Re: RE: OSPF authentication per-link

From: Brian Lodwick (xpranax@xxxxxxxxxxx)
Date: Thu Mar 21 2002 - 19:25:02 GMT-3


Don,
I hate to say it, but you were wrong and Nicolai was absolutely right.

I have labbed this scenario up and it does work to configure the below
commands on the INTERFACE to establish per-link authentication instead of
per-area authentication.

ip ospf authentication message-digest
ip ospf message-digest-key 2 md5 <key>

Below is my lab setup. r1, r2, and r4 are all a part of OSPF area 0 via
their Frame-Relay connection, yet authentication is only happening between
r1 and r2 and all neighbor relationships are FULL.

r2#sh run
!
interface Serial0
bandwidth 64
ip address 140.100.3.2 255.255.255.0
no ip directed-broadcast
encapsulation frame-relay
ip ospf authentication message-digest
ip ospf message-digest-key 2 md5 cisco
ip ospf hello-interval 60
ip ospf priority 0
no ip mroute-cache
ipx network 213
no fair-queue
clockrate 64000
frame-relay map bridge 111 broadcast
frame-relay map ipx 213.0001.0001.0001 111 broadcast
frame-relay map ipx 213.0002.0002.0002 111 broadcast
frame-relay map ipx 213.00e0.b05a.c665 111 broadcast
frame-relay map ip 140.100.3.1 111 broadcast
frame-relay map ip 140.100.3.2 111 broadcast
frame-relay map ip 140.100.3.3 111 broadcast
bridge-group 1
!
router ospf 100
redistribute eigrp 2020 subnets route-map eigrp
network 140.100.3.2 0.0.0.0 area 0

r2#sh ip ospf nei

Neighbor ID Pri State Dead Time Address Interface
140.100.3.1 1 FULL/DR 00:03:01 140.100.3.1 Serial0

r1#sh run
!
interface Serial0.1 multipoint
ip address 140.100.3.1 255.255.255.0
no ip route-cache
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco
ip ospf message-digest-key 2 md5 cisco
ip ospf hello-interval 60
no ip mroute-cache
ipx network 213
frame-relay map bridge 120 broadcast
frame-relay map bridge 110 broadcast
frame-relay map ipx 213.0002.0002.0002 110 broadcast
frame-relay map ipx 213.00e0.b05a.c665 120 broadcast
frame-relay map ip 140.100.3.2 110 broadcast
frame-relay map ip 140.100.3.3 120 broadcast
bridge-group 1
!
interface Serial0.2 point-to-point
ip address 140.100.0.5 255.255.255.252
no ip route-cache
no ip mroute-cache
ipx network 14
frame-relay interface-dlci 130
!
router ospf 100
log-adjacency-changes
network 140.100.0.1 0.0.0.0 area 10
network 140.100.0.5 0.0.0.0 area 0
network 140.100.3.1 0.0.0.0 area 0
neighbor 140.100.3.3
neighbor 140.100.3.2

r1#sh ip ospf nei

Neighbor ID Pri State Dead Time Address Interface
155.10.6.6 0 FULL/DROTHER 00:03:21 140.100.3.3 Serial0.1
192.128.128.2 0 FULL/DROTHER 00:03:15 140.100.3.2 Serial0.1
199.199.10.1 1 FULL/ - 00:00:34 140.100.0.6 Serial0.2
199.199.10.1 1 FULL/ - 00:00:34 140.100.0.2 Serial1

r4# sh run
interface Serial0
bandwidth 64
ip address 140.100.0.6 255.255.255.252
encapsulation frame-relay
no ip route-cache
ip ospf network point-to-point
no ip mroute-cache
ipx network 14
frame-relay map ip 140.100.0.5 131 broadcast
frame-relay map ip 140.100.0.6 131 broadcast
!
router ospf 100
log-adjacency-changes
redistribute connected subnets route-map loops
network 140.100.0.2 0.0.0.0 area 10
network 140.100.0.6 0.0.0.0 area 0

r4#sh ip ospf nei

Neighbor ID Pri State Dead Time Address Interface
140.100.3.1 1 FULL/ - 00:00:34 140.100.0.5 Serial0
140.100.3.1 1 FULL/ - 00:00:34 140.100.0.1 Serial1

>>>Brian
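To make concrete what the key ID and password on those two interface commands do on the wire, here is an added Python model (not from this thread or from IOS) of RFC 2328 Appendix D cryptographic authentication: the sender appends an MD5 digest over the packet plus the zero-padded key, and the receiver looks the Key ID up in the keys configured on its own interface before checking the digest and the sequence number. Router IDs and the "cisco" key are taken from the lab above; the Hello body is a constructed placeholder.

```python
import hashlib
import hmac
import struct

AUTH_MD5 = 2            # AuType 2 = cryptographic (MD5) authentication, RFC 2328 D.3
HDR_FMT = "!BBH4s4sHH"  # version, type, length, router id, area id, checksum, autype
AUTH_FMT = "!HBBI"      # reserved(0), key id, auth data length (16), crypto sequence no.
HDR_LEN = 24

def ip_to_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))

def md5_trailer(pkt, key):
    # RFC 2328 D.4.3: digest over the packet with the secret appended; keys shorter
    # than 16 bytes are zero-padded, as IOS does with a key like "cisco".
    return hashlib.md5(pkt + key.ljust(16, b"\x00")).digest()

def build_ospf_md5_packet(body, router_id, area_id, key_id, key, seq, ptype=1):
    """Sender side: OSPF header with AuType 2 plus the 16-byte digest trailer.
    The trailer is not counted in the length field; the checksum field is 0."""
    length = HDR_LEN + len(body)
    hdr = struct.pack(HDR_FMT, 2, ptype, length, ip_to_bytes(router_id),
                      ip_to_bytes(area_id), 0, AUTH_MD5)
    pkt = hdr + struct.pack(AUTH_FMT, 0, key_id, 16, seq) + body
    return pkt + md5_trailer(pkt, key)

def verify_ospf_md5(frame, keychain, last_seq=0):
    """Receiver side: keychain maps key id -> secret, one entry per
    'ip ospf message-digest-key N md5 ...' on the interface. Returns (ok, reason, seq)."""
    if len(frame) < HDR_LEN:
        return False, "truncated header", last_seq
    _ver, _type, length, _rid, _aid, _cks, autype = struct.unpack(HDR_FMT, frame[:16])
    if autype != AUTH_MD5:
        return False, "AuType %d is not message-digest" % autype, last_seq
    _zero, key_id, auth_len, seq = struct.unpack(AUTH_FMT, frame[16:24])
    if auth_len != 16 or len(frame) != length + 16:
        return False, "bad auth data length", last_seq
    key = keychain.get(key_id)
    if key is None:  # the lab's r2 has only key 2, so a key-1 packet would fail here
        return False, "no message-digest-key %d on this interface" % key_id, last_seq
    if not hmac.compare_digest(md5_trailer(frame[:length], key), frame[length:]):
        return False, "digest mismatch (wrong password for key %d)" % key_id, last_seq
    if seq < last_seq:  # sequence number must not go backwards (replay protection)
        return False, "cryptographic sequence number went backwards", last_seq
    return True, "ok", seq

# Constructed sample keychains mirroring the lab: r1 has keys 1 and 2, r2 has key 2 only.
R1_KEYS = {1: b"cisco", 2: b"cisco"}
R2_KEYS = {2: b"cisco"}
HELLO_BODY = bytes(20)  # placeholder Hello body; its contents are irrelevant to the check
```

A receiver that lacks the sender's Key ID never even reaches the digest comparison, which is why the key number, not only the password, must match on both ends of the link.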

>From: "Don Banyong" <Donbans@hotmail.com>
>To: "Brian Lodwick" <xpranax@hotmail.com>
>Subject: Re: RE: OSPF authentication per-link
>Date: Wed, 20 Mar 2002 10:54:35 -0500
>
>All ospf intf have IP OSPF AUTHENTICATION NULL by default
>(Jeff Doyle, Routing TCP/IP Vol 1, p 550). You do not need to explicitly
>use that command on an intf which you do not want to put a password on.
>
>Just remember.... there are two things going on here.
>The first thing is
>For two routers to create neighborships, the hello packets must agree on a
>couple of flags. Two of these flags are the area authentication and area
>authentication type.
>See OSPF packet structure:
>http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/ospf.htm
>It is for this reason that authentication type is a per area attribute.
>(area x authentication message-digest for md5 or area x authentication for
>clear text).
>If you noticed, there is no particular password for the area........!!!
>
>The second thing is
>For two routers having a link to become ospf neighbors in an ospf
>authenticated area, the link password should be the same.
>The same passwords can also include NULL passwords (ie no passwords) on
>either side of the link......
>
>You explicitly use the cmd ip ospf authentication NULL as an alternative
>way to turn off a previously enabled message-digest or clear text ospf
>interface password.
>Another way of turning off a previously used message-digest or clear text
>ospf interface password is by using the no form of the command.
>Using the no form of any command returns that command attribute to its
>default (in this case NULL password).
>
>Feel me on this?
>
>
>----- Original Message -----
>From: "Brian Lodwick" <xpranax@hotmail.com>
>To: <Donbans@hotmail.com>
>Sent: Wednesday, March 20, 2002 9:49 AM
>Subject: Re: RE: OSPF authentication per-link
>
>
> > Don,
> > Good call! You are probably right, people often write in without much
>thought process or experience behind their messages. It is difficult to
>weed out the junk in here sometimes.
> > I only know of one way to do authentication in OSPF and that is to
>configure it on every link within an area (clear or md5). That is why I
>asked the question. I've already got a lab setup with OSPF area 0 across 2
>links. I am going to try using the NULL method even though it doesn't seem
>like it will work. I am pretty sure the other way won't work, unless there
>is some validity to what Nicolai said and now after IOS release 12.0(8) it
>is possible? I was actually in a hurry when I received that e-mail, and I
>figured since I got a reply so quickly it must be possible.
> >
> > >>>Brian
> >
> >
> > >From: "Don Banyong" <Donbans@hotmail.com>
> > >To: "Brian Lodwick" <xpranax@hotmail.com>
> > >Subject: Re: RE: OSPF authentication per-link
> > >Date: Wed, 20 Mar 2002 01:21:53 -0500
> > >
> > >The first thing is one of the guys is not so sure on what he is talking
>about. He is just following someone else's configuration. If I were you, I
>would do more research.
> > >
> > >For example
> > > > > >-----Original Message-----
> > > > > >From: Nicolai Gersbo Solling [mailto:nicolai@cisco.com]
> > >said
> > >to configure OSPF md5 configuration under an interface, use TWO IP OSPF
>cmds
> > > > > >IP ospf authentication message-digest
> > > > > >IP ospf message-digest 1 md5 password
> > >
> > >This is not true. You need a single command to configure md5 on an
>interface and this cmd is
> > >'IP ospf message-digest 1 md5 password'
> > >http://www.cisco.com/warp/public/104/25.shtml
> > >
> > >Secondly, the command 'ip ospf authentication null' does not need to be
>issued on an interface that has never had an 'ip ospf authentication' or 'ip
>ospf message-digest' issued on it. This command is the default on all OSPF
>interfaces.
> > >
> > >An extract from
>http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_r/1rprt1/1rospf.htm#xtocid272949
> > >Before using the ip ospf authentication command, configure a password
>for the interface using the ip ospf authentication-key command. If you use
>the ip ospf authentication message-digest command, configure the
>message-digest key for the interface with the ip ospf message-digest-key
>command.
> > >
> > >For backward compatibility, authentication type for an area is still
>supported. If the authentication type is not specified for an interface,
>the authentication type for the area will be used (the area default is null
>authentication).
> > >
> > >
> > >
> > >I could go on and on..... do your research....
> > >
> > >
> > >
> > >----- Original Message -----
> > >From: "Brian Lodwick" <xpranax@hotmail.com>
> > >To: <Donbans@hotmail.com>
> > >Sent: Tuesday, March 19, 2002 9:33 PM
> > >Subject: Fwd: RE: OSPF authentication per-link
> > >
> > >
> > > > Parry says it is possible if you use the keyword NULL on the
>interfaces of the links you do not want to require authentication within an
>area.
> > > > I'm going to try both and see what works and what doesn't.
> > > >
> > > > >>>Brian
> > > >
> > > >
> > > >
> > > > >From: "Chua, Parry" <Parry.Chua@compaq.com>
> > > > >Reply-To: "Chua, Parry" <Parry.Chua@compaq.com>
> > > > >To: "Brian Lodwick" <xpranax@hotmail.com>, <nicolai@cisco.com>,
> <ccielab@groupstudy.com>
> > > > >Subject: RE: OSPF authentication per-link
> > > > >Date: Wed, 20 Mar 2002 10:13:01 +0800
> > > > >
> > > > >Extract from 12.1 CD doc :
> > > > >
> > > > >ip ospf authentication
> > > > >======================
> > > > >To specify the authentication type for an interface, use the ip
>ospf authentication interface configuration command.
> > > > >To remove the authentication type for an interface, use the no form
>of this command.
> > > > >
> > > > >ip ospf authentication [message-digest | null]
> > > > > *****
> > > > >no ip ospf authentication
> > > > >
> > > > >Syntax Description
> > > > >====================
> > > > >+ message-digest
> > > > > -(Optional) Specifies that message-digest authentication will be
>used.
> > > > >
> > > > >+ null
> > > > > -(Optional) No authentication is used. Useful for overriding
>password or message-digest
> > > > > authentication if configured for an area.
> > > > >
> > > > >Parry Chua
> > > > >
> > > > >-----Original Message-----
> > > > >From: Brian Lodwick [mailto:xpranax@hotmail.com]
> > > > >Sent: Wednesday, March 20, 2002 9:47 AM
> > > > >To: Chua, Parry; nicolai@cisco.com; ccielab@groupstudy.com
> > > > >Subject: RE: OSPF authentication per-link
> > > > >
> > > > >
> > > > >Parry,
> > > > >Could you please expound upon your reply a little for me?
> > > > >I don't quite understand what you mean by using the keyword NULL
>within OSPF
> > > > >authentication.
> > > > >Thanks,
> > > > > >>>Brian
> > > > >
> > > > >
> > > > > >From: "Chua, Parry" <Parry.Chua@compaq.com>
> > > > > >To: "Nicolai Gersbo Solling" <nicolai@cisco.com>, "Brian Lodwick"
> > > > > ><xpranax@hotmail.com>, <ccielab@groupstudy.com>
> > > > > >Subject: RE: OSPF authentication per-link
> > > > > >Date: Wed, 20 Mar 2002 09:17:20 +0800
> > > > > >
> > > > > >I believe you can still use per area authentication, for the
>links that
> > > > > >belong to this area and not authentication using the keyword
>NULL.
> > > > > >
> > > > > >Parry Chua
> > > > > >
> > > > > >-----Original Message-----
> > > > > >From: Nicolai Gersbo Solling [mailto:nicolai@cisco.com]
> > > > > >Sent: Wednesday, March 20, 2002 6:08 AM
> > > > > >To: Brian Lodwick; ccielab@groupstudy.com
> > > > > >Subject: RE: OSPF authentication per-link
> > > > > >
> > > > > >
> > > > > >Yes...first of all you need IOS code 12.0(8) or later!
> > > > > >
> > > > > >next thing is the following commands on the interface
> > > > > >
> > > > > >IP ospf authentication message-digest
> > > > > >IP ospf message-digest 1 md5 password
> > > > > >
> > > > > >Where 1 is the key and password is your password....Password and
>key must
> > > > > >match at both ends!
> > > > > >
> > > > > >
> > > > > >Nic
> > > > > >
> > > > > >-----Original Message-----
> > > > > >From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On
>Behalf Of
> > > > > >Brian Lodwick
> > > > > >Sent: 19. marts 2002 21:49
> > > > > >To: ccielab@groupstudy.com
> > > > > >Subject: OSPF authentication per-link
> > > > > >
> > > > > >
> > > > > >List,
> > > > > > Does anyone know if there is a way to use authentication for a
>single
> > > > > >link
> > > > > >within an area, but have all of the other links not use
>authentication?
> > > > > >
> > > > > > >>>Brian
> > > > > >



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:57:16 GMT-3