RE: Virtual Link Auth Again

From: Albert Lu (albert_ccie@xxxxxxxxx)
Date: Tue Nov 20 2001 - 23:02:15 GMT-3


   
Bill,

I see what you're saying, you had IOS incompatibility issues. So if you had
all 12.1 routers, what would be the most correct and best way of doing this?

Albert

-----Original Message-----
From: Bill Reilly [mailto:william.j.reilly@verizon.net]
Sent: Wednesday, November 21, 2001 12:57 PM
To: albert_ccie@yahoo.com
Cc: ccielab@groupstudy.com
Subject: Re: Virtual Link Auth Again

I think if you read the beginning of this string, I had routers with
very different IOS images 11.1 and 12.1 and for some reason this did not
work correctly. What I came up with was a workaround, but I did try this
first.

Albert Lu wrote:

>Have you had a look at the CCO I included about virtual link authentication.
>Could you have done it that way, if not then what were the requirements that
>did not allow you to do so?
>
>Thanks
>
>Albert
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>Bill Reilly
>Sent: Wednesday, November 21, 2001 11:57 AM
>To: albert_ccie@yahoo.com
>Cc: ccielab@groupstudy.com
>Subject: Re: Virtual Link Auth Again
>
>
>My goal was to only authenticate area 0 connections. So all routers in
>area 10 did not have to auth. to each other, that is why you do not see
>an area 10 authenticate message-digest. Since the VL must connect to
>area 0 it must be doing md5 auth. All other connections in area 10 are
>free to connect with any other router in area 10.
>
>Probably not the best practice but it was my lab.
>
>Bill
>
>Albert Lu wrote:
>
>>Bill,
>>
>>Now you got me a little confused =). Which is good, maybe I can learn
>>something.
>>
>>Looking at your config, you have two virtual links going to two different
>>ABR routers 1.1.1.1 and 4.4.4.4. Let's focus on the virtual link to 1.1.1.1.
>>
>>Area 0 is doing MD5 authentication, area 10 is not doing authentication, but
>>the virtual link going over Area 10 is doing MD5 authentication.
>>
>>I just tried it out, and it works. I think what made it work was the 'area
>>10 virtual-link 1.1.1.1 authentication message-digest' statement on the
>>remote router. I've always done it by putting 'area 0 authentication
>>message-digest' on the remote router, since CCO described it that way:
>>
>>http://www.cisco.com/warp/public/104/27.html
>>
>>Now, I'm a bit confused on the difference with your method and CCO's method??
>>
>>It seems like 'show ip ospf virtual-link' always shows the virtual link as
>>up, but when it really works it gives you this message: 1d01h:
>>%OSPF-5-ADJCHG: Process 10, Nbr 200.0.0.7 on OSPF_VL0 from LOADING to FULL,
>>Loading Done
>>
>>Albert
>>
>>-----Original Message-----
>>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>>Bill Reilly
>>Sent: Wednesday, November 21, 2001 9:11 AM
>>To: Albert Lu
>>Cc: ccielab@groupstudy.com
>>Subject: Re: Virtual Link Auth Again
>>
>>
>>Albert,
>>
>>The config below worked. Because the remote router has to authenticate
>>through area 10 I did not need the area 0 auth message-digest there.
>>However I did need in my Area 0 router to authenticate.
>>
>>Bill
>>
>>Albert Lu wrote:
>>
>>>Bill,
>>>
>>>I think you need 'area 0 authentication message-digest' for the virtual link
>>>to be doing authentication, since the virtual link is like a link into area
>>>0.
>>>
>>>Albert
>>>
>>>-----Original Message-----
>>>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>>>Bill Reilly
>>>Sent: Monday, November 12, 2001 11:56 AM
>>>To: Steve O'Ney; ccielab@groupstudy.com
>>>Subject: Re: Virtual Link Auth Again
>>>
>>>
>>>Sure.
>>>
>>>Here is my area 0 router:
>>>
>>>The VL is coming in over the e0 interface, but because I am only trying to
>>>authenticate the VL router I do not put any authentication information
>>>there, it is under the ospf process.
>>>
>>>!
>>>interface Ethernet0
>>>ip address 10.0.1.1 255.255.255.0
>>>ip ospf priority 100
>>>no keepalive
>>>!
>>>interface Serial0
>>>ip address 130.10.1.1 255.255.255.0
>>>encapsulation frame-relay
>>>ip ospf message-digest-key 1 md5 cisco
>>>ip ospf priority 100
>>>!
>>>router ospf 64733
>>>network 10.0.1.0 0.0.0.255 area 10
>>>network 130.10.1.0 0.0.0.255 area 0
>>>network 1.1.1.0 0.0.0.255 area 1
>>>neighbor 130.10.1.6 priority 4
>>>neighbor 130.10.1.5 priority 2
>>>area 0 authentication message-digest
>>>area 10 virtual-link 5.5.5.5 message-digest-key 1 md5 cisco
>>>
>>>Here is my remote router:
>>>
>>>interface Ethernet0/0
>>>ip address 10.0.1.22 255.255.255.0
>>>full-duplex
>>>service-policy output QoS-Policy
>>>!
>>>interface Serial1/0
>>>ip address 50.40.1.1 255.255.255.252
>>>no ip mroute-cache
>>>clockrate 128000
>>>!
>>>router ospf 64733
>>>log-adjacency-changes
>>>area 5 virtual-link 4.4.4.4
>>>area 10 virtual-link 1.1.1.1 authentication message-digest
>>>area 10 virtual-link 1.1.1.1 message-digest-key 1 md5 cisco
>>>network 10.0.1.0 0.0.0.255 area 10
>>>network 50.40.1.0 0.0.0.255 area 5
>>>
>>>Bill
>>>
>>>Steve O'Ney wrote:
>>>
>>>>Bill,
>>>>
>>>>Could I get a sample config from your router?
>>>>
>>>>Thanks
>>>>
>>>>Steve
>>>>
>>>>----- Original Message -----
>>>>From: "Bill Reilly" <william.j.reilly@verizon.net>
>>>>To: "Steve O'Ney" <soney@proaptiv.com>; <ccielab@groupstudy.com>
>>>>Sent: Sunday, November 11, 2001 5:16 PM
>>>>Subject: Re: Virtual Link Auth Again
>>>>
>>>>>Steve,
>>>>>
>>>>>When you use the command listed below, you set up plain text authentication on
>>>>>both routers. This is the type 1 part of the message in the clip I sent.
>>>>>I was able to get this working, then changed my authentication type to
>>>>>message-digest with md5. Once I set my area 0 auth to message-digest and set up
>>>>>my keys on both my area 0 router and my remote router everything came up.
>>>
>>>>>Thanks,
>>>>>Bill
>>>>>
>>>>>Steve O'Ney wrote:
>>>>>
>>>>>>Bill,
>>>>>>
>>>>>>I have knocked my head against the wall on several occasions over this and I
>>>>>>have found a fix, type this command on both ends of your virtual link. I
>>>>>>can't say why this works because I don't have a clue, I can't find it
>>>>>>anywhere but this is what worked for me:
>>>>>>
>>>>>>area [#] virtual-link X.X.X.X authentication
>>>>>>
>>>>>>don't ask me why but it works.
>>>>>>
>>>>>>Steve
>>>>>>
>>>>>>----- Original Message -----
>>>>>>From: "Bill Reilly" <william.j.reilly@verizon.net>
>>>>>>To: <ccielab@groupstudy.com>
>>>>>>Sent: Sunday, November 11, 2001 11:36 AM
>>>>>>Subject: Virtual Link Auth Again
>>>>>>
>>>>>>>I have been working on some VL labs with and without different types of
>>>>>>>authentication. Now the first issue I have is some of my routers are
>>>>>>>running 11.2 and some are running 12.1. I suspect my issue resides in
>>>>>>>the differences in IOS, but what I am seeing is when I try to use
>>>>>>>message-digest I am not able to authenticate my VL.
>>>>>>>
>>>>>>>My debug output on both routers states "Rcv pkt from 10.0.1.22,
>>>>>>>Ethernet0 : Mismatch Authentication type. Input packet specified type 0, we use type 1"
>>>>>>>
>>>>>>>Any help would be appreciated.
>>>>>>>
>>>>>>>Bill
>>>>>>>
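
Added example, not part of any poster's message or of Cisco's documentation: a small Python check that works out the authentication type each end of a virtual link will use and flags a mismatch before the adjacency fails. It assumes the OSPF AuType numbering from RFC 2328 (0 null, 1 simple, 2 MD5), that a virtual link inherits the area 0 authentication type unless a per-link 'authentication' keyword overrides it, and router IDs 1.1.1.1 and 5.5.5.5 taken from the virtual-link statements in the thread; the function names are hypothetical.

```python
# OSPF AuType (RFC 2328): 0 = null, 1 = simple password, 2 = cryptographic (MD5)
AUTYPE = {"null": 0, "simple": 1, "message-digest": 2}
def vlink_auth(config):
    """Map neighbor router ID -> (effective AuType, MD5 key present) for one router."""
    backbone, links = 0, {}
    for line in config.splitlines():
        w = line.split()
        if len(w) < 3 or w[0] != "area":
            continue
        if w[2] == "authentication" and w[1] in ("0", "0.0.0.0"):
            backbone = AUTYPE.get(w[3], 1) if len(w) > 3 else 1
        elif w[2] == "virtual-link" and len(w) > 3:
            link = links.setdefault(w[3], {"autype": None, "key": False})
            if w[4:5] == ["authentication"]:
                link["autype"] = AUTYPE.get(w[5], 1) if len(w) > 5 else 1
            link["key"] = link["key"] or "message-digest-key" in w[4:]
    # Assumption: a virtual link is an area 0 interface, so it inherits area 0's type
    return {rid: (backbone if v["autype"] is None else v["autype"], v["key"])
            for rid, v in links.items()}

def check_vlink(cfg_a, rid_a, cfg_b, rid_b):
    """Return findings for the virtual link between routers rid_a and rid_b."""
    a, b = vlink_auth(cfg_a).get(rid_b), vlink_auth(cfg_b).get(rid_a)
    if a is None or b is None:
        return ["virtual link not configured on both ends"]
    findings = []
    if a[0] != b[0]:
        findings.append(f"AuType mismatch: {rid_a} uses type {a[0]}, {rid_b} uses type {b[0]}")
    for rid, (autype, key) in ((rid_a, a), (rid_b, b)):
        if autype == 2 and not key:
            findings.append(f"{rid}: type 2 but no message-digest-key on the virtual link")
    return findings

# Constructed from the 'router ospf' sections in the thread (router IDs assumed)
AREA0_RTR = """router ospf 64733
 area 0 authentication message-digest
 area 10 virtual-link 5.5.5.5 message-digest-key 1 md5 cisco
"""
REMOTE_RTR = """router ospf 64733
 area 5 virtual-link 4.4.4.4
 area 10 virtual-link 1.1.1.1 authentication message-digest
 area 10 virtual-link 1.1.1.1 message-digest-key 1 md5 cisco
"""
# Variants: per-link auth line removed; then area-wide statement added (CCO style)
REMOTE_NO_AUTH = REMOTE_RTR.replace(" area 10 virtual-link 1.1.1.1 authentication message-digest\n", "")
REMOTE_AREA0 = REMOTE_NO_AUTH + " area 0 authentication message-digest\n"

if __name__ == "__main__":
    for cfg in (REMOTE_RTR, REMOTE_NO_AUTH, REMOTE_AREA0):
        print(check_vlink(AREA0_RTR, "1.1.1.1", cfg, "5.5.5.5") or "consistent")
```

Under those assumptions the per-link keyword and the area 0 statement both give type 2 on the remote end, while the key alone leaves it at type 0 and the check reports the mismatch.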



This archive was generated by hypermail 2.1.4 : Fri Jun 21 2002 - 06:45:19 GMT-3