RE: Virtual Link Auth Again

From: Albert Lu (albert_ccie@xxxxxxxxx)
Date: Tue Nov 20 2001 - 22:24:22 GMT-3


   
Have you had a look at the CCO I included about virtual link authentication?
Could you have done it that way? If not, then what were the requirements that
did not allow you to do so?

Thanks

Albert

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Bill Reilly
Sent: Wednesday, November 21, 2001 11:57 AM
To: albert_ccie@yahoo.com
Cc: ccielab@groupstudy.com
Subject: Re: Virtual Link Auth Again

My goal was to only authenticate area 0 connections. So all routers in
area 10 did not have to auth. to each other, that is why you do not see
an area 10 authenticate message-digest. Since the VL must connect to
area 0 it must be doing md5 auth. All other connections in area 10 are
free to connect with any other router in area 10.

Probably not the best practice but it was my lab.

Bill

Albert Lu wrote:

>Bill,
>
>Now you got me a little confused =). Which is good, maybe I can learn
>something.
>
>Looking at your config, you have two virtual links going to two different
>ABR routers 1.1.1.1 and 4.4.4.4. Let's focus on the virtual link to 1.1.1.1.
>
>Area 0 is doing MD5 authentication, area 10 is not doing authentication,
>but the virtual link going over Area 10 is doing MD5 authentication.
>
>I just tried it out, and it works. I think what made it work was the 'area
>10 virtual-link 1.1.1.1 authentication message-digest' statement on the
>remote router. I've always done it by putting 'area 0 authentication
>message-digest' on the remote router, since CCO described it that way:
>
>http://www.cisco.com/warp/public/104/27.html
>
>Now, I'm a bit confused on the difference with your method and CCO's
>method??
>
>
>It seems like 'show ip ospf virtual-link' always shows the virtual link as
>up, but when it really works it gives you this message: 1d01h:
>%OSPF-5-ADJCHG: Process 10, Nbr 200.0.0.7 on OSPF_VL0 from LOADING to FULL,
>Loading Done
>
>Albert
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>Bill Reilly
>Sent: Wednesday, November 21, 2001 9:11 AM
>To: Albert Lu
>Cc: ccielab@groupstudy.com
>Subject: Re: Virtual Link Auth Again
>
>
>Albert,
>
>The config below worked. Because the remote router has to authenticate
>through area 10 I did not need the area 0 auth message-digest there.
>However I did need in my Area 0 router to authenticate.
>
>Bill
>
>Albert Lu wrote:
>
>>Bill,
>>
>>I think you need 'area 0 authentication message-digest' for the virtual
>>link to be doing authentication, since the virtual link is like a link into
>>area 0.
>>
>>Albert
>>
>>-----Original Message-----
>>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>>Bill Reilly
>>Sent: Monday, November 12, 2001 11:56 AM
>>To: Steve O'Ney; ccielab@groupstudy.com
>>Subject: Re: Virtual Link Auth Again
>>
>>
>>Sure.
>>
>>Here is my area 0 router:
>>
>>The VL is coming in over the e0 interface, but because I am only trying to
>>authenticate the VL router I do not put any authentication information
>>there, it is under the ospf process.
>>
>>!
>>interface Ethernet0
>> ip address 10.0.1.1 255.255.255.0
>> ip ospf priority 100
>> no keepalive
>>!
>>interface Serial0
>> ip address 130.10.1.1 255.255.255.0
>> encapsulation frame-relay
>> ip ospf message-digest-key 1 md5 cisco
>> ip ospf priority 100
>>!
>>router ospf 64733
>> network 10.0.1.0 0.0.0.255 area 10
>> network 130.10.1.0 0.0.0.255 area 0
>> network 1.1.1.0 0.0.0.255 area 1
>> neighbor 130.10.1.6 priority 4
>> neighbor 130.10.1.5 priority 2
>> area 0 authentication message-digest
>> area 10 virtual-link 5.5.5.5 message-digest-key 1 md5 cisco
>>
>>Here is my remote router:
>>
>>interface Ethernet0/0
>> ip address 10.0.1.22 255.255.255.0
>> full-duplex
>> service-policy output QoS-Policy
>>!
>>interface Serial1/0
>> ip address 50.40.1.1 255.255.255.252
>> no ip mroute-cache
>> clockrate 128000
>>!
>>router ospf 64733
>> log-adjacency-changes
>> area 5 virtual-link 4.4.4.4
>> area 10 virtual-link 1.1.1.1 authentication message-digest
>> area 10 virtual-link 1.1.1.1 message-digest-key 1 md5 cisco
>> network 10.0.1.0 0.0.0.255 area 10
>> network 50.40.1.0 0.0.0.255 area 5
>>
>>Bill
>>
>>Steve O'Ney wrote:
>>
>>>Bill,
>>>
>>>Could I get a sample config from your router?
>>>
>>>Thanks
>>>
>>>Steve
>>>
>>>----- Original Message -----
>>>From: "Bill Reilly" <william.j.reilly@verizon.net>
>>>To: "Steve O'Ney" <soney@proaptiv.com>; <ccielab@groupstudy.com>
>>>Sent: Sunday, November 11, 2001 5:16 PM
>>>Subject: Re: Virtual Link Auth Again
>>>
>>>>Steve,
>>>>
>>>>When you use the command listed below, you set up plain text
>>>>authentication on both routers. This is the type 1 part of the message in
>>>>the clip I sent.
>>>>
>>>>I was able to get this working, then changed my authentication type to
>>>>message-digest with md5. Once I set my area 0 auth to message-digest and
>>>>set up my keys on both my area 0 router and my remote router everything
>>>>came up.
>>>>
>>
>>>>Thanks,
>>>>Bill
>>>>
>>>>Steve O'Ney wrote:
>>>>
>>>>>Bill,
>>>>>
>>>>>I have knocked my head against the wall on several occasions over this
>>>>>and I have found a fix, type this command on both ends of your virtual
>>>>>link. I can't say why this works because I don't have a clue, I can't
>>>>>find it anywhere but this is what worked for me:
>>>>>
>>>>>area [#] virtual-link X.X.X.X authentication
>>>>>
>>>>>don't ask me why but it works.
>>>>>
>>>>>Steve
>>>>>
>>>>>----- Original Message -----
>>>>>From: "Bill Reilly" <william.j.reilly@verizon.net>
>>>>>To: <ccielab@groupstudy.com>
>>>>>Sent: Sunday, November 11, 2001 11:36 AM
>>>>>Subject: Virtual Link Auth Again
>>>>>
>>>>>>I have been working on some VL labs with and without different types of
>>>>>>authentication. Now the first issue I have is some of my routers are
>>>>>>running 11.2 and some are running 12.1. I suspect my issue resides in
>>>>>>the differences in IOS, but what I am seeing is when I try to use
>>>>>>message-digest I am not able to authenticate my VL.
>>>>>>
>>>>>>My debug output on both routers states "Rcv pkt from 10.0.1.22,
>>>>>>Ethernet0 : Mismatch Authentication type. Input packet specified type 0,
>>>>>>we use type 1"
>>>>>>
>>>>>>Any help would be appreciated.
>>>>>>
>>>>>>Bill
>>>>>>
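
Added example (not part of the thread, not code from any poster): a small Python check that works out the OSPF authentication type each end of a virtual link will use and flags the kind of mismatch reported in the debug output above. It assumes the IOS rule that a virtual link takes the area 0 authentication setting unless the `virtual-link` command carries its own `authentication` keyword; the function names and the abridged configs are constructed for illustration.

```python
import re

# Constructed from the OSPF process lines of the two configs quoted in the thread.
AREA0_ROUTER = """router ospf 64733
 area 0 authentication message-digest
 area 10 virtual-link 5.5.5.5 message-digest-key 1 md5 cisco
"""
REMOTE_ROUTER = """router ospf 64733
 area 5 virtual-link 4.4.4.4
 area 10 virtual-link 1.1.1.1 authentication message-digest
 area 10 virtual-link 1.1.1.1 message-digest-key 1 md5 cisco
"""

# OSPF AuType: 0 = null, 1 = simple password, 2 = MD5. Bare keyword means type 1.
AUTYPE = {None: 1, "null": 0, "message-digest": 2}
AUTH_RE = re.compile(r"\bauthentication(?!-)(?:\s+(message-digest|null)(?![-\w]))?")
VLINK_RE = re.compile(r"^\s*area\s+\S+\s+virtual-link\s+(\S+)(.*)$")
AREA0_RE = re.compile(r"^\s*area\s+(?:0|0\.0\.0\.0)\s+authentication(?!-)(.*)$")


def vlink_auth(config):
    """Return {peer_router_id: (AuType, set of MD5 key ids)} for each virtual link."""
    area_type, links = 0, {}
    for line in config.splitlines():
        m = AREA0_RE.match(line)
        if m:
            area_type = 2 if "message-digest" in m.group(1) else 1
            continue
        m = VLINK_RE.match(line)
        if not m:
            continue
        peer, opts = m.groups()
        link = links.setdefault(peer, {"type": None, "keys": set()})
        a = AUTH_RE.search(opts)
        if a:
            link["type"] = AUTYPE[a.group(1)]  # per-link setting overrides area 0
        link["keys"].update(int(k) for k in re.findall(r"message-digest-key\s+(\d+)", opts))
    # Assumption: links without their own setting inherit the area 0 type.
    return {p: (area_type if l["type"] is None else l["type"], l["keys"])
            for p, l in links.items()}


def check_pair(cfg_a, peer_of_a, cfg_b, peer_of_b):
    """Compare both ends of one virtual link; return (AuType_a, AuType_b, ok)."""
    (ta, ka), (tb, kb) = vlink_auth(cfg_a)[peer_of_a], vlink_auth(cfg_b)[peer_of_b]
    # ok: same AuType on both ends and, for MD5, at least one shared key id.
    return ta, tb, ta == tb and (ta != 2 or bool(ka & kb))


if __name__ == "__main__":
    print(check_pair(AREA0_ROUTER, "5.5.5.5", REMOTE_ROUTER, "1.1.1.1"))
```

Removing the per-link `authentication message-digest` line from the remote config leaves that end at type 0 against type 2 on the area 0 router, so the check reports the pair as not matching.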



This archive was generated by hypermail 2.1.4 : Fri Jun 21 2002 - 06:45:19 GMT-3