Cisco A9K-SIP-700 Routing Configuration Guide

Cisco A9K-SIP-700
702 pages
Note: MD5 authentication supports multiple keys, requiring that a key number be associated with a key.
See OSPF Authentication Message Digest Management, on page 432.
Authentication Strategies
Authentication can be specified for an entire process or area, or on an interface or a virtual link. An interface
or virtual link can be configured for only one type of authentication, not both. Authentication configured for
an interface or virtual link overrides authentication configured for the area or process.
If you intend for all interfaces in an area to use the same type of authentication, use the authentication
command in the area configuration submode (and specify the message-digest keyword if you want the entire
area to use MD5 authentication). This strategy requires fewer commands than specifying authentication for
each interface.
Key Rollover
To support changing an MD5 key in an operational network without disrupting OSPF adjacencies (and
hence the topology), a key rollover mechanism is supported. While a network administrator configures the new
key on the networking devices that communicate with each other, there is a period during which some devices
use the new key and others still use the old key. If an interface is configured with a new key, the software
sends two copies of the same packet, one authenticated with the old key and one with the new key. The software
tracks which devices start using the new key, and stops sending duplicate packets after it detects that all of
its neighbors are using the new key. The software then discards the old key. The network administrator must
then remove the old key from the configuration file of each router.
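An added example, not from the Cisco guide: a Python audit that resolves the authentication type actually in effect on each interface using the override order described under Authentication Strategies, and flags interfaces that still carry more than one MD5 key, as discussed under Key Rollover. The configuration text is a constructed sample; the `message-digest-key` and `null` lines and the one-space-per-level indentation are assumptions about the configuration layout, and only keys configured under the interface are counted.

```python
# Constructed IOS XR-style sample (not from the guide); key strings are placeholders.
SAMPLE = """\
router ospf 1
 authentication message-digest
 area 0
  interface GigabitEthernet0/0/0/0
   message-digest-key 1 md5 encrypted PLACEHOLDER
  interface GigabitEthernet0/0/0/1
   authentication null
 area 1
  authentication
  interface GigabitEthernet0/0/0/2
   authentication message-digest
   message-digest-key 1 md5 encrypted PLACEHOLDER
   message-digest-key 2 md5 encrypted PLACEHOLDER
  interface GigabitEthernet0/0/0/3
"""

KINDS = {"message-digest": "md5", "null": "none"}  # bare "authentication" = plain text

def effective_auth(config):
    """Map each interface to (auth type in effect, key ids configured on it)."""
    proc, areas, intfs, area, intf = {}, {}, {}, None, None
    for line in config.splitlines():
        words = line.split()
        if not words or words[0] == "!":
            continue
        depth = len(line) - len(line.lstrip())  # 1=process, 2=area, 3=interface
        if words[0] == "area" and depth == 1:
            area = areas.setdefault(words[1], {})
        elif words[0] == "interface" and depth == 2:
            intf = intfs[words[1]] = {"area": area, "keys": []}
        elif words[0] == "authentication":
            keyword = words[1] if len(words) > 1 else ""
            {1: proc, 2: area}.get(depth, intf)["auth"] = KINDS.get(keyword, "plain-text")
        elif words[0] == "message-digest-key" and depth == 3:
            intf["keys"].append(int(words[1]))
    # Most specific setting wins: interface, then area, then process, else none.
    return {name: (i.get("auth") or i["area"].get("auth") or proc.get("auth") or "none",
                   i["keys"]) for name, i in intfs.items()}

def findings(config):
    issues = []
    for name, (auth, keys) in effective_auth(config).items():
        if auth != "md5":
            issues.append((name, f"effective authentication is {auth}"))
        elif len(keys) > 1:
            issues.append((name, f"keys {keys} configured: rollover pending or old key left"))
    return issues
```

On the sample, the first interface inherits MD5 from the process, the second is overridden to no authentication, the third overrides the area's plain-text setting with MD5 but holds two keys, and the fourth inherits plain text from its area.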
Neighbors and Adjacency for OSPF
Routers that share a segment (Layer 2 link between two interfaces) become neighbors on that segment. OSPF
uses the hello protocol as a neighbor discovery and keepalive mechanism. The hello protocol involves receiving
and periodically sending hello packets out each interface. The hello packets list all known OSPF neighbors
on the interface. Routers become neighbors when they see themselves listed in the hello packet of the neighbor.
After two routers are neighbors, they may proceed to exchange and synchronize their databases, which creates
an adjacency. On broadcast and NBMA networks all neighboring routers have an adjacency.
OSPF strict-mode Support for BFD Dampening
Strict-mode is an OSPF BFD operation mode which keeps the neighbor in a down state until the BFD session
is up. The status of the neighbor node shows as awaiting BFD session up in the output of the show ospf
neighbor command. This will ensure that client protocols do not operate independent of the declared state of
BFD.
Restrictions
• Strict-mode and non-strict-mode operation are incompatible and will cause OSPF to never
form a neighbor relationship. Strict-mode cannot be configured on one node and default/non-strict mode
on the other. Both BFD neighbors must run IOS-XR images that support strict-mode. However, if by
Cisco ASR 9000 Series Aggregation Services Router Routing Configuration Guide, Release 5.3.x
414
Implementing OSPF