Re: OSPF Authentication

From: Darby Weaver <darby.weaver_at_gmail.com>
Date: Sat, 5 Sep 2009 04:01:17 -0400

Be careful with virtual-links.

Remember virtual-links are "extending area 0" as you mentioned.

So if you are adding authentication to the far side link... don't forget:

area 0 authentication .. look carefully in the example configs and find it
and don't ever forget it.

Example:

[image: 27-a.gif]

Router 1.1.1.1

hostname r1.1.1.1

interface Loopback0
 ip address 1.1.1.1 255.0.0.0

interface Ethernet0
 ip address 4.0.0.1 255.0.0.0
 ip ospf message-digest-key 1 md5 cisco
!--- This command configures the MD5 authentication key
!--- on the interface as "cisco".
interface Serial0
 ip address 5.0.0.1 255.0.0.0
 clockrate 64000

!

router ospf 2
 network 4.0.0.0 0.255.255.255 area 0
 network 5.0.0.0 0.255.255.255 area 1
 area 0 authentication message-digest
!--- This command enables MD5 authentication for area 0
!--- on the router.
 area 1 virtual-link 3.3.3.3 message-digest-key 1 md5 cisco
!--- This command creates the virtual link between Router
!--- 1.1.1.1 and Router 3.3.3.3 with MD5 authentication enabled.

Router 3.3.3.3

hostname r3.3.3.3

interface Loopback0
 ip address 3.3.3.3 255.0.0.0

interface Ethernet0
 ip address 12.0.0.3 255.0.0.0

interface Serial0
 ip address 6.0.0.3 255.0.0.0

!

router ospf 2
 network 12.0.0.0 0.255.255.255 area 2
 network 6.0.0.0 0.255.255.255 area 1
 area 0 authentication
!--- This command enables plain authentication for area 0
!--- on the router.
 area 1 virtual-link 1.1.1.1 authentication-key cisco
!--- This command creates the virtual link to area 0 via
!--- transit area 1 with plain text authentication enabled.

I'm going back to bed... lots of lab all holiday weekend...

Don't forget Area Authentication versus Interface Authentication

Interface Authentication - Yep keep in mind the virtual-link:

http://www.cisco.com/en/US/docs/ios/iproute/configuration/guide/irp_ospf_cfg_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1054174

Router(config-if)# ip ospf authentication-key key

Assigns a password to be used by neighboring OSPF routers on a network
segment that is using the OSPF simple password authentication.

Router(config-if)# ip ospf message-digest-key key-id md5 key

Enables OSPF MD5 authentication. The values for the *key-id* and *key*
arguments must match values specified for other neighbors on a network
segment.

Router(config-if)# ip ospf authentication [message-digest | null]

Specifies the authentication type for an interface.

 Then we have Area Authentication:

http://www.cisco.com/en/US/docs/ios/iproute/configuration/guide/irp_ospf_cfg_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1054380

Command / Purpose

Router(config-router)# area area-id authentication

Enables authentication for an OSPF area.

Router(config-router)# area area-id authentication message-digest

Enables MD5 authentication for an OSPF area.

 Finally we have the virtual-link:

http://www.cisco.com/en/US/docs/ios/iproute/configuration/guide/irp_ospf_cfg_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1054496

 Creating Virtual Links

In OSPF, all areas must be connected to a backbone area. If there is a break
in backbone continuity, or the backbone is purposefully partitioned, you can
establish a *virtual link*. The two endpoints of a virtual link are ABRs.
The virtual link must be configured in both routers. The configuration
information in each router consists of the other virtual endpoint (the other
ABR) and the nonbackbone area that the two routers have in common (called
the *transit area*). Note that virtual links cannot be configured through
stub areas.

To establish a virtual link, use the following command in router
configuration mode:

Command / Purpose

Router(config-router)# area area-id virtual-link router-id
    [authentication [message-digest | null]] [hello-interval seconds]
    [retransmit-interval seconds] [transmit-delay seconds]
    [dead-interval seconds]
    [[authentication-key key] | [message-digest-key key-id md5 key]]

Establishes a virtual link.

On Fri, Sep 4, 2009 at 10:46 PM, Nishant Aggarwal <
er.nishantaggarwal_at_gmail.com> wrote:

> Hi Group,
>
> We are asked for simple authentication in area 0 and no key is given in the
> question which is to be used. Then which set of commands should be used:
>
> 1. ip os authentication
> ip os authentication-key 1 cisco
>
> or
>
> 2. ip os authentication
>
> Also explain authentication commands to be used for virtual-links (As
> virtual-links are considered a part of Area 0 itself.)
>
> Thanks,
> Nishant aggarwal.
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

-- 
Darby Weaver
Network Engineer
407-802-7394
darbyweaver_at_yahoo.com
Received on Sat Sep 05 2009 - 04:01:17 ART
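
As an added illustration (not part of the original message or of Cisco's documentation), the Python check below audits an IOS configuration for the mistake the message warns about: a virtual-link key configured while authentication is never enabled for area 0. The sample configs and the key EXAMPLEKEY are constructed, and the parser only understands the command forms quoted on this page.

```python
import re

AREA_AUTH = re.compile(r"area (\S+) authentication( message-digest)?$")
VLINK = re.compile(r"area (\S+) virtual-link (\S+)(.*)")

def virtual_link_auth(config):
    """Map each virtual-link peer to (effective auth type, configured key type)."""
    area_auth, links = {}, {}
    for line in map(str.strip, config.splitlines()):
        if m := AREA_AUTH.match(line):
            area_auth[m.group(1)] = "md5" if m.group(2) else "simple"
        elif m := VLINK.match(line):
            opts = m.group(3).split()
            key = ("md5" if "message-digest-key" in opts
                   else "simple" if "authentication-key" in opts else None)
            explicit = None
            if "authentication" in opts:  # per-link keyword overrides the area setting
                nxt = (opts[opts.index("authentication") + 1:] + [""])[0]
                explicit = {"message-digest": "md5", "null": "none"}.get(nxt, "simple")
            links[m.group(2)] = (explicit, key)
    # A virtual link belongs to area 0, so without the per-link keyword it
    # inherits the "area 0 authentication" type, or no authentication at all.
    area0 = area_auth.get("0") or area_auth.get("0.0.0.0") or "none"
    return {peer: (explicit or area0, key) for peer, (explicit, key) in links.items()}

def audit(config):
    """Return one finding per virtual link whose key cannot take effect."""
    findings = []
    for peer, (auth, key) in virtual_link_auth(config).items():
        if key and auth == "none":
            findings.append(f"virtual-link {peer}: {key} key set, but authentication is not enabled")
        elif key and key != auth:
            findings.append(f"virtual-link {peer}: {key} key does not match {auth} authentication")
    return findings

# Constructed sample configs (router IDs follow the example above).
GOOD = """router ospf 2
 area 0 authentication message-digest
 area 1 virtual-link 3.3.3.3 message-digest-key 1 md5 EXAMPLEKEY"""
FORGOT_AREA0 = """router ospf 2
 network 6.0.0.0 0.255.255.255 area 1
 area 1 virtual-link 1.1.1.1 message-digest-key 1 md5 EXAMPLEKEY"""
PER_LINK = """router ospf 2
 area 1 virtual-link 1.1.1.1 authentication message-digest message-digest-key 1 md5 EXAMPLEKEY"""

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("FORGOT_AREA0", FORGOT_AREA0), ("PER_LINK", PER_LINK)):
        print(name, audit(cfg) or "ok")
```

FORGOT_AREA0 models the far-side ABR, which has no interface in area 0 and is therefore the router where the area 0 statement is most easily left out.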

This archive was generated by hypermail 2.2.0 : Sun Oct 04 2009 - 07:42:02 ART