RE: Definitive Source: OSPF authentication per-link

From: Chua, Parry (Parry.Chua@xxxxxxxxxx)
Date: Sat Mar 23 2002 - 00:24:42 GMT-3


   
This is what I understand so far:

In the older version of IOS, there is only area x authentication and you cannot override it. Once you enable area x authentication, all routers that participate in area x have to enable area x authentication and the associated interfaces.

In the latest version of IOS, per-interface (link) OSPF authentication is allowed. You can disable the link(s) within the area authentication as well.

Let's say R1 has 3 interfaces, all in area 2. If we configure area 2 authentication, this implies that all 3 interfaces should have an authentication type set up. Now say R4 has a link to R1. We decide not to configure authentication at R4, so at the R1 interface that links to R4, we configure (R1-4_if#) ip ospf auth null.

What about multi-access media? There is a DR, BDR and DROther. I think authentication is per subnet; you have little control over who may be the DR/BDR/DROther, so it should be enabled on the whole subnet, whether it is per-interface or per-area authentication.

Any comments?

Regards
Parry
//////////////////////////////////////////////////
-----Original Message-----
From: Brian Lodwick [mailto:xpranax@hotmail.com]
Sent: Saturday, March 23, 2002 1:54 AM
To: don_study@hotmail.com
Cc: ccielab@groupstudy.com; Charles.Conte@NASD.com; contec@nasdaq.com
Subject: Definitive Source: OSPF authentication per-link

Clipped from CCO. Notice this is a new command as of 12.0 code as Nicolai
originally said, and notice it does say it is applied to the interface, and
also says that it is backward compatible and that "authentication type for
an area is still supported". So the books and articles you were referencing,
Don, were probably out of date.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_r/1rprt1/1rospf.htm

ip ospf authentication
To specify the authentication type for an interface, use the ip ospf
authentication interface configuration command. To remove the authentication
type for an interface, use the no form of this command.

ip ospf authentication [message-digest | null]

no ip ospf authentication

Syntax Description

message-digest
(Optional) Specifies that message-digest authentication will be used.

null
(Optional) No authentication is used. Useful for overriding password or
message-digest authentication if configured for an area.

Defaults

The area default is no authentication (null authentication).

Command Modes

Interface configuration

Command History

Release   Modification
12.0      This command was introduced.

Usage Guidelines

Before using the ip ospf authentication command, configure a password for
the interface using the ip ospf authentication-key command. If you use the
ip ospf authentication message-digest command, configure the message-digest
key for the interface with the ip ospf message-digest-key command.

For backward compatibility, authentication type for an area is still
supported. If the authentication type is not specified for an interface, the
authentication type for the area will be used (the area default is null
authentication).

Examples

The following example enables message digest authentication:

ip ospf authentication message-digest

Related Commands

Command                     Description
area authentication         Enables authentication for an OSPF area.
ip ospf authentication-key  Assigns a password to be used by neighboring routers
                            that are using the simple password authentication
                            of OSPF.
ip ospf message-digest-key  Enables OSPF MD5 authentication.
//////////////////////////////////////



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:57:19 GMT-3