Configuring OSPF Authentication

For simple password authentication, a password must be specified which is to be used by the neighboring routers using the OSPF simple password authentication.

1. Execute the following commands in ISS2 and ISS4.

   Type the following:

   Configuration in ISS2

   • Enter the Global Configuration Mode in ISS2.

   iS5comm# configure terminal

   • Enable OSPF globally in the switch ISS2.

   iS5comm(config)# router ospf

   • Enable OSPF over the VLAN interface and associate the interface with an OSPF area. VLAN interfaces VLAN1 and VLAN10 are created as a part of the prerequisite configuration.

   iS5comm(config-router)# network 10.4.0.1 area 0.0.0.0

   Note:

   When OSPF routing is enabled using the “network” command, the established session is properly mapped with the interface only if the interface administrative status is up. This is because to enable OSPF in an interface, both IP address and interface index are used.

   • Exit from the Router Configuration Mode.

   iS5comm(config-router)# exit

   • Enter the Interface Configuration mode.

   iS5comm(config)# interface vlan 1

   • Configure the authentication key for simple password authentication.

   iS5comm(config-if)# ip ospf authentication-key 1234

   • Enable simple password authentication.

   iS5comm(config-if)# ip ospf authentication

   • Exit from the Interface Configuration mode.

   iS5comm(config-if)# end

   Configuration in ISS4

   • Enter the Global Configuration Mode in ISS4.

   iS5comm# configure terminal

   • Enable OSPF globally in the switch ISS4.

   iS5comm(config)# router ospf

   • Enable OSPF over the VLAN interface and associate the interface with an OSPF area. VLAN interfaces VLAN1 and VLAN10 are created as a part of the prerequisite configuration.

   iS5comm(config-router)# network 10.4.0.4 area 0.0.0.0

   Note:

   When OSPF routing is enabled using the “network” command, the established session is properly mapped with the interface only if the interface administrative status is up. This is because to enable OSPF in an interface, both IP address and interface index are used.

   • Exit from the Router Configuration Mode.

   iS5comm(config-router)# exit

   • Enter the Interface Configuration mode.

   iS5comm(config)# interface vlan 1

   • Configure the authentication key for simple password authentication.

   iS5comm(config-if)# ip ospf authentication-key 1234

   • Enable simple password authentication.

   iS5comm(config-if)# ip ospf authentication

   • Exit from the Interface Configuration mode.

   iS5comm(config-if)# end

2. View the configuration details by executing the following show command.

   Type the following:

   iS5comm# show ip ospf interface

   vlan1 is line protocol is up 

   Internet Address 10.4.0.1, Mask 255.255.0.0, Area 0.0.0.0

   AS 1, Router ID ID 10.4.0.2, Network Type BROADCAST, Cost 1

   Transmit Delay is 1 sec, State 5, Priority 1 

   Designated RouterId 10.4.0.4, Interface address 10.4.0.4

   Backup Designated RouterId 10.4.0.2, Interface address 10.4.0.2

   Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5

   Hello due in 0 sec

   Neighbor Count is 1, Adjacent neighbor count is 1 

   Adjacent with the neighbor 10.4.0.4

   Simple password authentication enabled

3. View the adjacency formed between the neighbors (ISS 2 and ISS 4) by executing the following command. BDR stands for Backup Designated Router.

   Type the following:

   iS5comm# show ip ospf neighbor detail

   Neighbor 10.4.0.4, interface address 10.4.0.4

   In the area 0.0.0.0 via interface vlan1

   Neighbor priority is 1,	State is FULL/BACKUP, 5 state changes

   DR is 10.4.0.4 BDR is 10.4.0.2

   Options is 0x2

4. Remove a previously assigned OSPF password by executing the following command.

   Type the following:

   iS5comm(config-if)# no ip ospf authentication-key

Message-Digest Authentication is a cryptographic authentication. A key (password) and key-id are configured on each router. The router uses an algorithm based on the OSPF packet, the key, and the key-id to generate a “message-digest” that appends to the packet.

