From: Mas Kato (tealp729@xxxxxxxx)
Date: Sat Jun 09 2001 - 18:12:17 GMT-3
In order for the "virtual ABR" to become adjacent over the virtual-link,
it needs to agree to the same type of 'area 0 authentication' configured
on its "backbone ABR" partner. -If- there is a key on the v-link, that
must match too. This is easy to illustrate by logging or debugging OSPF
adjacency events--when area authentication is configured on only the
backbone ABR, the adjacency will either break or not form to begin with.
When area authentication is then configured on the virtual ABR, they
will become adjacent again, even with no key configured on the v-link.
At this point, if a key is configured on only one end of the v-link, of
course the adjacency will break and configuring the same key on the
other end will restore it.
With an IOS that supports interface-by-interface authentication on both
ends, if you go back to where only the backbone ABR has 'area 0
authentication' turned on under the OSPF process, you can override the
area setting by configuring the v-link with 'authentication null'
on -both- ends and the adjacency should form (without having to
configure 'area 0 authentication' under the virtual ABR's OSPF process).
The backbone ABR could have other links configured with authentication,
but the v-link will not be using authentication.
Mas
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Padhu (LFG)
Sent: Friday, June 08, 2001 8:50 AM
To: 'sanjay'; Luke; Ccie (E-mail)
Subject: RE: OSPF Encrypted Authentication w/virtual links
I don't think you need authentication on the virtual link itself.
However
you need area 0 authentication command on the router where the virtual
link
is originating towards area 0.
Cheers,Padhu
-----Original Message-----
From: sanjay [mailto:ccienxtyear@hotmail.com]
Sent: Thursday, June 07, 2001 5:56 PM
To: Luke; Ccie (E-mail)
Subject: Re: OSPF Encrypted Authentication w/virtual links
As far as I know, the Virtual Link is part of AREA 0, since you have
authentication running on AREA 0 routers, you also need to implement
authentication on the Virtual link with the area 0 authentication. I
practiced on a similar lab couple of weeks ago and had to configure
authentication on the virtual link to get the routers to recieve routes.
sanjay
----- Original Message -----
From: "Luke" <luke.mendoza@home.com>
To: "Ccie (E-mail)" <ccielab@groupstudy.com>
Sent: Thursday, June 07, 2001 2:31 PM
Subject: OSPF Encrypted Authentication w/virtual links
> Ok here is the scenario:
>
>
>
> r1 --------------- r2 ----------------
> r3 -----------------r4 ---------------r5
> area 1 area 2 area 0 area 0
>
> So I have R1 and R2 in Area 1
> R2 and R3 in Area 2
> R3 and R4 in Area 0
> R4 and R5 in Area 0
>
>
> I configure virtual link for area 2 between R2 and R3.
>
> I also configure Area 0 Authentication MD5 for R3/R4/R5
>
> Router ospf 1
> area 0 authentication message-digest
>
> interface S.x
> ip ospf authentication message-digest
> ip ospf message-digest-key 1 md5 7 cisco
>
> that's basically the configs for R3/R4/R5. Ok this works
>
> I guess I remember seeing some post sometime ago about backbone
routers
> (Area 0 Routers) with virtual links and Area 0 authentication
requirements
> will also require authentication on the Virtual-links. So here is
what I
> did...
>
> I hopped on R2 :
>
> router ospf 1
> area 0 authentication message-digest
> area 2 virtual-link 3x.3x.3x.3x message-digest-key 1 md5 7 cisco
>
>
> On R3
> area 2 virtual-link 2x.2x.2x.2x message-digest-key 1 md5 7 cisco
>
>
> This seems to work but I am not entirely sure that this is correct.
Will
> someone please comment?
>
>
> Thanks,
>
> Luke
> **Please read:http://www.groupstudy.com/list/posting.html
**Please read:http://www.groupstudy.com/list/posting.html
**Please read:http://www.groupstudy.com/list/posting.html
**Please read:http://www.groupstudy.com/list/posting.html
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:21 GMT-3