Cisco routers support a couple of different approaches to authenticating route advertisements received from a neighboring router:
* Plain text authentication
* Hashing authentication
Both of these approaches require routers to have matching passwords (also referred to as keys ); however, Cisco recommends the use of hashing authentication. Plain text authentication, as the name suggests, simply sends a password from one router to another in clear text. This leads to the security concern of having a malicious user capture authentication traffic containing a password and then injecting her own router, which could use the compromised password to authenticate with one of the network’s production routers.
Hashing authentication is preferred over plain text authentication, because it never sends the password over the network. Instead, a mathematical algorithm is run on the password, and the result of that algorithm (called a hash digest ) is sent from one router to its neighbor. That neighboring router also runs the hashing algorithm on its configured password, and if its hash digest matches the hash digest it receives from the first router, it can conclude that the passwords match. The two hashing algorithms that you can select from (depending on the routing protocol) include Message Digest 5 (MD5) and Secure Hash Algorithm (SHA) . SHA is generally considered to be somewhat more secure than MD5; however, either algorithm is vastly superior to using plain text authentication.
Hashing authentication using MD5 can be configured for the following protocols within Cisco IOS:
* RIPv2
* EIGRP
* OSPFv2
* OSPFv3
* IS-IS
* BGP
SHA authentication is supported by the following protocols:
* RIP next generation (RIPng)
* Named EIGRP
* OSPFv2
* Plain text authentication
* Hashing authentication
Both of these approaches require routers to have matching passwords (also referred to as keys ); however, Cisco recommends the use of hashing authentication. Plain text authentication, as the name suggests, simply sends a password from one router to another in clear text. This leads to the security concern of having a malicious user capture authentication traffic containing a password and then injecting her own router, which could use the compromised password to authenticate with one of the network’s production routers.
Hashing authentication is preferred over plain text authentication, because it never sends the password over the network. Instead, a mathematical algorithm is run on the password, and the result of that algorithm (called a hash digest ) is sent from one router to its neighbor. That neighboring router also runs the hashing algorithm on its configured password, and if its hash digest matches the hash digest it receives from the first router, it can conclude that the passwords match. The two hashing algorithms that you can select from (depending on the routing protocol) include Message Digest 5 (MD5) and Secure Hash Algorithm (SHA) . SHA is generally considered to be somewhat more secure than MD5; however, either algorithm is vastly superior to using plain text authentication.
Hashing authentication using MD5 can be configured for the following protocols within Cisco IOS:
* RIPv2
* EIGRP
* OSPFv2
* OSPFv3
* IS-IS
* BGP
SHA authentication is supported by the following protocols:
* RIP next generation (RIPng)
* Named EIGRP
* OSPFv2
R1#conf t
Enter
configuration commands, one per line.
End with CNTL/Z.
R1(config)#interface
loop 0
R1(config-if)#
*Jul 23
10:06:29.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0,
changed state to up
R1(config-if)#ip
address 192.168.1.1 255.255.255.0
R1(config-if)#interface
serial 2/0
R1(config-if)#ip
address 10.1.1.1 255.255.255.252
R1(config-if)#no
shut
R1(config-if)#
*Jul 23
10:06:54.739: %LINK-3-UPDOWN: Interface Serial2/0, changed state to up
R1(config-if)#
*Jul 23
10:06:55.747: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0,
changed state to up
R1(config-if)#end
R1#
*Jul 23
10:06:58.731: %SYS-5-CONFIG_I: Configured from console by console
R2#conf t
Enter
configuration commands, one per line.
End with CNTL/Z.
R2(config)#interface
serial 2/0
R2(config-if)#ip
address 10.1.1.2 255.255.255.252
R2(config-if)#no
shut
R2(config-if)#
*Jul 23
10:05:23.347: %LINK-3-UPDOWN: Interface Serial2/0, changed state to up
R2(config-if)#
*Jul 23
10:05:24.355: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0,
changed state to up
R2(config-if)#do
ping 10.1.1.1
Type
escape sequence to abort.
Sending
5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success
rate is 100 percent (5/5), round-trip min/avg/max = 20/28/40 ms
R2(config-if)#
R2(config-if)#interface
serial 2/1
R2(config-if)#ip
address 10.2.2.1 255.255.255.252
R2(config-if)#no
shut
R2(config-if)#
*Jul 23
10:06:14.075: %LINK-3-UPDOWN: Interface Serial2/1, changed state to up
R2(config-if)#
*Jul 23
10:06:15.083: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/1,
changed state to up
R2(config-if)#end
R2#
R3#conf t
Enter
configuration commands, one per line.