1. Execute the following commands to configure the message-digest authentication.

   Type the following:

   Configuration in ISS2

   • Enter the Global Configuration Mode in ISS2.

   iS5comm# configure terminal

   • Enter the Interface Configuration Mode.

   iS5comm(config)# interface vlan 1

   • Delete the authentication key for simple password authentication.

   iS5comm(config-if)# no ip ospf authentication-key

   • Configure the authentication key for the message-digest authentication.

   iS5comm(config-if)# ip ospf message-digest-key 0 md5 asdf

   • Exit from the Interface Configuration Mode.

   iS5comm(config-if)# end

   Configuration in ISS4

   • Enter the Global Configuration Mode in ISS2.

   iS5comm# configure terminal

   • Enter the Interface Configuration Mode.

   iS5comm(config)# interface vlan 1

   • Delete the authentication key for simple password authentication.

   iS5comm(config-if)# no ip ospf authentication-key

   • Configure the authentication key for the message-digest authentication.

   iS5comm(config-if)# ip ospf message-digest-key 0 md5 asdf

   • Exit from the Interface Configuration Mode.

   iS5comm(config-if)# end

2. View the configuration details by executing the following show command.

   Type the following:

   iS5comm# show ip ospf interface

   vlan1 is line protocol is up 

   Internet Address 10.4.0.1, Mask 255.255.0.0, Area 0.0.0.0

   AS 1, Router ID ID 10.4.0.2, Network Type BROADCAST, Cost 1

   Transmit Delay is 1 sec, State 5, Priority 1 

   Designated RouterId 10.4.0.4, Interface address 10.4.0.4

   Backup Designated RouterId 10.4.0.2, Interface address 10.4.0.2

   Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5

   Hello due in 0 sec

   Neighbor Count is 1, Adjacent neighbor count is 1 

   Adjacent with the neighbor 10.4.0.4

   Message duest authentication enabled

3. View the adjacency formed between the neighbors (ISS2 and ISS4) by executing the following command. BDR stands for Backup Designated Router.

   Type the following:

   iS5comm# show ip ospf neighbor detail

   Neighbor 10.4.0.4, interface address 10.4.0.4

   In the area 0.0.0.0 via interface vlan1

   Neighbor priority is 1,	State is FULL/BACKUP, 5 state changes

   DR is 10.4.0.4 BDR is 10.4.0.2

   Options is 0x2

4. Remove a previously assigned OSPF password by executing the following command.

   Type the following:

   iS5comm(config-if)# no ip ospf authentication-key

1. Execute the following commands to configure the OSPF authentication type as Null Authentication.

   Type the following:

   Configuration in ISS2

   • Enter the Global Configuration Mode in ISS2.

   iS5comm# configure terminal

   • Enter the Interface Configuration mode.

   iS5comm(config)# interface vlan 1

   • Delete the authentication key for message-digest authentication.

   iS5comm(config-if)# no ip ospf message-digest-key 0

   • Enable null authentication.

   iS5comm(config-if)# ip ospf authentication null

   • Exit from the Interface Configuration mode.

   iS5comm(config-if)# end

   Configuration in ISS4

   • Enter the Global Configuration Mode in ISS4.

   iS5comm# configure terminal

   • Enter the Interface Configuration mode.

   iS5comm(config)# interface vlan 1

   • Delete the authentication key for message-digest authentication.

   iS5comm(config-if)# no ip ospf message-digest-key 0

   • Enable null authentication.

   iS5comm(config-if)# ip ospf authentication null

   • Exit from the Interface Configuration mode.

   iS5comm(config-if)# end

2. View the adjacency formed between the neighbors (ISS 2 and ISS 4) by executing the following command. BDR stands for Backup Designated Router.

   Type the following:

   iS5comm# show ip ospf neighbor detail

   Neighbor 10.4.0.4, interface address 10.4.0.4

   In the area 0.0.0.0 via interface vlan1

   Neighbor priority is 1,	State is FULL/BACKUP, 5 state changes

   DR is 10.4.0.4 BDR is 10.4.0.2

   Options is 0x2

SHA-1, a 160-bit message-digest algorithm, developed by the National Security Agency, is generally considered to provide stronger cryptographic security than MD5 (a 128-bit digest developed by RSA Data Security, Inc), because it uses a longer message digest and it is not vulnerable to some attacks that can be conducted against MD5.

