CÔNG TY TNHH CÔNG NGHỆ VIỆT THÁI DƯƠNG

Configuring OSPF Authentication

Network Requirements

  • Run OSPF on all devices and configure area authentication: simple text authentication for Area 0 and MD5 authentication for Area 1.
  • Configure OSPF interface authentication: simple text authentication on the Area 0 interfaces and MD5 authentication on the Area 1 interfaces.
  • After configuration is complete, the devices should be able to set up neighbor relations and learn routes from each other normally.

Network Topology

Figure 7-2 Networking for Configuring OSPF Authentication

Configuration Steps

Step 1: Create VLANs, and add ports to the required VLANs. (Omitted)

Step 2: Configure IP addresses for the ports. (Omitted)

Step 3: Configure an OSPF process, assign the interfaces to their areas, and enable area authentication: simple text authentication for Area 0 and MD5 authentication for Area 1.

#On Device1, configure an OSPF process and configure the area authentication function.

Device1#configure terminal
Device1(config)#router ospf 100
Device1(config-ospf)#router-id 1.1.1.1
Device1(config-ospf)#area 0 authentication
Device1(config-ospf)#network 10.0.0.0 0.0.0.255 area 0
Device1(config-ospf)#exit

#On Device2, configure an OSPF process and configure the area authentication function.

Device2#configure terminal
Device2(config)#router ospf 100
Device2(config-ospf)#router-id 2.2.2.2
Device2(config-ospf)#area 0 authentication
Device2(config-ospf)#area 1 authentication message-digest
Device2(config-ospf)#network 10.0.0.0 0.0.0.255 area 0
Device2(config-ospf)#network 20.0.0.0 0.0.0.255 area 1
Device2(config-ospf)#exit

#On Device3, configure an OSPF process and configure the area authentication function.

Device3#configure terminal
Device3(config)#router ospf 100
Device3(config-ospf)#router-id 3.3.3.3
Device3(config-ospf)#area 1 authentication message-digest
Device3(config-ospf)#network 20.0.0.0 0.0.0.255 area 1
Device3(config-ospf)#exit

#Query the OSPF process information of Device1.

Device1#show ip ospf 100 
 Routing Process "ospf 100" with ID 1.1.1.1 
 Process bound to VRF default 
 Process uptime is 30 minutes 
 IETF NSF restarter support disabled 
 IETF NSF helper support enabled 
 Conforms to RFC2328, and RFC1583 Compatibility flag is disabled 
 Supports only single TOS(TOS0) routes 
 Supports opaque LSA 
 Supports Graceful Restart 
 Initial SPF schedule delay 5000 msecs 
 Minimum hold time between two consecutive SPFs 10000 msecs 
 Maximum wait time between two consecutive SPFs 10000 msecs 
 Refresh timer 10 secs 
 Number of external LSA 0. Checksum Sum 0x000000 
 Number of opaque AS LSA 0. Checksum Sum 0x000000 
 Number of non-default external LSA is 0 
 External LSA database is unlimited. 
 Not Support Demand Circuit lsa number is 0, autonomy system support flood DoNotAge Lsa 
 Number of areas attached to this router: 1 
    Area 0 (BACKBONE)       Number of interfaces in this area is 1(1) 
        Number of fully adjacent neighbors in this area is 1 
        Number of fully adjacent sham-link neighbors in this area is 0 
        Area has simple password authentication 
        SPF algorithm last executed 00:27:43.916 ago 
        SPF algorithm executed 3 times 
        Number of LSA 4. Checksum Sum 0x0160f7 
        Not Support Demand Circuit lsa number is 0,  
        Indication lsa (by other routers) number is: 0,  
        Area support flood DoNotAge Lsa 

The output shows that Area 0 uses simple text authentication.

#Query the OSPF neighbors and routing table of Device1.

Device1#show ip ospf neighbor  
OSPF process 100: 
Neighbor ID   Pri   State     Dead Time   Address   Interface
2.2.2.2       1     Full/DR   00:00:38	  10.0.0.2  vlan2 
 
Device1#show ip route  
Codes: C - connected, S - static, R - RIP, O - OSPF, OE-OSPF External, M Management 
       D - Redirect, E - IRMP, EX - IRMP external, o - SNSP, B BGP, i-ISIS  
 
Gateway of last resort is not set 
 
C 10.0.0.0/24 is directly connected, 00:14:01, vlan2
O 20.0.0.0/24 [110/2] via 10.0.0.2, 00:10:38, vlan2
C 127.0.0.0/8 is directly connected, 20:55:08, lo0 

On Device1, the neighbor relation is established and routes are learned normally.

#Query the OSPF process information of Device3.

Device3#show ip ospf 100 
 Routing Process "ospf 100" with ID 3.3.3.3 
 Process bound to VRF default 
 Process uptime is 28 minutes 
 IETF NSF restarter support disabled 
 IETF NSF helper support enabled 
 Conforms to RFC2328, and RFC1583Compatibility flag is disabled 
 Supports only single TOS(TOS0) routes 
 Supports opaque LSA 
 Supports Graceful Restart 
 Initial SPF schedule delay 5000 msecs 
 Minimum hold time between two consecutive SPFs 10000 msecs 
 Maximum wait time between two consecutive SPFs 10000 msecs 
 Refresh timer 10 secs 
 Number of external LSA 0. Checksum Sum 0x000000 
 Number of opaque AS LSA 0. Checksum Sum 0x000000 
 Number of non-default external LSA is 0 
 External LSA database is unlimited. 
 Not Support Demand Circuit lsa number is 0, autonomy system support flood DoNotAge Lsa 
 Number of areas attached to this router: 1 
    Area 1       Number of interfaces in this area is 1(1) 
        Number of fully adjacent neighbors in this area is 1 
        Number of fully adjacent sham-link neighbors in this area is 0 
        Number of fully adjacent virtual neighbors through this area is 0 
        Area has message digest authentication 
        SPF algorithm last executed 00:24:01.783 ago 
        SPF algorithm executed 5 times 
        Number of LSA 4. Checksum Sum 0x0337cf 
        Not Support Demand Circuit lsa number is 0,  
        Indication lsa (by other routers) number is: 0,  
        Area support flood DoNotAge Lsa 

The output shows that Area 1 uses MD5 authentication.

#Query the OSPF neighbors and routing table of Device3.

Device3#show ip ospf neighbor 
OSPF process 100: 
Neighbor ID   Pri   State         Dead Time   Address    Interface
2.2.2.2       1     Full/Backup   00:00:33	  20.0.0.1   vlan2 
 
Device3#show ip route 
Codes: C - connected, S - static, R - RIP, O - OSPF, OE-OSPF External, M Management 
       D - Redirect, E - IRMP, EX - IRMP external, o - SNSP, B BGP, i-ISIS  
 
Gateway of last resort is not set 
 
O 10.0.0.0/24 [110/2] via 20.0.0.1, 00:09:31, vlan2
C 20.0.0.0/24 is directly connected, 00:20:36, vlan2
C 127.0.0.0/8 is directly connected, 24:00:06, lo0 

On Device3, the neighbor relation is established and routes are learned normally.

Step 4: Configure OSPF interface authentication.

#On Device1, configure interface VLAN2 with simple text authentication, and set the password to admin.

Device1(config)#interface vlan2
Device1(config-if-vlan2)#ip ospf authentication
Device1(config-if-vlan2)#ip ospf authentication-key 0 admin
Device1(config-if-vlan2)#exit

#On Device2, configure interface VLAN2 with simple text authentication, and set the password to admin. Configure interface VLAN3 with MD5 authentication, set Key ID to 1, and set password to admin.

Device2(config)#interface vlan2
Device2(config-if-vlan2)#ip ospf authentication
Device2(config-if-vlan2)#ip ospf authentication-key 0 admin
Device2(config-if-vlan2)#exit
Device2(config)#interface vlan3
Device2(config-if-vlan3)#ip ospf authentication message-digest
Device2(config-if-vlan3)#ip ospf message-digest-key 1 md5 0 admin
Device2(config-if-vlan3)#exit

#On Device3, configure interface VLAN2 with MD5 authentication, set Key ID to 1, and set password to admin.

Device3(config)#interface vlan2
Device3(config-if-vlan2)#ip ospf authentication message-digest
Device3(config-if-vlan2)#ip ospf message-digest-key 1 md5 0 admin
Device3(config-if-vlan2)#exit

Step 5: Check the result.

#Query the OSPF neighbor information of Device2.

Device2#show ip ospf neighbor 
OSPF process 100: 
Neighbor ID  Pri   State        Dead Time   Address    Interface
1.1.1.1      1     Full/Backup  00:00:33    10.0.0.1   vlan2 
3.3.3.3      1     Full/DR      00:00:39    20.0.0.2   vlan3 

#Query the OSPF interface information of Device2.

Device2#show ip ospf interface vlan2
vlan2 is up, line protocol is up 
  Internet Address 10.0.0.2, 10.0.0.255( a[10.0.0.2] d[10.0.0.255]) Area 0, MTU 1500 
  Process ID 100, Router ID 2.2.2.2, Network Type BROADCAST, Cost: 1 
  Transmit Delay is 1 sec, State DR, Priority 1, TE Metric 0 
  Designated Router (ID) 2.2.2.2, Interface Address 10.0.0.2 
  Backup Designated Router (ID) 1.1.1.1, Interface Address 10.0.0.1 
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 
    Hello due in 00:00:04 
  Neighbor Count is 1, Adjacent neighbor count is 1 
  Crypt Sequence Number is 0 
  Graceful restart proxy id is 0x0 
  Hello received 406 sent 454, DD received 8 sent 6 
  LS-Req received 2 sent 2, LS-Upd received 11(LSA: 15) sent 10(LSA: 14) 
  LS-Ack received 10 sent 0, Discarded 0 
 
Device2#show ip ospf interface vlan3
vlan3 is up, line protocol is up 
  Internet Address 20.0.0.1, 20.0.0.255( a[20.0.0.1] d[20.0.0.255]) Area 1, MTU 1500 
  Process ID 100, Router ID 2.2.2.2, Network Type BROADCAST, Cost: 1 
  Transmit Delay is 1 sec, State Backup, Priority 1, TE Metric 0 
  Designated Router (ID) 3.3.3.3, Interface Address 20.0.0.2 
  Backup Designated Router (ID) 2.2.2.2, Interface Address 20.0.0.1 
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 
    Hello due in 00:00:00 
  Neighbor Count is 1, Adjacent neighbor count is 1 
  Crypt Sequence Number is 485 
  Graceful restart proxy id is 0x0 
  Hello received 412 sent 454, DD received 9 sent 12 
  LS-Req received 3 sent 3, LS-Upd received 9(LSA: 10) sent 13(LSA: 16) 
  LS-Ack received 13 sent 8, Discarded 0 

After MD5 authentication is configured, a Crypt Sequence Number is generated. In the case of simple text authentication, no sequence number is generated.
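What the two modes put on the wire, as an added example (not from the original guide or the device vendor): it builds constructed OSPFv2 packets following RFC 2328 Appendix D with the page's key `admin` and sequence number 485, then checks them as a receiver would. Simple text authentication carries the key in the header in clear, while MD5 carries only a key ID, a sequence number and an appended digest. The packet body and the function names `build`, `check` and `pad` are assumptions.

```python
import hashlib
import hmac
import struct

# OSPFv2 header (RFC 2328 A.3.1): version, type, length, router ID, area ID,
# checksum, AuType, 8-byte authentication field.
HDR = struct.Struct("!BBH4s4sHH8s")

def pad(key, size):
    return key.ljust(size, b"\x00")[:size]

def build(autype, area, key, seq=0, key_id=1, body=b"\x00" * 20):
    """Build a constructed packet from router 2.2.2.2 (checksum left at 0)."""
    if autype == 1:                      # simple: the key itself is the field
        auth = pad(key, 8)
    else:                                # MD5: 0, Key ID, digest length, sequence
        auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    pkt = HDR.pack(2, 1, HDR.size + len(body), bytes([2, 2, 2, 2]),
                   struct.pack("!I", area), 0, autype, auth) + body
    if autype == 2:                      # digest over packet + padded key, appended
        pkt += hashlib.md5(pkt + pad(key, 16)).digest()
    return pkt

def check(pkt, key, last_seq=0):
    """Judge a packet as a receiver holding `key`: (mode, visible value, accepted)."""
    _, _, length, _, _, _, autype, auth = HDR.unpack_from(pkt)
    if autype == 1:
        seen = auth.rstrip(b"\x00")      # password readable straight off the wire
        return "simple", seen, hmac.compare_digest(seen, key)
    if autype == 2:
        _, _, dlen, seq = struct.unpack("!HBBI", auth)
        want = hashlib.md5(pkt[:length] + pad(key, 16)).digest()
        fresh = seq >= last_seq          # older sequence numbers are replays
        ok = hmac.compare_digest(want, pkt[length:length + dlen])
        return "md5", seq, ok and fresh
    return "null", None, False

if __name__ == "__main__":
    print(check(build(1, 0, b"admin"), b"admin"))
    md5_pkt = build(2, 1, b"admin", seq=485)
    print(check(md5_pkt, b"admin"), check(md5_pkt, b"admin", last_seq=486))
```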

Note

  • When configuring OSPF authentication, you can configure area authentication only, interface authentication only, or both.
  • If both area authentication and interface authentication are configured, interface authentication takes precedence.