IS-IS Authentication

Lab Configuration


(1) Configure IP addresses.

R1 configuration:

<Huawei>system-view
[Huawei]undo info-center enable
[Huawei]sysname AR1
[AR1]interface g0/0/0
[AR1-GigabitEthernet0/0/0]ip address 12.1.1.1 24
[AR1-GigabitEthernet0/0/0]quit
[AR1]interface g0/0/1
[AR1-GigabitEthernet0/0/1]ip address 13.1.1.1 24
[AR1-GigabitEthernet0/0/1]quit
[AR1]interface LoopBack 0
[AR1-LoopBack0]ip address 1.1.1.1 32
[AR1-LoopBack0]quit
 

R2 configuration:

<Huawei>system-view
[Huawei]undo info-center enable
[Huawei]sysname AR2
[AR2]interface g0/0/1
[AR2-GigabitEthernet0/0/1]ip address 12.1.1.2 24
[AR2-GigabitEthernet0/0/1]quit
[AR2]interface g0/0/0
[AR2-GigabitEthernet0/0/0]ip address 24.1.1.2 24
[AR2-GigabitEthernet0/0/0]quit
[AR2]interface LoopBack 0
[AR2-LoopBack0]ip address 2.2.2.2 32
[AR2-LoopBack0]quit
 

R3 configuration:

<Huawei>system-view
[Huawei]undo info-center enable
[Huawei]sysname AR3
[AR3]interface g0/0/0
[AR3-GigabitEthernet0/0/0]ip address 13.1.1.3 24
[AR3-GigabitEthernet0/0/0]quit
[AR3]interface g0/0/1
[AR3-GigabitEthernet0/0/1]ip address 35.1.1.3 24
[AR3-GigabitEthernet0/0/1]quit
[AR3]interface LoopBack 0
[AR3-LoopBack0]ip address 3.3.3.3 32
[AR3-LoopBack0]quit
 

R4 configuration:

<Huawei>system-view
[Huawei]undo info-center enable
[Huawei]sysname AR4
[AR4]interface g0/0/1
[AR4-GigabitEthernet0/0/1]ip address 24.1.1.4 24
[AR4-GigabitEthernet0/0/1]quit
[AR4]interface g0/0/0
[AR4-GigabitEthernet0/0/0]ip address 45.1.1.4 24
[AR4-GigabitEthernet0/0/0]quit
[AR4]interface LoopBack 0
[AR4-LoopBack0]ip address 4.4.4.4 32
[AR4-LoopBack0]quit
 

R5 configuration:

<Huawei>system-view
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname AR5
[AR5]interface g0/0/0
[AR5-GigabitEthernet0/0/0]ip address 35.1.1.5 24
[AR5-GigabitEthernet0/0/0]quit
[AR5]interface g0/0/1
[AR5-GigabitEthernet0/0/1]ip address 45.1.1.5 24
[AR5-GigabitEthernet0/0/1]quit
[AR5]interface LoopBack 0
[AR5-LoopBack0]ip address 5.5.5.5 32
[AR5-LoopBack0]quit
 

(2) Configure IS-IS.

R1 configuration:

[AR1]isis
[AR1-isis-1]network-entity 49.0123.0000.0000.0001.00  //Configure the NET address
[AR1-isis-1]is-level level-1  //Set the router type to Level-1
[AR1-isis-1]cost-style wide  //Use wide metrics
[AR1-isis-1]quit
[AR1]interface g0/0/0
[AR1-GigabitEthernet0/0/0]isis enable
[AR1-GigabitEthernet0/0/0]quit
[AR1]interface g0/0/1
[AR1-GigabitEthernet0/0/1]isis enable
[AR1-GigabitEthernet0/0/1]quit
[AR1]interface LoopBack 0
[AR1-LoopBack0]isis enable 
[AR1-LoopBack0]quit
 

R2 configuration:

[AR2]isis
[AR2-isis-1]network-entity 49.0123.0000.0000.0002.00
[AR2-isis-1]cost-style wide
[AR2-isis-1]quit
[AR2]interface g0/0/1
[AR2-GigabitEthernet0/0/1]isis enable
[AR2-GigabitEthernet0/0/1]quit
[AR2]interface g0/0/0
[AR2-GigabitEthernet0/0/0]isis enable
[AR2-GigabitEthernet0/0/0]quit
[AR2]interface LoopBack 0
[AR2-LoopBack0]isis enable
[AR2-LoopBack0]quit
 

R3 configuration:

<AR3>sys
[AR3]isis
[AR3-isis-1]network-entity 49.0123.0000.0000.0003.00
[AR3-isis-1]cost-style wide
[AR3-isis-1]quit
[AR3]interface g0/0/0
[AR3-GigabitEthernet0/0/0]isis enable
[AR3-GigabitEthernet0/0/0]quit
[AR3]interface g0/0/1
[AR3-GigabitEthernet0/0/1]isis enable
[AR3-GigabitEthernet0/0/1]quit
[AR3]interface LoopBack 0
[AR3-LoopBack0]isis enable
[AR3-LoopBack0]quit
 

R4 configuration:

[AR4]isis
[AR4-isis-1]network-entity 49.0045.0000.0000.0004.00
[AR4-isis-1]is-level level-2
[AR4-isis-1]cost-style wide
[AR4-isis-1]quit
[AR4]interface g0/0/1
[AR4-GigabitEthernet0/0/1]isis enable
[AR4-GigabitEthernet0/0/1]quit
[AR4]interface g0/0/0
[AR4-GigabitEthernet0/0/0]isis enable
[AR4-GigabitEthernet0/0/0]quit
[AR4]interface LoopBack 0
[AR4-LoopBack0]isis enable
[AR4-LoopBack0]quit
 

R5 configuration:

<AR5>sys
[AR5]isis
[AR5-isis-1]network-entity 49.0045.0000.0000.0005.00
[AR5-isis-1]cost-style wide
[AR5-isis-1]is-level level-2
[AR5-isis-1]quit
[AR5]interface g0/0/0
[AR5-GigabitEthernet0/0/0]quit
[AR5]interface g0/0/1
[AR5-GigabitEthernet0/0/1]isis enable
[AR5-GigabitEthernet0/0/1]quit
[AR5]interface g0/0/0
[AR5-GigabitEthernet0/0/0]isis enable
[AR5-GigabitEthernet0/0/0]quit
[AR5]interface LoopBack 0
[AR5-LoopBack0]isis enable
[AR5-LoopBack0]quit

(3) Use simple plaintext authentication on the interfaces between R1 and R2.

R1 configuration:

[AR1]interface g0/0/0
[AR1-GigabitEthernet0/0/0]isis authentication-mode simple joinlabs level-1
 

R2 configuration:

[AR2]interface g0/0/1
[AR2-GigabitEthernet0/0/1]isis authentication-mode simple joinlabs level-1
 

(4) Use MD5 authentication on the interfaces between R4 and R5.

R4 configuration:

[AR4]interface g0/0/0
[AR4-GigabitEthernet0/0/0]isis authentication-mode md5 joinlabs level-2
 

R5 configuration:

[AR5]interface g0/0/1
[AR5-GigabitEthernet0/0/1]isis authentication-mode md5 joinlabs level-2
 

(5) Configure area authentication for area 49.0123.

R1 configuration:

[AR1]isis
[AR1-isis-1]area-authentication-mode md5 joinlabs

R2 configuration:

[AR2]isis
[AR2-isis-1]area-authentication-mode md5 joinlabs
 

R3 configuration:

[AR3]isis
[AR3-isis-1]area-authentication-mode md5 joinlabs
 

(6) Configure routing domain authentication.

R2 configuration:

[AR2]isis
[AR2-isis-1]domain-authentication-mode md5 1234
[AR2-isis-1]q

R3 configuration:

[AR3]isis
[AR3-isis-1]domain-authentication-mode md5 1234
[AR3-isis-1]q
 

R4 configuration:

[AR4]isis
[AR4-isis-1]domain-authentication-mode md5 1234
[AR4-isis-1]q
 

R5 configuration:

[AR5]isis
[AR5-isis-1]domain-authentication-mode md5 1234
[AR5-isis-1]q
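
An audit of the authentication commands from steps (3) to (6), added here as an example and not part of the original lab. It checks that both ends of each authenticated link agree and flags keys that a `simple` interface sends in cleartext, including where the same key is reused for MD5 authentication; the `parse` and `audit` helpers and the `LINKS` table are assumptions built from the lab's addressing plan.

```python
import re
# Constructed sample: the authentication commands from steps (3)-(6) of this lab.
LAB = """\
[AR1-GigabitEthernet0/0/0]isis authentication-mode simple joinlabs level-1
[AR2-GigabitEthernet0/0/1]isis authentication-mode simple joinlabs level-1
[AR4-GigabitEthernet0/0/0]isis authentication-mode md5 joinlabs level-2
[AR5-GigabitEthernet0/0/1]isis authentication-mode md5 joinlabs level-2
[AR1-isis-1]area-authentication-mode md5 joinlabs
[AR2-isis-1]area-authentication-mode md5 joinlabs
[AR3-isis-1]area-authentication-mode md5 joinlabs
[AR2-isis-1]domain-authentication-mode md5 1234
[AR3-isis-1]domain-authentication-mode md5 1234
[AR4-isis-1]domain-authentication-mode md5 1234
[AR5-isis-1]domain-authentication-mode md5 1234
"""
# Links from the lab's addressing plan (12.1.1.0/24 and 45.1.1.0/24).
LINKS = [(("AR1", "GigabitEthernet0/0/0"), ("AR2", "GigabitEthernet0/0/1")),
         (("AR4", "GigabitEthernet0/0/0"), ("AR5", "GigabitEthernet0/0/1"))]
LINE = re.compile(r"\[(AR\d+)-([^\]]+)\](isis |area-|domain-)authentication-mode"
                  r" (simple|md5) (\S+)(?: (level-[12]))?")
SCOPES = {"isis ": "interface", "area-": "area", "domain-": "domain"}

def parse(text):
    """Extract device, view, scope, mode, key and level from each command."""
    return [dict(device=d, view=v, scope=SCOPES[k], mode=m, key=key, level=lv)
            for d, v, k, m, key, lv in LINE.findall(text)]

def audit(entries, links):
    """Return findings: unmatched link ends, cleartext keys, reused keys."""
    findings = []
    iface = {(e["device"], e["view"]): e for e in entries if e["scope"] == "interface"}
    for a, b in links:
        ea, eb = iface.get(a), iface.get(b)
        if ea is None or eb is None:
            findings.append(f"link {a[0]}-{b[0]}: authentication missing on at least one end")
        elif any(ea[k] != eb[k] for k in ("mode", "key", "level")):
            findings.append(f"link {a[0]}-{b[0]}: mismatched authentication settings")
    exposed = {e["key"] for e in entries if e["mode"] == "simple"}
    for e in entries:
        if e["mode"] == "simple":
            findings.append(f"{e['device']} {e['view']}: key sent in cleartext")
        elif e["key"] in exposed:
            findings.append(f"{e['device']} {e['scope']}: md5 key also used on a cleartext link")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse(LAB), LINKS)))
```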

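IS-IS Authentication

I. Authentication Types

1. Interface authentication (adjacency authentication)

  • Scope: IS-IS packets on a single interface

  • Authenticated object: all IS-IS protocol packets exchanged between neighbors

  • Typical use: preventing unauthorized devices from forming adjacencies

2. Area authentication

  • Scope: the entire Level-1 area

  • Authenticated object: Level-1 LSP and SNP packets

  • Typical use: securing routing information inside the area

3. Domain authentication

  • Scope: the entire Level-2 domain

  • Authenticated object: Level-2 LSP and SNP packets

  • Typical use: protecting backbone routing information

II. Authentication Methods

1. Plaintext authentication

  • The password is transmitted in plaintext

  • Simple to configure but offers low security

2. MD5 authentication

  • Uses a hash algorithm to protect the password

  • More secure (although MD5 is no longer considered secure enough)

3. HMAC-SHA authentication (supported on newer devices)

  • Uses the more secure SHA algorithm

  • The recommended authentication method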
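
What the first two methods put on the wire, as an added example that is not part of the original page: the IS-IS Authentication TLV (type 10) carrying a cleartext password (authentication type 1) beside the HMAC-MD5 form (authentication type 54, RFC 5304). It assumes the TLV is the last field of the PDU and uses constructed placeholder bytes in place of a real PDU header; the function names are illustrative.

```python
import hashlib
import hmac

AUTH_TLV = 10                  # IS-IS Authentication Information TLV
CLEARTEXT, HMAC_MD5 = 1, 54    # authentication type codes

# Constructed placeholder standing in for the PDU header and earlier TLVs.
SAMPLE_PDU = b"constructed-isis-pdu-bytes"

def tlv_cleartext(password: bytes) -> bytes:
    """Type 1: the TLV value is the password itself, readable by any observer."""
    return bytes([AUTH_TLV, 1 + len(password), CLEARTEXT]) + password

def sign_hmac_md5(pdu_prefix: bytes, key: bytes) -> bytes:
    """Type 54: append a 16-byte HMAC-MD5 digest computed over the whole PDU
    with the digest field set to zero. The key never appears in the PDU."""
    zeroed = pdu_prefix + bytes([AUTH_TLV, 17, HMAC_MD5]) + bytes(16)
    digest = hmac.new(key, zeroed, hashlib.md5).digest()
    return zeroed[:-16] + digest

def verify_hmac_md5(pdu: bytes, key: bytes) -> bool:
    """Receiver side: zero the digest field, recompute, compare in constant time."""
    expected = hmac.new(key, pdu[:-16] + bytes(16), hashlib.md5).digest()
    return hmac.compare_digest(pdu[-16:], expected)

if __name__ == "__main__":
    print(tlv_cleartext(b"joinlabs").hex())       # password bytes are visible
    signed = sign_hmac_md5(SAMPLE_PDU, b"joinlabs")
    print(signed[-19:].hex())                      # TLV header plus digest only
    print(verify_hmac_md5(signed, b"joinlabs"))    # matching key is accepted
    print(verify_hmac_md5(signed, b"wrong-key"))   # any other key is rejected
```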
