RE: CCO example on OSPF

From: jsaxe@xxxxxxxxxxxxxxx
Date: Wed Aug 21 2002 - 01:04:31 GMT-3


   
Seems to me the Ethernet authentication key commands are completely
unnecessary. Authentication mismatches (either one router believing we need
to authenticate and the other not, or one having one key and the other
another key) certainly prevent neighbor formation, so two routers which
would normally form an adjacency do not. But the LSAs that are passed
around describing each router's network links don't have an authentication
magically attached to them based on their source; they are just information
that gets passed around. If there are no other routers on the Ethernet of
Router A (or C), there's no reason to put the auth. key on those interfaces.
All that should be required to get those networks into the OSPF database
(and therefore into the routing tables of far-away routers) is to include
the Ethernet interfaces in "network x.x.x.x y.y.y.y area z" commands in the
OSPF router process.

We use message-digest authentication in our network at work, and I'm
positive I've had stub networks (with no other routers on them) included in
the OSPF area but not put any kind of authentication key on those LAN
interfaces. Works fine. As long as there's nobody else to talk with, there
won't be any authentication mismatches, will there? :-)

Perhaps the CCO example just put those commands in for completeness, or so
things would continue to work if you added more routers to the chain off of
A or C. This is all my opinion, and I could be wrong, but I'm fairly sure
here.

-- Jeff Saxe, Network Engineer
Crutchfield Corporation
CCIE #9376

-----Original Message-----
From: Edward Monk [mailto:emonk@att.net]
Sent: Tuesday, August 20, 2002 10:46 PM
To: 'Hunt Lee'
Cc: ccielab@groupstudy.com
Subject: RE: CCO example on OSPF

These are two different issues although they have the area 0
authentication in common.

One issue is if you want Area 0 to propagate the routes correctly then
Ethernet interface needs authentication. Otherwise this interface will
not participate in OSPF routing.

2nd issue is making sure virtual-link has authentication so that the
area is now directly connected to area 0.

One is not dependent on the other.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Hunt Lee
Sent: Tuesday, August 20, 2002 7:36 PM
To: Edward Monk
Cc: ccielab@groupstudy.com
Subject: RE: CCO example on OSPF

Hello Edward,

Yes... I noticed that. But I still don't understand why u would need
it?? Especially, I tested out this evening again and the Virtual
Link is still authenticating without that command on RTA.

Help help!!!

Best Regards,
Hunt Lee

--- Edward Monk <emonk@att.net> wrote:
> Hunt,
>
> If you notice the ethernet interface is part of Area 0 on router A.
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Hunt Lee
> Sent: Tuesday, August 20, 2002 7:30 AM
> To: ccielab@groupstudy.com
> Subject: CCO example on OSPF
>
> Good morning,
>
> Before leaving my place this morning I had some spare time to play
> around w/some OSPF Virtual Link Authentication and found something
> interesting. This has probably been posted before, I might be the
> last to know about it, or I'm just flat out wrong and wasn't awake
> enough while I was playing.
>
> Anyway, I want to configure 'area 0 authentication' & 'area 1
> virtual-link x.x.x.x authentication-key cisco' on both router A &
> router C and decided to verify if the configs for OSPF Virtual-Link
> Authentication configuration on CCO was true.
>
> http://www.cisco.com/warp/public/104/27.html
>
>
> When I set up my configs as you see below I verified that both of
> those commands are correct, with one problem though. What I have
> found is that CCO has an extra command on Router A's Ethernet
> interface 'ip ospf authentication-key cisco', yet I couldn't
> understand what it is for. With or without this command, my Virtual
> Link (between Router A & Router C) still works.
>
> And the same thing happens on the MD5 config, where CCO puts a 'ip
> ospf message-digest-key 1 md5 cisco' on Router A's Ethernet
> interface.
>
> So tell me, is CCO wrong? Did I mis-configure something?
>
> Here is the partial diagram:
>
>  -----               -------               ------
> |     |             |       |             |      |
> |  A  | ----------- |   B   | ----------- |  C   |
> |     | 10.1.1.0/30 |       | 10.1.2.0/30 |      |
>  -----               -------               ------
>    |                                         |
> --------                                  -------
> 100.0.0.1/24                            120.0.0.0/24
>
>
>
> Router A
> ---------
>
> router ospf 1
>  router-id 1.1.1.1
>  log-adjacency-changes
>  area 0 authentication
>  area 1 virtual-link 3.3.3.3 authentication-key test
>  network 10.1.1.0 0.0.0.3 area 1
>  network 100.0.0.0 0.255.255.255 area 0
>
> interface Ethernet0
>  ip address 100.0.0.1 255.255.255.0
>  ip ospf authentication-key cisco
>
>
> Router C
> ---------
>
> router ospf 3
>  router-id 3.3.3.3
>  log-adjacency-changes
>  area 0 authentication
>  area 1 virtual-link 1.1.1.1 authentication-key test
>  network 10.1.2.0 0.0.0.3 area 1
>  network 120.0.0.0 0.255.255.255 area 2
>
>



This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:48:31 GMT-3
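
The point made in the top message of this thread, that OSPF authentication is checked per packet on a link while LSAs carry no authentication of their own, can be seen in the RFC 2328 header layouts. The following is an added example, not part of the original thread; the helper names (`build_packet`, `accept`, `demo`) and the sample bytes are constructed here, and only Null and simple-password authentication are modelled.

```python
import ipaddress
import struct

# OSPFv2 packet header (RFC 2328 A.3.1): 24 bytes, ends with AuType + 8 auth bytes.
OSPF_HDR = struct.Struct("!BBH4s4sHH8s")
# LSA header (RFC 2328 A.4.1): 20 bytes, no authentication field anywhere.
LSA_HDR = struct.Struct("!HBB4s4sIHH")
AU_NULL, AU_SIMPLE = 0, 1

def ip(s):
    return ipaddress.IPv4Address(s).packed

def build_packet(ptype, router_id, area_id, autype, key=b"", body=b""):
    """Build an OSPF packet; checksum is left 0 since only auth is modelled."""
    auth = key.ljust(8, b"\0")[:8]
    length = OSPF_HDR.size + len(body)
    return OSPF_HDR.pack(2, ptype, length, router_id, area_id, 0, autype, auth) + body

def accept(packet, if_autype, if_key=b""):
    """Per-interface receive check: AuType must match, then the key must match.
    Only Null and simple-password are modelled; MD5 (AuType 2) is rejected."""
    *_, autype, auth = OSPF_HDR.unpack_from(packet)
    if autype != if_autype:
        return False  # type mismatch: packet dropped, adjacency never forms
    if autype == AU_SIMPLE:
        return auth == if_key.ljust(8, b"\0")[:8]
    return autype == AU_NULL

# Constructed sample: Router A's router-LSA header carried in an LS Update (type 4).
LSA_A = LSA_HDR.pack(1, 0x02, 1, ip("1.1.1.1"), ip("1.1.1.1"), 0x80000001, 0, 20)
UPDATE_BODY = struct.pack("!I", 1) + LSA_A

def demo():
    rid, backbone = ip("1.1.1.1"), ip("0.0.0.0")
    keyed = build_packet(4, rid, backbone, AU_SIMPLE, b"test", UPDATE_BODY)
    plain = build_packet(4, rid, backbone, AU_NULL, b"", UPDATE_BODY)
    return {
        "match": accept(keyed, AU_SIMPLE, b"test"),
        "wrong_key": accept(keyed, AU_SIMPLE, b"cisco"),
        "type_mismatch": accept(plain, AU_SIMPLE, b"test"),
        # The LSA bytes are identical whichever way the packet was authenticated.
        "same_lsa": keyed[OSPF_HDR.size:] == plain[OSPF_HDR.size:],
    }

if __name__ == "__main__":
    print(demo())
```

The key and AuType live only in the 24-byte packet header that a neighbor checks on receipt; the flooded LSA is the same 20-byte header and body either way.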