Re: OSPF authentication

From: Daniel Sheedy (dansheedy@gmx.net)
Date: Mon Aug 02 2004 - 05:32:12 GMT-3

• Next message: duke eril: "Huntstop <dial-peer>"
• Previous message: Georg Pauwen: "RE: OSPF authentication"
• Maybe in reply to: Narcis Micsoniu: "OSPF authentication"
• Next in thread: Edwards, Andrew M: "RE: OSPF authentication"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi Narcis,

It says you want area 0 to be authenticated. So, the first thing you need
to do is go into:

router ospf 1
area 0 authentication

Im just using plain-text authentication here, as it doesnt specifically
mention anything about encrypting, or MD5..

So, then we go to the interfaces.

On the interface, I type in:

ip ospf authentication-key CISCO

I do that on all my routers, and hey presto, I have authentication working.
Ah, but the requirement was that I must be able to change the key, without
interuption. So, somehow I need to put two keys on the interface. One
using CCIE, the other using CISCO.
If I try that with plain-text, it is not going to really work well...

So, remove all that configuration, and change it to MD5 authentication.

router ospf 1
area 0 authentication message-digest

and under the interface:

ip ospf message-digest-key 1 md5 CISCO

Notice the key number? So, now I am able to have more than one key!

ip ospf message-digest-key 2 md5 CCIE

If I go to the other router, and give it also a second key, I should be able
to delete the first key with no real problems. It will pick up the second
key on both routers, and carry on. Cool huh?

Just dont forget about changing the keys on any virtual-links as well.

hth

Dan Sheedy

----- Original Message -----
From: "Narcis Micsoniu" <micsoniu@telus.net>
To: <ccielab@groupstudy.com>
Sent: Monday, August 02, 2004 8:48 AM
Subject: OSPF authentication

> A really wise advice is more than needed :
>
> Configure area 0 on the Frame Relay cloud between R1, R2 and R3
> In order to prevent false routing information area 0 will be authenticated
> using the password CISCO.
> In the future the password will be changed from CISCO to CCIE.
> This migration should be performed without disrupting the communication
> between adjacent routers.
> Start this migration on R3 only
>
> Q: - Is a mechanism similar to ISIS ( area & link keys) available for OSPF
?
> If not, what workaround can be used ?
>
> Thank you
>
> [GroupStudy removed an attachment of type application/ms-tnef which had a
name of winmail.dat]
>
> _______________________________________________________________________
> Please help support GroupStudy by purchasing your study materials from:
> http://shop.groupstudy.com
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

• Next message: duke eril: "Huntstop <dial-peer>"
• Previous message: Georg Pauwen: "RE: OSPF authentication"
• Maybe in reply to: Narcis Micsoniu: "OSPF authentication"
• Next in thread: Edwards, Andrew M: "RE: OSPF authentication"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Fri Sep 03 2004 - 07:02:31 GMT-3