ospf part 4: ospf authentication

Hi there mate! This will be the last discussion on OSPF configuration. The rest of the OSPF topics will discuss how OSPF works and the content of Hello packet. The last topic that we had was configuring passive interfaces for security reasons. This time, we will configure OSPF with authentication using encrypted passwords. The need for configuring authentication is very simple, it is to provide security to active interfaces.  I mean active interface are those interfaces that receives and sends hello or OSPF updates. They cannot be a passive interface so authentication will be the best process to secure those interfaces.

Just come to imagine the scenario below wherein12a1

Instead that the interface serial 1/0 of router 1 is connected to router2. It was connected to hacking router so it will lead to security breach.

So let us get back to our original topology.

12a2.PNG

Authentication SYNTAX:

en 
conf t
router ospf {process#} <— process # 
area {area#} authentication message digest < — we set authentication on the entire area on specific router
exit
int serial x/x
ip ospf message-digest-key 1 md5 {password} <— the authentication used is MD5 , you can further check on google how it works 

Note: 1.) We set password on each interface since the security breach may happen on each                     interface

2.) We can set multiple passwords on each interface: the syntax will follow:

 

int serial x/x
ip ospf message-digest-key 1 md5 {password}
ip ospf message-digest-key 2 md5 {password}

Very easy configuration right? So let us try to check the configuration on each router.
en
conf t
router ospf 100
area 0 authentication message-digest
exit
int se 1/0
ip ospf message-digest-key 1 md5 cisco

12a3

As we can see, opsf neighbor adjacency went down. It is for the reason that the neighbor router is not also configured with authentication and so they will not established neighbor relationship. Another way to verify: show ip ospf neighbor

12a4

So no neighbor relationship established. We can now continue with R2 authentication configuration:

@r2

en
conf t
router ospf 100
area 0 authentication message-digest
exit

12a5

As I go on, I can see that neighbor adjacency went down even without configuring the interfaces. It is for the reason that authentication was configured globally so it affects all the interfaces involved. We need to go by interfaces so that it would be more secured and to specify the password. How we will enter a locked door without a key? There should be a key. We need to specify the password / key-string. Below shows that no neighbor adjacency was established.

12a6

Let us continue the configuration:

int se 1/0
ip ospf message-digest-key 1 md5 cisco
int se 1/1
ip ospf message-digest-key 1 md5 cisco
exit

Below is what happened when I configured authentication on R2. We can see that serial 1/0 went up since it is connected to R1 and R1 has already md5 configuration. We can see on neighbor table that only R1 exists since R3 doesnt have md5 configuration.

12a7.png

Below is the neighbor table of R1, it shows that he can now see R2

12a8

Lastly, let us configure R3:
en
conf t
router ospf 100
area 0 authentication message-digest
exit
int se 1/1
ip ospf message-digest-key 1 md5 cisco
exit

12a9.png

Nothing much special with R3 configuration. We already discussed that serial 1/1 is possible to turn up since all routers has already md5 authentication and also router 2 appears on neighbor table. One thing that I can add to is that you alway see that term “from loading to FULL”. Those are stages of neighbor adjacency which we will discuss on the next topics.

I guess right now, you wonder how ospf works? We will discuss that on the next topic.

Advertisements

OSPF part 2: Router-ID

Hi mate, good morning!  We will be dealing back with our network topology that we configured before.o7a

You wonder what is router-id right? Router-id is the identifier of router on the perception of another router. I am sorry if it is a little bit confusing. Here’s how it goes, R1 would identify R2 by R2’s router-id and R2 would identify R1 by R1’s router ID.

I hope that your GNS3 is now ready. Kindly input ” show ip protocols”

12a.PNG

Router-ID is an important concept in each routing protocols specially with OSPF and EIGRP. When R1 would like to connect to R2, of course R1 should introduce himself and R1 will introduce his router-id as his name. On the figure above, you would see ROUTING INFORMATION SOURCES and the ip address written on the gateway column is the router-id. So how would we know the router-id which should be listed? There are hierarchy to know the router-id and these are the following from the top priority to the least priority.

1.) Hard-coded router-id – this is the router-id that we manually configure.

2.) Highest loopback address- very self-explanatory, the loopback address which has highest numerical value

3.)Highest ip address-   very self-explanatory, the ip address which has highest numerical value

If ever you wonder why there are two router-ids on the “show ip protocols” command, it was because there are two neighbor routers.

12b

Before we proceed with manually configuring the IP address, let us try to remove the loopback addresses, to know if removing the loopback address would lead us that the highest IP address will be the last resort if there are no loopback address and no hard-coded router-id. Since it is very obvious on the figure above that highest loopback address was used instead of hard coded router-id and highest IP address.

