Video: Configuring OSPF Authentication on Virtual Links

In the previous videos, I described OSPF authentication and showed how to configure it in a lab, but there is one part I've left out: OSPF authentication on virtual links. That is the subject of this video.

See: Configuring OSPF Authentication on Virtual Links

As a brief summary, all OSPF areas must connect to the backbone area (area 0). Where a direct physical connection is not possible, a virtual link can be used to connect to the backbone through a non-backbone area.

OSPF authentication can also be enabled for virtual links, but it is configured differently from normal OSPF authentication. Basic OSPF authentication, as I've explained in my previous videos, is enabled at the area level or the interface level, but the authentication key is always configured under the interface. OSPF authentication for virtual links is configured under the OSPF process.

Before enabling OSPF authentication, let's quickly look at how the virtual link itself is configured. The virtual link is configured between two ABRs using their router IDs, and the area in the command is the transit area between the ABRs.

NOTE: The area in the command is the transit area, not area 0, and the neighbor is identified by its router ID, not by the IP address of an interface.

Example: Configuring a Virtual Link

    router ospf 1
     area 1 virtual-link 150.1.4.4

There are a few ways to configure authentication for virtual links. The first method is to configure the authentication type and the authentication key as optional parameters in the virtual-link command.

Example: Configuring Clear Text Authentication for a Virtual Link

    router ospf 1
     area 1 virtual-link 150.1.4.4 authentication
     area 1 virtual-link 150.1.4.4 authentication-key SIMPLE

Example: Configuring MD5 Authentication for a Virtual Link

    router ospf 1
     area 1 virtual-link 150.1.4.4 authentication message-digest
     area 1 virtual-link 150.1.4.4 message-digest-key 1 md5 MD5KEY

The second method is to enable authentication on the area and configure the authentication key in the virtual-link command. If you do it this way, pay close attention: the virtual-link command requires the transit area between the ABRs, but which area does the virtual link actually belong to? It belongs to the backbone area. So you must enable authentication on area 0, not on the transit area.

Example: Configuring Clear Text Authentication for a Virtual Link (Area Level)

    router ospf 1
     area 0 authentication
     area 1 virtual-link 150.1.6.6 authentication-key SIMPLE

Example: Configuring MD5 Authentication for a Virtual Link (Area Level)

    router ospf 1
     area 0 authentication message-digest
     area 1 virtual-link 150.1.6.6 message-digest-key 1 md5 MD5KEY

The last method is to configure the authentication using key chains. You can enable cryptographic authentication, that is, MD5 or SHA authentication, this way.

Example: Configuring MD5 Authentication Using a Key Chain

    key chain OSPF-MD5
     key 1
      cryptographic-algorithm md5
      key-string MD5KEY
    router ospf 1
     area 1 virtual-link 150.1.4.4 authentication key-chain OSPF-MD5

Example: Configuring SHA Authentication Using a Key Chain

    key chain OSPF-SHA
     key 1
      cryptographic-algorithm hmac-sha-256
      key-string SHAKEY
    router ospf 1
     area 1 virtual-link 150.1.4.4 authentication key-chain OSPF-SHA

If you enable authentication on the virtual link by enabling authentication on the entire area, there is a caveat. What if you don't want to use authentication on other links between other neighbors? In that case, you can use Type 0 or "null" authentication on those interfaces. The ip ospf authentication null command effectively disables authentication on selected interfaces.

Example: Disabling OSPF Authentication on Selected Interfaces

    interface GigabitEthernet0/1
     ip ospf authentication null

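The three methods above can be checked against a saved configuration. The following Python sketch is an added example, not part of the original post or video: it works out the effective authentication type of each virtual link and flags the area-level mistake of enabling authentication on the transit area instead of area 0. The function name, the sample configs and the finding texts are constructed for illustration, and it assumes one router ospf process per file.

```python
import re

# Constructed sample: authentication enabled on transit area 1 instead of area 0.
TRANSIT_ONLY = """\
router ospf 1
 area 1 authentication message-digest
 area 1 virtual-link 150.1.6.6 message-digest-key 1 md5 MD5KEY
"""
# Same config with the area-level statement moved to the backbone.
BACKBONE = TRANSIT_ONLY.replace("area 1 authentication", "area 0 authentication")

AREA_AUTH = re.compile(r"^\s*area (\S+) authentication(?: (message-digest))?\s*$")
VLINK = re.compile(r"^\s*area (\S+) virtual-link (\S+)(.*)$")
BACKBONE_IDS = ("0", "0.0.0.0")
LINK_TYPES = {"message-digest": "md5", "null": "null", "key-chain": "key-chain"}

def audit_virtual_links(config):
    """Return {router_id: (effective_auth_type, [findings])} for each virtual link."""
    area_auth, links = {}, {}
    for line in config.splitlines():
        if m := AREA_AUTH.match(line):
            area_auth[m.group(1)] = "md5" if m.group(2) else "simple"
        elif m := VLINK.match(line):
            link = links.setdefault(
                m.group(2), {"area": m.group(1), "type": None, "keys": set()})
            opts = m.group(3).split()
            if "authentication" in opts:  # per-link type overrides the area setting
                nxt = (opts[opts.index("authentication") + 1:] or [""])[0]
                link["type"] = LINK_TYPES.get(nxt, "simple")
            if "authentication-key" in opts:
                link["keys"].add("simple")
            if "message-digest-key" in opts:
                link["keys"].add("md5")
    # A virtual link belongs to the backbone, so only area 0 authentication is inherited.
    backbone = next((area_auth[a] for a in BACKBONE_IDS if a in area_auth), None)
    report = {}
    for rid, link in links.items():
        effective = link["type"] or backbone or "none"
        findings = []
        if effective in ("none", "null"):
            findings.append("virtual link is unauthenticated")
            if link["area"] in area_auth and link["area"] not in BACKBONE_IDS:
                findings.append(f"authentication is set on transit area {link['area']}, "
                                "but the virtual link belongs to area 0")
        elif effective in ("simple", "md5") and effective not in link["keys"]:
            findings.append(f"{effective} authentication has no matching key configured")
        report[rid] = (effective, findings)
    return report

if __name__ == "__main__":
    for name, cfg in (("transit-only", TRANSIT_ONLY), ("backbone", BACKBONE)):
        print(name, audit_virtual_links(cfg))
```
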
Thank you for watching!