End with CNTL/Z.
R3(config)#interface
loop 0
R3(config-if)#
*Jul 23
10:06:53.103: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0,
changed state to up
R3(config-if)#ip
address 192.168.3.1 255.255.255.0
R3(config-if)#
R3(config-if)#interface
serial 2/1
R3(config-if)#ip
address 10.2.2.2 255.255.255.252
R3(config-if)#no
shut
R3(config-if)#
*Jul 23
10:07:18.539: %LINK-3-UPDOWN: Interface Serial2/1, changed state to up
R3(config-if)#
*Jul 23
10:07:19.547: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/1,
changed state to up
R3(config-if)#do
ping 10.2.2.1
Type
escape sequence to abort.
Sending
5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
!!!!!
Success
rate is 100 percent (5/5), round-trip min/avg/max = 20/24/28 ms
R3(config-if)#end
R3#
R1#conf t
Enter
configuration commands, one per line.
End with CNTL/Z.
R1(config)#router
eigrp ?
<1-65535> Autonomous System
WORD
EIGRP Virtual-Instance Name
R1(config)#router
eigrp ROUTE // CONFIGURE NAMED EIGRP
R1(config-router)#?
Router
configuration commands:
address-family Enter Address Family command mode
default Set a command to its defaults
exit Exit from routing protocol
configuration mode
no Negate a command or set its
defaults
service-family Enter Service Family command mode
shutdown Shutdown this instance of EIGRP
R1(config-router)#address-family
?
ipv4
Address family IPv4
ipv6
Address family IPv6
R1(config-router)#address-family
ipv4 ?
autonomous-system Specify Address-Family Autonomous System
Number
multicast Address Family Multicast
unicast Address Family Unicast
vrf Specify a specific virtual
routing/forwarding instance
R1(config-router)#address-family
ipv4 autonomous-system ?
<1-65535> Autonomous System
R1(config-router)#address-family
ipv4 autonomous-system 1
R1(config-router-af)#network
10.1.1.0 0.0.0.3
R1(config-router-af)#network
192.168.1.0 0.0.0.255
R1(config-router-af)#end
R1#
*Jul 23 10:14:08.843:
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.1.1.2 (Serial2/0) is up: new
adjacency
R2#conf t
Enter
configuration commands, one per line.
End with CNTL/Z.
R2(config)#router
eigrp ROUTE
R2(config-router)#address-family
ipv4 autonomous-system 1
R2(config-router-af)#network
10.1.1.0 0.0.0.3
R2(config-router-af)#
*Jul 23 10:11:08.475:
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.1.1.1 (Serial2/0) is up: new
adjacency
R2(config-router-af)#network
10.2.2.0 0.0.0.3
R2(config-router-af)#end
R2#
*Jul 23 10:12:02.783:
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.2.2.2 (Serial2/1) is up: new
adjacency
R3#conf t
Enter
configuration commands, one per line.
End with CNTL/Z.
R3(config)#router
eigrp ROUTE
R3(config-router)#address-family
ipv4 autonomous-system 1
R3(config-router-af)#network
10.2.2.2 0.0.0.3
R3(config-router-af)#
*Jul 23 10:12:12.347:
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.2.2.1 (Serial2/1) is up: new
adjacency
R3(config-router-af)#network
192.168.3.0 0.0.0.255
R3(config-router-af)#end
R3#
R1#show
ip route eigrp // VERIFY EIGRP ROUTES
Codes: L
- local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O -
OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 -
OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF
external type 2
i - IS-IS, su - IS-IS summary, L1 -
IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate
default, U - per-user static route
o - ODR, P - periodic downloaded static
route, H - NHRP, l - LISP
+ - replicated route, % - next hop
override
Gateway
of last resort is not set
10.0.0.0/8 is variably subnetted, 3
subnets, 2 masks
D 10.2.2.0/30 [90/23796062] via 10.1.1.2,
00:02:22, Serial2/0
D 192.168.3.0/24 [90/23796702] via 10.1.1.2,
00:01:28, Serial2/0
R1#
R1#tclsh // VERIFY CONNECTIVTY
R1(tcl)#foreach
address {
+>(tcl)#192.168.1.1
+>(tcl)#10.1.1.1
+>(tcl)#10.1.1.2
+>(tcl)#10.2.2.1
+>(tcl)#10.2.2.2
+>(tcl)#192.168.3.1
+>(tcl)#}
{ ping $address }
Type
escape sequence to abort.
