Securing OSPF neighbour relationships with MD5 authentication is standard practice in production networks, and this video covers exactly how to configure it on Juniper logical systems. We apply MD5 authentication to all four PE-to-PE OSPF links — PE1 to PE2, PE1 to PE3, PE3 to PE4, and PE4 to PE2 — completing the fully authenticated core mesh.

OSPF MD5 authentication on JunOS is configured at the per-interface level under the protocols ospf area hierarchy. The command is set protocols ospf area 0 interface lt-0/0/0.xx authentication md5 followed by a key ID number and the key itself. The key ID must match on both ends of the adjacency, as must the key string.

One of the most instructive aspects of this video is watching what happens when authentication is only configured on one end of a neighbour relationship. After applying MD5 to PE1’s interface towards PE3, we watch the OSPF dead timer count down on PE3 in real time — from 30 seconds to zero — until the adjacency drops. The neighborship only recovers once the matching MD5 configuration is applied to PE3’s side of the link. This makes the authentication behaviour completely transparent and easy to understand.

The same process is repeated for each PE-to-PE link in turn — applying authentication to one end, observing the adjacency drop, then applying the matching configuration to the other end and confirming the adjacency comes back up in Full state. All four PE inter-connections are secured by the end of the video.

After completing the MD5 configuration across all PE links we verify full reachability using ping to confirm the authenticated OSPF topology is still exchanging routes correctly and nothing has been disrupted by the authentication changes. Loopback-to-loopback pings between PE1, PE2, PE3 and PE4 all confirm successful end-to-end connectivity.