Let us try to implement:

on R2

conf t

int lo 0
ip address 192.168.91.1 255.255.255.0
shut
int lo 1
ip address 192.168.92.1 255.255.255.0
shut
int lo 2
ip address 192.168.93.1 255.255.255.0
shut
exit
do sh ip int br

 

on R3

en
conf t

int lo 0
ip address 10.0.0.1 255.255.255.0
shut
int lo 1
ip address 20.0.0.1 255.255.255.0
shut
exit
do sh ip int br

 

As you observed, the router-ids are not changed. Why is it happening? because R1 already knows R2 as 192.168.93.1 and R1 already knows R3 as 20.0.0.1 and so in the event there are changes with R2 and R3, R1 would still identify R2 and R3 as their original router-ids unless R2 and R3 reintroduce themselves to R1.  In order that R2 and R3 will reintroduce themselves to R1, we need to restart the routers.

12c

 

Alright, the routers just got restarted, and let us check sh ip protocols command,

12d

You would see that 201.52.30.2 which is not a loopback nor hard-coded router-id on the routing information sources. Due to incorrect configuration, only one router-is is known by R1 and  R3’s router-id is not known by R1. Also, you will see above the the router-id of R1 still remain as 172.16.17.1 since we did not touch that.So let us retrieve the loopback addresses.

12e.PNG

***********************************************************************Configuration of Router-IDs

Mate, it is very clear that the reason why we consider hard-coded router-ids as top of the hierarchy is because it is something stable or meaning to say it will not vary. What I mean is that in the event that the interface with highest ip address went down or the loopback address was accidentally went to administratively down, it may cause misconfiguration which will lead to network disruption.So it is advisable in the industry, to configure router-id. So let us take note that router-id doesnt necessarily mean that it is an ip address though it looks like ip address.

Let us designate the router-ids of routers:

R1 1.1.1.1

R2 2.2.2.2

R3 3.3.3.3

SYNTAX:

en
conf t
router ospf  {process#}
router-id x.x.x.x
do clear ip ospf process  —> it will appear and it is your discretion whether to restart router or clear the router-ids, then type  YES
do wr
exit
do sh ip protocols

@R1

en
conf t
router ospf 100
router-id 1.1.1.1
do clear ip ospf process  ; type YES
do wr
exit
do sh ip protocols

 

@r2

en
conf t
router ospf 100
router-id 2.2.2.2
do clear ip ospf process; type YES
do wr
exit

 

@R3

en
conf t
router ospf 100
router-id 3.3.3.3
do clear ip ospf process; type YES
do wr
exit

 

And there you go, we will check the router-id of R1, please take note that old router-ids may take time to be removed on the sh ip protocols table

12f

Let’s check R2

12g

 

Let’s check R3

12h

And there dyou go! We are able to at least configure router id on OSPF protocol. Next ospf process that we will configure is passive inteface and security features of OSPF. After that, we will explain how OSPF works. Stay tuned!

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

3.8 Configure, verify, and troubleshoot IPv4 and IPv6 static routing

Good morning! We’ll proceed with static routing with the network topology below:

1226

The primary configurations are below:

@ BPO_MAIN_BLDG_1

enable
conf t
line console 0
password cisco
logging sync
exec-timeout 20 30
login
exit
line vty 0 15
password cisco
logging sync
exec-timeout 20 30
login
exit
hostname BPO_MAIN_BLDG_1
enable secret class
service password-encryption
no ip domain-lookup
banner motd “AUTHORIZED ACCESS ONLY”
do wr

@BPO_MAIN_BLDG_2

enable
conf t
line console 0
password cisco
logging sync
exec-timeout 20 30
login
exit
line vty 0 15
password cisco
logging sync
exec-timeout 20 30
login
exit
hostname BPO_MAIN_BLDG_2
enable secret class
service password-encryption
no ip domain-lookup
banner motd “AUTHORIZED ACCESS ONLY”
do wr
@BPO_MAIN

enable
conf t
line console 0
password cisco
logging sync
exec-timeout 20 30
login
exit
line vty 0 15
password cisco
logging sync
exec-timeout 20 30
login
exit
hostname BPO_MAIN
enable secret class
service password-encryption
no ip domain-lookup
banner motd “AUTHORIZED ACCESS ONLY”
do wr