1. Execute the following commands to configure the message-digest authentication.

   Type the following:

   Configuration in ISS2

   • Enter the Global Configuration Mode in ISS2.

   iS5comm# configure terminal

   • Enter the Interface Configuration mode.

   iS5comm(config)# interface vlan 1

   • Delete the authentication from null.

   iS5comm(config-if)# no ip ospf authentication

   • Configure the authentication key for the message-digest authentication. Here, same can be replaced by other “sha” algorithms like sha-224 / sha-256/ sha-384/ sha-512.

   iS5comm(config-if)# ip ospf message-digest-key 0 sha-1 abcd

   • Enable sha-1 authentication. Here, same can be replaced by other sha algorithms like (sha-224 / sha-256/ sha-384/ sha-512).

   iS5comm(config-if)# ip ospf authentication sha-1

   • Exit from the Interface Configuration mode.

   iS5comm(config-if)# end

   Configuration in ISS2

   • Enter the Global Configuration Mode in ISS4.

   iS5comm# configure terminal

   • Enter the Interface Configuration mode.

   iS5comm(config)# interface vlan 1

   • Delete the authentication from null.

   iS5comm(config-if)# no ip ospf authentication

   • Configure the authentication key for the message-digest authentication. Here, same can be replaced by other “sha” algorithms like sha-224 / sha-256/ sha-384/ sha-512.

   iS5comm(config-if)# ip ospf message-digest-key 0 sha-1 abcd

   • Enable sha-1 authentication. Here, same can be replaced by other sha algorithms like (sha-224 / sha-256/ sha-384/ sha-512)2.

   iS5comm(config-if)# ip ospf authentication sha-1

   • Exit from the Interface Configuration mode.

   iS5comm(config-if)# end

2. View the configuration details by executing the following show command.

   Type the following:

   iS5comm# show ip ospf interface

   vlan1 is line protocol is up 

   Internet Address 10.4.0.1, Mask 255.255.0.0, Area 0.0.0.0

   AS 1, Router ID ID 10.4.0.2, Network Type BROADCAST, Cost 1

   Transmit Delay is 1 sec, State 5, Priority 1 

   Designated RouterId 10.4.0.4, Interface address 10.4.0.4

   Backup Designated RouterId 10.4.0.2, Interface address 10.4.0.2

   Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5

   Hello due in 0 sec

   Neighbor Count is 1, Adjacent neighbor count is 1 

   Adjacent with the neighbor 10.4.0.4

   Youngest key id is 0

   vlan1 is line protocol is up

   Adjacent with the neighbor 

   10.4.0.4 Message digest 

   Internet Address 10.4.0.2, Mask 255.255.0.0, Area 0.0.0.0

   AS 1, Router ID 10.4.0.2, Network Type BROADCAST, Cost 1

   demand circuit is disabled

   Transmit Delay is 1 sec, State 5, Priority 1 Designated RouterId 10.4.0.4, Interface address 10.4.0.4

   Backup Designated RouterId 10.4.0.2, Interface address 10.4.0.2

   Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5

   Hello due in 0 sec

   Neighbor Count is 1, Adjacent neighbor count is 1sha-1 authentication key is configured 

   Youngest key id is 0 

   Key Start Accept Time	is 29-May-2013,17:01

   Key Start Generate Time	is 29-May-2013,17:01

   Key Stop Generate Time	is 06-Feb-2136,06:28

   Key Stop Accept Time	is 06-Feb-2136,06:28

   Simple Authentication	Key is not 

   Connected to VRF	default

3. View the adjacency formed between the neighbors (ISS 2 and ISS 4) by executing the following command. BDR stands for Backup Designated Router.

   Type the following:

   iS5comm# show ip ospf neighbor detail

   Neighbor 10.4.0.4, interface address 10.4.0.4

   In the area 0.0.0.0 via interface vlan1

   Neighbor priority is 1,	State is FULL/BACKUP, 5 state changes

   DR is 10.4.0.4 BDR is 10.4.0.2

   Options is 0x2