碧云天
Spotlight
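Last edited by 碧云天 on 2020-2-26 17:13
I. Test topology
[Topology diagram: 170201d5zppv55pwipmpbc.png]
Configuration summary
1. Old-style IS-IS authentication has three levels: interface, area and domain. Scope increases in that order and priority decreases in that order.
2. Both sides must configure old-style IS-IS authentication at the same level; otherwise authentication fails even when the passwords match.
---Note: if one side configures area authentication and the other configures both interface authentication and area authentication, authentication fails even when the passwords match.
3. If one side uses old-style area authentication and the other side has no authentication configured, the adjacency still forms; the side without authentication learns routes, and the side with authentication does not.
4. If one side uses old-style domain authentication and the other side has no authentication configured, the adjacency forms and routes are learned normally, which shows that domain authentication does not do much.
5. New-style IS-IS authentication has only two levels: interface level and process level.
6. If one side uses new-style process-level authentication and the other side has no authentication configured, the adjacency still forms; the side without authentication learns routes, and the side with authentication does not.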
II. Basic configuration
1. R1 router
hostname R1
interface Loopback0
ip address 1.1.1.1 255.255.255.0
interface FastEthernet0/0
ip address 12.1.1.1 255.255.255.0
no shutdown
2. ASAv firewall
firewall transparent
interface GigabitEthernet0/0
bridge-group 1
nameif inside
security-level 100
no shutdown
interface GigabitEthernet0/1
bridge-group 1
nameif outside
security-level 0
no shutdown
interface BVI1
ip address 12.1.1.10 255.255.255.0
3. R2 router
hostname R2
interface Loopback0
ip address 2.2.2.2 255.255.255.0
interface FastEthernet0/0
ip address 12.1.1.2 255.255.255.0
no shutdown
III. Configure IS-IS and the firewall policy
1. R1 router

router isis
net 49.0001.1111.1111.1111.00
is-type level-1
log-adjacency-changes all
passive-interface Loopback0
interface Loopback0
ip router isis
interface FastEthernet0/0
ip router isis
isis network point-to-point
2. R2 router
router isis
net 49.0001.2222.2222.2222.00
is-type level-1
log-adjacency-changes all
passive-interface Loopback0
interface Loopback0
ip router isis
interface FastEthernet0/0
ip router isis
isis network point-to-point
3. ASAv firewall
policy-map global_policy
class inspection_default
inspect icmp
access-list Inside-ISIS ethertype permit dsap isis
access-list Outside-ISIS ethertype permit dsap isis
access-group Inside-ISIS in interface inside
access-group Outside-ISIS in interface outside
4. Verification
R1#show isis neighbors
System Id Type Interface IP Address State Holdtime Circuit Id
R2 L1 Fa0/0 12.1.1.2 UP 24 02
R1#show cln
R1#show clns ne
R1#show clns neighbors
System Id Interface SNPA State Holdtime Type Protocol
R2 Fa0/0 ca0a.1667.0000 Up 27 L1 IS-IS
R1#
R1#show ip route isis | begin Gate
Gateway of last resort is not set
2.0.0.0/24 is subnetted, 1 subnets
i L1 2.2.2.0 [115/10] via 12.1.1.2, FastEthernet0/0
R1#
IV. Configure old-style IS-IS authentication
1. Configure old-style interface-level authentication
① R1 router

R1(config)#int f0/0
R1(config-if)#isis password Cisc0123
*Feb 26 08:50:28.199: %CLNS-4-AUTH_FAIL: ISIS: Serial IIH authentication failed
*Feb 26 08:50:49.747: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R2 (FastEthernet0/0) Down, hold time expired
R1(config-if)#do show isis nei
System Id Type Interface IP Address State Holdtime Circuit Id
R1(config-if)#
Note: after the password is configured on R1's interface, R1 receives authentication-failure messages and the adjacency soon goes down.
② R2 router
R2(config-router)#int f0/0
R2(config-if)#isis password Cisc0123
R2(config-if)#
*Feb 26 08:52:00.271: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R1 (FastEthernet0/0) Up, new adjacency
Note: once R2 is also configured with authentication, the adjacency quickly comes up.
③ Routes are also learned normally
R1#clear isis *
R1#clear
*Feb 26 10:26:02.599: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R2 (FastEthernet0/0) Down, clear clns nbr cmd(non-iih)
*Feb 26 10:26:02.599: %CLNS-5-ADJCLEAR: ISIS: All adjacencies cleared
R1#clear ip route *
R1#show ip
*Feb 26 10:26:09.531: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R2 (FastEthernet0/0) Up, new adjacency
R1#show ip route isis | begin Gate
Gateway of last resort is not set
2.0.0.0/24 is subnetted, 1 subnets
i L1 2.2.2.0 [115/10] via 12.1.1.2, FastEthernet0/0
R1#
2. Configure old-style area-level authentication
① R1 router

interface FastEthernet0/0
no isis password Cisc0123
router isis
area-password Cisc0123
② Remove interface-level authentication on R2
R2(config-router)#int f0/0
*Feb 26 09:36:27.455: %CLNS-4-AUTH_FAIL: ISIS: Serial IIH authentication failed
R2(config-if)#no isis password Cisc0123
R2(config-if)#end
*Feb 26 09:36:48.899: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R1 (FastEthernet0/0) Down, hold time expired
*Feb 26 09:36:49.935: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R1 (FastEthernet0/0) Up, new adjacency
R2#clear isis *
*Feb 26 09:38:02.147: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R1 (FastEthernet0/0) Down, clear clns nbr cmd(non-iih)
*Feb 26 09:38:02.151: %CLNS-5-ADJCLEAR: ISIS: All adjacencies cleared
*Feb 26 09:38:08.647: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R1 (FastEthernet0/0) Up, new adjacency
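-- As shown, interface authentication has only been removed and area-level authentication has not been configured yet, but the adjacency is already up
--- The adjacency is also up on R1; although errors are logged, routes can still be learned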
R1#
*Feb 26 09:38:08.959: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R2 (FastEthernet0/0) Down, neighbor forgot us
*Feb 26 09:38:08.983: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R2 (FastEthernet0/0) Up, new adjacency
*Feb 26 09:38:25.079: %CLNS-4-AUTH_FAIL: ISIS: LSP authentication failed
*Feb 26 09:38:55.263: %CLNS-4-AUTH_FAIL: ISIS: LSP authentication failed
*Feb 26 09:39:25.407: %CLNS-4-AUTH_FAIL: ISIS: LSP authentication failed
R1#
*Feb 26 09:39:55.551: %CLNS-4-AUTH_FAIL: ISIS: LSP authentication failedcle
R1#clear ip rou
R1#clear ip route *
R1#show ip route isis | begin Gate
Gateway of last resort is not set
2.0.0.0/24 is subnetted, 1 subnets
i L1 2.2.2.0 [115/10] via 12.1.1.2, FastEthernet0/0
R1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/21/24 ms
R1#
-- At this point R1 cannot learn routes because of the LSP authentication errors
R1(config-router)#do clear isis *
*Feb 26 10:31:09.247: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R2 (FastEthernet0/0) Down, clear clns nbr cmd(non-iih)
*Feb 26 10:31:09.247: %CLNS-5-ADJCLEAR: ISIS: All adjacencies clea
*Feb 26 10:31:13.691: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R2 (FastEthernet0/0) Up, new adjacency
*Feb 26 10:31:14.707: %CLNS-4-AUTH_FAIL: ISIS: LSP authentication failed
R1(config-router)#do clear ip route *
R1(config-router)#do show ip route isis | begin Gate
Gateway of last resort is not set
R1(config-router)#
*Feb 26 10:31:44.887: %CLNS-4-AUTH_FAIL: ISIS: LSP authentication failed
R1(config-router)#do show isis nei
System Id Type Interface IP Address State Holdtime Circuit Id
R2 L1 Fa0/0 12.1.1.2 UP 29 02
R1(config-router)#
③ Configure area-level authentication on R2
R2(config)#router isis
R2(config-router)#area-password Cisc0123
--- R1 can now learn routes normally
R1#clear isis *
R1#
*Feb 26 10:34:42.323: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R2 (FastEthernet0/0) Down, clear clns nbr cmd(non-iih)
*Feb 26 10:34:42.323: %CLNS-5-ADJCLEAR: ISIS: All adjacencies cleared
*Feb 26 10:34:43.223: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R2 (FastEthernet0/0) Up, new adjacency
R1#show ip route isis | begin Gate
Gateway of last resort is not set
2.0.0.0/24 is subnetted, 1 subnets
i L1 2.2.2.0 [115/10] via 12.1.1.2, FastEthernet0/0
R1#
3. Configure old-style domain-level authentication
① R1 router

router isis
no area-password
domain-password Cisc0123
R1#clear isis *
*Feb 26 10:37:28.995: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R2 (FastEthernet0/0) Down, clear clns nbr cmd(non-iih)
*Feb 26 10:37:28.995: %CLNS-5-ADJCLEAR: ISIS: All adjacencies cleare
R1#clear ip route *
*Feb 26 10:37:36.999: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R2 (FastEthernet0/0) Up, new adjacen
R1#show ip route isis | begin Gate
Gateway of last resort is not set
2.0.0.0/24 is subnetted, 1 subnets
i L1 2.2.2.0 [115/10] via 12.1.1.2, FastEthernet0/0
R1#
Note: R1 now uses domain authentication while R2 uses area authentication, and R1 still learns routes normally.
② Remove area-level authentication on R2
R2(config-if)#router isis
*Feb 26 10:40:19.587: %CLNS-4-AUTH_FAIL: ISIS: LSP authentication failed
*Feb 26 10:40:49.731: %CLNS-4-AUTH_FAIL: ISIS: LSP authentication failed
R2(config-router)#no area-password
*Feb 26 10:41:19.899: %CLNS-4-AUTH_FAIL: ISIS: LSP authentication failed
R2(config-router)#do clear isis *
R2(config-router)#
*Feb 26 10:41:36.723: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R1 (FastEthernet0/0) Down, clear clns nbr cmd(non-iih)
*Feb 26 10:41:36.723: %CLNS-5-ADJCLEAR: ISIS: All adjacencies cleared
*Feb 26 10:41:36.771: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R1 (FastEthernet0/0) Up, new adjacency
R2(config-router)#do clear ip route *
R2(config-router)#do show ip route isis | begin Gate
Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets
i L1 1.1.1.0 [115/20] via 12.1.1.1, FastEthernet0/0
R2(config-router)#
-- Checking R1's routes at this point shows that it also learns routes normally, with no errors logged
R1#clear isis *
R1#cle
*Feb 26 10:43:22.187: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R2 (FastEthernet0/0) Down, clear clns nbr cmd(non-iih)
*Feb 26 10:43:22.191: %CLNS-5-ADJCLEAR: ISIS: All adjacencies cleared
*Feb 26 10:43:22.611: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R2 (FastEthernet0/0) Up, new adjacencyr
R1#clear ip route *
R1#show ip route isis
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
2.0.0.0/24 is subnetted, 1 subnets
i L1 2.2.2.0 [115/10] via 12.1.1.2, FastEthernet0/0
R1#
V. Configure new-style IS-IS authentication
1. Configure new-style interface-level authentication
① R1 router

key chain R1
key 1
key-string Cisc0123
interface FastEthernet0/0
isis authentication mode md5
isis authentication key-chain R1
② R2 router
key chain R2
key 1
key-string Cisc0123
interface FastEthernet0/0
isis authentication mode md5
isis authentication key-chain R2
③ Verification
R1#show isis neighbors
System Id Type Interface IP Address State Holdtime Circuit Id
R2 L1 Fa0/0 12.1.1.2 UP 28 02
R1#show ip route isis | begin Gate
Gateway of last resort is not set
2.0.0.0/24 is subnetted, 1 subnets
i L1 2.2.2.0 [115/10] via 12.1.1.2, FastEthernet0/0
R1#
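2. Configure new-style area-level authentication
-- Note: while configuring R1, keep R2's new-style interface-level authentication in place for now
① First remove interface-level authentication on R1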
R1(config)#int f0/0
R1(config-if)#no isis authentication mode md5
R1(config-if)#no isis authentication key-chain R1
R1(config-if)#
*Feb 26 09:05:18.507: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R2 (FastEthernet0/0) Down, neighbor forgot us
② Configure process-level authentication on R1
R1(config-if)#router isis
R1(config-router)# authentication key-chain R1
R1(config-router)# authentication mode md5 level-1
R1(config-router)#
③ First remove interface-level authentication on R2
R2(config-if)#int f0/0
R2(config-if)#no isis authentication mode md5
R2(config-if)#no isis authentication key-chain R2
*Feb 26 10:16:16.687: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R1 (FastEthernet0/0) Up, new adjacency
R2(config-if)#do clear isis *
R2(config-if)#
*Feb 26 10:16:36.763: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R1 (FastEthernet0/0) Down, clear clns nbr cmd(non-iih)
*Feb 26 10:16:36.763: %CLNS-5-ADJCLEAR: ISIS: All adjacencies cleared
*Feb 26 10:16:40.823: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R1 (FastEthernet0/0) Up, new adjacency
R2(config-if)#do show ip route isis | begin Gate
Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets
i L1 1.1.1.0 [115/20] via 12.1.1.1, FastEthernet0/0
R2(config-if)#
--- R1 now reports PSNP authentication failed errors; the adjacency is established, but no routes are learned
R1(config-router)#
*Feb 26 10:54:53.111: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R2 (FastEthernet0/0) Up, new adjacency
*Feb 26 10:54:53.155: %CLNS-4-AUTH_FAIL: ISIS: LSP authentication failed
*Feb 26 10:55:16.731: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R2 (FastEthernet0/0) Down, neighbor forgot us
*Feb 26 10:55:16.775: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R2 (FastEthernet0/0) Up, new adjacency
*Feb 26 10:55:23.823: %CLNS-4-AUTH_FAIL: ISIS: PSNP authentication failed
R1(config-router)#
*Feb 26 10:55:53.987: %CLNS-4-AUTH_FAIL: ISIS: PSNP authentication failed
R1(config-router)#do show ip route isis | begin Gate
Gateway of last resort is not set
R1(config-router)#
④ Configure process-level authentication on R2
R2(config)#router isis
R2(config-router)#authentication key-chain R2
R2(config-router)#authentication mode md5 level-1
Note: both R1 and R2 can now learn routes normally
R2#show ip route isis | begin Gate
Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets
i L1 1.1.1.0 [115/20] via 12.1.1.1, FastEthernet0/0
R2#
R1#show ip route isis | begin Gate
Gateway of last resort is not set
2.0.0.0/24 is subnetted, 1 subnets
i L1 2.2.2.0 [115/10] via 12.1.1.2, FastEthernet0/0
R1#
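The failure mode in summary points 3 and 6 (adjacency Up while LSP/PSNP authentication fails, so routes are silently missing) can be picked out of syslog. The Python below is an added example, not part of the original post; the function name analyze, the finding labels and the sample log are constructed here, with the message formats copied from the IOS output above (CSNP is included as an assumption, since it does not appear in the post).

```python
import re

# Constructed sample, in the format of the IOS syslog lines shown in the post.
SAMPLE = """\
*Feb 26 10:31:13.691: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R2 (FastEthernet0/0) Up, new adjacency
*Feb 26 10:31:14.707: %CLNS-4-AUTH_FAIL: ISIS: LSP authentication failed
*Feb 26 10:31:44.887: %CLNS-4-AUTH_FAIL: ISIS: LSP authentication failed
*Feb 26 10:55:23.823: %CLNS-4-AUTH_FAIL: ISIS: PSNP authentication failed
*Feb 26 11:02:00.000: %CLNS-4-AUTH_FAIL: ISIS: Serial IIH authentication failed
*Feb 26 11:02:21.500: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R2 (FastEthernet0/0) Down, hold time expired
"""

ADJ = re.compile(r"%CLNS-5-ADJCHANGE: ISIS: Adjacency to (\S+) \((\S+)\) (Up|Down),")
# Optional leading word covers "Serial IIH"; CSNP is an assumed variant.
AUTH = re.compile(r"%CLNS-4-AUTH_FAIL: ISIS: (?:\S+ )?(IIH|LSP|CSNP|PSNP) authentication failed")


def analyze(log_text):
    """Return (kind, detail) findings in log order.

    IIH failures mean a hello (interface-level) mismatch: the adjacency expires.
    LSP/SNP failures while a neighbor is Up mean an area/process-level mismatch:
    the adjacency looks healthy but the database, and so the routes, are missing.
    """
    up = set()  # neighbors whose adjacency is currently Up
    findings = []
    for line in log_text.splitlines():
        m = ADJ.search(line)
        if m:
            neighbor, _interface, state = m.groups()
            if state == "Up":
                up.add(neighbor)
            else:
                up.discard(neighbor)
            continue
        m = AUTH.search(line)
        if not m:
            continue
        pdu = m.group(1)
        if pdu == "IIH":
            findings.append(("hello-auth-mismatch", "IIH rejected; adjacency will expire"))
        elif up:
            findings.append(("silent-lsdb-auth-mismatch", f"{pdu} rejected while {sorted(up)} Up"))
        else:
            findings.append(("lsdb-auth-mismatch", f"{pdu} rejected"))
    return findings


if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE):
        print(kind, "-", detail)
```

The AUTH_FAIL message does not name the sender, so the finding lists every neighbor that is Up at that moment; on a multi-neighbor router, confirm with show isis neighbors and show ip route isis as in the post.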
Comments
one-time
Level 13
Thanks to the original poster for sharing :handshake
ABELLCCTV70187
Level 1
Thanks to the original poster for sharing
likuo
Spotlight
The test is clear.