Sending
5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success
rate is 100 percent (5/5), round-trip min/avg/max = 1/3/8 ms
Type
escape sequence to abort.
Sending
5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success
rate is 100 percent (5/5), round-trip min/avg/max = 36/40/44 ms
Type
escape sequence to abort.
Sending
5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success
rate is 100 percent (5/5), round-trip min/avg/max = 12/18/24 ms
Type
escape sequence to abort.
Sending
5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
!!!!!
Success
rate is 100 percent (5/5), round-trip min/avg/max = 8/16/20 ms
Type
escape sequence to abort.
Sending
5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success
rate is 100 percent (5/5), round-trip min/avg/max = 8/34/44 ms
Type
escape sequence to abort.
Sending
5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success
rate is 100 percent (5/5), round-trip min/avg/max = 8/34/72 ms
R1#conf t
Enter
configuration commands, one per line.
End with CNTL/Z.
R1(config)#router
eigrp ROUTE // SECURE NAMED EIGRP PROCESS
R1(config-router)#address-family
ipv4 autonomous-system 1
R1(config-router-af)#?
Address
Family configuration commands:
af-interface Enter Address Family interface
configuration
default Set a command to its defaults
eigrp EIGRP Address Family specific
commands
exit-address-family Exit Address Family configuration mode
help Description of the interactive
help system
maximum-prefix Maximum number of prefixes acceptable in
aggregate
metric Modify metrics and parameters
for address advertisement
neighbor Specify an IPv4 neighbor router
network Enable routing on an IP network
no Negate a command or set its
defaults
shutdown Shutdown address family
timers Adjust peering based timers
topology Topology configuration mode
R1(config-router-af)#af-interface
?
Async Async interface
Auto-Template Auto-Template interface
BVI Bridge-Group Virtual Interface
CDMA-Ix CDMA Ix interface
CTunnel CTunnel interface
Dialer Dialer interface
FastEthernet FastEthernet IEEE 802.3
GMPLS MPLS interface
Group-Async Async Group interface
LISP Locator/ID Separation Protocol
Virtual Interface
LongReachEthernet Long-Reach Ethernet interface
Loopback Loopback interface
MFR Multilink Frame Relay bundle
interface
Multilink Multilink-group interface
Port-channel Ethernet Channel of interfaces
Serial Serial
Tunnel Tunnel interface
Vif PGM Multicast Host interface
Virtual-PPP Virtual PPP interface
Virtual-Template Virtual Template interface
Virtual-TokenRing Virtual TokenRing
default Address-family default interface
configuration
vmi Virtual Multipoint Interface
R1(config-router-af)#af-interface
serial 2/0
R1(config-router-af-interface)#?
Address
Family Interfaces configuration commands:
authentication authentication subcommands
bandwidth-percent Set percentage of bandwidth percentage limit
bfd Enable Bidirectional
Forwarding Detection
dampening-change Percent interface metric must change to
cause update
dampening-interval Time in seconds to check interface metrics
default Set a command to its defaults
exit-af-interface Exit from Address Family Interface
configuration mode
hello-interval Configures hello interval
hold-time Configures hold time
next-hop-self Configures EIGRP next-hop-self
no Negate a command or set its
defaults
passive-interface Suppress address updates on an interface
shutdown Disable Address-Family on interface
split-horizon Perform split horizon
summary-address Perform address summarization
R1(config-router-af-interface)#authentication
?
key-chain
key-chain
mode
authentication mode
R1(config-router-af-interface)#authentication
mode ?
hmac-sha-256
HMAC-SHA-256 Authentication
md5
Keyed message digest
R1(config-router-af-interface)#authentication
mode hmac-sha-256 ?
<0-7>
Encryption type (0 to disable encryption, 7 for proprietary)
LINE
password
R1(config-router-af-interface)#authentication
mode hmac-sha-256 cisco123 // ENABLE SHA 256
R1(config-router-af-interface)#
*Jul 23 10:19:57.471:
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.1.1.2 (Serial2/0) is down:
authentication HMAC-SHA-256 configured
R1(config-router-af-interface)#end
R1#
*Jul 23 10:25:41.283:
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.1.1.2 (Serial2/0) is up: new
adjacency
*Jul 23 10:16:57.079:
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.1.1.1 (Serial2/0) is down: Auth
failure
R2#
R2#conf t
Enter
configuration commands, one per line.