@BPO_BRANCH
enable
conf t
line console 0
password cisco
logging sync
exec-timeout 20 30
login
exit
line vty 0 15
password cisco
logging sync
exec-timeout 20 30
login
exit
hostname BPO_BRANCH
enable secret class
service password-encryption
no ip domain-lookup
banner motd “AUTHORIZED ACCESS ONLY”
do wr
@BPO_BRANCH_ANNEX_1
enable
conf t
line console 0
password cisco
logging sync
exec-timeout 20 30
login
exit
line vty 0 15
password cisco
logging sync
exec-timeout 20 30
login
exit
hostname BPO_BRANCH_ANNEX_1
enable secret class
service password-encryption
no ip domain-lookup
banner motd “AUTHORIZED ACCESS ONLY”
do wr
@BPO_BRANCH_ANNEX-2
enable
conf t
line console 0
password cisco
logging sync
exec-timeout 20 30
login
exit
line vty 0 15
password cisco
logging sync
exec-timeout 20 30
login
exit
hostname BPO_BRANCH_ANNEX-2
enable secret class
service password-encryption
no ip domain-lookup
banner motd “AUTHORIZED ACCESS ONLY”
do wr
***************************
@ main bldg 1

en
conf t
int se 3/0
ip add 200.0.0.1 255.255.255.252
no shut
exit
int se 2/0
ip address 200.0.0.17 255.255.255.252
no shut
exit

@main bldg 2
en
conf t
int se 2/0
ip add 200.0.0.18 255.255.255.252
shut
no shut
exit
int se 3/0
ip add 200.0.0.5 255.255.255.252
shut
no shut
exit

@ BPO_MAIN

en
conf t
int se 6/0
ip add 200.0.0.2 255.255.255.252
no shut
exit
int se 7/0
ip add 200.0.0.6 255.255.255.252
no shut
exit
int se 2/0
ip add 200.0.0.25 255.255.255.252
no shut
exit
int se 3/0
ip add 200.0.0.29 255.255.255.252
no shut
exit
int fa 0/0
no shut
exit

@ BPO_BRANCH

en
conf t
int se 2/0
ip add 200.0.0.26 255.255.255.252
no shut
exit
int se 3/0
ip add 200.0.0.30 255.255.255.252
no shut
exit
int se 6/0
ip add 200.0.0.9 255.255.255.252
no shut
exit
int se 7/0
ip add 200.0.0.13 255.255.255.252
no shut
exit
int fa 0/0
no shut
exit
@bpo annex 1

en
conf t
int se 2/0
ip add 200.0.0.10 255.255.255.252
no shut
exit
int se 3/0
ip add 200.0.0.21 255.255.255.252
no shut
exit
int gigabitEthernet7/0
no shut
exit

@bpo annex 2

en
conf t
int se 2/0
ip add 200.0.0.14 255.255.255.252
no shut
exit
int se 3/0
ip add 200.0.0.22 255.255.255.252
no shut
exit
int gigabitEthernet 8/0
no shut
exit

**********************************************************************

Game!

Let us verify:

 

1226b

1226c

1226e

1226f

1226g.PNG

Alright, so we’ll begin the discussion focusing on BPO_MAIN:

1226h

BPO_MAIN has next hop IP addresses:

200.0.0.1

200.0.0.5

200.0.0.26

200.0.0.30

which means  that succesful ping from BPO_MAIN to those ip addresses can be guaranteed.Let’s verify:

1226i.PNG

1226j

Let us try to get a response from remote network address, let’s say  200.0.0.10 and 200.0.0.13

1226k

So an aspiring network engineer, it is our task to provide routing or successful ping on remote network addresses. It is reasonable that we are not going to get a response because those ip addresses are not listed on the routing table of the BPO_MAIN. Let us verify:

1226l

We got possible to  200.0.0.1,200.0.0.5,200.0.0.26,200.0.0.30 because it is part of the network which is directly connected. So since we are only limited with those directly connected networks, we can add other ip address so that we can have ping response from BPO_MAIN. There are multiple ways to add it, but let us start first with static routing.

Drawbacks of Static Routing:

1.) In the event of network changes, we must manually configured static routing again

2.) It is not advisable for large networks

3.) It takes time to implement since it is manually configured.

*********************************************************************

Syntax for STATIC route

ip route (network destination) (subnet mask) (next hop ip address)

1.) Network destination is the network address of the route you want to reach

2.)Subnet mask of the network destination

3.) next hop IP address- it is the ip address of the neighbor to which you need to pass the packet to  reach the network destination.

1226m.png

Game, let us start configuring static route.

Technique:It may be going to be hard to know the remote network addresses of other routers, because it may require us subnetting techniques, but we can easily know the remote network addresses by making a telnet session to the branch router and make a show ip route to that branch router.

