As many of you know, I've been reading Parkhurst's OSPF book for a number of
reasons. So I'm fooling around in the chapter on interface commands, when
something hits me over the head.

Authentication can be done on an interface-by-interface basis!

One of those things that I just never noticed before. Maybe because all the
practice labs always instruct you to use area authentication. Maybe because
I'm just a Homer Simpson kind of guy.

So check this out. Topology will look strange, because I'm doing this over a
vlan tunnel.

router-------------vlan tunnel-------------router

Each router has 4 subinterfaces, making four point-to-point links.

FrameSwitch#o nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
222.222.222.14    1   FULL/DR         00:00:33    122.1.4.1       Ethernet0/1.4
222.222.222.14    1   FULL/DR         00:00:36    122.1.3.1       Ethernet0/1.3
222.222.222.14    1   FULL/DR         00:00:36    122.1.2.1       Ethernet0/1.2
222.222.222.14    1   FULL/DR         00:00:33    122.1.1.1       Ethernet0/1.1
FrameSwitch#

FrameSwitch#ir os
O    197.32.44.0/24 [110/11] via 122.1.4.1, 00:01:21, Ethernet0/1.4
                    [110/11] via 122.1.1.1, 00:01:21, Ethernet0/1.1
                    [110/11] via 122.1.2.1, 00:01:21, Ethernet0/1.2
                    [110/11] via 122.1.3.1, 00:01:21, Ethernet0/1.3
O    195.100.3.0/24 [110/11] via 122.1.4.1, 00:01:21, Ethernet0/1.4
                    [110/11] via 122.1.1.1, 00:01:21, Ethernet0/1.1
                    [110/11] via 122.1.2.1, 00:01:21, Ethernet0/1.2
                    [110/11] via 122.1.3.1, 00:01:21, Ethernet0/1.3
FrameSwitch#

So let's play!

interface Ethernet0/1.1
 encapsulation dot1Q 121
 ip address 122.1.1.2 255.255.255.0
!
interface Ethernet0/1.2
 encapsulation dot1Q 122
 ip address 122.1.2.2 255.255.255.0
 ip ospf authentication
 ip ospf authentication-key sycon
!
interface Ethernet0/1.3
 encapsulation dot1Q 123
 ip address 122.1.3.2 255.255.255.0
 ip ospf authentication message-digest
 ip ospf authentication-key cisco
!
interface Ethernet0/1.4
 encapsulation dot1Q 124
 ip address 122.1.4.2 255.255.255.0
!

Ethernet0/1.3 is up, line protocol is up
  Internet Address 122.1.3.2/24, Area 1
  Process ID 1, Router ID 222.222.222.11, Network Type BROADCAST, Cost: 10
  Message digest authentication enabled
      No key configured, using default key id 0

Ethernet0/1.2 is up, line protocol is up
  Internet Address 122.1.2.2/24, Area 1
  Process ID 1, Router ID 222.222.222.11, Network Type BROADCAST, Cost: 10
  Simple password authentication enabled

FrameSwitch#o nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
222.222.222.14    1   FULL/DR         00:00:33    122.1.4.1       Ethernet0/1.4
222.222.222.14    1   FULL/DR         00:00:37    122.1.3.1       Ethernet0/1.3
222.222.222.14    1   FULL/DR         00:00:37    122.1.2.1       Ethernet0/1.2
222.222.222.14    1   FULL/DR         00:00:33    122.1.1.1       Ethernet0/1.1
FrameSwitch#

FrameSwitch#ir os
O    197.32.44.0/24 [110/11] via 122.1.4.1, 00:03:18, Ethernet0/1.4
                    [110/11] via 122.1.1.1, 00:03:18, Ethernet0/1.1
                    [110/11] via 122.1.2.1, 00:03:18, Ethernet0/1.2
                    [110/11] via 122.1.3.1, 00:03:18, Ethernet0/1.3
O    195.100.3.0/24 [110/11] via 122.1.4.1, 00:03:18, Ethernet0/1.4
                    [110/11] via 122.1.1.1, 00:03:18, Ethernet0/1.1
                    [110/11] via 122.1.2.1, 00:03:18, Ethernet0/1.2
                    [110/11] via 122.1.3.1, 00:03:18, Ethernet0/1.3
FrameSwitch#

Throughout all of this, the OSPF configuration is the following:

router ospf 1
 log-adjacency-changes
 network 100.36.0.0 0.0.255.255 area 1
 network 122.1.0.0 0.0.255.255 area 1
!

Next, let's use area authentication:

router ospf 1
 log-adjacency-changes
 area 1 authentication
 network 100.36.0.0 0.0.255.255 area 1
 network 122.1.0.0 0.0.255.255 area 1
!

FrameSwitch#o nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
222.222.222.14    1   FULL/DR         00:00:33    122.1.3.1       Ethernet0/1.3
222.222.222.14    1   FULL/DR         00:00:33    122.1.2.1       Ethernet0/1.2
FrameSwitch#

Note that the only two interfaces that are up are the two with
authentication configured. Note also that it appears not to matter whether
the authentication is plain text or MD5.

Also, I should note that the other side does not have area authentication
enabled:

router ospf 1
 log-adjacency-changes
 network 122.1.0.0 0.0.255.255 area 1
 network 195.100.3.0 0.0.0.255 area 1
 network 197.32.44.0 0.0.0.255 area 1
!

This tells me that, as far as either router is concerned, so long as the OSPF
packets have the authentication fields filled, nothing else matters. Pretty
neat! Of course there is a downside, but for purposes of illustration, this
is wonderful!

As long as I am on the topic, here's another knob:

interface Ethernet0/1.1
 encapsulation dot1Q 121
 ip address 122.1.1.2 255.255.255.0
 ip ospf authentication null     >>>>>>>>> THIS ONE!
end

And the neighbor comes up on that subinterface:

Neighbor ID     Pri   State           Dead Time   Address         Interface
222.222.222.14    1   FULL/DR         00:00:38    122.1.3.1       Ethernet0/1.3
222.222.222.14    1   FULL/DR         00:00:38    122.1.2.1       Ethernet0/1.2
222.222.222.14    1   FULL/DR         00:00:35    122.1.1.1       Ethernet0/1.1
FrameSwitch#

So "ip ospf authentication null" can be used to "excuse" one or more
interfaces from the authentication requirement.
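The effective authentication type per interface is exactly what an auditor wants to know from a config like the ones above, and the precedence described in this post (area default, interface override, null as an explicit opt-out) is mechanical enough to script. The following is an added example, not code from the post or from Cisco: a small Python audit that reads an IOS-style running config and reports, for each interface, which area its address falls in (most specific matching "network" statement), what authentication it ends up with, and the caveats a practitioner would want flagged: simple-password auth (the key is carried in cleartext in the OSPF header), message-digest auth without an "ip ospf message-digest-key" (the "No key configured, using default key id 0" line in the show output above), and null. The function names and the sample config are constructed; the sample is modelled on the FrameSwitch config with the null knob applied to Ethernet0/1.1.

```python
"""Added example (not code from the post): derive each interface's effective
OSPF authentication from an IOS-style config with the rules the post describes:
`area N authentication [message-digest]` is the area default, an interface-level
`ip ospf authentication [message-digest|null]` overrides it, and the covering
`network` statement picks the area.  Sample config constructed from the post."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_CONFIG = """\
interface Ethernet0/1.1
 ip address 122.1.1.2 255.255.255.0
 ip ospf authentication null
!
interface Ethernet0/1.2
 ip address 122.1.2.2 255.255.255.0
 ip ospf authentication
 ip ospf authentication-key sycon
!
interface Ethernet0/1.3
 ip address 122.1.3.2 255.255.255.0
 ip ospf authentication message-digest
 ip ospf authentication-key cisco
!
interface Ethernet0/1.4
 ip address 122.1.4.2 255.255.255.0
!
router ospf 1
 area 1 authentication
 network 100.36.0.0 0.0.255.255 area 1
 network 122.1.0.0 0.0.255.255 area 1
"""

@dataclass
class Iface:
    name: str
    address: Optional[int] = None    # IPv4 address as an int
    auth: Optional[str] = None       # explicit override: simple / md5 / null
    has_simple_key: bool = False     # ip ospf authentication-key ...
    has_md5_key: bool = False        # ip ospf message-digest-key N md5 ...

def ip2int(s):
    return int(ipaddress.IPv4Address(s))

def parse_config(text):
    """Return (interfaces, area_auth {area: default type}, networks [(net, wildcard, area)])."""
    ifaces, area_auth, networks, cur = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            cur = ifaces[m.group(1)] = Iface(m.group(1))
        elif line.startswith("router ospf "):
            cur = "ospf"
        elif isinstance(cur, Iface):
            if m := re.match(r"ip address (\S+) \S+$", line):
                cur.address = ip2int(m.group(1))
            elif line == "ip ospf authentication":
                cur.auth = "simple"
            elif line == "ip ospf authentication message-digest":
                cur.auth = "md5"
            elif line == "ip ospf authentication null":
                cur.auth = "null"
            elif line.startswith("ip ospf authentication-key "):
                cur.has_simple_key = True
            elif re.match(r"ip ospf message-digest-key \d+ md5 ", line):
                cur.has_md5_key = True
        elif cur == "ospf":
            if m := re.match(r"area (\S+) authentication( message-digest)?$", line):
                area_auth[m.group(1)] = "md5" if m.group(2) else "simple"
            elif m := re.match(r"network (\S+) (\S+) area (\S+)$", line):
                networks.append((ip2int(m.group(1)), ip2int(m.group(2)), m.group(3)))
    return ifaces, area_auth, networks

def interface_area(iface, networks):
    """Area of the most specific (smallest wildcard) network statement covering the address."""
    if iface.address is None:
        return None
    hits = [(wc, area) for net, wc, area in networks if (iface.address | wc) == (net | wc)]
    return min(hits)[1] if hits else None

def effective_auth(iface, area_auth, networks):
    """Return (area, effective auth type, audit findings) for one interface."""
    area = interface_area(iface, networks)
    if area is None:
        return None, "not-ospf", []
    auth = iface.auth or area_auth.get(area, "null")   # interface override wins
    findings = []
    if auth == "null":
        findings.append("OSPF on this link is unauthenticated")
    elif auth == "simple":
        findings.append("simple password: key travels in cleartext in every OSPF header")
        if not iface.has_simple_key:
            findings.append("no authentication-key configured")
    elif auth == "md5" and not iface.has_md5_key:
        findings.append("message-digest set but no message-digest-key (IOS falls back to key id 0)")
    return area, auth, findings

def audit(text):
    ifaces, area_auth, networks = parse_config(text)
    return {n: effective_auth(i, area_auth, networks) for n, i in ifaces.items()}
```

Running audit(SAMPLE_CONFIG) reproduces the post's situation: Ethernet0/1.1 is explicitly null, 0/1.2 and 0/1.3 keep their interface-level types, and 0/1.4, which has no interface command, inherits simple-password authentication from "area 1 authentication" but has no key to send, which is the interface that lost its neighbor above. Feed it a real "show running-config" to get the same table for a production box.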

Pretty neat stuff! I'm not sure why it never occurred to me that you can
have interface authentication, and you can have area authentication on top
of that. Now that I've re-read the CCO docs under the influence of this
enlightenment, some things are clearer. For example, the docs suggest
beginning with interface authentication configuration, then adding the area
authentication under the routing process. I checked earlier notes on the
topic, and can find only the checklist points of doing it the other way
around. Now I understand why the docs say what they do.

Well, the third dimension gets built out just a little bit deeper.

Still Waters. Green hillsides. An hour or two TV break - this much work
deserves a reward!


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60275&t=60275