Chapter 6: OSPF Authentication and Default Route Injection
Objective
This lab focuses on configuring OSPF authentication across different router interfaces and implementing default route injection into OSPF. By the end of this lab, participants will understand different authentication mechanisms in OSPF and how to ensure network security while maintaining connectivity.
Key Features Implemented
- Configuring OSPF authentication (Null, Simple Password, MD5, and HMAC-SHA-256)
- Implementing default route injection into OSPF
- Ensuring end-to-end reachability
Topology
The lab utilizes the OSPF topology as shown in the diagram from page 1 of the "Chapter 6: OSPF Authentication and Default Route Injection" PDF.
Configuration Tasks
- Configure IP addresses as shown in the topology.
- Ensure that R2, R3, R4, R5, and R6 are part of OSPF Area 0.
- Configure OSPF authentication as per the following:
  - Between R2 and R3: No OSPF authentication.
  - Between R3 and R4: Simple password authentication (cisco@123).
  - Between R3 and R5: MD5 authentication with one key (cisco@123).
  - Between R3 and R6: HMAC-SHA-256 authentication with key-chain:
    - Key 1: cisco@123 (Send Lifetime: Jan to Jun, Accept Lifetime: Jan to Jun)
    - Key 2: catalyst@123 (Send Lifetime: Jul to Dec, Accept Lifetime: Jul to Dec)
- Configure NAT on R2:
  - Set up NAT with an inside and outside interface.

        ! On R2
        interface Ethernet0/0
         ip address 12.1.1.2 255.255.255.252
         ip nat outside
        !
        interface Ethernet0/1
         ip address 23.1.1.1 255.255.255.252
         ip nat inside

  - Configure NAT to translate internal addresses using an IP NAT pool.

        ! On R2
        ip nat pool mypool 12.1.1.2 12.1.1.2 prefix-length 30

  - Apply access control to allow NAT translation for all internal traffic.

        ! On R2
        access-list 1 permit any
        !
        ip nat inside source list 1 pool mypool overload

- Configure Default Route Injection:
  - Configure R2 with a default route pointing to 12.1.1.1 as the next hop.
  - Inject this default route into OSPF to propagate it across the network.
  - Ensure OSPF injects the default route even if the static default route on R2 is removed.
- Verify End-to-End Connectivity:
  - To ensure connectivity throughout the enterprise, all routers (R2, R3, R4, R5, and R6) must be able to successfully ping each other's loopback addresses.
  - Ensure that all routers (R2, R3, R4, R5, and R6) can successfully ping 1.1.1.1 from their loopback interfaces.
Base Configurations
Ready to get started? Here, you'll find the initial configurations for each device to begin this lab.

    hostname R1
    !
    interface Loopback0
     ip address 1.1.1.1 255.255.255.255
    !
    interface Ethernet0/0
     ip address 12.1.1.1 255.255.255.252

    hostname R2
    !
    interface Loopback0
     ip address 2.2.2.2 255.255.255.255
     ip ospf 2 area 0
    !
    interface Ethernet0/0
     ip address 12.1.1.2 255.255.255.252
    !
    interface Ethernet0/1
     ip address 23.1.1.1 255.255.255.252
     ip ospf 2 area 0
    !
    router ospf 2

    hostname R3
    !
    interface Loopback0
     ip address 3.3.3.3 255.255.255.255
     ip ospf 3 area 0
    !
    interface Ethernet0/0
     ip address 23.1.1.2 255.255.255.252
     ip ospf 3 area 0
    !
    interface Ethernet0/1
     ip address 34.1.1.1 255.255.255.252
     ip ospf 3 area 0
    !
    interface Ethernet0/2
     ip address 35.1.1.1 255.255.255.252
     ip ospf 3 area 0
    !
    interface Ethernet0/3
     ip address 36.1.1.1 255.255.255.252
     ip ospf 3 area 0
    !
    router ospf 3

    hostname R4
    !
    interface Loopback0
     ip address 4.4.4.4 255.255.255.255
     ip ospf 4 area 0
    !
    interface Ethernet0/0
     ip address 34.1.1.2 255.255.255.252
     ip ospf 4 area 0
    !
    router ospf 4

    hostname R5
    !
    interface Loopback0
     ip address 5.5.5.5 255.255.255.255
     ip ospf 5 area 0
    !
    interface Ethernet0/0
     ip address 35.1.1.2 255.255.255.252
     ip ospf 5 area 0
    !
    router ospf 5

    hostname R6
    !
    interface Loopback0
     ip address 6.6.6.6 255.255.255.255
     ip ospf 6 area 0
    !
    interface Ethernet0/0
     ip address 36.1.1.2 255.255.255.252
     ip ospf 6 area 0
    !
    router ospf 6

Verification Commands
- show ip ospf neighbor - Confirm OSPF neighbor relationships.
- show ip ospf database - Verify LSAs related to authentication and default routes.
- show ip ospf interface - Check authentication settings applied to OSPF interfaces.
- show ip route ospf - Ensure that the default route is being advertised and learned correctly.
- show ip nat translations - Verify NAT translation entries.
- debug ip ospf adj - Debug authentication mismatches, if any.
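
An offline complement to `show ip ospf interface` and `debug ip ospf adj`: the added example below (not part of the original lab) compares the interface-level OSPF authentication of two routers on a shared subnet and reports type or key mismatches before the configuration is pasted. The function names are hypothetical, the R5 snippet is deliberately misconfigured for illustration, and keys are assumed to be stored in plaintext as they are in this lab.

```python
import ipaddress
import re

# Constructed input: the R3-R5 link from this lab. R5 is deliberately left on
# simple authentication to show a mismatch (this is not the lab's final config).
R3 = """\
interface Ethernet0/2
 ip address 35.1.1.1 255.255.255.252
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cisco@123
 ip ospf 3 area 0
"""
R5 = """\
interface Ethernet0/0
 ip address 35.1.1.2 255.255.255.252
 ip ospf authentication
 ip ospf authentication-key cisco@123
 ip ospf 5 area 0
"""

AUTH = r"(?m)^\s*ip ospf authentication(?: (message-digest|null|key-chain)\b.*)?\s*$"
KEY_RE = {"simple": r"ip ospf authentication-key (\S+)",
          "message-digest": r"ip ospf message-digest-key (\d+ md5 \S+)"}

def ospf_links(config):
    """Map each OSPF-enabled subnet to (interface, auth mode, key material)."""
    links = {}
    for block in re.split(r"(?m)^(?=interface )", config):
        name = re.match(r"interface (\S+)", block)
        addr = re.search(r"ip address (\S+) (\S+)", block)
        if not (name and addr and re.search(r"ip ospf \d+ area", block)):
            continue
        net = ipaddress.ip_interface(f"{addr[1]}/{addr[2]}").network
        auth = re.search(AUTH, block)
        # A bare "ip ospf authentication" line means simple password mode.
        mode = "none" if not auth or auth[1] == "null" else (auth[1] or "simple")
        key = re.search(KEY_RE[mode], block) if mode in KEY_RE else None
        links[net] = (name[1], mode, key[1] if key else None)
    return links

def mismatches(cfg_a, cfg_b):
    """Report subnets where the two routers disagree on auth type or key."""
    a, b = ospf_links(cfg_a), ospf_links(cfg_b)
    out = []
    for net in a.keys() & b.keys():
        (if_a, mode_a, key_a), (if_b, mode_b, key_b) = a[net], b[net]
        if mode_a != mode_b:
            out.append(f"{net}: auth type {mode_a} on {if_a} vs {mode_b} on {if_b}")
        elif key_a != key_b:
            out.append(f"{net}: {mode_a} key differs between {if_a} and {if_b}")
    return sorted(out)
```

Key-chain links are compared by mode only, since key chain names are locally significant and the keys live outside the interface block.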
Expected Outcomes
- OSPF authentication should be correctly applied per the topology.
- The default route should be successfully injected into OSPF.
- All routers should learn the default route and maintain connectivity.
- Secure authentication mechanisms should ensure integrity in OSPF adjacencies.
- NAT should properly translate internal addresses for external communication.
Final Configurations
Want to take a look for yourself? Here, you will find the final configurations of each device required for this lab.

    hostname R1
    !
    interface Loopback0
     ip address 1.1.1.1 255.255.255.255
    !
    interface Ethernet0/0
     ip address 12.1.1.1 255.255.255.252

    hostname R2
    !
    interface Loopback0
     ip address 2.2.2.2 255.255.255.255
     ip ospf 2 area 0
    !
    interface Ethernet0/0
     ip address 12.1.1.2 255.255.255.252
     ip nat outside
    !
    ! Link to R3: no OSPF authentication
    interface Ethernet0/1
     ip address 23.1.1.1 255.255.255.252
     ip nat inside
     ip ospf 2 area 0
    !
    ip route 0.0.0.0 0.0.0.0 12.1.1.1
    ip nat pool mypool 12.1.1.2 12.1.1.2 prefix-length 30
    ip nat inside source list 1 pool mypool overload
    access-list 1 permit any
    !
    router ospf 2
     default-information originate always

    hostname R3
    !
    interface Loopback0
     ip address 3.3.3.3 255.255.255.255
     ip ospf 3 area 0
    !
    ! Link to R2: no OSPF authentication
    interface Ethernet0/0
     ip address 23.1.1.2 255.255.255.252
     ip ospf 3 area 0
    !
    ! Link to R4: simple password authentication
    interface Ethernet0/1
     ip address 34.1.1.1 255.255.255.252
     ip ospf authentication
     ip ospf authentication-key cisco@123
     ip ospf 3 area 0
    !
    ! Link to R5: MD5 authentication
    interface Ethernet0/2
     ip address 35.1.1.1 255.255.255.252
     ip ospf authentication message-digest
     ip ospf message-digest-key 1 md5 cisco@123
     ip ospf 3 area 0
    !
    ! Link to R6: HMAC-SHA-256 authentication with key chain
    interface Ethernet0/3
     ip address 36.1.1.1 255.255.255.252
     ip ospf authentication key-chain OSPF-KEYS
     ip ospf 3 area 0
    !
    key chain OSPF-KEYS
     key 1
      key-string cisco@123
      accept-lifetime 00:00:00 Jan 1 2025 23:59:59 Jun 30 2025
      send-lifetime 00:00:00 Jan 1 2025 23:59:59 Jun 30 2025
      cryptographic-algorithm hmac-sha-256
     key 2
      key-string catalyst@123
      accept-lifetime 00:00:00 Jul 1 2025 23:59:59 Dec 31 2025
      send-lifetime 00:00:00 Jul 1 2025 23:59:59 Dec 31 2025
      cryptographic-algorithm hmac-sha-256
    !
    router ospf 3

    hostname R4
    !
    interface Loopback0
     ip address 4.4.4.4 255.255.255.255
     ip ospf 4 area 0
    !
    ! Link to R3: simple password authentication
    interface Ethernet0/0
     ip address 34.1.1.2 255.255.255.252
     ip ospf authentication
     ip ospf authentication-key cisco@123
     ip ospf 4 area 0
    !
    router ospf 4

    hostname R5
    !
    interface Loopback0
     ip address 5.5.5.5 255.255.255.255
     ip ospf 5 area 0
    !
    ! Link to R3: MD5 authentication
    interface Ethernet0/0
     ip address 35.1.1.2 255.255.255.252
     ip ospf authentication message-digest
     ip ospf message-digest-key 1 md5 cisco@123
     ip ospf 5 area 0
    !
    router ospf 5

    hostname R6
    !
    interface Loopback0
     ip address 6.6.6.6 255.255.255.255
     ip ospf 6 area 0
    !
    ! Link to R3: HMAC-SHA-256 authentication with key chain
    interface Ethernet0/0
     ip address 36.1.1.2 255.255.255.252
     ip ospf authentication key-chain OSPF-KEYS
     ip ospf 6 area 0
    !
    key chain OSPF-KEYS
     key 1
      key-string cisco@123
      accept-lifetime 00:00:00 Jan 1 2025 23:59:59 Jun 30 2025
      send-lifetime 00:00:00 Jan 1 2025 23:59:59 Jun 30 2025
      cryptographic-algorithm hmac-sha-256
     key 2
      key-string catalyst@123
      accept-lifetime 00:00:00 Jul 1 2025 23:59:59 Dec 31 2025
      send-lifetime 00:00:00 Jul 1 2025 23:59:59 Dec 31 2025
      cryptographic-algorithm hmac-sha-256
    !
    router ospf 6
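
The OSPF-KEYS key chain on R3 and R6 hands over from key 1 to key 2 with a one-second gap and no overlapping accept window, so any clock difference between the two routers can leave them without a commonly valid key at rollover. The added example below (not part of the original lab) parses the key chain and flags such handovers; the function names and the 5-minute skew tolerance are assumptions, and only the absolute start/end lifetime form used in this lab is parsed.

```python
import re
from datetime import datetime, timedelta

# Constructed input: the key chain copied from this lab's R3/R6 final configuration.
KEY_CHAIN = """\
key chain OSPF-KEYS
 key 1
  key-string cisco@123
  accept-lifetime 00:00:00 Jan 1 2025 23:59:59 Jun 30 2025
  send-lifetime 00:00:00 Jan 1 2025 23:59:59 Jun 30 2025
  cryptographic-algorithm hmac-sha-256
 key 2
  key-string catalyst@123
  accept-lifetime 00:00:00 Jul 1 2025 23:59:59 Dec 31 2025
  send-lifetime 00:00:00 Jul 1 2025 23:59:59 Dec 31 2025
  cryptographic-algorithm hmac-sha-256
"""

LIFETIME = re.compile(r"(accept|send)-lifetime (\S+ \w+ \d+ \d+) (\S+ \w+ \d+ \d+)")
FMT = "%H:%M:%S %b %d %Y"

def parse_keys(text):
    """Return {key_id: {"accept": (start, end), "send": (start, end)}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"key (\d+)", line):
            current = keys.setdefault(int(m.group(1)), {})
        elif (m := LIFETIME.fullmatch(line)) and current is not None:
            current[m.group(1)] = tuple(datetime.strptime(g, FMT) for g in m.group(2, 3))
    return keys

def rollover_findings(keys, skew=timedelta(minutes=5)):
    """Flag consecutive keys whose handover leaves a gap or no room for clock skew."""
    findings = []
    ordered = sorted(keys.items(), key=lambda kv: kv[1]["send"][0])
    for (old_id, old), (new_id, new) in zip(ordered, ordered[1:]):
        send_gap = new["send"][0] - old["send"][1]
        if send_gap > timedelta(0):
            findings.append(f"send gap of {send_gap} between key {old_id} and key {new_id}")
        # The receiver should accept the new key before the sender switches to it,
        # and keep accepting the old key shortly afterwards.
        if new["accept"][0] > new["send"][0] - skew:
            findings.append(f"key {new_id} is not accepted {skew} before it is sent")
        if old["accept"][1] < old["send"][1] + skew:
            findings.append(f"key {old_id} is not accepted {skew} after it stops being sent")
    return findings
```

Run against the lab's key chain, `rollover_findings(parse_keys(KEY_CHAIN))` returns three findings; widening each accept-lifetime so it overlaps the neighbouring key's send-lifetime clears them.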