19-4 ip ospf authentication null


Syntax Description:

  • key-id: Key used to identify the password. The range of values is 1 to 255. Both ends of a link must use the same key and password.

  • password: Password to be used for authentication in the selected area on the selected interface. The password is an alphanumeric string from 1 to 8 characters.

Purpose: In IOS versions before 12.0, if authentication was enabled for an OSPF area, then all interfaces in the area had to be configured with the same authentication type. This command allows the configuration of authentication on an interface that is different from the authentication type being used in the area.

Initial Cisco IOS Software Release: 12.0

Configuration Example 1: Simple Password Authentication on an OSPF Network

In Figure 19-1, the serial link in Area 0 is not using authentication, but simple password authentication is employed on the Ethernet network. Start by configuring Routers A and B as shown in the following listing.

Figure 19-1. OSPF Authentication Can Be Configured on Individual Networks


Router A

interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Ethernet0/0
 ip address 172.16.1.1 255.255.255.0
!
interface Serial0/1
 ip address 10.1.1.1 255.255.255.252
 clockrate 64000
!
router ospf 1
 network 10.1.1.0 0.0.0.3 area 0
 network 172.16.1.0 0.0.0.255 area 0
 network 1.1.1.1 0.0.0.0 area 1

_________________________________________________________________

Router B

interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Ethernet0
 ip address 172.16.1.2 255.255.255.0
!
interface Serial0
 ip address 10.1.1.2 255.255.255.252
!
router ospf 1
 network 10.1.1.0 0.0.0.3 area 0
 network 172.16.1.0 0.0.0.255 area 0
 network 2.2.2.2 0.0.0.0 area 2

Verify that Routers A and B have established a FULL OSPF neighbor relationship over the serial and Ethernet networks.

rtrA# show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/BDR        00:00:32    172.16.1.2      Ethernet0/0
2.2.2.2           1   FULL/  -        00:00:35    10.1.1.2        Serial0/1

Verify that authentication is not being used in Area 0.

rtrA# show ip ospf

Routing Process "ospf 1" with ID 1.1.1.1
Supports only single TOS(TOS0) routes
It is an area border router
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
Number of external LSA 0. Checksum Sum 0x0
Number of DCbitless external LSA 0
Number of DoNotAge external LSA 0
Number of areas in this router is 2. 2 normal 0 stub 0 nssa
    Area BACKBONE(0)
        Number of interfaces in this area is 2
        Area has no authentication
        SPF algorithm executed 8 times
        Area ranges are
        Number of LSA 5. Checksum Sum 0x23C8C
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
    Area 1
        Number of interfaces in this area is 1
        Area has no authentication
        SPF algorithm executed 5 times
        Area ranges are
        Number of LSA 4. Checksum Sum 0x22672
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0

Modify the configurations on Routers A and B so that simple password authentication is used on the Ethernet network. Use the clear-text password laura.

Router A

interface Ethernet0/0
 ip address 172.16.1.1 255.255.255.0
 ip ospf authentication
 ip ospf authentication-key laura

_________________________________________________________________

Router B

interface Ethernet0
 ip address 172.16.1.2 255.255.255.0
 ip ospf authentication
 ip ospf authentication-key laura

Verification

Verify that Routers A and B have a FULL OSPF neighbor relationship over both the serial and Ethernet networks.

rtrB# show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/BDR        00:00:36    172.16.1.1      Ethernet0
1.1.1.1           1   FULL/  -        00:00:30    10.1.1.1        Serial0

Configuration Example 2: MD5 Authentication on an OSPF Network

Change the authentication type on the Ethernet network to MD5. Use the password laura and a key ID of 1.

Router A

interface Ethernet0/0
 ip address 172.16.1.1 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 laura

_________________________________________________________________

Router B

interface Ethernet0
 ip address 172.16.1.2 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 laura

Verification

Verify that message digest authentication is being used on the Ethernet network.

rtrA# show ip ospf interface Ethernet0/0

Ethernet0/0 is up, line protocol is up
  Internet Address 172.16.1.1/24, Area 0
  Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State BDR, Priority 1
  Designated Router (ID) 2.2.2.2, Interface address 172.16.1.2
  Backup Designated router (ID) 1.1.1.1, Interface address 172.16.1.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:02
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 2.2.2.2  (Designated Router)
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 1

Also, verify that Routers A and B have established FULL OSPF neighbor relationships over the serial and Ethernet networks.

rtrA# show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/DR         00:00:39    172.16.1.2      Ethernet0/0
2.2.2.2           1   FULL/  -        00:00:32    10.1.1.2        Serial0/1

Configuration Example 3: Changing Keys and Passwords

For additional security, you may choose to periodically change the key and password. With clear-text authentication, when you change passwords there will be a loss of OSPF connectivity from the time you change the password on one router's interface until you change the password on the remaining interfaces attached to the network. With MD5 authentication, you can configure a new key and password on an interface while leaving the old key and password in place. The old key and password will continue to be used until the new key and password are configured on the other interfaces attached to the network. Modify the key and password on the Ethernet network between Routers A and B. First add a new key and password to Router A in order to observe the behavior when the new key and password have been configured on only one interface.

Router A

interface Ethernet0/0
 ip address 172.16.1.1 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 laura
 ip ospf message-digest-key 2 md5 elvis

Examine the effect of adding a new key and password on only one interface.

rtrA# show ip ospf interface e0/0

Ethernet0/0 is up, line protocol is up
  Internet Address 172.16.1.1/24, Area 0
  Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State BDR, Priority 1
  Designated Router (ID) 2.2.2.2, Interface address 172.16.1.2
  Backup Designated router (ID) 1.1.1.1, Interface address 172.16.1.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:07
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 2.2.2.2  (Designated Router)
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 2
    Rollover in progress, 1 neighbor(s) using the old key(s):
      key id 1

Notice that both keys are being used for authentication. Configure the new key and password on Router B while leaving the old key and password in place.

Router B

interface Ethernet0
 ip address 172.16.1.2 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 laura
 ip ospf message-digest-key 2 md5 elvis

Verification

Verify that Router B is now using the new key and password.

rtrB# show ip ospf interface ethernet 0

Ethernet0 is up, line protocol is up
  Internet Address 172.16.1.2/24, Area 0
  Process ID 1, Router ID 2.2.2.2, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 2.2.2.2, Interface address 172.16.1.2
  Backup Designated router (ID) 1.1.1.1, Interface address 172.16.1.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:05
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 1.1.1.1  (Backup Designated Router)
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 2

You can now remove the old key and password from Routers A and B.

Router A

interface Ethernet0/0
 no ip ospf message-digest-key 1

_________________________________________________________________

Router B

interface Ethernet0
 no ip ospf message-digest-key 1

Configuration Example 4: Null Authentication

Prior to Cisco IOS Software Release 12.0, if authentication was configured for an OSPF area, then the same authentication type had to be enabled on all interfaces in the area. In Cisco IOS Software Release 12.0 and later, if authentication is not required on an interface, NULL authentication can be employed on that interface to override the authentication that has been configured for the area. Configure the routers in Figure 19-1 with simple password authentication in Area 0 and on the Ethernet network. Do not configure authentication on the serial link.

Router A

interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Ethernet0/0
 ip address 172.16.1.1 255.255.255.0
 ip ospf authentication-key laura
!
interface Serial0/1
 ip address 10.1.1.1 255.255.255.252
 ip ospf authentication null
 clockrate 64000
!
router ospf 1
 area 0 authentication
 network 1.1.1.1 0.0.0.0 area 1
 network 10.1.1.0 0.0.0.3 area 0
 network 172.16.1.0 0.0.0.255 area 0

_________________________________________________________________

Router B

interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Ethernet0
 ip address 172.16.1.2 255.255.255.0
 ip ospf authentication-key laura
!
interface Serial0
 ip address 10.1.1.2 255.255.255.252
 ip ospf authentication null
!
router ospf 1
 area 0 authentication
 network 2.2.2.2 0.0.0.0 area 2
 network 10.1.1.0 0.0.0.3 area 0
 network 172.16.1.0 0.0.0.255 area 0

Verification

Verify that Routers A and B have formed FULL OSPF neighbor relationships over the Ethernet and serial networks.

rtrA# show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/DR         00:00:31    172.16.1.2      Ethernet0/0
2.2.2.2           1   FULL/  -        00:00:35    10.1.1.2        Serial0/1

Troubleshooting

Step 1. If using simple password authentication, verify that the same password is being used on every interface attached to the network.

Step 2. If using MD5 authentication, verify that the same key and password are being used on every interface attached to the network.

Step 3. Mismatched keys and passwords can be found by enabling OSPF debugging. A sample session is shown in the following output where simple password authentication is used and the passwords assigned to the interfaces do not match.

rtrA# debug ip ospf adj
OSPF adjacency events debugging is on
rtrA#
00:47:55: OSPF: Rcv pkt from 172.16.1.2, Ethernet0/0 : Mismatch Authentication Key - Clear Text
00:47:55: OSPF: Rcv hello from 2.2.2.2 area 0 from Serial0/1 10.1.1.2
00:47:55: OSPF: End of hello processing

The following output is for message digest authentication when the keys match but the passwords do not.

rtrB# debug ip ospf adj
OSPF adjacency events debugging is on
rtrB#
00:51:37: OSPF: Rcv pkt from 10.1.1.1, Serial0 : Mismatch Authentication Key - Message Digest Key 1

The final debug output is for message digest authentication with a key mismatch. One interface has been configured with a key ID of 1 and the other interface has a key ID of 2.

rtrA# debug ip ospf adj
OSPF adjacency events debugging is on
rtrA#
00:53:31: OSPF: Send with youngest Key 1
00:53:36: OSPF: Rcv pkt from 10.1.1.2, Serial0/1 : Mismatch Authentication Key - No message digest key 2 on interface
00:53:41: OSPF: Send with youngest Key 1
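The MD5 trailer behind Configuration Examples 2 and 3 and the key-mismatch cases in Step 3, as an added Python illustration that is not from the handbook: it builds an OSPFv2 header with AuType 2, appends the RFC 2328 Appendix D digest, and verifies a received frame against the receiver's key table, returning reason strings shaped like the debug output above. The key tables, router IDs and hello bodies are constructed from Example 3 mid-rollover, where Router A has keys 1 and 2 and Router B still has only key 1; because a router in rollover sends a copy of each packet under every configured key, the key-2 copy is rejected by Router B while the key-1 copy keeps the adjacency up.

```python
import hashlib
import hmac
import ipaddress
import struct

AUTYPE_CRYPT = 2      # OSPF AuType for cryptographic (MD5) authentication
AUTH_DATA_LEN = 16    # length of the MD5 digest appended after the packet
HDR_LEN = 24          # OSPFv2 packet header length
RID_A = int(ipaddress.IPv4Address("1.1.1.1"))   # router IDs from the page's configs
RID_B = int(ipaddress.IPv4Address("2.2.2.2"))
# Constructed key tables mirroring Configuration Example 3 mid-rollover.
KEYS_A = {1: b"laura", 2: b"elvis"}   # Router A: key 2 added, key 1 kept
KEYS_B = {1: b"laura"}                # Router B: still only the old key
KEYS_B_BADPW = {1: b"wrong"}          # constructed: key id matches, password does not

def build_packet(router_id, area_id, key_id, seq, body=b""):
    """OSPFv2 header + body. With AuType 2 the checksum is 0 and the 8-byte auth
    field carries reserved(2), key id(1), auth data length(1), sequence number(4)."""
    length = HDR_LEN + len(body)
    return struct.pack("!BBHIIHHHBBI", 2, 1, length, router_id, area_id,
                       0, AUTYPE_CRYPT, 0, key_id, AUTH_DATA_LEN, seq) + body

def sign(packet, keys):
    """Sender side (RFC 2328 D.4.3): trailer = MD5(packet || key zero-padded to 16)."""
    key = keys[packet[18]].ljust(AUTH_DATA_LEN, b"\x00")   # byte 18 holds the key id
    return packet + hashlib.md5(packet + key).digest()

def verify(frame, keys):
    """Receiver side; the returned strings mirror the reasons IOS prints in debug ip ospf adj."""
    length = struct.unpack("!H", frame[2:4])[0]
    key_id = frame[18]
    if key_id not in keys:   # the key id is looked up before any digest work
        return "Mismatch Authentication Key - No message digest key %d on interface" % key_id
    packet, digest = frame[:length], frame[length:length + AUTH_DATA_LEN]
    key = keys[key_id].ljust(AUTH_DATA_LEN, b"\x00")
    if not hmac.compare_digest(digest, hashlib.md5(packet + key).digest()):
        return "Mismatch Authentication Key - Message Digest Key %d" % key_id
    return "OK"

def youngest_key(keys):
    return max(keys)   # IOS transmits with the youngest (highest-numbered) key

def rollover_demo():
    """One hello from each router, checked against the peer's key table."""
    from_a = sign(build_packet(RID_A, 0, youngest_key(KEYS_A), 1), KEYS_A)
    from_b = sign(build_packet(RID_B, 0, youngest_key(KEYS_B), 1), KEYS_B)
    return (verify(from_a, KEYS_B),         # B lacks key 2: this copy is rejected
            verify(from_b, KEYS_A),         # A still holds key 1: accepted
            verify(from_b, KEYS_B_BADPW))   # same key id, different password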


Cisco OSPF Command and Configuration Handbook
ISBN: 1587055406
Year: 2002
Pages: 236
