Basic OSPF Configuration

OSPF (Open Shortest Path First) is configured using the router ospf command followed by network statements that specify which interfaces participate in OSPF and to which area they belong. In this lesson, I’ll explain how to configure single-area OSPF with examples of setting the router ID, cost calculations, authentication, and default route advertisements.

Key Takeaways

  • OSPF uses wildcard masks (inverse subnet masks) in network statements, not regular subnet masks.
  • The router ID is selected from the highest loopback IP address, or the highest active interface IP address if no loopback exists.
  • OSPF uses cost as a metric based on interface bandwidth.
  • Authentication can be configured as plaintext or MD5, either per interface or per area.
  • The show ip ospf neighbor command verifies neighbor adjacencies.
  • Loopback interfaces provide stable router IDs and can be advertised like physical interfaces.
  • Default routes are advertised with the default-information originate always command.

Prerequisites

To follow this OSPF configuration lesson, you should have an understanding of basic OSPF. You can read the Introduction to OSPF lesson for this.

Configuration

Let’s start with the configuration. This is the topology we’ll use:

[Figure: R1, R2 and R3 in a triangle OSPF topology]

We have three routers, connected in a triangle. All routers are in OSPF Area 0.

Configurations

Want to take a look for yourself? Here you will find the startup configuration of each device.

R1

hostname R1
!
interface Ethernet0/1
 ip address 192.168.12.1 255.255.255.0
 no shutdown
!
interface Ethernet0/2
 ip address 192.168.13.1 255.255.255.0
 no shutdown
!
end

R2

hostname R2
!
interface Ethernet0/1
 ip address 192.168.12.2 255.255.255.0
 no shutdown
!
interface Ethernet0/2
 ip address 192.168.23.2 255.255.255.0
 no shutdown
!
end

R3

hostname R3
!
interface Ethernet0/1
 ip address 192.168.13.3 255.255.255.0
 no shutdown
!
interface Ethernet0/2
 ip address 192.168.23.3 255.255.255.0
 no shutdown
!
end

We’ll start by enabling the router OSPF process on all routers. I’ll also manually set a router ID on each:

R1(config)#router ospf 1
R1(config-router)#router-id 1.1.1.1
R2(config)#router ospf 1
R2(config-router)#router-id 2.2.2.2
R3(config)#router ospf 1
R3(config-router)#router-id 3.3.3.3

We use the router ospf command to start the process and the router-id command to set a unique router ID for each router.

If you don’t specify a router ID, OSPF will pick the highest IP address of your loopback interfaces. If you don’t have loopback interfaces, it will pick the highest IP address on any of your physical interfaces. Once a router ID has been selected, it won’t change until you reset the OSPF process.

The number “1” is a process ID, and you can choose any number you like. It doesn’t matter which one you pick, and if you want, you can use a different number on each router.

Now let’s establish neighbor adjacencies. We’ll start with R1 and R2:

R1(config)#router ospf 1
R1(config-router)#network 192.168.12.0 0.0.0.255 area 0
R2(config)#router ospf 1
R2(config-router)#network 192.168.12.0 0.0.0.255 area 0

The second step is to use the network command. Let me break it down for you:

network 192.168.12.0 0.0.0.255

The network command does two things:

  • Advertise the networks that fall within this range in OSPF.
  • Activate OSPF on the interface(s) that fall within this range. This means that OSPF will send hello packets on the interface.

Behind 192.168.12.0, you can see it says 0.0.0.255. This is not a subnet mask but a wildcard mask. A wildcard mask is a reverse subnet mask. Let me give you an example:

Subnet mask      255        255        255        0
                 11111111   11111111   11111111   00000000

Wildcard mask    0          0          0          255
                 00000000   00000000   00000000   11111111

When I say reverse subnet mask I mean that the binary 1s and 0s of the wildcard mask are flipped compared to the subnet mask. A subnet mask of 255.255.255.0 is the same as wildcard mask 0.0.0.255. Don’t worry about this too much for now as I’ll explain wildcard masks to you when we talk about access-lists!

OSPF uses areas so you need to specify the area:

area 0

In our example we have configured single area OSPF. All routers belong to area 0.

After typing in my network command you’ll see this message in the console:

R1# %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Ethernet0/1 from LOADING to FULL, Loading Done
R2# %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on Ethernet0/1 from LOADING to FULL, Loading Done

Great! It seems that R1 and R2 have become neighbors. There’s another command we can use to verify that we have become neighbors:

R1#show ip ospf neighbor 

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/DR         00:00:34    192.168.12.2    Ethernet0/1
R2#show ip ospf neighbor 

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/BDR        00:00:37    192.168.12.1    Ethernet0/1

show ip ospf neighbor is a great command to see if your router has OSPF neighbors. When the state is full you know that the routers have successfully become neighbors.

Each OSPF router has a router ID and we check it with the show ip protocols command:

R1#show ip protocols 
*** IP Routing is NSF aware ***

Routing Protocol is "application"
  Sending updates every 0 seconds
  Invalid after 0 seconds, hold down 0, flushed after 0
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Maximum path: 32
  Routing for Networks:
  Routing Information Sources:
    Gateway         Distance      Last Update
  Distance: (default is 4)

Routing Protocol is "ospf 1"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Router ID 1.1.1.1
  Number of areas in this router is 1. 1 normal 0 stub 0 nssa
  Maximum path: 4
  Routing for Networks:
    192.168.12.0 0.0.0.255 area 0
  Routing Information Sources:
    Gateway         Distance      Last Update
  Distance: (default is 110)

This gives a lot of information. You can see the router ID of R1 is 1.1.1.1.

If we only care about the router ID, we can filter like this:

R2#show ip protocols | include ID
  Router ID 2.2.2.2

Right now we have an OSPF neighbor adjacency between R1 and R2. Let’s configure our routers so that R1 and R3, and R2 and R3 also become OSPF neighbors:

R1(config)#router ospf 1
R1(config-router)#network 192.168.13.0 0.0.0.255 area 0
R2(config)#router ospf 1
R2(config-router)#network 192.168.23.0 0.0.0.255 area 0
R3(config)#router ospf 1
R3(config-router)#network 192.168.13.0 0.0.0.255 area 0
R3(config-router)#network 192.168.23.0 0.0.0.255 area 0

I’ll advertise all networks in OSPF. Before we check the routing table it’s a good idea to see if our routers have become OSPF neighbors:

R1#show ip ospf neighbor 

Neighbor ID     Pri   State           Dead Time   Address         Interface
3.3.3.3           1   FULL/DR         00:00:38    192.168.13.3    Ethernet0/2
2.2.2.2           1   FULL/BDR        00:00:39    192.168.12.2    Ethernet0/1
R2#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
3.3.3.3           1   FULL/DR         00:00:31    192.168.23.3    Ethernet0/2
1.1.1.1           1   FULL/DR         00:00:35    192.168.12.1    Ethernet0/1
R3#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/BDR        00:00:31    192.168.23.2    Ethernet0/2
1.1.1.1           1   FULL/BDR        00:00:37    192.168.13.1    Ethernet0/1

Excellent, our routers have become OSPF neighbors, and the state is full, which means they are done exchanging information. Let’s check the routing tables:

R1#show ip route ospf 

O     192.168.23.0/24 [110/20] via 192.168.13.3, 00:00:53, Ethernet0/2
                      [110/20] via 192.168.12.2, 00:00:53, Ethernet0/1

Here’s what you see:

  • The “O” stands for OSPF. This entry was learned through OSPF.
  • 192.168.23.0/24 is the network that we learned. This is the link between R2 and R3.
  • The “110” is the administrative distance of OSPF.
  • The “20” is the metric. OSPF uses cost as a metric. To reach this network we have a total cost of 20.
  • “via” is the next hop IP address where we send our traffic to.

Since the total metric (cost) is the same through R2 and R3, R1 installs two routes to get to 192.168.23.0/24.

How did we come up with a total metric of 20? Let’s take a look at the interface:

R1#show ip ospf interface Ethernet0/1
Ethernet0/1 is up, line protocol is up 
  Internet Address 192.168.12.1/24, Interface ID 3, Area 0
  Attached via Network Statement
  Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 10
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           10        no          no            Base
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 1.1.1.1, Interface address 192.168.12.1
  Backup Designated router (ID) 2.2.2.2, Interface address 192.168.12.2
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:06
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Can be protected by per-prefix Loop-Free FastReroute
  Can be used for per-prefix Loop-Free FastReroute repair paths
  Not Protected by per-prefix TI-LFA
  Index 1/1/1, flood queue length 0
  Next 0x0(0)/0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 3
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1 
    Adjacent with neighbor 2.2.2.2  (Backup Designated Router)
  Suppress hello for 0 neighbor(s)

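You can use the show ip ospf interface command to check the cost of a certain interface. As you can see, this interface has a cost of 10. OSPF adds up the cost of each outgoing interface along the path: 10 for R1’s own interface plus 10 for the next router’s interface on 192.168.23.0/24 gives a total of 20.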

Here are R2 and R3:

R2#show ip route ospf

O     192.168.13.0/24 [110/20] via 192.168.23.3, 00:01:03, Ethernet0/2
                      [110/20] via 192.168.12.1, 00:01:03, Ethernet0/1
R3#show ip route ospf

O     192.168.12.0/24 [110/20] via 192.168.23.2, 00:01:12, Ethernet0/2
                      [110/20] via 192.168.13.1, 00:01:12, Ethernet0/1

All Ethernet interfaces in this topology have a cost of 10. Let’s see what happens when we shut an interface. For example, the link between R1 and R2:

R1(config)#interface Ethernet0/1
R1(config-if)#shutdown

The first thing you’ll see is that R1 and R2 lose their neighbor adjacency:

R1#
%OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Ethernet0/1 from FULL to DOWN, Neighbor Down: Interface down or detached

R1 shows this immediately because it knows the interface is down. R2 takes a bit longer because it only declares R1 down when the dead timer has expired:

R2#
*%OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on Ethernet0/1 from FULL to DOWN, Neighbor Down: Dead timer expired

Now let’s check the paths:

R1#show ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
       n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       H - NHRP, G - NHRP registered, g - NHRP registration summary
       o - ODR, P - periodic downloaded static route, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
       & - replicated local route overrides by connected

Gateway of last resort is not set

O     192.168.12.0/24 [110/30] via 192.168.13.3, 00:01:01, Ethernet0/2
O     192.168.23.0/24 [110/20] via 192.168.13.3, 00:07:12, Ethernet0/2

In the output above, you can see R1 now uses R3 to get to the other two networks. Here’s R2:

R2#show ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
       n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       H - NHRP, G - NHRP registered, g - NHRP registration summary
       o - ODR, P - periodic downloaded static route, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
       & - replicated local route overrides by connected

Gateway of last resort is not set

O     192.168.13.0/24 [110/20] via 192.168.23.3, 00:07:35, Ethernet0/2

And R3:

R3#show ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
       n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       H - NHRP, G - NHRP registered, g - NHRP registration summary
       o - ODR, P - periodic downloaded static route, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
       & - replicated local route overrides by connected

Gateway of last resort is not set

O     192.168.12.0/24 [110/20] via 192.168.23.2, 00:01:48, Ethernet0/2

When an interface goes down, OSPF will calculate the new shortest path.

Let’s recover that link:

R1(config)#interface Ethernet0/1
R1(config-if)#no shutdown

What if I wanted to force OSPF to use one of the two Ethernet interfaces without shutting the interface? It’s possible to manually change the cost. Let me show you how:

R2(config)#interface Ethernet0/1
R2(config-if)#ip ospf cost 100

We can verify this:

R2#show ip ospf interface Ethernet0/1 | include Cost
  Process ID 1, Router ID 2.2.2.2, Network Type BROADCAST, Cost: 100

Use the ip ospf cost command to change the cost. When I set it to 100, this link isn’t as attractive anymore. Let’s check:

R2#show ip route ospf
*Feb  6 14:47:33.427: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.65.20.1)
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
       n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       H - NHRP, G - NHRP registered, g - NHRP registration summary
       o - ODR, P - periodic downloaded static route, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
       & - replicated local route overrides by connected

Gateway of last resort is not set

O     192.168.13.0/24 [110/20] via 192.168.23.3, 00:10:29, Ethernet0/2

R2 now prefers the link through R3 to reach network 192.168.13.0/24.

We can also reduce the cost to make a link more attractive. For example:

R1#show ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
       n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       H - NHRP, G - NHRP registered, g - NHRP registration summary
       o - ODR, P - periodic downloaded static route, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
       & - replicated local route overrides by connected

Gateway of last resort is not set

O     192.168.23.0/24 [110/20] via 192.168.13.3, 00:12:23, Ethernet0/2
                      [110/20] via 192.168.12.2, 00:00:13, Ethernet0/1

R1 uses both links to get to 192.168.23.0/24. Let’s change the cost:

R1(config)#interface Ethernet0/2
R1(config-if)#ip ospf cost 1

Verify:

R1#show ip ospf interface Ethernet0/2 | include Cost
  Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 1

We now use the shortest path:

R1#show ip route ospf                               
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
       n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       H - NHRP, G - NHRP registered, g - NHRP registration summary
       o - ODR, P - periodic downloaded static route, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
       & - replicated local route overrides by connected

Gateway of last resort is not set

O     192.168.23.0/24 [110/11] via 192.168.13.3, 00:00:22, Ethernet0/2

With a total metric of 11 (1 + 10).

How about we advertise something else? We can create a loopback interface, and advertise it in OSPF. Let me show you:

R1(config)#interface Loopback 0
R1(config-if)#ip address 1.1.1.1 255.255.255.0

This is how you create a new loopback. Let’s advertise it:

R1(config)#router ospf 1
R1(config-router)#network 1.1.1.1 0.0.0.0 area 0

R2 and R3 learned how to reach it:

R2#show ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
       n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       H - NHRP, G - NHRP registered, g - NHRP registration summary
       o - ODR, P - periodic downloaded static route, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
       & - replicated local route overrides by connected

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
O        1.1.1.1 [110/21] via 192.168.23.3, 00:00:52, Ethernet0/2
O     192.168.13.0/24 [110/20] via 192.168.23.3, 00:16:50, Ethernet0/2

The total metric for R2 is 21. It has to go through R3 (metric of 10), then the link between R1-R3 (metric 10), and then reaches the loopback interface (metric 1).

Here’s R3:

R3#show ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
       n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       H - NHRP, G - NHRP registered, g - NHRP registration summary
       o - ODR, P - periodic downloaded static route, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
       & - replicated local route overrides by connected

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
O        1.1.1.1 [110/11] via 192.168.13.1, 00:01:07, Ethernet0/1
O     192.168.12.0/24 [110/20] via 192.168.13.1, 00:04:55, Ethernet0/1

R3 has a total metric of 11. It can use the direct link from R1 to R3 (metric 10) and then reaches the loopback (metric 1).
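The metrics in the routing tables above can be reproduced by summing outgoing interface costs along each path. This added example (not code from the lesson) models the triangle as routers and networks, runs a shortest-path calculation from one router, and keeps equal-cost paths; the function names and the dictionary layout are assumptions of this example.

```python
import heapq
from collections import defaultdict

def ospf_routes(interfaces, source):
    """interfaces: {router: {ifname: (network, cost)}}, up interfaces only.
    Returns {network: (metric, [(out_interface, next_hop_router), ...])} for
    every network that `source` is not directly connected to."""
    attached = defaultdict(set)            # network -> routers attached to it
    for router, ifs in interfaces.items():
        for net, _cost in ifs.values():
            attached[net].add(router)

    start = ("router", source)
    dist, hops, done = {start: 0}, {start: set()}, set()
    heap = [(0, start)]                    # ties pop "net" before "router" nodes
    while heap:
        d, node = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        kind, name = node
        if kind == "router":
            # Leaving a router costs the OSPF cost of the outgoing interface.
            edges = [(("net", n), c, i) for i, (n, c) in interfaces[name].items()]
        else:
            # Going from a network to an attached router costs nothing.
            edges = [(("router", r), 0, None) for r in attached[name]]
        for nxt, cost, ifname in edges:
            if nxt in done:
                continue
            if node == start:
                via = {(ifname, None)}     # next hop is filled in one step later
            else:
                via = {(i, nxt[1] if r is None else r) for i, r in hops[node]}
            nd = d + cost
            if nd < dist.get(nxt, float("inf")):
                dist[nxt], hops[nxt] = nd, set(via)
                heapq.heappush(heap, (nd, nxt))
            elif nd == dist[nxt]:
                hops[nxt] |= via           # equal cost: keep both paths
    connected = {net for net, _cost in interfaces[source].values()}
    return {net: (dist[("net", net)], sorted(hops[("net", net)]))
            for net in attached if net not in connected and ("net", net) in dist}

def lab(costs=None, down=(), loopback=False):
    """The lesson's triangle. `costs` overrides the default cost of 10 per
    (router, interface); `down` lists interfaces that are shut."""
    links = {
        "R1": {"Ethernet0/1": "192.168.12.0/24", "Ethernet0/2": "192.168.13.0/24"},
        "R2": {"Ethernet0/1": "192.168.12.0/24", "Ethernet0/2": "192.168.23.0/24"},
        "R3": {"Ethernet0/1": "192.168.13.0/24", "Ethernet0/2": "192.168.23.0/24"},
    }
    costs = costs or {}
    topo = {r: {i: (n, costs.get((r, i), 10)) for i, n in ifs.items()
                if (r, i) not in down} for r, ifs in links.items()}
    if loopback:
        topo["R1"]["Loopback0"] = ("1.1.1.1/32", 1)   # advertised as a /32, cost 1
    return topo

# The two "ip ospf cost" changes made in the lesson.
TUNED = {("R2", "Ethernet0/1"): 100, ("R1", "Ethernet0/2"): 1}

if __name__ == "__main__":
    for router in ("R1", "R2", "R3"):
        print(router, ospf_routes(lab(costs=TUNED, loopback=True), router))
```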

The great thing about loopback interfaces is that they are reachable just like normal interfaces:

R2#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

You can ping them just like any other interface.

Loopback interfaces have many more uses in production networks but for labs, it’s great to use them to quickly advertise networks into your routing protocols.

We can also advertise a default route into OSPF. This might be useful if your router is connected to the Internet and you want to advertise this to other routers. This is how you do it:

R2(config)#router ospf 1
R2(config-router)#default-information originate always

You need to use the default-information originate command. If you don’t already have a default route in your routing table then you need to add the always keyword.

Let’s see if the default route has been advertised:

R1#show ip route ospf | include 0.0.0.0
Gateway of last resort is 192.168.12.2 to network 0.0.0.0
O*E2  0.0.0.0/0 [110/1] via 192.168.12.2, 00:00:15, Ethernet0/1
R3#show ip route ospf | include 0.0.0.0
Gateway of last resort is 192.168.23.2 to network 0.0.0.0
O*E2  0.0.0.0/0 [110/1] via 192.168.23.2, 00:00:34, Ethernet0/2

As you can see R1 and R3 have learned the default route from R2.

Let’s continue our OSPF configuration. I want to show you how to do plaintext and MD5 authentication. I’ll start by configuring plaintext authentication between R2 and R3:

R2(config)#interface Ethernet0/2
R2(config-if)#ip ospf authentication
R2(config-if)#ip ospf authentication-key MY_PASS
R3(config)#interface Ethernet0/2
R3(config-if)#ip ospf authentication
R3(config-if)#ip ospf authentication-key MY_PASS

First you need to use the ip ospf authentication command to enable plaintext authentication on the interface. Secondly we need to configure a password using the ip ospf authentication-key command.

Once you configure authentication on one router you’ll see the neighbor adjacency going down for a moment until you configure the other router.

There is a useful debug command you can use to verify if authentication has been enabled or not:

R2#debug ip ospf packet 
OSPF packet debugging is on

Here’s what you see:

R2#
OSPF-1 PAK  : Et0/2:  IN: 192.168.23.3->224.0.0.5: ver:2 type:1 len:48 rid:3.3.3.3 area:0.0.0.0 chksum:3339 auth:1
OSPF-1 PAK  : Et0/1: OUT: 192.168.12.2->224.0.0.5: ver:2 type:1 len:48 rid:2.2.2.2 area:0.0.0.0 chksum:4D40 auth:0
OSPF-1 PAK  : Et0/1:  IN: 192.168.12.1->224.0.0.5: ver:2 type:1 len:48 rid:1.1.1.1 area:0.0.0.0 chksum:4D40 auth:0
OSPF-1 PAK  : Et0/2: OUT: 192.168.23.2->224.0.0.5: ver:2 type:1 len:48 rid:2.2.2.2 area:0.0.0.0 chksum:3339 auth:1
OSPF-1 PAK  : Et0/2:  IN: 192.168.23.3->224.0.0.5: ver:2 type:1 len:48 rid:3.3.3.3 area:0.0.0.0 chksum:3339 auth:1
OSPF-1 PAK  : Et0/2: OUT: 192.168.23.2->224.0.0.5: ver:2 type:1 len:48 rid:2.2.2.2 area:0.0.0.0 chksum:3339 auth:1
OSPF-1 PAK  : Et0/1: OUT: 192.168.12.2->224.0.0.5: ver:2 type:1 len:48 rid:2.2.2.2 area:0.0.0.0 chksum:4D40 auth:0

The packets on the Ethernet0/1 interface are to and from R1. The auth:0 means that this packet is not authenticated. This is correct because we didn’t configure authentication between R1 and R2.

The packets between R2 and R3 show auth:1. This means we have enabled plaintext authentication. Let’s disable debug before we continue:

R2#no debug all
All possible debugging has been turned off
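One way to turn the debug output above into a per-interface check, as an added example that is not part of the original lesson: it parses debug ip ospf packet lines and flags interfaces that run OSPF unauthenticated, with a plaintext key, or with a different authentication type than the neighbor. The function name, the finding strings and the Et0/3 and Et1/0 sample lines are constructed for this example; auth:2 is message-digest authentication.

```python
import re
from collections import defaultdict

LINE = re.compile(
    r"OSPF-\d+ PAK\s*: (?P<intf>[^:\s]+):\s+(?P<dir>IN|OUT): "
    r"(?P<src>[\d.]+)->(?P<dst>[\d.]+): .*?\brid:(?P<rid>[\d.]+).*?\bauth:(?P<auth>\d+)"
)

# The first four lines are taken from the R2 debug output above. The Et0/3 and
# Et1/0 lines are constructed for this example and do not exist in the lab.
SAMPLE = """\
OSPF-1 PAK  : Et0/2:  IN: 192.168.23.3->224.0.0.5: ver:2 type:1 len:48 rid:3.3.3.3 area:0.0.0.0 chksum:3339 auth:1
OSPF-1 PAK  : Et0/1: OUT: 192.168.12.2->224.0.0.5: ver:2 type:1 len:48 rid:2.2.2.2 area:0.0.0.0 chksum:4D40 auth:0
OSPF-1 PAK  : Et0/1:  IN: 192.168.12.1->224.0.0.5: ver:2 type:1 len:48 rid:1.1.1.1 area:0.0.0.0 chksum:4D40 auth:0
OSPF-1 PAK  : Et0/2: OUT: 192.168.23.2->224.0.0.5: ver:2 type:1 len:48 rid:2.2.2.2 area:0.0.0.0 chksum:3339 auth:1
*Feb  6 15:10:00.000: OSPF-1 PAK  : Et0/3: OUT: 10.0.34.2->224.0.0.5: ver:2 type:1 len:44 rid:2.2.2.2 area:0.0.0.0 chksum:0 auth:2 keyid:1 seq:0x1
*Feb  6 15:10:01.000: OSPF-1 PAK  : Et0/3:  IN: 10.0.34.4->224.0.0.5: ver:2 type:1 len:44 rid:4.4.4.4 area:0.0.0.0 chksum:E1A2 auth:0
*Feb  6 15:10:02.000: OSPF-1 PAK  : Et1/0: OUT: 10.0.25.2->224.0.0.5: ver:2 type:1 len:48 rid:2.2.2.2 area:0.0.0.0 chksum:0 auth:2 keyid:1 seq:0x2
*Feb  6 15:10:03.000: OSPF-1 PAK  : Et1/0:  IN: 10.0.25.5->224.0.0.5: ver:2 type:1 len:48 rid:5.5.5.5 area:0.0.0.0 chksum:0 auth:2 keyid:1 seq:0x9
"""

def audit(lines):
    """Group OSPF packet debug lines by interface and list authentication findings."""
    seen = defaultdict(lambda: {"IN": set(), "OUT": set(), "neighbors": set()})
    for line in lines:
        m = LINE.search(line)              # search() tolerates a timestamp prefix
        if not m:
            continue
        entry = seen[m["intf"]]
        entry[m["dir"]].add(int(m["auth"]))
        if m["dir"] == "IN":
            entry["neighbors"].add(m["rid"])   # router ID of the sending neighbor

    report = {}
    for intf, e in sorted(seen.items()):
        types = e["IN"] | e["OUT"]
        findings = []
        if 0 in types:
            findings.append("no authentication")
        if 1 in types:
            findings.append("plaintext key in every packet")
        if e["IN"] and e["OUT"] and e["IN"] != e["OUT"]:
            # Both sides must use the same type or the adjacency will not form.
            findings.append("local and neighbor authentication types differ")
        report[intf] = {
            "sent": sorted(e["OUT"]),
            "received": sorted(e["IN"]),
            "neighbors": sorted(e["neighbors"]),
            "findings": findings,
        }
    return report

if __name__ == "__main__":
    for intf, result in audit(SAMPLE.splitlines()).items():
        print(intf, result["neighbors"], result["findings"] or "ok")
```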

Let’s configure MD5 authentication between R1 and R2:

R2(config)#interface Ethernet 0/1
R2(config-if)#ip ospf authentication message-digest 
R2(config-if)#ip ospf message-digest-key 1 md5 MY_KEY
R1(config)#interface Ethernet 0/1
R1(config-if)#ip ospf authentication message-digest 
R1(config-if)#ip ospf message-digest-key 1 md5 MY_KEY

First, we tell OSPF to use MD5 with the ip ospf authentication message-digest command. Secondly the ip ospf message-digest-key tells OSPF to use MD5 key 1 (you can pick any number you like as long as it’s the same on both routers) and password “MY_KEY”.

If you enable the debug, you can see that it’s working:

R1#debug ip ospf packet 
OSPF packet debugging is on

You’ll see messages like these:

R1#
*Feb  6 15:04:31.608: OSPF-1 PAK  : Et0/1:  IN: 192.168.12.2->224.0.0.5: ver:2 type:1 len:48 rid:2.2.2.2 area:0.0.0.0 chksum:0 auth:2 keyid:1 seq:0x6986
*Feb  6 15:04:32.597: OSPF-1 PAK  : Et0/1: OUT: 192.168.12.1->224.0.0.5: ver:2 type:1 len:48 rid:1.1.1.1 area:0.0.0.0 chksum:0 auth:2 keyid:1 seq:0x6986

In the output above you can see it says auth:2 which means MD5 authentication. You can also see the key-id.
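The debug lines show chksum:0 together with auth:2 because message-digest authentication (RFC 2328, Appendix D) leaves the header checksum at zero and appends an MD5 digest computed over the packet plus the key. This added example (not code from the lesson or from Cisco) builds a constructed Hello with the lesson's values and runs the receiver-side checks; the helper names, the option bits and the NUL-padding of the key to 16 bytes are assumptions of this example.

```python
import hashlib
import hmac
import socket
import struct

def md5_digest(packet, key):
    """MD5 over the OSPF packet followed by the key, NUL-padded to 16 bytes."""
    return hashlib.md5(packet + key[:16].ljust(16, b"\0")).digest()

def build_hello(rid, area, key_id, key, seq, mask, dr, bdr, neighbors,
                hello=10, dead=40, options=0x02, priority=1):
    """Return an OSPFv2 Hello with AuType 2 and the digest appended."""
    ip = socket.inet_aton
    body = ip(mask) + struct.pack("!HBBI", hello, options, priority, dead)
    body += ip(dr) + ip(bdr) + b"".join(ip(n) for n in neighbors)
    header = struct.pack("!BBH", 2, 1, 24 + len(body)) + ip(rid) + ip(area)
    header += struct.pack("!HH", 0, 2)                  # checksum 0, AuType 2
    header += struct.pack("!HBBI", 0, key_id, 16, seq)  # key ID, digest length, sequence
    packet = header + body
    return packet + md5_digest(packet, key)   # digest is not counted in the length field

def verify(wire, keys, last_seq=0):
    """Receiver-side checks. `keys` maps key ID -> key bytes, `last_seq` is the
    last sequence number accepted from this neighbor. Returns a reason string."""
    if len(wire) < 24:
        return "truncated"
    _version, _ptype, length = struct.unpack("!BBH", wire[:4])
    _checksum, autype = struct.unpack("!HH", wire[12:16])
    if autype != 2:
        return "not message-digest authentication"
    _zero, key_id, auth_len, seq = struct.unpack("!HBBI", wire[16:24])
    if key_id not in keys:
        return "unknown key id"
    if length < 24 or auth_len != 16 or len(wire) != length + auth_len:
        return "bad length"
    if seq < last_seq:
        return "replayed sequence number"
    expected = md5_digest(wire[:length], keys[key_id])
    if not hmac.compare_digest(expected, wire[length:]):   # constant-time compare
        return "digest mismatch"
    return "ok"

# Constructed packet: R1's Hello on the R1-R2 link with key ID 1 and key MY_KEY.
HELLO = build_hello("1.1.1.1", "0.0.0.0", 1, b"MY_KEY", 0x6986, "255.255.255.0",
                    "192.168.12.1", "192.168.12.2", ["2.2.2.2"])

if __name__ == "__main__":
    print("len field:", int.from_bytes(HELLO[2:4], "big"), "bytes on wire:", len(HELLO))
    print("matching key:", verify(HELLO, {1: b"MY_KEY"}))
    print("wrong key:   ", verify(HELLO, {1: b"OTHER"}))
```

Unlike the plaintext mode, the key itself never appears in the packet, but the packet contents remain readable: the digest only shows that the sender knows the key and that the packet was not altered.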

In the examples above I enabled authentication per interface. It’s also possible to do this for the entire area…this might save you some time if you have a router with many interfaces. You can do it like this:

Content created by Rene Molenaar (CCIE #41726)

Forum Replies

  1. Thank you very much, Rene, for your work. I appreciate it very much.

  2. Very good lesson! Thanks for all your work!

  3. Very good lesson! Thanks for all your work!

  4. Hi Rene,
    When connecting 3 routers (a router triangle) to configure OSPF, will it make a difference if I created point-to-point serial connections as opposed to using the Ethernet ports?
    Thanks
    Mo

  5. Hi Mo,

    There will be two differences:

    • The cost will be higher (that’s no problem) because the link is slower.
    • OSPF treats point-to-point links differently than multi-access links (Ethernet). One of the things is that it doesn’t elect a DR/BDR on point-to-point links.

    Rene
