From: Albert Lu (albert_ccie@xxxxxxxxx)
Date: Tue Nov 20 2001 - 19:58:30 GMT-3
Bill,
Now you got me a little confused =). Which is good, maybe I can learn
something.
Looking at your config, you have two virtual links going to two different
ABR routers 1.1.1.1 and 4.4.4.4. Let's focus on the virtual link to 1.1.1.1.
Area 0 is doing MD5 authentication, area 10 is not doing authentication, but
the virtual link going over Area 10 is doing MD5 authentication.
I just tried it out, and it works. I think what made it work was the 'area
10 virtual-link 1.1.1.1 authentication message-digest' statement on the
remote router. I've always done it by putting 'area 0 authentication
message-digest' on the remote router, since CCO described it that way:
http://www.cisco.com/warp/public/104/27.html
Now, I'm a bit confused on the difference with your method and CCO's method??
It seems like 'show ip ospf virtual-link' always shows the virtual link as
up, but when it really works it gives you this message: 1d01h:
%OSPF-5-ADJCHG: Process 10, Nbr 200.0.0.7 on OSPF_VL0 from LOADING to FULL,
Loading Done
Albert
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Bill Reilly
Sent: Wednesday, November 21, 2001 9:11 AM
To: Albert Lu
Cc: ccielab@groupstudy.com
Subject: Re: Virtual Link Auth Again
Albert,
The config below worked. Because the remote router has to authenticate
through area 10 I did not need the area 0 auth message-digest there.
However I did need in my Area 0 router to authenticate.
Bill
Albert Lu wrote:
>Bill,
>
>I think you need 'area 0 authentication message-digest' for the virtual link
>to be doing authentication, since the virtual link is like a link into area
>0.
>
>Albert
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>Bill Reilly
>Sent: Monday, November 12, 2001 11:56 AM
>To: Steve O'Ney; ccielab@groupstudy.com
>Subject: Re: Virtual Link Auth Again
>
>
>Sure.
>
>Here is my area 0 router:
>
>The VL is coming in over the e0 interface, but because I am only trying to
>authenticate the VL router I do not put any authentication information
>there, it is under the ospf process.
>
>!
>interface Ethernet0
> ip address 10.0.1.1 255.255.255.0
> ip ospf priority 100
> no keepalive
>!
>interface Serial0
> ip address 130.10.1.1 255.255.255.0
> encapsulation frame-relay
> ip ospf message-digest-key 1 md5 cisco
> ip ospf priority 100
>!
>router ospf 64733
> network 10.0.1.0 0.0.0.255 area 10
> network 130.10.1.0 0.0.0.255 area 0
> network 1.1.1.0 0.0.0.255 area 1
> neighbor 130.10.1.6 priority 4
> neighbor 130.10.1.5 priority 2
> area 0 authentication message-digest
> area 10 virtual-link 5.5.5.5 message-digest-key 1 md5 cisco
>
>Here is my remote router:
>
>interface Ethernet0/0
> ip address 10.0.1.22 255.255.255.0
> full-duplex
> service-policy output QoS-Policy
>!
>interface Serial1/0
> ip address 50.40.1.1 255.255.255.252
> no ip mroute-cache
> clockrate 128000
>!
>router ospf 64733
> log-adjacency-changes
> area 5 virtual-link 4.4.4.4
> area 10 virtual-link 1.1.1.1 authentication message-digest
> area 10 virtual-link 1.1.1.1 message-digest-key 1 md5 cisco
> network 10.0.1.0 0.0.0.255 area 10
> network 50.40.1.0 0.0.0.255 area 5
>
>Bill
>
>Steve O'Ney wrote:
>
>>Bill,
>>
>>Could I get a sample config from your router?
>>
>>Thanks
>>
>>Steve
>>
>>----- Original Message -----
>>From: "Bill Reilly" <william.j.reilly@verizon.net>
>>To: "Steve O'Ney" <soney@proaptiv.com>; <ccielab@groupstudy.com>
>>Sent: Sunday, November 11, 2001 5:16 PM
>>Subject: Re: Virtual Link Auth Again
>>
>>>Steve,
>>>
>>>When you use the command listed below, you set up plain text authentication on
>>>both routers. This is the type 1 part of the message in the clip I sent.
>>>
>>>I was able to get this working, then changed my authentication type to
>>>message-digest with md5. Once I set my area 0 auth to message-digest and set up
>>>my keys on both my area 0 router and my remote router everything came up.
>>>
>>>Thanks,
>>>Bill
>>>
>>>Steve O'Ney wrote:
>>>
>>>>Bill,
>>>>
>>>>I have knocked my head against the wall on several occasions over this and I
>>>>have found a fix, type this command on both ends of your virtual link. I
>>>>can't say why this works because I don't have a clue, I can't find it
>>>>anywhere but this is what worked for me:
>>>>
>>>>area [#] virtual-link X.X.X.X authentication
>>>>
>>>>don't ask me why but it works.
>>>>
>>>>Steve
>>>>
>>>>----- Original Message -----
>>>>From: "Bill Reilly" <william.j.reilly@verizon.net>
>>>>To: <ccielab@groupstudy.com>
>>>>Sent: Sunday, November 11, 2001 11:36 AM
>>>>Subject: Virtual Link Auth Again
>>>>
>>>>>I have been working on some VL labs with and without different types of
>>>>>authentication. Now the first issue I have is some of my routers are
>>>>>running 11.2 and some are running 12.1. I suspect my issue resides in
>>>>>the differences in IOS, but what I am seeing is when I try to use
>>>>>message-digest I am not able to authenticate my VL.
>>>>>
>>>>>My debug output on both routers states "Rcv pkt from 10.0.1.22,
>>>>>Ethernet0 : Mismatch Authentication type. Input packet specified type 0, we use type 1"
>>>>>
>>>>>Any help would be appreciated.
>>>>>
>>>>>Bill
>>>>>
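
Added example, not part of the original thread or any poster's code: a small Python check that works out which OSPF authentication type (AuType 0, 1 or 2) each end of a virtual link will send, which is what the "Mismatch Authentication type" debug line in the thread is comparing. It assumes a virtual link inherits area 0's authentication type unless the virtual-link statement carries its own 'authentication' keyword; the router IDs 1.1.1.1 and 5.5.5.5, the EXAMPLE-KEY placeholder, the function names and the sample configs are constructed for illustration.

```python
import re

# OSPF header AuType: 0 = null, 1 = simple password, 2 = cryptographic (MD5)
def _autype(keyword):
    """AuType selected by the optional keyword after 'authentication'."""
    return {"message-digest": 2, "null": 0}.get(keyword, 1)

def virtual_link_auth(config):
    """Map (transit_area, neighbor_rid) -> effective AuType for one router."""
    area0, links = 0, {}
    for line in map(str.strip, config.splitlines()):
        m = re.fullmatch(r"area (?:0|0\.0\.0\.0) authentication(?: (\S+))?", line)
        if m:
            area0 = _autype(m.group(1))
            continue
        m = re.match(r"area (\S+) virtual-link (\S+)(?: (.*))?$", line)
        if m:
            key, opts = (m.group(1), m.group(2)), (m.group(3) or "").split()
            links.setdefault(key, None)
            if opts and opts[0] == "authentication":   # per-link override
                links[key] = _autype(opts[1] if len(opts) > 1 else None)
    # A virtual link is an area 0 adjacency: no override means area 0's type.
    return {k: area0 if v is None else v for k, v in links.items()}

def compare_ends(cfg_a, rid_a, cfg_b, rid_b, area):
    """Return (AuType A sends, AuType B sends, True if they agree)."""
    a = virtual_link_auth(cfg_a).get((area, rid_b))
    b = virtual_link_auth(cfg_b).get((area, rid_a))
    return a, b, a is not None and a == b

# Constructed configs modelled on the thread; key replaced by a placeholder.
AREA0_ROUTER = """
router ospf 64733
 area 0 authentication message-digest
 area 10 virtual-link 5.5.5.5 message-digest-key 1 md5 EXAMPLE-KEY
"""
REMOTE_PER_LINK = """
router ospf 64733
 area 10 virtual-link 1.1.1.1 authentication message-digest
 area 10 virtual-link 1.1.1.1 message-digest-key 1 md5 EXAMPLE-KEY
"""
REMOTE_AREA0 = REMOTE_PER_LINK.replace(
    "area 10 virtual-link 1.1.1.1 authentication message-digest",
    "area 0 authentication message-digest")
REMOTE_NONE = "router ospf 64733\n area 10 virtual-link 1.1.1.1\n"

if __name__ == "__main__":
    for name, cfg in [("per-link", REMOTE_PER_LINK), ("area 0", REMOTE_AREA0), ("none", REMOTE_NONE)]:
        print(name, compare_ends(AREA0_ROUTER, "1.1.1.1", cfg, "5.5.5.5", "10"))
```

Both the per-link statement and the area 0 statement on the remote router resolve to AuType 2, which is why either method brings the adjacency to FULL; with neither, the remote end sends AuType 0 and the link stays unauthenticated on one side.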