OSPF Authentication
OSPF supports two types of Authentication:
1. Plain Text (64-bit Password)
(config-if)#ip ospf authentication-key ^&*(^*&&%
2. MD5 (ID + 128-bit Password):
(config-if)#ip ospf message-digest-key 1 MD5 ^&*^&^*
You can enable the OSPF Authentication:
1. Globally on the Router, in the "router ospf" configuration, so it's enabled on all the Interfaces
(config-router)#area 0 authentication [message-digest]
*If you enable the Authentication globally on the routing process configuration, keep in mind that you MUST configure the Authentication Key on ALL the OSPF Interfaces. If you need to DISABLE the authentication on some of the interfaces, use the following Interface command:
(config-if)#ip ospf authentication null
**When you've got the Authentication enabled for only one of the Areas within the OSPF process, it will BREAK all the Virtual Links between that Area and the Areas without authentication, and you will get the following message:
*May 1 14:58:46.971: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on OSPF_VL1 from FULL to DOWN, Neighbor Down: Interface down or detached
The router will also stop receiving inter-area routes (marked as O IA in the Routing Table).
2. Directly on the Interface
(config-if)#ip ospf authentication [message-digest]
*When you configure per-interface Authentication, the other routers DO NOT NEED TO HAVE THE AUTHENTICATION ENABLED!
Check what type of OSPF Authentication has been configured and what Key/Password is applied:
Cisqueros_R1#show ip ospf interface s1/0.12
Serial1/0.12 is up, line protocol is up
Internet Address 10.1.12.1/24, Area 0
Process ID 1, Router ID 1.1.1.1, Network Type POINT_TO_POINT, Cost: 64
Topology-MTID Cost Disabled Shutdown Topology Name
0 64 no no Base
Transmit Delay is 1 sec, State POINT_TO_POINT
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:01
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 2.2.2.2
Suppress hello for 0 neighbor(s)
Message digest authentication enabled <--- AUTHENTICATION TYPE
Youngest key id is 1 <--- THE APPLIED AUTHENTICATION KEY
If you need to seamlessly change the authentication key, here is how it's done:
1. Add the MD5 authentication Key 2
2. Make sure that both keys are configured, using the show command from above. Note that these lines will be added to the bottom of the output:
Message digest authentication enabled
Youngest key id is 2
Rollover in progress, 1 neighbor(s) using the old key(s):
key id 1
3. Configure Key 2 on the Neighbor routers, and run the same show command again. You will notice that the output changes to:
Message digest authentication enabled
Youngest key id is 2
4. It is now safe to remove the Key 1. KEY NUMBERS HAVE NOTHING TO DO WITH THE ORDER!!! This means that next time you need to change Keys, you can use Key 1 again with a different Password.
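The rollover check above is easy to get wrong when you rotate keys on many routers at once. The following script is an added example (not from the original post) that parses the authentication lines of "show ip ospf interface" and only reports an interface as safe for removing the old key when no "Rollover in progress" block is left. The sample outputs are constructed from the lines shown in this post; the "Simple password authentication enabled" string is assumed to be the IOS wording for plain-text authentication.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class OspfAuthState:
    auth_type: str                      # "none", "simple" or "md5"
    youngest_key: Optional[int]         # "Youngest key id is N" (MD5 only)
    old_keys_in_use: List[int] = field(default_factory=list)

    def safe_to_remove_old_keys(self) -> bool:
        # Step 4 of the procedure: only when no neighbor still uses an old key
        return self.auth_type == "md5" and not self.old_keys_in_use


def parse_ospf_auth(show_output: str) -> OspfAuthState:
    """Parse the authentication lines of IOS 'show ip ospf interface'."""
    auth_type, youngest, old_keys = "none", None, []
    in_rollover = False
    for line in show_output.splitlines():
        s = line.strip()
        if s.startswith("Message digest authentication enabled"):
            auth_type = "md5"
        elif s.startswith("Simple password authentication enabled"):  # assumed wording
            auth_type = "simple"
        m = re.match(r"Youngest key id is (\d+)", s)
        if m:
            youngest = int(m.group(1))
        if s.startswith("Rollover in progress"):
            in_rollover = True          # following "key id N" lines are old keys
            continue
        if in_rollover:
            m = re.match(r"key id (\d+)$", s)
            if m:
                old_keys.append(int(m.group(1)))
            else:
                in_rollover = False     # end of the rollover block
    return OspfAuthState(auth_type, youngest, old_keys)


# Constructed samples: mid-rollover (step 2) and completed rollover (step 3)
ROLLOVER_SAMPLE = """Adjacent with neighbor 2.2.2.2
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 2
Rollover in progress, 1 neighbor(s) using the old key(s):
   key id 1
"""
DONE_SAMPLE = """Message digest authentication enabled
Youngest key id is 2
"""
```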