Routing protocols are used to exchange reachability information between routers. Routing information learned from peers is used to determine the next hop towards the destination. To route traffic correctly, it is necessary to prevent malicious or incorrect routing information from getting introduced into the routing table. This can be done by authenticating the routing updates exchanged between routers. Open Shortest Path First (OSPF) supports plain text authentication and Message Digest 5 (MD5) authentications.
Only three key point need to be remember while configuring authentication in OSPF
A) Types of Authentication:
There are three different types of authentication available for OSPF version 2: 1) Null authentication: Null authentication means that there is no authentication, which is the default on Cisco routers. 2) Clear text authentication: In this method of authentication, passwords are exchanged in clear text on the network 3) Cryptographic authentication: The cryptographic method uses the open standard MD5 (Message Digest type 5) encryption.
B) Enabling OSPF Authentication:
OSPF authentication can be enabling in two ways: 1) Per interface: Authentication is enabling per interface using the "ip ospf athentication" command. 2) Area authentication: Authentication for area can enable using "area authentication" command.
C) Configuring Authentication Key:
In either case password must be configure at interface using "ip ospf authentication-key" or "ip ospf message-digest-key" command
A)Area based authentication Example:
To enable OSPF MD5 authentication: Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)#interface fa0/0 Router(config-if)#ip ospf message-digest-key 1 md5 cisco@123 Router(config-if)#exit Router(config)#router ospf 100 Router(config-router)#area 2 authentication message-digest Router(config-router)#exit
To enable clear text authentication Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)#interface f0/0 Router(config-if)#ip ospf authentication-key cisco@123 Router(config-if)#exit Router(config)#router ospf 100 Router(config-router)#area 2 authentication Router(config-router)#exit
To enable clear text authentication Router(config)#int fa0/0 Router(config-if)#ip ospf authentication Router(config-if)#ip ospf authentication-key cisco Router(config-if)#exit Router(config)#
OSPF commands for each authentication types:
ip ospf authentication null
area number authentication
ip ospf authentication
ip ospf authentication-key Key-value
area number authentication message-digest
ip ospf authentication message-digest
ip ospf message-digest-key key-num md5 Key-value
OSPF virtual link authentication:
Virual link is a interface in area 0.This mean if you enable authentication on Area 0 it will automatically turn authentication on virtual link but as discussed above password(Key) must need to enable on interface.As we know Virtual link doesnt have any interface on which you can configure authentication,authentication on virtual link can be configure using"area virtual-link" command under OSPF process.
Authentication failures can occur for two reasons: 1) Authentication type mismatch between neighbors 2) Authentication Key mismatch between neighbors
The below “debug ip ospf adj" output indicate mismatch in authentication type. Router#debug ip ospf adj OSPF adjacency events debugging is on *Mar 1 00:02:30.279: OSPF: Rcv pkt from 10.1.1.2, FastEthernet0/0 : Mismatch Authentication type. Input packet specified type 2, we use type 0
*Mar 1 00:02:39.603: OSPF: Rcv pkt from 10.1.1.2, FastEthernet0/0 : Mismatch Authentication type. Input packet specified type 2, we use type 0
Router#sh ip ospf int fa0/0 FastEthernet0/0 is up, line protocol is up Internet Address 10.1.1.2/24, Area 0 Process ID 100, Router ID 10.1.1.2, Network Type BROADCAST, Cost: 10 Transmit Delay is 1 sec, State DR, Priority 1 Designated Router (ID) 10.1.1.2, Interface address 10.1.1.2 No backup designated router on this network Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 oob-resync timeout 40 Hello due in 00:00:06 Supports Link-local Signaling (LLS) Cisco NSF helper support enabled IETF NSF helper support enabled Index 1/1, flood queue length 0 Next 0x0(0)/0x0(0) Last flood scan length is 0, maximum is 0 Last flood scan time is 0 msec, maximum is 0 msec Neighbor Count is 0, Adjacent neighbor count is 0 Suppress hello for 0 neighbor(s) Message digest authentication enabled Youngest key id is 1
I'm trying to decide which option is better to capture all the traffic inside vmware (vswitch), so far the solution will include a virtual machine per host which then it will forward all the traffic to an IP (example 184.108.40.206) on an isolated VLAN. The...
Hi team,Just wondering if there is such documentation or reference or guide, if exist, and that's why I posted under this side of the forum, what I'm looking for if someone can tell me, some sort of order of shutdown the reason is that we will h...
Hi-I'm not sure what I'm missing here but I've successfully loaded a new IOS (c2960-lanlitek9-mz.152-4.E6.bin), changed the boot statement, confirmed the next boot and then reload the switch. After reload it still winds up loading the previous IOS (c2960-...
So the thing is am changing a router with 2 cat 9500 with virtual stackwise and im having some problems with a STATIC nat.
i have a server with the ip 172.31.6.2 and i need to natd to a 10.12.12.2 and leaving access only to some specific networks t...