From: Mas Kato (loomis_towcar@xxxxxxxxxxxxxx)
Date: Wed Nov 21 2001 - 23:11:12 GMT-3
Forgive me if you've already drawn these conclusions, but for some reason, the
messages I receive from this list are usually out of order...
On earlier (pre-12.something) releases of the IOS you could only do per-router
OSPF authentication. When you create a virtual-link on a non-backbone router you
basically make the router a "virtual ABR," so if you're doing authentication
in area 0 you need to specify area 0 authentication globally on the "virtual ABR."
Later releases (uh, post-12.something) support per link authentication as well,
with whatever is specified on the link taking precedence over anything specified
at the global level. In this case, you could either specify area 0 authentication
at the global level on the virtual ABR and have the VL inherit the property,
or specify it on the VL definition statement itself, whether or not it was
defined at the global level.
Regards,
Mas Kato
https://ecardfile.com/id/mkato
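The two ways of expressing the same thing that the message above describes, written out as an added example (not a config from anyone in this thread). Router IDs 1.1.1.1 and 5.5.5.5, process 64733, transit area 10 and the key string "cisco" are taken from the configs quoted below; the hostnames in the comments are assumed, and "cisco" is a lab key, not a secret you would use on a real network.

```cisco
! --- Area 0 router (real ABR, RID 1.1.1.1): one setting covers every area 0 link, the VL included.
router ospf 64733
 network 130.10.1.0 0.0.0.255 area 0
 network 10.0.1.0 0.0.0.255 area 10
 ! Area-wide: all area 0 links on this router expect AuType 2 (cryptographic/MD5).
 area 0 authentication message-digest
 ! The VL is an area 0 link, so it needs its own key; key-id and string must match the far end.
 area 10 virtual-link 5.5.5.5 message-digest-key 1 md5 cisco
!
! --- Remote router ("virtual ABR", RID 5.5.5.5), option A: area-level.
! Area 0 exists on this box only through the VL, so the area 0 statement affects nothing else.
router ospf 64733
 network 10.0.1.0 0.0.0.255 area 10
 area 0 authentication message-digest
 area 10 virtual-link 1.1.1.1 message-digest-key 1 md5 cisco
!
! --- Remote router, option B: per-link (later IOS). The keyword on the VL statement
! wins over whatever is, or is not, set for area 0 globally.
router ospf 64733
 network 10.0.1.0 0.0.0.255 area 10
 area 10 virtual-link 1.1.1.1 authentication message-digest
 area 10 virtual-link 1.1.1.1 message-digest-key 1 md5 cisco
!
! --- Weak variant, for contrast: 'authentication' without 'message-digest' is AuType 1,
! a cleartext password that a capture anywhere on the area 10 path reveals. Against an
! MD5 peer it fails with the same "Mismatch Authentication type" debug line quoted
! below, just with different type numbers.
! area 10 virtual-link 1.1.1.1 authentication
! area 10 virtual-link 1.1.1.1 authentication-key cisco
!
! --- Checks, on either end:
!   show ip ospf virtual-links   (look for "Message digest authentication enabled"
!                                 and the adjacency state on OSPF_VL0)
!   debug ip ospf adj            (shows the authentication-type mismatch if the ends disagree)
```

Note that the Ethernet segment in area 10 stays unauthenticated in every variant above: the VL authentication is a property of the VL (an area 0 link) and says nothing about the transit area's own links. If the transit area should be protected as well, it needs its own area 10 authentication and per-interface keys.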
>Date: Tue, 20 Nov 2001 19:56:54 -0500
>From: Bill Reilly <william.j.reilly@verizon.net>
>To: albert_ccie@yahoo.com
>CC: ccielab@groupstudy.com
>Subject: Re: Virtual Link Auth Again
>Reply-To: Bill Reilly <william.j.reilly@verizon.net>
>
>My goal was to only authenticate area 0 connections. So all routers in
>area 10 did not have to auth. to each other, that is why you do not see
>an area 10 authenticate message-digest. Since the VL must connect to
>area 0 it must be doing md5 auth. All other connections in area 10 are
>free to connect with any other router in area 10.
>
>Probably not the best practice but it was my lab.
>
>Bill
>
>Albert Lu wrote:
>
>>Bill,
>>
>>Now you got me a little confused =). Which is good, maybe I can learn
>>something.
>>
>>Looking at your config, you have two virtual links going to two different
>>ABR routers 1.1.1.1 and 4.4.4.4. Lets focus on the virtual link to 1.1.1.1.
>>
>>Area 0 is doing MD5 authentication, area 10 is not doing authentication, but
>>the virtual link going over Area 10 is doing MD5 authentication.
>>
>>I just tried it out, and it works. I think what made it work was the 'area
>>10 virtual-link 1.1.1.1 authentication message-digest' statement on the
>>remote router. I've always done it by putting 'area 0 authentication
>>message-digest' on the remote router, since CCO described it that way:
>>
>>http://www.cisco.com/warp/public/104/27.html
>>
>>Now, I'm a bit confused on the difference between your method and CCO's method?
>>
>>
>>It seems like 'show ip ospf virtual-link' always shows the virtual link as
>>up, but when it really works it gives you this message:
>>1d01h: %OSPF-5-ADJCHG: Process 10, Nbr 200.0.0.7 on OSPF_VL0 from LOADING to FULL, Loading Done
>>
>>Albert
>>
>>-----Original Message-----
>>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>>Bill Reilly
>>Sent: Wednesday, November 21, 2001 9:11 AM
>>To: Albert Lu
>>Cc: ccielab@groupstudy.com
>>Subject: Re: Virtual Link Auth Again
>>
>>
>>Albert,
>>
>>The config below worked. Because the remote router has to authenticate
>>through area 10 I did not need the area 0 auth message-digest there.
>>However, I did need it in my Area 0 router to authenticate.
>>
>>Bill
>>
>>Albert Lu wrote:
>>
>>>Bill,
>>>
>>>I think you need 'area 0 authentication message-digest' for the virtual link
>>>to be doing authentication, since the virtual link is like a link into area
>>>0.
>>>
>>>Albert
>>>
>>>-----Original Message-----
>>>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>>>Bill Reilly
>>>Sent: Monday, November 12, 2001 11:56 AM
>>>To: Steve O'Ney; ccielab@groupstudy.com
>>>Subject: Re: Virtual Link Auth Again
>>>
>>>
>>>Sure.
>>>
>>>Here is my area 0 router:
>>>
>>>The VL is coming in over the e0 interface, but because I am only trying to
>>>authenticate the VL router I do not put any authentication information
>>>there; it is under the ospf process.
>>>
>>>!
>>>interface Ethernet0
>>> ip address 10.0.1.1 255.255.255.0
>>> ip ospf priority 100
>>> no keepalive
>>>!
>>>interface Serial0
>>> ip address 130.10.1.1 255.255.255.0
>>> encapsulation frame-relay
>>> ip ospf message-digest-key 1 md5 cisco
>>> ip ospf priority 100
>>>!
>>>router ospf 64733
>>> network 10.0.1.0 0.0.0.255 area 10
>>> network 130.10.1.0 0.0.0.255 area 0
>>> network 1.1.1.0 0.0.0.255 area 1
>>> neighbor 130.10.1.6 priority 4
>>> neighbor 130.10.1.5 priority 2
>>> area 0 authentication message-digest
>>> area 10 virtual-link 5.5.5.5 message-digest-key 1 md5 cisco
>>>
>>>Here is my remote router:
>>>
>>>interface Ethernet0/0
>>> ip address 10.0.1.22 255.255.255.0
>>> full-duplex
>>> service-policy output QoS-Policy
>>>!
>>>interface Serial1/0
>>> ip address 50.40.1.1 255.255.255.252
>>> no ip mroute-cache
>>> clockrate 128000
>>>!
>>>router ospf 64733
>>> log-adjacency-changes
>>> area 5 virtual-link 4.4.4.4
>>> area 10 virtual-link 1.1.1.1 authentication message-digest
>>> area 10 virtual-link 1.1.1.1 message-digest-key 1 md5 cisco
>>> network 10.0.1.0 0.0.0.255 area 10
>>> network 50.40.1.0 0.0.0.255 area 5
>>>
>>>Bill
>>>
>>>Steve O'Ney wrote:
>>>
>>>>Bill,
>>>>
>>>>Could I get a sample config from your router?
>>>>
>>>>THanks
>>>>
>>>>Steve
>>>>
>>>>----- Original Message -----
>>>>From: "Bill Reilly" <william.j.reilly@verizon.net>
>>>>To: "Steve O'Ney" <soney@proaptiv.com>; <ccielab@groupstudy.com>
>>>>Sent: Sunday, November 11, 2001 5:16 PM
>>>>Subject: Re: Virtual Link Auth Again
>>>>
>>>>>Steve,
>>>>>
>>>>>When you use the command listed below, you set up plain text
>>>>>authentication on both routers. This is the type 1 part of the message in
>>>>>the clip I sent.
>>>>>
>>>>>I was able to get this working, then changed my authentication type to
>>>>>message-digest with md5. Once I set my area 0 auth to message-digest and
>>>>>set up my keys on both my area 0 router and my remote router everything
>>>>>came up.
>>>
>>>>>Thanks,
>>>>>Bill
>>>>>
>>>>>Steve O'Ney wrote:
>>>>>
>>>>>>Bill,
>>>>>>
>>>>>>I have knocked my head against the wall on several occasions over this
>>>>>>and I have found a fix, type this command on both ends of your virtual
>>>>>>link. I can't say why this works because I don't have a clue, I can't
>>>>>>find it anywhere but this is what worked for me:
>>>>>>
>>>>>>area [#] virtual-link X.X.X.X authentication
>>>>>>
>>>>>>don't ask me why but it works.
>>>>>>
>>>>>>Steve
>>>>>>
>>>>>>----- Original Message -----
>>>>>>From: "Bill Reilly" <william.j.reilly@verizon.net>
>>>>>>To: <ccielab@groupstudy.com>
>>>>>>Sent: Sunday, November 11, 2001 11:36 AM
>>>>>>Subject: Virtual Link Auth Again
>>>>>>
>>>>>>>I have been working on some VL labs with and without different types of
>>>>>>>authentication. Now the first issue I have is some of my routers are
>>>>>>>running 11.2 and some are running 12.1. I suspect my issue resides in
>>>>>>>the differences in IOS, but what I am seeing is when I try to use
>>>>>>>message-digest I am not able to authenticate my VL.
>>>>>>>
>>>>>>>My debug output on both routers states "Rcv pkt from 10.0.1.22,
>>>>>>>Ethernet0 : Mismatch Authentication type. Input packet specified type 0,
>>>>>>>we use type 1"
>>>>>>>
>>>>>>>Any help would be appreciated.
>>>>>>>
>>>>>>>Bill
>>>>>>>
This archive was generated by hypermail 2.1.4 : Fri Jun 21 2002 - 06:45:21 GMT-3