From: Kevin M. Woods (kev@xxxxxxx)
Date: Fri Jun 02 2000 - 01:08:02 GMT-3
You don't need MD5 authentication configured on the VL itself, just
area 0 defined as having MD5 authentication as you described below.
The reason why is because MD5 keys are per segment. If no keys are
defined on an interface (an unnumbered p2p in the case of VLs) then
it will use the default of 0.
You also don't need MD5 authentication configured for area 1 to use
it as transit for VLs to an authenticated area 0.
As a side note to this, as of 12.0(8) you can define the auth types
per interface as per RFC 2328. So one interface in area 0 may send
packets with aut:0 while another sends with aut:2 (including VLs).
An example:
int e0
 ip addr 1.1.1.1
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 CCIE
!
int e1
 ip addr 2.2.2.2
 !
 ! This does not even need to be here.
 ip ospf authentication null
!
router ospf 1
 net 0.0.0.0 255.255.255.255 area 0
You would use `ip ospf authentication null' when you defined area 0
as `area 0 authentication message-digest' but wanted e1 to be null.
Kevin
// Hi All,
//
// I know this has been discussed many times in the past.
//
// By going through the archives I saw varied answers for
// this issue. I have now no time and equipment to test.
//
// area 0------area1-----area2
//
// Virtual line between area 0 and area 2 with area1 as
// transit area.
//
// MD5 authentication on Area 0. I know that area 2 ABR
// should also have area 0 auth... command. Fine
//
// The question is, do I have to use MD5 authentication
// on the virtual link. (I don't think so, but can
// someone confirm). Also I don't think I need
// authentication on area1, the transit area.
//
// Any help would be appreciated..
//
// Mohan.
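
Added example (not part of the original message or of any Cisco tooling): the "aut:0" and "aut:2" values mentioned in the reply are the AuType field of the OSPFv2 packet header (RFC 2328 A.3.1), and for AuType 2 the Key ID sits in the 8-byte authentication field (RFC 2328 D.3). This Python sketch decodes those fields and lists areas where senders use different AuTypes, plus senders using Key ID 0, which the reply describes as the default when no key is defined. The function names, router IDs and sample headers are constructed for illustration.

```python
import socket
import struct
from collections import namedtuple

OspfAuth = namedtuple("OspfAuth", "router_id area_id autype key_id digest_len seq")

def parse_ospf_auth(pkt):
    """Decode the authentication fields of an OSPFv2 header (RFC 2328 A.3.1, D.3)."""
    if len(pkt) < 24:
        raise ValueError("shorter than the 24-byte OSPF header")
    ver, _type, _len, rid, aid, _cksum, autype, auth = struct.unpack(
        "!BBH4s4sHH8s", pkt[:24])
    if ver != 2:
        raise ValueError("not OSPFv2")
    key_id = digest_len = seq = None
    if autype == 2:
        # AuType 2 layout of the 8-byte field: 0, Key ID, Auth Data Len, sequence number
        _zero, key_id, digest_len, seq = struct.unpack("!HBBI", auth)
    return OspfAuth(socket.inet_ntoa(rid), socket.inet_ntoa(aid),
                    autype, key_id, digest_len, seq)

def audit(packets):
    """Report senders using Key ID 0 and areas whose senders use different AuTypes."""
    by_area, findings = {}, []
    for p in map(parse_ospf_auth, packets):
        by_area.setdefault(p.area_id, {})[p.router_id] = p.autype
        if p.autype == 2 and p.key_id == 0:
            findings.append(f"{p.router_id} area {p.area_id}: aut:2 with Key ID 0")
    for area, senders in sorted(by_area.items()):
        if len(set(senders.values())) > 1:
            mix = ", ".join(f"{r}=aut:{a}" for r, a in sorted(senders.items()))
            findings.append(f"area {area}: mixed AuTypes ({mix})")
    return findings

def sample_header(router_id, area_id, autype, key_id=0, seq=0):
    """Constructed header-only sample (type 1 = Hello); not captured traffic."""
    auth = struct.pack("!HBBI", 0, key_id, 16, seq) if autype == 2 else bytes(8)
    return struct.pack("!BBH4s4sHH8s", 2, 1, 24, socket.inet_aton(router_id),
                       socket.inet_aton(area_id), 0, autype, auth)

SAMPLES = [  # constructed senders, all in area 0
    sample_header("1.1.1.1", "0.0.0.0", 2, key_id=1, seq=100),  # MD5 with key 1
    sample_header("2.2.2.2", "0.0.0.0", 0),                     # null authentication
    sample_header("3.3.3.3", "0.0.0.0", 2, key_id=0, seq=7),    # MD5, Key ID 0
]

if __name__ == "__main__":
    for line in audit(SAMPLES):
        print(line)
```

Packets sent over a virtual link carry Area ID 0.0.0.0, so they appear under the backbone in this report rather than under the transit area.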