OSPF Virtual Link Authentication

In the OSPF virtual link lesson, I explained how to configure a virtual link, but I didn’t show how to enable virtual link authentication. That’s what we are going to cover in this lesson.

There are two authentication methods:

• Plain text
• MD5

I’ll show you both options.

Configuration

Here is the topology we will use:

We have two routers running OSPF. Area 0 is discontinuous, so we need a virtual link through area 1 to fix this.

hostname R1
!
ip cef
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet0/1
 ip address 192.168.12.1 255.255.255.0
!
router ospf 1
 area 1 virtual-link 2.2.2.2
 network 1.1.1.1 0.0.0.0 area 0
 network 192.168.12.0 0.0.0.255 area 1
!
end

hostname R2
!
ip cef
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface GigabitEthernet0/1
 ip address 192.168.12.2 255.255.255.0
!
router ospf 1
 area 1 virtual-link 1.1.1.1
 network 2.2.2.2 0.0.0.0 area 0
 network 192.168.12.0 0.0.0.255 area 1
!
end

Let’s see if we can authenticate this virtual link.

Plain Text Authentication

There are two things we need to do to enable authentication:

• Enable authentication for area 0: the virtual link belongs to area 0, so you need authentication for the backbone area, not the area that the virtual link goes through.
• Set the authentication password for the virtual link.

Only two commands are required to achieve this:

R1(config)#router ospf 1
R1(config-router)#area 0 authentication
R1(config-router)#area 1 virtual-link 2.2.2.2 authentication-key NWL

R2(config)#router ospf 1
R2(config-router)#area 0 authentication 
R2(config-router)#area 1 virtual-link 1.1.1.1 authentication-key NWL

Let’s see if it works. Let’s reset the OSPF process:

R1#clear ip ospf process 
Reset ALL OSPF processes? [no]: yes

After a few seconds, our virtual link is back:

R1#
%OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on OSPF_VL0 from LOADING to FULL, Loading Done

Let’s verify that authentication is enabled:

R1#show ip ospf virtual-links 
Virtual Link OSPF_VL0 to router 2.2.2.2 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 1, via interface GigabitEthernet0/1
 Topology-MTID    Cost    Disabled     Shutdown      Topology Name
        0           1         no          no            Base
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:01
    Adjacency State FULL (Hello suppressed)
    Index 1/1/2, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0)/0x0(0) Next 0x0(0)/0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec
  Simple password authentication enabled

There we go, above you can see that simple password authentication is enabled.

hostname R1
!
ip cef
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet0/1
 ip address 192.168.12.1 255.255.255.0
!
router ospf 1
 area 0 authentication
 area 1 virtual-link 2.2.2.2 authentication-key NWL
 network 1.1.1.1 0.0.0.0 area 0
 network 192.168.12.0 0.0.0.255 area 1
!
end

hostname R2
!
ip cef
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface GigabitEthernet0/1
 ip address 192.168.12.2 255.255.255.0
!
router ospf 1
 area 0 authentication
 area 1 virtual-link 1.1.1.1 authentication-key NWL
 network 2.2.2.2 0.0.0.0 area 0
 network 192.168.12.0 0.0.0.255 area 1
!
end

MD5 Authentication

Let’s try MD5 authentication. The configuration is similar:

R1(config)#router ospf 1
R1(config-router)#area 0 authentication message-digest 
R1(config-router)#area 1 virtual-link 2.2.2.2 message-digest-key 1 md5 NWL

R2(config)#router ospf 1
R2(config-router)#area 0 authentication message-digest 
R2(config-router)#area 1 virtual-link 1.1.1.1 message-digest-key 1 md5 NWL

First, we need to configure area 0 to use MD5 authentication and then set the MD5 key for the virtual link.

Let’s see if it works: