Differences between interface authentication and area authentication for OSPF on S series switches


Rules for OSPF authentication on S series switches supporting OSPF are as follows:
If an interface is configured with authentication, the authentication method configured on the interface is used. If the authentication is set to null, the interface is not authenticated. If the interface is not configured with authentication (null does not indicate no configuration), area authentication is used. If the area is not configured with authentication either, no authentication is performed.

Other related questions:
What is the relationship between OSPF interface authentication and area authentication?
The basic principles of OSPF authentication are as follows: If authentication is configured on the interface, the authentication on the interface is used. If null is configured on the interface, no authentication is performed on the interface. If no authentication is configured on the interface (null does not mean that no authentication is configured), the authentication configured on the area is used. If no authentication is configured on the area either, no authentication is performed.

Can I configure OSPF authentication on an interface of an S series switch?
Two S series switches supporting OSPF can only use primary interface IP addresses to establish an OSPF adjacency relationship. If secondary interface IP addresses are added to the OSPF configuration, corresponding routes can be advertised.

Configure OSPF neighbor authentication on an S series switch
OSPF authentication of S series switches includes area authentication and interface authentication.

1. Area authentication
Run the authentication-mode command in an OSPF area view to set the authentication mode and password for the OSPF area. For example:
[HUAWEI] ospf 100
[HUAWEI-ospf-100] area 0
[HUAWEI-ospf-100-area-0.0.0.0] authentication-mode simple cipher huawei
To configure MD5 authentication, run the following command:
[HUAWEI-ospf-100-area-0.0.0.0] authentication-mode md5 1 cipher huawei

2. Interface authentication
The interface authentication mode is used among neighbor switches to set the authentication mode and password. Its priority is higher than that of the area authentication mode. Run the ospf authentication-mode command in the interface view to set the authentication mode and password for adjacent switches. For example:
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ospf authentication-mode simple cipher huawei
To configure MD5 authentication, run the following command:
[HUAWEI-Vlanif100] ospf authentication-mode md5 1 cipher huawei

Note: When configuring area authentication or interface authentication, all switches involved must have the same authentication mode and password. If not, the switches may fail to set up an OSPF neighbor relationship.
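The precedence rules above (interface setting first, then area setting, then no authentication) can be checked offline against a saved configuration. The following is an added example, not Huawei code: it resolves the effective OSPF authentication per interface and lists interfaces that end up unauthenticated, including the case where null on an interface overrides area MD5. It assumes interfaces are placed in areas with "ospf enable <process> area <id>" in dotted notation; interfaces matched by network statements are not handled. The function names and sample configuration are constructed for illustration.

```python
import re
# Constructed sample; assumes interfaces join areas via "ospf enable <process> area <id>".
SAMPLE_CONFIG = """\
ospf 100
 area 0.0.0.0
  authentication-mode md5 1 cipher huawei
interface Vlanif100
 ospf enable 100 area 0.0.0.0
interface Vlanif200
 ospf enable 100 area 0.0.0.0
 ospf authentication-mode simple cipher huawei
interface Vlanif300
 ospf enable 100 area 0.0.0.0
 ospf authentication-mode null
interface Vlanif400
 ospf enable 100 area 0.0.0.1
"""

def effective_auth(config):
    """Return {interface: (mode, source)} using interface > area > none."""
    area_auth, if_area, if_auth = {}, {}, {}
    proc = area = iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"ospf (\d+)", line):
            proc, area, iface = m.group(1), None, None
        elif m := re.fullmatch(r"area (\S+)", line):
            area = m.group(1)
        elif m := re.fullmatch(r"interface (\S+)", line):
            iface, proc, area = m.group(1), None, None
        elif iface and (m := re.fullmatch(r"ospf enable (\d+) area (\S+)", line)):
            if_area[iface] = (m.group(1), m.group(2))
        elif iface and (m := re.match(r"ospf authentication-mode (\S+)", line)):
            if_auth[iface] = m.group(1)      # recorded even when it is "null"
        elif proc and area and (m := re.match(r"authentication-mode (\S+)", line)):
            area_auth[(proc, area)] = m.group(1)
    result = {}
    for name, key in if_area.items():
        if name in if_auth:                  # explicit interface setting wins
            result[name] = ("none" if if_auth[name] == "null" else if_auth[name], "interface")
        elif key in area_auth:               # fall back to the area setting
            result[name] = (area_auth[key], "area")
        else:                                # nothing configured anywhere
            result[name] = ("none", "unconfigured")
    return result

def unauthenticated(config):
    return sorted(n for n, (mode, _) in effective_auth(config).items() if mode == "none")
```

On the sample, Vlanif300 is reported even though its area uses MD5, because the explicit null on the interface takes priority.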

Differences between port authentication and MAC address authentication on S series switches
The 802.1x protocol is a port-based network access control protocol that authenticates access users on ports of an access control device to control access to network resources. As a result, 802.1x authentication is also called port authentication.

MAC address authentication controls a user's network access rights based on the access port and the user's MAC address. After MAC address authentication is enabled on a port, the device starts authentication for a user when it detects the MAC address of the user on the port.

For S series switches (except the S1700), differences between port authentication and MAC address authentication are as follows:
- Port authentication requires secure 802.1x client software, but MAC address authentication does not require any client software.
- Port authentication requires a user to enter the user name and password in the 802.1x client, but MAC address authentication does not require the user to enter the user name or password.
- MAC address authentication is mainly used for access authentication of dumb terminals where clients cannot be installed, such as printers and scanners.

Configure OSPF special areas on S series switches
1. Configure a stub area.
A stub area is a special area where ABRs do not flood received AS external routes, significantly reducing the routing table size and transmitted routing information of routers. A border area on an OSPF network is often configured as a stub area. For example, configure Area1 as a stub area.
[SwitchA] ospf 1
[SwitchA-ospf-1] area 1
[SwitchA-ospf-1-area-0.0.0.1] stub
[SwitchA-ospf-1-area-0.0.0.1] quit
[SwitchA-ospf-1] quit
Precautions:
1. To configure an area as a stub area, you must run the stub command on all the devices in this area.
2. To configure an area as a totally stub area, run the stub no-summary command on the ABR in this area and run the stub command on other devices in this area. This prevents the ABR from transmitting Type 3 LSAs to the stub area, making the area a totally stub area.

2. Configure an NSSA area.
In an NSSA, an ABR does not flood AS external routes received from other areas, similar to the situation in a stub area. The difference is that an ABR can import and flood AS external routes to the entire OSPF domain. A border area connected to another AS on an OSPF network is often configured as an NSSA. For example, configure Area2 as an NSSA.
[SwitchB] ospf 1
[SwitchB-ospf-1] area 2
[SwitchB-ospf-1-area-0.0.0.2] nssa
[SwitchB-ospf-1-area-0.0.0.2] quit
[SwitchB-ospf-1] quit
Precautions:
1. To configure an area as an NSSA, you must run the nssa command on all the devices in this area.
2. To configure an area as a totally NSSA, run the nssa no-summary command on the ABR in this area and run the nssa command on other devices in this area. This prevents the ABR from transmitting Type 3 LSAs to the NSSA, making the area a totally NSSA.
