Wired Intelligent Edge (Campus Switching and Routing)

How To Configure MD5 Authentication For OSPF In Multi-OS Environment

Requirement:

The major requirement here is to demonstrate an OSPF deployment in a multi-vendor or multi-OS environment, where the switches build a neighborship with each other using Message Digest 5 (MD5) authentication for enhanced security and then exchange routes from one site to the other.

This document demonstrates the different ways MD5 authentication is configured on Provision (ProCurve), Comware, Cisco and Aruba OS-CX switches.

Below is the topology of a Cisco 3750, an HPE Comware 5800, an Aruba 6300 and an Aruba 5400R Provision switch connected to each other and exchanging routes via the OSPF protocol:

 



Solution:

Routing protocols are used to exchange reachability information between routers.

Routing information learned from peers is used to determine the next hop towards the destination.

To route traffic correctly, it is necessary to prevent malicious or incorrect routing information from being introduced into the routing table.

This can be done by authenticating the routing updates exchanged between routers.

Open Shortest Path First (OSPF) supports plain-text authentication and Message Digest 5 (MD5) authentication.

 

Configuration overview:

Only three key points need to be remembered while configuring authentication in OSPF.

A) Types of Authentication:

There are three different types of authentication available for OSPF version 2:
1) Null authentication: Null authentication means that there is no authentication, which is the default on Cisco routers.
2) Clear text authentication: In this method of authentication, passwords are exchanged in clear text on the network.
3) Cryptographic authentication: The cryptographic method uses the open-standard MD5 (Message Digest 5) algorithm.

B) Enabling OSPF Authentication:

OSPF authentication can be enabled in two ways:
1) Per interface: Authentication is enabled per interface using the "ip ospf authentication" command.
2) Area authentication: Authentication for an area is enabled using the "area authentication" command.

C) Configuring the Authentication Key:

In either case a password must be configured on the interface using the "ip ospf authentication-key" or "ip ospf message-digest-key" command.

In this document, we concentrate only on interface-level configuration, NOT area-level authentication, as we are using a single area for our topology.

The above commands are largely common to Cisco switches and Aruba Provision and OS-CX switches. However, check the device-specific command-line guide for more information.

 

Topology Information:

The Cisco 3750 is an L3 switch representing one site, with two loopback interfaces that have to be advertised via OSPF. On the Cisco switch, routing must be enabled manually with the global command "ip routing", and LLDP with the global command "lldp run".

In the above diagram, you see the Cisco device is connected to two more devices:

1. Gi1/0/1 is connected to the Comware switch at port GigabitEthernet1/0/1.

2. Gi1/0/2 is connected to the ProCurve switch at port A1.

 

Both the Comware and ProCurve switches are also connected to the Aruba 6300 switch, as shown in the output below:

1. Port 1/1/1 is connected to the ProCurve at port A2.

2. Port 1/1/2 is connected to the Comware at port GigabitEthernet1/0/2.

 



Configuration:

Cisco Switch Configuration:

Cisco#show running-config
Building configuration...

Current configuration : 1994 bytes


!! Output Omitted!!

 

hostname Cisco

 

!! Output Omitted!!

 

ip routing

 

!! Output Omitted!!

lldp run
!
!
!
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.0
!
interface Loopback2
 ip address 2.2.2.2 255.255.255.0
!
interface GigabitEthernet1/0/1
 no switchport
 ip address 11.11.11.1 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 aruba123
!
interface GigabitEthernet1/0/2
 no switchport
 ip address 12.12.12.1 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 aruba123
!


!!Output Omitted!!

!
interface Vlan1
 no ip address
!
router ospf 1
 router-id 0.0.0.1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0


!! Output Omitted!!

 

For Cisco Switches:

1. ip ospf authentication message-digest - To enable MD5 authentication on the interface
2. ip ospf message-digest-key 1 md5 aruba123 -  To set the password for MD5 authentication

 

Comware Switch Configuration:

[Comware]display current-configuration
 

version 5.20.105, Release 1810P13
#
 sysname Comware


!!Output Omitted!!

vlan 1
#
vlan 11
#
vlan 21
#
interface NULL0
#
interface LoopBack1
 ip address 3.3.3.3 255.255.255.255
#
interface LoopBack2
 ip address 4.4.4.4 255.255.255.255
#
interface Vlan-interface11
 ip address 11.11.11.2 255.255.255.0
 ospf authentication-mode md5 1 cipher $c$3$LJf/TLGVf4EF/iS8kGtzuv/BlXx5J0YFFO8H
#
interface Vlan-interface21
 ip address 21.21.21.2 255.255.255.0
 ospf authentication-mode md5 1 cipher $c$3$DdsWQXCpXzzwiD7aKay1RnZtLn1DXZZgZzyw
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port access vlan 11
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 port access vlan 21


!!Output Omitted!!

#
ospf 1 router-id 0.0.0.2
 area 0.0.0.0
  network 0.0.0.0 255.255.255.255


!!Output Omitted!!

#
return

 

For Comware Switches:

ospf authentication-mode md5 1 plain aruba123 - To enable authentication on vlan-interface

 

Aruba OS-CX 6300 Switch Configuration:

OS-CX# show running-config

Current configuration:
!
!Version ArubaOS-CX FL.10.04.0010
!export-password: default
hostname OS-CX
!
!
!
!
ssh server vrf default
ssh server vrf mgmt
!
!
!
!
!
router ospf 1
    router-id 0.0.0.4
    area 0.0.0.0
vlan 1
spanning-tree
interface mgmt
    no shutdown
    ip dhcp
interface 1/1/1
    no shutdown
    routing
    ip address 22.22.22.3/24
    ip ospf 1 area 0.0.0.0
    ip ospf authentication message-digest
    ip ospf message-digest-key 1 md5 ciphertext AQBapVWcNJavUClNBQenFaJwwRrR+nWcJUvsQlHUbuaiOvlDCAAAAMCnYwT2Ful+
interface 1/1/2
    no shutdown
    routing
    ip address 21.21.21.3/24
    ip ospf 1 area 0.0.0.0
    ip ospf authentication message-digest
    ip ospf message-digest-key 1 md5 ciphertext AQBapVWcNJavUClNBQenFaJwwRrR+nWcJUvsQlHUbuaiOvlDCAAAAMCnYwT2Ful+

 

!!Output Omitted!!

 

interface loopback 1
    ip address 7.7.7.7/24
    ip ospf 1 area 0.0.0.0
interface loopback 2
    ip address 8.8.8.8/24
    ip ospf 1 area 0.0.0.0
interface vlan1
    ip dhcp
https-server vrf default
https-server vrf mgmt
vsf member 1
    type jl661a
 

For OS-CX Switches:

1. ip ospf authentication message-digest - To enable MD5 on the interface 

2. ip ospf message-digest-key 1 md5 plaintext aruba123 - To set the password for the MD5
 

 

ProCurve Switch Configuration:

ProCurve# show running-config

Running configuration:

; J9850A Configuration Editor; Created on release #KB.16.08.0011
; Ver #14:2f.6f.f8.1d.fb.7f.bf.bb.ff.7c.59.fc.7b.ff.ff.fc.ff.ff.3f.ef:40
hostname "ProCurve"
module A type j9990a
module B type j9986a
module C type j9996a
module D type j9550a
ip router-id 0.0.0.3
ip routing
key-chain "OSPF"
key-chain "OSPF" key 1 key-string "aruba123"
interface loopback 1
   ip address 5.5.5.5
   ip ospf 5.5.5.5 area backbone
   exit
interface loopback 2
   ip address 6.6.6.6
   ip ospf 6.6.6.6 area backbone
   exit
snmp-server community "public" unrestricted
oobm
   ip address dhcp-bootp
   ipv6 enable
   ipv6 address dhcp full
   exit
router ospf
   area backbone
   enable
   exit
vlan 1
   name "DEFAULT_VLAN"
   no untagged A1-A2
   untagged A3-A24,B1-B24,C1-C2,D1-D24
   ip address dhcp-bootp
   ipv6 enable
   ipv6 address dhcp full
   exit
vlan 12
   name "VLAN12"
   untagged A1
   ip address 12.12.12.2 255.255.255.0
   ip ospf 12.12.12.2 area backbone
   ip ospf 12.12.12.2 md5-auth-key-chain "OSPF"
   exit
vlan 22
   name "VLAN22"
   untagged A2
   ip address 22.22.22.2 255.255.255.0
   ip ospf 22.22.22.2 area backbone
   ip ospf 22.22.22.2 md5-auth-key-chain "OSPF"
   exit
 

For ProCurve Switch, we have to create a manual key chain for MD5 and call that in individual VLANs:

ProCurve(config)# key-chain OSPF
ProCurve(config)# key-chain OSPF key 1 key-string aruba123 accept-lifetime infinite send-lifetime infinite

VLAN-Context:

ip ospf 22.22.22.2 md5-auth-key-chain "OSPF"

 



Verification

For verification, we just need to remove any of the authentication commands from the physical interfaces or the VLAN interfaces.

We would see the neighborship go down as soon as the dead timer (30 seconds) expires.

Below is the demonstration when we take off the authentication configuration from the individual interfaces of the Cisco switch. You will see the neighborship to both the Comware and ProCurve devices go down as soon as the dead timer expires.

 

Cisco(config)#interface gigabitEthernet 1/0/1

Cisco(config-if)#no ip ospf authentication

*Mar  1 09:34:25.534: %OSPF-5-ADJCHG: Process 1, Nbr 0.0.0.2 on GigabitEthernet1/0/1 from FULL to DOWN, Neighbor Down: Dead timer expired

Cisco(config-if)#interface gigabitEthernet 1/0/2

Cisco(config-if)#no ip ospf authentication

*Mar  1 09:35:20.219: %OSPF-5-ADJCHG: Process 1, Nbr 0.0.0.3 on GigabitEthernet1/0/2 from FULL to DOWN, Neighbor Down: Dead timer expired

 

Below, once authentication is re-enabled, we can see the neighborship load to FULL again (the output above was taken from the Cisco switch while removing the OSPF authentication).

 

Cisco(config)#interface gigabitEthernet 1/0/1

Cisco(config-if)#ip ospf authentication message-digest
*Mar  1 09:46:45.678: %OSPF-5-ADJCHG: Process 1, Nbr 0.0.0.2 on GigabitEthernet1/0/1 from LOADING to FULL, Loading Done

Cisco(config-if)#interface gigabitEthernet 1/0/2
Cisco(config-if)#ip ospf authentication message-digest

*Mar  1 09:47:10.223: %OSPF-5-ADJCHG: Process 1, Nbr 0.0.0.3 on GigabitEthernet1/0/2 from LOADING to FULL, Loading Done
 

The same can be tested by taking the authentication off individual interfaces on the other switches and verifying the neighborship between the routers.

 

Points to remember:

1. If the authentication is removed from an interface while the other side is still running it (or if there is any password mismatch on the interfaces where authentication is enabled), the neighborship cannot be formed.

2. An interface with authentication only waits for the dead timer to expire. Once it stops receiving the authentication information in the Hello packets, it deletes the OSPF neighbor information from the table.
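What the switches actually compute once "ip ospf authentication message-digest" is in force (the cryptographic authentication type from the configuration overview, and the mismatch described in point 1 above) is not visible in the configs. The following Python is an added example, not code from this document or from any of the vendors' products: it builds a constructed OSPFv2 Hello, signs it as RFC 2328 Appendix D describes using the page's Key ID 1 and key string "aruba123", and shows that a receiver holding a different key, or a packet modified in transit, fails the check. The Hello body values (mask, intervals, priority) are constructed sample values.

```python
import hashlib
import hmac
import struct

# Added example (not from the page or any vendor's code): OSPFv2
# cryptographic authentication as RFC 2328 Appendix D defines it, using the
# page's Key ID 1 and key string "aruba123". A constructed Hello is signed
# with the sender's key and checked with the receiver's key; a mismatched key
# or a modified byte fails the check, which is why the neighborship drops.
AU_TYPE_CRYPTO = 2   # AuType 2 = cryptographic (MD5) authentication
DIGEST_LEN = 16      # MD5 digest length; also the padded key length

def _pad_key(key: bytes) -> bytes:
    # RFC 2328 D.4.3: the key is zero-padded (or truncated) to 16 bytes.
    return key[:DIGEST_LEN].ljust(DIGEST_LEN, b"\x00")

def ospf_hello(router_id: str, key_id: int, seq: int) -> bytes:
    # Constructed sample Hello body: mask /24, hello 10 s, options, priority 1,
    # dead interval 40 s, DR and BDR both 0.0.0.0 (20 bytes).
    body = struct.pack("!4sHBBI4s4s", b"\xff\xff\xff\x00", 10, 0x02, 1, 40,
                       b"\x00" * 4, b"\x00" * 4)
    # 24-byte OSPFv2 header: version 2, type 1 (Hello), length (digest not
    # counted), router ID, area 0.0.0.0, checksum 0 (unused with AuType 2),
    # AuType, then the auth field: 0x0000, Key ID, auth data len, sequence no.
    rid = bytes(int(o) for o in router_id.split("."))
    hdr = struct.pack("!BBH", 2, 1, 24 + len(body)) + rid + b"\x00" * 4
    hdr += struct.pack("!HH", 0, AU_TYPE_CRYPTO)
    hdr += struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    return hdr + body

def sign(packet: bytes, key: bytes) -> bytes:
    # Digest = MD5(packet || padded key), appended after the packet.
    return packet + hashlib.md5(packet + _pad_key(key)).digest()

def verify(frame: bytes, key: bytes) -> bool:
    # Receiver recomputes the digest with its own key for that Key ID.
    packet, digest = frame[:-DIGEST_LEN], frame[-DIGEST_LEN:]
    expected = hashlib.md5(packet + _pad_key(key)).digest()
    return hmac.compare_digest(expected, digest)

def auth_field(frame: bytes) -> tuple:
    # (Key ID, auth data length, cryptographic sequence number) from header.
    return struct.unpack("!HBBI", frame[16:24])[1:]

if __name__ == "__main__":
    frame = sign(ospf_hello("0.0.0.1", 1, 7), b"aruba123")
    print("matching key  :", verify(frame, b"aruba123"))  # True
    print("mismatched key:", verify(frame, b"aruba124"))  # False
```

Note that the sequence number only protects against replay of older packets; the key string itself never appears on the wire, which is the difference from clear-text authentication.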

Version history: Revision 1 of 1. Last update: 04-30-2020 12:15 PM.