In our previous article on OSPF multi-area configuration, I showed you how to configure OSPF in a multi-area topology. In this article we use the topology below to demonstrate OSPF MD5 authentication. So let's get started.
In the topology above we have only two routers, R1 and R2, directly connected in the same OSPF area (area 0). There are two ways to enable OSPF MD5 authentication on Cisco routers: configure authentication on each OSPF interface, or enable it for the entire area, in which case you don't need the per-interface “ip ospf authentication message-digest” command (the key itself is still configured per interface in both cases). Note that OSPF is already configured between R1 and R2 and the two routers have a FULL neighborship with each other.
#R1 OSPF MD5 Configuration
interface GigabitEthernet0/0/0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 TECHACAD
MD5 authentication needs two commands. First, “ip ospf message-digest-key X md5 KEY” specifies the key ID (X) and the key itself. It doesn't matter which key ID you choose, but both the ID and the key have to be the same on both ends, because the key ID travels in every OSPF packet and the receiver uses it to pick the key to check the digest against. The key is at most 16 characters and is stored in the running configuration in plaintext unless “service password-encryption” is on (which only applies reversible type 7 obfuscation), so treat the configuration as sensitive. Second, “ip ospf authentication message-digest” turns authentication on for the interface. As soon as we enable MD5 authentication on R1 alone, R2 drops R1's hellos (the authentication type no longer matches its own), the dead timer expires, the neighborship goes down, and the following messages appear on R2's console.
R2(config)#
00:21:05: %OSPF-5-ADJCHG: Process 1, Nbr 22.214.171.124 on GigabitEthernet0/0/0 from FULL to DOWN, Neighbor Down: Dead timer expired
00:21:05: %OSPF-5-ADJCHG: Process 1, Nbr 126.96.36.199 on GigabitEthernet0/0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
Now we need to enable OSPF MD5 authentication on R2 as well, with the same key ID and key, to bring the neighborship back up.
#R2 OSPF MD5 Configuration
interface GigabitEthernet0/0/0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 TECHACAD
As mentioned earlier, the MD5 key and key ID must match at both ends for the neighborship to form, so let's verify the OSPF neighborship.
R2#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
188.8.131.52      1   FULL/BDR        00:00:30    192.168.200.1   GigabitEthernet0/0/0
We have a FULL neighborship with R1. Let's verify that MD5 authentication is actually enabled on the interface with “show ip ospf interface gig0/0/0”. The last two lines of the output are the ones to look for: “Message digest authentication enabled” confirms the mode, and “Youngest key id” is the most recently configured key ID, which is the one the router uses to sign the packets it sends. This is also how you roll a key without dropping the adjacency: add a second key ID with the new key on both routers (the router then sends a copy of each packet for every configured key until it sees all neighbors using the newest one), and only then remove the old key ID.
R2#show ip ospf interface gig0/0/0
GigabitEthernet0/0/0 is up, line protocol is up
  Internet address is 192.168.200.2/24, Area 0
  Process ID 1, Router ID 184.108.40.206, Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 220.127.116.11, Interface address 192.168.200.2
  Backup Designated Router (ID) 18.104.22.168, Interface address 192.168.200.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:01
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 22.214.171.124  (Backup Designated Router)
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 1
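To see what the two interface commands actually change on the wire, here is an added example that is not part of the original article: a small Python script that builds an OSPFv2 Hello with AuType 2 (cryptographic authentication) the way RFC 2328 Appendix D describes it, and then checks it the way a receiving interface with a key table would. The checksum is zeroed, the 8-byte authentication field carries the key ID, the digest length (16) and a sequence number, MD5 is computed over the packet followed by the key zero-padded to 16 bytes (the padding rule interoperable implementations such as FRR use with Cisco), and the 16-byte digest is appended after the packet without being counted in the packet length. The key TECHACAD and the 192.168.200.0/24 addresses are the article's; the router ID, sequence number, mask and hello contents are assumed values for the demo (the article's own router IDs are not legible in the page). The verifier function shows why a different key, or a different key ID, on R2 makes R1's hellos fail and the dead timer expire.

```python
"""Build and verify an OSPFv2 Hello with RFC 2328 cryptographic (MD5) authentication.

Added example for the article; not the article's own code or a Cisco tool.
"""
import hashlib
import hmac
import ipaddress
import struct

OSPF_VERSION = 2
OSPF_TYPE_HELLO = 1
AUTYPE_CRYPTOGRAPHIC = 2   # the value "ip ospf authentication message-digest" selects
HDR_LEN = 24               # 16-byte common header + 8-byte authentication field
DIGEST_LEN = 16


def _ip(addr):
    """Dotted-quad string -> 4 network-order bytes."""
    return ipaddress.IPv4Address(addr).packed


def _pad_key(key):
    """Cisco accepts up to 16 characters; shorter keys are zero-padded to 16 bytes."""
    raw = key.encode()
    if len(raw) > 16:
        raise ValueError("OSPF MD5 key must be at most 16 bytes")
    return raw.ljust(16, b"\x00")


def hello_body(mask, hello, dead, dr, bdr, neighbors, options=0x02, priority=1):
    """Hello payload: mask, HelloInterval, Options, RtrPri, RouterDeadInterval, DR, BDR, neighbors."""
    body = _ip(mask) + struct.pack("!HBBI", hello, options, priority, dead) + _ip(dr) + _ip(bdr)
    for n in neighbors:
        body += _ip(n)
    return body


def build_authenticated(router_id, area_id, body, key_id, seq, key):
    """Return header + auth field + body + MD5 digest, as sent with AuType 2."""
    length = HDR_LEN + len(body)            # the digest is NOT counted in Packet Length
    hdr = struct.pack("!BBH4s4sHH", OSPF_VERSION, OSPF_TYPE_HELLO, length,
                      _ip(router_id), _ip(area_id), 0, AUTYPE_CRYPTOGRAPHIC)  # checksum = 0
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)  # reserved, Key ID, Auth Data Len, Seq
    pkt = hdr + auth + body
    digest = hashlib.md5(pkt + _pad_key(key)).digest()
    return pkt + digest


def verify_authenticated(frame, keys, last_seq=0):
    """Receiver-side check. `keys` maps key ID -> key, like the interface's message-digest-key table.

    Returns (ok, reason, key_id, seq). Sequence numbers must be non-decreasing (RFC 2328 D.4.2),
    which is the protocol's only replay protection.
    """
    if len(frame) < HDR_LEN + DIGEST_LEN:
        return False, "short packet", None, None
    ver, _ptype, length, _rid, _aid, _csum, autype = struct.unpack("!BBH4s4sHH", frame[:16])
    if ver != OSPF_VERSION or autype != AUTYPE_CRYPTOGRAPHIC:
        return False, "authentication type mismatch", None, None
    _, key_id, dlen, seq = struct.unpack("!HBBI", frame[16:24])
    if dlen != DIGEST_LEN or len(frame) < length + DIGEST_LEN:
        return False, "bad length", key_id, seq
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key id", key_id, seq
    expected = hashlib.md5(frame[:length] + _pad_key(key)).digest()
    if not hmac.compare_digest(expected, frame[length:length + DIGEST_LEN]):
        return False, "digest mismatch", key_id, seq
    if seq < last_seq:
        return False, "replayed sequence number", key_id, seq
    return True, "ok", key_id, seq


if __name__ == "__main__":
    # Constructed demo values: R1 (192.168.200.1) hello seen by R2 (192.168.200.2) in area 0.
    body = hello_body("255.255.255.0", 10, 40, dr="192.168.200.2", bdr="192.168.200.1",
                      neighbors=["192.168.200.2"])
    frame = build_authenticated("192.168.200.1", "0.0.0.0", body, key_id=1, seq=100, key="TECHACAD")
    print("R2 with matching key 1:      ", verify_authenticated(frame, {1: "TECHACAD"}))
    print("R2 with a different key:     ", verify_authenticated(frame, {1: "WRONGKEY"}))
    print("R2 with key under another ID:", verify_authenticated(frame, {2: "TECHACAD"}))
    print("R2 after seeing seq 101:     ", verify_authenticated(frame, {1: "TECHACAD"}, last_seq=101))
```

Two things worth noticing when you run it. The key itself never appears in the frame, only the digest, so a sniffer on the segment sees a hello it cannot forge without the key but can read in full: this is integrity and origin authentication, not confidentiality. And because the check is a keyed MD5 over the whole packet, flipping a single field (try changing the HelloInterval bytes at offset 28) fails the digest just like a wrong key does, which is the same reason a mismatched key ID or key on one side shows up as silently dropped hellos and a dead-timer expiry rather than an error message.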
One last thing: as mentioned earlier, it is also possible to enable authentication for the entire area, so that you don't have to type “ip ospf authentication message-digest” on every interface in that area. The keys are still configured per interface with “ip ospf message-digest-key”, and an interface-level “ip ospf authentication” command, where present, overrides the area setting. Here is the command to enable MD5 authentication for the entire area:
R1(config)#router ospf 1
R1(config-router)#area 0 authentication message-digest

R2(config)#router ospf 1
R2(config-router)#area 0 authentication message-digest
If you want to practice OSPF MD5 authentication in your own lab, the complete configurations are pasted below for reference.
#R1 Configuration
interface Loopback0
 ip address 126.96.36.199 255.255.255.255
!
interface GigabitEthernet0/0/0
 ip address 192.168.200.1 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 TECHACAD
!
router ospf 1
 router-id 188.8.131.52
 log-adjacency-changes
 network 192.168.200.0 0.0.0.255 area 0
 network 184.108.40.206 0.0.0.0 area 0
#R2 Configuration
hostname R2
interface Loopback0
 ip address 220.127.116.11 255.255.255.255
!
interface GigabitEthernet0/0/0
 ip address 192.168.200.2 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 TECHACAD
!
router ospf 1
 router-id 18.104.22.168
 log-adjacency-changes
 network 192.168.200.0 0.0.0.255 area 0
 network 22.214.171.124 0.0.0.0 area 0
In this article we configured OSPF MD5 authentication between two directly connected routers and verified both the neighborship and the interface state to confirm our work. Keep in mind what this buys you: a neighbor that does not hold the shared key cannot inject or alter OSPF packets on the segment, but the packets themselves are not encrypted, and the same key protects every router on the link. On IOS releases that support it, the same configuration can be done with a key chain (“ip ospf authentication key-chain”) and an HMAC-SHA algorithm per RFC 5709, which is the option to prefer on new deployments.