Implementing OSPF authentication on an already converged network

scottsassin
Level 1

My company has a very complex network. We are running ospf, and wish to implement ospf with authentication. How can we do this without breaking the ospf routing we have in place currently? 

Is it possible?

In the future, we want to do the same thing with BGP.

Accepted Solution

premkumarjm
Level 1

Hi Scott,

In my lab scenario, I have configured OSPF authentication in area 1 and added a new network in the same area 1. OSPF terminates the neighbor if the dead timer has expired; it decrements the count from 40. If the neighbor is up, it will respond before 30 and the neighbor will be in active state. You have 40 sec of dead timer, and you can configure OSPF authentication on both sides to enable authentication in the respective area without any hitches.

I have attached the logs from during the configuration; the OSPF neighbors were not disconnected.

Hope this would be useful.

BR

Prem


Francesco Molino
VIP Alumni

Hi

To migrate from non-authenticated to authenticated OSPF neighbors, best practice is to do authentication on interfaces. However, if by "without breaking" you mean with no disruption (down peering), it will be difficult without creating sub-interfaces and doing parallel peering with a password. You will have a few seconds of downtime if you prepare configs.

Hope this is answering your question.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question


I just checked, and the Nexus switches I am using have a dead timer of 4 seconds.

interface Vlan996
no ip redirects
ip address 10.226.96.3/24
ip ospf hello-interval 1
ip router ospf 907 area 0.0.0.0

NMCB-DC01-R902# sho ip ospf 907 interface vlan 996

Timer intervals: Hello 1, Dead 4, Wait 4, Retransmit 5

Can I change the dead timer to 40? If so, how? Will this affect the routing?

You can change dead timer by issuing the command:

ip ospf dead-interval seconds


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
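Prem's point that the dead timer gives a window in which both ends can be switched to authentication, and Scott's concern that a 1 s hello / 4 s dead timer leaves almost no window, can be checked with a small model of one adjacency. This is an added example, not code from this thread or from Cisco. It assumes both routers send a hello every `hello` seconds from t=0, that a hello is accepted only when sender and receiver have the same authentication setting at that instant (so a mismatch in authentication type, including "authentication on, no key yet", is dropped), and that the adjacency is lost when `dead` seconds pass without an accepted hello. The names `Side`, `adjacency_survives` and `safe_change_window` are mine.

```python
"""Model of one OSPF adjacency while authentication is switched on.

Added example for this thread, not code from the thread or from Cisco.
Assumptions: both routers send a hello every `hello` seconds starting at
t=0; a hello is accepted only when sender and receiver have the same
authentication setting at that instant (a type or key mismatch is dropped);
the adjacency is lost when `dead` seconds pass without an accepted hello.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Side:
    name: str
    auth_enabled_at: float  # seconds after t=0 when this side enables auth


def auth_active(side: Side, t: float) -> bool:
    """True once authentication has been configured on this side."""
    return t >= side.auth_enabled_at


def accepted_hellos(receiver: Side, sender: Side, hello: float, horizon: float) -> list:
    """Times at which `receiver` accepts a hello from `sender` under the model."""
    times = []
    k = 0
    while k * hello <= horizon:
        t = k * hello
        if auth_active(sender, t) == auth_active(receiver, t):
            times.append(t)
        k += 1
    return times


def adjacency_survives(a: Side, b: Side, hello: float, dead: float,
                       horizon: float = 120.0) -> bool:
    """False if either side's dead timer expires before `horizon`.

    The adjacency is assumed to be up at t=0, so each dead timer starts
    counting from 0 and is reset by every accepted hello.
    """
    for receiver, sender in ((a, b), (b, a)):
        last_reset = 0.0
        for t in accepted_hellos(receiver, sender, hello, horizon):
            if t - last_reset >= dead:
                return False
            last_reset = t
        if horizon - last_reset >= dead:
            return False
    return True


def safe_change_window(hello: float, dead: float) -> float:
    """Largest gap between the two enable times that the model always tolerates.

    Worst case: side A enables just after a hello, so its last accepted
    hello is up to one `hello` old, and side B's first matching hello can
    be up to one `hello` after B enables. Both must fit inside one dead
    interval, which leaves dead - 2*hello for the operator.
    """
    return dead - 2 * hello


if __name__ == "__main__":
    a, b = Side("A", auth_enabled_at=2.5), Side("B", auth_enabled_at=5.2)
    # Scott's NX-OS timers (hello 1, dead 4) versus Prem's lab (dead 40)
    print("hello 1 / dead 4 :", adjacency_survives(a, b, hello=1.0, dead=4.0))
    print("hello 1 / dead 40:", adjacency_survives(a, b, hello=1.0, dead=40.0))
    print("safe window with dead 4 :", safe_change_window(1.0, 4.0), "s")
    print("safe window with dead 40:", safe_change_window(1.0, 40.0), "s")
```

With Scott's timers the two enable times have to fall within about 2 s of each other for the adjacency to hold; raising the dead interval to 40 as Francesco describes widens that to 38 s, which is the margin Prem was relying on in his lab. The model treats a hello with mismatched authentication as silently dropped, which is why enabling authentication on one end and then waiting is no different from having no key at all.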

Leaving the hello interval alone, I change the dead timer to 40. The dead timer then expires, even though it was previously set to 4 seconds, and the hello is still set to 1.

I am doing this on our lab equipment.

So I did a couple of experiments and your method *did* work when there are only a couple of routers involved.  The bigger problem is when you have a rather large OSPF network and you turn on authentication to begin with. Even if no password is defined yet, the connections break when you turn on authentication... and the breakage spreads throughout your network.

I have been unable to come up with a way to turn on authentication across a >100 router network without huge sections going dark for long periods of time (which isn't acceptable). So I'm trying to come up with something better.  At first I tried just turning on authentication without passwords, intending to do that on a per interface basis (which is still difficult when there are 10+ routers on a few segments).  So far I haven't figured out a reasonable transition mechanism.

Anyone else have any better suggestions that deal with real world networks and not a PtP lab experiment?


Marcos


"Anyone else have any better suggestions that deal with real world networks and not a PtP lab experiment?"

Possibly. We desired to change our OSPF area numbers, with minimum outage/downtime.

We used two different approaches, both worked. One approach used was we had a script that walked from device to device, telnetting between L3 routers on their adjacent interfaces. The script would work its way down from a root node to a leaf node, change the leaf, and back up. All the L3 devices fell out of the existing area until the last link on the root device interface was changed, and then the whole subtree would come back into the topology.

The other approach used a scheduled script, on each L3 device to make configuration changes at the same time. In this case, all the devices would drop and come back on-line at about the same time. (Generally, this approach took much, much less time to effect the actual change, but not all devices we had supported local device scheduled scripts, so you had to change those manually. Also, with this approach, if you programmed the devices incorrectly, you generally only discovered that after the fact, and then it was much harder to correct.)
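The root-to-leaf walk described in the first approach is, in planning terms, a post-order traversal of a spanning tree: every device is changed only after everything below it, so the root's own interface goes last and the whole subtree rejoins at once. The following is an added example, not the script from this post. It assumes the L3 topology is given as a constructed list of links (a sample is embedded), that the spanning tree is taken breadth-first from a chosen root, and it only produces the order; the device access (the telnetting the post mentions) is left out. The names `spanning_tree`, `change_order` and `plan_is_valid` are mine.

```python
"""Change-order planner for a tree-walk migration of OSPF settings.

Added example, not the script from the thread. Assumptions: the L3
topology is a constructed list of links; a spanning tree is taken from a
chosen root; a device is reconfigured only after every device below it has
been done, so the root's own interface is changed last and the whole
subtree comes back into the topology at once.
"""
from collections import defaultdict

# Constructed sample topology: (device, device) links, including one
# redundant link (acc1-acc2) that the spanning tree will not use.
SAMPLE_LINKS = [
    ("core1", "dist1"), ("core1", "dist2"),
    ("dist1", "acc1"), ("dist1", "acc2"),
    ("dist2", "acc3"), ("acc1", "acc2"),
]


def spanning_tree(links, root):
    """Breadth-first spanning tree; returns {device: parent} with root -> None."""
    adj = defaultdict(list)
    for a, b in links:
        adj[a].append(b)
        adj[b].append(a)
    parent = {root: None}
    queue = [root]
    for node in queue:  # the list grows while we iterate; that is the BFS queue
        for neighbour in sorted(adj[node]):
            if neighbour not in parent:
                parent[neighbour] = node
                queue.append(neighbour)
    return parent


def change_order(links, root):
    """Post-order walk of the spanning tree: leaves first, root last.

    Each entry is (device, uplink) where uplink is the parent whose link
    to this device is reconfigured at that step (None for the root).
    """
    parent = spanning_tree(links, root)
    children = defaultdict(list)
    for node, p in parent.items():
        if p is not None:
            children[p].append(node)
    plan = []

    def visit(node):
        for child in sorted(children[node]):
            visit(child)
        plan.append((node, parent[node]))

    visit(root)
    return plan


def plan_is_valid(plan, root):
    """Every device must appear after all of its children, and the root last."""
    position = {device: i for i, (device, _) in enumerate(plan)}
    for device, uplink in plan:
        if uplink is not None and position[uplink] <= position[device]:
            return False
    return plan[-1][0] == root


if __name__ == "__main__":
    for step, (device, uplink) in enumerate(change_order(SAMPLE_LINKS, "core1"), 1):
        suffix = f" (uplink to {uplink})" if uplink else " (root, last)"
        print(f"{step}: reconfigure {device}{suffix}")
```

Devices that are not on the spanning tree path to the root (here the redundant acc1-acc2 link) still get reconfigured, but only the tree links decide the order; a redundant link that stays on the old settings is what produces the sub-optimal paths the reply further down warns about, so it is worth listing those separately before the change.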

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

You're asking about converting an OSPF area from not authenticated to authenticated, not just activating passwords on an OSPF interface?  If so, understand you're doing the equivalent of assigning a new area number.

By "breaking", you mean without causing any service interruption?  If so, much depends on the topology of your network.  Unless you have redundant paths, you'll likely cause brief network connectivity hits, and with brief hits, or with redundant paths, you may also have sub-optimal path selection.

premkumarjm
Level 1

Hi Scott,

I am glad that my answer was helpful. Thank you for using the rating system to mark this question as answered.

Prem.
