Sunday, November 7, 2010


Authentication in EIGRP uses a key-chain during authentication to do auto-key-changing and so on. OSPF is much simpler, in which authentication is enabled on a per-interface basis.
OSPF supports two types of password authentication: Clear-text, or MD5. Every OSPF packet is keyed with the password. This includes Hellos, and so on. Neighbor relationships will be immediately severed if a packet has the wrong password.

The primary way to debug authentication in OSPF is:
debug ip ospf adj

To enable authentication, go under the interface pointing towards the neighbor, and type in:
ip ospf authentication message-digest
ip ospf message-digest-key 1 cisco md5

Beware. Using "ip ospf authentication-key" is actually for clear-text. No matter what you set for authentication-key, as long as both sides have no message-digest keys, authentication will go through if you have message-digest mode set.

When debugging, you would encounter a type 0, type 1 or a type 2 authentication method. Type 0 simply means no authentication, while type 1 is for clear-text and type 2 is for message-digest is set.

Recall that previously ASBR routes show up as E1 and E2 routes. E2 is the default type, in which the cost doesn't increment throughout the OSPF domain. If there is only 1 exit to that route, this makes sense.

The only time when E1 routes are useful is when there are multiple exits to that route. This helps the routers calculate which exit it would want to go out through.

To change a route to E1 when redistributing, you use the metric-type keyword. For example:
redistribute rip subnets metric 1 metric-type 1

The cost is actually calculated based on a reference speed. The default reference speed is FastEthernet which is 100Mbps. The formula to calculate the cost of a link is:
Reference/Link Speed

So anything faster than FastEthernet would give you a cost of 1. To change the refernce speed, you can use this under the OSPF context:
auto-cost reference-bandwidth 100000

The above is entered in Mbps. You need to make sure that all the routers have the same reference cost.

Now, if you wish to generate a warning after a number of LSAs a router receives per minute, you can use:
max-lsa 100 warning-only

OSPF can send a default route to the whole domain with the default-information command. There are two different ways you can use this. If you already have a default route, you can simply type this under the OSPF context:
default-information originate

Now, if you do not have a default-route, but still want to advertise a default-route to itself throughout the OSPF domain, you can use:
default-information originate always

The route will be propagated as an E2 route by default.

No comments :

Post a Comment