Routing protocols are used to exchange reachability information between routers. Routing information learned from peers is used to determine the next hop towards the destination. To route traffic correctly, it is necessary to prevent malicious or incorrect routing information from getting introduced into the routing table. This can be done by authenticating the routing updates exchanged between routers. Open Shortest Path First (OSPF) supports plain text authentication and Message Digest 5 (MD5) authentications.
Only three key point need to be remember while configuring authentication in OSPF
A) Types of Authentication:
There are three different types of authentication available for OSPF version 2: 1) Null authentication: Null authentication means that there is no authentication, which is the default on Cisco routers. 2) Clear text authentication: In this method of authentication, passwords are exchanged in clear text on the network 3) Cryptographic authentication: The cryptographic method uses the open standard MD5 (Message Digest type 5) encryption.
B) Enabling OSPF Authentication:
OSPF authentication can be enabling in two ways: 1) Per interface: Authentication is enabling per interface using the "ip ospf athentication" command. 2) Area authentication: Authentication for area can enable using "area authentication" command.
C) Configuring Authentication Key:
In either case password must be configure at interface using "ip ospf authentication-key" or "ip ospf message-digest-key" command
A)Area based authentication Example:
To enable OSPF MD5 authentication: Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)#interface fa0/0 Router(config-if)#ip ospf message-digest-key 1 md5 cisco@123 Router(config-if)#exit Router(config)#router ospf 100 Router(config-router)#area 2 authentication message-digest Router(config-router)#exit
To enable clear text authentication Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)#interface f0/0 Router(config-if)#ip ospf authentication-key cisco@123 Router(config-if)#exit Router(config)#router ospf 100 Router(config-router)#area 2 authentication Router(config-router)#exit
To enable clear text authentication Router(config)#int fa0/0 Router(config-if)#ip ospf authentication Router(config-if)#ip ospf authentication-key cisco Router(config-if)#exit Router(config)#
OSPF commands for each authentication types:
ip ospf authentication null
area number authentication
ip ospf authentication
ip ospf authentication-key Key-value
area number authentication message-digest
ip ospf authentication message-digest
ip ospf message-digest-key key-num md5 Key-value
OSPF virtual link authentication:
Virual link is a interface in area 0.This mean if you enable authentication on Area 0 it will automatically turn authentication on virtual link but as discussed above password(Key) must need to enable on interface.As we know Virtual link doesnt have any interface on which you can configure authentication,authentication on virtual link can be configure using"area virtual-link" command under OSPF process.
Authentication failures can occur for two reasons: 1) Authentication type mismatch between neighbors 2) Authentication Key mismatch between neighbors
The below “debug ip ospf adj" output indicate mismatch in authentication type. Router#debug ip ospf adj OSPF adjacency events debugging is on *Mar 1 00:02:30.279: OSPF: Rcv pkt from 10.1.1.2, FastEthernet0/0 : Mismatch Authentication type. Input packet specified type 2, we use type 0
*Mar 1 00:02:39.603: OSPF: Rcv pkt from 10.1.1.2, FastEthernet0/0 : Mismatch Authentication type. Input packet specified type 2, we use type 0
Router#sh ip ospf int fa0/0 FastEthernet0/0 is up, line protocol is up Internet Address 10.1.1.2/24, Area 0 Process ID 100, Router ID 10.1.1.2, Network Type BROADCAST, Cost: 10 Transmit Delay is 1 sec, State DR, Priority 1 Designated Router (ID) 10.1.1.2, Interface address 10.1.1.2 No backup designated router on this network Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 oob-resync timeout 40 Hello due in 00:00:06 Supports Link-local Signaling (LLS) Cisco NSF helper support enabled IETF NSF helper support enabled Index 1/1, flood queue length 0 Next 0x0(0)/0x0(0) Last flood scan length is 0, maximum is 0 Last flood scan time is 0 msec, maximum is 0 msec Neighbor Count is 0, Adjacent neighbor count is 0 Suppress hello for 0 neighbor(s) Message digest authentication enabled Youngest key id is 1
Hi All,our backup server is connect with cisco 3750. that port is configued as Trunk VLAN100. for other sw to sw links we are using VLAN1 trunk. my question is trunk allows all vlan traffic to pass then why they have put vlan100 instead of vlan1 ...
We have a Shoretel VOIP system and I want to ensure I have QOS properly in place on my 3850 and 2960 stacks. We want dscp 46 to have higher priority from what I understand. We basically did "auto qos voip trust" on all user ports, and "au...
Hello,I wanted to measure the time that the connectivity is lost when a link is broken (in millisecond) before RSTP recover the connectivity can sameone tel me how to do that , i tried ping but it's not accurate ? Thanks.