0 seq 0x1220 opt 0x42 flag 0x0 len 32

OSPF: Database request to 172.16.10.36

OSPF: sent LS REQ packet to 192.16.64.1, length 12

OSPF: Rcv DBD from 172.16.10.36 on Serial0 seq 0x1221 opt 0x2 flag 0x1 len 32 mtu

1500 state EXCHANGE

OSPF: Exchange Done with 172.16.10.36 on Serial0

OSPF: Send DBD to 172.16.10.36 on Serial0 seq 0x1221 opt 0x42 flag 0x0 len 32

OSPF: Synchronized with 172.16.10.36 on Serial0, state FULL

%OSPF-5-ADJCHG: Process 1, Nbr 172.16.10.36 on Serial0 from LOADING to FULL, Loading Done

OSPF: Build router LSA for area 0, router ID 70.70.70.70, seq 0x80000002

OSPF: Build router LSA for area 0, router ID 70.70.70.70, seq 0x80000006

MD5 Authentication

Router R1

!

hostname R1

!

enable password cisco

!

interface Loopback0

ip address 172.16.10.36 255.255.255.240

!

interface Serial0

ip address 192.16.64.1 255.255.255.0

ip ospf message-digest-key 1 md5 vnpro

!

router ospf 1

area 0 authentication message-digest

network 172.16.10.32 0.0.0.15 area 0

network 192.16.64.0 0.0.0.255 area 0

!

line con 0

line aux 0

line vty 0 4

login

!

end

Router R2

!

hostname R2

!

enable password cisco

!

interface Loopback0

ip address 70.70.70.70 255.255.255.255

!

interface Serial0

ip address 192.16.64.2 255.255.255.0

ip ospf authentication-key vnpro

ip ospf message-digest-key 1 md5 vnpro

clockrate 64000

!

router ospf 1

area 0 authentication message-digest

network 70.70.70.70 0.0.0.0 area 0

network 192.16.64.0 0.0.0.255 area 0

!

line con 0

line aux 0

line vty 0 4

login

!

end

Các bước thực hiện

1 Bỏ plain text authentication trên R1 và R2

R1(config)# int s0

R1(config-if)#no ip ospf authentication-key

R1(config)#router ospf 1

R1(config-router)#no area 0 authentication

R2(config)# int s0

R2(config-if)#no ip ospf authentication-key

R2(config)#router ospf 1

R2(config-router)#no area 0 authentication

2 Cấu hình authentication MD5 cho OSPF trên R1 và R2 R1(config)# int s0

R1(config-if)#ip ospf message-digest-key 1 md5 vnpro R1(config)#router ospf 1

R1(config-router)# area 0 authentication message-digest R2(config)# int s0

R2(config-if)# ip ospf message-digest-key 1 md5 vnpro R2(config)#router ospf 1

R2(config-router)#area 0 authentication message-digest Kiểm tra

R2 đã thiết lập được quan hệ cận kề với R1

R2#sh ip ospf nei

Neighbor ID Pri State Dead Time Address Interface

172.16.10.36 1 FULL/ - 00:00:36 192.16.64.1 Serial0

R2#sh ip ospf

Routing Process "ospf 1" with ID 70.70.70.70

Supports only single TOS(TOS0) routes

Supports opaque LSA

SPF schedule delay 5 secs, Hold time between two SPFs 10 secs

Minimum LSA interval 5 secs Minimum LSA arrival 1 secs

Number of external LSA 0 Checksum Sum 0x0

Number of opaque AS LSA 0 Checksum Sum 0x0

Number of DCbitless external and opaque AS LSA 0

Number of DoNotAge external and opaque AS LSA 0

Number of areas in this router is 1 1 normal 0 stub 0 nssa

External flood list length 0

Area BACKBONE(0)

Number of interfaces in this area is 2

Area has message digest authentication ß chứng thực bằng MD5

SPF algorithm executed 14 times

Area ranges are

Number of LSA 4 Checksum Sum 0x6A77

Number of opaque link LSA 0 Checksum Sum 0x0

Number of DCbitless LSA 0

Number of indication LSA 0

Number of DoNotAge LSA 0

Flood list length 0

R2#debug ip ospf adj

R2#clear ip ospf process

Reset ALL OSPF processes? [no]: y

R2#

OSPF: Send with youngest Key 1

OSPF: Interface Loopback0 going Down

OSPF: 70.70.70.70 address 70.70.70.70 on Loopback0 is dead, state DOWN

OSPF: Interface Serial0 going Down

OSPF: 70.70.70.70 address 192.16.64.2 on Serial0 is dead, state DOWN

OSPF: 172.16.10.36 address 192.16.64.1 on Serial0 is dead, state DOWN

%OSPF-5-ADJCHG: Process 1, Nbr 172.16.10.36 on Serial0 from FULL to DOWN, Neighbor Down

OSPF: Interface Loopback0 going Up

OSPF: Interface Serial0 going Up

OSPF: Send with youngest Key 1

OSPF: Build router LSA for area 0, router ID 70.70.70.70, seq 0x80000001

OSPF: 2 Way Communication to 172.16.10.36 on Serial0, state 2WAY

OSPF: Send DBD to 172.16.10.36 on Serial0 seq 0x1629 opt 0x42 flag 0x7 len 32

OSPF: Send with youngest Key 1

OSPF: Rcv DBD from 172.16.10.36 on Serial0 seq 0x15F4 opt 0x2 flag 0x7 len 32 mtu

1500 state EXSTART

OSPF: NBR Negotiation Done We are the SLAVE

OSPF: Send DBD to 172.16.10.36 on Serial0 seq 0x15F4 opt 0x42 flag 0x2 len 52 OSPF: Send with youngest Key 1

OSPF: Rcv DBD from 172.16.10.36 on Serial0 seq 0x15F5 opt 0x2 flag 0x3 len 52 mtu

1500 state EXCHANGE

OSPF: Send DBD to 172.16.10.36 on Serial0 seq 0x15F5 opt 0x42 flag 0x0 len 32 OSPF: Send with youngest Key 1

OSPF: Send with youngest Key 1

OSPF: Database request to 172.16.10.36

OSPF: sent LS REQ packet to 192.16.64.1, length 12

OSPF: Rcv DBD from 172.16.10.36 on Serial0 seq 0x15F6 opt 0x2 flag 0x1 len 32 mtu

1500 state EXCHANGE

OSPF: Exchange Done with 172.16.10.36 on Serial0

OSPF: Send DBD to 172.16.10.36 on Serial0 seq 0x15F6 opt 0x42 flag 0x0 len 32 OSPF: Send with youngest Key 1

OSPF: Synchronized with 172.16.10.36 on Serial0, state FULL

%OSPF-5-ADJCHG: Process 1, Nbr 172.16.10.36 on Serial0 from LOADING to FULL, Loading Done

OSPF: Build router LSA for area 0, router ID 70.70.70.70, seq 0x80000002