Is it necessary to disable OSPF authentication on interfaces in Area 0 when enabling OSPF Authentication on a Virtual Link? I’ve heard arguments on both sides, so I decided to try it out and I discovered that Authentication wasn’t automatically enabled on my Area 0 links when Authentication was enabled on the Virtual-link. Therefore I didn’t have to specify “ip ospf authentication null” on the Area 0 interfaces:
Topology: R3 --- (Transit area 134) --- R1 --- (Area 0) --- SW1
R1 OSPF Interfaces:
OSPF_VL0 is up, line protocol is up <-- Virtual-link facing R3
Internet Address 187.29.134.1/24, Area 0
Process ID 1, Router ID 150.29.1.1, Network Type VIRTUAL_LINK, Cost: 65
Configured as demand circuit.
Run as demand circuit.
DoNotAge LSA allowed.
Transmit Delay is 1 sec, State POINT_TO_POINT
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:05
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 1/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 3
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 150.29.3.3 (Hello suppressed)
Suppress hello for 1 neighbor(s)
Simple password authentication enabled <-- OSPF Simple Auth enabled
FastEthernet0/0 is up, line protocol is up <-- Facing SW1
Internet Address 187.29.17.1/24, Area 0
Process ID 1, Router ID 150.29.1.1, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 150.29.1.1, Interface address 187.29.17.1
Backup Designated router (ID) 150.29.7.7, Interface address 187.29.17.7
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:05
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 2/3, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 0, maximum is 9
Last flood scan time is 0 msec, maximum is 4 msec
Neighbor Count is 1, Adjacent neighbor count is 1 <-- No indication that Auth is enabled
Adjacent with neighbor 150.29.7.7 (Backup Designated Router)
Suppress hello for 0 neighbor(s)
R1 Config:
router ospf 1
 router-id 150.29.1.1
 area 134 virtual-link 150.29.3.3 authentication authentication-key CISCO
 network 150.29.1.1 0.0.0.0 area 0
 network 187.29.17.1 0.0.0.0 area 0
 network 187.29.134.1 0.0.0.0 area 134
interface FastEthernet0/0
 ip address 187.29.17.1 255.255.255.0
 ip ospf mtu-ignore
R1 Debugs:
Jan 27 15:56:07.550: OSPF: rcv. v:2 t:1 l:48 rid:150.29.7.7
aid:0.0.0.0 chk:3014 aut:0 auk: from FastEthernet0/0 <-- No Auth received from SW1 on fa0/0 in Area 0
Jan 27 16:00:00.518: OSPF: rcv. v:2 t:1 l:48 rid:150.29.3.3
aid:0.0.0.0 chk:9B5B aut:1 auk: from Serial0/0/0.134 <-- Simple (1) Auth received from R3 on the Virtual-link
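The AuType (`aut:`) field in debug lines like these can be tallied per neighbor to check which Area 0 adjacencies are actually authenticated. This is an added example, not part of the original post; the function names are hypothetical and the sample is constructed from the two debug entries above with the annotations stripped.

```python
import re
from collections import defaultdict

# AuType values from the OSPFv2 packet header (RFC 2328, Appendix D).
AUTYPE = {0: "null", 1: "simple password (cleartext)", 2: "cryptographic"}

# Constructed sample: the two debug entries shown above, annotations removed,
# original two-line wrapping kept.
SAMPLE = """\
Jan 27 15:56:07.550: OSPF: rcv. v:2 t:1 l:48 rid:150.29.7.7
      aid:0.0.0.0 chk:3014 aut:0 auk: from FastEthernet0/0
Jan 27 16:00:00.518: OSPF: rcv. v:2 t:1 l:48 rid:150.29.3.3
      aid:0.0.0.0 chk:9B5B aut:1 auk: from Serial0/0/0.134
"""

PACKET = re.compile(
    r"OSPF: rcv\. v:(?P<ver>\d+) t:(?P<type>\d+) l:(?P<len>\d+) "
    r"rid:(?P<rid>[\d.]+) aid:(?P<aid>[\d.]+) chk:(?P<chk>[0-9A-Fa-f]+) "
    r"aut:(?P<aut>\d+) auk:\s*(?P<auk>.*?)\s*from (?P<intf>\S+)"
)

def parse_debug(text):
    """Return one dict per received OSPF packet found in the debug text."""
    # Each entry wraps onto a continuation line, so collapse whitespace first.
    flat = re.sub(r"\s+", " ", text)
    packets = []
    for m in PACKET.finditer(flat):
        p = m.groupdict()
        p["aut"] = int(p["aut"])
        packets.append(p)
    return packets

def autype_by_neighbor(packets):
    """Map (interface, area ID, neighbor RID) -> set of AuType values seen."""
    seen = defaultdict(set)
    for p in packets:
        seen[(p["intf"], p["aid"], p["rid"])].add(p["aut"])
    return dict(seen)

def unauthenticated(packets):
    """Neighbors that sent at least one packet with AuType 0 (null)."""
    return sorted(k for k, v in autype_by_neighbor(packets).items() if 0 in v)

if __name__ == "__main__":
    for (intf, aid, rid), types in autype_by_neighbor(parse_debug(SAMPLE)).items():
        names = ", ".join(AUTYPE.get(t, f"unknown ({t})") for t in sorted(types))
        print(f"{intf:18} area {aid:8} neighbor {rid:12} AuType: {names}")
```

Both packets carry area ID 0.0.0.0, so the AuType has to be compared per neighbor and receiving interface rather than per area.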
SW1 Config:
interface Vlan17
 ip address 187.29.17.7 255.255.255.0
 ip pim sparse-mode
Vlan17 is up, line protocol is up
Internet Address 187.29.17.7/24, Area 0
Process ID 1, Router ID 150.29.7.7, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 150.29.1.1, Interface address 187.29.17.1
Backup Designated router (ID) 150.29.7.7, Interface address 187.29.17.7
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:06
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 3
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1 <-- No indication of Authentication
Adjacent with neighbor 150.29.1.1 (Designated Router)
Suppress hello for 0 neighbor(s)
Rack29SW1#show ip ospf
Routing Process "ospf 1" with ID 150.29.7.7
Supports only single TOS(TOS0) routes
Supports opaque LSA
It is an area border router
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
Number of external LSA 9. Checksum Sum 0x02BAB4
Number of opaque AS LSA 0. Checksum Sum 0x000000
Number of DCbitless external and opaque AS LSA 0
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 2. 2 normal 0 stub 0 nssa
External flood list length 0
Area BACKBONE(0)
Number of interfaces in this area is 2
Area has no authentication <-- No Authentication
SPF algorithm executed 20 times
Area ranges are
Number of LSA 16. Checksum Sum 0x102F28
Number of opaque link LSA 0. Checksum Sum 0x000000
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 9
Flood list length 0
Any thoughts?
