I have a few routers on OSPF Area 0. Currently no OSPF authentication is configured.
I'm going to enable OSPF MD5 authentication on only a few routers and selected interfaces only, with the following interface config commands:
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 testkey
My question is, do I also need to configure the router config command "area 0 authentication message-digest" on the routers? Without this command, OSPF adjacency seems to be successfully established between two neighboring routers enabled with MD5 authentication (on a per-interface basis).
"The area authentication message-digest command in this configuration enables authentication for all of the router interfaces in a particular area. You can also use the ip ospf authentication message-digest command under the interface to configure MD5 authentication for the specific interface. This command can be used if a different authentication method or no authentication method is configured under the area to which the interface belongs. It overrides the authentication method configured for the area. This is useful if different interfaces that belong to the same area need to use different authentication methods."
Let's say, a router currently is not configured to do any OSPF authentication and it successfully establishes adjacencies with other neighbor routers.
If I add the router config command "area 0 authentication message-digest" on the above router but have not configured "ip ospf authentication message-digest" and "ip ospf message-digest-key" on interfaces, will existing adjacencies on Area 0 be torn down?
I don't have routers with me now to test it but I need to know in theory.
If you add the "area 0 authentication message-digest" command, you have to configure all routers in area 0, or "in theory" the adjacencies with routers that are not authenticated will go down.
The interface command overrides the area command, that is you could have an area 0 without auth, and a specific link on it with auth plain or MD5, or an area 0 with auth plain/MD5 and a specific link with auth MD5/plain ... It depends on your topology, and your goals.
Pay special attention to virtual links ;) Because of the particular nature of VLs, if you have an authenticated area 0, you have to use authentication on your VLs too.
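Added example, not part of the original thread: a small Python check that resolves the effective OSPF authentication per interface (interface command overrides the area command) and reports whether the two ends of a link would disagree. The function names and sample configs are constructed for illustration; it assumes interfaces join an area with `ip ospf <process-id> area <area-id>` rather than `network` statements, and that keys appear in cleartext as in the question.

```python
import re

AREA_RE = re.compile(r"^\s*area (\S+) authentication(?: (message-digest))?\s*$")
IF_AREA_RE = re.compile(r"^\s*ip ospf \d+ area (\S+)\s*$")
IF_AUTH_RE = re.compile(r"^\s*ip ospf authentication(?: (message-digest|null))?\s*$")
KEY_RE = re.compile(r"^\s*ip ospf message-digest-key (\d+) md5 (\S+)\s*$")
MODE = {None: "simple", "message-digest": "md5", "null": "none"}

def effective_auth(config):
    """Return {interface: (mode, key_id, key)} for OSPF interfaces in an IOS-style config."""
    area_mode, ifaces, cur = {}, {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {"area": None, "mode": None, "key": (None, None)})
        elif line and not line[0].isspace():
            cur = None  # any other top-level line ends the interface block
        if m := AREA_RE.match(line):
            area_mode[m.group(1)] = MODE[m.group(2)]
        elif cur is not None and (m := IF_AREA_RE.match(line)):
            cur["area"] = m.group(1)
        elif cur is not None and (m := IF_AUTH_RE.match(line)):
            cur["mode"] = MODE[m.group(1)]
        elif cur is not None and (m := KEY_RE.match(line)):
            cur["key"] = (m.group(1), m.group(2))
    result = {}
    for name, i in ifaces.items():
        if i["area"] is None:
            continue  # interface does not run OSPF
        mode = i["mode"] or area_mode.get(i["area"], "none")  # interface overrides area
        key = i["key"] if mode == "md5" else (None, None)
        result[name] = (mode, *key)
    return result

def check_link(cfg_a, if_a, cfg_b, if_b):
    """List reasons the two ends of one link would fail OSPF authentication."""
    a, b = effective_auth(cfg_a)[if_a], effective_auth(cfg_b)[if_b]
    if a[0] != b[0]:
        return [f"auth type mismatch: {a[0]} vs {b[0]}"]
    if a[0] == "md5" and a[1:] != b[1:]:
        return ["MD5 key id or key string differs"]  # key itself is never echoed
    return []

# Constructed sample configs (assumptions, not taken from any real router)
R_AREA = "router ospf 1\n area 0 authentication message-digest\ninterface Gi0/0\n ip ospf 1 area 0\n"
R_PLAIN = "interface Gi0/0\n ip ospf 1 area 0\n"
R_IF = "interface Gi0/1\n ip ospf 1 area 0\n ip ospf authentication message-digest\n ip ospf message-digest-key 1 md5 testkey\n"

if __name__ == "__main__":
    print(check_link(R_AREA, "Gi0/0", R_PLAIN, "Gi0/0"))  # area-only MD5 vs unauthenticated neighbor
    print(check_link(R_IF, "Gi0/1", R_IF, "Gi0/1"))        # interface-level MD5 on both ends
```

Running it over saved configs before a change window shows which links need the same change on the far end.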