Wednesday, March 21, 2012

OSPF Authentication - IPV4

In OSPF you have three different authentication types and two different ways to configure them. The three types are listed in Table 1 with a very brief description of each.

Table 1

Type      Description
Type 0    No authentication (default)
Type 1    Clear text
Type 2    MD5


We are going to use Diagram 1 for this write up.

Diagram 1
Configuring Authentication:
You can enable MD5 authentication globally for the entire area under router configuration mode, or you can enable it per interface; the per-interface setting overrides the area-wide one. Either way you still need to define the key under the interface, so I think it's easier and more explicit to configure authentication under the interface rather than globally.

Enable MD5 authentication on all interfaces in Area 0

R1(config)#router ospf 1
R1(config-router)#area 0 authentication message-digest

Clear Text - Type 1

R1(config-if)#ip ospf authentication
R1(config-if)#ip ospf authentication-key joel

MD5 - Type 2

R1(config-if)#ip ospf authentication message-digest
R1(config-if)#ip ospf message-digest-key 1 md5 joel

You can also configure more than one key, but note that you will then send duplicate hellos out, one for each key. In EIGRP you have the luxury of a key-chain setup that lets you configure expiration dates on keys. When you configure expiration dates, make sure your devices are time-synchronized with NTP or PTP (IEEE 1588).
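The Type 2 (MD5) mechanism described above, as an added example that is not part of this write-up or of any Cisco code: it builds an OSPF Hello for the interface shown here, appends the RFC 2328 Appendix D message digest for key id 1 with key "joel", and then checks received packets against an interface key table the way a receiving router would. The Hello body values and the cryptographic sequence number are constructed for the example.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address as A

# OSPF common header: version, type, length, router id, area id, checksum, autype (16 bytes),
# followed by the 8-byte authentication field (RFC 2328, Appendix A.3.1 and Appendix D).
OSPF_HDR = struct.Struct("!BBHIIHH")
AUTH_FIELD = struct.Struct("!HBBI")      # reserved, key id, auth data length, crypto sequence
AUTH_MD5, MD5_LEN = 2, 16

def md5_trailer(packet: bytes, key: str) -> bytes:
    # RFC 2328 D.4.3: MD5 over the packet followed by the key zero-padded to 16 bytes
    return hashlib.md5(packet + key.encode().ljust(MD5_LEN, b"\x00")).digest()

def build_hello_md5(router_id: str, area_id: int, body: bytes, key_id: int, key: str, seq: int) -> bytes:
    """Type 2 packet: checksum stays zero, the auth field carries key id + digest length + sequence,
    and the 16-byte digest trails the packet without being counted in the length field."""
    length = OSPF_HDR.size + AUTH_FIELD.size + len(body)
    header = OSPF_HDR.pack(2, 1, length, int(A(router_id)), area_id, 0, AUTH_MD5)
    packet = header + AUTH_FIELD.pack(0, key_id, MD5_LEN, seq) + body
    return packet + md5_trailer(packet, key)

def verify_md5(frame: bytes, keys: dict) -> tuple:
    """Check a received packet against the interface key table {key id: key}; returns (ok, reason)."""
    _, _, length, _, _, _, autype = OSPF_HDR.unpack_from(frame)
    if autype != AUTH_MD5:
        return False, "autype %d is not message-digest" % autype
    _, key_id, digest_len, seq = AUTH_FIELD.unpack_from(frame, OSPF_HDR.size)
    if digest_len != MD5_LEN or len(frame) != length + MD5_LEN:
        return False, "bad digest length"
    if key_id not in keys:                      # key id must exist on this interface
        return False, "unknown key id %d" % key_id
    if not hmac.compare_digest(md5_trailer(frame[:length], keys[key_id]), frame[length:]):
        return False, "digest mismatch for key id %d" % key_id
    return True, "ok: key id %d, sequence %d" % (key_id, seq)

# Constructed Hello body matching the interface in the write-up: /24 mask, hello 10, options E-bit,
# priority 10, dead 40, DR 192.168.10.1, BDR 192.168.10.2, one neighbor 2.2.2.2 (no LLS block).
HELLO_BODY = struct.pack("!IHBBIIII", int(A("255.255.255.0")), 10, 0x02, 10, 40,
                         int(A("192.168.10.1")), int(A("192.168.10.2")), int(A("2.2.2.2")))
HELLO = build_hello_md5("1.1.1.1", 0, HELLO_BODY, key_id=1, key="joel", seq=1)

if __name__ == "__main__":
    print(verify_md5(HELLO, {1: "joel"}))                              # matching key id and key
    print(verify_md5(HELLO, {1: "wrong"}))                             # same key id, different secret
    print(verify_md5(HELLO, {2: "joel"}))                              # key id not configured here
    print(verify_md5(HELLO[:30] + b"\xff" + HELLO[31:], {1: "joel"}))  # tampered options byte
```

The last three checks are the failure modes behind a stuck neighborship: mismatched secret, mismatched key id, or a packet altered in transit all fail the digest and the adjacency never forms.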

Verifying Authentication Settings:

You can see at the very bottom of this output that MD5 (message digest) authentication is enabled. The only way to truly confirm that your configuration is correct on both sides is to verify that the neighborship has been established.

R1#show ip ospf int f0/0
FastEthernet0/0 is up, line protocol is up
  Internet Address 192.168.10.1/24, Area 0
  Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 1
  Enabled by interface config, including secondary ip addresses
  Transmit Delay is 1 sec, State DR, Priority 10
  Designated Router (ID) 1.1.1.1, Interface address 192.168.10.1
  Backup Designated router (ID) 2.2.2.2, Interface address 192.168.10.2
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:01
  Supports Link-local Signaling (LLS)
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 3
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 2.2.2.2  (Backup Designated Router)
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 1


R1#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/BDR        00:00:39    192.168.10.2    FastEthernet0/0
R1#
