Re: Authentication on virtual links

From: Guy Farber (gfarber@xxxxxxxxx)
Date: Sun Apr 08 2001 - 03:44:46 GMT-3

• Next message: Greg Ferro: "Re: Qsaal on point-to-point PVCs"
• Previous message: Doug Hall: "CCIE #7168"
• Maybe in reply to: Guy Farber: "Authentication on virtual links"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

   
No it's not a problem, just how the OSPF specification works. Since the
router connecting from area 3 is considered part of area 0 and since all
routers in an area need the same type of authentication, you need the "area
0 auth mess" command on that router.

The virtual link from area 0's side doesn't use a key on that interface
(VL) so it's no required on the router from area 3.

Hope that makes sense. It's important for the lab.

----- Original Message -----
From: "Andres Zeller" <azeller@uswest.net>
To: "Johnny Dedon" <johnny.dedon@exodus.net>
Cc: "Guy Farber" <gfarber@cisco.com>; <ccielab@groupstudy.com>
Sent: Sunday, April 08, 2001 4:19 AM
Subject: Re: Authentication on virtual links

> Hmmm I am using 12.0(7) on my routers. I entered the commands:
>
> R1
> router ospf 316
> area 0 authentication message-digest
> area 4 authentication message-digest
> area 4 virtual-link 10.1.4.4 message-digest-key 1 md5 ccie
>
> R2
> router ospf 316
> area 4 authentication message-digest
> area 4 virtual-link 10.1.4.4 message-digest-key 1 md5 ccie
>
>
> AND it works great. I wonder if you would mind showing me your config. I
am
> concerned about whether this is a know caveat from differing IOS or what.
>
> Andres
>
>
> Johnny Dedon wrote:
>
> > Guy,
> > If you require authentication in the backbone area then all routers that
> > connect to the backbone must authenticate. Area3 in your case connects
to
> > the backbone through the virtual link but the virtual link's job is
> > basically to extend area0 out to area3.
> > So the router in area3 must authenticate to area0 even though it doesn't
> > physically have a connection to area0.
> > I hope this makes sense.
> > Johnny Dedon
> > Senior Staff Consultant
> > Exodus Professional Services
> > johnny.dedon@exodus.net
> > www.exodus.net
> > ----- Original Message -----
> > From: "Guy Farber" <gfarber@cisco.com>
> > To: <ccielab@groupstudy.com>
> > Sent: Saturday, April 07, 2001 5:05 AM
> > Subject: Authentication on virtual links
> >
> > > Hi,
> > >
> > > I'm working on a lab where I have MD5 authentication on all routers in
the
> > > backbone. When I'm connecting area 3 through area 1 to the backbone
I'm
> > > getting an authentication mismatch on the area 0 side of the virtual
link.
> > sh
> > > ip ospf virtual-links shows that md5 authentication is enabled for
the
> > VL.
> > >
> > > Turning on MD5 authentication on the virtual link from area 3 doesn't
> > help.
> > > The only solution was to put area 0 authentication on the area 3
router.
> > It
> > > works without a password on the interface.
> > >
> > > Can anyone explain how area authentication works in this regard?

• Next message: Greg Ferro: "Re: Qsaal on point-to-point PVCs"
• Previous message: Doug Hall: "CCIE #7168"
• Maybe in reply to: Guy Farber: "Authentication on virtual links"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:29:42 GMT-3