End with CNTL/Z.
R2(config)#router
eigrp ROUTE
R2(config-router)#address-family
ipv4 autonomous-system 1
R2(config-router-af)#af-interface
serial 2/0
R2(config-router-af-interface)#authentication
mode hmac-sha-256 cisco123
R2(config-router-af-interface)#
*Jul 23 10:22:40.859:
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.1.1.1 (Serial2/0) is up: new
adjacency
R2(config-router-af-interface)#exit
R2(config-router-af)#af-interface
serial 2/1
R2(config-router-af-interface)#authentication
mode hmac-sha-256 cisco456
R2(config-router-af-interface)#
*Jul 23 10:23:57.835:
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.2.2.2 (Serial2/1) is down:
authentication HMAC-SHA-256 configured
R2(config-router-af-interface)#end
R2#
*Jul 23 10:26:31.195:
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.2.2.2 (Serial2/1) is up: new
adjacency
R3#conf t
Enter
configuration commands, one per line.
End with CNTL/Z.
R3(config)#router
eigrp ROUTE
R3(config-router)#address-family
ipv4 autonomous-system 1
R3(config-router-af)#af-interface
serial 2/1
R3(config-router-af-interface)#authentication
mode hmac-sha-256 cisco456
R3(config-router-af-interface)#
*Jul 23 10:26:40.727:
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.2.2.1 (Serial2/1) is up: new
adjacency
R3(config-router-af-interface)#end
R3#
R1#show
ip route eigrp
Codes: L
- local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O -
OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 -
OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF
external type 2
i - IS-IS, su - IS-IS summary, L1 -
IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate
default, U - per-user static route
o - ODR, P - periodic downloaded static
route, H - NHRP, l - LISP
+ - replicated route, % - next hop
override
Gateway
of last resort is not set
10.0.0.0/8 is variably subnetted, 3
subnets, 2 masks
D 10.2.2.0/30 [90/23796062] via 10.1.1.2,
00:05:35, Serial2/0
D 192.168.3.0/24 [90/23796702] via 10.1.1.2,
00:01:43, Serial2/0
R1#
R1#tclsh
R1(tcl)#foreach
address {
+>(tcl)#192.168.1.1
+>(tcl)#10.1.1.1
+>(tcl)#10.1.1.2
+>(tcl)#10.2.2.1
+>(tcl)#10.2.2.2
+>(tcl)#192.168.3.1
+>(tcl)#}
{ ping $address }
Type
escape sequence to abort.
Sending
5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success
rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
Type
escape sequence to abort.
Sending
5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success
rate is 100 percent (5/5), round-trip min/avg/max = 16/22/32 ms
Type
escape sequence to abort.
Sending
5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success
rate is 100 percent (5/5), round-trip min/avg/max = 1/10/20 ms
Type
escape sequence to abort.
Sending
5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
!!!!!
Success
rate is 100 percent (5/5), round-trip min/avg/max = 8/12/20 ms
Type
escape sequence to abort.
Sending
5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success
rate is 100 percent (5/5), round-trip min/avg/max = 20/26/32 ms
Type
escape sequence to abort.
Sending
5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success
rate is 100 percent (5/5), round-trip min/avg/max = 12/18/24 ms
R1#conf t
Enter
configuration commands, one per line.
End with CNTL/Z.
R1(config)#no
router eigrp ROUTE
R1(config)#
R1(config)#router
ospf 1
R1(config-router)#network
192.168.1.0 0.0.0.255 area 0
R1(config-router)#network
10.1.1.0 0.0.0.3 area 0
R1(config-router)#end
R1#
*Jul 23 10:39:23.735:
%OSPF-5-ADJCHG: Process 1, Nbr 10.2.2.1 on Serial2/0 from LOADING to FULL,
Loading Done
*Jul 23 10:29:31.807:
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.1.1.1 (Serial2/0) is down:
Interface PEER-TERMINATION received
R2#
R2#conf t
Enter
configuration commands, one per line.
End with CNTL/Z.
