6.20 OSPF MD5 Authentication with Multiple Keys

I have a question about 6.20.

The solution given only authenticates R1-R6 and R4-R6.

However, given that Vlan 146 is a multiaccess-network, shouldn't we also authenticate R1-R4?

This would require an additional md5 key on R1 and R4, e.g.

interface FastEthernet0/0
  ip ospf authentication message-digest
  ip ospf message-digest-key 16 md5 R1R6KEY
  ip ospf message-digest-key 14 md5 R1R4KEY  <---

 

Regards,

tom

Comments

  • On the LAN, who do you establish OSPF adjacency with?



    Brian McGahan, CCIE #8593 (R&S/SP/Security)

    Internetwork Expert, Inc.

    http://www.InternetworkExpert.com

    Toll Free: 877-224-8987 x 705

    Outside US: 775-826-4344 x 705

    Online Community: http://www.IEOC.com

    CCIE Blog: http://blog.internetworkexpert.com






    Internetwork Expert - The Industry Leader in CCIE Preparation

    http://www.internetworkexpert.com



    Subscription information may be found at:

    http://www.ieoc.com/forums/ForumSubscriptions.aspx

  • DR / BDR

    R6 and R1 can both be DR/BDR, depending on the sequence/timing of OSPF process loading.

    R4 is not eligible for DR/BDR election. Nevertheless, R4 should establish adjacency with DR/BDR.

    Am I missing something?

    Regards,

    tom

  • If R4 and R6 are both DROTHERs, there's no need to authenticate between them, because they wouldn't establish adjacency anyways.



    Brian McGahan, CCIE #8593 (R&S/SP/Security)


  • I concur with you Tom. I am running into the same scenario after configuring the devices in area 1. R1 and R4 are no longer neighbors after configuring authentication key on the interfaces on vlan146. The output for 'debug ospf adj' on R1 and R4 show a mismatch on key 46 and 16 respectively.

    R1 and R4 do not authenticate, therefore they do not become OSPF neighbors. If authentication is configured on R1 and R4's fastE interfaces using keys 46 AND 16, as shown in the exercise for R6, then full state between devices in area 1 is established.

    What I am taking away from this without looking beyond 6.20 is that the exercise does not mention that R1 and R4 should or should not be neighbors. It's about R6, configured with MD5 authentication using multiple keys, authenticating R1 and R4 successfully.

     

    Regards,

    Weylyn
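
An added example, not part of the original thread or the workbook solution: a Python model of OSPF MD5 authentication (RFC 2328 Appendix D) applied to the key layout discussed above, showing which routers on VLAN 146 accept each other's Hellos. The key 46 string is a constructed placeholder, and sending one copy of a packet per configured key is an assumption that models the multi-key behaviour described in the thread.

```python
import hashlib
import hmac
import struct

def ospf_md5_packet(router_id, key_id, secret, seq, body=b""):
    """Build an OSPF Hello carrying RFC 2328 Appendix D cryptographic auth."""
    length = 24 + len(body)                      # the digest is not counted
    header = struct.pack("!BBH4s4sHHHBBI",
                         2, 1, length,           # version 2, type 1 (Hello)
                         router_id, bytes([0, 0, 0, 1]),  # router ID, area 1
                         0, 2,                   # checksum unused, AuType 2
                         0, key_id, 16, seq)     # Key ID, digest len, sequence
    packet = header + body
    key = secret.encode().ljust(16, b"\0")[:16]  # key padded to 16 bytes
    return packet + hashlib.md5(packet + key).digest()

def accepts(packet, keychain):
    """Receiver side: look up the Key ID, then recompute and compare the digest."""
    secret = keychain.get(packet[18])            # Key ID is at header offset 18
    if secret is None:
        return False                             # unknown Key ID: packet dropped
    data, digest = packet[:-16], packet[-16:]
    key = secret.encode().ljust(16, b"\0")[:16]
    return hmac.compare_digest(hashlib.md5(data + key).digest(), digest)

# Constructed key chains following the thread: R1 has key 16, R4 has key 46,
# R6 has both. "KEY46-EXAMPLE" is a placeholder, not a value from the page.
KEYS = {
    "R1": {16: "R1R6KEY"},
    "R4": {46: "KEY46-EXAMPLE"},
    "R6": {16: "R1R6KEY", 46: "KEY46-EXAMPLE"},
}

def hears(sender, receiver, keys=KEYS):
    """Assumption: the sender emits one copy of the Hello per configured key."""
    rid = bytes([0, 0, 0, int(sender[1:])])      # constructed router IDs 0.0.0.N
    return any(accepts(ospf_md5_packet(rid, kid, sec, seq=1), keys[receiver])
               for kid, sec in keys[sender].items())

def can_peer(a, b, keys=KEYS):
    """Two routers can become neighbors only if each accepts the other's Hellos."""
    return hears(a, b, keys) and hears(b, a, keys)

if __name__ == "__main__":
    for pair in (("R1", "R6"), ("R4", "R6"), ("R1", "R4")):
        print(pair, "authenticate" if can_peer(*pair) else "key mismatch")
```

The model leaves out the cryptographic sequence number check that a real receiver also performs to reject replayed packets.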

     

     
