RE: rip passive int with neighbor command

From: Scott Morris (smorris@internetworkexpert.com)
Date: Wed Jul 16 2008 - 15:05:20 ART


Are you doing MD5? If so, according to RFC 2082, section 3.1 the key
number absolutely is exchanged!

If using plain text, according to RFC 2453, section 4.1 there is no entry
for key-id. Simply a 16-byte password.

Scott Morris, CCIE4 #4713, JNCIE-M #153, JNCIS-ER, CISSP, et al.
CCSI/JNCI-M/JNCI-ER
Senior CCIE Instructor

smorris@internetworkexpert.com

 

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Outside US: 775-826-4344
Online Community: http://www.IEOC.com
CCIE Blog: http://blog.internetworkexpert.com

Knowledge is power.
Power corrupts.
Study hard and be Eeeeviiiil......

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Alexey Tolstenok
Sent: Wednesday, July 16, 2008 1:39 PM
To: Narbik Kocharians
Cc: Jason Madsen; Petr Lapukhov; Igor Manassypov; GS CCIE-Lab
Subject: Re: rip passive int with neighbor command

Hi Narbik,
Can you explain why the following doesn't work? IOS is 12.4(19)b and no RIP
routes on both sides.

RACK01-R1#sh run | be key
key chain RIP
 key 1
   key-string 123
 key 2
   key-string 321

RACK1-R3#sh run | be key
key chain RIP
 key 1
   key-string 321

Remaining configs are the same as yours (mode md5, etc.)

2008/7/16 Narbik Kocharians <narbikk@gmail.com>:

> ha ha ha ha Petr, I did not know that what we discuss here in
> reference to CCIE should all be *STANDARD* and *NOT OBSCURE*.
>
> BUT NO it's NOT what you are saying here, this is what I was referring
> to, let's say we are doing MD5 RIPv2 authentication between R1 and R2,
> you don't even need to use the "lifetime" option, your assumption is
> incorrect, here we go:
>
> *To Verify:*
>
> R1#sh ip route rip
>
> *Note you don't see any routes because the locally configured key
> number is lower than R2, it rejects the authentication.*
>
>
>
> R2#sh ip route rip
>
> R 1.0.0.0/8 [120/1] via 10.1.12.1, 00:00:15, Serial1/0.21
>
> *R2 accepts the routes and authentication is successful because it has
> a higher key number.*
>
>

--
Alexey Tolstenok
CCIEx2 (R&S, SP) #17405, JNCIE-M #313, CCSI #31737
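
The wire-format difference cited in the reply at the top (RFC 2453 section 4.1 simple password versus RFC 2082 section 3.1 keyed MD5), as an added example that is not code from the thread or its participants. It assumes a receiver that picks the secret strictly by the key-id carried in the packet, and a digest layout of MD5 over the packet through the trailer header plus the zero-padded secret; the key chains are copied from the R1 and R3 configs quoted above, and actual IOS key-selection behaviour is not modelled.

```python
import hashlib
import hmac
import struct

AUTH_AFI = 0xFFFF      # address-family value that marks an authentication entry
SIMPLE_PASSWORD = 2    # RFC 2453 section 4.1: 16-byte password, no key-id
KEYED_MD5 = 3          # RFC 2082 section 3.1: key-id travels in the packet

# Key chains as posted in the thread (key number -> key-string).
R1_KEYS = {1: b"123", 2: b"321"}
R3_KEYS = {1: b"321"}

def parse_auth(packet: bytes) -> dict:
    """Decode the first 20-byte entry that follows the 4-byte RIP header."""
    if len(packet) < 24:
        raise ValueError("too short for a RIP header plus one entry")
    afi, auth_type = struct.unpack_from("!HH", packet, 4)
    if afi != AUTH_AFI:
        return {"type": "none"}
    if auth_type == SIMPLE_PASSWORD:
        return {"type": "simple", "password": packet[8:24].rstrip(b"\0")}
    if auth_type == KEYED_MD5:
        length, key_id, data_len, seq = struct.unpack_from("!HBBI", packet, 8)
        return {"type": "md5", "packet_len": length, "key_id": key_id,
                "auth_data_len": data_len, "sequence": seq}
    raise ValueError(f"unknown authentication type {auth_type}")

def _digest(signed: bytes, secret: bytes) -> bytes:
    # Assumed layout: MD5 over the packet through the 0xFFFF/0x0001 trailer
    # header, followed by the secret zero-padded to 16 bytes.
    return hashlib.md5(signed + secret.ljust(16, b"\0")[:16]).digest()

def build_md5_response(key_id: int, secret: bytes, seq: int, routes: bytes) -> bytes:
    """Constructed sample sender: RIPv2 response carrying keyed-MD5 auth."""
    length = 4 + 20 + len(routes)
    auth = struct.pack("!HHHBBI8x", AUTH_AFI, KEYED_MD5, length, key_id, 16, seq)
    signed = struct.pack("!BBH", 2, 2, 0) + auth + routes + struct.pack("!HH", AUTH_AFI, 1)
    return signed + _digest(signed, secret)

def verify_md5(packet: bytes, key_chain: dict) -> bool:
    """Receiver side: pick the secret by the key-id found in the packet."""
    info = parse_auth(packet)
    if info["type"] != "md5" or info["key_id"] not in key_chain:
        return False
    end = info["packet_len"] + 4          # include the trailer's 4-byte header
    if len(packet) < end + 16:
        return False
    expected = _digest(packet[:end], key_chain[info["key_id"]])
    return hmac.compare_digest(expected, packet[end:end + 16])
```

Under these assumptions, a packet built with key 1 and key-string 321 verifies against `R3_KEYS` but not against `R1_KEYS`, where key 1 maps to 123.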


This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:55 ART