Wednesday, 28 December 2016

CCNP ROUTE OSPF AUTHENTICATION & VIRTUAL LINK

LAB ON YOUTUBE: https://www.youtube.com/watch?v=c4_jWiXfmMc


OSPF Authentication

This post is about the different OSPF authentication methods. It will be part of a series outlining OSPF commands/technologies. We can configure OSPF to use authentication for an entire area, or just for a single interface. Today we’ll go over both. Here’s the topology:


First we’ll set up authentication for all of area 0:

R1(config)#interface FastEthernet0/0
R1(config-if)#ip ospf message-digest-key 1 md5 cisco
R1(config-if)#ip ospf 100 area 0
R1(config-if)#router ospf 100
R1(config-router)#area 0 authentication message-digest

R2(config)#interface FastEthernet0/0
R2(config-if)#ip ospf message-digest-key 1 md5 cisco
R2(config-if)#ip ospf 100 area 0
R2(config-if)#router ospf 100
R2(config-router)#area 0 authentication message-digest

R3(config)#interface FastEthernet0/0
R3(config-if)#ip ospf message-digest-key 1 md5 cisco
R3(config-if)#ip ospf 100 area 0
R3(config-if)#router ospf 100
R3(config-router)#area 0 authentication message-digest
Nothing crazy here: we enable OSPF and configure an MD5 key under our area 0 interfaces, then we tell the OSPF process that all of area 0 should use MD5 (Type 2) authentication. Note that the commands differ slightly if we want to use clear-text (Type 1) authentication: the interface command becomes “ip ospf authentication-key [key]” and the process command becomes “area 0 authentication”. Clear-text authentication puts the password in every OSPF packet, so anyone who can capture traffic on the segment can read it; prefer message-digest. Also keep in mind that “area N authentication …” only sets the default for the interfaces in that area, and a per-interface “ip ospf authentication …” command overrides it.
Let’s verify:

R1#sh ip ospf neigh
Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/DR         00:00:32    10.1.123.2      FastEthernet0/0
3.3.3.3           1   FULL/DROTHER    00:00:35    10.1.123.3      FastEthernet0/0

R1#sh ip ospf int fa0/0
...
  Message digest authentication enabled
    Youngest key id is 1

Everything is working: our neighbors are up and we see that authentication is enabled with the key we specified. Note that if we remove the key, the neighbors will still form and MD5 will still be enabled, but the router will report key ID 0:

R1(config)#int fa0/0
R1(config-if)#no ip ospf message-digest-key 1 md5 cisco

R2(config)#int fa0/0
R2(config-if)#no ip ospf message-digest-key 1 md5 cisco

R2#sh ip ospf int fa0/0
...
  Message digest authentication enabled
    No key configured, using default key id 0

We see that no key is configured, but MD5 is still “working”. This is worth remembering when troubleshooting: both routers are computing the digest with the same default (empty) key, which any other device on the segment can do as well, so the adjacency looks authenticated in “show ip ospf interface” while offering no real protection. Check that “Youngest key id” shows the key you expect rather than “default key id 0”.
Next we’ll configure MD5 between routers R3 and R4:

R3(config)#interface Serial0/0
R3(config-if)#ip ospf authentication message-digest
R3(config-if)#ip ospf message-digest-key 2 md5 cisco
R3(config-if)#ip ospf 100 area 34

R4(config)#interface Serial0/0
R4(config-if)#ip ospf authentication message-digest
R4(config-if)#ip ospf message-digest-key 2 md5 cisco
R4(config-if)#ip ospf 100 area 34

Notice that here we have not made any changes under the OSPF process; this is all at the interface level. We use the “ip ospf authentication message-digest” command to run MD5 on this interface, then we specify a key the same way as earlier. The key ID and the key itself must match on both ends of the link; the ID does not have to be 1.
We’ll verify this config:

R3#sh ip ospf neigh
Neighbor ID     Pri   State           Dead Time   Address         Interface
4.4.4.4           0   FULL/  -        00:00:36    10.1.34.4       Serial0/0

R3#sh ip ospf int s0/0
...
  Message digest authentication enabled
    Youngest key id is 2

As expected, everything is working.
That’s OSPF authentication. Both ways could be asked on the CCIE Lab, so this is good stuff to know.
Taken from the blog:

OSPF: Authentication over a Virtual Link

In OSPF, an area that is not directly connected to the backbone area can be attached to it with the virtual link feature. If OSPF authentication is enabled in area 0, the routers connected through a virtual link must have authentication configured too. This is because the virtual link makes each endpoint behave as if it were directly connected to area 0, and since routers in area 0 authenticate their packets, a virtual-link endpoint without matching authentication would no longer be able to communicate with the routers in area 0.
The command to configure authentication on a virtual link is:
area NUMBER virtual-link A.B.C.D message-digest-key NUMBER2 md5 WORD

NUMBER: the transit area, i.e. the non-backbone area that both virtual-link endpoints belong to.
A.B.C.D: the router ID of the peer router.
NUMBER2: the ID of the message-digest key.
WORD: the authentication key.
So, let’s say that we have this topology
We have MD5 authentication configured in area 0 with the key “cisco”. To configure this authentication for area 0, go to every router in area 0, which in this case are R1 and R2, and enter the following commands (assuming you start from global configuration mode and the OSPF process ID is 1):
router ospf 1
area 0 authentication message-digest

interface fastethernet1/0

ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco
Now that authentication is in place for area 0, for area 2 to keep connectivity with the rest of the OSPF network the authentication must also be configured on the virtual-link routers, which in this case are R2 and R3. First, on R2, enter OSPF process 1 configuration mode and add:
area 1 virtual-link 3.3.3.3 message-digest-key 1 md5 cisco
Next, on R3, enter OSPF process 1 configuration mode and add:
area 1 virtual-link 2.2.2.2 message-digest-key 1 md5 cisco
area 0 authentication message-digest
We need to configure “area 0 authentication message-digest” on R3 to avoid an authentication type mismatch error (Type 0, null authentication, on R3 versus Type 2, message digest, on R2). This is because a virtual link is a tunnel that makes R3 behave as if it were directly connected to area 0, and since area 0 is configured with message-digest authentication, R3 must use message-digest authentication for area 0 too. On IOS the same result can be obtained per link with “area 1 virtual-link 2.2.2.2 authentication message-digest”, which is the virtual-link counterpart of the interface-level “ip ospf authentication message-digest” command used earlier.
Taken from the blog:

http://netnsoft.blogspot.in/2010/12/ospf-authentication-over-virtual-link.html
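To show what the IOS commands in both labs above actually change on the wire, here is an added Python example (it is not code from either blog, nor an IOS feature) that builds an OSPFv2 Hello with the Type 2 (MD5) authentication trailer described in RFC 2328 Appendix D, then runs the receiver-side checks that decide whether an adjacency can form. It reproduces the situations discussed on this page: a neighbor with a wrong key, a replayed packet, the “authentication type mismatch” that a virtual-link endpoint left on null authentication hits against an MD5 area 0, and the “No key configured, using default key id 0” case, which anyone can satisfy. The router IDs, the area numbers and the key “cisco” come from the labs; the Hello timers, the /24 mask and the sequence numbers are assumptions made for the demonstration.

```python
"""OSPFv2 cryptographic (AuType 2, MD5) authentication per RFC 2328 Appendix D.

Constructed example for this page, not code from the labs or from IOS.
"""
import hashlib
import hmac
import struct

AUTH_NULL, AUTH_SIMPLE, AUTH_CRYPTO = 0, 1, 2   # AuType values from RFC 2328
HDR_FMT, HDR_LEN = "!BBHIIHH", 24               # 16-byte fixed part + 8-byte auth field
MD5_LEN = 16


def _pad16(key: bytes) -> bytes:
    """RFC 2328 D.4.3: the MD5 key is 16 bytes; shorter keys are zero-padded."""
    return key.ljust(MD5_LEN, b"\x00")[:MD5_LEN]


def _inet_checksum(data: bytes) -> int:
    """Ones'-complement checksum (used only for AuType 0 and 1)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_hello(router_id: int, area_id: int, auth_type: int,
                key: bytes = b"", key_id: int = 0, seq: int = 0) -> bytes:
    """Hello for an assumed /24 segment: hello 10s, dead 40s, priority 1, no DR/BDR yet."""
    body = struct.pack("!4sHBBIII", b"\xff\xff\xff\x00", 10, 0x02, 1, 40, 0, 0)
    length = HDR_LEN + len(body)
    if auth_type == AUTH_CRYPTO:
        # auth field = 0, key id, auth data length (16), cryptographic sequence number;
        # the checksum stays 0 and the digest is appended *beyond* the OSPF length field
        auth = struct.pack("!HBBI", 0, key_id, MD5_LEN, seq)
        pkt = struct.pack(HDR_FMT, 2, 1, length, router_id, area_id, 0, auth_type) + auth + body
        return pkt + hashlib.md5(pkt + _pad16(key)).digest()   # key never leaves the router
    if auth_type == AUTH_SIMPLE:
        auth = key.ljust(8, b"\x00")[:8]    # AuType 1: the password itself goes on the wire
    else:
        auth = bytes(8)
    no_auth = struct.pack(HDR_FMT, 2, 1, length, router_id, area_id, 0, auth_type) + body
    csum = _inet_checksum(no_auth)          # the 8-byte auth field is excluded from the checksum
    return struct.pack(HDR_FMT, 2, 1, length, router_id, area_id, csum, auth_type) + auth + body


def verify(pkt: bytes, expected_type: int, keys: dict, last_seq: int = 0):
    """Receiver-side checks for one interface or virtual link.

    expected_type: the AuType configured on this interface.
    keys: key id -> key, i.e. the interface's message-digest-key list; {0: b""} models
          IOS's "No key configured, using default key id 0".
    last_seq: highest cryptographic sequence number already accepted from this neighbor.
    Returns (accepted, reason).
    """
    if len(pkt) < HDR_LEN:
        return False, "runt packet"
    _ver, _ptype, length, _rid, _aid, _csum, autype = struct.unpack(HDR_FMT, pkt[:16])
    if autype != expected_type:
        # the "authentication type mismatch" seen when one end of a virtual link still
        # runs null authentication while area 0 runs message-digest
        return False, f"auth type mismatch: received {autype}, configured {expected_type}"
    auth = pkt[16:24]
    if autype == AUTH_CRYPTO:
        _zero, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
        if auth_len != MD5_LEN or len(pkt) < length + MD5_LEN:
            return False, "bad auth data length"
        if key_id not in keys:
            return False, f"no key with id {key_id}"
        if seq < last_seq:                  # RFC 2328: sequence number must not go backwards
            return False, f"replay: seq {seq} < last accepted {last_seq}"
        calc = hashlib.md5(pkt[:length] + _pad16(keys[key_id])).digest()
        if not hmac.compare_digest(calc, pkt[length:length + MD5_LEN]):
            return False, "digest mismatch (wrong key or modified packet)"
        return True, f"ok: key id {key_id}, seq {seq}"
    if autype == AUTH_SIMPLE and auth != keys.get(0, b"").ljust(8, b"\x00")[:8]:
        return False, "password mismatch"
    if _inet_checksum(pkt[:16] + pkt[24:length]) != 0:
        return False, "checksum error"
    return True, "ok"


def demo() -> dict:
    """Replays the situations from the two labs; router IDs 1.1.1.1/2.2.2.2/3.3.3.3."""
    r1, r3, rogue = 0x01010101, 0x03030303, 0x0A0A0A0A
    area0 = 0
    chain = {1: b"cisco"}                   # ip ospf message-digest-key 1 md5 cisco
    hello = build_hello(r1, area0, AUTH_CRYPTO, b"cisco", key_id=1, seq=100)
    out = {
        "good": verify(hello, AUTH_CRYPTO, chain, last_seq=99),
        "wrong_key": verify(hello, AUTH_CRYPTO, {1: b"cisc0"}),
        "replay": verify(hello, AUTH_CRYPTO, chain, last_seq=101),
        "tampered": verify(hello[:40] + b"\x05" + hello[41:], AUTH_CRYPTO, chain),
        # R3 sends null-auth packets over the virtual link into an MD5 area 0
        "vlink_mismatch": verify(build_hello(r3, area0, AUTH_NULL), AUTH_CRYPTO, chain),
        # "No key configured, using default key id 0": a rogue router passes too
        "key0": verify(build_hello(rogue, area0, AUTH_CRYPTO, b"", key_id=0, seq=1),
                       AUTH_CRYPTO, {0: b""}),
        "null_ok": verify(build_hello(r1, area0, AUTH_NULL), AUTH_NULL, {}),
        "simple_ok": verify(build_hello(r1, area0, AUTH_SIMPLE, b"cisco"), AUTH_SIMPLE, {0: b"cisco"}),
        "simple_authfield": build_hello(r1, area0, AUTH_SIMPLE, b"cisco")[16:24],
        "md5_authfield": hello[16:24],
    }
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result}")
```

The two auth fields printed last make the security point of the first lab concrete: with Type 1 the eight bytes carry the password “cisco” in clear, while with Type 2 they carry only the key ID, the digest length and the sequence number, and the key stays on the routers. The `key0` case is why “Youngest key id” should be checked after configuring authentication: a digest over an empty key is accepted, but any device that also uses an empty key can produce it.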
