Configuring OSPF Authentication: A Step-by-Step Guide with Sample Configuration

As we all know, security is a big factor in today's networks. We can make our network a bit more secure by enabling OSPF authentication. Routers with OSPF authentication enabled accept OSPF packets only from routers that have the same key configured. OSPF authentication can be configured in two ways: simple (plain text) and MD5.

Simple OSPF authentication: the OSPF key travels over the network in plain text.
MD5 authentication: the password itself does not pass over the network; each packet instead carries an MD5 digest computed over the packet and the key. MD5 is a message-digest algorithm specified in RFC 1321. MD5 is considered the more secure of the two OSPF authentication modes.

When you configure authentication, you must configure an entire area with the same type of authentication.

I have a simple setup to demonstrate OSPF authentication:

ospf1 --- ospf2

Since authentication is not yet configured, the routers exchange routes as shown below:

ospf1#sh ip route ospf
2.0.0.0/32 is subnetted, 1 subnets
O 2.2.2.2 [110/2] via 10.0.0.2, 00:00:39, GigabitEthernet1/0
ospf2#sh ip route ospf
1.0.0.0/32 is subnetted, 1 subnets
O 1.1.1.1 [110/2] via 10.0.0.1, 00:01:02, GigabitEthernet1/0

Simple Authentication:
Use the following commands to enable simple authentication on a Cisco router.

Let us first activate it on the ospf1 router:

interface GigabitEthernet1/0
ip address 10.0.0.1 255.0.0.0
ip ospf authentication-key cisco
router ospf 1
log-adjacency-changes
area 0 authentication
network 1.1.1.1 0.0.0.0 area 0
network 10.0.0.0 0.0.0.255 area 0

cisco is the authentication key used here.

As soon as I activate OSPF authentication on one of the routers, the adjacency breaks, because the other router is still configured with "null" authentication.

ospf1(config-if)#ip ospf authentication-key cisco
ospf1(config-if)#
00:08:46: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on GigabitEthernet1/0 from FULL to DOWN, Neighbor Down: Dead timer expired

Configure it on the other end as well, using the same set of commands:

interface GigabitEthernet1/0
ip address 10.0.0.2 255.0.0.0
ip ospf authentication-key cisco
router ospf 1
log-adjacency-changes
area 0 authentication
network 2.2.2.2 0.0.0.0 area 0
network 10.0.0.0 0.0.0.255 area 0

Once the key is configured on ospf2, the adjacency forms again and routes are exchanged between the two routers:

ospf2(config-if)#ip ospf authentication-key cisco
ospf2(config-if)#

MD5 Authentication:
MD5 authentication is configured in a similar manner. The MD5 authentication example is shown below:

ospf1

interface GigabitEthernet1/0
ip address 10.0.0.1 255.0.0.0
ip ospf message-digest-key 10 md5 cisco
negotiation auto
no clns route-cache
!
router ospf 1
log-adjacency-changes
area 0 authentication message-digest
network 1.1.1.1 0.0.0.0 area 0
network 10.0.0.0 0.0.0.255 area 0

ospf2

interface GigabitEthernet1/0
ip address 10.0.0.2 255.0.0.0
ip ospf authentication-key cisco
ip ospf message-digest-key 10 md5 cisco
negotiation auto
no clns route-cache
!
router ospf 1
log-adjacency-changes
area 0 authentication message-digest
network 2.2.2.2 0.0.0.0 area 0
network 10.0.0.0 0.0.0.255 area 0
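As an added illustration that is not part of the original post, the following Python shows what `area 0 authentication message-digest` actually puts on the wire according to RFC 2328 Appendix D.3: the sender appends MD5(packet || zero-padded key) to the packet instead of sending the key, and a receiver configured with the same Key ID and key recomputes the digest to accept the packet, while a wrong key or a modified packet is rejected. Key ID 10 and the key cisco match the configuration above; the Hello packet itself is a constructed sample, not a capture from these routers.

```python
import hashlib
import hmac
import struct

AUTH_CRYPTOGRAPHIC = 2  # OSPFv2 AuType for MD5 authentication (RFC 2328 D.3)


def build_hello(router_id, key_id, seq, area_id=0, mask=0xFF000000):
    """Build a minimal OSPFv2 Hello (constructed sample, not a real capture).

    With AuType 2 the 8-byte Authentication field carries 0x0000, the Key ID,
    the Auth Data Length (16) and a 32-bit cryptographic sequence number.
    """
    # Hello body: network mask, HelloInterval, Options, Rtr Pri, DeadInterval, DR, BDR
    body = struct.pack("!IHBBIII", mask, 10, 0x02, 1, 40, 0, 0)
    # Header: version 2, type 1 (Hello), length, router id, area id, checksum, AuType
    header = struct.pack("!BBHIIHH", 2, 1, 24 + len(body), router_id, area_id,
                         0, AUTH_CRYPTOGRAPHIC)  # checksum is unused (0) for AuType 2
    auth_field = struct.pack("!HBBI", 0, key_id, 16, seq)
    return header + auth_field + body


def _pad_key(key):
    # The shared secret is zero-padded (or truncated) to 16 bytes before hashing.
    return key.encode().ljust(16, b"\x00")[:16]


def md5_sign(packet, key):
    """Append MD5(packet || padded key); the key itself never leaves the router."""
    return packet + hashlib.md5(packet + _pad_key(key)).digest()


def md5_verify(wire, key):
    """Recompute the digest with the locally configured key and compare it."""
    if len(wire) < 24 + 16 or wire[0] != 2:
        return False
    pkt_len = struct.unpack("!H", wire[2:4])[0]
    au_type = struct.unpack("!H", wire[14:16])[0]
    data_len = wire[19]
    if au_type != AUTH_CRYPTOGRAPHIC or data_len != 16 or len(wire) < pkt_len + 16:
        return False
    expected = hashlib.md5(wire[:pkt_len] + _pad_key(key)).digest()
    # Constant-time comparison of the received digest against the recomputed one.
    return hmac.compare_digest(wire[pkt_len:pkt_len + 16], expected)


def key_id_and_seq(wire):
    """Return (Key ID, cryptographic sequence number) from the authentication field."""
    return wire[18], struct.unpack("!I", wire[20:24])[0]
```

Because the digest covers the whole packet, a receiver can also detect a packet that was altered in transit, which plain-text authentication cannot do.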
