RE: OSPF interface authentication (not area authent.)

From: yakout esmat (yesmat@xxxxxxxxxxxxxx)
Date: Sun Jul 28 2002 - 05:17:40 GMT-3


   
Kym,

If the hub and spokes are sharing the same subnet, then the hub can be
physical or multipoint subinterface.

Either way, if we use interface authentication on the hub we have to
authenticate both spokes.
The solution mentioned earlier by Eric is ok only if we have the freedom to
create two subinterfaces on the hub, one for the authenticated spoke and the
other for the non-authenticated spoke.

I can't see any difference (as far as authentication is concerned) whether
we use Non-broadcast, Broadcast or Point-multipoint OSPF network type. If we
choose Non-broadcast, we have to use the neighbor command on the hub, and once
adjacency is formed I don't think there would be any authentication issues. Or
am I missing something here?

Yakout

-----Original Message-----
From: kym blair [mailto:kymblair@hotmail.com]
Sent: Sunday, July 28, 2002 5:38 PM
To: erickbe@yahoo.com; yesmat@iprimus.com.au; ccielab@groupstudy.com
Subject: Re: OSPF interface authentication (not area authent.)

Yakout,

Eric is right ... if the interfaces are sharing the same subnet, then the
hub must be multipoint, not subinterfaces, and ospf authentication is for
the whole area that the subnet is in. Of course, for the routers to form
adjacencies, the interfaces have to be the same ospf network type.

If you choose (or are directed) to go with network type non-broadcast,
you'll have problems with ospf authentication. They can be overcome, but
what a hassle. Given a choice, go with multipoint or broadcast network type
on the hub and spoke interfaces. Either will work, but broadcast elects
DR/BDR so requires neighbor statements on the hub.

Kym

>From: "Erick B." <erickbe@yahoo.com>
>Reply-To: "Erick B." <erickbe@yahoo.com>
>To: yakout esmat <yesmat@iprimus.com.au>, Groupstudy
><ccielab@groupstudy.com>
>Subject: Re: OSPF interface authentication (not area authent.)
>Date: Sat, 27 Jul 2002 23:28:07 -0700 (PDT)
>
>I don't know if anyone has replied yet...
>
>Hub has a multipoint subinterface. That's 1 interface
>and interface authentication is done on the whole
>interface. If you don't want authentication on the
>other spoke then create another subinterface and
>subnet for that spoke.
>
>No way to do per-PVC OSPF authentication that I know
>of, and as far as I recall that's not part of the RFC.
>
>--- yakout esmat <yesmat@iprimus.com.au> wrote:
> > I have come across an OSPF Interface authentication
> > issue that might or might not
> > be of significance.
> >
> > If we have hub and two spokes in frame relay network
> > sharing the same
> > subnet.
> >
> > If I do interface authentication between the hub and
> > one of the spokes only,
> > I lose adjacency with the other spoke understandably.
> >
> > Is there a way with which we can do interface ONLY
> > authentication (not area
> > authentication) between hub and only one of the
> > spokes without losing the
> > other spoke??
> >
> > I would think not, but if anybody has insight on
> > this issue, would be
> > appreciated.
> >
> > Cheers
> >
> > Yakout
>
>
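
The workaround discussed in this thread (one hub subinterface and subnet per spoke, so that interface authentication applies to only one of them), sketched as a Cisco IOS configuration. This is an added example, not configuration posted by anyone in the thread; the interface numbers, DLCIs, addresses, OSPF process ID and the <SHARED-KEY> placeholder are all assumptions.

```cisco
! Constructed example: interface names, DLCIs, addresses and key are placeholders.
! --- Hub ---
interface Serial0/0
 no ip address
 encapsulation frame-relay
!
! Spoke A: own subnet, MD5 interface authentication enabled
interface Serial0/0.101 point-to-point
 ip address 10.1.101.1 255.255.255.252
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 <SHARED-KEY>
 frame-relay interface-dlci 101
!
! Spoke B: separate subinterface and subnet, no OSPF authentication
interface Serial0/0.102 point-to-point
 ip address 10.1.102.1 255.255.255.252
 frame-relay interface-dlci 102
!
router ospf 1
 network 10.1.101.0 0.0.0.3 area 0
 network 10.1.102.0 0.0.0.3 area 0
!
! --- Spoke A ---
interface Serial0/0
 no ip address
 encapsulation frame-relay
!
! Key ID (1) and key string must match the hub's Serial0/0.101
interface Serial0/0.1 point-to-point
 ip address 10.1.101.2 255.255.255.252
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 <SHARED-KEY>
 frame-relay interface-dlci 110
!
router ospf 1
 network 10.1.101.0 0.0.0.3 area 0
```

Point-to-point subinterfaces default to the OSPF point-to-point network type, so no neighbor statements or DR election are involved. `show ip ospf interface` on each subinterface reports whether message digest authentication is enabled, and `show ip ospf neighbor` confirms both adjancencies are up.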



This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:36:47 GMT-3