OSPF area Authentication

elizer man-on
Level 1

Hi,

I am new to implementing OSPF routing, and I am a bit confused about the network statement and redistribute connected subnets advertisement. My objective here is only to authenticate or secure the OSPF neighbor. Say, for example, I have 4 VLANs configured with HSRP and I would like all four networks to be advertised in, shall we say, area 0. I will illustrate it below and implement authentication.

Scene1:

router ospf 100

router-id 172.16.1.1

area 0 authentication message-digest

network 172.16.1.0 0.0.0.3 area 0 - connected to ospf neighbor  172.16.1.2

network 192.168.5.0 0.0.0.255 area 0 - vlan 10

network 192.168.6.0 0.0.0.255 area 0 -vlan 20

network 192.168.7.0 0.0.0.255 area 0 -vlan 30

network 192.168.8.0 0.0.0.255 area 0 -vlan 40

Scene2:

router ospf 100

router-id 172.16.1.1

network 172.16.1.0 0.0.0.3 area 0 - connected to ospf  neighbor 172.16.1.2

redistribute connected subnets

Which of the scenarios above is best to implement?

BR,

Elly.

3 Replies

cadet alain
VIP Alumni

Hi,

In scenario 1 the prefixes will be intra-area prefixes (O routes) and in the second scenario they will be external prefixes (OE2 routes).

In scenario 2 the router will be an ASBR, so you will be able to summarize the prefixes with the summary-address command.

The preferred scenario will depend upon your constraints, what you want to achieve and how you want to achieve it.

Regards

Alain

Don't forget to rate helpful posts.


blau grana
Level 7

Hello Elizer,

Scenario 3:

router ospf 100

router-id 172.16.1.1

area 0 authentication message-digest

passive-interface default

no passive-interface interface_XYZ

interface XYZ

desc ospf neighbor

ip add 172.16.0.1 255.255.255.252

ip ospf 100 area 0

ip ospf message-digest-key 1 md5 PASSWORD

interface VLAN10

ip add 192.168.5.1 255.255.255.0

ip ospf 100 area 0

ip ospf message-digest-key 1 md5 PASSWORD

interface VLAN20

ip add 192.168.6.1 255.255.255.0

ip ospf 100 area 0

ip ospf message-digest-key 1 md5 PASSWORD

interface VLAN30

ip add 192.168.7.1 255.255.255.0

ip ospf 100 area 0

ip ospf message-digest-key 1 md5 PASSWORD

interface VLAN40

ip add 192.168.8.1 255.255.255.0

ip ospf 100 area 0

ip ospf message-digest-key 1 md5 PASSWORD

Maybe the configuration is a little bit longer, but you have more control over the OSPF process and advertisement (hello, subnets...).

If you do not like this config, I would choose scenario 1, because if you do redistribution, your LAN subnets will become external OSPF routes.

But it all depends on your requirements.

Best Regards

Please rate all helpful posts and close solved questions


Hello,

Authentication is for securing adjacencies; you need to verify that authentication has been enabled on every router which has an interface in the specific area you have enabled it on.

Also, each interface with authentication has to have the correct password.

In your case, in scene 1, you have enabled authentication in the backbone area 0 with the most secure method of MD5, so any interfaces with neighboring routers will also require authentication applied.

int x/x

ip ospf message-digest-key X md5 "password"

router ospf 100

area 0 authentication message-digest

Scene 2 has no authentication.

You can check this by -

sh ip ospf | in auth

As for the redistribute connected subnets:

Scene 1 is advertising as internal intra-area routes
Scene 2 is advertising your routes into OSPF as external type 2 routes

res

Paul

Please don't forget to rate this post if it has been helpful.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community's global network.

Kind Regards
Paul
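
One way to run the check described in the last reply offline (every non-passive interface in an MD5-authenticated area carries a key, and no active interface sits in an area without authentication), as an added example that is not part of any post in this thread. The sample configuration, the key placeholder and the function names are constructed for illustration; it assumes a single OSPF process and area-level authentication only.

```python
import ipaddress
import re

# Constructed sample, not from the thread: Vlan30 is active in area 0 but has no key.
SAMPLE = """\
router ospf 100
 area 0 authentication message-digest
 passive-interface default
 no passive-interface GigabitEthernet0/1
 no passive-interface Vlan30
 network 192.168.7.0 0.0.0.255 area 0
interface GigabitEthernet0/1
 ip address 172.16.1.1 255.255.255.252
 ip ospf 100 area 0
 ip ospf message-digest-key 1 md5 EXAMPLE-KEY
interface Vlan10
 ip address 192.168.5.1 255.255.255.0
 ip ospf 100 area 0
interface Vlan30
 ip address 192.168.7.1 255.255.255.0
"""

def in_network(addr, net, wild):  # IOS wildcard match: bits set in wild are ignored
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    return ((a ^ n) & ~w & 0xFFFFFFFF) == 0

def audit(config):
    """Return (interface, area, issue) for each non-passive OSPF interface at risk."""
    m = re.search(r"^router ospf \d+\n((?: .*\n?)*)", config, re.M)
    ospf = [l.strip() for l in m.group(1).splitlines()] if m else []
    md5 = {c.split()[1] for c in ospf if re.fullmatch(r"area \S+ authentication message-digest", c)}
    nets = [c.split() for c in ospf if re.fullmatch(r"network \S+ \S+ area \S+", c)]
    default_passive = "passive-interface default" in ospf
    findings = []
    for name, text in re.findall(r"^interface (\S+)\n((?: .*\n?)*)", config, re.M):
        cmds = [l.strip() for l in text.splitlines()]
        listed = f"passive-interface {name}"
        passive = f"no {listed}" not in ospf if default_passive else listed in ospf
        area = next((c.split()[-1] for c in cmds if re.fullmatch(r"ip ospf \d+ area \S+", c)), None)
        addr = next((c.split()[2] for c in cmds if re.fullmatch(r"ip address \S+ \S+", c)), None)
        if area is None and addr:  # no interface-level command: try the network statements
            area = next((n[4] for n in nets if in_network(addr, n[1], n[2])), None)
        if area is None or passive:
            continue  # not in OSPF, or passive (sends no hellos, forms no adjacency)
        if area not in md5:
            findings.append((name, area, "area-not-md5"))
        elif not any(c.startswith("ip ospf message-digest-key ") for c in cmds):
            findings.append((name, area, "missing-md5-key"))
    return findings
```

Calling `audit(SAMPLE)` reports only Vlan30: the passive Vlan10 is skipped because it never forms an adjacency, and a configuration shaped like Scene 2 is reported as `area-not-md5` on its neighbor-facing interface.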