• Configure MD5 based OSPF authentication for all adjacencies in area 0, including the Virtual-Links, using the password MD5KEY.
• R1 should enable MD5 authentication on all interfaces in area 0 with a single command.
• All other devices in area 0 should enable MD5 authentication on a per interface basis.
R1: (R1 touches area 0 and has a virtual-link to R6. Enabling MD5 authentication for area 0 also enables it on the virtual-link, because a virtual-link counts as an area 0 interface.)
interface Serial0/0
ip ospf message-digest-key 1 md5 MD5KEY
!
router ospf 1
area 0 authentication message-digest
area 1 virtual-link 150.1.6.6 message-digest-key 1 md5 MD5KEY
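R2: (R2 has a virtual-link to R3, but authentication is applied on the interface (area 0). Authentication for the virtual-link can only be configured under the router process, so MD5 authentication for the area 5 virtual-link has to be enabled there.)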
interface Serial0/0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 MD5KEY
!
router ospf 1
area 5 virtual-link 150.1.3.3 authentication message-digest
area 5 virtual-link 150.1.3.3 message-digest-key 1 md5 MD5KEY
R3:
interface Serial1/0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 MD5KEY
!
router ospf 1
area 5 virtual-link 150.1.2.2 authentication message-digest
area 5 virtual-link 150.1.2.2 message-digest-key 1 md5 MD5KEY
R4:
interface Serial0/0/0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 MD5KEY
!
interface Serial0/1/0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 MD5KEY
R5:
interface Serial0/0/0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 MD5KEY
!
interface Serial0/1/0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 MD5KEY
------------------------------------
Remember that a virtual-link is an interface in area 0. This means that if the area 0 authentication [message-digest] command is enabled, authentication is also enabled on the virtual-link.
In this example MD5 authentication is enabled on the virtual-link on R1 with the area 0 authentication message-digest command, but the password must still be assigned on the virtual-link interface itself with the area 1 virtual-link 150.1.6.6 message-digest-key 1 md5 MD5KEY command.
On R6, authentication is enabled at the virtual-link interface level with the area 1 virtual-link 150.1.1.1 authentication message-digest command, and the key is applied with the area 1 virtual-link 150.1.1.1 message-digest-key 1 md5 MD5KEY command.
In some versions these two commands are combined automatically in the running config into the single statement area 1 virtual-link 150.1.1.1 authentication message-digest message-digest-key 1 md5 MD5KEY; however, the result of either syntax is the same.
Once authentication is enabled on the virtual-link, be sure to issue the clear ip ospf process command, because the virtual-link does not support periodic hellos. This means that if the authentication is wrong, the virtual-link interface will not immediately go down, but if there is a change in the topology it won't actually be propagated across the virtual-link.
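
Because a misconfigured virtual-link does not drop right away, the rule above can be checked statically against the configuration instead. The following is an added example, not part of the original lab solution: the function name audit_virtual_links is hypothetical, and the sample configs are constructed from the R1, R2 and R6 commands on this page.

```python
import re

# Constructed inputs: R1 and R2 copy the configs above; R2_NO_KEY is a
# deliberately broken variant and R6_COMBINED uses the merged single-line form.
R1 = """interface Serial0/0
 ip ospf message-digest-key 1 md5 MD5KEY
router ospf 1
 area 0 authentication message-digest
 area 1 virtual-link 150.1.6.6 message-digest-key 1 md5 MD5KEY
"""
R2 = """interface Serial0/0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 MD5KEY
router ospf 1
 area 5 virtual-link 150.1.3.3 authentication message-digest
 area 5 virtual-link 150.1.3.3 message-digest-key 1 md5 MD5KEY
"""
R2_NO_KEY = R2.replace(" area 5 virtual-link 150.1.3.3 message-digest-key 1 md5 MD5KEY\n", "")
R6_COMBINED = """router ospf 1
 area 1 virtual-link 150.1.1.1 authentication message-digest message-digest-key 1 md5 MD5KEY
"""

AREA0_AUTH = re.compile(r"^[ \t]*area (?:0|0\.0\.0\.0) authentication message-digest[ \t]*$", re.M)
VLINK = re.compile(r"^[ \t]*area (\S+) virtual-link (\S+)(.*)$", re.M)
KEY = re.compile(r"message-digest-key \d+ md5 \S+")

def audit_virtual_links(config):
    """Map each (transit area, peer router-id) to a list of problems found."""
    # A virtual-link is an area 0 interface, so area-wide auth covers it too.
    area_wide = bool(AREA0_AUTH.search(config))
    state = {}
    for area, peer, rest in VLINK.findall(config):
        st = state.setdefault((area, peer), {"auth": area_wide, "key": False})
        if "authentication message-digest" in rest:
            st["auth"] = True   # enabled per virtual-link
        if KEY.search(rest):
            st["key"] = True    # key is always set per virtual-link
    findings = {}
    for link, st in state.items():
        findings[link] = [msg for ok, msg in (
            (st["auth"], "MD5 authentication not enabled"),
            (st["key"], "no message-digest-key configured")) if not ok]
    return findings

if __name__ == "__main__":
    for name, cfg in (("R1", R1), ("R2", R2), ("R2_NO_KEY", R2_NO_KEY), ("R6_COMBINED", R6_COMBINED)):
        print(name, audit_virtual_links(cfg))
```

An empty list means the virtual-link has both authentication and a key; the check does not compare key values between the two ends.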