RE: Virtual Links

From: Tarek Sabry (tsabry@xxxxxxxxxxxxxxxxxxx)
Date: Thu Apr 18 2002 - 00:10:24 GMT-3


   
Kym

Your configs are still not correct!!! I know it's a bit strange but you do
need to put the md5 authentication on your virtual link as I said earlier.
Otherwise your virtual link itself will be cleartext. As you can see from
your own output below it says "No key configured, using default key id 0".
But as long as this virtual link now belongs to area 0 then you'd better
also give it md5 authentication. In the real test I think I'll just ask the
proctor to be 100% but otherwise authenticate all that belongs to the area
to satisfy the question.

I'm sure someone will correct me if I'm wrong.

Tarek

-----Original Message-----
From: kym blair [mailto:kymblair@hotmail.com]
Sent: Wednesday, April 17, 2002 9:39 PM
To: tsabry@houston.sns.slb.com; ccielab@groupstudy.com
Subject: RE: Virtual Links

Tarek,

You're right, I removed the authentication key from the physical interfaces
(but left "area 0 authentication message-digest" under the ospf routing
processes) and the virtual-links still worked. The extra command I was
using didn't hurt, but it wasn't necessary. (Thanks for the tip.) With and
without the key on the remote router, the remote area routes installed
throughout ospf and the "show" output was identical:

R3#show ip ospf virtual-link
Virtual Link OSPF_VL3 to router 140.4.5.1 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 1, via interface Serial1, Cost of using 64
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:00
    Adjacency State FULL (Hello suppressed)
    Index 3/5, retransmission queue length 0, number of retransmission 1
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 1, maximum is 1
    Last retransmission scan time is 0 msec, maximum is 0 msec
  Message digest authentication enabled
      No key configured, using default key id 0

If you're having a problem getting the virtual-links to come up, it is
probably the IP addresses you're using for the virtual-link ... they must be
the RIDs. On each router, use "show ip ospf database" to learn the correct
RID (will probably be your highest loopback address), then use that RID in
the virtual-link command at the other end.

You probably don't need this, but my actual configs are as follows:

AREA 0 ABR ROUTER:

interface Loopback0
ip address 140.4.3.1 255.255.255.0
!
interface Ethernet0
ip address 140.4.4.3 255.255.255.0
ip ospf message-digest-key 1 md5 KEY5
ip ospf priority 200
media-type 10BaseT
!
interface Serial1
ip address 140.4.1.3 255.255.255.240
encapsulation frame-relay
ip ospf hello-interval 10
ip ospf priority 200
clockrate 64000
frame-relay map ip 140.4.1.2 302 broadcast
frame-relay map ip 140.4.1.3 302 broadcast
frame-relay map ip 140.4.1.5 305 broadcast
no frame-relay inverse-arp
!
router ospf 64
log-adjacency-changes
area 0 authentication message-digest
area 1 virtual-link 140.4.5.1
area 1 virtual-link 140.4.2.1
network 140.4.1.3 0.0.0.0 area 1
network 140.4.3.1 0.0.0.0 area 0
network 140.4.4.3 0.0.0.0 area 0
network 140.4.30.1 0.0.0.0 area 30
neighbor 140.4.1.5
neighbor 140.4.1.2

REMOTE ROUTER FOR AREA 20:

interface Loopback0
ip address 140.4.2.1 255.255.255.0
!
interface Serial0
ip address 140.4.1.2 255.255.255.240
encapsulation frame-relay
ip ospf hello-interval 10
ip ospf priority 0
no fair-queue
clockrate 64000
frame-relay map ip 140.4.1.2 203 broadcast
frame-relay map ip 140.4.1.3 203 broadcast
frame-relay map ip 140.4.1.5 203 broadcast
no frame-relay inverse-arp
!
interface TokenRing0
ip address 140.4.21.1 255.255.255.0
ring-speed 16
!
router ospf 64
log-adjacency-changes
area 0 authentication message-digest
area 1 virtual-link 140.4.3.1
network 140.4.1.2 0.0.0.0 area 1
network 140.4.2.1 0.0.0.0 area 1
network 140.4.21.1 0.0.0.0 area 20

HTH, Kym

>From: Tarek Sabry <tsabry@houston.sns.slb.com>
>Reply-To: Tarek Sabry <tsabry@houston.sns.slb.com>
>To: "'kym blair'" <kymblair@hotmail.com>, ccielab@groupstudy.com
>Subject: RE: Virtual Links
>Date: Wed, 17 Apr 2002 17:33:08 -0500
>
>Hmmm are you sure about this? I think you should put the authentication on
>the "virtual link" in your example and NOT on the physical s0 as I
>understand. I just tried it in fact!
>
>OK about my first question, this is killing me now as one day it works and
>the other day it kept complaining. Basically on my hub router I could only
>see one of the authenticated virtual links up at a time. Right now they're
>both up after I reloaded both spoke ABRs. Is using 2 parallel links causing
>some loop of some kind?? I know it sounds dumb but this thing has been
>bothering me for almost 2 years now!!!! Really.
>
>Thanks again
>Tarek
>
>-----Original Message-----
>From: kym blair [mailto:kymblair@hotmail.com]
>Sent: Wednesday, April 17, 2002 5:28 PM
>To: tsabry@houston.sns.slb.com; ccielab@groupstudy.com
>Subject: Re: Virtual Links
>
>
>
>Tarek,
>
>I could only guess on the answer to your first question, so I'll let someone
>else answer. On your second question, "If area 0 is authenticated, do I
>have to put authentication on the virtual link?", the answer is yes. For
>example:
>
>Router A (has area 0 and area 2)
>
>Router B (has area 2 and area 3):
> router ospf 64
> network 192.168.1.2 0.0.0.0 area 2
> network 172.48.3.2 0.0.0.0 area 3
> area 2 virtual-link 192.168.1.1
> area 0 authentication message-digest
>interface serial 0
> ip ospf message-digest-key 1 md5 KEY1
>
>
>HTH, Kym
>
>
>
>
> >From: Tarek Sabry <tsabry@houston.sns.slb.com>
> >Reply-To: Tarek Sabry <tsabry@houston.sns.slb.com>
> >To: ccielab@groupstudy.com
> >Subject: Virtual Links
> >Date: Wed, 17 Apr 2002 16:58:53 -0500
> >
> >Hi
> >
 > >This is a quick one. When I have 2 spokes that can act as ABRs between area
 > >1 and area 2 let's say, do I need 2 virtual links to area 0? Or should I
> >only have one virtual link that I choose?
> >
 > >Another question, if area 0 is authenticated then do I have to enable
 > >authentication on the virtual link? I thought I should, but the only way I'm
 > >able to bring one of the virtual links up is to remove the md5
 > >authentication!! Is there a problem because I'm using 2 parallel VLinks or
 > >this is the way it is supposed to work?
> >
> >Thanks
> >Tarek
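
An added example, not part of the original thread: a Python check for the situation discussed above, where `area 0 authentication message-digest` is set but the `virtual-link` lines carry no `message-digest-key` (the state behind "No key configured, using default key id 0" in the show output). The function name and the `VLKEY` key are hypothetical; the sample is the ABR's OSPF section as posted.

```python
import re

ROUTER = re.compile(r"^router ospf (\d+)")
BACKBONE_MD5 = re.compile(r"^area (0|0\.0\.0\.0) authentication message-digest$")
VLINK = re.compile(r"^area (\S+) virtual-link (\S+)(.*)$")

# OSPF section of the area 0 ABR as posted in the thread (indentation flattened).
POSTED = """\
router ospf 64
log-adjacency-changes
area 0 authentication message-digest
area 1 virtual-link 140.4.5.1
area 1 virtual-link 140.4.2.1
network 140.4.3.1 0.0.0.0 area 0
"""
# Constructed variant: VLKEY is a placeholder key, not a value from the thread.
KEYED = POSTED.replace("140.4.5.1\n", "140.4.5.1 message-digest-key 1 md5 VLKEY\n")

def unkeyed_virtual_links(config):
    """Return sorted (process, transit_area, peer_rid) for virtual links that
    inherit area 0 MD5 authentication but have no message-digest-key."""
    findings = []
    process, backbone_md5, keyed = None, False, {}

    def close_section():
        if process is not None and backbone_md5:
            findings.extend((process, area, rid)
                            for (area, rid), has_key in keyed.items() if not has_key)

    for raw in config.splitlines():
        line = " ".join(raw.split())  # tolerate missing or extra indentation
        if m := ROUTER.match(line):
            close_section()
            process, backbone_md5, keyed = m.group(1), False, {}
        elif line.startswith(("interface ", "router ", "line ")):
            close_section()
            process = None
        elif process is not None:
            if BACKBONE_MD5.match(line):
                backbone_md5 = True
            elif m := VLINK.match(line):
                link = (m.group(1), m.group(2))
                # IOS can list one link's options on several lines; any key counts.
                keyed[link] = keyed.get(link, False) or "message-digest-key" in m.group(3)
    close_section()
    return sorted(findings)

if __name__ == "__main__":
    print(unkeyed_virtual_links(POSTED))
```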


