05-17-2016 03:07 PM - edited 03-08-2019 05:48 AM
My company has a very complex network. We are running OSPF and wish to implement OSPF with authentication. How can we do this without breaking the OSPF routing we currently have in place?
Is it possible?
In the future, we want to do the same thing with BGP.
05-18-2016 11:12 PM
Hi Scott,
In my lab scenario, I have configured OSPF authentication in area 1 and added a new network in the same area 1. OSPF terminates the neighbor if the dead timer has expired; it decrements the count from 40. If the neighbor is up, it will respond before 30 and the neighbor will be in the active state. You have 40 sec of dead timer, and you can configure OSPF authentication on both sides to enable authentication in the respective area without any hitches.
I have attached the logs taken during the configuration; the OSPF neighbors were not disconnected.
Hope this would be useful.
BR
Prem
05-17-2016 05:37 PM
Hi
To migrate from non-authenticated to authenticated OSPF neighbors, best practice is to do authentication on interfaces. However, if by "without breaking" you mean with no disruption (down peering), it will be difficult without creating sub-interfaces and doing parallel peering with a password. You will have a few seconds of downtime if you prepare the configs.
Hope this is answering your question.
05-19-2016 11:16 AM
I just checked, and the Nexus switches I am using have a dead timer of 4 seconds.
interface Vlan996
no ip redirects
ip address 10.226.96.3/24
ip ospf hello-interval 1
ip router ospf 907 area 0.0.0.0
NMCB-DC01-R902# sho ip ospf 907 interface vlan 996
Timer intervals: Hello 1, Dead 4, Wait 4, Retransmit 5
Can I change the dead timer to 40? If so, how? Will this affect the routing?
05-19-2016 12:51 PM
You can change dead timer by issuing the command:
ip ospf dead-interval seconds
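A small model of the timing window Prem describes, added here as an example and not taken from any post in the thread. It assumes Hellos are sent on exact multiples of the hello interval, that Hellos are discarded in both directions while only one side of a link has authentication enabled, and that no extra Hello is sent on reconfiguration; OspfTimers, adjacency_survives and guaranteed_window are names chosen for this example.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class OspfTimers:
    hello: float  # seconds between Hello packets
    dead: float   # seconds without an accepted Hello before the neighbor is declared down


def last_accepted_tick(t: float, hello: float) -> float:
    """Latest Hello send time strictly before t (Hellos assumed at 0, hello, 2*hello, ...)."""
    return math.ceil(t / hello) * hello - hello


def next_tick(t: float, hello: float) -> float:
    """First Hello send time at or after t."""
    return math.ceil(t / hello) * hello


def adjacency_survives(timers: OspfTimers, t_a: float, t_b: float) -> bool:
    """True if the adjacency stays up when side A enables authentication at
    t_a and side B at t_b (seconds on a shared clock).

    Model (constructed, not from the thread): once one side has authentication
    enabled, the AuType in the OSPF header no longer matches, so Hellos are
    discarded in both directions until the second side is configured too.
    """
    first, second = sorted((t_a, t_b))
    last_ok = last_accepted_tick(first, timers.hello)  # last Hello accepted before the mismatch
    dead_expiry = last_ok + timers.dead                 # when the neighbor would be dropped
    first_ok = next_tick(second, timers.hello)          # first Hello accepted again
    return first_ok < dead_expiry


def guaranteed_window(timers: OspfTimers) -> float:
    """Largest gap between the two configuration changes that keeps the adjacency
    up regardless of where the changes fall on the Hello schedule (the worst case
    loses almost one whole Hello interval on each end)."""
    return max(0.0, timers.dead - 2 * timers.hello)


if __name__ == "__main__":
    # Timer sets from the thread: IOS defaults, the Nexus interface as shown,
    # and the Nexus interface after "ip ospf dead-interval 40".
    for name, t in [("default 10/40", OspfTimers(10, 40)),
                    ("Nexus 1/4", OspfTimers(1, 4)),
                    ("Nexus 1/40", OspfTimers(1, 40))]:
        state = "up" if adjacency_survives(t, 0.1, 29.9) else "down"
        print(f"{name}: safe window {guaranteed_window(t):.0f} s; changes 29.8 s apart -> {state}")
```

With the Nexus hello 1 / dead 4 timers the two sides must be configured within about 2 seconds of each other, which is why the adjacency drops in practice; raising the dead interval to 40 widens that window to roughly 38 seconds.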
05-27-2016 04:24 PM
Leaving the hello interval alone, I changed the dead timer to 40. The dead timer then expires, even though it was previously set to 4 seconds, and the hello is still set to 1.
I am doing this on our lab equipment.
03-19-2019 09:11 AM
So I did a couple of experiments and your method *did* work when there are only a couple of routers involved. The bigger problem is when you have a rather large OSPF network and you turn on authentication to begin with. Even if no password is defined yet, the connections break when you turn on authentication... and the breakage spreads throughout your network.
I have been unable to come up with a way to turn on authentication across a >100 router network without huge sections going dark for long periods of time (which isn't acceptable). So I'm trying to come up with something better. At first I tried just turning on authentication without passwords, intending to do that on a per interface basis (which is still difficult when there are 10+ routers on a few segments). So far I haven't figured out a reasonable transition mechanism.
Anyone else have any better suggestions that deal with real world networks and not a PtP lab experiment?
Marcos
03-19-2019 03:39 PM
05-19-2016 05:16 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
You're asking about converting an OSPF area from not authenticated to authenticated, not just activating passwords on an OSPF interface? If so, understand you're doing the equivalent of assigning a new area number.
By "breaking", you mean without causing any service interruption? If so, much depends on the topology of your network. Unless you have redundant paths, you'll likely cause brief network connectivity hits, and with brief hits, or with redundant paths, you may also have sub-optimal path selection.
05-19-2016 09:49 AM
Hi Scott,
I am glad that my answer was helpful. Thank you for using the rating system to mark this question as answered.
Prem.