OSPF Authentication


Scenario:

The local zoo needs your help with their OSPF network. Since a recent animal breakout the security department decides all routing protocols need authentication. You decide to implement OSPF authentication in any way you can.

Goal:

  • All IP addresses have been preconfigured for you.
  • Configure OSPF on all routers. Achieve full connectivity. Ensure area 2 is directly connected by using a virtual link.
  • Configure MD5 authentication for Area 0. Do not use any interface commands to activate it.
  • Configure plaintext authentication in Area 1. Use interface commands to achieve this.
  • Configure MD5 authentication for the virtual link.

It took me 1000s of hours reading books and doing labs, making mistakes over and over again until I mastered all the protocols for CCNA.

Would you like to be a master of networking too? In a short time without having to read 900 page books or google the answers to your questions and browsing through forums?

I collected all my knowledge and created a single ebook for you that has everything you need to know to become a master of CCNA.

You will learn all the secrets about OSPF, authentication, virtual links and more.

Does this sound interesting to you? Take a look here and let me show you how to Master CCNA!

IOS:

c3640-jk9s-mz.124-16.bin

Topology:

OSPF Authentication Network Topology

Video Solution:

Configuration Files

You need to register to download the GNS3 topology file. (Registration is free!)

Once you are logged in you will find the configuration files right here.

Opt In Image
Do you want your CCNA or CCNP Certificate?

The How to Master series helps you to understand complex topics like spanning-tree, VLANs, trunks, OSPF, EIGRP, BGP and more.

Written by RenΓ© Molenaar - CCIE #41726

You May Also Like

About the Author: Rene Molenaar

RenΓ© - CCIE #41726 is the creator of GNS3Vault.com where he shares CCNA, CCNP and CCIE R&S labs. He also blogs about networking on http://networklessons.com

12 Comments

  1. When configuring md5 authentication without assigning an authentication-key at the interface level – The ospf packet contents is NOT encrypted the OSPF header gets an Auth Type = Cryptographic but the LSA’s are sent in clear text.

    IE noone should use this setup in real life πŸ˜‰

  2. Hello Uffe,

    Good point. If you read closely the task says [b]Do not use any interface commands to activate it.[/b]

    You can activate authentication for the entire area under the OSPF process and configure a key on the interface level πŸ˜‰ That’s the goal of this task.

    Thanks for your comment!

    Rene

  3. Hi Rene – yeah it’s that exact statement that I feel is a little misleading as you cannot configure MD5 authentication without configuring it at the interface level.

    Thanks alot for your hard work with this site and the labs – I’m prepping for ROUTE and fine them excellent in that regard.

  4. Hi Uffe,

    No worries. I’m trying to create tasks that look a bit similar to Cisco exams or the way you get questions at the CCIE exam. It’s better to have questions where people have to think about the solution instead of just telling them what to do (or so I hope/believe ;D)

    Good luck with your CCNP!

    Rene

  5. Hey guys here is my question. If i use [b]area X authentication command[/b] and then i create virtual link that go trough that area and i have configured authentication on virtual link. witch one will take precedence or will virtual link work at all?

    1. Hmm if I’m correct authentication for the area is only between routers for the OSPF neighbor adjacency. This does not effect the virtual link, you need a different command to active authentication for the virtual link.

  6. The scenario description made me chuckle. Beware of animals using protocol sniffers. πŸ˜›

  7. Hi Rene,
    Thanks a million for these labs. I am preparing for CCIE and I find them very helpful.
    On the 3rd bullet for this lab, you said “do not use any interface command to activate it” Yet after you typed :
    area 0 authentication message-digest

    the next thing you did was to type:
    interface f 0/0
    ip ospf message-digest-key 1 mds VAULT

    Please can you explain this?

    1. Hi Nkem,

      Glad to hear you like it πŸ™‚ The requirement is not to use an interface command to “activate” it. I only configured the password on the interface and activated it by using the global area command…so the requirement is met.

      Rene

  8. Hi Rene

    Following your configuration commands for virtual link authentication :

    Giraffe(config-router)#area 1 virtual-link 2.2.2.2 authentication …….

    However 2.2.2.2 i rid for source not remote router of the virtual-link which is Giraffe.
    Is it correct ?
    When we are going to configure virtual link only, we are allocating rid of the of remote router which is Gorilla. on the Giraffes configuration line.

    Giraffe(config-router)#area 1 virtual-link 3.3.3.3

  9. Hi Rene

    I would really thank for all the LABs you made

    When I did this LAB I have got the Virtual link always down.

    I tried to change the key number (in Giraffe & Gorilla) as Key 1 was used for md5 authentication in area 0 (Giraffe & Elephant)

    Her is my OSPF config and Virtual link status

    Giraffe(config-router)#do sh run | section ospf
    ip ospf message-digest-key 1 md5 VAULT
    ip ospf authentication
    ip ospf authentication-key VAULT
    router ospf 1
    log-adjacency-changes
    area 0 authentication message-digest
    area 1 virtual-link 3.3.3.3 authentication message-digest
    area 1 virtual-link 3.3.3.3 message-digest-key 2 md5 VAULT
    network 2.2.2.0 0.0.0.255 area 0
    network 192.168.12.0 0.0.0.255 area 0
    network 192.168.23.0 0.0.0.255 area 1
    Giraffe(config-router)#

    Gorilla(config-router)#do sh run | section ospf
    ip ospf authentication
    ip ospf authentication-key VAULT
    router ospf 1
    log-adjacency-changes
    area 1 virtual-link 2.2.2.2 authentication message-digest
    area 1 virtual-link 2.2.2.2 message-digest-key 2 md5 VAULT
    network 3.3.3.0 0.0.0.255 area 1
    network 192.168.23.0 0.0.0.255 area 1
    network 192.168.34.0 0.0.0.255 area 2
    Gorilla(config-router)#

    Giraffe(config-router)#do show ip ospf virtual-links
    Virtual Link OSPF_VL0 to router 3.3.3.3 is down
    Run as demand circuit
    DoNotAge LSA allowed.
    Transit area 1, Cost of using 65535
    Transmit Delay is 1 sec, State DOWN,
    Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Giraffe(config-router)#

    Gorilla(config-router)#do show ip ospf virtual-links
    Virtual Link OSPF_VL0 to router 2.2.2.2 is down
    Run as demand circuit
    DoNotAge LSA allowed.
    Transit area 1, Cost of using 65535
    Transmit Delay is 1 sec, State DOWN,
    Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Gorilla(config-router)#

    Any advise would be much appreciated

    Thanks
    Aref

Comments are closed.