When we think about OSPF authentication, we have to think about what must agree between two routers. OSPF does not negotiate authentication at all: each router checks every received packet against the authentication settings of the interface it arrived on and drops anything that does not match, so a mismatch is visible only in debug output, like this line:
*May 14 10:38:57.843: OSPF: Rcv pkt from 192.168.253.5, FastEthernet1/0 : Mismatch Authentication type. Input packet specified type 2, we use type 0
The OSPF authentication method can be configured under interface configuration mode or under router configuration mode. In both cases the check itself happens per interface.
For example, if I enter:
router ospf 1
area 0 authentication message-digest
this enables MD5 (type 2) authentication on every interface of the router that is in area 0. An ip ospf authentication command on an interface takes precedence over the area setting for that interface.
Here is an example. The network is very simple: 3 routers connected to the same Ethernet segment, 192.168.253.0/24.
Case 1:
We will configure the authentication method on R3 to be type 1 (clear text), and on R5 and R2 to be type 2 (MD5). No keys are configured yet.
Router R5:
router ospf 1
log-adjacency-changes
network 192.168.253.5 0.0.0.0 area 0
interface FastEthernet0
ip address 192.168.253.5 255.255.255.0
ip ospf authentication message-digest
speed auto
end
Router R2:
router ospf 1
log-adjacency-changes
area 0 authentication message-digest
network 192.168.253.2 0.0.0.0 area 0
interface FastEthernet1/0
ip address 192.168.253.2 255.255.255.0
duplex auto
speed auto
end
Router R3:
router ospf 1
log-adjacency-changes
network 192.168.253.3 0.0.0.0 area 0
interface FastEthernet0
ip address 192.168.253.3 255.255.255.0
ip ospf authentication
speed auto
As you can see, on R2 I configured the authentication method under router configuration mode:
area 0 authentication message-digest ; enables authentication type 2 on all interfaces that are in area 0
while on R3 and R5 it is configured under interface configuration mode:
ip ospf authentication ; enables authentication type 1 (clear text) on interface f0 (R3)
ip ospf authentication message-digest ; enables authentication type 2 (MD5) on interface f0 (R5)
If we look for neighbours on R3, there are none:
Router R3:
R3#show ip ospf neigh
R3#
The debug output (debug ip ospf adj) on R5 shows why: every Hello from R3 carries type 1 while the receiving interface uses type 2, so R5 drops it.
00:25:01: OSPF: Rcv pkt from 192.168.253.3, FastEthernet0 : Mismatch Authentication type. Input packet specified type 1, we use type 2
00:25:05: OSPF: Send with youngest Key 0
00:25:11: OSPF: Rcv pkt from 192.168.253.3, FastEthernet0 : Mismatch Authentication type. Input packet specified type 1, we use type 2
Now if we change the authentication method on R3 to MD5 as well, the neighbour relationships come up:
R3:
int f0
ip ospf authentication message-digest
R3#show ip ospf neigh
Neighbor ID Pri State Dead Time Address Interface
192.168.253.5 1 FULL/DR 00:00:38 192.168.253.5 FastEthernet0
172.18.20.20 1 FULL/BDR 00:00:31 192.168.253.2 FastEthernet0
R3#
You can see the authentication type with show ip ospf interface:
R2#show ip ospf int f1/0
FastEthernet1/0 is up, line protocol is up
Internet Address 192.168.253.2/24, Area 0
Process ID 1, Router ID 172.18.20.20, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 192.168.253.5, Interface address 192.168.253.5
Backup Designated router (ID) 172.18.20.20, Interface address 192.168.253.2
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:05
Supports Link-local Signaling (LLS)
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 192.168.253.5 (Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
No key configured, using default key id 0
The last line says that no message-digest key is configured, so the router uses key ID 0 with an empty value. That is why the adjacencies in Case 1 came up with MD5 enabled but no keys on either side: every router signed with key 0 and an empty value, and every router accepted it. Turning on the authentication type without configuring a key therefore gives no protection: any device on the segment that does the same is accepted as a neighbour.
Case 2:
Now that the authentication type matches on all routers, let us configure the keys.
For clear text authentication (type 1) you can configure only one key per interface, up to 8 characters:
int f0
ip ospf authentication-key blogkey
Here blogkey is the password. The check is simple: the same 8-byte value is carried in every OSPF packet and the receiver compares it with its own. Because it travels in clear text, anyone who can capture traffic on the segment can read it; type 1 only protects against accidental misconfiguration, not against an attacker.
For MD5 authentication (type 2) you can configure several keys on an interface, each with a key ID (1 to 255) and a value of up to 16 characters. The key ID, not the value, is carried in every packet: the receiving router looks that ID up in its own key table and recomputes the MD5 digest with the value it finds. There is no exchange of key values; both routers simply have to hold the same value under the same key ID. Several keys exist for key rollover: after you add a new key, the router sends one copy of each packet per key until it sees its neighbours using the new key, after which the old key should be removed.
int f0
ip ospf message-digest-key 30 md5 blogmd5key
If the receiving router has no key with the ID carried in the packet, or its value for that ID differs so the digest does not verify, the packet is dropped and the neighbour relationship is not established.
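To make the checks in Case 1 and Case 2 concrete, here is a small Python model of OSPFv2 packet authentication written for this post; it is not the post's own code and not Cisco's implementation. It follows RFC 2328 Appendix D: the receiving side first compares the AuType in the packet with its own interface setting, then for type 2 looks up the packet's Key ID and recomputes MD5 over the packet followed by the key padded to 16 bytes. It replays the type mismatch from Case 1, the two routers with no keys accepting each other on key ID 0, and the key ID and value matching from Case 2. Router IDs, keys, sequence numbers and packet bytes are constructed for the example; treating an unconfigured key as key ID 0 with an empty value, and taking the last-configured key as the "youngest", are assumptions that model the show and debug output above rather than verified Cisco internals.

```python
"""Toy OSPFv2 packet authentication modelled on RFC 2328, Appendix D.
Added example for this post, not the post's or Cisco's code: router IDs, keys,
sequence numbers and packet bytes are constructed here; the OSPF checksum of
type 0/1 packets is left out because it plays no part in the checks shown."""
import hashlib
import hmac
import ipaddress
import struct

AUTH_NULL, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2
HEADER_FMT = "!BBHIIHH"  # version, type, length, router id, area id, checksum, autype
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 16 bytes; the 8-byte auth field follows
HELLO = 1
# Assumption modelling "No key configured, using default key id 0" from the post:
# an MD5 interface with no keys signs and verifies with Key ID 0 and an empty value.
DEFAULT_KEYS = {0: b""}


def build_hello(router_id, autype, auth, body=b"", area=0):
    """Wire bytes of one Hello. auth is the password (type 1), a (key_id, key, seq)
    tuple (type 2) or ignored (type 0)."""
    length = HEADER_LEN + 8 + len(body)  # the MD5 digest is not counted in length
    header = struct.pack(HEADER_FMT, 2, HELLO, length,
                         int(ipaddress.IPv4Address(router_id)), area, 0, autype)
    if autype == AUTH_MD5:
        key_id, key, seq = auth
        # Type 2 auth field: reserved, Key ID, Auth Data Len (16), crypto sequence number.
        packet = header + struct.pack("!HBBI", 0, key_id, 16, seq) + body
        # D.4.3: MD5 over the packet followed by the key padded to 16 bytes, digest appended.
        return packet + hashlib.md5(packet + key.ljust(16, b"\x00")).digest()
    # Type 1 carries the password itself, zero-padded to 8 bytes; type 0 carries zeros.
    auth_field = auth.ljust(8, b"\x00") if autype == AUTH_SIMPLE else bytes(8)
    return header + auth_field + body


def send_md5(router_id, keys, seq):
    """Sign with the youngest key, modelled here as the last one configured
    (cf. the 'Send with youngest Key' debug line); no keys means DEFAULT_KEYS."""
    keys = keys or DEFAULT_KEYS
    key_id = list(keys)[-1]
    return build_hello(router_id, AUTH_MD5, (key_id, keys[key_id], seq))


def receive(wire, iface_autype, keys=None, password=b""):
    """Check one packet the way a receiving interface does: returns ("accept", None)
    or ("drop", reason). keys maps Key ID -> value (type 2); password is type 1."""
    _ver, _ptype, length, _rid, _area, _csum, autype = struct.unpack(HEADER_FMT, wire[:HEADER_LEN])
    if autype != iface_autype:  # the check that failed in Case 1
        return "drop", f"Mismatch Authentication type. Input packet specified type {autype}, we use type {iface_autype}"
    packet, trailer = wire[:length], wire[length:]
    auth_field = packet[HEADER_LEN:HEADER_LEN + 8]
    if autype == AUTH_MD5:
        _res, key_id, auth_len, _seq = struct.unpack("!HBBI", auth_field)
        key = (keys or DEFAULT_KEYS).get(key_id)
        if key is None:  # the same value under a different ID is still a failure
            return "drop", f"no key configured for Key ID {key_id}"
        expected = hashlib.md5(packet + key.ljust(16, b"\x00")).digest()
        if not hmac.compare_digest(trailer[:auth_len], expected):
            return "drop", f"digest mismatch for Key ID {key_id}"
        # A real router also rejects _seq lower than the last one seen from this neighbour.
        return "accept", None
    if autype == AUTH_SIMPLE and auth_field != password.ljust(8, b"\x00"):
        return "drop", "password mismatch"
    return "accept", None


def demo():
    """Replay the post's two cases; returns {scenario: verdict}."""
    r3 = "192.168.253.3"
    r5_keys = {30: b"blogmd5key"}
    out = {}
    # Case 1: R3 sends type 1 Hellos, R5's interface runs type 2.
    out["type_mismatch"] = receive(build_hello(r3, AUTH_SIMPLE, b""), AUTH_MD5)
    # Case 1 after the fix: both type 2, no keys anywhere -> Key ID 0, empty value, accepted.
    out["no_keys_anywhere"] = receive(send_md5(r3, {}, 1), AUTH_MD5, {})
    # Case 2: same Key ID with the same value on both routers.
    out["key_match"] = receive(send_md5(r3, {30: b"blogmd5key"}, 2), AUTH_MD5, r5_keys)
    # Same value under Key ID 31: R5 has no key 31, so the packet is dropped.
    out["key_id_missing"] = receive(send_md5(r3, {31: b"blogmd5key"}, 3), AUTH_MD5, r5_keys)
    # Key ID 30 with a different value: the digest does not verify.
    out["key_value_wrong"] = receive(send_md5(r3, {30: b"wrongkey"}, 4), AUTH_MD5, r5_keys)
    # Type 1: the password is carried in the clear inside the 8-byte auth field.
    wire = build_hello(r3, AUTH_SIMPLE, b"blogkey")
    out["simple_match"] = receive(wire, AUTH_SIMPLE, password=b"blogkey")
    out["simple_wrong"] = receive(wire, AUTH_SIMPLE, password=b"other")
    out["simple_visible"] = b"blogkey" in wire
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>16}: {verdict}")
```

Running the file prints one verdict per scenario; demo() returns the same dictionary for programmatic use. This is packet-level checking only: a real router additionally tracks the cryptographic sequence number per neighbour to reject replays, and the type 1 scenario is included precisely to show that the password is readable in the captured bytes.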
I hope this was helpful for ospf authentication. Please don't hesitate to write your comments or questions
To sum up, two things must agree between two routers:
- The authentication method: either clear text (type 1) or MD5 (type 2). If the method differs between two routers, no neighbour relationship forms between them, even if the method is set without any key. The same applies when one router has authentication enabled and the other does not (type 0).
- The authentication key. Each key has an identifier and a value. For MD5, every packet names the key ID it was signed with; the receiver must hold the same value under that same ID. A packet is accepted only when the digest computed with that key matches.
You can follow our FTP services and solutions blog on http://www.ftp.services
Blog Tags: CCNP CCNA CCIP CCIE Boot Camp Bangalore India Shanghai China IT Jobs Network Engineer Dubai IT Manager North America System Administrator Doha