1226n

Configuration:

Let us try to reach BPO_MAIN_BLDG_1 first:
en
conf t
ip route 200.0.0.0 255.255.255.252 200.0.0.1
ip route 200.0.0.16 255.255.255.252 200.0.0.1
exit

Let us try to get a ping to 200.0.0.17 and 200.0.0.1

1226o

Verify:

1226p

There you go! We’ve seen that the network 200.0.0.16 was learned via static configuration by the help of next hop ip address: 200.0.0.1

Let us try to reach BPO_MAIN_BLDG 2
en
conf t
ip route 200.0.0.4 255.255.255.252 200.0.0.5
ip route 200.0.0.16 255.255.255.252 200.0.0.5
exit

Verify:

12261.PNG

Check ping:

ping 200.0.0.18

ping 200.0.0.5

1226q.PNG

Alright, so BPO_MAIN  is now reaching the left side of the network . I’ll get back to you once I finished the entire configuration for all the routers.

Yup, I took my breakfast and finally done with the static configuration:

Static Route
@ BPO MAIN

en
conf t
ip route 200.0.0.0 255.255.255.252 200.0.0.1
ip route 200.0.0.16 255.255.255.252 200.0.0.1
exit
en
conf t
ip route 200.0.0.4 255.255.255.252 200.0.0.5
ip route 200.0.0.16 255.255.255.252 200.0.0.5
exit

en
conf t
ip route 200.0.0.8 255.255.255.252 200.0.0.26
ip route 200.0.0.8 255.255.255.252 200.0.0.30
exit
ip route 200.0.0.12 255.255.255.252 200.0.0.26
ip route 200.0.0.12 255.255.255.252 200.0.0.30
exit
conf t
ip route 200.0.0.24 255.255.255.252 200.0.0.26
ip route 200.0.0.28 255.255.255.252 200.0.0.30
exit
conf t
ip route 200.0.0.24 255.255.255.252 200.0.0.30
ip route 200.0.0.28 255.255.255.252 200.0.0.26
exit

conf t
ip route 200.0.0.8 255.255.255.252 200.0.0.26
ip route 200.0.0.20 255.255.255.252 200.0.0.26
exit
conf t
ip route 200.0.0.8 255.255.255.252 200.0.0.30
ip route 200.0.0.20 255.255.255.252 200.0.0.30
exit

@BPO MAIN BLDG 1

conf t
ip route 200.0.0.4 255.255.255.252 200.0.0.18
ip route 200.0.0.16 255.255.255.252 200.0.0.18
exit
conf t
ip route 200.0.0.0 255.255.255.252 200.0.0.2
ip route 200.0.0.14 255.255.255.252 200.0.0.2
ip route 200.0.0.24 255.255.255.252 200.0.0.2
ip route 200.0.0.28 255.255.255.252 200.0.0.2
exit
conf t
ip route 200.0.0.8 255.255.255.252 200.0.0.2
ip route 200.0.0.12 255.255.255.252 200.0.0.2
ip route 200.0.0.24 255.255.255.252 200.0.0.2
ip route 200.0.0.28 255.255.255.252 200.0.0.2
exit
conf t
ip route 200.0.0.8 255.255.255.252 200.0.0.2
ip route 200.0.0.20 255.255.255.252 200.0.0.2
exit
conf t
ip route 200.0.0.12 255.255.255.252 200.0.0.2
ip route 200.0.0.20 255.255.255.252 200.0.0.2
exit
*************************************

@ BPO MAIN BLDG 2

conf t
ip route 200.0.0.0 255.255.255.252 200.0.0.17
ip route 200.0.0.16 255.255.255.252 200.0.0.7
exit

conf t
ip route 200.0.0.0 255.255.255.252 200.0.0.6
ip route 200.0.0.4 255.255.255.252 200.0.0.6
ip route 200.0.0.24 255.255.255.252 200.0.0.6
ip route 200.0.0.28 255.255.255.252 200.0.0.6
exit

conf t
ip route 200.0.0.8 255.255.255.252 200.0.0.6
ip route 200.0.0.12 255.255.255.252 200.0.0.6
ip route 200.0.0.24 255.255.255.252 200.0.0.6
ip route 200.0.0.28 255.255.255.252 200.0.0.6
exit

conf t
ip route 200.0.0.8 255.255.255.252 200.0.0.6
ip route 200.0.0.20 255.255.255.252 200.0.0.6
exit

conf t
ip route 200.0.0.12 255.255.255.252 200.0.0.6
ip route 200.0.0.20 255.255.255.252 200.0.0.6
exit

