RE: ospf virtual link Area authentication

From: amernas (taloust@gmail.com)
Date: Wed Oct 22 2008 - 23:08:21 ARST


I think the authentication key still needs to be applied at the interface
level for ospf authentication to work.
With "area x authentication |message-digest" only, ospf auth is still not
enabled, because interface auth takes precedence and defaults to "ip ospf
authentication null".

So in this case "ip ospf message-digest-key key-id md5 key" is still
needed.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Hobbs
Sent: Wednesday, October 22, 2008 7:09 PM
To: GAURAV MADAN
Cc: Fahad Khan; Jonny English; stephen skinner; Omkar Tambalkar; Cisco
certification
Subject: Re: ospf virtual link Area authentication

that's a dilemma I guess. i don't know what I would do, i guess ask the
proctor. i was just trying to point out that "area x authentication" isn't
required for authentication to actually work :)

funny thing is that if you do show ip ospf, it will say that auth is not
enabled. so i would always use it in case the script is running that command
looking for auth to be enabled.

On Tue, Oct 21, 2008 at 11:12 PM, GAURAV MADAN
<gauravmadan1177@gmail.com> wrote:

> I think Fahad is correct
> If the question says just to enable authentication type 1 / type 2
> .... just enable that .. no need of assuming and putting up the key
>
> Hence I would say :
>
> area 0 authentication message-digest
>
> PLUS
>
> area 1 virtual-link 1.1.1.1 authentication message-digest
>
> are ok for this task
>
> Gaurav Madan.
>
>
> On Wed, Oct 22, 2008 at 10:12 AM, Fahad Khan <fahad.khan@gmail.com> wrote:
> > That's correct hobbs, now the question is if the question says just to
> > enable authentication for particular area and doesn't shed light on
> > message-digest-key, then according to my opinion, we don't have to
> > configure "key".
> >
> > "area 0 authentication message-digest" command will do the task (In this
> > case I'm not talking about any virtual link)
> >
> > Correct me if I am wrong.
> >
> > regards,
> >
> >
> > On 10/22/08, Hobbs <deadheadblues@gmail.com> wrote:
> >>
> >> You can enable authentication without the area authentication
> >> command. I just tried it. I am not using IE, just my own lab:
> >>
> >> R2#show run | sec router ospf
> >> router ospf 1
> >> log-adjacency-changes
> >> area 1 virtual-link 3.3.3.3 authentication message-digest
> >> area 1 virtual-link 3.3.3.3 message-digest-key 1 md5 cisco
> >> network 172.12.25.0 0.0.0.255 area 0
> >> network 172.12.123.0 0.0.0.255 area 1
> >>
> >> R2#show ip ospf virtual-links | inc au
> >> Message digest authentication enabled
> >> R2#
> >>
> >> Notice there are 2 commands, one where you enable authentication type, and
> >> the other with the key. Just like when you do it for interfaces. The type
> >> is message-digest, verified with the show command.
> >>
> >> On Tue, Oct 21, 2008 at 3:38 PM, Jonny English <redkidneybeans@gmail.com>
> >> wrote:
> >>
> >> > yes you do need the area 0 authentication message-digest. Have a look at
> >> > a diagram of say IE lab 6. Look at how the OSPF is set up. Where do you
> >> > use your virtual-links? what are they used for? Think about these
> >> > questions and you will see you need them.
> >> >
> >> > Things break otherwise. Do it without the area 0 authentication
> >> > message-digest and do a show ip ospf nei, and you will see....
> >> >
> >> >
> >> >
> >> > On Wed, Oct 22, 2008 at 6:55 AM, Hobbs <deadheadblues@gmail.com> wrote:
> >> >
> >> >> Do you really need "area 0 authentication message-digest" ? I thought
> >> >> this just makes it easier to enable authentication on all your area 0
> >> >> links. You can just manually do it in the VL...
> >> >>
> >> >>
> >> >> On Tue, Oct 21, 2008 at 4:09 AM, Jonny English <redkidneybeans@gmail.com>
> >> >> wrote:
> >> >>
> >> >>> you need the "area 0 authentication message-digest" on routers that
> >> >>> have a virtual-link as well, because they are "virtually" connected to
> >> >>> area 0.
> >> >>>
> >> >>> On Tue, Oct 21, 2008 at 10:00 PM, stephen skinner <stephenski@gmail.com>
> >> >>> wrote:
> >> >>>
> >> >>> > hello Omkar
> >> >>> >
> >> >>> > thanks for your answer ,
> >> >>> >
> >> >>> > what do you think about adding the "area 0 authentication
> >> >>> > message-digest" command on R1 ,
> >> >>> >
> >> >>> > i suppose because i have put the above command on the Area 0 routers i
> >> >>> > should put it on R1 as well, even though it didn't seem to need it??
> >> >>> >
> >> >>> > any thoughts
> >> >>> >
> >> >>> > cheers
> >> >>> > On Tue, Oct 21, 2008 at 1:56 PM, Omkar Tambalkar
> >> >>> > <omkar.groupstudy@gmail.com> wrote:
> >> >>> >
> >> >>> > > You would configure the authentication on virtual link between R1
> >> >>> > > and R2 because area 0 is being extended to R1 via that virtual
> >> >>> > > link. So it will be
> >> >>> > > On R1: area 5 virtual-link [router-id of R2] authentication message-digest
> >> >>> > > message-digest-key md5 xxxx
> >> >>> > > On R2: area 5 virtual-link [router-id of R1] authentication message-digest
> >> >>> > > message-digest-key md5 xxxx
> >> >>> > >
> >> >>> > > I think it's tricky because the authentication task was asked before
> >> >>> > > creating the virtual link. So you are extending area 0 after
> >> >>> > > configuring the authentication. If you don't configure authentication
> >> >>> > > on the virtual link then the routes from the area 2 will not
> >> >>> > > propagate to area 0.
> >> >>> > >
> >> >>> > > HTH,
> >> >>> > > -Later
> >> >>> > > Omkar
> >> >>> > >
> >> >>> > > On Mon, Oct 20, 2008 at 10:24 PM, stephen skinner
> >> >>> > > <stephenski@gmail.com> wrote:
> >> >>> > >
> >> >>> > >> hello,
> >> >>> > >>
> >> >>> > >> i have the following questions i am not too sure about ,
> >> >>> > >>
> >> >>> > >> could someone please help
> >> >>> > >>
> >> >>> > >> Area 2 ---- Area 5 ------ Area 0
> >> >>> > >>   R1         R1-R2         R2-R3
> >> >>> > >>   0/0       0/1 0/0       0/1 0/0   (all ethernets)
> >> >>> > >>
> >> >>> > >> Scenario
> >> >>> > >> configure OSPF strongest authentication for area 0 by using the
> >> >>> > >> "area 0 authentication message-digest" command
> >> >>> > >>
> >> >>> > >> Connect area 2 to the main ospf network , Do not use tunnels ( use
> >> >>> > >> the "area x virtual link" command)
> >> >>> > >>
> >> >>> > >> my question is ,
> >> >>> > >>
> >> >>> > >> If i am in the Lab and i have added the "area 0
> >> >>> > >> authentication message-digest" to R2 and R3 ..
> >> >>> > >>
> >> >>> > >> do i need to add the command "area 0 authentication message-digest"
> >> >>> > >> to my router R1 , that's in Area 2 ??
> >> >>> > >>
> >> >>> > >> i have configed it up , without the above command in R1 , and it
> >> >>> > >> works fine.
> >> >>> > >>
> >> >>> > >> i am just wondering what people think is " best practise"
> >> >>> > >>
> >> >>> > >>
> >> >>> > >>
> >> >>> > >> Another question
> >> >>> > >>
> >> >>> > >> when trying this out , i found i had to type all the information on
> >> >>> > >> one line , even though the IOS puts these commands on two lines.
> >> >>> > >>
> >> >>> > >> i am not going mad am i ???? ,
> >> >>> > >> not much sleep this week ..
> >> >>> > >>
> >> >>> > >> TIA
> >> >>> > >>
> >> >>> > >> MD5
> >> >>> > >> (i typed )
> >> >>> > >> area 2 virtual-link 2.2.2.2 authentication message-digest
> >> >>> > >> message-digest-key 1 md5 CISCO
> >> >>> > >> (IOS Showed)
> >> >>> > >> area 2 virtual-link 2.2.2.2 authentication message-digest
> >> >>> > >> area 2 virtual-link 2.2.2.2 message-digest-key 1 md5 CISCO
> >> >>> > >>
> >> >>> > >> --
> >> >>> > >> Only two things are infinite, the universe and human stupidity,
> >> >>> > >> and I'm not sure about the former.
> >> >>> > >>
> >> >>> > >>
> >> >>> > >> Blogs and organic groups at http://www.ccie.net
> >> >>> > >>
> >> >>> > >>
> >> >>>
> ______________________________________________________________________
> _
> >> >>> > >> Subscription information may be found at:
> >> >>> > >> http://www.groupstudy.com/list/CCIELab.html
> >> >>>
> >> >>>
> >> >>> --
> >> >>> Thank You,
> >> > --
> >> > Thank You,
> > --
> > Fahad Khan
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > ____________________________________________________________________
> > ___
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net
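
An added example, not part of the original thread: a small Python check for the case debated above, where a router carries a virtual link and "area 0 authentication message-digest" but no key on the link. It assumes, as argued in the thread, that a virtual link without its own authentication option takes the area 0 type configured on that router; the sample config is constructed (modelled on the R2 output quoted above) and the function name and finding strings are hypothetical.

```python
import re

# Constructed sample, modelled on the R2 output quoted in the thread.
SAMPLE_CONFIG = """\
router ospf 1
 log-adjacency-changes
 area 0 authentication message-digest
 area 1 virtual-link 3.3.3.3 authentication message-digest
 area 1 virtual-link 3.3.3.3 message-digest-key 1 md5 cisco
 area 5 virtual-link 4.4.4.4
 network 172.12.25.0 0.0.0.255 area 0
"""

AREA_AUTH = re.compile(r"^area (\S+) authentication( message-digest)?$")
VLINK = re.compile(r"^area (\S+) virtual-link (\S+)(.*)$")
VL_AUTH = re.compile(r"\bauthentication(?!-key)(?: (message-digest|null))?")
KEY_FOR = {"message-digest": "message-digest-key", "simple": "authentication-key"}

def audit_virtual_links(config):
    """Map (transit area, peer router-id) -> (effective auth type, finding)."""
    area_auth, links, in_ospf = {}, {}, False
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):        # a top-level line opens or closes a section
            in_ospf = line.startswith("router ospf")
            continue
        if not in_ospf:
            continue
        if m := VLINK.match(line):
            link = links.setdefault(m.group(1, 2), {"auth": None, "opts": ""})
            link["opts"] += m.group(3)     # collect options from both config lines
            if a := VL_AUTH.search(m.group(3)):
                link["auth"] = a.group(1) or "simple"
        elif m := AREA_AUTH.match(line):
            area_auth[m.group(1)] = "message-digest" if m.group(2) else "simple"
    # Assumption taken from the thread: a virtual link is an area 0 adjacency, so
    # without its own authentication option it uses the area 0 type on this router.
    backbone = area_auth.get("0") or area_auth.get("0.0.0.0") or "null"
    report = {}
    for peer, link in links.items():
        auth = link["auth"] or backbone
        if auth == "null":
            finding = "no authentication"
        elif KEY_FOR[auth] not in link["opts"]:
            finding = "type enabled but no key on the link"
        else:
            finding = "ok"
        report[peer] = (auth, finding)
    return report

if __name__ == "__main__":
    for peer, result in audit_virtual_links(SAMPLE_CONFIG).items():
        print(peer, result)
```
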



This archive was generated by hypermail 2.1.4 : Sat Nov 01 2008 - 15:35:22 ARST