OSPF - Enabling authentication

When applying authentication for OSPF, it is possible to enable authentication either globally or on a per-interface basis. This is the case for both OSPFv2 and OSPFv3.

Per-area configuration for OSPFv2 and OSPFv3

For OSPFv2, to configure authentication globally (on a per-area basis), you can issue the following command in OSPF router configuration mode:

R1(config)#router ospf 1 R1(config-router)#area 0 authentication

In the above example, Area 0 has authentication enabled. That is, all OSPF routers that connect to the local router on Area 0 must have authentication configured. The command is similar for global authentication configuration for OSPFv3, but requires additional parameters in order to specify the type of authentication as well as a key (password):

R1(config)#ipv6 router ospf 1 R1(config-rtr)#area 0 authentication

Per-interface configuration for OSPFv2

Alternatively, you can enable authentication on a per interface basis for OSPFv2 like so:

R1(config)#interface fastEthernet 0/0 R1(config-if)#ip ospf authentication

Per-interface configuration for OSPFv3

For OSPFv3, a similar command is used, but like the global configuration, it requires additional parameters to specify the type of authentication as well as the key to be used. An example of such a configuration is found below:

R1(config)#interface FastEthernet 0/0 R1(config-if)#ipv6 ospf authentication ipsec spi 256 sha1 A5DEC4DD155A695A8B983AACEAA5A97C6AECB6D1


Note that for OPSFv2, for both per-area and per-interface configurations, authentication is enabled using a single command. The parameters for that authentication are a separate command, and must always be applied to the interface.

Conversely, for OSPFv3, there is only a single command that both enables and configures authentication. This can be placed either on the interface or configured on a per area basis. However, if configured globally, all OSPFv3 neighbors must use the same key.