OSPF Authentication in Enterprise Network

Mar 25th, 2009


I have a network of 150 offices connected to my core routers. The routing protocol used is OSPF, but no authentication is enabled so far.

Now I am planning to enable OSPF authentication. Please let me know how I should plan this activity, since the neighborship will be down as soon as I enable authentication on the core.

Please help me out how to plan this activity.



Joseph W. Doherty Thu, 03/26/2009 - 04:40

First, work from the outside in. I.e., change the outermost routers first, and work in hop by hop layers. As you change each router, it will drop off (from OSPF) toward the center but should reconnect with routers further out. When you get to the center, all routers should be good.

Process can be sped up if you have some type of scripting tool or management tool that can change configs. Again, important you change routers in such a way that any and all further out routers downstream of router being changed have already been changed.

If you want to minimize impact to whole OSPF domain, you can target one OSPF area at a time since authentication is per area.

You could also consider whether to just convert to authentication or authentication and passwords at the same time.

waridtel.com Thu, 03/26/2009 - 05:33

Dear Joseph,

Thanks for the reply. You mean to say that first of all configuration will start from the access sites and then configuration will start changing from the core. Please correct me if I am wrong.

Yes, I will start from one OSPF area initially.



Joseph W. Doherty Thu, 03/26/2009 - 06:06

Unclear to me your statement "You mean to say that first of all configuration will start from the access sites and then configuration will start changing from the core."

When you change the router's OSPF area attributes, that router will no longer OSPF connect with unlike routers. If you change the core/inner first, you'll be unable to easily connect to any further out routers, until they too are changed. (You should be able to connect from immediately connected OSPF routers.)

If you start with the most distant first, they will drop off (OSPF with the core), but you should still be able to easily connect to those yet not changed.


(OSPF core) R1-R2-R3 (OSPF edge)

If you change R1 first, it makes it difficult to connect to R2 or R3. But if you change R3 first, you can still easily connect to R2. Change it, and you still can connect to R1. Change R1, and R2 and R3 should be reachable again.
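
The ordering described in the post above, as an added example that is not part of the original thread: it derives an edge-first change order from a link list and simulates which routers lose their OSPF path from the core before they can be changed. The topology, the function names, the rule that an adjacency is up only when both ends have the same authentication setting, and management from the core router are assumptions of this sketch.

```python
from collections import deque

def hops_from_core(links, core):
    """Breadth-first hop count from the core router over physical links."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    dist, queue = {core: 0}, deque([core])
    while queue:
        node = queue.popleft()
        for peer in sorted(adj[node]):
            if peer not in dist:
                dist[peer] = dist[node] + 1
                queue.append(peer)
    return adj, dist

def edge_first_order(links, core):
    """Change order: farthest routers first, the core last."""
    _, dist = hops_from_core(links, core)
    return sorted(dist, key=lambda r: (-dist[r], r))

def stranded_routers(links, core, order):
    """Routers with no working OSPF path from the core when their turn comes.
    Model (assumption): an adjacency is up only when both ends have the same
    authentication setting, and the operator manages the network from `core`.
    """
    adj, _ = hops_from_core(links, core)
    changed, stranded = set(), []
    for target in order:
        seen, queue = {core}, deque([core])
        while queue:
            node = queue.popleft()
            for peer in adj[node]:
                if peer not in seen and (node in changed) == (peer in changed):
                    seen.add(peer)
                    queue.append(peer)
        if target not in seen:
            stranded.append(target)
        changed.add(target)
    return stranded

# Constructed topology: the thread's R1-R2-R3 chain plus a second edge site R4.
LINKS = [("R1", "R2"), ("R2", "R3"), ("R2", "R4")]

if __name__ == "__main__":
    plan = edge_first_order(LINKS, "R1")
    print("edge-first:", plan, "stranded:", stranded_routers(LINKS, "R1", plan))
    print("core-first:", plan[::-1], "stranded:", stranded_routers(LINKS, "R1", plan[::-1]))
```

A non-empty stranded list means those routers would have to be reached hop by hop from a directly connected neighbor rather than over OSPF-learned routes.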

waridtel.com Thu, 03/26/2009 - 07:59

Yes, I meant to say the same thing, that is, start from distant routers first, then go towards the core.


