I'm just curious, Chuck. When was the last time you had any sleep? :-) Interesting subject tonight!
Shawn K.

> -----Original Message-----
> From: The Long and Winding Road [SMTP:[EMAIL PROTECTED]]
> Sent: Friday, January 03, 2003 10:46 PM
> To: [EMAIL PROTECTED]
> Subject: Tonight's Homily - OSPF authentication - I didn't know that! [7:60275]
>
> As many of you know, I've been reading Parkhurst's OSPF book for a number of
> reasons. So I'm fooling around in the chapter on interface commands, when
> something hits me over the head.
>
> authentication can be done on an interface by interface basis!
>
> one of those things that I just never noticed before. Maybe because all the
> practice labs always instruct you to use area authentication. Maybe 'cause
> I'm just a Homer Simpson kind of guy.
>
> So check this out. Topology will look strange, because I'm doing this over a
> vlan tunnel.
>
> router-------------vlan tunnel-------------router
>
> each router has 4 subinterfaces, making four point-to-point links
>
> FrameSwitch#o nei
>
> Neighbor ID       Pri   State      Dead Time   Address     Interface
> 222.222.222.14      1   FULL/DR    00:00:33    122.1.4.1   Ethernet0/1.4
> 222.222.222.14      1   FULL/DR    00:00:36    122.1.3.1   Ethernet0/1.3
> 222.222.222.14      1   FULL/DR    00:00:36    122.1.2.1   Ethernet0/1.2
> 222.222.222.14      1   FULL/DR    00:00:33    122.1.1.1   Ethernet0/1.1
> FrameSwitch#
>
> FrameSwitch#ir os
> O    197.32.44.0/24 [110/11] via 122.1.4.1, 00:01:21, Ethernet0/1.4
>                     [110/11] via 122.1.1.1, 00:01:21, Ethernet0/1.1
>                     [110/11] via 122.1.2.1, 00:01:21, Ethernet0/1.2
>                     [110/11] via 122.1.3.1, 00:01:21, Ethernet0/1.3
> O    195.100.3.0/24 [110/11] via 122.1.4.1, 00:01:21, Ethernet0/1.4
>                     [110/11] via 122.1.1.1, 00:01:21, Ethernet0/1.1
>                     [110/11] via 122.1.2.1, 00:01:21, Ethernet0/1.2
>                     [110/11] via 122.1.3.1, 00:01:21, Ethernet0/1.3
> FrameSwitch#
>
> So let's play!
>
> interface Ethernet0/1.1
>  encapsulation dot1Q 121
>  ip address 122.1.1.2 255.255.255.0
> !
> interface Ethernet0/1.2
>  encapsulation dot1Q 122
>  ip address 122.1.2.2 255.255.255.0
>  ip ospf authentication
>  ip ospf authentication-key sycon
> !
> interface Ethernet0/1.3
>  encapsulation dot1Q 123
>  ip address 122.1.3.2 255.255.255.0
>  ip ospf authentication message-digest
>  ip ospf authentication-key cisco
> !
> interface Ethernet0/1.4
>  encapsulation dot1Q 124
>  ip address 122.1.4.2 255.255.255.0
> !
>
> Ethernet0/1.3 is up, line protocol is up
>   Internet Address 122.1.3.2/24, Area 1
>   Process ID 1, Router ID 222.222.222.11, Network Type BROADCAST, Cost: 10
>   Message digest authentication enabled
>     No key configured, using default key id 0
>
> Ethernet0/1.2 is up, line protocol is up
>   Internet Address 122.1.2.2/24, Area 1
>   Process ID 1, Router ID 222.222.222.11, Network Type BROADCAST, Cost: 10
>   Simple password authentication enabled
>
> FrameSwitch#o nei
>
> Neighbor ID       Pri   State      Dead Time   Address     Interface
> 222.222.222.14      1   FULL/DR    00:00:33    122.1.4.1   Ethernet0/1.4
> 222.222.222.14      1   FULL/DR    00:00:37    122.1.3.1   Ethernet0/1.3
> 222.222.222.14      1   FULL/DR    00:00:37    122.1.2.1   Ethernet0/1.2
> 222.222.222.14      1   FULL/DR    00:00:33    122.1.1.1   Ethernet0/1.1
> FrameSwitch#
>
> FrameSwitch#ir os
> O    197.32.44.0/24 [110/11] via 122.1.4.1, 00:03:18, Ethernet0/1.4
>                     [110/11] via 122.1.1.1, 00:03:18, Ethernet0/1.1
>                     [110/11] via 122.1.2.1, 00:03:18, Ethernet0/1.2
>                     [110/11] via 122.1.3.1, 00:03:18, Ethernet0/1.3
> O    195.100.3.0/24 [110/11] via 122.1.4.1, 00:03:18, Ethernet0/1.4
>                     [110/11] via 122.1.1.1, 00:03:18, Ethernet0/1.1
>                     [110/11] via 122.1.2.1, 00:03:18, Ethernet0/1.2
>                     [110/11] via 122.1.3.1, 00:03:18, Ethernet0/1.3
> FrameSwitch#
>
> during the entirety, the following is the ospf configuration:
>
> router ospf 1
>  log-adjacency-changes
>  network 100.36.0.0 0.0.255.255 area 1
>  network 122.1.0.0 0.0.255.255 area 1
> !
>
> next, let's use area authentication
>
> router ospf 1
>  log-adjacency-changes
>  area 1 authentication
>  network 100.36.0.0 0.0.255.255 area 1
>  network 122.1.0.0 0.0.255.255 area 1
> !
>
> FrameSwitch#o nei
>
> Neighbor ID       Pri   State      Dead Time   Address     Interface
> 222.222.222.14      1   FULL/DR    00:00:33    122.1.3.1   Ethernet0/1.3
> 222.222.222.14      1   FULL/DR    00:00:33    122.1.2.1   Ethernet0/1.2
> FrameSwitch#
>
> note that the only two interfaces that are up are the two with
> authentication configured. note also that it appears not to matter if the
> authentication is plain text or md5.
>
> Also, I should note that the other side does not have area authentication
> enabled
>
> router ospf 1
>  log-adjacency-changes
>  network 122.1.0.0 0.0.255.255 area 1
>  network 195.100.3.0 0.0.0.255 area 1
>  network 197.32.44.0 0.0.0.255 area 1
> !
>
> tells me that as far as either router is concerned, so long as the ospf
> packets have authentication fields filled, nothing else matters. pretty
> neat! of course there is a down side, but for purposes of illustration, this
> is wonderful!
>
> as long as I am on the topic, here's another knob:
>
> interface Ethernet0/1.1
>  encapsulation dot1Q 121
>  ip address 122.1.1.2 255.255.255.0
>  ip ospf authentication null          >>>>>>>>> THIS ONE!
> end
>
> And the neighbor comes up on that subinterface:
>
> Neighbor ID       Pri   State      Dead Time   Address     Interface
> 222.222.222.14      1   FULL/DR    00:00:38    122.1.3.1   Ethernet0/1.3
> 222.222.222.14      1   FULL/DR    00:00:38    122.1.2.1   Ethernet0/1.2
> 222.222.222.14      1   FULL/DR    00:00:35    122.1.1.1   Ethernet0/1.1
> FrameSwitch#
>
> ip ospf authentication null can be used to "excuse" one or more interfaces
> from the authentication requirement.
>
> Pretty neat stuff! I'm not sure why it never occurred to me that you can
> have interface authentication, and you can have area authentication on top
> of that. Now that I've re-read the CCO docs under the influence of this
> enlightenment, some things are clearer. For example, the docs suggest
> beginning with interface authentication configuration, then adding the area
> authentication under the routing process. I checked earlier notes on the
> topic, and can find only the checklist points of doing it the other way
> around. now I understand why the docs say what they do.
>
> Well, the third dimension gets built out just a little bit deeper.
>
> Still Waters. Green hillsides. An hour or two TV break - this much work
> deserves a reward!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60281&t=60281
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
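As an added example (not code from the post or its author), a small Python audit that applies the rule the lab above demonstrates: an interface-level `ip ospf authentication` command overrides `area N authentication`, `null` excuses an interface, and a neighbor only forms when both ends agree. The local config is modelled on the FrameSwitch side with area authentication on; the peer config is constructed, since the post does not show it, and a single area is assumed.

```python
from ipaddress import ip_interface

def parse_ios(text):
    """Per-interface OSPF auth settings and 'area N authentication' from an IOS config excerpt."""
    ifaces, area_auth, cur = {}, {}, None
    for w in (line.split() for line in text.splitlines() if line.strip()):
        if w[0] == "interface":
            cur = ifaces.setdefault(w[1], {"net": None, "auth": None})
        elif w[:2] == ["router", "ospf"]:
            cur = None  # leaving interface configuration mode
        elif cur and w[:2] == ["ip", "address"]:
            cur["net"] = ip_interface(f"{w[2]}/{w[3]}").network
        elif cur and w[:3] == ["ip", "ospf", "authentication"]:  # exact word: authentication-key is a key, not a mode
            cur["auth"] = w[3] if len(w) > 3 else "simple"  # bare command = simple password; else null / message-digest
        elif w[0] == "area" and "authentication" in w:  # area <id> authentication [message-digest]
            area_auth[w[1]] = w[3] if len(w) > 3 else "simple"
    return ifaces, area_auth

def effective_auth(text, area="1"):
    """interface -> (subnet, mode): interface command wins, else area command, else null. Single-area lab assumed."""
    ifaces, area_auth = parse_ios(text)
    return {n: (i["net"], i["auth"] or area_auth.get(area, "null")) for n, i in ifaces.items()}

def predict_adjacencies(local_cfg, peer_cfg):
    """Pair interfaces by shared subnet; a neighbor forms only when both ends use the same mode."""
    local, peer = effective_auth(local_cfg), effective_auth(peer_cfg)
    return {ln: lm == pm for ln, (ls, lm) in local.items() for ps, pm in peer.values() if ls == ps}

# Constructed sample: the FrameSwitch side from the post with "area 1 authentication" turned on.
LOCAL = """interface Ethernet0/1.1
 ip address 122.1.1.2 255.255.255.0
interface Ethernet0/1.2
 ip address 122.1.2.2 255.255.255.0
 ip ospf authentication
interface Ethernet0/1.3
 ip address 122.1.3.2 255.255.255.0
 ip ospf authentication message-digest
router ospf 1
 area 1 authentication
"""
# Constructed peer (the post does not show its config): interface auth matching .2 and .3, none on .1.
PEER = """interface Ethernet0/1.1
 ip address 122.1.1.1 255.255.255.0
interface Ethernet0/1.2
 ip address 122.1.2.1 255.255.255.0
 ip ospf authentication
interface Ethernet0/1.3
 ip address 122.1.3.1 255.255.255.0
 ip ospf authentication message-digest
"""
```

Adding `ip ospf authentication null` under the local Ethernet0/1.1 flips its predicted adjacency to true, reproducing the post's last experiment.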

