The question is about ospf md5 authentication.
Based on the output md5 authentication has been enabled under the interface and not under the ospf process.
That's why it shows "Cryptographic authentication enabled" under "show ip ospf int gig 2".
This information is not displayed under the interface if authentication is enabled under the ospf process. (I labbed it.)
In this case, "C" is correct (and not "D", which enables it under the process.)
Example:
https://networklessons.com/ospf/how-to-configure-ospf-md5-authentication
interface GigabitEthernet 2
ip address 172.16.1.42 255.255.255.252
ip ospf 1 area 1
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco
"A" and "B" are completely wrong.
The key chain configuration shown in the output is for eigrp, and the key chain was named as "ospf" to make the question tricky.
https://community.cisco.com/t5/switching/key-chain-md5-authentication-in-ospf/td-p/1327717
"OSPF is not using key chain, it is using authentication key you configured in the OSPF process or interface level."
No, A and B are valid commands. Tested in lab. The OCG, however, never used A or B; it only used C or D. The output in the exhibit is from a command in C or D. So this is our choice.
why not? key chains can be configured for OSPF too...
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/xe-16-10/iro-xe-16-10-book/iro-ospfv2-crypto-authen-xe.html
https://networklessons.com/cisco/ccie-routing-switching-written/ospf-hmac-sha-extended-authentication
Also, with md5 auth, interface looks like this:
Message digest authentication enabled
Youngest key id is 1
with cryptographic auth, looks like:
Cryptographic authentication enabled
Sending SA: Key 25, Algorithm HMAC-SHA-256 – key chain sample1
------
This example had sha-256 and in the output of our question 256 is not mentioned, hence they configured sha1, option B is correct
It can but the output shows this is a C or D command.
Message digest authentication enabled
Youngest key id is 1
This is a C or D command, now choose one. The OCG only uses C or D examples, although A and B is good and works, the exhibit shows C or D.
I agree, the authentication method used is MD5, but the config seems wrong. Why did they mix config "hmac-SHA" with "MD5" in the same config? I think that there is no "key chain" with method MD5!
Yes answer is C the only output that you can get is to configure message digest and md5 authentication.
If you configure the key chains this is the output:
Last flood scan length is 0, maximum is 0
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 0, Adjacent neighbor count is 0
Suppress hello for 0 neighbor(s)
Cryptographic authentication enabled
Sending SA: Key 1, Algorithm HMAC-SHA-256 - key chain ospf
With SHA1:
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 0, Adjacent neighbor count is 0
Suppress hello for 0 neighbor(s)
Cryptographic authentication enabled
Sending SA: Key 1, Algorithm HMAC-SHA-1 - key chain ospf
Here with this config:
interface Ethernet0/0
no switchport
ip address 10.10.10.254 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 05080F1C2243
ip ospf 1 area 0
end
Neighbor Count is 0, Adjacent neighbor count is 0
Suppress hello for 0 neighbor(s)
Cryptographic authentication enabled
Youngest key id is 1
I tested all of these A B C D
D, C was the only one that produced the output in the exhibit (refer HungarianDish comment)
A and B are valid OSPF commands, but OSPF has recently been updated to include sha. It used to only include MD5 and plain text authentication (refer to OCG page 457 459 where OSPF doesn't support Keys or SHA);
The output in the image is produced with this one command:
interface Ethernet0/0
ip address 1.1.1.1 255.255.255.0
ip ospf message-digest-key 1 md5 7 045802150C2E
ip ospf 1 area 0
show ip ospf interface
Suppress hello for 0 neighbor(s)
Cryptographic authentication enabled
Youngest key id is 1
It doesn't matter if message-digest authentication is enabled in area mode or interface mode
However the answer is C
Why?
In some IOS versions you need the ip ospf authentication message-digest command to produce the output in the exhibit.
In others you don't (in my lab you don't, using IOU images)
To reproduce the output in the image we need to use C
A and B ARE valid commands, but according to OCG OSPF doesn't support SHA (which it does). So if the question is an "older" question, the answer is C.
I will make this easy for everyone.
The answer is C or D. These are the only valid solutions, as A or B does not enable any kind of cryptographic algorithm. The algorithm has been enabled under the interface, and not the area; this is why we only see Youngest Key ID (reference: Advanced OSPF chapter in OCG). Now do we choose C or D? Notice in the output we have 2 other OSPF neighbors, but we do not know if we have authentication enabled for them. The safest choice is C, an applying authentication under the OSPF process
If we enable OSPF in the area mode and not under interface this is the output:
show ip ospf interface:
Suppress hello for 0 neighbor(s)
Cryptographic authentication enabled
No key configured, using default key id 0
Hence it is applied to all the interfaces, and it might cause adjacency problems with other routers. Answer is C.
What I meant to say is it cannot be A or B because the output shows that C or D is already configured, but it is misconfigured. If it was A or B this is the output:
Cryptographic authentication enabled
Sending SA: Key 2, Algorithm MD5 - key chain ospf
So we choose C or D. C is best as more specific. And doesn't tear down other ospf adjacencies.
A B C D are valid commands.
The output is from C or D. Either C or D works to fix it. Tested in lab. C is best as it doesn't enable authentication for the entire OSPF area, as we have other neighbors.
A is correct
This is from cisco
Defining a Key Chain:
1. enable
2. configure terminal
3. key chain name
4. key key-id
5. key-string name
6. cryptographic-algorithm name
7. send-lifetime start-time { infinite | end-time | duration seconds }
end
Defining Authentication on an Interface:
1. enable
2. configure terminal
3. interface type number
4. ip ospf authentication key-chain name
Device(config)# key chain sample1
Device(config-keychain)# key 1
Device(config-keychain-key)# key-string string1
Device(config-keychain-key)# cryptographic-algorithm hmac-sha-256
Device(config)# interface g0/0
Device(config-if)# ip ospf authentication key-chain sample1
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/xe-16-10/iro-xe-16-10-book/iro-ospfv2-crypto-authen-xe.html#:~:text=ip%20ospf%20authentication%20key%2Dchain%20ospf1
after research, A is correct
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/xe-16-10/iro-xe-16-10-book/iro-ospfv2-crypto-authen-xe.html#:~:text=ip%20ospf%20authentication%20key%2Dchain%20ospf1
C & D are wrong - we already have configured the router with md5 authentication and neighborship lost, no point to re-configure md5.
From the answers probably we need to switch back to sha.
A -> Wrong, when I tried to configure the same string I received "Invalid encrypted keystring"
B -> Correct , encrypted string "02050D480809" is decrypted string "cisco"
Both C and D work, and the message "Youngest key id is 1" has nothing to do with the key chain.
I tried both (C&D) without configuring key chain and with key chain and they worked fine
Not C or D because it's MD5, not Cryptographic as output states
Not A because the output should show SHA-256
So B it's correct.
It's IOS XE because it is a CSR router:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/xe-16-10/iro-xe-16-10-book/iro-ospfv2-crypto-authen-xe.html
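Added example, not from any poster or from Cisco: a small Python classifier for the `show ip ospf interface` authentication lines quoted in this thread, for auditing which interfaces use a per-interface message-digest key, which use a key chain (and with which algorithm), and which have authentication enabled with no key. The sample outputs are constructed from lines posters quoted above, and the function and field names are hypothetical.

```python
import re

# Patterns match only the output lines quoted by posters in this thread.
ENABLED = re.compile(r"^(Message digest|Cryptographic) authentication enabled$")
YOUNGEST = re.compile(r"^Youngest key id is (\d+)$")
SENDING_SA = re.compile(r"^Sending SA: Key (\d+), Algorithm (\S+) [-–] key chain (\S+)$")
NO_KEY = re.compile(r"^No key configured, using default key id (\d+)$")

# Constructed samples, assembled from lines quoted in the thread.
SAMPLE_INTERFACE_MD5 = """\
Suppress hello for 0 neighbor(s)
Cryptographic authentication enabled
  Youngest key id is 1
"""
SAMPLE_KEY_CHAIN = """\
Suppress hello for 0 neighbor(s)
Cryptographic authentication enabled
  Sending SA: Key 1, Algorithm HMAC-SHA-256 - key chain ospf
"""
SAMPLE_NO_KEY = """\
Suppress hello for 0 neighbor(s)
Cryptographic authentication enabled
  No key configured, using default key id 0
"""


def classify_ospf_auth(show_output):
    """Return the authentication state reported for one interface."""
    result = {"enabled": False, "source": "none", "key_id": None,
              "algorithm": None, "key_chain": None}
    for raw in show_output.splitlines():
        line = raw.strip()
        if ENABLED.match(line):
            result["enabled"] = True
        elif m := YOUNGEST.match(line):
            # Key comes from `ip ospf message-digest-key <id> md5 ...`
            result.update(source="message-digest-key",
                          key_id=int(m.group(1)), algorithm="MD5")
        elif m := SENDING_SA.match(line):
            # Key comes from `ip ospf authentication key-chain <name>`
            result.update(source="key-chain", key_id=int(m.group(1)),
                          algorithm=m.group(2), key_chain=m.group(3))
        elif m := NO_KEY.match(line):
            # Authentication is on (e.g. area-wide) but no key is set here
            result.update(source="no-key", key_id=int(m.group(1)))
    return result
```

An interface that returns `source == "no-key"` is the case one poster describes as risking adjacency problems when authentication is enabled for the whole area.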
Community vote distribution
A (35%)
C (25%)
B (20%)