From: Brian Lodwick (xpranax@xxxxxxxxxxx)
Date: Fri Mar 22 2002 - 10:14:51 GMT-3
Good Stuff Parry! Lots of effort and good information in your reply. I would
also agree with your remark saying that using the 2 authentication commands
on the interface requires all interfaces within that subnet to be also
configured the same way. In my example I did this on a multipoint
frame-relay connection and all routers within that subnet were configured
this way in order to get it to work. I plan to reconfigure this today using
the NULL method so that I can more fully understand how to implement this
method.
If a requirement said to not have authentication on one link, and you used
the NULL method it is questionable that authentication is still configured
on that link, but the password is NULL?
Any comments on this thought?
>>>Brian
>From: "Chua, Parry" <Parry.Chua@compaq.com>
>To: "Don Banyong" <don_study@hotmail.com>, "Brian Lodwick"
><xpranax@hotmail.com>
>CC: <ccielab@groupstudy.com>, "Conte, Charles" <Charles.Conte@NASD.com>,
><contec@nasdaq.com>
>Subject: RE: RE: OSPF authentication per-link *****OSPF AUTHENTICATION 4
>DUMMIES plus******
>Date: Fri, 22 Mar 2002 17:24:24 +0800
>
>I just conducted some tests again using IOS 12.1(9) and this is what I got:
>
>1. Per-interface authentication
>--------------------------------
>All links in the subnet must be enabled and set up the same way, else no
>neighbors will form.
>Two ip ospf commands per interface.
>2. Per-area authentication
>----------------------------
>You can override or disable the interface's authentication by using the
>keyword null.
>One command in the ospf process and one on the interface.
>
>(R2)-(DR)-Hub---(R1)[spoke], (R5)[spoke]
>
>1. Per-interface authentication
>- all interfaces in the same subnet must be enabled and set up
> with the same kind of authentication.
>- verify method: clear ip ospf process and ensure the neighbor is up.
>
>r5#s ip ospf
> Area 1
> Number of interfaces in this area is 2
> Area has no authentication
> SPF algorithm executed 31 times
>
>r5#
>r5#s ip ospf int s1/0.1
>Serial1/0.1 is up, line protocol is up
> Internet Address 135.1.125.5/28, Area 1
> Process ID 1, Router ID 135.1.5.5, Network Type NON_BROADCAST, Cost: 64
> Neighbor Count is 1, Adjacent neighbor count is 1
> Adjacent with neighbor 135.1.2.2 (Designated Router)
> Suppress hello for 0 neighbor(s)
> Message digest authentication enabled
> Youngest key id is 1
>====================================================
>
>2.0 Per-area authentication
>2.1 Enable area authentication
>2.2 To disable authentication on a link in that area
>2.2.1 - In interface config, ip ospf auth null
>
>R2:
>!
>router ospf 1
> area 1 authentication message-digest
>!
>interface Serial0/0.1 multipoint
> ip address 135.1.125.2 255.255.255.240
> no ip directed-broadcast
> ip pim sparse-dense-mode
> ip ospf authentication null
>-------------------------------
>r2#s ip ospf
> Area 1
> Number of interfaces in this area is 2
> Area has message digest authentication
> SPF algorithm executed 21 times
>
>R2#s ip ospf int s0/0.1
>Serial0/0.1 is up, line protocol is up
> Internet Address 135.1.125.2/28, Area 1
> Process ID 1, Router ID 135.1.2.2, Network Type NON_BROADCAST, Cost: 64
> Transmit Delay is 1 sec, State DR, Priority 255
> Designated Router (ID) 135.1.2.2, Interface address 135.1.125.2
> No backup designated router on this network
> Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
> Hello due in 00:00:00
> Neighbor Count is 2, Adjacent neighbor count is 2
> Adjacent with neighbor 135.1.5.5
> Adjacent with neighbor 135.1.1.1
> Suppress hello for 0 neighbor(s)
>
>r1#s ip ospf
> Routing Process "ospf 1" with ID 135.1.1.1
>
> Area 1
> Number of interfaces in this area is 2
> Area has no authentication
> SPF algorithm executed 13 times
>
>r1#s ip ospf neig
>
>Neighbor ID Pri State Dead Time Address Interface
>135.1.2.2 255 FULL/DR 00:01:42 135.1.125.2 Serial0
>
>r5#s ip os
> Area 1
> Number of interfaces in this area is 2
> Area has no authentication
> SPF algorithm executed 35 times
>Parry Chua
>/////////////////////////////////////////////////////////
>-----Original Message-----
>From: Don Banyong [mailto:don_study@hotmail.com]
>Sent: Friday, March 22, 2002 2:44 PM
>To: Brian Lodwick
>Cc: ccielab@groupstudy.com; Conte, Charles; contec@nasdaq.com
>Subject: Re: RE: OSPF authentication per-link *****OSPF AUTHENTICATION 4
>DUMMIES plus******
>//////////////////////////////////////////////////////////
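
Added example, not part of the original messages: a Python audit sketch that computes the effective OSPF authentication type per interface from an IOS-style configuration, applying the behaviour shown in the test above (an interface-level "ip ospf authentication" setting, including null, overrides the area setting). The network statement, the Serial0/0.2 interface and the first-match area lookup are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample: R2's settings from the thread, plus an assumed network
# statement and an assumed second interface (Serial0/0.2) for contrast.
SAMPLE_CONFIG = """\
interface Serial0/0.1 multipoint
 ip address 135.1.125.2 255.255.255.240
 ip ospf authentication null
!
interface Serial0/0.2 point-to-point
 ip address 135.1.25.2 255.255.255.252
!
router ospf 1
 network 135.1.0.0 0.0.255.255 area 1
 area 1 authentication message-digest
"""

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def effective_ospf_auth(config):
    """Map interface -> (area, effective auth type, where it was set)."""
    ifaces, networks, area_auth, cur = {}, [], {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m.group(1), {"ip": None, "auth": None})
        elif m := re.match(r" +ip address (\S+) \S+", line):
            cur["ip"] = to_int(m.group(1))
        elif m := re.match(r" +ip ospf authentication(?: (message-digest|null))?$", line):
            cur["auth"] = m.group(1) or "simple"
        elif m := re.match(r" +network (\S+) (\S+) area (\S+)", line):
            networks.append((to_int(m.group(1)), to_int(m.group(2)), m.group(3)))
        elif m := re.match(r" +area (\S+) authentication(?: (message-digest))?$", line):
            area_auth[m.group(1)] = m.group(2) or "simple"
    result = {}
    for name, i in ifaces.items():
        # Wildcard bits are "don't care": force them to 1 on both sides.
        area = next((a for addr, wild, a in networks
                     if i["ip"] is not None and (i["ip"] | wild) == (addr | wild)), None)
        if area is None:
            continue  # interface is not in any OSPF area
        # An interface-level setting overrides the area setting.
        source = "interface" if i["auth"] else "area"
        result[name] = (area, i["auth"] or area_auth.get(area, "null"), source)
    return result

def unauthenticated_links(config):
    return [n for n, (_, auth, _) in effective_ospf_auth(config).items() if auth == "null"]
```

Running unauthenticated_links() over each router's configuration lists the links where OSPF packets are accepted without authentication even though the area has it enabled.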
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:57:17 GMT-3