OSPF·Interface Config

ip ospf message-digest-key 1 md5 [key]

Configures OSPF MD5 authentication on an interface by defining a key ID and password to authenticate OSPF packets.

Syntax·Interface Config
ip ospf message-digest-key 1 md5 [key]

When to Use This Command

  • Securing OSPF routing updates between two directly connected routers to prevent route injection attacks.
  • Enabling OSPF authentication in a multi-access network (e.g., Ethernet) where multiple neighbors must share the same key.
  • Migrating from plain-text authentication to MD5 authentication without disrupting OSPF adjacency by adding a new key before removing the old one.
  • Complying with security policies that require authentication for all routing protocol exchanges.

Command Examples

Basic MD5 Authentication Configuration

ip ospf message-digest-key 1 md5 cisco123
Router(config-if)# ip ospf message-digest-key 1 md5 cisco123
Router(config-if)#

The command sets key ID 1 with password 'cisco123' for OSPF MD5 authentication on the interface. No output is shown if successful; the prompt returns without error.

Verifying MD5 Authentication with show ip ospf interface

show ip ospf interface gigabitethernet 0/0
GigabitEthernet0/0 is up, line protocol is up
  Internet Address 192.168.1.1/24, Area 0
  Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 1.1.1.1, Interface address 192.168.1.1
  Backup Designated router (ID) 2.2.2.2, Interface address 192.168.1.2
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:03
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Can be protected by per-packet TTL-1 hop security
  Index 1/1/1, flood queue length 0
  Next 0x0(0)/0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 0
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 2.2.2.2  (Backup Designated Router)
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 1

The output shows OSPF interface details. Key line: 'Message digest authentication enabled' confirms MD5 is active. 'Youngest key id is 1' indicates the key ID currently used for sending.

Understanding the Output

The command itself produces no output on success. To verify, use 'show ip ospf interface [interface]'. Look for 'Message digest authentication enabled' to confirm MD5 is active. The 'Youngest key id' field shows the key ID used for sending; all neighbors must have the same key ID and password. If authentication fails, the neighbor state will not progress beyond INIT or EXSTART, and 'show ip ospf neighbor' will show the neighbor as stuck in INIT or EXSTART/EXCHANGE. Use 'debug ip ospf adj' to see authentication failures.

CCNA Exam Tips

1. CCNA exam tip: MD5 authentication is configured per interface, not per OSPF process. Remember to apply it on both sides with matching key ID and password.

2. CCNA exam tip: The key ID is a number from 1 to 255. The password can be up to 16 characters. The exam may test that the key ID must match on both routers.

3. CCNA exam tip: To change the password without disrupting adjacency, configure a new key with a higher ID, then remove the old key. The router uses the youngest key (highest ID) for sending.

4. CCNA exam tip: 'ip ospf message-digest-key' is used for MD5; for plain-text authentication, use 'ip ospf authentication-key'. The exam may ask which command enables MD5.

Common Mistakes

Mistake 1: Configuring the key on only one side of the link. Consequence: OSPF adjacency fails to form or drops.

Mistake 2: Using different passwords or key IDs on neighboring routers. Consequence: Authentication mismatch, adjacency stuck in INIT.

Mistake 3: Forgetting to enable authentication with 'ip ospf authentication message-digest' after setting the key. Consequence: Key is configured but not used; OSPF packets are sent without authentication.
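Mistakes 2 and 3 can be caught offline by auditing saved configurations. The script below is an added example, not part of the original page or any Cisco tooling: it parses interface stanzas, flags interfaces where the key and 'ip ospf authentication message-digest' are not both present, and lists the key IDs two link ends have in common. The configs R1 and R2 are constructed samples, the function names are hypothetical, and it assumes keys are stored in clear text and authentication is enabled per interface.

```python
import re

# Constructed running-config excerpts for two neighbors (not from real devices).
R1 = """\
interface GigabitEthernet0/0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cisco123
!
interface GigabitEthernet0/1
 ip ospf message-digest-key 1 md5 cisco123
!
"""
R2 = """\
interface GigabitEthernet0/0
 ip ospf authentication message-digest
 ip ospf message-digest-key 2 md5 cisco123
!
"""
KEY_RE = re.compile(r"ip ospf message-digest-key (\d+) md5 (.+)")

def parse_interfaces(config):
    """Return {interface: {"auth": bool, "keys": {key_id: key}}}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], {"auth": False, "keys": {}})
        elif not raw.startswith(" "):
            current = None  # "!" or a new top-level stanza ends the interface block
        elif current is not None:
            if line == "ip ospf authentication message-digest":
                current["auth"] = True
            match = KEY_RE.fullmatch(line)
            if match:
                current["keys"][int(match.group(1))] = match.group(2)
    return interfaces

def audit(config):
    """Flag interfaces where the key and the enabling command are not both present."""
    findings = []
    for name, intf in parse_interfaces(config).items():
        if intf["keys"] and not intf["auth"]:
            findings.append((name, "key configured but authentication not enabled"))
        elif intf["auth"] and not intf["keys"]:
            findings.append((name, "authentication enabled but no key configured"))
    return findings

def shared_key_ids(local, remote):
    """Key IDs whose ID and password are identical on both ends of a link."""
    return sorted(k for k, v in local["keys"].items() if remote["keys"].get(k) == v)
```

An empty result from shared_key_ids means the two ends have no matching key ID and password pair. The findings never include the key strings themselves, so the report can be shared without exposing passwords.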
