From: Chuck Ryan (chuckster_31@xxxxxxxxx)
Date: Fri Dec 07 2001 - 21:40:43 GMT-3
Tu,
The minute you configure "area x authentication message-digest" or "area x
authentication" under the ospf routing process, you are required to
configure ospf authentication on the interfaces, otherwise you will not be
able to establish adjacencies, just as you suspected. A quick "debug ip
ospf adjacencies" will verify this for you.
I've got this set up in my own home lab, and if I configure ospf
authentication on the interface, but NOT under the ospf routing process,
then it does not affect my adjacencies.
Config snippet for R1:
!
interface Serial0
 ip address 199.9.9.1 255.255.255.0
 no ip redirects
 encapsulation frame-relay IETF
 ip ospf message-digest-key 1 md5 cisco
 ip ospf network point-to-multipoint
 ip ospf priority 255
 clockrate 64000
 frame-relay lmi-type ansi
!
!
router ospf 1
 redistribute connected
 network 199.9.9.1 0.0.0.0 area 0
 network 1.0.0.0 0.255.255.255 area 0
!
term_server#show ip ospf nei
Neighbor ID     Pri   State      Dead Time   Address      Interface
7.7.7.7           0   FULL/ -    00:01:41    199.9.9.3    Serial0
2.2.2.2           0   FULL/ -    00:01:51    199.9.9.2    Serial0
term_server#
Now, I'll remove the ospf authentication command from the interface, enable
it under the routing process, and see what happens to my adjacencies.
!
interface Serial0
 ip address 199.9.9.1 255.255.255.0
 no ip redirects
 encapsulation frame-relay IETF
 ip ospf network point-to-multipoint
 ip ospf priority 255
 clockrate 64000
 frame-relay lmi-type ansi
!
router ospf 1
 redistribute connected
 network 199.9.9.1 0.0.0.0 area 0
 network 1.0.0.0 0.255.255.255 area 0
 area 0 authentication message-digest
!
term_server#show ip ospf nei
term_server#
term_server#show ip ospf int s0
Serial0 is up, line protocol is up
  Internet Address 199.9.9.1/24, Area 0
  Process ID 1, Router ID 1.1.1.1, Network Type POINT_TO_MULTIPOINT, Cost: 64
  Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT,
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
    Hello due in 00:00:11
  Neighbor Count is 0, Adjacent neighbor count is 0   <------- no adjacencies established
  Message digest authentication enabled   <----- MD5 authentication configured (globally)
    No key configured, using default key id 0
term_server#
OSPF: Rcv pkt from 199.9.9.2, Serial0 : Mismatch Authentication type. Input packet specified type 0, we use type 2
OSPF: Rcv pkt from 199.9.9.2, Serial0 : Mismatch Authentication type. Input packet specified type 0, we use type 2
OSPF: Rcv pkt from 199.9.9.3, Serial0 : Mismatch Authentication type. Input packet specified type 0, we use type 2
OSPF: Rcv pkt from 199.9.9.3, Serial0 : Mismatch Authentication type. Input packet specified type 0, we use type 2
OSPF: Send with youngest Key 0
So you see, once you've enabled ospf authentication under the routing
process, you are required to configure it on your interfaces in your
respective area(s), otherwise you cannot establish adjacencies. Hope this
clears up any questions you may have had.
-Chuck
At 01:52 PM 12/7/01 -0800, Tu Nguyen wrote:
>I have a quick question, hopefully someone can shine some light.
>
>If an interface has ip ospf authentication activated,
>does this mean any router directly connected to this interface running
>ospf needs to enable ip ospf authentication in order for ospf to
>establish adjacency, right? Here is the example:
>
>
>R1-----------------R2 & R3 (Point-Multipoint)
>R1 is connected to R2 and R3 via frame-relay, sharing the same
>subinterface (point-multipoint)
>If R1 and R2 are enabled for ip ospf authentication, does this mean R1 and
>R3 must have the same requirement?
>
>In my opinion, I believe in this case all routers will need to be configured
>with ip ospf authentication and no other option, unless Cisco allows ip
>ospf authentication per neighbor, which I don't think it does.
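Added example (not part of the original message, and not Cisco code): a Python audit of the two R1 configurations shown above that flags an interface whose OSPF area requires authentication but has no matching key, and an interface key that is configured while authentication is not enabled for its area. It assumes IOS-style config text, takes the first matching network statement as the area assignment, and ignores any per-interface authentication override; `parse`, `audit`, `to_int`, `KEY_ONLY` and `AREA_ONLY` are names made up for this example.

```python
import ipaddress
import re

# Constructed input: the first R1 configuration from the message, OSPF lines only.
KEY_ONLY = """interface Serial0
 ip address 199.9.9.1 255.255.255.0
 ip ospf message-digest-key 1 md5 cisco
router ospf 1
 network 199.9.9.1 0.0.0.0 area 0
"""
# Second R1 configuration: key removed from the interface, MD5 enabled for area 0.
AREA_ONLY = (KEY_ONLY.replace(" ip ospf message-digest-key 1 md5 cisco\n", "")
             + " area 0 authentication message-digest\n")

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse(config):
    """Collect interface addresses and key types, network statements, area auth types."""
    ifaces, nets, areas, cur = {}, [], {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m[1], {"ip": None, "keys": set()})
        elif line.startswith("router "):
            cur = None
        elif cur and (m := re.match(r"ip address (\S+) \S+$", line)):
            cur["ip"] = to_int(m[1])
        elif cur and (m := re.match(r"ip ospf (message-digest|authentication)-key ", line)):
            cur["keys"].add(2 if m[1] == "message-digest" else 1)  # OSPF auth type numbers
        elif m := re.match(r"network (\S+) (\S+) area (\S+)", line):
            nets.append((to_int(m[1]), to_int(m[2]), m[3]))
        elif m := re.match(r"area (\S+) authentication( message-digest)?$", line):
            areas[m[1]] = 2 if m[2] else 1
    return ifaces, nets, areas

def audit(config):
    """Return (interface, area, auth_type, finding) for each key/auth mismatch."""
    ifaces, nets, areas = parse(config)
    findings = []
    for name, i in ifaces.items():
        # Bits set in the wildcard mask are ignored; first matching statement wins (simplification).
        area = next((a for addr, wc, a in nets
                     if i["ip"] is not None and (i["ip"] | wc) == (addr | wc)), None)
        auth = areas.get(area, 0)  # 0 = null, 1 = simple password, 2 = message digest
        if area is not None and auth and auth not in i["keys"]:
            findings.append((name, area, auth, "area requires auth, no matching key on interface"))
        elif area is not None and not auth and i["keys"]:
            findings.append((name, area, auth, "key configured, authentication not enabled"))
    return findings
```

The second finding corresponds to the first configuration in the message, where the adjacencies stay FULL; the first finding corresponds to the "No key configured, using default key id 0" state.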