From: Paglia, John (USPC.PCT.Hopewell) (JPaglia@NA2.US.ML.com)
Date: Wed Nov 13 2002 - 00:26:07 GMT-3

I suppose the better reply to the original question probably would have been
'no, they do not accomplish the same thing'.

There is indeed a difference btwn the 2, but both require the interface
config. Under ospf, the 'area 0 auth' or 'area 0 auth message-digest' tells
the router that ALL INTERFACES that advertise themselves as being in area 0
need the specified type of authentication. Then you perform the interface
config so the routers know what key is in use...they need to know some kind
of key in order to authenticate, right?

The diff w/ interface config is that NOT EVERY INTERFACE IN THE AREA NEEDS
TO USE THE CONFIG, thus you leave the 'area ...' part out. You could have 10
interfaces in area 0, but only 6 of them running authentication. In this
scenario however, A KEY IS STILL NEEDED. This is why both types need the
interface configuration.

You definitely do not need to config the 'area' part if you're only
performing interface auth.

HTH,
John

> -----Original Message-----
> From: Jennifer Bellucci [SMTP:Jennifer_bellucci@hotmail.com]
> Sent: Tuesday, November 12, 2002 7:23 PM
> To: Nate Kleven; 'Paglia, John (USPC.PCT.Hopewell)';
> ccielab@groupstudy.com
> Subject: Re: OSFP Message Digest Authentication
>
> Cisco specify that you can now enable interface or area authentication. If
> this is the case then why would you have to enable area authentication to
> get interface authentication to work?
> Refer to Cisco OSPF Command and Configuration Handbook, page 364.
>
> JBell
> ----- Original Message -----
> From: "Nate Kleven" <cciemail@intellinet.ws>
> To: "'Paglia, John (USPC.PCT.Hopewell)'" <JPaglia@NA2.US.ML.com>;
> <ccielab@groupstudy.com>
> Sent: Tuesday, November 12, 2002 11:17 PM
> Subject: RE: OSFP Message Digest Authentication
>
>
> > I was able to obtain full adjacency by putting the "area 0
> > authentication message-digest" command in on only one side. I then
> > performed a "clear ip ospf proc" on both sides to make sure the connection
> > could re-establish and it did. That to me would indicate that the "area 0
> > authentication message-digest" may not be necessary if you have it in the
> > interface.
> >
> > It is better to be safe than sorry, so I will probably do both on the test,
> > just wanted to let you know what I found.
> >
> > NK
> >
> >
> > -----Original Message-----
> > From: Paglia, John (USPC.PCT.Hopewell) [mailto:JPaglia@NA2.US.ML.com]
> > Sent: Tuesday, November 12, 2002 2:00 PM
> > To: 'Nate Kleven'; ccielab@groupstudy.com
> > Subject: RE: OSFP Message Digest Authentication
> >
> >
> > Ya need to do it to both. If ya don't it'll appear as if it is working, but
> > in reality it will be performing a 'null authentication' which in reality
> > isn't authenticating at all.
> >
> > router ospf xxx
> > area 0 auth message-dig
> >
> > int s0
> > ip ospf auth message-dig message-digest-k 1 md5 cisco
> >
> >
> > John
> >
> > > -----Original Message-----
> > > From: Nate Kleven [SMTP:cciemail@intellinet.ws]
> > > Sent: Tuesday, November 12, 2002 4:35 PM
> > > To: ccielab@groupstudy.com
> > > Subject: OSFP Message Digest Authentication
> > >
> > > Does the interface command "IP OSPF AUTHENTICATION MESSAGE-DIGEST"
> > > accomplish the same thing as the OSPF router command "AREA 0
> > > AUTHENTICATION MESSAGE-DIGEST" ?
> > >
> > > I was told to setup authentication between two OSPF neighbors and I
> > > did it on the interface level rather than under Router OSPF. It seems
> > > as though it is working, and a "sh ip ospf int" shows authentication in
> > > use.
> > >
> > > Thoughts?
> > >
> > > __________
> > >
> > > Nate Kleven
> > >
> > > Senior Network Engineer, CCNP Voice Access, MCSE
> > >
> > > Expanets
> > >
> > > 6020 So 190th ST
> > >
> > > Kent, WA 98032
> > >
> > > (206)219.6135
> > >
> > > "Experienced at Networked Solutions"
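
Added example, not part of the thread or written by any of its participants: a Python check that works out the effective OSPF authentication type per interface from an IOS-style config, using the IOS rule that an interface-level `ip ospf authentication ...` overrides the area-wide setting and that the default is null. It flags the two cases the thread circles around: a key with no authentication enabled, and MD5 enabled with no key. Assumptions: full command keywords only (no abbreviations such as `auth message-dig`), interfaces placed in areas with `ip ospf <pid> area <id>`, a constructed sample config, and a hypothetical helper name `audit`.

```python
import re
# Constructed sample config (not from the thread); full command keywords only.
SAMPLE = """\
router ospf 1
 area 0 authentication message-digest
interface Serial0
 ip ospf 1 area 0
 ip ospf message-digest-key 1 md5 cisco
interface Serial1
 ip ospf 1 area 1
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cisco
interface Ethernet0
 ip ospf 1 area 1
 ip ospf message-digest-key 1 md5 cisco
interface Ethernet1
 ip ospf 1 area 0
"""

def audit(config):
    # Hypothetical helper: returns {interface: (effective_auth, finding)}.
    area_auth, ifaces, cur = {}, {}, None
    for line in config.splitlines():
        s = line.strip()
        if m := re.match(r"interface (\S+)", s):
            cur = ifaces.setdefault(m.group(1), {"area": None, "auth": None, "key": False})
        elif not line.startswith(" "):
            cur = None  # any other top-level line ends the interface block
        if m := re.match(r"area (\S+) authentication( message-digest)?$", s):
            area_auth[m.group(1)] = "md5" if m.group(2) else "simple"
        elif cur is not None:
            if m := re.match(r"ip ospf \d+ area (\S+)", s):
                cur["area"] = m.group(1)
            elif m := re.match(r"ip ospf authentication( message-digest| null)?$", s):
                cur["auth"] = {" message-digest": "md5", " null": "null", None: "simple"}[m.group(1)]
            elif s.startswith("ip ospf message-digest-key "):
                cur["key"] = True
    report = {}
    for name, i in ifaces.items():
        if i["area"] is None:
            continue  # interface is not running OSPF
        # Interface-level setting overrides the area-wide one; default is null.
        eff = i["auth"] or area_auth.get(i["area"], "null")
        finding = ("md5 enabled but no message-digest-key" if eff == "md5" and not i["key"]
                   else "key configured but authentication not enabled" if eff == "null" and i["key"]
                   else "ok")
        report[name] = (eff, finding)
    return report
```

On a live router, the authentication actually in use on each interface is what the `sh ip ospf int` output mentioned in the thread reports.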
This archive was generated by hypermail 2.1.4 : Tue Dec 03 2002 - 07:22:58 GMT-3