R2(config)#no
router eigrp ROUTE // REMOVE EIGRP ROUTING PROTOCOL
R2(config)#
R2(config)#router
ospf 1 // CONFIGURE OSPF ROUTING PROTOCOL
R2(config-router)#network
10.1.1.0 0.0.0.3 area 0
R2(config-router)#
*Jul 23 10:36:23.351:
%OSPF-5-ADJCHG: Process 1, Nbr 192.168.1.1 on Serial2/0 from LOADING to FULL,
Loading Done
R2(config-router)#network
10.2.2.0 0.0.0.3 area 0
R2(config-router)#end
R2#
*Jul 23 10:37:56.143:
%OSPF-5-ADJCHG: Process 1, Nbr 192.168.3.1 on Serial2/1 from LOADING to FULL,
Loading Done
*Jul 23 10:29:56.123:
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.2.2.1 (Serial2/1) is down:
Interface PEER-TERMINATION received
R3#
R3#conf t
Enter
configuration commands, one per line.
End with CNTL/Z.
R3(config)#no
router eigrp ROUTE
R3(config)#
R3(config)#router
ospf 1
R3(config-router)#network
192.168.3.0 0.0.0.255 area 0
R3(config-router)#network
10.2.2.0 0.0.0.3 area 0
R3(config-router)#
*Jul 23 10:38:05.703:
%OSPF-5-ADJCHG: Process 1, Nbr 10.2.2.1 on Serial2/1 from LOADING to FULL,
Loading Done
R3(config-router)#end
R3#
R1#tclsh
R1(tcl)#foreach
address {
+>(tcl)#192.168.1.1
+>(tcl)#10.1.1.1
+>(tcl)#10.1.1.2
+>(tcl)#10.2.2.1
+>(tcl)#10.2.2.2
+>(tcl)#192.168.3.1
+>(tcl)#}
{ ping $address }
Type
escape sequence to abort.
Sending
5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success
rate is 100 percent (5/5), round-trip min/avg/max = 1/5/8 ms
Type
escape sequence to abort.
Sending
5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success
rate is 100 percent (5/5), round-trip min/avg/max = 36/42/48 ms
Type
escape sequence to abort.
Sending
5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success
rate is 100 percent (5/5), round-trip min/avg/max = 16/20/24 ms
Type
escape sequence to abort.
Sending
5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
!!!!!
Success
rate is 100 percent (5/5), round-trip min/avg/max = 12/18/24 ms
Type
escape sequence to abort.
Sending
5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success
rate is 100 percent (5/5), round-trip min/avg/max = 16/40/72 ms
Type
escape sequence to abort.
Sending
5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success
rate is 100 percent (5/5), round-trip min/avg/max = 16/36/64 ms
R1#conf t
R1(config)#interface
serial 2/0
R1(config-if)#ip
ospf ?
<1-65535> Process ID
authentication Enable authentication
authentication-key Authentication password (key)
bfd Enable BFD on this interface
cost Interface cost
database-filter Filter OSPF LSA during synchronization
and flooding
dead-interval Interval after which a neighbor is
declared dead
demand-circuit OSPF Demand Circuit
flood-reduction OSPF Flood Reduction
hello-interval Time between HELLO packets
lls Link-local Signaling (LLS)
support
message-digest-key Message digest authentication password (key)
mtu-ignore Ignores the MTU in DBD packets
network Network type
prefix-suppression OSPF prefix suppression
priority Router priority
resync-timeout Interval after which adjacency is reset
if oob-resync is
not started
retransmit-interval Time between retransmitting lost link state
advertisements
shutdown Set OSPF protocol's state to
disable under current
interface
transmit-delay Link state transmit delay
ttl-security TTL security check
R1(config-if)#ip
ospf authentication ?
message-digest Use message-digest authentication
null Use no authentication
<cr>
R1(config-if)#ip ospf
authentication message-digest // IOS 15.4(1)T OSPFv2 SUPPORTS SHA AUTHENTICATION
R1(config-if)#
*Jul 23 10:48:25.099:
%OSPF-5-ADJCHG: Process 1, Nbr 10.2.2.1 on Serial2/0 from FULL to DOWN,
Neighbor Down: Dead timer expired
R1(config-if)#ip
ospf message-digest-key ?
<1-255>
Key ID
R1(config-if)#ip
ospf message-digest-key 1 ?
md5
Use MD5 algorithm
R1(config-if)#ip
ospf message-digest-key 1 md5 ?
<0-7>
Encryption type (0 for not yet encrypted, 7 for proprietary)
LINE
The OSPF password (key) (maximum 16 characters)
R1(config-if)#ip ospf
message-digest-key 1 md5 cisco123
R1(config-if)#end
R1#
*Jul 23 10:51:02.715:
%OSPF-5-ADJCHG: Process 1, Nbr 10.2.2.1 on Serial2/0 from LOADING to FULL,
Loading Done
R2#conf t
Enter
configuration commands, one per line.
