JUNOS IS-IS Hello and CSNP/PSNP Authentication – TLV Type #10


JUNOS IS-IS CSNP/PSNP and IIH Authentication – TLV Type Descriptions, Part 2

Click the link above to watch the HD version of this lab video on YouTube.


JUNOS IS-IS CSNP/PSNP and IIH Authentication – TLV Type Descriptions, Part 3

Click the link above to watch the HD version of this lab video on YouTube.

IS-IS supports both plaintext (simple) and MD5 authentication, and advertises the authentication information in TLV #10; depending on which authentication type is enabled, that information is encoded into the various LSPs. Continuing from Part 1, we enable both CSNP/PSNP authentication and Hello authentication at level 1 on R1, while on R2 we enable only level-1 Hello authentication. The IS-IS Hello authentication information is carried inside the IIH. Note that, apart from no-authentication-check, which disables authentication checking globally, IS-IS authentication on Juniper routers running JUNOS is always configured on a per-interface, per-level basis.

JUNOS IS-IS Hello and CSNP/PSNP Authentication Configuration – R1

[edit logical-routers]
nigel@junos# show r1 protocols isis
level 1 {
    authentication-key "$9$fQ39SyKv87cy"; ## SECRET-DATA
    authentication-type md5; ## SECRET-DATA
}
interface fxp1.12 {
    level 2 disable;
    level 1 {
        hello-authentication-key "$9$cfdSvLdVYoZjs2"; ## SECRET-DATA
        hello-authentication-type simple; ## SECRET-DATA
    }
}
interface lo0.1 {
    passive;
}

JUNOS IS-IS Hello and CSNP/PSNP Authentication Configuration – R2

[edit logical-routers]
nigel@junos# show r2 protocols isis
level 1 {
    no-csnp-authentication;
    no-psnp-authentication;
}
interface fxp2.12 {
    level 2 disable;
    level 1 {
        hello-authentication-key "$9$hFacK8-ds4JDwY"; ## SECRET-DATA
        hello-authentication-type simple; ## SECRET-DATA
    }
}
interface lo0.2 {
    passive;
}

After completing the configuration and clearing the IS-IS database, we can see that R1 and R2 still maintain their IS-IS adjacency, because both have simple (plaintext) authentication enabled with the same password.

[edit logical-routers]
nigel@junos# run clear isis database logical-router r1  

[edit logical-routers]
nigel@junos# run clear isis database logical-router r2  

[edit logical-routers]
nigel@junos# run show isis adjacency logical-router r2
Interface System         L State Hold (secs) SNPA
fxp2.12   1111.1111.1111 1 Up            21  0:0:0:0:0:0

Comparing the routing tables of R1 and R2, however, shows that because R2 has disabled CSNP/PSNP authentication at level 1, the routing information R2 sends to R1 over the level-1 link is not accepted into R1's routing table. In the other direction, the routing information sent by R1, which carries the level-1 authentication information, still enters R2's routing table.
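To make the TLV #10 encoding described earlier, and the asymmetric result above, concrete, here is an added Python example. It is not Junos code and is not part of the original post: it encodes and verifies the authentication TLV as defined in RFC 1195 / RFC 5304 (auth type 1 = cleartext, which Junos calls "simple"; auth type 54 = HMAC-MD5, which Junos calls "md5"), then replays the lab scenario on constructed PDUs: the IIH carries a matching simple password and is accepted, while a CSNP sent without TLV #10 (the effect of no-csnp-authentication on R2) is rejected by a receiver that expects HMAC-MD5. The PDU header bytes, keys, and TLV offset are placeholders chosen for the example; the key is passed to HMAC as-is, and the Remaining Lifetime/Checksum zeroing that RFC 5304 requires for LSPs is not modelled.

```python
"""Encode and verify the IS-IS authentication TLV (type 10).

Added example for this post; not Junos code and not a capture parser.
TLV layout (RFC 1195 / RFC 5304):
    Type 10 | Length | Auth Type (1 octet) | Auth Value
    Auth Type 1  = cleartext password  (Junos "simple")
    Auth Type 54 = HMAC-MD5, 16 bytes  (Junos "md5"), computed over the
                   whole PDU with the 16 digest bytes set to zero
Assumptions: key used by HMAC as-is; LSP-specific zeroing of Remaining
Lifetime and Checksum is not modelled; headers below are placeholders.
"""
import hashlib
import hmac

TLV_AUTH = 10
AUTH_CLEARTEXT = 1
AUTH_HMAC_MD5 = 54
DIGEST_LEN = 16


def parse_tlvs(pdu: bytes, tlv_offset: int):
    """Return [(type, value, value_offset)] for the TLV list starting at tlv_offset."""
    tlvs, pos = [], tlv_offset
    while pos + 2 <= len(pdu):
        tlv_type, tlv_len = pdu[pos], pdu[pos + 1]
        if pos + 2 + tlv_len > len(pdu):
            raise ValueError("truncated TLV at offset %d" % pos)
        tlvs.append((tlv_type, pdu[pos + 2:pos + 2 + tlv_len], pos + 2))
        pos += 2 + tlv_len
    return tlvs


def auth_tlv(auth_type: int, value: bytes) -> bytes:
    """Encode one TLV 10: type, length, auth type octet, value."""
    body = bytes([auth_type]) + value
    return bytes([TLV_AUTH, len(body)]) + body


def build_pdu(header: bytes, other_tlvs: bytes, auth_type, key: bytes) -> bytes:
    """Assemble header + TLVs; auth_type None means no TLV 10 at all."""
    if auth_type is None:
        return header + other_tlvs
    if auth_type == AUTH_CLEARTEXT:
        return header + other_tlvs + auth_tlv(AUTH_CLEARTEXT, key)
    # HMAC-MD5: emit a zeroed digest first, then fill it in over the whole PDU.
    pdu = header + other_tlvs + auth_tlv(AUTH_HMAC_MD5, bytes(DIGEST_LEN))
    digest = hmac.new(key, pdu, hashlib.md5).digest()
    return pdu[:-DIGEST_LEN] + digest


def verify_pdu(pdu: bytes, tlv_offset: int, expected_type: int, key: bytes):
    """Receiver-side check. Returns (accepted, reason); never raises on bad input."""
    try:
        tlvs = parse_tlvs(pdu, tlv_offset)
    except ValueError as exc:
        return False, str(exc)
    found = [(v, off) for t, v, off in tlvs if t == TLV_AUTH and len(v) >= 1]
    if not found:
        return False, "no authentication TLV"
    value, off = found[0]
    auth_type, auth_value = value[0], value[1:]
    if auth_type != expected_type:
        return False, "auth type %d, expected %d" % (auth_type, expected_type)
    if auth_type == AUTH_CLEARTEXT:
        ok = hmac.compare_digest(auth_value, key)
        return ok, "cleartext password " + ("matches" if ok else "mismatch")
    if auth_type == AUTH_HMAC_MD5:
        if len(auth_value) != DIGEST_LEN:
            return False, "bad digest length"
        # Digest bytes start one octet after the auth type octet at `off`.
        zeroed = pdu[:off + 1] + bytes(DIGEST_LEN) + pdu[off + 1 + DIGEST_LEN:]
        expected = hmac.new(key, zeroed, hashlib.md5).digest()
        ok = hmac.compare_digest(auth_value, expected)
        return ok, "HMAC-MD5 " + ("valid" if ok else "invalid")
    return False, "unsupported auth type %d" % auth_type


# Constructed stand-ins for the lab: placeholder 8-byte header, one area TLV.
HEADER = bytes([0x83, 0x1B, 0x01, 0x00, 0x10, 0x01, 0x00, 0x00])
TLV_OFFSET = len(HEADER)
AREA_TLV = bytes([1, 4, 3, 0x49, 0x00, 0x01])  # TLV 1, area 49.0001 (constructed)
HELLO_KEY = b"hello-secret"    # placeholder for the hello-authentication-key
LEVEL1_KEY = b"level1-secret"  # placeholder for the level-1 authentication-key


def demo():
    """Replay the post's scenario: IIH accepted, unauthenticated CSNP rejected."""
    r = {}
    iih = build_pdu(HEADER, AREA_TLV, AUTH_CLEARTEXT, HELLO_KEY)
    r["iih_ok"] = verify_pdu(iih, TLV_OFFSET, AUTH_CLEARTEXT, HELLO_KEY)[0]
    r["iih_wrong_key"] = verify_pdu(iih, TLV_OFFSET, AUTH_CLEARTEXT, b"other")[0]
    csnp_r1 = build_pdu(HEADER, AREA_TLV, AUTH_HMAC_MD5, LEVEL1_KEY)
    r["csnp_md5_ok"] = verify_pdu(csnp_r1, TLV_OFFSET, AUTH_HMAC_MD5, LEVEL1_KEY)[0]
    i = TLV_OFFSET + 3  # flip one bit inside the area address: digest must fail
    tampered = csnp_r1[:i] + bytes([csnp_r1[i] ^ 1]) + csnp_r1[i + 1:]
    r["csnp_tampered"] = verify_pdu(tampered, TLV_OFFSET, AUTH_HMAC_MD5, LEVEL1_KEY)[0]
    csnp_r2 = build_pdu(HEADER, AREA_TLV, None, b"")  # R2 with no-csnp-authentication
    r["csnp_unauth"] = verify_pdu(csnp_r2, TLV_OFFSET, AUTH_HMAC_MD5, LEVEL1_KEY)[0]
    return r


if __name__ == "__main__":
    for name, accepted in demo().items():
        print("%-16s %s" % (name, "accepted" if accepted else "rejected"))
```

The receiver logic is deliberately per-PDU: the same node accepts the IIH (adjacency stays up) and rejects the CSNP (no database sync from that neighbour), which is exactly the split seen in the R1 and R2 routing tables.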

[edit]
nigel@junos# run show route logical-router r1 protocol isis

inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)

iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)

[edit]
nigel@junos# run show route logical-router r2 protocol isis

inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.0.6.1/32        *[IS-IS/15] 00:00:03, metric 10
                    > to 10.0.4.5 via fxp2.12

iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)

Going one step further, sending ICMP packets from R2 to R1's loopback address 10.0.6.1 with different source addresses also gives completely different results.

[edit]
nigel@junos# run ping 10.0.6.1 logical-router r2 rapid
PING 10.0.6.1 (10.0.6.1): 56 data bytes
!!!!!
--- 10.0.6.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.399/0.447/0.509/0.040ms

[edit]
nigel@junos# run ping 10.0.6.1 logical-router r2 source 10.0.6.2 rapid
PING 10.0.6.1 (10.0.6.1): 56 data bytes
.....
--- 10.0.6.1 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
