Sunday 8 July 2012

OSPF: Virtual Links – Part III - Authentication

·         In the previous two posts, OSPF: Virtual Links - Part I and OSPF: Virtual Links – Part II, we saw why virtual links exist, how to create them, and in which scenarios they are needed.

·         In this post, we will see how to configure OSPF authentication for Virtual Links.

·         As we already know, a virtual link is an interface in the backbone area (Area 0), even though its packets are carried across the transit area.
·         So whenever authentication is enabled in Area 0, the virtual link must be authenticated as well; an authentication type or key mismatch on the virtual link means its packets are discarded and the virtual-link adjacency does not come up (or drops once the mismatch is detected).

·         RFC 2328 specifies that every OSPF protocol exchange is authenticated: each packet header carries a 16-bit authentication type and a 64-bit authentication field, and the type is configured per interface.
·         OSPF defines 3 authentication types:
o    Type-0, null authentication: the default. The authentication field is ignored, so any device on the segment can inject OSPF packets.
o    Type-1, simple password (clear-text) authentication: an 8-byte password is carried in every packet in clear text, so anyone able to capture the packets learns it.
o    Type-2, cryptographic authentication (MD5 in IOS): the shared key is never sent. Instead the header carries a key ID, the digest length and a non-decreasing sequence number, and an MD5 digest over the packet and the key is appended after the packet; the sequence number lets the receiver reject replayed packets.

·         We can enable OSPF authentication either for a whole area under the OSPF process (area <id> authentication [message-digest]) or per interface (ip ospf authentication [message-digest]); the interface-level command overrides the area-level setting.
·         In both cases the key itself is configured on the interface (ip ospf message-digest-key <id> md5 <key>). A virtual link has no physical interface, so its key is configured on the virtual-link command under the OSPF process instead (area <transit-area> virtual-link <router-id> message-digest-key <id> md5 <key>).
·         For MD5 authentication, both the key ID and the key string must match on the two ends of a link; a mismatch in either one causes the packet to be dropped.
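To make the Type-2 mechanism concrete, here is an added Python example (it is not code from the original post and not the router's implementation) of the cryptographic authentication described in RFC 2328 Appendix D. It builds a Hello from R2 to R1 with the page's router IDs, signs it with key ID 10 and key cisco123 as configured below, and verifies it the way a receiver does, then shows the three rejection paths: wrong key, wrong key ID, and a replayed sequence number. The header and Hello layout follow the RFC; a one-neighbour Hello is 48 bytes, which is the l:48 shown in the debug output later on this page, and the 0x4FF9D50E sequence number is taken from there too. The Neighbor class, the build_hello/sign function names, the constructed test packets and the zero-padding of the key to 16 bytes (what IOS and open-source implementations do in practice) are this example's own.

```python
"""Added example (not from the original post): OSPFv2 Type-2 (MD5)
authentication as specified in RFC 2328 Appendix D.  Key ID 10 / key
'cisco123' and the router IDs match the configuration on this page;
the packet contents and the Neighbor class are constructed here."""
import hashlib
import hmac
import socket
import struct

OSPF_V2 = 2
OSPF_HELLO = 1
AUTH_NULL, AUTH_SIMPLE, AUTH_CRYPTO = 0, 1, 2
MD5_LEN = 16
HDR = struct.Struct("!BBH4s4sHH8s")  # 24-byte OSPF header


def md5_key_block(key: str) -> bytes:
    """Implementations zero-pad the shared key to 16 bytes (longer keys are
    truncated).  This is why the key string must match exactly on both ends."""
    return key.encode()[:MD5_LEN].ljust(MD5_LEN, b"\x00")


def build_hello(router_id: str, area_id: str, mask: str,
                hello: int = 10, dead: int = 40, neighbors=()) -> bytes:
    """Hello packet whose header still has AuType 0, zero auth field, zero checksum."""
    body = struct.pack("!4sHBBI4s4s", socket.inet_aton(mask), hello,
                       0x02, 1, dead, b"\0" * 4, b"\0" * 4)     # options=E, prio=1, DR/BDR=0
    body += b"".join(socket.inet_aton(n) for n in neighbors)
    hdr = HDR.pack(OSPF_V2, OSPF_HELLO, HDR.size + len(body),
                   socket.inet_aton(router_id), socket.inet_aton(area_id),
                   0, AUTH_NULL, b"\0" * 8)
    return hdr + body


def sign(packet: bytes, key_id: int, seq: int, key: str) -> bytes:
    """Set AuType 2, write (0, key id, digest length, sequence number) into the
    auth field, zero the checksum as RFC 2328 D.4.3 requires, and append
    MD5(packet || key).  The packet-length field does NOT count the digest."""
    auth = struct.pack("!HBBI", 0, key_id, MD5_LEN, seq)
    pkt = packet[:12] + b"\0\0" + struct.pack("!H", AUTH_CRYPTO) + auth + packet[24:]
    return pkt + hashlib.md5(pkt + md5_key_block(key)).digest()


class Neighbor:
    """Receiver state: the interface key ring and the last accepted
    cryptographic sequence number per neighbouring router ID."""

    def __init__(self, keys):
        self.keys = keys        # key id -> key string, e.g. {10: "cisco123"}
        self.last_seq = {}

    def verify(self, wire: bytes) -> str:
        _, _, length, rid, _, _, autype, auth = HDR.unpack_from(wire)
        if autype != AUTH_CRYPTO:
            return "reject: AuType %d" % autype
        _, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
        if auth_len != MD5_LEN:
            return "reject: auth data length %d" % auth_len
        key = self.keys.get(key_id)
        if key is None:                          # key-id mismatch, not just key mismatch
            return "reject: unknown key id %d" % key_id
        if seq < self.last_seq.get(rid, 0):      # sequence must be non-decreasing
            return "reject: replayed sequence 0x%08x" % seq
        pkt, digest = wire[:length], wire[length:length + MD5_LEN]
        expected = hashlib.md5(pkt + md5_key_block(key)).digest()
        if not hmac.compare_digest(expected, digest):
            return "reject: digest mismatch"
        self.last_seq[rid] = seq
        return "accept"


def demo():
    """R2's Hello towards R1 on the Area 0 link, then the failure modes."""
    hello = build_hello("2.2.2.2", "0.0.0.0", "255.255.255.0", neighbors=["1.1.1.1"])
    r1 = Neighbor({10: "cisco123"})
    good = r1.verify(sign(hello, 10, 0x4FF9D50E, "cisco123"))
    wrong_key = r1.verify(sign(hello, 10, 0x4FF9D518, "cisco124"))
    wrong_id = r1.verify(sign(hello, 11, 0x4FF9D518, "cisco123"))
    replay = r1.verify(sign(hello, 10, 0x4FF9D500, "cisco123"))
    newer = r1.verify(sign(hello, 10, 0x4FF9D518, "cisco123"))
    return good, wrong_key, wrong_id, replay, newer


if __name__ == "__main__":
    for name, result in zip(("good", "wrong key", "wrong key id", "replay", "newer"), demo()):
        print(f"{name:12s} -> {result}")
```

Two details are worth noticing when you compare this with the router output below: a Type-2 packet is sent with the OSPF checksum zeroed (the debug shows chk:0 on the authenticated link and a real checksum on the unauthenticated one), and the digest is appended beyond the length field, so a captured packet is 16 bytes longer than l: reports.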

·         In the below example, I’m going to configure MD5 authentication.

Topology (the diagram from the original post is not reproduced; the layout below is taken from the configurations that follow):

R1 (1.1.1.1) --- 100.1.12.0/24, Area 0 --- R2 (2.2.2.2) --- 100.1.23.0/24, Area 23 --- R3 (3.3.3.3) --- 100.1.34.0/24, Area 34 --- R4 (4.4.4.4)

Area 34 has no connection to the backbone, so R2 and R3 run a virtual link across Area 23.

R1#show run | begin router ospf 1
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 network 1.1.1.1 0.0.0.0 area 0
 network 100.1.12.1 0.0.0.0 area 0
!

R2#show run | begin router ospf 1
router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 area 23 virtual-link 3.3.3.3
 network 2.2.2.2 0.0.0.0 area 0
 network 100.1.12.2 0.0.0.0 area 0
 network 100.1.23.2 0.0.0.0 area 23
!

R3#show run | begin router ospf 1
router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 area 23 virtual-link 2.2.2.2
 network 3.3.3.3 0.0.0.0 area 23
 network 100.1.23.3 0.0.0.0 area 23
 network 100.1.34.3 0.0.0.0 area 34
!

R4#show run | begin router ospf 1
router ospf 1
 router-id 4.4.4.4
 log-adjacency-changes
 network 4.4.4.4 0.0.0.0 area 34
 network 100.1.34.4 0.0.0.0 area 34
!

R1#show ip route ospf
     2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/65] via 100.1.12.2, 00:00:38, Serial1/0
     100.0.0.0/24 is subnetted, 3 subnets
O IA    100.1.34.0 [110/192] via 100.1.12.2, 00:00:38, Serial1/0
O IA    100.1.23.0 [110/128] via 100.1.12.2, 00:00:38, Serial1/0
     3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/129] via 100.1.12.2, 00:00:38, Serial1/0
     4.0.0.0/32 is subnetted, 1 subnets
O IA    4.4.4.4 [110/193] via 100.1.12.2, 00:00:38, Serial1/0
R1#

R2#show ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 100.1.12.1, 00:00:39, Serial1/0
     100.0.0.0/24 is subnetted, 3 subnets
O IA    100.1.34.0 [110/128] via 100.1.23.3, 00:00:39, Serial1/1
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 100.1.23.3, 01:22:20, Serial1/1
     4.0.0.0/32 is subnetted, 1 subnets
O IA    4.4.4.4 [110/129] via 100.1.23.3, 00:00:39, Serial1/1
R2#

R3#show ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/129] via 100.1.23.2, 00:32:59, Serial1/1
     2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/65] via 100.1.23.2, 00:32:59, Serial1/1
     100.0.0.0/24 is subnetted, 3 subnets
O       100.1.12.0 [110/128] via 100.1.23.2, 00:32:59, Serial1/1
     4.0.0.0/32 is subnetted, 1 subnets
O       4.4.4.4 [110/65] via 100.1.34.4, 00:32:29, Serial1/0
R3#

R4#show ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/193] via 100.1.34.3, 00:32:28, Serial1/0
     2.0.0.0/32 is subnetted, 1 subnets
O IA    2.2.2.2 [110/129] via 100.1.34.3, 00:32:28, Serial1/0
     100.0.0.0/24 is subnetted, 3 subnets
O IA    100.1.12.0 [110/192] via 100.1.34.3, 00:32:28, Serial1/0
O IA    100.1.23.0 [110/128] via 100.1.34.3, 00:32:28, Serial1/0
     3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/65] via 100.1.34.3, 00:32:28, Serial1/0
R4#

Observation:

·         OSPF has been configured as per the topology, with no authentication anywhere yet.
·         Because Area 34 reaches the backbone only through Area 23, a virtual link has been configured between R2 and R3 with Area 23 as the transit area; every router sees all routes, the inter-area ones marked O IA.

Configuring OSPF authentication in Area-0:

R1(config)#router ospf 1
R1(config-router)#area 0 authentication message-digest
R1(config-router)#

R1(config-router)#int ser1/0
R1(config-if)#ip ospf authentication message-digest
R1(config-if)#ip ospf message-digest-key 10 md5 cisco123
R1(config-if)#

R2(config)#router ospf 1
R2(config-router)#area 0 authentication message-digest
R2(config-router)#area 23 virtual-link 3.3.3.3 message-digest-key 10 md5 cisco123
R2(config-router)#

R2(config-router)#int ser1/0
R2(config-if)#ip ospf authentication message-digest
R2(config-if)#ip ospf message-digest-key 10 md5 cisco123
R2(config-if)#

R3(config)#router ospf 1
R3(config-router)#area 0 authentication message-digest
R3(config-router)#area 23 virtual-link 2.2.2.2 message-digest-key 10 md5 cisco123
R3(config-router)#

R1#show ip ospf interface ser1/0
Serial1/0 is up, line protocol is up
  Internet Address 100.1.12.1/24, Area 0
  Process ID 1, Router ID 1.1.1.1, Network Type POINT_TO_POINT, Cost: 64
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:02
  Supports Link-local Signaling (LLS)
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 2.2.2.2
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 10
R1#

R2#show ip ospf interface ser1/0
Serial1/0 is up, line protocol is up
  Internet Address 100.1.12.2/24, Area 0
  Process ID 1, Router ID 2.2.2.2, Network Type POINT_TO_POINT, Cost: 64
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:07
  Supports Link-local Signaling (LLS)
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 4
  Last flood scan time is 0 msec, maximum is 4 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 1.1.1.1
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 10
R2#

R2#show ip ospf virtual-links
Virtual Link OSPF_VL0 to router 3.3.3.3 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 23, via interface Serial1/1, Cost of using 64
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:06
    Adjacency State FULL (Hello suppressed)
    Index 2/3, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec
  Message digest authentication enabled
    Youngest key id is 10
R2#

R3#show ip ospf virtual-links
Virtual Link OSPF_VL0 to router 2.2.2.2 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 23, via interface Serial1/1, Cost of using 64
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:01
    Adjacency State FULL (Hello suppressed)
    Index 1/3, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec
  Message digest authentication enabled
    Youngest key id is 10
R3#

R1#debug ip ospf packet
OSPF packet debugging is on
R1#
*Jul  8 18:49:09.983: OSPF: rcv. v:2 t:1 l:48 rid:2.2.2.2
      aid:0.0.0.0 chk:0 aut:2 keyid:10 seq:0x4FF9D50E from Serial1/0
R1#
*Jul  8 18:49:19.983: OSPF: rcv. v:2 t:1 l:48 rid:2.2.2.2
      aid:0.0.0.0 chk:0 aut:2 keyid:10 seq:0x4FF9D518 from Serial1/0
R1#

R2#debug ip ospf packet
OSPF packet debugging is on
R2#
*Jul  8 18:49:09.643: OSPF: rcv. v:2 t:1 l:48 rid:3.3.3.3
      aid:0.0.0.23 chk:E279 aut:0 auk: from Serial1/1
*Jul  8 18:49:10.179: OSPF: rcv. v:2 t:1 l:48 rid:1.1.1.1
      aid:0.0.0.0 chk:0 aut:2 keyid:10 seq:0x4FF9D50E from Serial1/0
R2#
*Jul  8 18:49:19.607: OSPF: rcv. v:2 t:1 l:48 rid:3.3.3.3
      aid:0.0.0.23 chk:E279 aut:0 auk: from Serial1/1
*Jul  8 18:49:20.187: OSPF: rcv. v:2 t:1 l:48 rid:1.1.1.1
      aid:0.0.0.0 chk:0 aut:2 keyid:10 seq:0x4FF9D518 from Serial1/0
R2#
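The debug output above can also be audited mechanically. The following added Python example (mine, not the post's) parses the two-line records that debug ip ospf packet prints and reports every neighbour whose packets arrive with anything other than cryptographic authentication; run over R2's output above it flags the Area 23 hellos from R3, which carry aut:0. The sample text is R2's debug output copied from this page; the regular expression and the audit function are this example's own and assume only the field layout visible in these lines.

```python
"""Added example (not from the original post): audit IOS 'debug ip ospf
packet' output for neighbours not using MD5 (aut:2) authentication.
SAMPLE_R2_DEBUG is R2's output from this page; the parser is mine."""
import re

SAMPLE_R2_DEBUG = """\
*Jul  8 18:49:09.643: OSPF: rcv. v:2 t:1 l:48 rid:3.3.3.3
      aid:0.0.0.23 chk:E279 aut:0 auk: from Serial1/1
*Jul  8 18:49:10.179: OSPF: rcv. v:2 t:1 l:48 rid:1.1.1.1
      aid:0.0.0.0 chk:0 aut:2 keyid:10 seq:0x4FF9D50E from Serial1/0
*Jul  8 18:49:19.607: OSPF: rcv. v:2 t:1 l:48 rid:3.3.3.3
      aid:0.0.0.23 chk:E279 aut:0 auk: from Serial1/1
*Jul  8 18:49:20.187: OSPF: rcv. v:2 t:1 l:48 rid:1.1.1.1
      aid:0.0.0.0 chk:0 aut:2 keyid:10 seq:0x4FF9D518 from Serial1/0
"""

AUTH_NAMES = {0: "null", 1: "clear-text", 2: "md5"}

# One received packet is printed over two lines; \s+ after rid: spans the break.
# MD5 packets show keyid/seq, the others show an (empty) auk: field.
RECORD = re.compile(
    r"OSPF: rcv\. v:(?P<v>\d+) t:(?P<t>\d+) l:(?P<l>\d+) rid:(?P<rid>[\d.]+)\s+"
    r"aid:(?P<aid>[\d.]+) chk:(?P<chk>[0-9A-Fa-f]+) aut:(?P<aut>\d)"
    r"(?: keyid:(?P<keyid>\d+) seq:0x(?P<seq>[0-9A-Fa-f]+))?"
    r"(?: auk:(?P<auk>\S*))? from (?P<intf>\S+)")


def parse_debug(text: str):
    """Yield one dict per received packet; keyid/seq are None for non-MD5 packets."""
    for m in RECORD.finditer(text):
        d = m.groupdict()
        yield {"rid": d["rid"], "aid": d["aid"], "intf": d["intf"],
               "type": int(d["t"]), "aut": int(d["aut"]),
               "keyid": int(d["keyid"]) if d["keyid"] else None,
               "seq": int(d["seq"], 16) if d["seq"] else None}


def audit(text: str):
    """Return the auth type seen per (interface, area, neighbour) and a sorted
    list of findings for every neighbour that is not using MD5."""
    seen = {}
    for rec in parse_debug(text):
        seen[(rec["intf"], rec["aid"], rec["rid"])] = rec["aut"]
    findings = sorted(f"{intf} area {aid} neighbor {rid}: {AUTH_NAMES[aut]}"
                      for (intf, aid, rid), aut in seen.items() if aut != 2)
    return seen, findings


if __name__ == "__main__":
    _, found = audit(SAMPLE_R2_DEBUG)
    for line in found:
        print("UNAUTHENTICATED:", line)
```

Note that the virtual link itself never shows up in this output: it runs as a demand circuit with hellos suppressed, so the only way to confirm its authentication is show ip ospf virtual-links, as above.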

R1#ping 4.4.4.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/87/124 ms
R1#

R4#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/96/124 ms
R4#

Observations:

·         MD5 authentication is now active on every Area 0 interface, the virtual link included: show ip ospf interface on the R1-R2 link and show ip ospf virtual-links on R2 and R3 all report "Message digest authentication enabled" with "Youngest key id is 10", and the virtual-link adjacency is FULL.
·         R3 needs area 0 authentication message-digest even though it has no physical Area 0 interface: the virtual link is its Area 0 interface, and the key for it lives on the area 23 virtual-link 2.2.2.2 message-digest-key command because there is no interface to configure it on.
·         In the debug on R1, the hellos from R2 arrive with aut:2 keyid:10 and chk:0 (with cryptographic authentication the OSPF checksum is not computed; the MD5 digest protects the packet instead), and the sequence number advances between hellos (0x4FF9D50E to 0x4FF9D518, i.e. by 10 over 10 seconds), which is what lets the receiver discard replayed packets.
·         The hellos R2 receives from R3 on Serial1/1 carry aid:0.0.0.23, aut:0 and a real checksum (chk:E279): the transit area is still unauthenticated. Authenticating the virtual link protects only the backbone traffic carried across Area 23; to protect the Area 23 and Area 34 adjacencies themselves, enable authentication in those areas as well.
·         End-to-end reachability between R1 and R4 is unaffected by enabling authentication.
