From: Don Banyong (don_study@xxxxxxxxxxx)
Date: Fri Mar 22 2002 - 03:43:34 GMT-3
Brian,
Firstly, the fact that your configuration works does not mean that you
accomplished your lab objectives.
Secondly,
Let us take a look at your configuration below for router r1 only.
Your Router R1 Config:
interface Serial0.1 multipoint
ip address 140.100.3.1 255.255.255.0
no ip route-cache
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco
ip ospf message-digest-key 2 md5 cisco
! You did correctly ASSIGN a message-digest key and a password for this
interface
! but this alone does not enable OSPF AUTHENTICATION
! The above command is used to ASSIGN the LINK authentication type and
password. You still need to ENABLE
! AUTHENTICATION. (see below under router OSPF 100)
! Also, you do not NEED to explicitly type both commands (ip ospf
authentication message-digest
! and ip ospf message-digest-key 1 md5 Cisco). Typing the latter (ip ospf
message-digest-key 1 md5 Cisco)
! is sufficient to assign a message-digest-key for that interface. Hopefully,
this will save you fifteen valuable seconds in your lab.
ip ospf hello-interval 60
no ip mroute-cache
ipx network 213
frame-relay map bridge 120 broadcast
frame-relay map bridge 110 broadcast
frame-relay map ipx 213.0002.0002.0002 110 broadcast
frame-relay map ipx 213.00e0.b05a.c665 120 broadcast
frame-relay map ip 140.100.3.2 110 broadcast
frame-relay map ip 140.100.3.3 120 broadcast
bridge-group 1
!
interface Serial0.2 point-to-point
ip address 140.100.0.5 255.255.255.252
no ip route-cache
no ip mroute-cache
ipx network 14
frame-relay interface-dlci 130
!
router ospf 100
log-adjacency-changes
network 140.100.0.1 0.0.0.0 area 10
network 140.100.0.5 0.0.0.0 area 0
network 140.100.3.1 0.0.0.0 area 0
neighbor 140.100.3.3
neighbor 140.100.3.2
! If you noticed, you did not enable OSPF AUTHENTICATION.
! Clear text or message digest AUTHENTICATION must be enabled under ip ospf
! configuration mode to completely activate authentication.
! to complete your configuration, add the following command
Area 0 authentication message-digest
Let's take this to another level. BRING IN AN AUTHORITY*!!!!! MINE CCO. YOU ARE
FREE TO USE CCO - Just provide us with a link.
I will prove to you that I am correct by referring to 5 CCO pages citing with
the explanations in my previous emails to you and also to the corrections I
have provided to your configuration.
AUTHORITY - Somebody who is accepted as a source of reliable information on a
subject, or a book in which such information is given
(http://encarta.msn.com)
OSPF Authentication
Sample Configuration for Authentication in OSPF
Area Authentication
Q. Are OSPF Routing Protocol Exchanges Authenticated?
OSPF Commands -ip ospf message-digest-key
I can go on n on n on n on.... just like an energizer bunny...but I'll stop.
One last thing, YOUR CONFIGURATION MIGHT WORK....BUT THIS DOES NOT MEAN YOU
HAVE COMPLETED THE OBJECTIVE. YOU FAILED IN YOUR CONFIGURATION TO ENABLE OSPF,
HENCE YOU FAILED TO ACCOMPLISH YOUR OBJECTIVE. Do a 'debug ip ospf packet' on
r1, and look for the aut type attribute. I bet you it is 0 (authentication not
enabled!!!). After enabling OSPF using cco/my way, do this again, and you will
see aut:2 - for md5.
I SEE WHY IT IS SO EASY TO COME BACK WITH LESS THAN 20%
Please correct me if I am wrong. We are in the business of learning. No hard
feelings :). Also let us know if you have learned something.
Thanks,
Don
Below is a very workable copy of one of my routers which uses OSPF
authentication. Sorry, no print outs of 'show ip ospf neighbor' or 'debug ip
ospf packet'. I was not ready to lecture IP OSPF AUTHENTICATION 101 4 DUMMIES+
today.
r2#sh run
Building configuration...
Current configuration : 1301 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r2
!
ip subnet-zero
no ip finger
!
interface Serial0
no ip address
encapsulation frame-relay
frame-relay lmi-type cisco
!
interface Serial0.1 point-to-point
ip address 150.50.24.2 255.255.255.0
frame-relay interface-dlci 204
!
interface Serial0.2 multipoint
ip address 150.50.100.2 255.255.255.224
ip ospf message-digest-key 3 md5 cisco
ip ospf priority 3
frame-relay map ip 150.50.100.5 205 broadcast
frame-relay map ip 150.50.100.6 206 broadcast
!
interface Serial1
ip address 150.50.17.2 255.255.255.0
!
interface TokenRing0
no ip address
shutdown
!
interface BRI0
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
area 0 authentication message-digest
area 1 range 10.1.0.0 255.255.0.0
area 3 nssa default-information-originate always
summary-address 150.50.200.0 255.255.252.0
network 150.50.17.0 0.0.0.255 area 3
network 150.50.24.0 0.0.0.255 area 1
network 150.50.100.2 0.0.0.0 area 0
network 200.0.0.2 0.0.0.0 area 1
neighbor 150.50.100.5
neighbor 150.50.100.6
!
ip classless
no ip http server
!
!
line con 0
transport input none
line aux 0
line vty 0 4
!
end
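The "aut" value Don tells Brian to look for in 'debug ip ospf packet' is the AuType field of the OSPFv2 header (0 = null, 1 = clear text, 2 = MD5). The Python below is an added example, not code from this thread or from Cisco: it parses that header from a constructed Hello packet and verifies the MD5 trailer the way a receiving router does (RFC 2328 Appendix D), using the thread's key ID 1 and key "cisco". The Hello body is constructed sample data and the header checksum is left at zero (it is zero by definition when MD5 authentication is in use).

```python
import hashlib
import hmac
import socket
import struct

# OSPFv2 fixed header (RFC 2328 A.3.1): version, type, length, router ID,
# area ID, checksum, AuType; an 8-byte authentication field follows it.
HDR = struct.Struct("!BBHIIHH")
AUTYPE_NAMES = {0: "null", 1: "simple password", 2: "cryptographic (MD5)"}
MD5_LEN = 16

def parse_ospf_header(pkt):
    """Decode the header; 'autype' is the 'aut:' value shown by
    'debug ip ospf packet' (0 = none, 1 = clear text, 2 = MD5)."""
    version, ptype, length, rid, aid, _csum, autype = HDR.unpack_from(pkt, 0)
    info = {"version": version, "type": ptype, "length": length,
            "router_id": socket.inet_ntoa(struct.pack("!I", rid)),
            "area_id": socket.inet_ntoa(struct.pack("!I", aid)),
            "autype": autype, "autype_name": AUTYPE_NAMES.get(autype, "unknown")}
    if autype == 2:
        # RFC 2328 D.3: reserved(2), key ID(1), auth data length(1), crypto seq(4)
        key_id, auth_len, seq = struct.unpack("!xxBBI", pkt[16:24])
        info.update(key_id=key_id, auth_data_len=auth_len, crypto_seq=seq)
    return info

def verify_md5(pkt, keys):
    """Check the MD5 trailer as a receiver does (RFC 2328 D.4.3): the digest is
    MD5(packet[:length] + key zero-padded to 16 bytes) and is appended after
    the packet, outside the header's length field."""
    hdr = parse_ospf_header(pkt)
    if hdr["autype"] != 2 or hdr.get("auth_data_len") != MD5_LEN:
        return False
    key = keys.get(hdr["key_id"])
    if key is None:            # key ID not configured locally: drop the packet
        return False
    end = hdr["length"]
    expected = hashlib.md5(pkt[:end] + key.ljust(MD5_LEN, b"\0")[:MD5_LEN]).digest()
    return hmac.compare_digest(expected, pkt[end:end + MD5_LEN])

def build_hello(router_id, area_id, autype=0, key_id=0, key=b"", seq=0):
    """Constructed sample Hello (type 1): /24 mask, hello 60, dead 240, priority 1.
    Checksum left zero for brevity (it is zero by definition when MD5 is used)."""
    body = struct.pack("!4sHBBI4s4s", socket.inet_aton("255.255.255.0"), 60,
                       0x02, 1, 240, b"\0" * 4, b"\0" * 4)
    length = HDR.size + 8 + len(body)
    if autype == 2:
        auth = struct.pack("!xxBBI", key_id, MD5_LEN, seq)
    else:
        auth = key.ljust(8, b"\0")[:8]   # simple password, or all zero for null
    rid, aid = (struct.unpack("!I", socket.inet_aton(a))[0] for a in (router_id, area_id))
    pkt = HDR.pack(2, 1, length, rid, aid, 0, autype) + auth + body
    if autype == 2:
        pkt += hashlib.md5(pkt + key.ljust(MD5_LEN, b"\0")[:MD5_LEN]).digest()
    return pkt
```

Run over a capture of the Frame Relay segment, parse_ospf_header() on every Hello shows which neighbours are sending aut 0 and which aut 2, and verify_md5() confirms whether the configured key actually matches.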
----- Original Message -----
From: "Brian Lodwick" <xpranax@hotmail.com>
To: <Donbans@hotmail.com>
Cc: <ccielab@groupstudy.com>
Sent: Thursday, March 21, 2002 5:25 PM
Subject: Re: RE: OSPF authentication per-link
> Don,
> I hate to say it, but you were wrong and Nicolai was absolutely right.
>
> I have labbed this scenario up and it does work to configure the below
> commands on the INTERFACE to establish per-link authentication instead of
> per-area authentication.
>
> ip ospf authentication message-digest
> ip ospf message-digest-key 2 md5 <key>
>
> Below is my lab setup. r1, r2, and r4 are all a part of OSPF area 0 via
> their Frame-Relay connection, yet authentication is only happening between
> r1 and r2 and all neighbor relationships are FULL.
>
> r2#sh run
> !
> interface Serial0
> bandwidth 64
> ip address 140.100.3.2 255.255.255.0
> no ip directed-broadcast
> encapsulation frame-relay
> ip ospf authentication message-digest
> ip ospf message-digest-key 2 md5 cisco
> ip ospf hello-interval 60
> ip ospf priority 0
> no ip mroute-cache
> ipx network 213
> no fair-queue
> clockrate 64000
> frame-relay map bridge 111 broadcast
> frame-relay map ipx 213.0001.0001.0001 111 broadcast
> frame-relay map ipx 213.0002.0002.0002 111 broadcast
> frame-relay map ipx 213.00e0.b05a.c665 111 broadcast
> frame-relay map ip 140.100.3.1 111 broadcast
> frame-relay map ip 140.100.3.2 111 broadcast
> frame-relay map ip 140.100.3.3 111 broadcast
> bridge-group 1
> !
> router ospf 100
> redistribute eigrp 2020 subnets route-map eigrp
> network 140.100.3.2 0.0.0.0 area 0
>
> r2#sh ip ospf nei
>
> Neighbor ID Pri State Dead Time Address Interface
> 140.100.3.1 1 FULL/DR 00:03:01 140.100.3.1 Serial0
>
>
> r1#sh run
> !
> interface Serial0.1 multipoint
> ip address 140.100.3.1 255.255.255.0
> no ip route-cache
> ip ospf authentication message-digest
> ip ospf message-digest-key 1 md5 cisco
> ip ospf message-digest-key 2 md5 cisco
> ip ospf hello-interval 60
> no ip mroute-cache
> ipx network 213
> frame-relay map bridge 120 broadcast
> frame-relay map bridge 110 broadcast
> frame-relay map ipx 213.0002.0002.0002 110 broadcast
> frame-relay map ipx 213.00e0.b05a.c665 120 broadcast
> frame-relay map ip 140.100.3.2 110 broadcast
> frame-relay map ip 140.100.3.3 120 broadcast
> bridge-group 1
> !
> interface Serial0.2 point-to-point
> ip address 140.100.0.5 255.255.255.252
> no ip route-cache
> no ip mroute-cache
> ipx network 14
> frame-relay interface-dlci 130
> !
> router ospf 100
> log-adjacency-changes
> network 140.100.0.1 0.0.0.0 area 10
> network 140.100.0.5 0.0.0.0 area 0
> network 140.100.3.1 0.0.0.0 area 0
> neighbor 140.100.3.3
> neighbor 140.100.3.2
>
> r1#sh ip ospf nei
>
> Neighbor ID Pri State Dead Time Address Interface
> 155.10.6.6 0 FULL/DROTHER 00:03:21 140.100.3.3 Serial0.1
> 192.128.128.2 0 FULL/DROTHER 00:03:15 140.100.3.2 Serial0.1
> 199.199.10.1 1 FULL/ - 00:00:34 140.100.0.6 Serial0.2
> 199.199.10.1 1 FULL/ - 00:00:34 140.100.0.2 Serial1
>
>
> r4# sh run
> interface Serial0
> bandwidth 64
> ip address 140.100.0.6 255.255.255.252
> encapsulation frame-relay
> no ip route-cache
> ip ospf network point-to-point
> no ip mroute-cache
> ipx network 14
> frame-relay map ip 140.100.0.5 131 broadcast
> frame-relay map ip 140.100.0.6 131 broadcast
> !
> router ospf 100
> log-adjacency-changes
> redistribute connected subnets route-map loops
> network 140.100.0.2 0.0.0.0 area 10
> network 140.100.0.6 0.0.0.0 area 0
>
> r4#sh ip ospf nei
>
> Neighbor ID Pri State Dead Time Address Interface
> 140.100.3.1 1 FULL/ - 00:00:34 140.100.0.5 Serial0
> 140.100.3.1 1 FULL/ - 00:00:34 140.100.0.1 Serial1
>
> >>>Brian
>
>
>
>
>
> >From: "Don Banyong" <Donbans@hotmail.com>
> >To: "Brian Lodwick" <xpranax@hotmail.com>
> >Subject: Re: RE: OSPF authentication per-link
> >Date: Wed, 20 Mar 2002 10:54:35 -0500
> >
> >All OSPF interfaces have the IP OSPF AUTHENTICATION NULL by default
> >(Jeff Doyle, Routing TCP/IP Vol 1, p 550). You do not need to explicitly
> >use that command on an intf which you do not want to put a password on.
> >
> >Just remember.... there are two things going on here.
> >The first thing is
> >For two routers to create neighborships, the hello packets must agree to a
> >couple of flags. Two of these flags are the area authentication and area
> >authentication type
> >See OSPF packet structure:
> >http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/ospf.htm
> >It is for this reason that authentication type is a per area attribute.
> >(area x authentication message-digest for md5 or area x authentication for
> >clear text).
> >If you noticed, there is no particular password for the area........!!!
> >
> >The second thing is
> >For two routers having a link to become ospf neighbors in an ospf
> >authenticated area, the link password should be the same.
> >The same passwords can also include NULL passwords (ie no passwords) on
> >either side of the link......
> >
> >You explicitly use the cmd ip ospf authentication NULL as an alternative
> >way to turn off a previously enabled message-digest or clear text ospf
> >interface password.
> >Another way of turning off a previously used message-digest or clear text
> >ospf interface password is by using the no form of the command.
> >Using the no form of any command returns that command attribute to its
> >default (in this case NULL password)
> >
> >Feel me on this?
> >
> >
> >----- Original Message -----
> >From: "Brian Lodwick" <xpranax@hotmail.com>
> >To: <Donbans@hotmail.com>
> >Sent: Wednesday, March 20, 2002 9:49 AM
> >Subject: Re: RE: OSPF authentication per-link
> >
> >
> > > Don,
> > > Good call! You are probably right; people often write in without much
> >thought process or experience behind their messages. It is difficult to
> >weed out the junk in here sometimes.
> > > I only know of one way to do authentication in OSPF and that is to
> >configure it on every link within an area (clear or md5). That is why I
> >asked the question. I've already got a lab setup with OSPF area 0 across 2
> >links. I am going to try using the NULL method even though it doesn't seem
> >like it will work. I am pretty sure the other way won't work, unless there
> >is some validity to what Nicolai said and now after IOS release 12.0(8) it
> >is possible? I was actually in a hurry when I received that e-mail, and I
> >figured since I got a reply so quickly it must be possible.
> > >
> > > >>>Brian
> > >
> > >
> > > >From: "Don Banyong" <Donbans@hotmail.com>
> > > >To: "Brian Lodwick" <xpranax@hotmail.com>
> > > >Subject: Re: RE: OSPF authentication per-link
> > > >Date: Wed, 20 Mar 2002 01:21:53 -0500
> > > >
> > > >The first thing is one of the guys is not so sure on what he is talking
> >about. He is just following someone else's configuration. If I were you, I
> >would do more research.
> > > >
> > > >For example
> > > > > > >-----Original Message-----
> > > > > > >From: Nicolai Gersbo Solling [mailto:nicolai@cisco.com]
> > > >said
> > > >to configure OSPF md5 configuration under an interface, use TWO IP OSPF
> >cmds
> > > > > > >IP ospf authentication message-digest
> > > > > > >IP ospf message-digest 1 md5 password
> > > >
> > > >This is not true. You need a single command to configure md5 on an
> >interface and this cmd is
> > > >'IP ospf message-digest 1 md5 password'
> > > >http://www.cisco.com/warp/public/104/25.shtml
> > > >
> > > >Secondly, the command 'ip ospf authentication null' does not need to be
> >issued on an interface that has never had an 'ip ospf authentication or ip
> >ospf message-digest' issued on. This command is the default on all OSPF
> >interfaces.
> > > >
> > > >An extract from
> >http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_r/1rprt1/1rospf.htm#xtocid272949
> > > >Before using the ip ospf authentication command, configure a password
> >for the interface using the ip ospf authentication-key command. If you use
> >the ip ospf authentication message-digest command, configure the
> >message-digest key for the interface with the ip ospf message-digest-key
> >command.
> > > >
> > > >For backward compatibility, authentication type for an area is still
> >supported. If the authentication type is not specified for an interface,
> >the authentication type for the area will be used (the area default is null
> >authentication).
> > > >
> > > >
> > > >
> > > >I could go on and on..... do your research....
> > > >
> > > >
> > > >
> > > >----- Original Message -----
> > > >From: "Brian Lodwick" <xpranax@hotmail.com>
> > > >To: <Donbans@hotmail.com>
> > > >Sent: Tuesday, March 19, 2002 9:33 PM
> > > >Subject: Fwd: RE: OSPF authentication per-link
> > > >
> > > >
> > > > > Parry says it is possible if you use the keyword NULL on the
> >interfaces of the links you do not want to require authentication within an
> >area.
> > > > > I'm going to try both and see what works and what doesn't.
> > > > >
> > > > > >>>Brian
> > > > >
> > > > >
> > > > >
> > > > > >From: "Chua, Parry" <Parry.Chua@compaq.com>
> > > > > >Reply-To: "Chua, Parry" <Parry.Chua@compaq.com>
> > > > > >To: "Brian Lodwick" <xpranax@hotmail.com>, <nicolai@cisco.com>,
> > <ccielab@groupstudy.com>
> > > > > >Subject: RE: OSPF authentication per-link
> > > > > >Date: Wed, 20 Mar 2002 10:13:01 +0800
> > > > > >
> > > > > >Extract from 12.1 CD doc :
> > > > > >
> > > > > >ip ospf authentication
> > > > > >======================
> > > > > >To specify the authentication type for an interface, use the ip
> >ospf authentication interface configuration command.
> > > > > >To remove the authentication type for an interface, use the no form
> >of this command.
> > > > > >
> > > > > >ip ospf authentication [message-digest | null]
> > > > > > *****
> > > > > >no ip ospf authentication
> > > > > >
> > > > > >Syntax Description
> > > > > >====================
> > > > > >+ message-digest
> > > > > > -(Optional) Specifies that message-digest authentication will be
> >used.
> > > > > >
> > > > > >+ null
> > > > > > -(Optional) No authentication is used. Useful for overriding
> >password or message-digest
> > > > > > authentication if configured for an area.
> > > > > >
> > > > > >Parry Chua
> > > > > >
> > > > > >-----Original Message-----
> > > > > >From: Brian Lodwick [mailto:xpranax@hotmail.com]
> > > > > >Sent: Wednesday, March 20, 2002 9:47 AM
> > > > > >To: Chua, Parry; nicolai@cisco.com; ccielab@groupstudy.com
> > > > > >Subject: RE: OSPF authentication per-link
> > > > > >
> > > > > >
> > > > > >Parry,
> > > > > >Could you please expound upon your reply a little for me?
> > > > > >I don't quite understand what you mean by using the keyword NULL
> >within OSPF
> > > > > >authentication.
> > > > > >Thanks,
> > > > > > >>>Brian
> > > > > >
> > > > > >
> > > > > > >From: "Chua, Parry" <Parry.Chua@compaq.com>
> > > > > > >To: "Nicolai Gersbo Solling" <nicolai@cisco.com>, "Brian Lodwick"
> > > > > > ><xpranax@hotmail.com>, <ccielab@groupstudy.com>
> > > > > > >Subject: RE: OSPF authentication per-link
> > > > > > >Date: Wed, 20 Mar 2002 09:17:20 +0800
> > > > > > >
> > > > > > >I believe you can still use per area authentication, for the links that
> > > > > > >belong to this area and not authentication using the keyword NULL.
> > > > > > >
> > > > > > >Parry Chua
> > > > > > >
> > > > > > >-----Original Message-----
> > > > > > >From: Nicolai Gersbo Solling [mailto:nicolai@cisco.com]
> > > > > > >Sent: Wednesday, March 20, 2002 6:08 AM
> > > > > > >To: Brian Lodwick; ccielab@groupstudy.com
> > > > > > >Subject: RE: OSPF authentication per-link
> > > > > > >
> > > > > > >
> > > > > > >Yes...first of all you need IOS code 12.0(8) or later!
> > > > > > >
> > > > > > >next thing is the following commands on the interface
> > > > > > >
> > > > > > >IP ospf authentication message-digest
> > > > > > >IP ospf message-digest 1 md5 password
> > > > > > >
> > > > > > >Where 1 is the key and password is your password....Password and key must
> > > > > > >match in both ends!
> > > > > > >
> > > > > > >
> > > > > > >Nic
> > > > > > >
> > > > > > >-----Original Message-----
> > > > > > >From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> > > > > > >Brian Lodwick
> > > > > > >Sent: 19. marts 2002 21:49
> > > > > > >To: ccielab@groupstudy.com
> > > > > > >Subject: OSPF authentication per-link
> > > > > > >
> > > > > > >
> > > > > > >List,
> > > > > > > Does anyone know if there is a way to use authentication for a single link
> > > > > > >within an area, but have all of the other links not use authentication?
> > > > > > >
> > > > > > > >>>Brian
> > > > > > >
> > > > > >
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:57:17 GMT-3