OSPF can be configured to authenticate every OSPF message. This is usually done to prevent a rogue router from injecting false routing information and therefore causing a Denial-of-Service attack.
Two types of authentication can be used:
1. clear text authentication – clear text passwords are used
2. MD5 authentication – MD5 authentication is used. This type of authentication is more secure because the password doesn’t go in clear-text over the network.
With OSPF authentication turned on, routers must pass the authentication process before becoming OSPF neighbors.
To configure clear text authentication, the following steps are required:
- configure the OSPF password on the interface by using the ip ospf authentication-key PASSWORD interface command
- configure the interface to use OSPF clear-text authentication by using the ip ospf authentication interface command
In the following example, we will configure OSPF clear-text authentication.
Both routers are running OSPF. On R1, we need to enter the following commands:
The same commands have to be entered on R2:
Configuring OSPF MD5 authentication is very similar to configuring clear-text authentication. Two commands are also used:
- First you need to configure the MD5 value on an interface by using the ip ospf message-digest-key 1 md5 VALUE interface command
- Next, you need to configure the interface to use MD5 authentication by using the ip ospf authentication message-digest interface command
Here is an example configuration on R1:
You can verify that R1 is using OSPF MD5 authentication by typing the show ip ospf INTERFACE/INTERFACE_TYPE command:
OSPF authentication type can also be enabled on an area basis, instead of configuring OSPF authentication type per interface basis. This is done by using the area AREA_ID authentication [message-digest] command under the OSPF configuration mode. If you omit the message-digest keyword, a clear-text authentication will be used for that area. All interfaces inside the area will use OSPF authentication.
Prerequisites for 200-301
200-301 is a single exam, consisting of about 120 questions. It covers a wide range of topics, such as routing and switching, security, wireless networking, and even some programming concepts. As with other Cisco certifications, you can take it at any of the Pearson VUE certification centers.
The recommended training program that can be taken at a Cisco academy is called Implementing and Administering Cisco Solutions (CCNA). The successful completion of a training course will get you a training badge.
Full Version 200-301 Dumps