End with CNTL/Z.
R2(config)#interface
serial 2/0
R2(config-if)#ip ospf
authentication message-digest
R2(config-if)#ip ospf
message-digest-key 1 md5 cisco123
R2(config-if)#
*Jul 23 10:48:02.303:
%OSPF-5-ADJCHG: Process 1, Nbr 192.168.1.1 on Serial2/0 from LOADING to FULL,
Loading Done
R2(config)#interface
serial 2/1
R2(config-if)#ip ospf
authentication message-digest
R2(config-if)#ip ospf
message-digest-key 1 md5 cisco456
R2(config-if)#
*Jul 23 10:49:40.915:
%OSPF-5-ADJCHG: Process 1, Nbr 192.168.3.1 on Serial2/1 from FULL to DOWN,
Neighbor Down: Dead timer expired
R2(config-if)#end
R2#
R3#conf t
Enter
configuration commands, one per line.
End with CNTL/Z.
R3(config)#interface
serial 2/1
R3(config-if)#
*Jul 23
10:49:57.731: %OSPF-5-ADJCHG: Process 1, Nbr 10.2.2.1 on Serial2/1 from FULL to
DOWN, Neighbor Down: Dead timer expired
R3(config-if)#ip ospf
authentication message-digest
R3(config-if)#ip ospf
message-digest-key 1 md5 cisco456
R3(config-if)#
*Jul 23 10:50:25.515:
%OSPF-5-ADJCHG: Process 1, Nbr 10.2.2.1 on Serial2/1 from LOADING to FULL,
Loading Done
R3(config-if)#end
R3#
R1#show
ip route ospf // VERIFY OSPF ROUTING TABLE
Codes: L
- local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O -
OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 -
OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF
external type 2
i - IS-IS, su - IS-IS summary, L1 -
IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate
default, U - per-user static route
o - ODR, P - periodic downloaded static
route, H - NHRP, l - LISP
+ - replicated route, % - next hop
override
Gateway
of last resort is not set
10.0.0.0/8 is variably subnetted, 3
subnets, 2 masks
O 10.2.2.0/30 [110/128] via 10.1.1.2,
00:02:57, Serial2/0
192.168.3.0/32 is subnetted, 1 subnets
O 192.168.3.1 [110/129] via 10.1.1.2,
00:00:33, Serial2/0
R1#show
ip ospf interface serial 2/0 // VERIFY OSPF INTERFACE CONFIG
Serial2/0
is up, line protocol is up
Internet Address 10.1.1.1/30, Area 0,
Attached via Network Statement
Process ID 1, Router ID 192.168.1.1, Network
Type POINT_TO_POINT, Cost: 64
Topology-MTID Cost
Disabled Shutdown Topology Name
0 64 no no Base
Transmit Delay is 1 sec, State POINT_TO_POINT
Timer intervals configured, Hello 10, Dead
40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:03
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 4
msec
Neighbor Count is 1, Adjacent neighbor count
is 1
Adjacent with neighbor 10.2.2.1
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1
R1#tclsh // VERIFY FULL CONNECTIVITY
R1(tcl)#foreach
address {
+>(tcl)#192.168.1.1
+>(tcl)#10.1.1.1
+>(tcl)#10.1.1.2
+>(tcl)#10.2.2.1
+>(tcl)#10.2.2.2
+>(tcl)#192.168.3.1
+>(tcl)#}
{ ping $address }
Type
escape sequence to abort.
Sending
5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success
rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Type
escape sequence to abort.
Sending
5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success
rate is 100 percent (5/5), round-trip min/avg/max = 36/40/44 ms
Type
escape sequence to abort.
Sending
5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success
rate is 100 percent (5/5), round-trip min/avg/max = 12/17/24 ms
Type
escape sequence to abort.
Sending
5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
!!!!!
Success
rate is 100 percent (5/5), round-trip min/avg/max = 12/17/20 ms
Type
escape sequence to abort.
Sending
5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success
rate is 100 percent (5/5), round-trip min/avg/max = 12/35/48 ms
Type
escape sequence to abort.
Sending
5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success
rate is 100 percent (5/5), round-trip min/avg/max = 20/28/44 ms
No comments:
Post a Comment