From: Brian McGahan (brian@cyscoexpert.com)
Date: Fri Dec 27 2002 - 15:15:45 GMT-3
Vijay,
Yes, this is a valid configuration because, as I said, interface
authentication overrides area authentication. If you say 'area 1
virtual-link authentication...', this interface authentication will
automatically override the area authentication. Therefore, you would
not need to say 'area 0 authentication' on the remote side where the
virtual-link terminates.
HTH
Brian McGahan, CCIE #8593
Director of Design and Implementation
brian@cyscoexpert.com
CyscoExpert Corporation
Internetwork Consulting & Training
Voice: 847.674.3392
Fax: 847.674.2625
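The two-router case the whole thread argues about, written out as an added example that is not from any of the posters: R1 has a physical interface in area 0 and authenticates area 0 with MD5; R2 has no area 0 interface and reaches the backbone only through a virtual link over transit area 1. Router IDs, addresses, interface names and keys are assumed for illustration. The point it shows is that the virtual link counts as an area 0 interface, and that the per-link 'authentication message-digest' is what the two ends actually match against, whether or not 'area 0 authentication' is also present.

```text
! ---- R1: ABR between area 0 and transit area 1 (assumed router-id 1.1.1.1)
router ospf 1
 router-id 1.1.1.1
 ! Area-level authentication: every area 0 interface on R1 must now
 ! authenticate, and the virtual link below is an area 0 interface.
 area 0 authentication message-digest
 ! Interface-level authentication on the virtual link itself. This is the
 ! setting the far end has to match; it overrides the area 0 setting.
 area 1 virtual-link 2.2.2.2 authentication message-digest
 area 1 virtual-link 2.2.2.2 message-digest-key 1 md5 CHANGEME-VL
 network 10.0.0.0 0.0.0.255 area 0
 network 10.0.1.0 0.0.0.255 area 1
!
interface Ethernet0/0
 ! Physical area 0 link. 'area 0 authentication' only switches
 ! authentication on; the key still has to be configured per interface,
 ! otherwise the router authenticates with an empty (null) key.
 ip address 10.0.0.1 255.255.255.0
 ip ospf message-digest-key 1 md5 CHANGEME-A0
!
! ---- R2: far end of the virtual link, no physical area 0 interface
! ---- (assumed router-id 2.2.2.2, ABR for area 2)
router ospf 1
 router-id 2.2.2.2
 ! What the tech notes ask for on the far end. With the explicit per-link
 ! authentication two lines down it is redundant but harmless, because
 ! interface authentication takes precedence over area authentication.
 area 0 authentication message-digest
 area 1 virtual-link 1.1.1.1 authentication message-digest
 area 1 virtual-link 1.1.1.1 message-digest-key 1 md5 CHANGEME-VL
 network 10.0.1.0 0.0.0.255 area 1
 network 10.0.2.0 0.0.0.255 area 2
!
! ---- Checks, on either router
! show ip ospf virtual-links   -> expect "Message digest authentication enabled"
!                                 and "Youngest key id is 1" for the link
! show ip ospf interface       -> per-interface authentication type and key id
! debug ip ospf adj            -> reports authentication type / key mismatches
!                                 when the two ends disagree
```

Two things worth checking against the keys, not just the types: a key configured on only one end fails the same way as a type mismatch, and leaving 'area 0 authentication' in place on R2 while removing the per-link 'authentication message-digest' line switches the virtual link back to the area default, so the far end must then match that instead.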
> -----Original Message-----
> From: Vijay S Jayaraman [mailto:vjayaram@in.ibm.com]
> Sent: Friday, December 27, 2002 12:51 AM
> To: OhioHondo
> Cc: Brian McGahan; ccielab@groupstudy.com; 'Lysyuk Andrew';
> nobody@groupstudy.com
> Subject: RE: Help me pls with OSPF authentication.
> Importance: High
>
>
> Hi,
> What I meant was... area 0 is using authentication, and I configure this
> on the router that's directly connected to area 0.
> I also configure the virtual links with authentication, using "area 1
> virtual-link XXXX authentication ..." on both the routers terminating
> the virtual link.
>
> But on the router at the other end of the virtual link, I do not configure
> the statement "area 0 authentication",
>
> and this still seems to work.
>
> I am using 12.5T12 IP Plus on a 2600. Possibly this is a version-dependent
> behaviour.
>
>
> Regards,
> Vijay.
>
>
>
>
>
>
> From: "OhioHondo" <ohiohondo@columbus.rr.com>
> Sent by: nobody@groupstudy.com
> To: Vijay S Jayaraman/India/IBM@IBMIN, "Brian McGahan" <brian@cyscoexpert.com>
> cc: <ccielab@groupstudy.com>, "'Lysyuk Andrew'" <lysyuk@ics.ua>, <nobody@groupstudy.com>
> Subject: RE: Help me pls with OSPF authentication.
> Date: 12/27/2002 11:48 AM
> Please respond to "OhioHondo"
>
> Vijay
>
> I believe these are the points -
>
> A virtual link to a router may or may not use authentication if area 0 in
> that router does not use authentication. It's your choice.
>
> If area 0 in a router uses authentication, all virtual links to that router
> MUST use authentication. There is no choice.
>
> -----Original Message-----
> From: Vijay S Jayaraman [mailto:vjayaram@in.ibm.com]
> Sent: Friday, December 27, 2002 12:31 AM
> To: Brian McGahan
> Cc: ccielab@groupstudy.com; 'Jerry Haverkos'; 'Lysyuk Andrew';
> nobody@groupstudy.com
> Subject: RE: Help me pls with OSPF authentication.
> Importance: High
>
>
>
> I don't know if you really need to say "area 0 authentication" on a router
> on the other end of the virtual link, although all the tech notes say you
> need to, 'cos I have tried it without this statement and this seems to
> work.
>
> Though I don't take chances in a real lab, and put this statement in.
>
>
> Regards,
> Vijay.
>
>
>
>
>
> From: "Brian McGahan" <brian@cyscoexpert.com>
> Sent by: nobody@groupstudy.com
> To: "'Jerry Haverkos'" <jhaverkos@columbus.rr.com>, "'Lysyuk Andrew'" <lysyuk@ics.ua>
> cc: <ccielab@groupstudy.com>
> Subject: RE: Help me pls with OSPF authentication.
> Date: 12/27/2002 04:36 AM
> Please respond to "Brian McGahan"
>
> Jerry,
>
> There are two types of authentication in OSPF, area and
> interface. If area authentication is enabled, all interfaces which have
> adjacencies on them must authenticate. A virtual-link *is* an area 0
> interface, therefore if you have a virtual-link, and are authenticating
> area 0, you must authenticate the virtual-link.
>
> Interface authentication is independent of area authentication,
> and interface authentication overrides area authentication. This means
> that you could be using clear-text authentication throughout an area,
> and implement md5 authentication on a particular link within that area.
> In the case that you have presented, interface authentication is enabled
> on the virtual-link. This is a perfectly valid configuration.
>
> If in your example you had said 'area 0 authentication', the
> remote router where the virtual-link terminates would also have to say
> 'area 0 authentication'. It is not completely necessary that you
> configure a key on the interface (or virtual-link in this case). OSPF
> authentication uses a "null" key by default. Practically, security
> through obscurity is not a very safe practice, therefore you should
> configure a key on each interface which is authenticating.
>
>
> HTH
>
> Brian McGahan, CCIE #8593
> Director of Design and Implementation
> brian@cyscoexpert.com
>
> CyscoExpert Corporation
> Internetwork Consulting & Training
> Voice: 847.674.3392
> Fax: 847.674.2625
>
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Jerry Haverkos
> > Sent: Thursday, December 26, 2002 2:42 PM
> > To: 'Lysyuk Andrew'
> > Cc: ccielab@groupstudy.com
> > Subject: RE: Help me pls with OSPF authentication.
> >
> > Lysuk
> >
> > I am on IOS 12.1.13 and my configs show no correlation between
> > authentication of area 0 and authentication on the virtual link. The
> > following are excerpts from my configs on the router that houses area 0
> > and participates as part of the virtual link in my network. They show that
> > there is no correlation in my network.
> >
> > 3640-1_R1#sho ip ospf virtual-links
> > Virtual Link OSPF_VL0 to router 0.0.0.4 is up
> > Run as demand circuit
> > DoNotAge LSA allowed.
> > Transit area 4, via interface Serial1/0.4, Cost of using 781
> > Transmit Delay is 1 sec, State POINT_TO_POINT,
> > Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
> > Hello due in 00:00:05
> > Adjacency State FULL (Hello suppressed)
> > Index 1/4, retransmission queue length 0, number of retransmission 1
> > First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
> > Last retransmission scan length is 1, maximum is 1
> > Last retransmission scan time is 0 msec, maximum is 0 msec
> > Message digest authentication enabled
> > Youngest key id is 1
> >
> >
> > Note -- on the router there is only one interface in area 0 and it does
> > not specify authentication
> >
> > 3640-1_R1#
> > router ospf 100
> > router-id 0.0.0.1
> > log-adjacency-changes
> > no discard-route internal
> > area 0 range 149.1.254.0 255.255.255.0
> > area 0 range 149.1.0.0 255.255.0.0
> > area 1 range 149.1.1.0 255.255.255.0
> > area 2 authentication message-digest
> > area 2 stub no-summary
> > area 2 range 149.1.2.0 255.255.255.0
> > area 4 range 149.1.4.0 255.255.255.0
> > area 4 virtual-link 0.0.0.4 authentication message-digest
> > area 4 virtual-link 0.0.0.4 message-digest-key 1 md5 cubbies
> > area 5 authentication message-digest
> > area 5 nssa no-summary
> > area 5 range 149.1.5.0 255.255.255.0
> > summary-address 17.0.0.0 255.0.0.0 not-advertise
> > network 149.1.1.0 0.0.0.255 area 1
> > network 149.1.2.0 0.0.0.255 area 2
> > network 149.1.4.0 0.0.0.255 area 4
> > network 149.1.5.0 0.0.0.255 area 5
> > network 149.1.254.254 0.0.0.0 area 0
> > neighbor 149.1.2.254
> > neighbor 149.1.4.254
> > neighbor 149.1.5.254
> >
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Justin Menga
> > Sent: Thursday, December 26, 2002 1:11 AM
> > To: Jude Servi; 'Robert Slaski'; 'Manish Gupta'
> > Cc: 'Lysyuk Andrew'; ccielab@groupstudy.com
> > Subject: RE: Help me pls with OSPF authentication.
> >
> >
> > Also, if you enable authentication for a virtual link, you must also
> > ensure area 0 has authentication enabled:
> >
> > router ospf 1
> > area 0 authentication
> > area 1 virtual-link .....
> >
> > Regards,
> > Justin
> >
> > -----Original Message-----
> > From: Jude Servi [mailto:jservi@cisco.com]
> > Sent: Wednesday, December 25, 2002 12:36 PM
> > To: 'Robert Slaski'; 'Manish Gupta'
> > Cc: 'Lysyuk Andrew'; ccielab@groupstudy.com
> > Subject: RE: Help me pls with OSPF authentication.
> >
> >
> > Don't forget to add authentication to a virtual link if needed. Example
> > for md5 auth:
> >
> > router ospf 1
> >  area # virtual-link <neighbor router-id> authentication message-digest
> >  area # virtual-link <neighbor router-id> message-digest-key # md5 <key>
> >
> > Jude
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Robert Slaski
> > Sent: Saturday, December 21, 2002 11:16 AM
> > To: Manish Gupta
> > Cc: Lysyuk Andrew; ccielab@groupstudy.com
> > Subject: Re: Help me pls with OSPF authentication.
> >
> >
> > Manish Gupta wrote:
> > > I always prefer
> > >
> > > Under router ospf x
> > > area x authentication (plain or MD5)
> > >
> > > Under interface:
> > > ip opsf authetication <password> if plain
> >
> > You meant 'ip ospf authentication-key' I think, but this does not answer
> > Andrew's question.
> >
> > There are two authentication types available in OSPF: per area and per
> > interface; if both are configured then per interface authentication
> > takes precedence. Both have plain-text and MD5 checksum variants.
> >
> > Per area:
> > 1. enable area authentication
> > (config-router)# area <area> authentication [message-digest]
> > 2. setup keys (this should be done on each area interface)
> > (config-if)# ip ospf authentication-key <text>                 # for plain text
> > or
> > (config-if)# ip ospf message-digest-key <key_id> md5 0 <text>  # for MD5
> >
> > Per interface:
> > 1. enable interface authentication
> > (config-if)# ip ospf authentication [message-digest | null]
> > 2. setup keys (same as above)
> >
> > mikrobi,
This archive was generated by hypermail 2.1.4 : Fri Jan 17 2003 - 17:21:53 GMT-3