Let’s continue our CCIE R&Sv5 study with more OSPF authentication.
Configure OSPF authentication in area 2 using MD5 and key CISCO.
Configuration and verification:
Let’s start with R4. Because all of R4’s interfaces are in area 2, we will enable authentication at the OSPF process level. We still need to specify the key at the interface level.
R4#sh ip ospf int brief
Interface    PID   Area   IP Address/Mask      Cost  State  Nbrs F/C
Lo0          10    2      22.214.171.124/32    1     LOOP   0/0
Et1/0        10    2      10.10.2.4/24         1000  DR     2/2
Et0/1        10    2      10.10.24.2/30        10    P2P    1/1
Et0/0        10    2      10.10.14.2/30        1     P2P    1/1
R4(config)#router ospf 10
R4(config-router)#area 2 authentication message-digest
R4(config-router)#int Et0/0
R4(config-if)# ip ospf message-digest-key 1 md5 CISCO
R4(config-if)#int Et0/1
R4(config-if)# ip ospf message-digest-key 1 md5 CISCO
R4(config-if)#int Et1/0
R4(config-if)# ip ospf message-digest-key 1 md5 CISCO
Currently authentication is only enabled on R4, so we have lost the adjacencies with our neighbors.
Let’s check in the debug output if we can see it.
R4#sh ip ospf neigh
R4#sh ip ospf
 Routing Process "ospf 10" with ID 126.96.36.199
 Start time: 00:00:30.264, Time elapsed: 00:19:41.680
 SNIP
    Area 2
        Number of interfaces in this area is 4 (1 loopback)
        Area has message digest authentication
R4#debug ip ospf 10 adj
OSPF adjacency debugging is on for process 10
*Feb 10 13:40:05.652: OSPF-10 ADJ Et1/0: Rcv pkt from 10.10.2.6 : Mismatched Authentication type. Input packet specified type 0, we use type 2
*Feb 10 13:40:06.980: OSPF-10 ADJ Et0/1: Rcv pkt from 10.10.24.1 : Mismatched Authentication type. Input packet specified type 0, we use type 2
*Feb 10 13:40:09.028: OSPF-10 ADJ Et0/0: Rcv pkt from 10.10.14.1 : Mismatched Authentication type. Input packet specified type 0, we use type 2
As soon as we turn on OSPF adjacency debugging, we see the messages saying there is an authentication type mismatch: the incoming packets carry type 0 (null authentication) while R4 now expects type 2 (MD5).
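As an added example (not part of the original post), here is a small Python parser that runs over the "Mismatched Authentication type" debug lines quoted above, maps the OSPF AuType numbers (0, 1, 2) to their names, and summarizes per interface which neighbors are still sending unauthenticated packets. The sample debug lines are constructed from the output above; the final non-matching line is a constructed filler to show that unrelated lines are ignored.

```python
import re
from collections import defaultdict

# OSPF AuType values carried in the OSPF packet header (RFC 2328).
AUTH_TYPES = {0: "Null", 1: "Simple password", 2: "Cryptographic (MD5)"}

# Matches the IOS "debug ip ospf adj" mismatch line shown in the post.
MISMATCH_RE = re.compile(
    r"OSPF-(?P<pid>\d+) ADJ (?P<intf>\S+): Rcv pkt from (?P<src>[\d.]+) : "
    r"Mismatched Authentication type\. Input packet specified type (?P<got>\d+), "
    r"we use type (?P<want>\d+)"
)

def parse_mismatch(line):
    """Return a dict describing one auth-type mismatch, or None if the line is not one."""
    m = MISMATCH_RE.search(line)
    if not m:
        return None
    got, want = int(m.group("got")), int(m.group("want"))
    return {
        "process": int(m.group("pid")),
        "interface": m.group("intf"),
        "neighbor": m.group("src"),
        "received": AUTH_TYPES.get(got, f"unknown ({got})"),
        "expected": AUTH_TYPES.get(want, f"unknown ({want})"),
    }

def summarize(lines):
    """Group mismatches by interface so each offending neighbor is listed once."""
    by_intf = defaultdict(set)
    for line in lines:
        rec = parse_mismatch(line)
        if rec:
            by_intf[rec["interface"]].add((rec["neighbor"], rec["received"], rec["expected"]))
    return {intf: sorted(peers) for intf, peers in by_intf.items()}

# Constructed sample: the three mismatch lines from the post, one repeat, and one filler line.
SAMPLE_DEBUG = """\
*Feb 10 13:40:05.652: OSPF-10 ADJ Et1/0: Rcv pkt from 10.10.2.6 : Mismatched Authentication type. Input packet specified type 0, we use type 2
*Feb 10 13:40:06.980: OSPF-10 ADJ Et0/1: Rcv pkt from 10.10.24.1 : Mismatched Authentication type. Input packet specified type 0, we use type 2
*Feb 10 13:40:09.028: OSPF-10 ADJ Et0/0: Rcv pkt from 10.10.14.1 : Mismatched Authentication type. Input packet specified type 0, we use type 2
*Feb 10 13:40:15.652: OSPF-10 ADJ Et1/0: Rcv pkt from 10.10.2.6 : Mismatched Authentication type. Input packet specified type 0, we use type 2
*Feb 10 13:41:00.000: OSPF-10 ADJ Et1/0: (constructed unrelated debug line)
""".splitlines()

if __name__ == "__main__":
    for intf, peers in sorted(summarize(SAMPLE_DEBUG).items()):
        for nbr, got, want in peers:
            print(f"{intf}: neighbor {nbr} sends {got}, we expect {want}")
```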
Let’s enable authentication on R1, this time at the interface level.
R1(config)#int Et1/0
R1(config-if)#ip ospf authentication message-digest
R1(config-if)#ip ospf message-digest-key 1 md5 CISCO
Because it is not turned on at the process level, we don’t see it in the output of “sh ip ospf”.
However, we can see it at the interface level.
R1#sh ip ospf
SNIP
    Area 2
        Number of interfaces in this area is 1
        Area has no authentication
R1#sh ip ospf int Et1/0
Ethernet1/0 is up, line protocol is up
  Internet Address 10.10.14.1/30, Area 2, Attached via Interface Enable
SNIP
  Message digest authentication enabled
    Youngest key id is 1
Let’s finish enabling it on the other routers.
R4 now sees all the connected routers as neighbors.
R4#sh ip ospf neigh
Neighbor ID      Pri   State           Dead Time   Address      Interface
188.8.131.52       0   FULL/DROTHER    00:00:36    10.10.2.5    Ethernet1/0
184.108.40.206   254   FULL/BDR        00:00:39    10.10.2.6    Ethernet1/0
220.127.116.11     0   FULL/  -        00:00:37    10.10.24.1   Ethernet0/1
18.104.22.168      0   FULL/  -        00:00:36    10.10.14.1   Ethernet0/0
I have one concern about the loopback interface: it’s in area 2 and I haven’t configured any authentication on it, but it doesn’t have any neighbor connected to it.
R4#sh ip ospf int brie
Interface    PID   Area   IP Address/Mask      Cost  State  Nbrs F/C
Lo0          10    2      22.214.171.124/32    1     LOOP   0/0
R4#sh ip ospf int Lo0
Loopback0 is up, line protocol is up
  Internet Address 126.96.36.199/32, Area 2, Attached via Interface Enable
  Process ID 10, Router ID 188.8.131.52, Network Type LOOPBACK, Cost: 1
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           1         no          no            Base
  Enabled by interface config, including secondary ip addresses
  Loopback interface is treated as a stub Host
Let’s have a look at this: do we need to enable authentication on it?
No, because a loopback doesn’t have a peer connected to it. Authentication takes place during adjacency establishment, so it makes no sense to enable OSPF authentication on a loopback.
In the next blog post, we will look at the last authentication, SHA authentication.
Thank you for reading.
OSPF – Implement and troubleshoot authentication – MD5 authentication