All routing protocols can be protected by using authentication and OSPF is no exception. There are two options for authentication:
- Plain text authentication
- MD5 authentication
Each OSPF packet will be authenticated if you enable any form of authentication. In this lesson we’ll take a look at how to configure plain text authentication for OSPF. Here’s the topology that we’ll use:
Above you see the topology I’m going to use for authentication. Just two routers but we can use it to check all different methods of authentication.
R1(config)#router ospf 1
R1(config-router)#network 192.168.12.0 0.0.0.255 area 0R2(config)#router ospf 1
R2(config-router)#network 192.168.12.0 0.0.0.255 area 0First I’ll enable OSPF, nothing fancy here.
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip ospf authentication
R1(config-if)#ip ospf authentication-key MYPASSR2(config)#interface fastEthernet 0/0
R2(config-if)#ip ospf authentication
R2(config-if)#ip ospf authentication-key MYPASSBy using the ip ospf authentication command we enable plain text authentication on the interface level. I configured the password MYPASS by using the ip ospf authentication-key command.
R1(config)#router ospf 1
R1(config-router)#area 0 authenticationIf you have a lot of interfaces you probably don’t want to enable OSPF authentication for each interface. You can also enable area-wide authentication by using the area authentication command. In my example above I enabled authentication for area 0.
R1#show ip ospf interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
Internet Address 192.168.12.1/24, Area 0
Process ID 1, Router ID 192.168.12.1, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 192.168.12.2, Interface address 192.168.12.2
Backup Designated router (ID) 192.168.12.1, Interface address 192.168.12.1
Flush timer for old DR LSA due in 00:01:49
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:01
Supports Link-local Signaling (LLS)
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 192.168.12.2 (Designated Router)
Suppress hello for 0 neighbor(s)
Simple password authentication enabledIf you use the show ip ospf interface command you can see OSPF information per interface. You can also check if authentication is enabled. You can see the neighbor count is 1 and simple password authentication is enabled.
Can we use either one for plain text authentication under interfaces or ospf process, Lets say we dont configure authentication under interfaces and configure authentication under area only then what should be the authentication credentials.
Hi Sudej,
If you enable authentication for the entire area then you still have to configure the password on the interface.
Rene
HI Rene,
This seems like bad design by Cisco or ignorance on my part. Why enable authentication at the area to save work but still have to go into each interface to add the key?
I can only think they know something I don’t or they would have made it where you can do both at the global level… anyway thanks for clarifying!
Hello Brian
The reason the key must be configured on the interface is because each link between two OSPF routers can have a different key. The keys are not global but are specific to the interfaces being connected.
I hope this has been helpful!
Laz
There is very short theory concept about this topic, but practically very explained, you configured many few things on the router, i want to know this is completely configuration of ospf plain text authantiction in CCNP Ospf ?