- The passwords do not have to be the same throughout the area, but must be the same between neighbors.
- By default OSPF uses NULL authentication.
- OSPF supports the following authentication types:
1. (type 0) Null authentication
2. (type 1) Clear-text passwords
3. (type 2) MD5 cryptographic checksums
- Authentication keys are locally significant to an interface, and therefore may differ on a per interface basis.
- When changing the key chain, first remove the authentication configuration from the interface.
- An interface-level command overrides the OSPF process-level command.
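As an added illustration that is not part of the original notes, the following Python script shows what type 2 (MD5) authentication actually puts on the wire and why the key only has to match between neighbors: it builds an OSPFv2 Hello header with AuType 2, computes the RFC 2328 Appendix D digest (MD5 over the packet followed by the 16-byte zero-padded key, which is how the `ip ospf message-digest-key` keys are used), and then verifies the packet against a per-interface key table. The router IDs, area, key IDs and keys (`cisco0`, `cisco2`) are the ones used in the configurations further down; the packet itself is constructed here, and the Hello body values (mask, timers, no DR/BDR) are assumptions.

```python
import hashlib
import hmac
import ipaddress
import struct

# OSPFv2 packet header (RFC 2328 A.3.1): version, type, packet length,
# router ID, area ID, checksum, AuType and the 8-byte authentication field.
OSPF_HDR = struct.Struct("!BBHIIHH8s")
# Layout of the authentication field when AuType is 2 (cryptographic):
# 2 reserved bytes, key ID, auth data length (16), cryptographic sequence number.
CRYPTO_AUTH = struct.Struct("!HBBI")
AUTYPE_NULL, AUTYPE_SIMPLE, AUTYPE_CRYPTO = 0, 1, 2   # the three types listed above
DIGEST_LEN = 16
OSPF_HELLO = 1


def pad_key(key: bytes) -> bytes:
    """The MD5 key is used as a 16-byte value; shorter keys such as 'cisco0'
    are zero-padded, which is how IOS treats `ip ospf message-digest-key`."""
    if len(key) > DIGEST_LEN:
        raise ValueError("OSPF MD5 keys are at most 16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")


def ospf_md5_digest(packet: bytes, key: bytes) -> bytes:
    """RFC 2328 D.4.3: MD5 over the OSPF packet (checksum field zero, length
    field excluding the digest) followed by the 16-byte key."""
    return hashlib.md5(packet + pad_key(key)).digest()


def build_hello(router_id: str, area_id: str, key_id: int, seq: int, key: bytes) -> bytes:
    """Constructed Hello packet with type 2 authentication. Body values
    (mask /24, hello 10, dead 40, priority 1, no DR/BDR, no neighbors) are assumptions."""
    body = struct.pack("!IHBBIII",
                       int(ipaddress.IPv4Address("255.255.255.0")),  # network mask
                       10, 0x02, 1, 40,            # hello interval, options (E), priority, dead interval
                       0, 0)                       # DR, BDR
    length = OSPF_HDR.size + len(body)             # the trailing digest is NOT counted here
    auth = CRYPTO_AUTH.pack(0, key_id, DIGEST_LEN, seq)
    header = OSPF_HDR.pack(2, OSPF_HELLO, length,
                           int(ipaddress.IPv4Address(router_id)),
                           int(ipaddress.IPv4Address(area_id)),
                           0,                      # checksum is not used with AuType 2
                           AUTYPE_CRYPTO, auth)
    packet = header + body
    return packet + ospf_md5_digest(packet, key)


def verify_ospf_md5(wire: bytes, keys: dict) -> tuple:
    """Receiver-side check. `keys` models the interface's
    `ip ospf message-digest-key <id> md5 <key>` lines as key ID -> key bytes.
    Returns (accepted, reason)."""
    if len(wire) < OSPF_HDR.size:
        return False, "packet shorter than the OSPF header"
    ver, ptype, length, rid, aid, csum, autype, auth = OSPF_HDR.unpack_from(wire)
    if autype != AUTYPE_CRYPTO:
        return False, f"AuType {autype} does not match the interface (type 2 expected)"
    if len(wire) != length + DIGEST_LEN:
        return False, "packet length does not leave exactly 16 bytes for the digest"
    _, key_id, auth_len, seq = CRYPTO_AUTH.unpack(auth)
    if auth_len != DIGEST_LEN:
        return False, f"unexpected auth data length {auth_len}"
    key = keys.get(key_id)
    if key is None:
        # The 'keys must match between neighbors' case: the sender used a key ID
        # this interface does not have, so the packet is dropped and no adjacency forms.
        return False, f"no message-digest-key with id {key_id} on this interface"
    expected = ospf_md5_digest(wire[:length], key)
    if not hmac.compare_digest(expected, wire[length:]):
        return False, f"digest mismatch for key id {key_id}"
    return True, f"accepted with key id {key_id}, crypto sequence {seq}"


if __name__ == "__main__":
    r3_keys = {1: b"cisco0", 2: b"cisco2"}          # R3's f1/0 key list from the config below
    hello = build_hello("2.2.2.2", "0.0.0.1", 2, 100, b"cisco2")   # R2 sends with key id 2
    print(verify_ospf_md5(hello, r3_keys))          # accepted
    print(verify_ospf_md5(hello, {1: b"cisco0"}))   # rejected: key id 2 not configured here
```

The two rejection paths are the ones seen in practice: a key ID the receiving interface does not have, and a digest that does not match because the key text differs. Both look the same from the neighbor table (the adjacency never forms), which is why the notes insist the keys be identical on both ends of a link or virtual link.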
To configure type 0 null authentication
interface Serial1
ip ospf authentication null
2-stage process (type 1 clear-text authentication):
1. Under the interface (authentication keys are per interface):
ip ospf authentication-key
2. Under the OSPF process
area {id} authentication
command set:
int s0/0
ip ospf authentication
ip ospf authentication-key string
!
router ospf 1
area 0 authentication
For a virtual link:
area 30 virtual-link 1.1.1.1 authentication-key {key}
To configure type 2 authentication
- For the interface:
interface Serial2
ip ospf message-digest-key {key-id} md5 {key}
!
router ospf 1
area 20 authentication message-digest
- The virtual-link command overrides the OSPF process-level command.
- Virtual-link authentication can be enabled in the following 2 ways:
1. area {id} authentication [message-digest]
       area 0             area 1             area 2
----------R3-----------------R2---------------
          f1/0             f1/0
R3
interface FastEthernet1/0
ip address 131.1.23.3 255.255.255.0
ip ospf message-digest-key 1 md5 cisco0
ip ospf message-digest-key 2 md5 cisco2
!
router ospf 1
router-id 3.3.3.3
log-adjacency-changes
area 1 authentication message-digest
area 1 virtual-link 2.2.2.2
R2
interface FastEthernet1/0
ip address 131.1.23.2 255.255.255.0
ip ospf message-digest-key 1 md5 cisco0
ip ospf message-digest-key 2 md5 cisco2
!
router ospf 1
router-id 2.2.2.2
log-adjacency-changes
area 1 authentication message-digest
area 1 virtual-link 3.3.3.3
area 2 authentication message-digest
Note: in a hub-and-spoke setup the hub usually has a different key for each spoke.
Issue: after a reload the hub sends only the youngest (highest) key; after 10 minutes it sends all the keys on the list.
Solution: enter the keys manually.
2. area {id} virtual-link {router-id} authentication [message-digest | null]
Note: if authentication is enabled on area 0, be sure to also enable authentication on the remote VL router in area 0.
- Try not to override the area default with an interface-level command.
- For a virtual link, the virtual-link command is the interface-level command.
       area 0             area 1             area 2
----------R3-----------------R2---------------
 Se0/0.304 f1/0            f1/0
R3
interface Serial0/0.304 point-to-point
ip address 131.1.34.3 255.255.255.0
ip ospf message-digest-key 1 md5 cisco0
!
interface FastEthernet1/0
ip address 131.1.23.3 255.255.255.0
!
router ospf 1
router-id 3.3.3.3
log-adjacency-changes
area 0 authentication message-digest
area 1 virtual-link 2.2.2.2 message-digest-key 1 md5 cisco0
R2
interface FastEthernet1/0
ip address 131.1.23.2 255.255.255.0
!
router ospf 1
router-id 2.2.2.2
log-adjacency-changes
area 0 authentication message-digest
area 1 virtual-link 3.3.3.3 message-digest-key 1 md5 cisco0
area 2 authentication message-digest
Note: sometimes it is good to issue shut / no shut on the interface, or to reload the router, for the keys to take effect immediately.
Verification
R3#show ip ospf virtual-links
Virtual Link OSPF_VL1 to router 2.2.2.2 is up
Run as demand circuit
DoNotAge LSA allowed.
Transit area 1, via interface FastEthernet1/0, Cost of using 1
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:02
Adjacency State FULL (Hello suppressed)
Index 1/2, retransmission queue length 0, number of retransmission 0
First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
Last retransmission scan length is 0, maximum is 0
Last retransmission scan time is 0 msec, maximum is 0 msec
Message digest authentication enabled
Youngest key id is 1
R2#do sho ip ospf int f1/0
FastEthernet1/0 is up, line protocol is up
Internet Address 131.1.23.2/24, Area 1
Process ID 1, Router ID 2.2.2.2, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) R3, Interface address 131.1.23.3
Backup Designated router (ID) R2, Interface address 131.1.23.2
Flush timer for old DR LSA due in 00:02:16
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:05
Supports Link-local Signaling (LLS)
Index 2/5, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 3
Last flood scan time is 0 msec, maximum is 4 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor R3 (Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1
Note: the config must be on both ends of the VL.
area 1 virtual-link 3.3.3.3 authentication null