From: Fahad Khan (fahad.khan@gmail.com)
Date: Thu Oct 23 2008 - 07:02:20 ARST
Look at this:
R2#sh run | s ospf
router ospf 1
log-adjacency-changes
area 0 authentication message-digest -----just configured this command for auth (not on the interface, and no "key" configured)----
network 2.2.2.2 0.0.0.0 area 0
network 10.0.0.2 0.0.0.0 area 0
R2#sh ip ospf 1
Routing Process "ospf 1" with ID 2.2.2.2
Start time: 00:00:08.476, Time elapsed: 00:00:58.708
Supports only single TOS(TOS0) routes
Supports opaque LSA
-------some output omitted--------
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Number of areas transit capable is 0
External flood list length 0
Area BACKBONE(0)
Number of interfaces in this area is 2 (1 loopback)
* Area has message digest authentication
* SPF algorithm last executed 00:00:49.444 ago
SPF algorithm executed 2 times
Area ranges are
Number of LSA 2. Checksum Sum 0x019336
Number of opaque link LSA 0. Checksum Sum 0x000000
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0
R2#sh ip ospf interface serial 1/0
Serial1/0 is up, line protocol is up
Internet Address 10.0.0.2/8, Area 0
Process ID 1, Router ID 2.2.2.2, Network Type POINT_TO_POINT, Cost: 64
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:05
Supports Link-local Signaling (LLS)
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 1.1.1.1
Suppress hello for 0 neighbor(s)
* Message digest authentication enabled
* No key configured, using default key id 0
Any comments?????
best regards,
On 10/23/08, amernas <taloust@gmail.com> wrote:
>
> I think the authentication key still needs to be applied at the interface
> level for ospf authentication to work.
> With "area x authentication |message-digest" only, ospf auth is still not
> enabled, because interface auth takes precedence and defaults to "ip ospf
> authentication null".
>
> So in your case "ip ospf message-digest-key key-id md5 key" is still
> needed.
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Hobbs
> Sent: Wednesday, October 22, 2008 7:09 PM
> To: GAURAV MADAN
> Cc: Fahad Khan; Jonny English; stephen skinner; Omkar Tambalkar; Cisco certification
> Subject: Re: ospf virtual link Area authentication
>
>
> That's a dilemma I guess. I don't know what I would do, I guess ask the
> proctor. I was just trying to point out that "area x authentication" isn't
> required for authentication to actually work :)
>
> Funny thing is that if you do show ip ospf, it will say that auth is not
> enabled. So I would always use it in case the script is running that command
> looking for auth to be enabled.
>
> On Tue, Oct 21, 2008 at 11:12 PM, GAURAV MADAN <gauravmadan1177@gmail.com> wrote:
>
> > I think Fahad is correct
> > If the question says just to enable authentication type 1 / type 2
> > .... just enable that .. no need of assuming and putting up the key
> >
> > Hence I would say :
> >
> > area 0 authentication message-digest
> >
> > PLUS
> >
> > area 1 virtual-link 1.1.1.1 authentication message-digest
> >
> > are ok for this task
> >
> > Gaurav Madan.
> >
> >
> > On Wed, Oct 22, 2008 at 10:12 AM, Fahad Khan <fahad.khan@gmail.com> wrote:
> > > That's correct Hobbs, now the question is if the question says just to enable
> > > authentication for particular area and doesn't shed light on
> > > message-digest-key, then according to my opinion, we don't have to configure
> > > "key".
> > >
> > > "area 0 authentication message-digest" command will do the task (in this
> > > case I'm not talking about any virtual link)
> > >
> > > Correct me if I am wrong.
> > >
> > > regards,
> > >
> > >
> > > On 10/22/08, Hobbs <deadheadblues@gmail.com> wrote:
> > >>
> > >> You can enable authentication without the area authentication
> > >> command. I just tried it. I am not using IE, just my own lab:
> > >>
> > >> R2#show run | sec router ospf
> > >> router ospf 1
> > >> log-adjacency-changes
> > >> area 1 virtual-link 3.3.3.3 authentication message-digest
> > >> area 1 virtual-link 3.3.3.3 message-digest-key 1 md5 cisco
> > >> network 172.12.25.0 0.0.0.255 area 0
> > >> network 172.12.123.0 0.0.0.255 area 1
> > >>
> > >> R2#show ip ospf virtual-links | inc au
> > >> Message digest authentication enabled
> > >> R2#
> > >>
> > >> Notice there are 2 commands, one where you enable authentication type, and
> > >> the other with the key. Just like when you do it for interfaces. The type is
> > >> message-digest, verified with the show command.
> > >>
> > >> On Tue, Oct 21, 2008 at 3:38 PM, Jonny English <redkidneybeans@gmail.com> wrote:
> > >>
> > >> > Yes you do need the area 0 authentication message-digest. Have a look at a
> > >> > diagram of say IE lab 6. Look at how the OSPF is set up. Where do you use
> > >> > your virtual-links? What are they used for? Think about these questions and
> > >> > you will see you need them.
> > >> >
> > >> > Things break otherwise. Do it without the area 0 authentication
> > >> > message-digest and do a show ip ospf nei, and you will see....
> > >> >
> > >> >
> > >> >
> > >> > On Wed, Oct 22, 2008 at 6:55 AM, Hobbs <deadheadblues@gmail.com> wrote:
> > >> >
> > >> >> Do you really need "area 0 authentication message-digest"? I thought this
> > >> >> just makes it easier to enable authentication on all your area 0 links. You
> > >> >> can just manually do it in the VL...
> > >> >>
> > >> >>
> > >> >> On Tue, Oct 21, 2008 at 4:09 AM, Jonny English <redkidneybeans@gmail.com> wrote:
> > >> >>
> > >> >>> You need the "area 0 authentication message-digest" on routers that have a
> > >> >>> virtual-link as well, because they are "virtually" connected to area 0.
> > >> >>>
> > >> >>> On Tue, Oct 21, 2008 at 10:00 PM, stephen skinner <stephenski@gmail.com> wrote:
> > >> >>>
> > >> >>> > hello Omkar
> > >> >>> >
> > >> >>> > thanks for your answer,
> > >> >>> >
> > >> >>> > what do you think about adding the "area 0 authentication message-digest"
> > >> >>> > command on R1,
> > >> >>> >
> > >> >>> > I suppose because I have put the above command on the Area 0 routers I
> > >> >>> > should put it on R1 as well, even though it didn't seem to need it??
> > >> >>> >
> > >> >>> > any thoughts
> > >> >>> >
> > >> >>> > cheers
> > >> >>> > On Tue, Oct 21, 2008 at 1:56 PM, Omkar Tambalkar <omkar.groupstudy@gmail.com> wrote:
> > >> >>> >
> > >> >>> > > You would configure the authentication on virtual link between R1 and R2
> > >> >>> > > because area 0 is being extended to R1 via that virtual link. So it will be
> > >> >>> > > On R1: area 5 virtual-link [router-id of R2] authentication message-digest message-digest-key md5 xxxx
> > >> >>> > > On R2: area 5 virtual-link [router-id of R1] authentication message-digest message-digest-key md5 xxxx
> > >> >>> > >
> > >> >>> > > I think it's tricky because the authentication task was asked before
> > >> >>> > > creating the virtual link. So you are extending area 0 after configuring the
> > >> >>> > > authentication. If you don't configure authentication on the virtual link
> > >> >>> > > then the routes from the area 2 will not propagate to area 0.
> > >> >>> > >
> > >> >>> > > HTH,
> > >> >>> > > -Later
> > >> >>> > > Omkar
> > >> >>> > >
> > >> >>> > > On Mon, Oct 20, 2008 at 10:24 PM, stephen skinner <stephenski@gmail.com> wrote:
> > >> >>> > >
> > >> >>> > >> hello,
> > >> >>> > >>
> > >> >>> > >> I have the following questions I am not too sure about,
> > >> >>> > >>
> > >> >>> > >> could someone please help
> > >> >>> > >>
> > >> >>> > >> Area 2 ----Area 5 ------Area 0
> > >> >>> > >> R1 R1-R2 R2-R3
> > >> >>> > >> 0/0 0/1 0/0 0/1 0/0 (all ethernets)
> > >> >>> > >>
> > >> >>> > >> Scenario
> > >> >>> > >> configure OSPF strongest authentication for area 0 by using the "area 0
> > >> >>> > >> authentication message-digest" command
> > >> >>> > >>
> > >> >>> > >> Connect area 2 to the main ospf network. Do not use tunnels (use the "area
> > >> >>> > >> x virtual link" command)
> > >> >>> > >>
> > >> >>> > >> my question is,
> > >> >>> > >>
> > >> >>> > >> If I am in the Lab and I have added the "area 0
> > >> >>> > >> authentication message-digest" to R2 and R3 ..
> > >> >>> > >>
> > >> >>> > >> do I need to add the command "area 0 authentication message-digest" to my
> > >> >>> > >> router R1, that's in Area 2 ??
> > >> >>> > >>
> > >> >>> > >> I have configured it up, without the above command in R1, and it works
> > >> >>> > >> fine.
> > >> >>> > >>
> > >> >>> > >> I am just wondering what people think is "best practise"
> > >> >>> > >>
> > >> >>> > >>
> > >> >>> > >>
> > >> >>> > >> Another question
> > >> >>> > >>
> > >> >>> > >> when trying this out, I found I had to type all the information on one line,
> > >> >>> > >> even though the IOS puts these commands on two lines.
> > >> >>> > >>
> > >> >>> > >> I am not going mad am I ????,
> > >> >>> > >> not much sleep this week ..
> > >> >>> > >> TIA
> > >> >>> > >>
> > >> >>> > >> MD5
> > >> >>> > >> (I typed)
> > >> >>> > >> area 2 virtual-link 2.2.2.2 authentication message-digest message-digest-key 1 md5 CISCO
> > >> >>> > >> (IOS Showed)
> > >> >>> > >> area 2 virtual-link 2.2.2.2 authentication message-digest
> > >> >>> > >> area 2 virtual-link 2.2.2.2 message-digest-key 1 md5 CISCO
> > >> >>> > >>
> > >> >>> > >> --
> > >> >>> > >> Only two things are infinite, the universe and human stupidity, and I'm not
> > >> >>> > >> sure about the former.
> > >> >>> > >>
> > >> >>> > >>
> > >> >>> > >> Blogs and organic groups at http://www.ccie.net
> > >> >>> > >>
> > >> >>> > >>
> > >> >>> > >> _______________________________________________________________________
> > >> >>> > >> Subscription information may be found at:
> > >> >>> > >> http://www.groupstudy.com/list/CCIELab.html
> > >> >>> > >
> > >> >>> >
> > >> >>> >
> > >> >>> > --
> > >> >>> > Only two things are infinite, the universe and human stupidity, and I'm not
> > >> >>> > sure about the former.
> > >> >>> >
> > >> >>>
> > >> >>>
> > >> >>> --
> > >> >>> Thank You,
> > >> >>
> > >> >
> > >> >
> > >> > --
> > >> > Thank You,
> > >
> > >
> > > --
> > > Fahad Khan
-- Fahad Khan
This archive was generated by hypermail 2.1.4 : Sat Nov 01 2008 - 15:35:22 ARST
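
Added example, not part of the thread: a Python check over `show ip ospf interface` text that flags the state seen in the output at the top of the thread, where message-digest authentication is enabled but no key is configured. The Serial1/1 and FastEthernet0/0 entries and the finding labels are constructed for illustration.

```python
import re

# Constructed sample. The Serial1/0 lines are copied from the post above; Serial1/1
# and FastEthernet0/0 are constructed for contrast (keyed MD5 and no authentication).
SAMPLE = """\
Serial1/0 is up, line protocol is up
Internet Address 10.0.0.2/8, Area 0
Neighbor Count is 1, Adjacent neighbor count is 1
* Message digest authentication enabled
* No key configured, using default key id 0
Serial1/1 is up, line protocol is up
Neighbor Count is 1, Adjacent neighbor count is 1
Message digest authentication enabled
Youngest key id is 1
FastEthernet0/0 is up, line protocol is up
Neighbor Count is 0, Adjacent neighbor count is 0
"""

IFACE_RE = re.compile(r"^(\S+) is (?:administratively down|up|down), line protocol is")
ADJ_RE = re.compile(r"Adjacent neighbor count is (\d+)")

def parse_interfaces(text):
    """Split 'show ip ospf interface' text into one record per interface."""
    records = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("* ").strip()  # tolerate indentation and '*' residue
        m = IFACE_RE.match(line)
        if m:
            records.append({"name": m.group(1), "auth": "none", "keyed": False, "adjacent": 0})
        elif records:
            rec = records[-1]
            adj = ADJ_RE.search(line)
            if adj:
                rec["adjacent"] = int(adj.group(1))
            elif line == "Message digest authentication enabled":
                rec["auth"] = "md5"
            elif line == "Simple password authentication enabled":
                rec["auth"] = "simple"
            elif line.startswith("Youngest key id is"):
                rec["keyed"] = True
    return records

def audit(text):
    """Return {interface: finding}; 'md5-no-key' is the state shown in the post."""
    def finding(rec):
        if rec["auth"] == "none":
            return "no-auth"
        return "md5-no-key" if rec["auth"] == "md5" and not rec["keyed"] else "ok"
    return {rec["name"]: finding(rec) for rec in parse_interfaces(text)}
```
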