Ability to include fabric OSPF authentication on core interface p2p_links. #6653

@alexscott-arista

Enhancement summary

Currently, in an MPLS design using OSPF-LDP as the underlay, there is no AVD knob to specify that the core_interface / p2p_links use the configured underlay_ospf_authentication. This request is for a way to specify which links we would like to be included in that authentication scheme.

Which component of AVD is impacted

eos_designs

Use case example

Currently the fabric OSPF authentication is configured like:

underlay_ospf_authentication:
  enabled: true
  message_digest_keys:
    - id: 1
      hash_algorithm: md5
      cleartext_key: Arista

Where the underlay is set as ospf-ldp for P, PE and RR types:

node_type_keys:
...
    default_underlay_routing_protocol: ospf-ldp
...

An example of how P and PE links are constructed:

core_interfaces:
  p2p_links_profiles:
...
    - name: p_to_pe
      mpls_ip: false
      mtu: null
      ethernet_structured_config:
        sflow:
          enable: true
        ospf_authentication: message-digest
        mpls:
          ldp:
            interface: true
...
  p2p_links:
    - nodes: [ dc1-p1, dc1-pe1 ]
      interfaces: [ Ethernet5/1, Ethernet8/1 ]
      profile: p_to_pe
      subnet: 10.10.10.10/31

    - nodes: [ dc1-p2, dc1-pe1 ]
      interfaces: [ Ethernet5/1, Ethernet8/1 ]
      profile: p_to_pe
      subnet: 10.10.10.11/31
...

In this configuration the A and Z sides are different. Using the
ospf_message_digest_keys, the hash would need to be pre-calculated for the
interface name, which does not work with mismatched interfaces.

  p2p_links_profiles:
...
    - name: p_to_pe
...
      ethernet_structured_config:
        ospf_message_digest_keys:
          - id: 1
            hash_algorithm: md5
            key: "PreCalulatedKey"

Describe the solution you would like

The proposal is to have a way to specify that these interfaces will use the
fabric OSPF authentication, using the following key or something similar
in the p2p_links_profiles or in the p2p_links specifications:

      use_underlay_ospf_authentication: True

Describe alternatives you have considered

Currently we are using a custom Jinja template to populate these hashed keys. However, the rendered output places this configuration at the end of the file instead of inline where we would like it to be.

{# Combine both lists into one #}
{% set all_interfaces = (ethernet_interfaces | default([])) + (port_channel_interfaces | default([])) -%}

{% for interface in all_interfaces -%}
{% if interface.ospf_authentication is defined -%}
interface {{ interface.name }}
   ip ospf message-digest-key 1 md5 7 {{ vault.ospf_key | arista.avd.encrypt(passwd_type='ospf_message_digest', key=interface.name, hash_algorithm='md5', key_id=1) }}
{% endif -%}
{% endfor -%}

Additional context

No response
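
An added example, not part of the issue or of AVD's own code: a Python audit of core_interfaces data that flags p2p links whose profile requests message-digest authentication without supplying a key, or applies one pre-calculated key to two differently named interfaces (the mismatch described above). The data is constructed from the issue's YAML as Python dicts; the p_to_p profile, the dc1-p1/dc1-p2 link, the function name and the finding names are hypothetical.

```python
# Constructed sample data, transcribed from the issue's YAML into Python dicts.
# The "p_to_p" profile and the dc1-p1/dc1-p2 link are hypothetical additions.
CORE_INTERFACES = {
    "p2p_links_profiles": [
        {"name": "p_to_pe", "ethernet_structured_config": {
            "ospf_authentication": "message-digest",
            "ospf_message_digest_keys": [
                {"id": 1, "hash_algorithm": "md5", "key": "PreCalulatedKey"}]}},
        {"name": "p_to_p", "ethernet_structured_config": {
            "ospf_authentication": "message-digest"}},
    ],
    "p2p_links": [
        {"nodes": ["dc1-p1", "dc1-pe1"], "profile": "p_to_pe",
         "interfaces": ["Ethernet5/1", "Ethernet8/1"]},
        {"nodes": ["dc1-p1", "dc1-p2"], "profile": "p_to_p",
         "interfaces": ["Ethernet1/1", "Ethernet1/1"]},
    ],
}


def audit_p2p_ospf_auth(core_interfaces):
    """Return (link, finding) tuples for links with incomplete OSPF auth data."""
    profiles = {p["name"]: p.get("ethernet_structured_config", {})
                for p in core_interfaces.get("p2p_links_profiles", [])}
    findings = []
    for link in core_interfaces.get("p2p_links", []):
        cfg = profiles.get(link.get("profile"), {})
        if cfg.get("ospf_authentication") != "message-digest":
            continue  # link does not request message-digest authentication
        ends = list(zip(link["nodes"], link["interfaces"]))
        label = " <-> ".join(f"{node}:{intf}" for node, intf in ends)
        keys = cfg.get("ospf_message_digest_keys") or []
        if not keys:
            # Authentication type is set but nothing supplies a key.
            findings.append((label, "auth-enabled-without-key"))
        elif len({intf for _, intf in ends}) > 1:
            # One pre-calculated value is rendered on both ends, but the
            # stored key is tied to the interface name, per the issue.
            findings.append((label, "precalculated-key-on-mismatched-interfaces"))
    return findings


if __name__ == "__main__":
    for label, finding in audit_p2p_ospf_auth(CORE_INTERFACES):
        print(f"{finding}: {label}")
```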
