From: Mas Kato (tealp729@xxxxxxxx)
Date: Sat Apr 28 2001 - 19:58:55 GMT-3
Andres,
I was wondering if you and Johnny ended up swapping configs and getting to
the bottom of the authentication over virtual links issue?
Andres, in the last config fragment you posted, you showed that you
didn't need to enable area 0 authentication on R2 (your "virtual ABR").
You did, however, enable authentication in the transit area, area 4--and
authentication on the virtual link itself.
The last link posted to the thread:
http://www.cisco.com/warp/customer/104/27.html
...doesn't show authentication in the transit area, but does show area 0
authentication on the "virtual ABR" and the virtual link itself.
My findings with 12.1(7) in my lab tend to support the link above and
Guy's findings and Johnny's explanation below--I had to enable area 0
authentication on my virtual ABR and the authentication on each end of
the virtual link had to match...
Were you really able to get away with not enabling area 0 authentication
on your virtual ABR?
Regards,
Mas Kato
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of Guy Farber
Sent: 2001 04 08 14:45
To: Andres Zeller; Johnny Dedon
Cc: ccielab@groupstudy.com
Subject: Re: Authentication on virtual links
No it's not a problem, just how the OSPF specification works. Since the
router connecting from area 3 is considered part of area 0 and since all
routers in an area need the same type of authentication, you need the
"area 0 auth mess" command on that router.
The virtual link from area 0's side doesn't use a key on that interface
(VL) so it's not required on the router from area 3.
Hope that makes sense. It's important for the lab.
----- Original Message -----
From: "Andres Zeller" <azeller@uswest.net>
To: "Johnny Dedon" <johnny.dedon@exodus.net>
Cc: "Guy Farber" <gfarber@cisco.com>; <ccielab@groupstudy.com>
Sent: Sunday, April 08, 2001 4:19 AM
Subject: Re: Authentication on virtual links
> Hmmm I am using 12.0(7) on my routers. I entered the commands:
>
> R1
> router ospf 316
> area 0 authentication message-digest
> area 4 authentication message-digest
> area 4 virtual-link 10.1.4.4 message-digest-key 1 md5 ccie
>
> R2
> router ospf 316
> area 4 authentication message-digest
> area 4 virtual-link 10.1.4.4 message-digest-key 1 md5 ccie
>
>
> AND it works great. I wonder if you would mind showing me your config. I am
> concerned about whether this is a known caveat from differing IOS or what.
>
> Andres
>
>
> Johnny Dedon wrote:
>
> > Guy,
> > If you require authentication in the backbone area then all routers that
> > connect to the backbone must authenticate. Area3 in your case connects to
> > the backbone through the virtual link but the virtual link's job is
> > basically to extend area0 out to area3.
> > So the router in area3 must authenticate to area0 even though it doesn't
> > physically have a connection to area0.
> > I hope this makes sense.
> > Johnny Dedon
> > Senior Staff Consultant
> > Exodus Professional Services
> > johnny.dedon@exodus.net
> > www.exodus.net
> > ----- Original Message -----
> > From: "Guy Farber" <gfarber@cisco.com>
> > To: <ccielab@groupstudy.com>
> > Sent: Saturday, April 07, 2001 5:05 AM
> > Subject: Authentication on virtual links
> >
> > > Hi,
> > >
> > > I'm working on a lab where I have MD5 authentication on all routers in the
> > > backbone. When I'm connecting area 3 through area 1 to the backbone I'm
> > > getting an authentication mismatch on the area 0 side of the virtual link. sh
> > > ip ospf virtual-links shows that md5 authentication is enabled for the VL.
> > >
> > > Turning on MD5 authentication on the virtual link from area 3 doesn't help.
> > > The only solution was to put area 0 authentication on the area 3 router. It
> > > works without a password on the interface.
> > >
> > > Can anyone explain how area authentication works in this regard?
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:30:00 GMT-3
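
A small consistency check for the rule Johnny and Guy describe in this thread (a router terminating a virtual link is part of area 0, so it needs the backbone's authentication type), added here as an example and not written by any poster. The bare router-name section markers, the function names and the pairing of virtual-link ends by transit area are assumptions; a finding marks a config to verify in the lab, since the thread reports different behaviour on 12.0(7) and 12.1(7).

```python
import re
from collections import defaultdict

# Config fragment as posted in the thread (R1 = backbone ABR, R2 = "virtual ABR").
SAMPLE = """\
R1
router ospf 316
 area 0 authentication message-digest
 area 4 authentication message-digest
 area 4 virtual-link 10.1.4.4 message-digest-key 1 md5 ccie
R2
router ospf 316
 area 4 authentication message-digest
 area 4 virtual-link 10.1.4.4 message-digest-key 1 md5 ccie
"""

AUTH = re.compile(r"^area (\S+) authentication(?: (message-digest))?$")
VLINK = re.compile(r"^area (\S+) virtual-link (\S+)(?: message-digest-key (\d+) md5 (\S+))?")
HOST = re.compile(r"^[A-Za-z][\w-]*$")  # assumption: a bare name starts a router's section

def parse(text):
    """Return {router: {"auth": {area: type}, "vlinks": [(transit_area, key_id, key)]}}."""
    routers, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if HOST.match(line):
            cur = routers.setdefault(line, {"auth": {}, "vlinks": []})
        elif cur is not None and (m := AUTH.match(line)):
            cur["auth"][m[1]] = m[2] or "simple"
        elif cur is not None and (m := VLINK.match(line)):
            cur["vlinks"].append((m[1], m[3], m[4]))
    return routers

def audit(text):
    """List findings: missing area 0 auth on virtual-link routers, mismatched keys."""
    routers, findings = parse(text), []
    backbone = {r["auth"]["0"] for r in routers.values() if "0" in r["auth"]}
    keys = defaultdict(set)
    for name, r in routers.items():
        for area, key_id, key in r["vlinks"]:
            keys[area].add((key_id, key))
            if backbone and r["auth"].get("0") not in backbone:
                findings.append(f"{name}: virtual link via area {area} but no matching area 0 authentication")
    for area, seen in keys.items():
        if len(seen) > 1:
            findings.append(f"area {area}: virtual-link keys differ between ends")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```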