Re: area authentication

From: Ali.Huang (zero5291@gmail.com)
Date: Mon Aug 29 2005 - 21:24:34 GMT-3


Hi, Leo
It depends on your R3's subinterface type.
Make sure the subnets use the same key number and key-string if you use
MD5 or simple plain text.
If R3's subinterface, R1 and R2 are in the same subnets, R3 and R1 would
become adjacencies, and R1 not.
Thanks.

 On 8/30/05, Leo Leung <leoleung_yh@yahoo.com> wrote:
>
> Hi,
> Just to clarify: if there's already an area 0 authentication established
> between R1, R2 and R3 with R3 being the hub, something like this:
> R1(config-router)#area 0 authentication message-digest
> R1(config-if)#ip ospf message-digest-key 1 md5 cisco
> R2(config-router)#area 0 authentication message-digest
> R2(config-if)#ip ospf message-digest-key 1 md5 cisco
> R3(config-router)#area 0 authentication message-digest
> R3(config-subif)#ip ospf message-digest-key 1 md5 cisco
> Now only authentication between R1 and R3 is required with a new password
> cisco1, so it changed to the following:
> R1(config-router)#area 0 authentication message-digest
> R1(config-if)#ip ospf message-digest-key 1 md5 cisco1
> R2(config-router)#area 0 authentication message-digest
> R2(config-if)#ip ospf authentication null
> R3(config-router)#area 0 authentication message-digest
> R3(config-subif)#ip ospf message-digest-key 1 md5 cisco1
> Does that mean ospf sessions are down between R2 and R1, R2 and R3,
> assuming R1 and R2 as spokes were able to reach each other before. Or
> interface authentication only overrides its ospf area authentication
> session between R1 and R3, so R1, R2 and R3 still get along in area 0
> Leo
>
>
>
> *"Ali.Huang" <zero5291@gmail.com>* wrote:
>
> Thanks, I got it.
> R3(config-subif)#ip ospf message-digest-key 1 md5 cisco
>
> Wow! The following summary is very classical.
> From Brian Dennis,
> There isn't support for "area" and "interface" authentication in
> OSPF. All OSPF authentication is done on a per segment basis. The
> RFC says that all routers on a "network" (i.e. segment/subnet) must
> have the same authentication type configured and not all routers
> within an "area". The confusion comes in the way Cisco has
> implemented the commands to set the authentication type.
>
> The "area authentication" and "area
> authentication message-digest" commands are just simple methods to set
> the authentication type for all interfaces within an area on
> router. The interface level commands (ip ospf authentication, ip ospf
> authentication message-digest, and ip ospf authentication null) are
> methods to enable authentication on a single interface and/or override
> the authentication type set under the routing process.
>
> If you have ten interfaces in area 0 and you want to perform
> authentication on all ten of them, it's easier to just enable
> authentication using the "area 0 authentication "
> command than it is to type the "ip ospf authentication "
> command under each of the ten interfaces. But if you have ten
> interfaces in area 0 and you want to authenticate just a single
> interface, it's easier to use the interface level command on the one
> interface than it is to use the routing process level command. If the
> routing process level command is used, you will need to override it on
> the other nine interfaces by setting them back to the default of null
> authentication by using the "ip ospf authentication null" command.
>
> Lastly the authentication type configured under the interface
> will always override the authentication type configured under the
> routing process.
>
> On 8/29/05, ccie2be wrote:
> > There was a detailed discussion on this topic fairly recently around May
> > 2005.
> >
> > Do a search in the archives for this subject:
> >
> > Simple Authentication on Area 0 and MD5 on Virtual link
> >
> > HTH,Tim
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Ali.Huang
> > Sent: Monday, August 29, 2005 7:52 AM
> > To: Cisco certification
> > Subject: Re: area authentication
> >
> > Hi, group,
> > Thank you.
> > I know I can do this under interface level, even without
> > using the "area authentication" or "area
> > authentication message-digest" commands. It seems like bones, no
> > contents, useless. But you have to use it in the CCIE exam.
> > I want to know whether it's right or not?
> >
> > On 8/29/05, kumara.shunmugam@wipro.com wrote:
> > >
> > > What key/password you have configured in the ospf interface using ip ospf
> > > authentication-key/ip ospf message-digest-key 1 md5 command. What is your
> > > "show ip ospf inter" output shows about the authentication in the last lines?
> > >
> > > Shun
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > Ali.Huang
> > > Sent: Monday, August 29, 2005 3:02 AM
> > > To: Cisco certification
> > > Subject: area authentication
> > >
> > > Hi, group,
> > > I am confused about area authentication of OSPF.
> > > I configure the "area authentication" or "area
> > > authentication message-digest" commands on routers, but I didn't know
> > > where to find the key? When I issue debug ip ospf adja, I found the
> > > following,
> > > 08:23:59: OSPF: Send with youngest Key 0,
> > > It doesn't affect adjacencies between routers. It seems not to work, why?
> > >
> > > --
> > > THX.
> > > Ali.huang
> > >
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> > >
> >
> >
> > --
> > THX.
> > Ali.huang
>
>
> --
> THX.
> Ali.huang

--
THX.
Ali.huang
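
The rule summarised in the quoted explanation above (the interface-level authentication type overrides the area-level one, and routers must match per segment), applied to the changed R1/R2/R3 configuration, as an added example that is not part of the original thread. The class and function names are hypothetical, all three routers are assumed to share one subnet, and message-digest authentication with no key configured is modelled as key ID 0 with an empty secret, in line with the "Send with youngest Key 0" debug line quoted in the thread.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Optional, Tuple


@dataclass
class OspfInterface:              # hypothetical model, not a Cisco or library API
    router: str
    segment: str                  # subnet the interface sits on
    area_auth: Optional[str] = None   # area N authentication [message-digest] -> "simple" / "md5"
    if_auth: Optional[str] = None     # ip ospf authentication [...] -> "simple" / "md5" / "null"
    md5_key: Optional[Tuple[int, str]] = None   # ip ospf message-digest-key <id> md5 <string>
    simple_key: str = ""          # ip ospf authentication-key <string>


def effective_auth(intf):
    """Interface-level type overrides the area-level type; the default is null."""
    auth = intf.if_auth or intf.area_auth or "null"
    if auth == "md5":
        # Assumption: no key configured is modelled as key ID 0 with an empty secret.
        return ("md5",) + (intf.md5_key or (0, ""))
    if auth == "simple":
        return ("simple", intf.simple_key)
    return ("null",)


def audit(interfaces):
    """Return {(routerA, routerB): auth_matches} for every pair sharing a segment."""
    result = {}
    for a, b in combinations(interfaces, 2):
        if a.segment == b.segment:
            result[(a.router, b.router)] = effective_auth(a) == effective_auth(b)
    return result


# Constructed sample: the changed configuration quoted in the thread,
# placed on one assumed shared subnet.
SEG = "hub-subnet"
CHANGED = [
    OspfInterface("R1", SEG, area_auth="md5", md5_key=(1, "cisco1")),
    OspfInterface("R2", SEG, area_auth="md5", if_auth="null"),
    OspfInterface("R3", SEG, area_auth="md5", md5_key=(1, "cisco1")),
]

if __name__ == "__main__":
    for pair, ok in audit(CHANGED).items():
        print(pair, "auth matches" if ok else "auth MISMATCH")
```

A matching authentication type and key is necessary for an adjacency but not sufficient; the check says nothing about network type, timers or reachability between spokes.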


This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:01:20 GMT-3