******************************************

@ BPO branch

conf t
ip route 200.0.0.8 255.255.255.252 200.0.0.10
ip route 200.0.0.20 255.255.255.252 200.0.0.10
exit

conf t
ip route 200.0.0.12 255.255.255.252 200.0.0.14
ip route 200.0.0.20 255.255.255.252 200.0.0.14
exit

conf t
ip route 200.0.0.0 255.255.255.252 200.0.0.25
ip route 200.0.0.4 255.255.255.252 200.0.0.25
ip route 200.0.0.24 255.255.255.252 200.0.0.25
ip route 200.0.0.28 255.255.255.252 200.0.0.25
ip route 200.0.0.0 255.255.255.252 200.0.0.29
ip route 200.0.0.4255.255.255.252 200.0.0.29
ip route 200.0.0.24 255.255.255.252 200.0.0.29
ip route 200.0.0.28 255.255.255.252 200.0.0.29
exit

conf t
ip route 200.0.0.0 255.255.255.252 200.0.0.25
ip route 200.0.0.16 255.255.255.252 200.0.0.25
ip route 200.0.0.0 255.255.255.252 200.0.0.29
ip route 200.0.0.16 255.255.255.252 200.0.0.29
exit
conf t
ip route 200.0.0.4 255.255.255.252 200.0.0.25
ip route 200.0.0.16 255.255.255.252 200.0.0.25
ip route 200.0.0.4 255.255.255.252 200.0.0.29
ip route 200.0.0.16 255.255.255.252 200.0.0.29
exit

*********************
@ ANNEX 1

conf t
ip route 200.0.0.8 255.255.255.252 200.0.0.9
ip route 200.0.0.12 255.255.255.252 200.0.0.9
ip route 200.0.0.24 255.255.255.252 200.0.0.9
ip route 200.0.0.28 255.255.255.252 200.0.0.9
exit

conf t
ip route 200.0.0.12 255.255.255.252 200.0.0.14
ip route 200.0.0.20 255.255.255.252 200.0.0.14
exit

conf t
ip route 200.0.0.0 255.255.255.252 200.0.0.9
ip route 200.0.0.4 255.255.255.252 200.0.0.9
ip route 200.0.0.24 255.255.255.252 200.0.0.9
ip route 200.0.0.28 255.255.255.252 200.0.0.9
exit

conf t
ip route 200.0.0.0 255.255.255.252 200.0.0.9
ip route 200.0.0.16 255.255.255.252 200.0.0.9
exit
conf t
ip route 200.0.0.4 255.255.255.252 200.0.0.9
ip route 200.0.0.16 255.255.255.252 200.0.0.9
exit

@ Annex 2

conf t
ip route 200.0.0.8 255.255.255.252 200.0.0.21
ip route 200.0.0.20 255.255.255.252 200.0.0.21
exit

conf t
ip route 200.0.0.8 255.255.255.252 200.0.0.13
ip route 200.0.0.12 255.255.255.252 200.0.0.13
ip route 200.0.0.24 255.255.255.252 200.0.0.13
ip route 200.0.0.28 255.255.255.252 200.0.0.13
exit

conf t
ip route 200.0.0.0 255.255.255.252 200.0.0.13
ip route 200.0.0.4 255.255.255.252 200.0.0.13
ip route 200.0.0.24 255.255.255.252 200.0.0.13
ip route 200.0.0.28 255.255.255.252 200.0.0.13
exit
conf t
ip route 200.0.0.0 255.255.255.252 200.0.0.13
ip route 200.0.0.16 255.255.255.252 200.0.0.13
exit
conf t
ip route 200.0.0.4 255.255.255.252 200.0.0.13
ip route 200.0.0.16 255.255.255.252 200.0.0.13
exit

PING TEST @ BPO MAIN BLDG 1

1226r.PNG

PING TEST @  BPO MAIN

1226s.PNG

At last we are getting succesful ping response whether we are on the side or at the middle of the topology.

Let’s check  and analyze the routing table of each  routers:

1226t

We are getting successful route from upper left router to either middle right, top or bottom routers because we configured it manually. We can verify that on the picture above. Let’s say that network address 200.0.0.8, though it is not directly connected to BPO MAIN BLDG 1 but it was learned manually by the help of 200.0.0.2. Also, let us check the highlighted [1/0] which represents the administrative distance and the metric which serves as the reference of what is the best path.

Other routing table shows:

1226ta

1226tb.PNG

1226tc

1226td.PNG

1226te

Alright, I’m challenging everyone to interpret how each routers learned the route to the network destination. It will be just easy to explain here but will take time because there are 6 routers. But seriously, it is just easy interpreting the routing table.

 

************************END OF BLOG**********************************