OSPF Part 4: OSPF Authentication

Hi there mate! This will be the last discussion on OSPF configuration. The rest of the OSPF topics will cover how OSPF works and the contents of the Hello packet. The last topic we had was configuring passive interfaces for security reasons. This time we will configure OSPF with authentication using MD5 message-digest passwords. The need for authentication is very simple: it secures the active interfaces. By active interfaces I mean the interfaces that send and receive Hello packets or OSPF updates. They cannot be made passive, so authentication is the best way to secure them.

Just imagine the scenario below, where the serial 1/0 interface of Router 1, instead of being connected to Router 2, is connected to a rogue (attacker's) router. An unauthenticated OSPF neighbor like that leads to a security breach.

So let us get back to our original topology.


Authentication SYNTAX:

en
conf t
router ospf {process#}                        <— enter the OSPF process
area {area#} authentication message-digest   <— enable MD5 authentication for the whole area on this router
exit
int serial x/x
ip ospf message-digest-key 1 md5 {password}  <— key ID 1 with an MD5 password; the key ID and the password must match on both ends of the link. You can further check on Google how MD5 works.

Note: 1.) We set the password on each interface, since the security breach may happen on any interface.

2.) We can set multiple passwords (keys) on each interface. The syntax is:

int serial x/x
ip ospf message-digest-key 1 md5 {password}
ip ospf message-digest-key 2 md5 {password}

IOS uses this for key rollover: while more than one key is configured on an interface, it sends a copy of each packet for every key, so you can change the password without dropping the adjacency; remove the old key once every neighbor has the new one.
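To see why both the key ID and the password have to match, here is an added Python model (not from the post, and not Cisco's code) of the OSPF cryptographic authentication trailer from RFC 2328 Appendix D: the sender appends MD5(packet || zero-padded key), and the receiver, which may hold several keys per interface as in note 2, recomputes it for the key ID carried in the packet. The router ID, sequence number and Hello body are constructed dummies.

```python
import hashlib
import hmac
import ipaddress
import struct

AUTH_CRYPTO = 2  # AuType 2 = cryptographic authentication (RFC 2328, Appendix D)
HDR_LEN = 24     # OSPFv2 header including the 8 byte authentication field

def pad_key(key: str) -> bytes:
    # Keys are at most 16 bytes and are zero padded to 16 bytes before hashing.
    raw = key.encode()
    if len(raw) > 16:
        raise ValueError("OSPF MD5 key must be 16 bytes or fewer")
    return raw.ljust(16, b"\x00")

def build_packet(router_id: str, key_id: int, seq: int, key: str, body: bytes) -> bytes:
    # Header: version 2, type 1 (Hello), length, router id, area 0, checksum 0 (unused
    # with MD5), AuType 2; auth field: 0, key id, digest length 16, crypto sequence number.
    length = HDR_LEN + len(body)
    hdr = struct.pack("!BBHIIHH", 2, 1, length,
                      int(ipaddress.IPv4Address(router_id)), 0, 0, AUTH_CRYPTO)
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    pkt = hdr + auth + body
    # Digest = MD5(packet || padded key); appended after the packet, not counted in length.
    return pkt + hashlib.md5(pkt + pad_key(key)).digest()

def verify_packet(wire: bytes, keys: dict) -> tuple:
    # keys maps key id -> password: one entry per 'ip ospf message-digest-key N md5 ...'
    # line on the receiving interface. Returns (accepted, reason); short input raises.
    length = struct.unpack("!H", wire[2:4])[0]
    autype = struct.unpack("!H", wire[14:16])[0]
    if autype != AUTH_CRYPTO:
        return False, "AuType mismatch: sender is not using MD5"
    _, key_id, auth_len, _ = struct.unpack("!HBBI", wire[16:24])
    if key_id not in keys:
        return False, "no key with id %d on this interface" % key_id
    expected = hashlib.md5(wire[:length] + pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, wire[length:length + auth_len]):
        return False, "digest mismatch: wrong password for key id %d" % key_id
    return True, "ok"

def demo() -> dict:
    # Constructed scenario: R1 sends a Hello (dummy 20 byte body) with key 1 = cisco.
    hello = build_packet("1.1.1.1", 1, 100, "cisco", b"\x00" * 20)
    return {
        "r2_same_key": verify_packet(hello, {1: "cisco"})[0],          # adjacency forms
        "r2_no_auth_yet": verify_packet(hello, {})[0],                 # R2 not configured
        "r2_wrong_password": verify_packet(hello, {1: "cisc0"})[0],    # typo in password
        "r2_two_keys": verify_packet(hello, {1: "cisco", 2: "x"})[0],  # note 2 above
    }
```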

Very easy configuration, right? So let us apply it on each router, starting with R1:

@r1
en
conf t
router ospf 100
area 0 authentication message-digest
exit
int se 1/0
ip ospf message-digest-key 1 md5 cisco


At this point the OSPF neighbor adjacency goes down. The reason is that the neighbor router is not yet configured with authentication, so the two cannot establish a neighbor relationship. Another way to verify this is show ip ospf neighbor:


So no neighbor relationship is established. We can now continue with the authentication configuration on R2:

@r2

en
conf t
router ospf 100
area 0 authentication message-digest
exit


As I go on, I can see that the neighbor adjacency went down even without configuring the interfaces. That is because authentication was enabled for the whole of area 0 on this router, so it affects every interface in that area. We still need to go interface by interface to specify the password (the key string), which is what actually secures the link. How would we enter a locked door without a key? There should be a key. The output below shows that no neighbor adjacency was established.


Let us continue the configuration:

int se 1/0
ip ospf message-digest-key 1 md5 cisco
int se 1/1
ip ospf message-digest-key 1 md5 cisco
exit

Below is what happened when I configured authentication on R2. Serial 1/0 came up because it is connected to R1, which already has MD5 configured. The neighbor table shows only R1, since R3 does not have MD5 configured yet.


Below is the neighbor table of R1; it shows that R1 can now see R2.


Lastly, let us configure R3:

@r3
en
conf t
router ospf 100
area 0 authentication message-digest
exit
int se 1/1
ip ospf message-digest-key 1 md5 cisco
exit


Nothing much special with the R3 configuration. As we already discussed, serial 1/1 can now come up since all routers have MD5 authentication, and R2 appears in the neighbor table. One thing I can add is that you always see the term “from LOADING to FULL”. Those are the stages of neighbor adjacency, which we will discuss in the next topics.

I guess right now you are wondering how OSPF works? We will discuss that in the next topic.


2.8 Configure and verify Layer 2 protocols: CDP and LLDP

Alright, let me first introduce CDP, the Cisco Discovery Protocol. As the name makes obvious, CDP is a Cisco proprietary protocol, and its goal is to give a Cisco device insight into the surrounding topology. Here is the show command for CDP:

show cdp neighbors

R1#en
R1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
R3               Ser 3/0            160        R          PT1000    Ser 3/0
R2               Ser 2/0            122        R          PT1000    Ser 2/0
Switch           Fas 0/0            172        S          2960      Fas 0/1

First, let me define the terms you see above:

  1. Device ID –> the name of the Cisco device connected to the reference device (the reference device for this show command is R1), so Device ID lists the Cisco devices connected to R1.
  2. Local Intrfce –> the interface of the reference device (R1 at the moment) that is connected to the neighbor device. For example, from the show command above, R1 has interface Serial 3/0 connected to R3, ok mate?
  3. Capability –> the codes in the label above say what the device is capable of, for example whether it is a router or a switch.
  4. Platform –> the model of the switch, router or other Cisco device connected. From the output above we can conclude that the switch model used is a Catalyst 2960.
  5. Port ID –> the interface of the neighboring device to which the reference device is connected.

Let us draw conclusions from the show command above:

1st. R1, on its serial interface 3/0, is connected to R3 on its serial interface 3/0; both have routing capabilities and are Cisco model PT1000.

2nd. R1, on its serial interface 2/0, is connected to R2 on its serial interface 2/0; both have routing capabilities and are Cisco model PT1000.

3rd. R1, on its FastEthernet interface 0/0, is connected to the switch on its FastEthernet interface 0/1; the switch has, well, switching capabilities, hahaha, and the model is a Cisco Catalyst 2960.
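As an added example (not from the post), here is a small Python parser that turns the show cdp neighbors table above into the list of links that the three conclusions read off by hand. The sample text is a constructed copy of the output above, and the parser assumes the interface columns always come as two tokens (e.g. Ser 3/0), as they do in that output.

```python
# Constructed copy of the 'show cdp neighbors' output from the post, used as sample input.
SHOW_CDP_NEIGHBORS = """\
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
R3               Ser 3/0            160        R          PT1000    Ser 3/0
R2               Ser 2/0            122        R          PT1000    Ser 2/0
Switch           Fas 0/0            172        S          2960      Fas 0/1
"""

CAPABILITY = {"R": "Router", "T": "Trans Bridge", "B": "Source Route Bridge",
              "S": "Switch", "H": "Host", "I": "IGMP", "r": "Repeater", "P": "Phone"}

def parse_cdp_neighbors(text: str) -> list:
    # Each neighbor row: device id, local interface (two tokens, e.g. 'Ser 3/0'),
    # holdtime, one or more capability codes, platform, port id (two tokens).
    # Rows are parsed from both ends so that a variable number of capability
    # codes in the middle (e.g. 'R S I') does not shift the other columns.
    rows = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("Device ID"):
            in_table = True      # header line: everything after it is a neighbor row
            continue
        if not in_table or not line.strip():
            continue
        tok = line.split()
        if len(tok) < 8:
            raise ValueError("unexpected CDP row: %r" % line)
        rows.append({
            "neighbor": tok[0],
            "local_if": tok[1] + " " + tok[2],
            "holdtime": int(tok[3]),
            "capability": [CAPABILITY.get(c, c) for c in tok[4:-3]],
            "platform": tok[-3],
            "remote_if": tok[-2] + " " + tok[-1],
        })
    return rows

def links(reference: str, rows: list) -> list:
    # Render the table as 'R1 Ser 3/0 <-> R3 Ser 3/0 (...)' links, as the post spells them out.
    return ["%s %s <-> %s %s (%s, %s)" % (reference, r["local_if"], r["neighbor"],
            r["remote_if"], "/".join(r["capability"]), r["platform"]) for r in rows]
```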

Putting those three links together gives us the network topology.

So we conclude that using CDP we can get a clear picture of the topology. If you want more details, especially the IP addresses of the connected devices, you can use show cdp neighbors detail:

show cdp neighbors detail

R1#show cdp neighbors detail

Device ID: R3
Entry address(es):
IP address : 172.16.14.2
Platform: cisco PT1000, Capabilities: Router
Interface: Serial3/0, Port ID (outgoing port): Serial3/0
Holdtime: 163

Version :
Cisco Internetwork Operating System Software
IOS (tm) PT1000 Software (PT1000-I-M), Version 12.2(28), RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Wed 27-Apr-04 19:01 by miwang

advertisement version: 2
Duplex: full
-------------------------

Device ID: R2
Entry address(es):
IP address : 192.168.31.2
Platform: cisco PT1000, Capabilities: Router
Interface: Serial2/0, Port ID (outgoing port): Serial2/0
Holdtime: 124

Version :
Cisco Internetwork Operating System Software
IOS (tm) PT1000 Software (PT1000-I-M), Version 12.2(28), RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Wed 27-Apr-04 19:01 by miwang

advertisement version: 2
Duplex: full
-------------------------

Device ID: Switch
Entry address(es):
Platform: cisco 2960, Capabilities: Switch
Interface: FastEthernet0/0, Port ID (outgoing port): FastEthernet0/1
Holdtime: 175

Version :
Cisco IOS Software, C2960 Software (C2960-LANBASE-M), Version 12.2(25)FX, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Wed 12-Oct-05 22:05 by pt_team

advertisement version: 2
Duplex: full

 

show cdp neighbors detail just gives you more details, like the IP addresses and the IOS versions involved, but it is basically the same information. It can be very helpful, especially if the network topology documentation has been lost. Keep in mind that the same details (IP addresses, platform, IOS version) are advertised to whatever is plugged into the port, so on ports facing untrusted devices it is common practice to turn CDP off with no cdp enable on the interface (or no cdp run globally).

Let me have my breakfast first, mate!

****************************After Breakfast***************************

LLDP ( Link-Layer Discovery Protocol)

Yeah! I’m back after that heavy breakfast. Seriously, I was planning to discuss LLDP in the next blog post. Upon researching, I realized that LLDP is an IEEE-standardized neighbor discovery protocol, the counterpart of CDP. It is registered as IEEE 802.1AB and works almost the same way, but LLDP was created to support non-Cisco devices, including VoIP phones and switches.

Use show lldp (and show lldp neighbors, the LLDP equivalent of show cdp neighbors) to verify. LLDP is disabled by default on most IOS devices; lldp run in global configuration mode turns it on.

In most cases CDP is used to discover neighbor devices, but it is good to know what LLDP is for further troubleshooting purposes, just like I learned it 30 minutes ago.

******************************End of Blog*******************************