From: Joe Higgins (netsat@xxxxxxxxxxxxx)
Date: Sat Aug 17 2002 - 10:58:32 GMT-3
As I understand it starting in ios 12.0 Cisco implemented the latest ospf
rfc which includes additions to ospf authentication. In the earlier
ospf rfc the only way to configure ospf authentication was globally. For
example, if you configured area 0 for message digest authentication then
all interfaces in area 0 had to be configured for message digest
authentication including virtual interfaces. The latest rfc additionally
allows one to configure authentication on an interface basis either
independently or in conjunction with global authentication. In the event
that both are configured then the interface authentication overrides the
global configuration on that interface. As an example if area 0 was
configured for plain authentication on a global basis and you wanted to
configure one of its connected links for message-digest authentication,
you can do so with the latest ospf rfc. This scenario also applies to
virtual links. There are many other combinations that can be
implemented. Two of the commands that have made this possible are the
interface command "ip ospf auth message-digest" and the router ospf
command "area X virt X.X.X.X authentication message-digest." These
are the extra commands necessary to implement the latest rfc in addition
to normal key/password authentication on the interface. There are also
new similar interface commands for implementing plain authentication.
Any criticism of this interpretation is welcome.
Hunt Lee wrote:
> Having a bad day, could someone please help me figure this out?
>
> RTA ----- RTB ----- RTC
>
> RTA's interface to RTB:- 10.1.1.1
> RTB's interface back to RTA:- 10.1.1.2
> RTB's interface to RTC:- 10.1.1.5
> RTC's interface back to RTB:- 10.1.1.6
>
> Each router also has its own Loopback interface, where RTA has
> 1.1.1.1/32, RTB has 2.2.2.2/32 & RTC has 3.3.3.3/32
>
> All 3 routers are running OSPF only:-
>
> Area 0 - between RTA & RTB (MD5 Authentication)
> Area 1 - between RTB & RTC
> Area 2 - just RTC's loopback interface (3.3.3.3/32)
>
> Here is the config. of RTA for Area 0 Authentication
>
> At RTA:-
>
> router ospf 1
> log-adjacency-changes
> area 0 authentication message-digest
> network 1.1.1.1 0.0.0.0 area 0
> network 10.1.1.0 0.0.0.3 area 0
>
> interface Serial0
> ip address 10.1.1.1 255.255.255.252
> ip ospf message-digest-key 2 md5 ciscoab
>
> Since Area 2 does not have a direct connection to Area 0, I have
> created a virtual link between RTB & RTC.
>
> I realised that by default, when authentication is enabled in Area 0,
> then this authentication type will be automatically applied to all
> interfaces in Area 0, including the virtual link that I have created
> between RTB & RTC.
>
> And hence, I will need the virtual link to be running MD5 too (coz
> RTB is already using MD5 for the Area 0 authentication). 2 commands
> are needed. Apart from the first command "area 1 virtual-link
> 3.3.3.3 message-digest-key 2 md5 cisco" to specify the MD5 key &
> password for the Virtual-Link, the second command is where I am
> confused about. I have searched the CCO and books for this, they
> only mentioned to use "area 0 authentication message-digest" command
> on both RTB & RTC. But I found that it also works if you used
> "area 1 virtual-link 3.3.3.3 authentication message-digest" command
> on both RTB & RTC. Is this ok to use? Is there any gotcha on this??
>
> At RTB:-
>
> router ospf 2
> log-adjacency-changes
> area 0 authentication message-digest
> area 1 virtual-link 3.3.3.3 authentication message-digest
> area 1 virtual-link 3.3.3.3 message-digest-key 5 md5 haha
> network 2.2.2.2 0.0.0.0 area 0
> network 10.1.1.0 0.0.0.3 area 0
> network 10.1.1.4 0.0.0.3 area 1
>
> At RTC:-
>
> router ospf 3
> log-adjacency-changes
> area 1 virtual-link 2.2.2.2 authentication message-digest
> area 1 virtual-link 2.2.2.2 message-digest-key 5 md5 haha
> network 3.3.3.3 0.0.0.0 area 2
> network 10.1.1.4 0.0.0.3 area 1
>
> I also found it similar for the "Simple Password" Authentication.
> While CCO and many Cisco books suggest to use the following 2
> commands on both RTB & RTC:-
>
> Area 0 authentication
> area 1 virtual-link 3.3.3.3 authentication-key bus
>
> I found that I could also get the virtual-link to work by just one
> command (on both RTB & RTC as well):-
>
> area 1 virtual-link 3.3.3.3 authentication authentication-key bus
>
> Any ideas will be greatly appreciated.
>
> Thanks!!!
>
> Hunt
>
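As an added example (not code from either poster), the script below shows what the interface key in "ip ospf message-digest-key 2 md5 ciscoab" actually does on the wire: it builds an OSPF Hello carrying the RFC 2328 Appendix D cryptographic-authentication trailer and checks it receiver-side, the way a neighbour with a matching or mismatching key would. The Hello contents, the neighbour key tables and the sequence numbers are constructed for illustration; key ID 2 / ciscoab are taken from RTA's config.

```python
import hashlib
import hmac
import struct

OSPF_AUTH_CRYPTO = 2   # AuType 2 = cryptographic authentication (RFC 2328 D.3)
MD5_KEY_LEN = 16       # keys shorter than 16 bytes are zero-padded, as IOS does


def ip4(dotted):
    """Dotted-quad string -> 4 network-order bytes."""
    return bytes(int(o) for o in dotted.split("."))


def build_hello(router_id, area_id, key_id, seq):
    """Constructed OSPFv2 Hello (24-byte header + 20-byte body) with AuType 2."""
    # Hello body: mask /30, hello 10s, options E-bit, priority 1, dead 40s, DR, BDR
    body = struct.pack("!4sHBBI4s4s", ip4("255.255.255.252"), 10, 0x02, 1, 40,
                       ip4("0.0.0.0"), ip4("0.0.0.0"))
    # Authentication field for AuType 2: reserved, Key ID, Auth Data Len, crypto sequence
    auth = struct.pack("!HBBI", 0, key_id, MD5_KEY_LEN, seq)
    # Header: version 2, type 1 (Hello), length, router ID, area ID, checksum (0 for AuType 2), AuType
    hdr = struct.pack("!BBH4s4sHH8s", 2, 1, 24 + len(body), ip4(router_id),
                      ip4(area_id), 0, OSPF_AUTH_CRYPTO, auth)
    return hdr + body


def md5_trailer(packet, key):
    """RFC 2328 D.4.3: MD5 over packet + key (key zero-padded to 16 bytes)."""
    padded = key.encode()[:MD5_KEY_LEN].ljust(MD5_KEY_LEN, b"\x00")
    return hashlib.md5(packet + padded).digest()


def sign(packet, key):
    """Sender side: append the 16-byte digest after the OSPF packet."""
    return packet + md5_trailer(packet, key)


def verify(frame, keys, last_seq):
    """Receiver side. keys = {key_id: key} configured on the receiving interface,
    last_seq = last sequence number accepted from this neighbour. Returns (ok, reason)."""
    length, = struct.unpack_from("!H", frame, 2)
    autype, = struct.unpack_from("!H", frame, 14)
    if autype != OSPF_AUTH_CRYPTO:
        return False, "autype mismatch"
    key_id, auth_len, seq = struct.unpack_from("!BBI", frame, 18)
    if auth_len != MD5_KEY_LEN or len(frame) != length + MD5_KEY_LEN:
        return False, "bad trailer length"
    if key_id not in keys:
        return False, "unknown key id %d" % key_id   # neighbour has no key with this ID
    packet, trailer = frame[:length], frame[length:]
    if not hmac.compare_digest(md5_trailer(packet, keys[key_id]), trailer):
        return False, "digest mismatch"              # same key ID, different key string
    if seq < last_seq:
        return False, "replayed sequence"            # sequence must not go backwards
    return True, "ok"
```

The three failure branches correspond to the three mismatches a mis-typed interface or virtual-link command produces: a key ID the neighbour does not have, the right ID with a different string, and a stale sequence number.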
This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:48:27 GMT-3