Configuring OSPF neighbor authentication
OSPF has a neighbor authentication feature. It allows a router to form neighbor relationships only with legitimate routers.
This section describes how to configure the OSPF neighbor authentication feature on Cisco routers.
There are two steps to configuring the authentication feature.
- Enabling authentication
- Configuring authentication passwords
1. Enabling authentication
There are two types of authentication: plaintext passwords and MD5 message digests. There are also three ways to enable authentication.
- Area
- Interface
- Virtual link
Enabling authentication for an area
When authentication is enabled for an area, it is enabled on all interfaces contained in that area. To enable authentication for an area, enter the following command in OSPF configuration mode.
(config)#router ospf < process-id >
(config-router)#area < area-id > authentication [message-digest]
< process-id > : OSPF process ID
< area-id > : area ID
With the command up to “authentication” only, authentication is based on plaintext passwords; when “message-digest” is added, authentication is based on MD5 message digests of passwords.
Note that if you enable authentication in area 0 (the backbone area), authentication will also be enabled on the virtual link.
Enabling authentication for an interface
If authentication is enabled on an interface, authentication will be performed only on that interface. To enable authentication on an interface, enter the following command in interface configuration mode.
(config)#interface < interface-name >
(config-if)#ip ospf authentication [message-digest]
< interface-name > : interface name
As with area-level authentication, the command up to “authentication” enables plaintext password authentication, and adding “message-digest” enables MD5 message-digest password authentication.
Enabling authentication for virtual links
When authentication is enabled on a virtual link, authentication is performed on that virtual link. To enable authentication on the virtual link, enter the following command in OSPF configuration mode.
(config)#router ospf < process-id >
(config-router)#area < area-id > virtual-link < router-id > authentication [message-digest]
< process-id > : OSPF process ID
< area-id > : area ID of virtual-link transit area
< router-id > : Router ID of the router on the other side of the virtual link
Note that if you enable neighbor authentication in Area 0, the authentication will also be enabled in the virtual link. This is because the virtual link is a virtual Area 0 link.
2. Configuring authentication passwords
The authentication password only needs to be configured on the interface where the neighbor exists. It is not necessary to configure the authentication password on interfaces that do not have neighbors. To configure the authentication password, enter the following command in interface configuration mode.
Plaintext password
(config)#interface < interface-name >
(config-if)#ip ospf authentication-key < password >
< interface-name > : interface name
< password > : authentication password
Message digest
(config)#interface < interface-name >
(config-if)#ip ospf message-digest-key < key-id > md5 < password >
< interface-name > : interface name
< key-id > : key ID
< password > : authentication password
Message digest authentication requires that neighbors configure the same key ID and password for each other.
Authentication password for virtual link
The virtual link is a virtual OSPF area 0 interface, and its association with the physical interface is not fixed. Therefore, the password for neighbor authentication on the virtual link cannot be configured in the interface configuration mode described above. Please configure it as an option in the virtual link configuration command.
Plaintext password (virtual-link)
(config)#router ospf < process-id >
(config-router)#area < area-id > virtual-link < router-id > authentication-key < password >
< process-id > : OSPF process ID
< area-id > : area ID of virtual-link transit area
< router-id > : Router ID of the router on the other side of the virtual link
< password > : authentication password
Message digest (virtual-link)
(config)#router ospf < process-id >
(config-router)#area < area-id > virtual-link < router-id > message-digest-key < key-id > md5 < password >
< process-id > : OSPF process ID
< area-id > : area ID of virtual-link transit area
< router-id > : Router ID of the router on the other side of the virtual link
< key-id > : key ID
< password > : authentication password
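An added example, not from the original page: a Python check that the interface-level commands from steps 1 and 2 agree on each interface, and that both ends of a link carry the same key ID and password. The two configs, the interface names and the key value are constructed samples; it assumes authentication is enabled per interface (not per area) and that keys appear unencrypted in the config text.

```python
import re

# Constructed configs for the two ends of one link (sample data, not from the page).
R1 = """interface GigabitEthernet0/0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 EXAMPLE-KEY
interface GigabitEthernet0/1
 ip ospf authentication
"""
R2 = """interface GigabitEthernet0/0
 ip ospf authentication message-digest
 ip ospf message-digest-key 2 md5 EXAMPLE-KEY
"""

def parse_interfaces(config):
    """Map interface name -> mode, plaintext key and MD5 keys found under it."""
    intfs, cur = {}, None
    for line in map(str.rstrip, config.splitlines()):
        if m := re.fullmatch(r"interface (\S+)", line):
            cur = intfs[m.group(1)] = {"mode": None, "plain_key": None, "md5_keys": {}}
        elif not line.startswith(" ") or cur is None:
            cur = None  # outside interface configuration mode
        elif m := re.fullmatch(r"\s+ip ospf authentication( message-digest)?", line):
            cur["mode"] = "md5" if m.group(1) else "plaintext"
        elif m := re.fullmatch(r"\s+ip ospf authentication-key (\S+)", line):
            cur["plain_key"] = m.group(1)
        elif m := re.fullmatch(r"\s+ip ospf message-digest-key (\d+) md5 (\S+)", line):
            cur["md5_keys"][int(m.group(1))] = m.group(2)
    return intfs

def audit(intf):
    """Check that step 1 (enable) and step 2 (key) agree on one interface."""
    mode, plain, md5 = intf["mode"], intf["plain_key"], intf["md5_keys"]
    out = []
    if mode == "md5" and not md5:
        out.append("message-digest enabled, no message-digest-key")
    if mode == "plaintext":
        out.append("plaintext password" + ("" if plain else ", no authentication-key"))
    if mode is None and (plain or md5):
        out.append("key set, authentication not enabled on interface (check area)")
    return out

def compare_link(a, b):
    """Neighbors must agree on type and, for MD5, on key ID and password."""
    if a["mode"] != b["mode"]:
        return [f"type mismatch: {a['mode']} vs {b['mode']}"]
    field = "md5_keys" if a["mode"] == "md5" else "plain_key"
    return [] if a[field] == b[field] else [f"{field} mismatch"]

print({name: audit(intf) for name, intf in parse_interfaces(R1).items()})
```

`compare_link` treats any difference in the set of MD5 keys as a mismatch, so the sample pair (key ID 1 on one side, key ID 2 on the other, same password) is reported even though the passwords match.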
Verify OSPF neighbor authentication
The following table summarizes the main commands for verifying OSPF neighbor authentication.
| Command | Content |
| --- | --- |
| #show ip ospf interface | Shows whether neighbor authentication is enabled. |
| #show ip ospf neighbor | If the authentication configuration is correct, the neighbor relationship is established successfully. |