From: Albert Lu (albert_ccie@xxxxxxxxx)
Date: Mon Oct 29 2001 - 22:56:27 GMT-3
Eric,
Did you know that the area virtual-link command requires a router-id?
area area-id virtual-link router-id [authentication [message-digest | null]]
[hello-interval seconds] [retransmit-interval seconds] [transmit-delay
seconds] [dead-interval seconds] [[authentication-key key] |
[message-digest-key keyid md5 key]]
You have not set your router-id for either of your OSPF processes, so it's
going to use your highest IP address from your interfaces.
The statement:
area 45 virtual-link 4.4.4.4 authentication message-digest
Is not going to work, since I don't believe 4.4.4.4 is going to be your
router-id on the other router. I would assume 160.5.54.4 would be the
router-id.
Albert
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Eric Sarraf
Sent: Tuesday, October 30, 2001 10:08 AM
To: Jon CCIE-study Account
Cc: ccielab@groupstudy.com; anawaz@cisco.com
Subject: Re: Virtual Link Authentication
Here are the configs. Area 0 resides on R5's Serial0. Area 45 is on R4's
Ethernet0 and R5's Ethernet 1.
Thanks guys for the extra effort.
R4500M-3A-R5#sh run
Building configuration...
Current configuration : 3653 bytes
!
version 12.1
service timestamps debug datetime
service timestamps log datetime
no service password-encryption
!
hostname R4500M-3A-R5
!
enable password ww
!
ip subnet-zero
no ip finger
no ip domain-lookup
!
!
source-bridge ring-group 2000
source-bridge transparent 2000 100 1 10
dlsw local-peer peer-id 5.5.5.5
dlsw remote-peer 0 tcp 3.3.3.3 host-netbios-out test2
dlsw icanreach mac-address 4000.2000.1000 mask ffff.ffff.ffff
dlsw bridge-group 1
!
!
interface Loopback0
ip address 5.5.5.5 255.255.255.255
!
interface Loopback1
ip address 160.5.65.1 255.255.255.0
ip ospf network point-to-point
!
interface Loopback2
ip address 160.5.66.1 255.255.255.0
ip ospf network point-to-point
!
interface Loopback3
ip address 160.5.67.1 255.255.255.0
!
interface Loopback4
ip address 160.5.68.1 255.255.255.0
!
interface Loopback5
no ip address
!
interface Loopback21
ip address 21.21.21.21 255.255.255.255
!
interface Ethernet0
ip address 160.5.53.5 255.255.255.0
media-type 10BaseT
!
interface Ethernet1
ip address 160.5.54.5 255.255.255.0
media-type 10BaseT
bridge-group 10
!
interface Serial0
ip address 160.5.1.5 255.255.255.248
ip access-group 5 in
encapsulation frame-relay
ip ospf message-digest-key 1 md5 cisco
ip ospf network non-broadcast
ip ospf priority 10
no fair-queue
clockrate 64000
frame-relay map ip 160.5.1.1 201 broadcast
frame-relay map ip 160.5.1.3 100 broadcast
no frame-relay inverse-arp
!
interface Serial1
no ip address
shutdown
!
interface TokenRing0
ip address 160.5.5.5 255.255.255.0
ring-speed 16
source-bridge 1 1 2000
source-bridge spanning
netbios output-access-filter host test
!
interface TokenRing1
ip address 160.1.45.1 255.255.255.0
shutdown
ring-speed 16
!
router ospf 1
log-adjacency-changes
area 0 authentication message-digest
area 45 virtual-link 4.4.4.4 authentication message-digest
area 45 virtual-link 4.4.4.4 message-digest-key 1 md5 cisco
area 55 range 160.5.64.0 255.255.248.0
redistribute connected subnets
network 160.5.1.0 0.0.0.255 area 0
network 160.5.53.0 0.0.0.255 area 5
network 160.5.54.0 0.0.0.255 area 45
network 160.5.64.0 0.0.7.255 area 55
neighbor 160.5.1.1
neighbor 160.5.1.3
!
router bgp 65050
no synchronization
bgp log-neighbor-changes
bgp confederation identifier 5000
bgp confederation peers 65040
network 5.5.5.5 mask 255.255.255.255
neighbor 1.1.1.1 remote-as 65050
neighbor 1.1.1.1 update-source Loopback0
neighbor 1.1.1.1 route-reflector-client
neighbor 3.3.3.3 remote-as 65050
neighbor 3.3.3.3 update-source Loopback0
neighbor 3.3.3.3 route-reflector-client
neighbor 4.4.4.4 remote-as 65040
neighbor 4.4.4.4 ebgp-multihop 255
neighbor 4.4.4.4 update-source Loopback0
!
ip classless
no ip http server
!
access-list 5 deny 160.5.68.0 0.0.0.255
access-list 5 permit any
access-list 10 permit 160.5.65.0 0.0.0.255
access-list 11 deny 160.5.68.0 0.0.0.255
access-list 11 permit any
access-list 165 deny ip host 160.5.68.0 255.255.255.0 0.0.0.255
access-list 165 permit ip any any
access-list 200 permit 0x0000 0x0D0D
access-list 200 deny 0x0000 0xFFFF
route-map supp permit 10
match ip address 10
!
route-map suppress permit 10
match ip address 165
!
bridge 1 protocol ieee
bridge 10 protocol ieee
!
line con 0
exec-timeout 0 0
transport input none
line aux 0
line vty 0 4
password ww
login
!
end
R2514-4M-R4#sh run
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R2514-4M-R4
!
!
username R2514-4K-R1 password 0 cisco
username bangalore password 0 cisco
ip subnet-zero
no ip domain-lookup
isdn switch-type basic-ni
!
!
!
interface Loopback0
ip address 4.4.4.4 255.255.255.255
no ip directed-broadcast
!
interface Ethernet0
ip address 160.5.54.4 255.255.255.0
no ip directed-broadcast
!
interface Serial0
ip address 150.100.1.5 255.255.255.0
no ip directed-broadcast
no ip mroute-cache
no fair-queue
!
interface Serial1
no ip address
no ip directed-broadcast
shutdown
!
interface BRI0
ip address 160.5.14.2 255.255.255.252
no ip directed-broadcast
encapsulation ppp
dialer idle-timeout 300
dialer map ip 160.5.14.1 name bangalore broadcast 4349062
dialer-group 1
isdn switch-type basic-ni
isdn spid1 40843490640101 4349064
isdn spid2 40843490650101 4349065
no peer neighbor-route
ppp authentication chap callin
ppp chap hostname mumbai
ppp chap password 7 060506324F41
ppp multilink
!
router ospf 1
area 45 virtual-link 160.5.68.1 authentication message-digest
area 45 virtual-link 160.5.68.1 message-digest-key 1 md5 cisco
redistribute connected subnets
redistribute rip subnets
network 150.100.1.5 0.0.0.0 area 4
network 160.5.14.2 0.0.0.0 area 14
network 160.5.54.0 0.0.0.255 area 45
!
router rip
network 150.100.0.0
distribute-list 3 out ospf 1
distribute-list 4 out Serial0
!
router bgp 65040
no synchronization
bgp confederation identifier 5000
bgp confederation peers 65050
network 4.4.4.4 mask 255.255.255.255
neighbor 5.5.5.5 remote-as 65050
neighbor 5.5.5.5 ebgp-multihop 3
neighbor 5.5.5.5 update-source Loopback0
!
ip classless
!
access-list 2 deny 160.5.0.0
access-list 2 deny 150.100.0.0 0.0.255.255
access-list 2 permit any
access-list 3 permit 195.1.0.0 0.0.30.0
access-list 4 permit 160.5.0.0 0.0.255.255
access-list 105 permit ip any host 255.255.255.255
dialer-list 1 protocol ip permit
route-map RIP-OSPF permit 10
match ip address 3
!
line con 0
session-timeout 500
exec-timeout 0 0
transport input none
line aux 0
line vty 0 4
password cisco
login
!
end
R4 debug message:
03:26:42: OSPF: Rcv pkt from 160.5.54.5, Ethernet0 : Mismatch Authentication Key - Message Digest Key 1
03:26:46: OSPF: Send with youngest Key 1
R5 debug message:
*Nov 22 17:56:56: OSPF: Rcv pkt from 160.5.54.4, Ethernet1 : Mismatch Authentication Key - Message Digest Key 1
*Nov 22 17:56:56: OSPF: Send with youngest Key 1
At 10:10 PM 10/29/2001 +0100, Jon CCIE-study Account wrote:
>Hi Eric
>
>If you have tried to enable MD authentication on BOTH routers could you
>provide us with the configurations and debugs from both routers from the
>non-working example?
>
>Best regards,
>Jon
>----- Original Message -----
>From: "Eric Sarraf" <esarraf@cisco.com>
>To: <ccielab@groupstudy.com>
>Sent: Monday, October 29, 2001 6:50 PM
>Subject: Virtual Link Authentication
>
>
> > I have enabled message-digest authentication on area 0. There is also a
> > virtual link between my two routers R4 and R5 residing on area 45 (R5 also
> > resides on area 0). I have also enabled authentication on the virtual link.
> > Things work fine with below configurations. However, if I replace "area
> > 45 virtual-link 4.4.4.4 authentication" with "area 45 virtual-link 4.4.4.4
> > authentication message digest" I get the following error on both routers:
> >
> > 1w1d: OSPF: Rcv pkt from 160.5.54.5, Ethernet0 : Mismatch Authentication Key - Message Digest Key 1
> >
> > Why can't I have "message-digest" on my virtual link statement?
> >
> > Thanks, Eric
> >
> > R5 router:
> >
> > router ospf 1
> > log-adjacency-changes
> > area 0 authentication message-digest
> > area 45 virtual-link 4.4.4.4 authentication
> > area 45 virtual-link 4.4.4.4 message-digest-key 1 md5 cisco
> > area 55 range 160.5.64.0 255.255.248.0
> > redistribute connected subnets
> > network 160.5.1.0 0.0.0.255 area 0
> > network 160.5.53.0 0.0.0.255 area 5
> > network 160.5.54.0 0.0.0.255 area 45
> > network 160.5.64.0 0.0.7.255 area 55
> > neighbor 160.5.1.1
> > neighbor 160.5.1.3
> >
> >
> > R4 router:
> >
> > router ospf 1
> > area 45 virtual-link 160.5.68.1 authentication
> > area 45 virtual-link 160.5.68.1 message-digest-key 1 md5 cisco
> > redistribute connected subnets
> > redistribute rip subnets
> > network 150.100.1.5 0.0.0.0 area 4
> > network 160.5.14.2 0.0.0.0 area 14
> > network 160.5.54.0 0.0.0.255 area 45
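
Added example, not part of the original thread: a Python check of the two virtual-link configs quoted above, comparing each end's virtual-link target with the other router's derived router-id, and the authentication type and key ids on both ends. It assumes the usual IOS router-id selection order (explicit router-id, then highest loopback address, then highest other interface address) and that every listed interface was up when OSPF started; the function names are hypothetical.

```python
import ipaddress
import re

# Excerpts of the R5 and R4 configs quoted in this thread (other lines trimmed).
R5 = """interface Loopback0
 ip address 5.5.5.5 255.255.255.255
interface Loopback4
 ip address 160.5.68.1 255.255.255.0
router ospf 1
 area 45 virtual-link 4.4.4.4 authentication message-digest
 area 45 virtual-link 4.4.4.4 message-digest-key 1 md5 cisco"""
R4 = """interface Loopback0
 ip address 4.4.4.4 255.255.255.255
interface Ethernet0
 ip address 160.5.54.4 255.255.255.0
router ospf 1
 area 45 virtual-link 160.5.68.1 authentication message-digest
 area 45 virtual-link 160.5.68.1 message-digest-key 1 md5 cisco"""

def router_id(cfg):
    """Assumed rule: explicit router-id, else highest loopback, else highest interface."""
    explicit = re.search(r"^\s*router-id (\S+)", cfg, re.M)
    if explicit:
        return explicit.group(1)
    ranked, name = [], ""  # (is_loopback, address): a loopback outranks any other interface
    for line in cfg.splitlines():
        words = line.split()
        if words[:1] == ["interface"]:
            name = words[1]
        elif words[:2] == ["ip", "address"] and words[2][0].isdigit():
            ranked.append((name.lower().startswith("loopback"), ipaddress.ip_address(words[2])))
    return str(max(ranked)[1])

def virtual_link(cfg):
    """Return (peer router-id, auth type, {key id: key}) from the virtual-link lines."""
    peer, auth, keys = None, "unset", {}
    for peer, rest in re.findall(r"^\s*area \S+ virtual-link (\S+)(.*)$", cfg, re.M):
        opts = rest.split()
        if opts[:1] == ["authentication"]:
            auth = opts[1] if len(opts) > 1 else "simple"
        elif opts[:1] == ["message-digest-key"]:
            keys[int(opts[1])] = opts[3]
    return peer, auth, keys

def audit(a, b):
    """Return what the two ends of a virtual link disagree on (empty list: consistent)."""
    (peer_a, auth_a, keys_a), (peer_b, auth_b, keys_b) = virtual_link(a), virtual_link(b)
    checks = [("peer router-id", peer_a, router_id(b)), ("peer router-id", peer_b, router_id(a)),
              ("authentication type", auth_a, auth_b), ("message-digest keys", keys_a, keys_b)]
    return [f"{what}: {x} != {y}" for what, x, y in checks if x != y]
```

Calling `audit(R5, R4)` returns the list of disagreements between the two ends; the router-id a running router actually uses should still be confirmed with `show ip ospf`, since it is fixed when the OSPF process starts.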