IOS to Junos (I2J) Tips

OSPF authentication

‎04-06-2012 03:14 AM

 

 

   There are two types of OSPF authentication, simple text (type 1) and MD5 (type 2), and of course a third, none (type 0).

 

   Under IOS you can configure OSPF authentication at the OSPF area level and at the interface level. Under JunOS you can configure it only at the interface level. There is also virtual link authentication.

 
    Here are some examples. I will use "ospf" as the key, and MD5 key ID 1.

-------------------------------------------------------------------------------------
IOS
-------------------------------------------------------------------------------------

.- MD5 authentication.

interface FastEthernet0/0
 ip address 172.16.12.1 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 ospf

 

router ospf 1
 router-id 172.17.2.1
 area 2.2.2.2 virtual-link 10.3.1.1 authentication message-digest message-digest-key 1 md5 ospf

 

.- Simple text authentication.

interface FastEthernet0/0
 ip address 172.16.23.2 255.255.255.0
 ip ospf authentication
 ip ospf authentication-key ospf

 

router ospf 1
 router-id 172.17.2.1
 area 2.2.2.2 virtual-link 10.3.3.3 authentication authentication-key ospf

 

 

Area authentication should be translated to JunOS interface configuration. In this IOS configuration,
under the OSPF hierarchy, the area 2.2.2.2 authentication applies to all interfaces in that area. There is no OSPF authentication configuration under the interfaces.


interface FastEthernet0/0
 ip address 172.16.23.2 255.255.255.0

 ip ospf authentication-key ospf

router ospf 1

 area 2.2.2.2 authentication

 


interface FastEthernet0/0
 ip address 172.16.12.1 255.255.255.0
 ip ospf message-digest-key 1 md5 ospf

 
router ospf 1

 area 1.1.1.1 authentication message-digest

 

 

 


-------------------------------------------------------------------------------------
JunOS
-------------------------------------------------------------------------------------

 Junos encrypts configured passwords as shown below.
 

.- MD5 authentication.


  Interface authentication

set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 authentication md5 1 key ospf

  ---

set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 authentication md5 1 key "$9$VdYoGikPfQnYg"

 

  virtual link authentication

set protocols ospf area 0.0.0.0 virtual-link neighbor-id 10.3.3.3 transit-area 2.2.2.2 authentication md5 1 key ospf


  ---

set protocols ospf area 0.0.0.0 virtual-link neighbor-id 10.3.3.3 transit-area 2.2.2.2 authentication md5 1 key "$9$g6JDkP5F3/tJG"

 

 

.- Simple text authentication.


  Interface authentication

set protocols ospf area 1.1.1.1 interface ge-0/0/1.0 authentication simple-password ospf

  ---

set protocols ospf area 1.1.1.1 interface ge-0/0/1.0 authentication simple-password "$9$RyuSeWxNbw2aSr"

 

  virtual link authentication

set protocols ospf area 0.0.0.0 virtual-link neighbor-id 10.3.1.1 transit-area 2.2.2.2 authentication simple-password ospf

  ---

set protocols ospf area 0.0.0.0 virtual-link neighbor-id 10.3.1.1 transit-area 2.2.2.2 authentication simple-password "$9$U5HmT36At0IHq"

 

 

 


-------------------------------------------------------------------------------------
MD5 key changes.

-------------------------------------------------------------------------------------

 

  Under JunOS, for MD5 authentication there is a start-time option: in case you want to swap your authentication key, you can configure the start time at which that key will be used. Easy.

 

  Under IOS you have to be careful. All keys are used immediately, so the router sends a hello for every configured key. Routers will prefer the youngest key (last configured), but if the youngest key doesn't match, they will use all keys until one matches.

  If there is a configuration mismatch there will be a lot of authentication and key mismatch syslog errors, for every key not configured on both sides, or not configured in the same order.

   As soon as the same key is configured last under the interface configuration, the adjacency will become established and the routers will prefer that key, so they will not use the oldest keys. But if the same youngest key is not configured in the same order, routers will use all keys, lots of syslog messages, etc.

 

  This is the way to configure this under JunOS:

 

set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 authentication md5 10 start-time 2012-01-21.09:00 key ospf

 


-------------------------------------------------------------------------------------
Verifications.

-------------------------------------------------------------------------------------

 

The following commands will show if authentication is enabled.

 

IOS

  If the interface has authentication enabled:

 

     show ip ospf interface

 

  If the area has authentication enabled:

 

     show ip ospf

 

JunOS

 

   show ospf interface detail


 

Br
Alex

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you want to say thanks, the word is Kudos!!.

Thx.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

JNCIA-JUNOS, JNCIS-ENT, JNCIS-SP, JNCIP-SP.
CCNA, CCNP, Written CCIE.
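
Added example (not part of the original post): because JunOS takes OSPF authentication only per interface, an IOS area-level setting has to be repeated on every interface during migration, and one that is missed silently runs with type 0. This Python sketch audits Junos "set" lines for links left at none (type 0) or simple-password (type 1, carried in clear text in OSPF packets); the sample configuration, the "$9$placeholder" values and the function names are constructed for illustration.

```python
import re

# Constructed sample in the style of the post: ge-0/0/2.0 was missed when an
# IOS "area ... authentication" line was expanded to per-interface statements.
SAMPLE = '''
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 authentication md5 1 key "$9$placeholder"
set protocols ospf area 1.1.1.1 interface ge-0/0/1.0 authentication simple-password "$9$placeholder"
set protocols ospf area 1.1.1.1 interface ge-0/0/2.0 metric 10
set protocols ospf area 0.0.0.0 virtual-link neighbor-id 10.3.3.3 transit-area 2.2.2.2 authentication md5 1 key "$9$placeholder"
set protocols ospf area 0.0.0.0 interface lo0.0 passive
'''

LINE = re.compile(
    r'^set protocols ospf area (?P<area>\S+) '
    r'(?:interface (?P<ifl>\S+)'
    r'|virtual-link neighbor-id (?P<nbr>\S+) transit-area (?P<transit>\S+))'
    r'(?: (?P<rest>.*))?$')

def audit(config_text):
    """Map (area, link) -> 'md5' | 'simple-password' | 'none' for active links."""
    auth, passive = {}, set()
    for raw in config_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an OSPF interface or virtual-link statement
        link = m['ifl'] or f"virtual-link {m['nbr']} transit {m['transit']}"
        key = (m['area'], link)
        auth.setdefault(key, 'none')  # seen in OSPF, no auth statement yet
        words = (m['rest'] or '').split()
        if words[:1] == ['passive']:
            passive.add(key)  # passive interfaces form no adjacency
        elif words[:1] == ['authentication'] and len(words) > 1:
            auth[key] = words[1]  # 'md5' or 'simple-password'
    return {k: v for k, v in auth.items() if k not in passive}

def findings(config_text):
    """Active links still using type 0 (none) or type 1 (simple-password)."""
    return sorted((area, link, kind)
                  for (area, link), kind in audit(config_text).items()
                  if kind != 'md5')

if __name__ == '__main__':
    for area, link, kind in findings(SAMPLE):
        print(f"area {area} {link}: authentication {kind}")
```

Feed it the output of "show configuration protocols ospf | display set" saved to a file; the live state can then be confirmed with "show ospf interface detail" as described above.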