OSPF Authentication

Jan 21st, 2008

To enable OSPF MD5 authentication, is it necessary to run it under all interfaces of a router?


If I don't enable it under an interface (and enable it under the router process and the rest of the interfaces), will that interface's network not be advertised to the rest of the network? E.g., if a LAN switch is connected to an interface on which users are connected and I don't enable authentication on that typical interface, then?


s.arunkumar Mon, 01/21/2008 - 01:03

It's not mandatory that all interfaces run authentication even if you have configured it under the OSPF process, but it's mandatory that it be configured on all neighbors reached through that interface; otherwise the adjacency will not be formed.


arun

massimiliano.se... Mon, 01/21/2008 - 01:04

Hi,

Here is an example, "Sample Configuration for Authentication in OSPF": http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080094069.shtml

If I understand your question well, the answer is: "The network will be advertised; the method for not advertising the network is by route map... that is, a selection of routes that must be advertised".

I hope this helps.

Best regards.

Massimiliano.


shrikar.dange Mon, 01/21/2008 - 01:07

Hi,


The authentication type must be the same for all routers and access servers in an area. The authentication password for all OSPF routers on a network must be the same if they are to communicate with each other via OSPF. Use the ip ospf authentication-key interface command to specify this password.

If you enable MD5 authentication with the message-digest keyword, you must configure a password with the ip ospf message-digest-key interface command.

To remove the authentication specification for an area, use the no form of this command with the authentication keyword.


You typically enable authentication for an area, not for a specific interface. The authentication affects the communication between the routers of the authenticated area, not between the users and switches.


HTH,


regards,


shri :)

Pavel Bykov Mon, 01/21/2008 - 02:01

Yes, the authentication is for ESTABLISHING neighbor relations - i.e. when they see each other, they authenticate before actually exchanging the routes.


Advertising routes is a process of an already established neighborship relation. After it is established and neighbors are authenticated, inside that relation they exchange information in those relations. In this phase the interface authentication setting is not important and does not play a role.

Amit Singh Mon, 01/21/2008 - 03:27

Hi Munawar,


As per the RFC, there is no area authentication in OSPF. It is Cisco who have implemented the area authentication concept. Typically, as per the RFC, the authentication is done per interface, and if you don't enable the authentication on an interface connected to the OSPF neighbor, the adjacency will break down. The network under the interface will still be advertised though.


regards,

-amit singh


Edison Ortiz Mon, 01/21/2008 - 09:07

You can enable OSPF MD5 under the interface or under the OSPF routing process.


If you were to enable under the routing process, all OSPF speaking devices on that area must also have OSPF MD5 enabled.


If you were to enable under the interface, only the OSPF speaking devices on that segment need to have OSPF MD5 enabled.


Usually, when migrating from non-authenticated OSPF to authenticated OSPF, it's recommended to configure OSPF interface authentication since this migration path is more controlled. Imagine having 100+ OSPF speaking devices in one area and having to enable area authentication in all of them at once.


HTH,




Edison.
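
The two methods discussed in this thread, side by side, as an added Cisco IOS configuration sketch that is not taken from any of the posts above. Router names, interface names, addresses and the `<SHARED-KEY>` placeholder are constructed for illustration; R1 enables MD5 for the whole area under the routing process, R2 enables it only on the shared segment, and the two still form an adjacency because the authentication type, key ID and key match on that link.

```cisco
! ---- R1: MD5 enabled for the whole area under the OSPF process ----
router ospf 1
 network 10.0.12.0 0.0.0.255 area 0
 network 192.168.10.0 0.0.0.255 area 0
 area 0 authentication message-digest
!
interface GigabitEthernet0/0
 description Link to R2 (OSPF neighbor on this segment)
 ip address 10.0.12.1 255.255.255.0
 ! The key is always configured per interface, even with area authentication
 ip ospf message-digest-key 1 md5 <SHARED-KEY>
!
interface GigabitEthernet0/1
 description User LAN behind a switch, no OSPF neighbors
 ip address 192.168.10.1 255.255.255.0
 ! No neighbor here, so no adjacency depends on this interface's key.
 ! 192.168.10.0/24 is still advertised to R2 over the authenticated link.
!
! ---- R2: MD5 enabled on the shared segment only ----
router ospf 1
 network 10.0.12.0 0.0.0.255 area 0
!
interface GigabitEthernet0/0
 description Link to R1
 ip address 10.0.12.2 255.255.255.0
 ! Interface-level setting; type, key ID and key must match R1 on this link
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 <SHARED-KEY>
!
! ---- Verification on either router ----
! show ip ospf interface GigabitEthernet0/0   (reports message digest authentication and the key ID in use)
! show ip ospf neighbor                       (neighbor should reach FULL state)
```

If the adjacency does not come up after the change, compare the authentication type and key ID on both ends of the segment before anything else, since a mismatch on either one prevents the neighbors from accepting each other's packets.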
