OSPF ‘authentication-type’ deprecated or showing as hidden on different versions.
Depending on the Junos OS version, the authentication-type statement either produces a warning that it is deprecated or is not shown as available when you try to configure it. The context-sensitive help command (“?”) does not list it either. This article explains the behavior.
Configuring OSPF authentication at the interface level is the best practice. OSPF authentication at the area level should be avoided.
Revised in the following Junos versions:
14.1R1
13.3R3
12.3R6
12.1R5
11.4R1
In Junos OS version 11.4 and earlier, when reviewing the configuration, or when doing a commit check, a message is displayed warning that the command is being deprecated:
    router@lab_11.4> show configuration protocols ospf
    area 0.0.0.0 {
        authentication-type md5; ## Warning: 'authentication-type' is deprecated
        interface lo0.0;
        interface ge-0/2/1.101;
    }

    [edit]
    router@lab_11.4# commit check
    [edit protocols ospf area 0.0.0.0 interface lt-0/0/0.1]
      'authentication'
        area authentication-type incompatible with interface key
    error: configuration check-out failed
When attempting to configure authentication at the area level, authentication-type is not offered among the possible completions:

    router@lab_13.3R3# set protocols ospf area 0 ?
    Possible completions:
    + apply-groups         Groups from which to inherit configuration data
    + apply-groups-except  Don't inherit configuration data from these groups
    > area-range           Configure area ranges
    > context-identifier   Configure context identifier in support of edge protection
    > interface            Include an interface in this area
    > label-switched-path  Configuration for advertisement of a label-switched path
    + network-summary-export  Export policy for Type 3 Summary LSAs
    + network-summary-import  Import policy for Type 3 Summary LSAs
      no-context-identifier-advertisement  Disable context identifier advertisments in this area
    > peer-interface       Configuration for peer interface
    > virtual-link         Configure virtual links
Nevertheless, once you have typed the keyword, you can verify the possible completions:

    router@lab_13.3R3# set protocols ospf area 0 authentication-type ?
    Possible completions:
      md5                  MD5 authentication
      none                 No authentication
      simple               Simple password authentication
When you do a commit check, you will not get the warning message as you did on version 11.4.
Below, you will find an example configuration for two logical systems that have configured authentication-type at the area level:
Configuration:
    router@lab# show | display set
    set logical-systems D1 interfaces lt-0/0/0 unit 1 encapsulation ethernet
    set logical-systems D1 interfaces lt-0/0/0 unit 1 peer-unit 2
    set logical-systems D1 interfaces lt-0/0/0 unit 1 family inet address 10.10.10.1/24
    set logical-systems D1 protocols ospf area 0.0.0.0 authentication-type md5
    set logical-systems D1 protocols ospf area 0.0.0.0 interface lt-0/0/0.1
    set logical-systems D2 interfaces lt-0/0/0 unit 2 encapsulation ethernet
    set logical-systems D2 interfaces lt-0/0/0 unit 2 peer-unit 1
    set logical-systems D2 interfaces lt-0/0/0 unit 2 family inet address 10.10.10.2/24
    set logical-systems D2 protocols ospf area 0.0.0.0 authentication-type md5
    set logical-systems D2 protocols ospf area 0.0.0.0 interface lt-0/0/0.2
Next, we will show the output from three different show commands:
- show ospf neighbor
- show ospf overview
- show ospf interface
First, the show ospf neighbor command shows that the adjacency between the two neighbors is up and in the Full state:

    router@lab# run show ospf neighbor logical-system D2
    Address          Interface              State     ID               Pri  Dead
    10.10.10.1       lt-0/0/0.2             Full      10.10.10.1       128    34

    [edit]
    router@lab# run show ospf neighbor logical-system D1
    Address          Interface              State     ID               Pri  Dead
    10.10.10.2       lt-0/0/0.1             Full      10.10.10.2       128    37
Second, the show ospf overview command shows that the authentication type matches the configured message-digest algorithm (MD5):

    [edit]
    router@lab# run show ospf overview logical-system D1
    Instance: master
      Router ID: 10.10.10.1
      Route table index: 23
      LSA refresh time: 50 minutes
      Area: 0.0.0.0
        Stub type: Not Stub
        Authentication Type: MD5
        Area border routers: 0, AS boundary routers: 0
        Neighbors
          Up (in full state): 1
      Topology: default (ID 0)
        Prefix export count: 0
        Full SPF runs: 6
        SPF delay: 0.200000 sec, SPF holddown: 5 sec, SPF rapid runs: 3
        Backup SPF: Not Needed

    [edit]
    router@lab# run show ospf overview logical-system D2
    Instance: master
      Router ID: 10.10.10.2
      Route table index: 25
      LSA refresh time: 50 minutes
      Area: 0.0.0.0
        Stub type: Not Stub
        Authentication Type: MD5
        Area border routers: 0, AS boundary routers: 0
        Neighbors
          Up (in full state): 1
      Topology: default (ID 0)
        Prefix export count: 0
        Full SPF runs: 4
        SPF delay: 0.200000 sec, SPF holddown: 5 sec, SPF rapid runs: 3
        Backup SPF: Not Needed
Third, notice that if you check the authentication at the interface level, it will show as None. This is expected, as the configuration was performed at the OSPF area level. Use the command show ospf interface:
    router@lab# run show ospf interface lt-0/0/0.91 detail logical-system D2
    Interface           State   Area            DR ID           BDR ID          Nbrs
    lt-0/0/0.91         BDR     0.0.0.0         10.10.10.1      10.10.10.2         1
      Type: LAN, Address: 10.10.10.2, Mask: 255.255.255.0, MTU: 1500, Cost: 1
      DR addr: 10.10.10.1, BDR addr: 10.10.10.2, Priority: 128
      Adj count: 1
      Hello: 10, Dead: 40, ReXmit: 5, Not Stub
      Auth type: None
      Protection type: None
      Topology default (ID 0) -> Cost: 1

    router@lab# run show ospf interface lt-0/0/0.90 detail logical-system D1
    Interface           State   Area            DR ID           BDR ID          Nbrs
    lt-0/0/0.90         DR      0.0.0.0         10.10.10.1      10.10.10.2         1
      Type: LAN, Address: 10.10.10.1, Mask: 255.255.255.0, MTU: 1500, Cost: 1
      DR addr: 10.10.10.1, BDR addr: 10.10.10.2, Priority: 128
      Adj count: 1
      Hello: 10, Dead: 40, ReXmit: 5, Not Stub
      Auth type: None
      Protection type: None
      Topology default (ID 0) -> Cost: 1
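Because CLI completion no longer reveals authentication-type and the interface output reports Auth type: None, an offline check of the saved configuration is a reliable way to find areas that still depend on the area-level statement. The following audit is an added example, not Juniper's code: it scans show | display set output and lists, per area, the interfaces that have no interface-level authentication statement. The sample text is constructed from the D1/D2 lab above; logical system D3, area 0.0.0.1 and the key string are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in "show | display set" form, modelled on the D1/D2 lab.
# D3, area 0.0.0.1 and the key string are hypothetical, added for contrast.
SAMPLE = """\
set logical-systems D1 protocols ospf area 0.0.0.0 authentication-type md5
set logical-systems D1 protocols ospf area 0.0.0.0 interface lt-0/0/0.1
set logical-systems D2 protocols ospf area 0.0.0.0 authentication-type md5
set logical-systems D2 protocols ospf area 0.0.0.0 interface lt-0/0/0.2
set logical-systems D3 protocols ospf area 0.0.0.0 interface lt-0/0/0.3 authentication md5 1 key "$9$constructed"
set protocols ospf area 0.0.0.1 authentication-type simple
set protocols ospf area 0.0.0.1 interface ge-0/0/0.0
"""

# Matches OSPF area statements in the main instance or inside a logical system.
LINE = re.compile(
    r"^set\s+(?:logical-systems\s+(?P<ls>\S+)\s+)?protocols\s+ospf\s+"
    r"area\s+(?P<area>\S+)\s+(?P<rest>.+)$"
)

def audit_ospf_auth(config_text):
    """Return one finding per area that carries an area-level authentication-type."""
    area_type = {}                 # (logical system, area) -> md5 / simple / none
    ifaces = defaultdict(dict)     # (logical system, area) -> {interface: has auth}
    for raw in config_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        key = (m.group("ls") or "main", m.group("area"))
        tokens = m.group("rest").split()
        if tokens[0] == "authentication-type" and len(tokens) > 1:
            area_type[key] = tokens[1]
        elif tokens[0] == "interface" and len(tokens) > 1:
            has_auth = len(tokens) > 2 and tokens[2] == "authentication"
            ifaces[key][tokens[1]] = ifaces[key].get(tokens[1], False) or has_auth
    findings = []
    for key, auth in sorted(area_type.items()):
        missing = sorted(name for name, ok in ifaces[key].items() if not ok)
        findings.append({"logical_system": key[0], "area": key[1],
                         "area_auth_type": auth,
                         "interfaces_without_interface_auth": missing})
    return findings

if __name__ == "__main__":
    for finding in audit_ospf_auth(SAMPLE):
        print(finding)
```
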