
OSPF – Implement and troubleshoot authentication – MD5 authentication

Let’s continue our CCIE R&Sv5 study with more OSPF authentication.

Requirements:

Configure OSPF authentication in area 2 using MD5 and key CISCO.

Diagram:

Not-so-totally-stubby area

Configuration and verification:

Let’s start with R4. Because all of R4’s interfaces are in area 2, we will enable authentication for the area under the OSPF process. We still need to specify the key on each interface.

R4#sh ip ospf int brief
Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C
Lo0          10    2               4.4.4.4/32         1     LOOP  0/0
Et1/0        10    2               10.10.2.4/24       1000  DR    2/2
Et0/1        10    2               10.10.24.2/30      10    P2P   1/1
Et0/0        10    2               10.10.14.2/30      1     P2P   1/1

R4(config)#router ospf 10
R4(config-router)#area 2 authentication message-digest
R4(config-router)#int Et0/0
R4(config-if)# ip ospf message-digest-key 1 md5 CISCO
R4(config-if)#int Et0/1
R4(config-if)# ip ospf message-digest-key 1 md5 CISCO
R4(config-if)#int Et1/0
R4(config-if)# ip ospf message-digest-key 1 md5 CISCO

Currently authentication is only enabled on R4, so we lost the adjacencies with our neighbors.

Let’s check whether we can see it in the debug output.

R4#sh ip ospf neigh
R4#sh ip ospf
 Routing Process "ospf 10" with ID 44.44.44.44
 Start time: 00:00:30.264, Time elapsed: 00:19:41.680
SNIP
    Area 2
        Number of interfaces in this area is 4 (1 loopback)
        Area has message digest authentication

R4#debug ip ospf 10 adj
OSPF adjacency debugging is on for process 10
*Feb 10 13:40:05.652: OSPF-10 ADJ   Et1/0: Rcv pkt from 10.10.2.6 : Mismatched Authentication type. Input packet specified type 0, we use type 2
*Feb 10 13:40:06.980: OSPF-10 ADJ   Et0/1: Rcv pkt from 10.10.24.1 : Mismatched Authentication type. Input packet specified type 0, we use type 2
*Feb 10 13:40:09.028: OSPF-10 ADJ   Et0/0: Rcv pkt from 10.10.14.1 : Mismatched Authentication type. Input packet specified type 0, we use type 2

As soon as we turned on OSPF adjacency debugging, we see the message reporting an authentication type mismatch: the incoming packets carry type 0 (null authentication) while R4 now expects type 2 (MD5), so they are dropped before any adjacency can form.
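To make the “type 2” in that debug line concrete, here is an added Python model of RFC 2328 cryptographic authentication (example code, not from the original post or from IOS): it builds a Hello with AuType 2 carrying key id 1 and the key CISCO, and the receiver-side check reproduces the failure modes a neighbor can hit, a type-0 packet from a router that has not been configured yet, a wrong key, an unknown key id and a replayed sequence number. The router ID, the Hello body and the reason strings other than the mismatch message are constructed for the example.

```python
import hashlib
import hmac
import socket
import struct

# OSPFv2 header (RFC 2328 A.3.1): version, type, length, router id, area id,
# checksum, AuType, then 8 bytes of authentication data.
HDR = "!BBH4s4sHH8s"
AUTH_NULL, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2

def build_hello(router_id, area_id, body, autype=AUTH_MD5, key_id=1, key=b"", seq=1):
    """Build an OSPF Hello (type 1). With AuType 2 the auth field carries the key id,
    the auth data length (16) and a cryptographic sequence number; the checksum is 0
    and MD5(packet || key zero-padded to 16 bytes) is appended after the packet,
    not counted in the length field (RFC 2328 D.4.3). A type-0 packet has no digest
    (its regular OSPF checksum is left at 0 here, since the auth-type check comes first)."""
    length = 24 + len(body)
    auth = struct.pack("!HBBI", 0, key_id, 16, seq) if autype == AUTH_MD5 else bytes(8)
    pkt = struct.pack(HDR, 2, 1, length, socket.inet_aton(router_id),
                      struct.pack("!I", area_id), 0, autype, auth) + body
    if autype == AUTH_MD5:
        pkt += hashlib.md5(pkt + key.ljust(16, b"\x00")).digest()
    return pkt

def verify(pkt, keys, expected=AUTH_MD5, last_seq=-1):
    """Receiver-side check: auth type first (the mismatch R4 logged), then key id,
    digest and the anti-replay sequence number. keys maps key id -> secret.
    Returns (accepted, reason, newest_seq)."""
    _, _, length, _, _, _, autype, auth = struct.unpack(HDR, pkt[:24])
    if autype != expected:
        return False, ("Mismatched Authentication type. Input packet specified "
                       f"type {autype}, we use type {expected}"), last_seq
    _, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
    if key_id not in keys:
        return False, f"no message-digest-key {key_id} configured", last_seq
    calc = hashlib.md5(pkt[:length] + keys[key_id].ljust(16, b"\x00")).digest()
    if not hmac.compare_digest(calc, pkt[length:length + auth_len]):
        return False, "digest mismatch (wrong key)", last_seq
    if seq < last_seq:  # a valid digest over an older sequence number is a replay
        return False, f"sequence {seq} older than last seen {last_seq}", last_seq
    return True, f"ok, key id {key_id}", seq

# Constructed Hello body for the 10.10.14.0/30 point-to-point link in the lab:
# mask, hello 10 s, options, priority 0, dead 40 s, no DR/BDR.
HELLO_BODY = struct.pack("!4sHBBI4s4s", socket.inet_aton("255.255.255.252"),
                         10, 0x12, 0, 40, bytes(4), bytes(4))
```

Note that the digest is a plain MD5 over packet plus key, not an HMAC, which is one reason the SHA-based method in the next post exists.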

Let’s enable authentication on R1, this time at the interface level.

R1(config)#int Et1/0
R1(config-if)#ip ospf authentication message-digest
R1(config-if)#ip ospf message-digest-key 1 md5 CISCO

Because it is not turned on at the process level, we don’t see it in the output of “sh ip ospf proc”. However, we can see it at the interface level.

R1#sh ip ospf
SNIP
    Area 2
        Number of interfaces in this area is 1
        Area has no authentication

R1#sh ip ospf int Et1/0
Ethernet1/0 is up, line protocol is up
  Internet Address 10.10.14.1/30, Area 2, Attached via Interface Enable
SNIP
  Message digest authentication enabled
    Youngest key id is 1

Let’s finish by enabling it on the other routers.

R4 now sees all the connected routers as neighbors.

R4#sh ip ospf neigh
Neighbor ID     Pri   State           Dead Time   Address         Interface
55.55.55.55       0   FULL/DROTHER    00:00:36    10.10.2.5       Ethernet1/0
66.66.66.66     254   FULL/BDR        00:00:39    10.10.2.6       Ethernet1/0
22.22.22.22       0   FULL/  -        00:00:37    10.10.24.1      Ethernet0/1
11.11.11.11       0   FULL/  -        00:00:36    10.10.14.1      Ethernet0/0

I have one concern about the loopback interface: it’s in area 2 and I haven’t configured any authentication on it, but it has no neighbor connected to it.

R4#sh ip ospf int brie
Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C
Lo0          10    2               4.4.4.4/32         1     LOOP  0/0

R4#sh ip ospf int Lo0
Loopback0 is up, line protocol is up
  Internet Address 4.4.4.4/32, Area 2, Attached via Interface Enable
  Process ID 10, Router ID 44.44.44.44, Network Type LOOPBACK, Cost: 1
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           1         no          no            Base
  Enabled by interface config, including secondary ip addresses
  Loopback interface is treated as a stub Host

Let’s have a look at this: do we need to enable authentication on it?

No, because the loopback doesn’t have a peer connected to it. Authentication takes place while forming adjacencies with neighbors, so it makes no sense to enable OSPF authentication on a loopback.

In the next blog post, we will look at the last authentication method, SHA authentication.

Thank you for reading.
