Routing Protocol Authentication (OSPF)
A router authenticates the source of each routing update packet that it
receives. Many routing protocols support authentication, including OSPF,
EIGRP, IS-IS, BGP, and RIPv2.
Cisco routers support two different approaches to authenticating route
advertisements received from a neighboring router:
- Simple (plain-text) password authentication
- Hashing authentication (using MD5)
Simple password authentication:
The router sends the packet together with the key in clear text (if a routing
protocol does not support multiple keys, the key number associated with a routing
update is 0). The neighboring router checks whether the received key matches its
own key; the routing update is rejected if the keys do not match. The only routing
protocols that support plain-text authentication are RIPv2, OSPF, and IS-IS.
MD5 authentication
You configure a key (password) and a key ID; the router generates a message
digest (hash) of the key, the key ID and the message. The message digest is sent
with the packet, while the key itself is never sent. The neighboring router
receives the update and runs the same hashing algorithm over the routing update
with its local key, which produces a hash digest. If the digests match, the router
accepts the packet; if they do not, the update is rejected. This process is more
secure than plain-text authentication because the key is never exposed on the
wire. IS-IS, OSPF, RIPv2 and EIGRP support MD5.
OSPF Authentication
Types of authentication in OSPF:
Type 0 – NULL (no authentication)
Type 1 – simple password (plain-text) authentication
Type 2 – cryptographic (MD5/SHA) authentication
OSPF authentication can be enabled at the OSPF process level (per area) or at the
link (interface) level.
Once you enable any form of authentication in OSPF, all OSPF packets on that
area or link are authenticated.
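The Type 2 (cryptographic) exchange described in the MD5 section above, as an added example that is not part of the original post: a Python model of the RFC 2328 Appendix D MD5 trailer, with the sender computing the digest over the packet plus the secret key and the receiver recomputing it with its own key, selected by key ID, and rejecting tampered, wrong-key and replayed packets. The Hello body is a constructed sample, and zero-padding the key to 16 bytes is assumed (Cisco-style keys of up to 16 characters).

```python
# Added example (not from the page): OSPFv2 cryptographic authentication
# (AuType 2, MD5) per RFC 2328 Appendix D, sender and receiver side.
import hashlib
import hmac
import struct

OSPF_HDR = struct.Struct("!BBHIIHH")  # version, type, length, router-id, area-id, checksum, autype
AUTH_FIELD = struct.Struct("!HBBI")   # 0, key id, auth data length, cryptographic sequence number
AUTYPE_CRYPTO = 2
DIGEST_LEN = 16                       # MD5 digest length

# Constructed sample Hello body: mask /8, hello 10, options, priority 0, dead 40, DR, BDR
HELLO_BODY = struct.pack("!IHBBIII", 0xFF000000, 10, 0x12, 0, 40, 0, 0)

def pad_key(key):
    """Assumption: Cisco-style key of up to 16 characters, zero-padded to 16 bytes."""
    return key.ljust(DIGEST_LEN, b"\x00")

def build_md5_packet(rid, aid, body, key_id, seq, key):
    """Sender: the 8-byte Authentication field carries key id, digest length and a
    sequence number; MD5(packet || padded key) is appended AFTER the packet and is not
    counted in the header length field. The key itself never goes on the wire."""
    length = OSPF_HDR.size + AUTH_FIELD.size + len(body)
    header = OSPF_HDR.pack(2, 1, length, rid, aid, 0, AUTYPE_CRYPTO)  # checksum is 0 for AuType 2
    packet = header + AUTH_FIELD.pack(0, key_id, DIGEST_LEN, seq) + body
    return packet + hashlib.md5(packet + pad_key(key)).digest()

def verify_md5_packet(packet, keys, last_seq):
    """Receiver: pick the local key by key id, recompute the digest and compare it in
    constant time; reject a sequence number below the last one seen from this router
    id (replay). Returns (accepted, reason); last_seq is updated on success."""
    if len(packet) < OSPF_HDR.size + AUTH_FIELD.size:
        return False, "truncated"
    _ver, _ptype, length, rid, _aid, _cksum, autype = OSPF_HDR.unpack_from(packet)
    if autype != AUTYPE_CRYPTO:
        return False, "authentication type mismatch"
    _zero, key_id, auth_len, seq = AUTH_FIELD.unpack_from(packet, OSPF_HDR.size)
    if auth_len != DIGEST_LEN or len(packet) < length + DIGEST_LEN:
        return False, "bad auth data length"
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key id %d" % key_id
    expected = hashlib.md5(packet[:length] + pad_key(key)).digest()
    if not hmac.compare_digest(expected, packet[length:length + DIGEST_LEN]):
        return False, "digest mismatch"
    if seq < last_seq.get(rid, 0):
        return False, "replayed sequence number"
    last_seq[rid] = seq
    return True, "ok"
```

The same packet verifies with the matching key and fails with a different key, a different key ID, a modified body, or an older sequence number, which is exactly the check a neighbor performs before accepting an OSPF update.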
Let’s see the configuration:
Topology:

GOAL:
- Configure the topology as per the diagram
- Configure OSPF in area 0 and advertise all the interfaces
- Configure router 1 and router 2 to exchange routes after establishing a successful adjacency using clear-text authentication
R1#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.1.1.1 YES manual up up
Serial3/0 1.1.1.1 YES manual up down
Loopback0 11.0.0.1 YES manual up up
Loopback1 11.0.1.1 YES manual up up
Loopback2 11.0.2.1 YES manual up up
Loopback3 11.0.3.1 YES manual up up
R2#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 20.1.1.1 YES manual up up
Serial3/0 1.1.1.2 YES manual up up
Loopback0 12.0.0.1 YES manual up up
Loopback1 12.0.1.1 YES manual up up
Loopback2 12.0.2.1 YES manual up up
Loopback3 12.0.3.1 YES manual up up
R1(config)#router ospf 10
R1(config-router)#router-id 11.11.11.11
R1(config-router)#network 1.0.0.0 0.255.255.255 area 0
R1(config-router)#network 10.0.0.0 0.255.255.255 area 0
R1(config-router)#network 11.0.0.0 0.0.0.255 area 0
R2(config)#router ospf 10
R2(config-router)#router-id 12.12.12.12
R2(config-router)#network 12.0.0.0 0.0.0.255 area 0
R2(config-router)#network 20.0.0.0 0.255.255.255 area 0
R2(config-router)#network 1.0.0.0 0.255.255.255 area 0
R1(config)#interface serial 3/0
R1(config-if)#ip ospf authentication
R1(config-if)#ip ospf authentication-key internet
*Dec 5 12:09:31.047: %OSPF-5-ADJCHG: Process 10, Nbr 12.12.12.12 on Serial3/0 from FULL to DOWN, Neighbor Down: Dead timer expired
R2(config)#interface serial 3/0
R2(config-if)#ip ospf authentication
R2(config-if)#ip ospf authentication-key internet
(The ip ospf authentication command enables plain-text authentication at the
interface level. Note the log message above: as soon as R1 turned authentication
on, its adjacency with R2 dropped when the dead timer expired, because R2 was still
sending unauthenticated hellos. Once R2 is configured with the same key, the
adjacency re-forms.)
*Dec 5 12:16:37.095: %OSPF-5-ADJCHG: Process 10, Nbr 11.11.11.11 on Serial3/0 from LOADING to FULL, Loading Done
R1#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
12.12.12.12 0 FULL/ - 00:00:39 1.1.1.2 Serial3/0
R2#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
11.11.11.11 0 FULL/ - 00:00:39 1.1.1.1 Serial3/0
(When we have many interfaces and do not want to enable OSPF authentication on
each and every one of them, we can instead enable area-wide authentication with
the area authentication command under the OSPF process.)
Let's see:
R1(config)#router ospf 10
R1(config-router)#area 0 authentication
R1(config-router)#end
*Dec 5 12:27:32.931: OSPF-10 EVENT: Area config: 'area 0 authentication '
R2(config)#router ospf 10
R2(config-router)#area 0 authentication
R1#show ip ospf interface serial 3/0
Serial3/0 is up, line protocol is up
Internet Address 1.1.1.1/8, Area 0, Attached via Network Statement
Process ID 10, Router ID 11.11.11.11, Network Type POINT_TO_POINT, Cost: 64
Topology-MTID Cost Disabled Shutdown Topology Name
0 64 no no Base
Transmit Delay is 1 sec, State POINT_TO_POINT
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:00
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 12.12.12.12
Suppress hello for 0 neighbor(s)
Simple password authentication enabled
R2#show ip ospf interface serial 3/0
Serial3/0 is up, line protocol is up
Internet Address 1.1.1.2/8, Area 0, Attached via Network Statement
Process ID 10, Router ID 12.12.12.12, Network Type POINT_TO_POINT, Cost: 64
Topology-MTID Cost Disabled Shutdown Topology Name
0 64 no no Base
Transmit Delay is 1 sec, State POINT_TO_POINT
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:04
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 11.11.11.11
Suppress hello for 0 neighbor(s)
Simple password authentication enabled
MD5 in OSPF:
MD5 authentication needs a different set of commands. First, on the interface, we
use ip ospf message-digest-key <key-id> md5 <password> to specify the key number
and the password. The key number and password can be anything we like, but both
must be the same on both sides of the link. To turn MD5 authentication on we then
use ip ospf authentication message-digest on the interface, or area <area-id>
authentication message-digest under the OSPF process for the whole area (the
lab below uses the area-wide form).
Topology:
GOAL:
- We continue with the previous topology
- Erase the simple (plain-text) authentication configuration
- Configure MD5 authentication instead
R1(config)#router ospf 11
R1(config-router)#router-id 11.11.11.11
R1(config-router)#network 10.0.0.0 0.255.255.255 area 0
R1(config-router)#network 1.0.0.0 0.255.255.255 area 0
R1(config-router)#network 11.0.0.0 0.0.0.255 area 0
R2(config)#router ospf 12
R2(config-router)#router-id 12.12.12.12
R2(config-router)#network 1.0.0.0 0.255.255.255 area 0
R2(config-router)#network 20.0.0.0 0.255.255.255 area 0
R2(config-router)#network 12.0.0.0 0.0.0.255 area 0
R1(config)# router ospf 11
R1(config-router)# area 0 authentication message-digest
R1(config-router)# exit
R1(config)# interface serial 3/0
R1(config-if)# ip ospf message-digest-key 1 md5 internet
R2(config)# router ospf 11
R2(config-router)# area 0 authentication message-digest
R2(config-router)# exit
R2(config)# interface serial 3/0
R2(config-if)# ip ospf message-digest-key 1 md5 internet
R1#show ip ospf interface serial 3/0
Serial3/0 is up, line protocol is up
Internet Address 1.1.1.1/8, Area 0, Attached via Network Statement
Process ID 11, Router ID 11.11.11.11, Network Type POINT_TO_POINT, Cost: 64
Topology-MTID Cost Disabled Shutdown Topology Name
0 64 no no Base
Transmit Delay is 1 sec, State POINT_TO_POINT
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:01
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 12.12.12.12
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1
R2#show ip ospf interface serial 3/0
Serial3/0 is up, line protocol is up
Internet Address 1.1.1.2/8, Area 0, Attached via Network Statement
Process ID 11, Router ID 12.12.12.12, Network Type POINT_TO_POINT, Cost: 64
Topology-MTID Cost Disabled Shutdown Topology Name
0 64 no no Base
Transmit Delay is 1 sec, State POINT_TO_POINT
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:04
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 4 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 11.11.11.11
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1