Configure OSPF neighbor authentication on an S series switch


OSPF authentication of S series switches includes area authentication and interface authentication.
1. Area authentication
Run the authentication-mode command in an OSPF area view to set the authentication mode and password for the OSPF area.
For example:
[HUAWEI] ospf 100
[HUAWEI-ospf-100] area 0
[HUAWEI-ospf-100-area-0.0.0.0] authentication-mode simple cipher huawei
To configure MD5 authentication, run the following command:
[HUAWEI-ospf-100-area-0.0.0.0] authentication-mode md5 1 cipher huawei
2. Interface authentication
Interface authentication sets the authentication mode and password used between neighboring switches. It takes priority over area authentication. Run the ospf authentication-mode command in the interface view to set the authentication mode and password for adjacent switches.
For example:
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ospf authentication-mode simple cipher huawei
To configure MD5 authentication, run the following command:
[HUAWEI-Vlanif100] ospf authentication-mode md5 1 cipher huawei
Note: When configuring area authentication or interface authentication, all switches involved must have the same authentication mode and password. If not, the switches may fail to set up an OSPF neighbor relationship.

Other related questions:
Check OSPF neighbor information on S series switches
You can run the display ospf peer command on an S series switch with OSPF configured to check whether the OSPF neighbor status is normal.
For example:
[HUAWEI] display ospf peer
OSPF Process 1 with Router ID 10.1.1.2
Neighbors
Area 0.0.0.0 interface 10.1.1.2(Vlanif100)'s neighbors
Router ID: 10.1.1.1 Address: 10.1.1.1 GR State: Normal GR State: Normal
State: Full Mode:Nbr is Slave Priority: 1
DR: 10.1.1.2 BDR: 10.1.1.1 MTU: 0
Dead timer due in 35 sec
Retrans timer interval: 5
Neighbor is up for 00:00:05
Authentication Sequence: [ 0 ]
Note: If Full is displayed in State, LSDB synchronization has been completed and the two switches have set up the full adjacency relationship.

Can I configure OSPF authentication on an interface of an S series switch
Two S series switches supporting OSPF can only use primary interface IP addresses to establish an OSPF adjacency relationship. If secondary interface IP addresses are added to the OSPF configuration, corresponding routes can be advertised.

Differences between interface authentication and area authentication for OSPF on S series switches
Rules for OSPF authentication on S series switches supporting OSPF are as follows: If an interface is configured with authentication, the authentication method configured on the interface is used. If the authentication is set to null, the interface is not authenticated. If the interface is not configured with authentication (null does not indicate no configuration), area authentication is used. If the area is not configured with authentication either, no authentication is performed.
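The precedence rules above, as an added example (not code from the original page or from Huawei): a Python script that resolves the effective OSPF authentication of each interface from a saved configuration and flags interfaces that end up unauthenticated or on simple authentication, which carries the password in cleartext. The sample configuration is constructed, <key> is a placeholder, and the script assumes interfaces are bound to areas with ospf enable in the interface view.

```python
import re
# Constructed sample configuration (not from the original page); <key> is a placeholder.
SW1 = """\
ospf 100
 area 0.0.0.0
  authentication-mode md5 1 cipher <key>
interface Vlanif100
 ospf enable 100 area 0.0.0.0
interface Vlanif200
 ospf enable 100 area 0.0.0.0
 ospf authentication-mode simple cipher <key>
interface Vlanif300
 ospf enable 100 area 0.0.0.0
 ospf authentication-mode null
"""

AUTH = re.compile(r"authentication-mode (\S+)(?: (\d+))?")  # mode, optional key ID
# Effective modes worth flagging in an audit.
WEAK = {"null": "explicitly unauthenticated", "none": "unauthenticated",
        "simple": "password sent in cleartext"}

def effective_auth(config):
    """Return {interface: (mode, key_id, source)} per the precedence rules above."""
    area_auth, if_area, if_auth = {}, {}, {}
    area = iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("area "):
            area, iface = line.split()[1], None
        elif line.startswith("interface "):
            iface, area = line.split()[1], None
        elif iface and line.startswith("ospf enable"):
            if_area[iface] = line.split()[-1]       # area the interface belongs to
        elif (m := AUTH.search(line)):
            if iface and line.startswith("ospf "):
                if_auth[iface] = m.groups()         # interface view setting
            elif area:
                area_auth[area] = m.groups()        # area view setting
    result = {}
    for name, a in if_area.items():
        if name in if_auth:                         # interface wins, including null
            result[name] = if_auth[name] + ("interface",)
        elif a in area_auth:                        # otherwise inherit from the area
            result[name] = area_auth[a] + ("area",)
        else:                                       # neither configured
            result[name] = ("none", None, "unconfigured")
    return result

def findings(auth):
    return {i: WEAK[m] for i, (m, _, _) in auth.items() if m in WEAK}
```

Running effective_auth on the configuration of both ends of a link and comparing the mode and key ID per interface also catches the mismatch described in the note on matching authentication settings.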

Can an OSPF neighbor relationship be established if the network types of the two S series switches are different
Question: Can a Full neighbor relationship be established if the network types of the two ends of an OSPF link are different?
Answer: Yes. For example, two devices are interconnected through an Ethernet link. One end of the link uses the default broadcast network type, and the other end is configured as OSPF peer-to-peer (P2P). A neighbor relationship can be established between these two devices, and they reach the Full state by exchanging their Link State Databases (LSDBs). However, no route can be learned, because OSPF devices need the LSDBs to construct a Shortest Path Tree (SPT) and the LSDBs are inconsistent: the link-state advertisements (LSAs) generated by one end describe the peer as a broadcast neighbor, while the other end describes its peer as a P2P neighbor. Therefore, no SPT can be constructed correctly and the Shortest Path First (SPF) algorithm cannot calculate the right routes either.

Why is the setup of an OSPF neighbor relationship between S series switches on a broadcast network slow
On a broadcast network, when two devices establish a 2-Way OSPF neighbor relationship, they elect the DR and BDR. Generally, the DR and BDR are elected after the Waiting timer expires, and the default value of the Waiting timer is 40s. Therefore, the setup of a Full OSPF neighbor relationship requires about 1 minute. Advertising a route to a loopback interface is useless. This is because a loopback interface cannot connect to a physical network, and traffic to a network segment cannot be routed to a loopback interface.
