Neighbor relationship and authentication

1.10 Troubleshoot OSPF (v2/v3)

📘 CCNP Enterprise – ENARSI (300-410)


1. OSPF Neighbor Relationship

OSPF (Open Shortest Path First) is a link-state routing protocol, meaning routers share information about network links to build a map of the network. For OSPF to share this information, routers must form neighbor relationships.

Think of OSPF neighbors as routers that have agreed to talk to each other in order to exchange their network maps (LSAs – Link-State Advertisements).

1.1 How OSPF Neighbors Are Formed

OSPF establishes a neighbor relationship by moving through the following states:

  1. Down State
    • The router interface is up, but no OSPF hello packets have been sent or received.
  2. Init State
    • The router sends a Hello packet to introduce itself.
    • It then waits to see whether the neighbor lists it in return.
    • If it sees its own Router ID in a neighbor’s Hello, it moves to the next state.
  3. Two-Way State
    • Both routers see each other in their Hello packets.
    • At this point:
      • Neighbor relationship is bi-directional.
      • They agree on whether they should be DR (Designated Router) or BDR (Backup DR) on multi-access networks like Ethernet.
  4. ExStart / Exchange State
    • Routers decide who starts the exchange of link-state databases (LSDBs).
    • They use a master/slave relationship for this process.
  5. Loading State
    • Routers send Link-State Requests for the LSAs they are missing.
  6. Full State
    • Neighbor adjacency is complete.
    • LSDBs are synchronized.
    • Routers can now forward traffic using OSPF routes.

Key Exam Tip: For neighbor adjacency, always check interface status, Hello/Dead timers, area type, and Router IDs.


1.2 Neighbor Requirements

OSPF neighbors will only form if certain conditions match:

Requirement         Description
OSPF Area           Both routers must belong to the same OSPF area (unless using NSSA or stub areas).
Hello/Dead Timers   Must match (default Hello = 10s, Dead = 40s for broadcast networks).
Subnet              Both routers must be on the same IP subnet for that interface.
Authentication      If OSPF authentication is enabled, the type and key must match.
Network Type        Broadcast, point-to-point, or NBMA type must match.
Router ID           Must be unique within the OSPF domain. Duplicate Router IDs prevent adjacency.

⚠️ Exam Focus: Misconfigured timers, mismatched areas, or duplicate Router IDs are the most common reasons for neighbor failures.


2. OSPF Authentication

Authentication ensures that only trusted routers can participate in OSPF. In practice, this prevents a rogue router from injecting false routes.

OSPF supports two types of authentication:

2.1 Simple Password Authentication

  • Sends the password in plain text in every Hello packet.
  • Configuration example (IPv4 OSPFv2):

    router ospf 1
     network 10.1.1.0 0.0.0.255 area 0
     ! enable simple-password authentication for every interface in area 0
     area 0 authentication
    !
    interface GigabitEthernet0/0
     ! the clear-text key carried in the packet header (must match on the neighbor)
     ip ospf authentication-key MyPass123

  • Pros: Easy to configure.
  • Cons: Password is sent in clear text → not secure.

2.2 MD5 Authentication (Recommended)

  • Uses Message Digest 5 (MD5) hashing.
  • More secure; the password is not sent in plain text.
  • Configuration example (IPv4 OSPFv2):

    router ospf 1
     network 10.1.1.0 0.0.0.255 area 0
     ! enable MD5 authentication for every interface in area 0
     area 0 authentication message-digest
    !
    interface GigabitEthernet0/0
     ! key ID 1 and the shared key; only a digest of the packet plus key is transmitted
     ip ospf message-digest-key 1 md5 MySecureKey

  • Pros: Secure, commonly used in enterprise networks.
  • Cons: Slightly more configuration steps.

2.3 Authentication Key Points

  • Both routers must use the same authentication type.
  • Both routers must have the same key/password.
  • OSPFv3 (for IPv6) supports IPsec-based authentication or MD5.

⚠️ Exam Focus: Mismatched authentication (type or key) prevents neighbor adjacency.
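The neighbor-requirements table (1.2) and the two authentication types (2.1 and 2.2) can both be seen in the bytes of an OSPFv2 Hello. The following is an added example, not code from the study notes or from Cisco: it builds constructed Hello packets using the RFC 2328 layouts, checks the fields that must match between two routers, and verifies the appended MD5 digest. Router IDs, keys and the zeroed IP checksum in the simple-password case are constructed assumptions.

```python
import hashlib
import hmac
import struct

# Constructed OSPFv2 Hello packets (RFC 2328 layouts); not taken from any capture or from the notes above.
HDR = struct.Struct("!BBH4s4sHH8s")    # version, type, length, router ID, area ID, checksum, AuType, auth (24 bytes)
HELLO = struct.Struct("!4sHBBI4s4s")   # mask, HelloInterval, options, priority, RouterDeadInterval, DR, BDR (20 bytes)

def md5_digest(pkt: bytes, key: bytes) -> bytes:
    # RFC 2328 Appendix D: MD5 over the packet (checksum zero) followed by the key, zero-padded to 16 bytes
    return hashlib.md5(pkt + key.ljust(16, b"\x00")).digest()

def build_hello(rid, area, mask, hello, dead, autype, key, seq=1):
    body = HELLO.pack(mask, hello, 0x02, 1, dead, b"\x00" * 4, b"\x00" * 4)
    length = HDR.size + len(body)
    if autype == 1:
        # simple password: the key itself travels in the 8-byte auth field (IP checksum left zero in this toy builder)
        return HDR.pack(2, 1, length, rid, area, 0, 1, key.ljust(8, b"\x00")) + body
    # MD5: auth field carries key ID, digest length and sequence number; the digest follows the packet
    pkt = HDR.pack(2, 1, length, rid, area, 0, 2, struct.pack("!HBBI", 0, 1, 16, seq)) + body
    return pkt + md5_digest(pkt, key)

def parse_hello(pkt: bytes) -> dict:
    _ver, _typ, length, rid, area, _csum, autype, auth = HDR.unpack_from(pkt)
    mask, hello, _opts, _prio, dead, _dr, _bdr = HELLO.unpack_from(pkt, HDR.size)
    return {"rid": rid, "area": area, "mask": mask, "hello": hello, "dead": dead,
            "autype": autype, "auth": auth, "length": length}

def verify_md5(pkt: bytes, key: bytes) -> bool:
    # recompute the digest over the packet proper and compare it with the 16 bytes appended after it
    length = parse_hello(pkt)["length"]
    return hmac.compare_digest(md5_digest(pkt[:length], key), pkt[length:length + 16])

def mismatches(local: dict, remote: dict) -> list:
    # the checks from the neighbor requirements table: area, timers, subnet mask, auth type, unique Router ID
    bad = [f for f in ("area", "hello", "dead", "mask", "autype") if local[f] != remote[f]]
    if local["rid"] == remote["rid"]:
        bad.append("duplicate router id")
    return bad

if __name__ == "__main__":
    a = build_hello(b"\x01\x01\x01\x01", b"\x00" * 4, b"\xff\xff\xff\x00", 10, 40, 2, b"MySecureKey")
    b = build_hello(b"\x02\x02\x02\x02", b"\x00" * 4, b"\xff\xff\xff\x00", 10, 30, 2, b"MySecureKey")
    print(mismatches(parse_hello(a), parse_hello(b)))              # ['dead']
    print(verify_md5(a, b"MySecureKey"), verify_md5(a, b"wrong"))  # True False
    s = build_hello(b"\x03\x03\x03\x03", b"\x00" * 4, b"\xff\xff\xff\x00", 10, 40, 1, b"MyPass12")
    print(parse_hello(s)["auth"])                                  # b'MyPass12' is readable in the header
```

A Dead-timer mismatch shows up in the same way a `debug ip ospf adj` mismatch message would, while the simple-password packet shows the key sitting unprotected in the header.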


3. Common Troubleshooting Commands

To check OSPF neighbors and authentication issues:

Command                    Purpose
show ip ospf neighbor      Displays OSPF neighbors and their states.
show ospfv3 neighbor       Displays OSPFv3 (IPv6) neighbor status.
show ip ospf interface     Shows OSPF settings on the interface, including timers and authentication.
debug ip ospf adj          Monitors adjacency formation in real time (use with care in production!).
ping <neighbor>            Confirms that Layer 3 connectivity exists first.

Common Exam Scenarios:

  1. Neighbor stuck in Init → this router’s Hello is not being acknowledged by the neighbor.
    Check: Timers, IP subnet, network type, authentication.
  2. Neighbor stuck in 2-way (on broadcast network) → DR/BDR mismatch.
    Check: DR/BDR election process.
  3. Neighbor not forming → Authentication mismatch.
    Check: Authentication type and key.

4. Key Exam Tips / Tricks

  • Always check Router ID uniqueness; duplicate IDs prevent adjacency.
  • Timers must match: Hello, Dead, and optionally Poll timers.
  • Authentication is area-specific, so configuring it on the interface may not be enough.
  • For multi-area designs, adjacency failures are often area misconfigurations.

Summary (Easy to Remember for Exam)

  1. Neighbors need: Same area, same subnet, unique Router IDs, compatible timers, and matching authentication.
  2. States of adjacency: Down → Init → Two-way → ExStart → Loading → Full.
  3. Authentication: Simple (clear-text) or MD5 (secure, recommended).
  4. Troubleshoot: Use show ip ospf neighbor, show ip ospf interface, and check timers, authentication, and Router IDs.