[Original] IS-IS through an ASA transparent firewall, with authentication tests

Posted 2020-2-26 17:02:20
Last edited by 碧云天 on 2020-2-26 17:13

I. Test topology (the diagram is an attachment to the original post)

Configuration summary
1. Old-style IS-IS authentication has three levels: interface, area and domain. Scope increases and precedence decreases in that order.
2. Both sides of old-style IS-IS authentication must be configured at the same level; otherwise authentication fails even when the passwords are identical.
   Note: if one side configures only area authentication and the other configures both interface and area authentication, authentication fails even with identical passwords.
3. If one side uses old-style area authentication and the other has none configured, the adjacency still comes up; the side without authentication learns routes, the side with authentication does not.
4. If one side uses old-style domain authentication and the other has none configured, the adjacency comes up and routes are learned normally on both sides, which shows that domain authentication is not doing anything in this test.
5. New-style IS-IS authentication has only two levels: interface and process.
6. If one side uses new-style process-level authentication and the other has none configured, the adjacency still comes up; the side without authentication learns routes, the side with authentication does not.

II. Basic configuration
1. Router R1
hostname R1
interface Loopback0
    ip address 1.1.1.1 255.255.255.0
interface FastEthernet0/0
    ip address 12.1.1.1 255.255.255.0
    no shutdown
2. ASAv firewall
firewall transparent
interface GigabitEthernet0/0
    bridge-group 1
    nameif inside
    security-level 100
    no shutdown
interface GigabitEthernet0/1
    bridge-group 1
    nameif outside
    security-level 0
    no shutdown
interface BVI1
    ip address 12.1.1.10 255.255.255.0
3. Router R2
hostname R2
interface Loopback0
    ip address 2.2.2.2 255.255.255.0
interface FastEthernet0/0
    ip address 12.1.1.2 255.255.255.0
    no shutdown
III. IS-IS configuration and firewall policy
1. Router R1

router isis
    net 49.0001.1111.1111.1111.00
    is-type level-1
    log-adjacency-changes all
    passive-interface Loopback0
interface Loopback0
    ip router isis

interface FastEthernet0/0
    ip router isis
    isis network point-to-point
2. Router R2
router isis
    net 49.0001.2222.2222.2222.00
    is-type level-1
    log-adjacency-changes all
    passive-interface Loopback0
interface Loopback0
    ip router isis
interface FastEthernet0/0
    ip router isis
    isis network point-to-point
3. ASAv firewall
policy-map global_policy
class inspection_default
  inspect icmp
access-list Inside-ISIS ethertype permit dsap isis
access-list Outside-ISIS ethertype permit dsap isis
access-group Inside-ISIS in interface inside
access-group Outside-ISIS in interface outside
4. Verification
R1#show isis neighbors

System Id      Type Interface   IP Address      State Holdtime Circuit Id
R2             L1   Fa0/0       12.1.1.2        UP    24       02
R1#show clns neighbors
System Id      Interface   SNPA                State  Holdtime  Type Protocol
R2             Fa0/0       ca0a.1667.0000      Up     27        L1   IS-IS
R1#
R1#show ip route isis | begin Gate
Gateway of last resort is not set

      2.0.0.0/24 is subnetted, 1 subnets
i L1     2.2.2.0 [115/10] via 12.1.1.2, FastEthernet0/0
R1#
IV. Configure old-style IS-IS authentication
1. Configure old-style interface-level authentication
① Router R1

R1(config)#int f0/0
R1(config-if)#isis password Cisc0123
*Feb 26 08:50:28.199: %CLNS-4-AUTH_FAIL: ISIS: Serial IIH authentication failed
*Feb 26 08:50:49.747: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R2 (FastEthernet0/0) Down, hold time expired
R1(config-if)#do show isis nei

System Id      Type Interface   IP Address      State Holdtime Circuit Id
R1(config-if)#
Note: as soon as the password is configured on R1's interface, R1 logs an authentication failure and the adjacency goes down shortly afterwards.
② Router R2
R2(config-router)#int f0/0
R2(config-if)#isis password  Cisc0123
R2(config-if)#
*Feb 26 08:52:00.271: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R1 (FastEthernet0/0) Up, new adjacency
Note: once R2 has the same authentication configured, the adjacency comes back up almost immediately.
③ Routes are learned normally
R1#clear isis *
*Feb 26 10:26:02.599: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R2 (FastEthernet0/0) Down, clear clns nbr cmd(non-iih)
*Feb 26 10:26:02.599: %CLNS-5-ADJCLEAR: ISIS: All adjacencies cleared
R1#clear ip route *
*Feb 26 10:26:09.531: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R2 (FastEthernet0/0) Up, new adjacency
R1#show ip route isis | begin Gate
Gateway of last resort is not set

      2.0.0.0/24 is subnetted, 1 subnets
i L1     2.2.2.0 [115/10] via 12.1.1.2, FastEthernet0/0
R1#
2. Configure old-style area-level authentication
① Router R1

interface FastEthernet0/0
    no isis password Cisc0123
router isis
     area-password Cisc0123
② Remove interface-level authentication on R2
R2(config-router)#int f0/0
*Feb 26 09:36:27.455: %CLNS-4-AUTH_FAIL: ISIS: Serial IIH authentication failed
R2(config-if)#no isis password Cisc0123
R2(config-if)#end
*Feb 26 09:36:48.899: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R1 (FastEthernet0/0) Down, hold time expired
*Feb 26 09:36:49.935: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R1 (FastEthernet0/0) Up, new adjacency
R2#clear isis *
*Feb 26 09:38:02.147: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R1 (FastEthernet0/0) Down, clear clns nbr cmd(non-iih)
*Feb 26 09:38:02.151: %CLNS-5-ADJCLEAR: ISIS: All adjacencies cleared
*Feb 26 09:38:08.647: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R1 (FastEthernet0/0) Up, new adjacency
Note: with only the interface authentication removed, and before any area-level authentication is configured, the adjacency is already up.
On R1 the adjacency is also up; although errors are logged, R1 is still able to learn the route.
R1#
*Feb 26 09:38:08.959: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R2 (FastEthernet0/0) Down, neighbor forgot us
*Feb 26 09:38:08.983: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R2 (FastEthernet0/0) Up, new adjacency
*Feb 26 09:38:25.079: %CLNS-4-AUTH_FAIL: ISIS: LSP authentication failed
*Feb 26 09:38:55.263: %CLNS-4-AUTH_FAIL: ISIS: LSP authentication failed
*Feb 26 09:39:25.407: %CLNS-4-AUTH_FAIL: ISIS: LSP authentication failed
R1#
*Feb 26 09:39:55.551: %CLNS-4-AUTH_FAIL: ISIS: LSP authentication failed
R1#clear ip route *
R1#show ip route isis | begin Gate
Gateway of last resort is not set

      2.0.0.0/24 is subnetted, 1 subnets
i L1     2.2.2.0 [115/10] via 12.1.1.2, FastEthernet0/0
R1#ping 2.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/21/24 ms
R1#
Note: at this point R1 cannot learn the route because of the LSP authentication failures.
R1(config-router)#do clear isis *
*Feb 26 10:31:09.247: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R2 (FastEthernet0/0) Down, clear clns nbr cmd(non-iih)

*Feb 26 10:31:09.247: %CLNS-5-ADJCLEAR: ISIS: All adjacencies cleared

*Feb 26 10:31:13.691: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R2 (FastEthernet0/0) Up, new adjacency
*Feb 26 10:31:14.707: %CLNS-4-AUTH_FAIL: ISIS: LSP authentication failed
R1(config-router)#do clear ip route *
R1(config-router)#do show ip route isis | begin Gate
Gateway of last resort is not set

R1(config-router)#
*Feb 26 10:31:44.887: %CLNS-4-AUTH_FAIL: ISIS: LSP authentication failed
R1(config-router)#do show isis nei

System Id      Type Interface   IP Address      State Holdtime Circuit Id
R2             L1   Fa0/0       12.1.1.2        UP    29       02
R1(config-router)#
③ Configure area-level authentication on R2
R2(config)#router isis
R2(config-router)#area-password Cisc0123
Note: R1 now learns the route normally.
R1#clear isis *
R1#
*Feb 26 10:34:42.323: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R2 (FastEthernet0/0) Down, clear clns nbr cmd(non-iih)
*Feb 26 10:34:42.323: %CLNS-5-ADJCLEAR: ISIS: All adjacencies cleared
*Feb 26 10:34:43.223: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R2 (FastEthernet0/0) Up, new adjacency
R1#show ip route isis | begin Gate
Gateway of last resort is not set

      2.0.0.0/24 is subnetted, 1 subnets
i L1     2.2.2.0 [115/10] via 12.1.1.2, FastEthernet0/0
R1#

3. Configure old-style domain-level authentication
① Router R1

router isis
    no area-password
    domain-password Cisc0123

R1#clear isis *
*Feb 26 10:37:28.995: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R2 (FastEthernet0/0) Down, clear clns nbr cmd(non-iih)
*Feb 26 10:37:28.995: %CLNS-5-ADJCLEAR: ISIS: All adjacencies cleared
R1#clear ip route *
*Feb 26 10:37:36.999: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R2 (FastEthernet0/0) Up, new adjacency
R1#show ip route isis |  begin Gate
Gateway of last resort is not set

      2.0.0.0/24 is subnetted, 1 subnets
i L1     2.2.2.0 [115/10] via 12.1.1.2, FastEthernet0/0
R1#
Note: R1 now uses domain authentication while R2 still uses area authentication, yet R1 learns the route normally.
② Remove area-level authentication on R2
R2(config-if)#router isis
*Feb 26 10:40:19.587: %CLNS-4-AUTH_FAIL: ISIS: LSP authentication failed
*Feb 26 10:40:49.731: %CLNS-4-AUTH_FAIL: ISIS: LSP authentication failed
R2(config-router)#no area-password
*Feb 26 10:41:19.899: %CLNS-4-AUTH_FAIL: ISIS: LSP authentication failed
R2(config-router)#do clear isis *
R2(config-router)#
*Feb 26 10:41:36.723: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R1 (FastEthernet0/0) Down, clear clns nbr cmd(non-iih)
*Feb 26 10:41:36.723: %CLNS-5-ADJCLEAR: ISIS: All adjacencies cleared
*Feb 26 10:41:36.771: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R1 (FastEthernet0/0) Up, new adjacency
R2(config-router)#do clear ip route *
R2(config-router)#do show ip route isis | begin Gate
Gateway of last resort is not set

      1.0.0.0/24 is subnetted, 1 subnets
i L1     1.1.1.0 [115/20] via 12.1.1.1, FastEthernet0/0
R2(config-router)#
Note: checking R1's routing table shows that it also learns the route normally, with no errors logged.
R1#clear isis *
*Feb 26 10:43:22.187: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R2 (FastEthernet0/0) Down, clear clns nbr cmd(non-iih)
*Feb 26 10:43:22.191: %CLNS-5-ADJCLEAR: ISIS: All adjacencies cleared
*Feb 26 10:43:22.611: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R2 (FastEthernet0/0) Up, new adjacency
R1#clear ip route *
R1#show ip route isis
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

      2.0.0.0/24 is subnetted, 1 subnets
i L1     2.2.2.0 [115/10] via 12.1.1.2, FastEthernet0/0
R1#

V. Configure new-style IS-IS authentication
1. Configure new-style interface-level authentication
① Router R1

key chain R1
    key 1
      key-string Cisc0123
interface FastEthernet0/0
    isis authentication mode md5
    isis authentication key-chain R1
② Router R2
key chain R2
    key 1
      key-string Cisc0123
interface FastEthernet0/0
    isis authentication mode md5
    isis authentication key-chain R2
③ Verification
R1#show isis neighbors

System Id      Type Interface   IP Address      State Holdtime Circuit Id
R2             L1   Fa0/0       12.1.1.2        UP    28       02
R1#show ip route isis | begin Gate
Gateway of last resort is not set

      2.0.0.0/24 is subnetted, 1 subnets
i L1     2.2.2.0 [115/10] via 12.1.1.2, FastEthernet0/0
R1#
2. Configure new-style process-level authentication
Note: while configuring R1, leave R2's new-style interface-level authentication in place for now.
① First remove interface-level authentication on R1
R1(config)#int f0/0
R1(config-if)#no  isis authentication mode md5
R1(config-if)#no isis authentication key-chain R1
R1(config-if)#
*Feb 26 09:05:18.507: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R2 (FastEthernet0/0) Down, neighbor forgot us
② Configure process-level authentication on R1
R1(config-if)#router isis
R1(config-router)# authentication key-chain R1
R1(config-router)# authentication mode md5 level-1
R1(config-router)#
③ First remove interface-level authentication on R2
R2(config-if)#int f0/0
R2(config-if)#no  isis authentication mode md5
R2(config-if)#no isis authentication key-chain R2
*Feb 26 10:16:16.687: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R1 (FastEthernet0/0) Up, new adjacency
R2(config-if)#do clear isis *
R2(config-if)#
*Feb 26 10:16:36.763: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R1 (FastEthernet0/0) Down, clear clns nbr cmd(non-iih)
*Feb 26 10:16:36.763: %CLNS-5-ADJCLEAR: ISIS: All adjacencies cleared
*Feb 26 10:16:40.823: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R1 (FastEthernet0/0) Up, new adjacency
R2(config-if)#do show ip route isis | begin Gate
Gateway of last resort is not set

      1.0.0.0/24 is subnetted, 1 subnets
i L1     1.1.1.0 [115/20] via 12.1.1.1, FastEthernet0/0
R2(config-if)#
Note: R1 now logs PSNP authentication failed errors; the adjacency is established, but no routes are learned.
R1(config-router)#
*Feb 26 10:54:53.111: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R2 (FastEthernet0/0) Up, new adjacency
*Feb 26 10:54:53.155: %CLNS-4-AUTH_FAIL: ISIS: LSP authentication failed
*Feb 26 10:55:16.731: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R2 (FastEthernet0/0) Down, neighbor forgot us
*Feb 26 10:55:16.775: %CLNS-5-ADJCHANGE: ISIS: Adjacency to R2 (FastEthernet0/0) Up, new adjacency
*Feb 26 10:55:23.823: %CLNS-4-AUTH_FAIL: ISIS: PSNP authentication failed
R1(config-router)#
*Feb 26 10:55:53.987: %CLNS-4-AUTH_FAIL: ISIS: PSNP authentication failed
R1(config-router)#do show ip route isis | begin Gate
Gateway of last resort is not set

R1(config-router)#
④ Configure process-level authentication on R2
R2(config)#router isis
R2(config-router)#authentication key-chain R2
R2(config-router)#authentication mode md5 level-1
Note: R1 and R2 now both learn routes normally.
R2#show ip route isis | begin Gate
Gateway of last resort is not set

      1.0.0.0/24 is subnetted, 1 subnets
i L1     1.1.1.0 [115/20] via 12.1.1.1, FastEthernet0/0
R2#
R1#show ip route isis  | begin Gate
Gateway of last resort is not set

      2.0.0.0/24 is subnetted, 1 subnets
i L1     2.2.2.0 [115/10] via 12.1.1.2, FastEthernet0/0
R1#
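The level-matching rule from the configuration summary (both peers must authenticate at the same level, or authentication fails even with identical passwords) can be checked before deployment. This is an added Python example, not code from the post: it parses two IOS config snippets (constructed here, modelled on the post's R1 and R2) and reports the authentication levels that are enabled on only one side.

```python
# Constructed config snippets modelled on the post's R1/R2 (not the post's own
# files): R1 authenticates at process level, R2 at interface level, so the
# levels differ even though both sides use the key-string Cisc0123.
R1_CFG = """
router isis
 net 49.0001.1111.1111.1111.00
 is-type level-1
 authentication key-chain R1
 authentication mode md5 level-1
interface FastEthernet0/0
 ip router isis
"""
R2_CFG = """
router isis
 net 49.0001.2222.2222.2222.00
 is-type level-1
interface FastEthernet0/0
 ip router isis
 isis authentication mode md5
 isis authentication key-chain R2
"""

# (config section, command prefix, authentication level the command enables)
AUTH_COMMANDS = [
    ("interface", "isis password ", "interface (old-style)"),
    ("interface", "isis authentication mode", "interface (new-style)"),
    ("router isis", "area-password ", "area (old-style)"),
    ("router isis", "domain-password ", "domain (old-style)"),
    ("router isis", "authentication mode", "process (new-style)"),
]

def isis_auth_levels(cfg):
    """Return the set of IS-IS authentication levels enabled in an IOS config."""
    levels, section = set(), ""
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():      # an unindented line opens a new section
            section = line
            continue
        for sect, cmd, level in AUTH_COMMANDS:
            if section.startswith(sect) and line.startswith(cmd):
                levels.add(level)
    return levels

def audit(cfg_a, cfg_b):
    """Levels enabled on only one side; each one breaks authentication even with equal passwords."""
    return sorted(isis_auth_levels(cfg_a) ^ isis_auth_levels(cfg_b))
```

An empty result from audit() means the two peers authenticate at the same levels; a non-empty result reproduces the mismatch cases the post walks through (one side interface plus area, the other area only, for instance).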

Posted 2020-2-27 20:20:14
Thanks to the OP for sharing.
Posted 2020-3-11 04:32:22
Thanks to the OP for sharing.
