Command:

ip ospf message-digest-key


Mode:

Router(config-if)#


Syntax:

ip ospf message-digest-key key-id md5 key

no ip ospf message-digest-key key-id


Syntax Description:

key-id    An identifier in the range from 1 to 255
key       Alphanumeric password of up to 16 bytes

Command Description:

To enable OSPF Message Digest 5 (MD5) authentication, use the ip ospf message-digest-key interface configuration command. To remove an old MD5 key, use the no form of this command.

Usage Guidelines:

Usually, one key per interface is used to generate authentication information when sending packets and to authenticate incoming packets. The same key identifier on the neighbor router must have the same key value.

To change keys, proceed as follows. Suppose the current configuration is:

interface ethernet 1
 ip ospf message-digest-key 100 md5 OLD

You change the configuration to the following:

interface ethernet 1
 ip ospf message-digest-key 101 md5 NEW

The system assumes its neighbors do not have the new key yet, so it begins a rollover process. It sends multiple copies of the same packet, each authenticated by different keys. In this example, the system sends out two copies of the same packet: the first one authenticated by key 100 and the second one authenticated by key 101.

Rollover allows neighboring routers to continue communication while the network administrator is updating them with the new key. Rollover stops once the local system finds that all its neighbors know the new key. The system detects that a neighbor has the new key when it receives packets from the neighbor authenticated by the new key.

After all neighbors have been updated with the new key, the old key should be removed. In this example, you would enter the following:

interface ethernet 1
 no ip ospf message-digest-key 100

Then, only key 101 is used for authentication on Ethernet interface 1.

It is good practice not to keep more than one key per interface. Every time you add a new key, you should remove the old key to prevent the local system from continuing to communicate with a hostile system that knows the old key. Removing the old key also reduces overhead during rollover.
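The following audit script is an added example, not part of the original Cisco reference. It scans a saved configuration for interfaces that still carry more than one MD5 key (an unfinished rollover) and for values outside the syntax limits above. The function name audit_ospf_md5, the sample configuration and the assumption that the input uses the running-config layout (interface line followed by indented subcommands) are illustrative.

```python
import re

# Matches the interface command from this page; the optional single digit is
# the IOS encryption-type shown when keys are stored obfuscated (assumption).
KEY_RE = re.compile(r"^\s+ip ospf message-digest-key (\d+) md5 (?:(\d) )?(\S+)\s*$")
IFACE_RE = re.compile(r"^interface (\S.*?)\s*$", re.IGNORECASE)


def audit_ospf_md5(config_text):
    """Return a sorted list of (interface, finding) tuples for a config dump."""
    keys = {}          # interface name -> list of key-ids configured on it
    findings = []
    current = None
    for line in config_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, [])
            continue
        if line and not line[0].isspace():
            current = None      # unindented line: left the interface block
            continue
        m = KEY_RE.match(line)
        if not (m and current):
            continue
        key_id, enc_type, key = int(m.group(1)), m.group(2), m.group(3)
        keys[current].append(key_id)
        if not 1 <= key_id <= 255:
            findings.append((current, f"key-id {key_id} outside 1-255"))
        # Length is only meaningful when the key is stored in cleartext.
        if enc_type in (None, "0") and len(key.encode()) > 16:
            findings.append((current, f"key {key_id} longer than 16 bytes"))
    for iface, ids in keys.items():
        if len(ids) > 1:
            findings.append((iface, f"multiple keys {sorted(ids)}: rollover not finished"))
    return sorted(findings)

# Constructed sample configuration (not from a real device).
SAMPLE = """\
interface Ethernet0
 ip ospf message-digest-key 101 md5 NEW
!
interface Ethernet1
 ip ospf message-digest-key 10 md5 xvv560qle
 ip ospf message-digest-key 19 md5 8ry4222
!
"""
```

Calling audit_ospf_md5(SAMPLE) reports only Ethernet1, which still holds keys 10 and 19.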


Example:

The following example sets a new key 19 with the password 8ry4222:

Router(config)#interface ethernet 1
Router(config-if)#ip ospf message-digest-key 10 md5 xvv560qle
Router(config-if)#ip ospf message-digest-key 19 md5 8ry4222

Misconceptions:
None

Related Commands:
None

© Cisco Systems, Inc. 2001, 2002, 2003
World Wide Education