Example: Configuring a Transition of MD5 Keys on an OSPFv2 Interface
This example shows how to configure a transition of MD5 keys on an OSPFv2 interface.
Requirements
Before you begin:
- Configure the device interfaces. See the Router Interfaces or the Junos OS Interfaces Configuration Guide for Security Devices.
- Configure the router identifiers for the devices in your OSPF network. See Example: Configuring an OSPF Router Identifier.
- Control OSPF designated router election. See Example: Controlling OSPF Designated Router Election.
- Configure a single-area OSPF network. See Example: Configuring a Single-Area OSPF Network.
- Configure a multiarea OSPF network. See Example: Configuring a Multiarea OSPF Network.
Overview
MD5 authentication uses an encoded MD5 checksum that is included in the transmitted packet. For MD5 authentication to work, both the receiving and transmitting routing devices must have the same MD5 key.
You define an MD5 key for each interface. If MD5 is enabled on an interface, that interface accepts routing updates only if MD5 authentication succeeds. Otherwise, updates are rejected. The routing device only accepts OSPFv2 packets sent using the same key identifier (ID) that is defined for that interface.
For increased security, you can configure multiple MD5 keys, each with a unique key ID, and set the date and time to switch to a new key. The receiver of the OSPF packet uses the ID to determine which key to use for authentication.
In this example, you configure new keys to take effect at 12:01 AM on the first day of the next three months on OSPFv2 interface fe-0/0/1 in the backbone area (area 0.0.0.0), and you configure the following MD5 authentication settings:
- md5—Specifies the MD5 authentication key ID. The key ID can be set to any value between 0 and 255, with a default value of 0. The routing device only accepts OSPFv2 packets sent using the same key ID that is defined for that interface.
- key—Specifies the MD5 key. Each key can be a value from 1 through 16 characters long. Characters can include ASCII strings. If you include spaces, enclose all characters in quotation marks (" ").
- start-time—Specifies the time to start using the MD5 key. This option enables you to configure a smooth transition mechanism for multiple keys. The start time is relevant for transmission but not for receiving OSPF packets.
Note: You must set the same passwords and transition dates and times on all devices in the area so that OSPFv2 adjacencies remain active.
Configuration
CLI Quick Configuration
To quickly configure multiple MD5 keys on an OSPFv2 interface, copy the following commands, remove any line breaks, and then paste the commands into the CLI.
Step-by-Step Procedure
To configure multiple MD5 keys on an OSPFv2 interface:
- Create an OSPF area.
  [edit]
  user@host# edit protocols ospf area 0.0.0.0
- Specify the interface.
  [edit protocols ospf area 0.0.0.0]
  user@host# edit interface fe-0/1/0
- Configure MD5 authentication and set an authentication password and key ID.
  [edit protocols ospf area 0.0.0.0 interface fe-0/1/0.0]
  user@host# set authentication md5 1 key $2010HaL
- Configure a new key to take effect at 12:01 AM on the first day of February, March, and April.
  You configure a new authentication password and key ID for each month.
  - For the month of February, enter the following:
    [edit protocols ospf area 0.0.0.0 interface fe-0/1/0.0]
    user@host# set authentication md5 2 key NeWpsswdFEB start-time 2011-02-01.00:01
  - For the month of March, enter the following:
    [edit protocols ospf area 0.0.0.0 interface fe-0/1/0.0]
    user@host# set authentication md5 3 key NeWpsswdMAR start-time 2011-03-01.00:01
  - For the month of April, enter the following:
    [edit protocols ospf area 0.0.0.0 interface fe-0/1/0.0]
    user@host# set authentication md5 4 key NeWpsswdAPR start-time 2011-04-01.00:01
- If you are done configuring the device, commit the configuration.
  [edit protocols ospf area 0.0.0.0 interface fe-0/1/0.0]
  user@host# commit
Note: Repeat this entire configuration on all peer OSPFv2 routing devices.
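The key transition described in the Overview and configured above can be modelled in a few lines. This is an added example, not Junos code: it builds and checks the RFC 2328 cryptographic-authentication trailer with the key IDs, keys and start times from this procedure, and shows why a peer that lacks the current key rejects packets. The transmit rule (latest start-time already passed), the start time of key 1, the router ID and the packet body are assumptions; the sequence-number replay check is left out.

```python
import hashlib
import hmac
import struct
from datetime import datetime

# Key chain from the procedure: key ID -> (key, start-time).
# Key 1 has no start-time on the page; datetime.min ("already active") is an assumption.
KEYS = {
    1: (b"$2010HaL", datetime.min),
    2: (b"NeWpsswdFEB", datetime(2011, 2, 1, 0, 1)),
    3: (b"NeWpsswdMAR", datetime(2011, 3, 1, 0, 1)),
    4: (b"NeWpsswdAPR", datetime(2011, 4, 1, 0, 1)),
}

def active_key_id(keys, now):
    """Transmit side: the key with the latest start-time that has passed (assumed rule)."""
    return max((start, kid) for kid, (_, start) in keys.items() if start <= now)[1]

def _digest(packet, key):
    # RFC 2328 D.4.3: MD5 over the packet followed by the key zero-padded to 16 bytes.
    return hashlib.md5(packet + key.ljust(16, b"\x00")).digest()

def build_packet(keys, now, body, seq, router_id=0x0A000001, area_id=0):
    """Build an OSPFv2 packet with AuType 2 and the 16-byte digest appended."""
    kid = active_key_id(keys, now)
    # version, type, length, router ID, area ID, checksum=0, AuType=2,
    # then the auth field: 0, key ID, auth data length, sequence number.
    header = struct.pack("!BBHIIHHHBBI", 2, 1, 24 + len(body), router_id,
                         area_id, 0, 2, 0, kid, 16, seq)
    packet = header + body
    return packet + _digest(packet, keys[kid][0])

def verify_packet(keys, raw):
    """Receive side: pick the key by the key ID in the header; start-time is not consulted."""
    if len(raw) < 40:
        return False
    (length,) = struct.unpack("!H", raw[2:4])
    autype, _, kid, auth_len = struct.unpack("!HHBB", raw[14:20])
    if autype != 2 or auth_len != 16 or kid not in keys or len(raw) != length + 16:
        return False
    return hmac.compare_digest(raw[length:], _digest(raw[:length], keys[kid][0]))

if __name__ == "__main__":
    pkt = build_packet(KEYS, datetime(2011, 3, 15), b"constructed-body", seq=7)
    stale_peer = {kid: KEYS[kid] for kid in (1, 2)}  # peer that missed the March key
    print("sent with key ID", pkt[18])
    print("peer with all keys accepts:", verify_packet(KEYS, pkt))
    print("peer missing key 3 accepts:", verify_packet(stale_peer, pkt))
```
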
Results
Confirm your configuration by entering the show protocols ospf command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
Note: After you configure the password, you do not see the password itself. The output displays the encrypted form of the password you configured.
Verification
Confirm that the configuration is working properly.
Verifying the Configured Authentication Method
Purpose
Verify that the authentication method for sending and receiving OSPF protocol packets is configured. When configured for MD5 authentication with a transition of keys, the Auth type field displays MD5, the Active key ID field displays the unique number you entered that identifies the MD5 key, and the Start time field displays the time at which the routing device starts using an MD5 key to authenticate OSPF packets transmitted on the interface you configured.
Action
From operational mode, enter the show ospf interface and the show ospf overview commands.