From: kym blair (kymblair@xxxxxxxxxxx)
Date: Thu Apr 18 2002 - 00:25:56 GMT-3
Tarek,
You're right. Just added it. Thanks.
Kym
>From: Tarek Sabry <tsabry@houston.sns.slb.com>
>Reply-To: tsabry@slb.com
>To: 'kym blair' <kymblair@hotmail.com>, ccielab@groupstudy.com
>Subject: RE: Virtual Links
>Date: Wed, 17 Apr 2002 22:10:24 -0500
>
>Kym
>
>Your configs are still not correct!!! I know it's a bit strange but you do
>need to put the md5 authentication on your virtual link as I said earlier.
>Otherwise your virtual link itself will be cleartext. As you can see from
>your own output below it says "No key configured, using default key id 0".
>But as long as this virtual link now belongs to area 0 then you'd better
>also give it md5 authentication. In the real test I think I'll just ask the
>proctor to be 100% but otherwise authenticate all that belongs to the area
>to satisfy the question.
>
>I'm sure someone will correct me if I'm wrong.
>
>Tarek
>
>-----Original Message-----
>From: kym blair [mailto:kymblair@hotmail.com]
>Sent: Wednesday, April 17, 2002 9:39 PM
>To: tsabry@houston.sns.slb.com; ccielab@groupstudy.com
>Subject: RE: Virtual Links
>
>
>Tarek,
>
>You're right, I removed the authentication key from the physical interfaces
>(but left "area 0 authentication message-digest" under the ospf routing
>processes) and the virtual-links still worked. The extra command I was
>using didn't hurt, but it wasn't necessary. (Thanks for the tip.) With and
>without the key on the remote router, the remote area routes installed
>throughout ospf and the "show" output was identical:
>
>R3#show ip ospf virtual-link
>Virtual Link OSPF_VL3 to router 140.4.5.1 is up
> Run as demand circuit
> DoNotAge LSA allowed.
> Transit area 1, via interface Serial1, Cost of using 64
> Transmit Delay is 1 sec, State POINT_TO_POINT,
> Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
> Hello due in 00:00:00
> Adjacency State FULL (Hello suppressed)
> Index 3/5, retransmission queue length 0, number of retransmission 1
> First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
> Last retransmission scan length is 1, maximum is 1
> Last retransmission scan time is 0 msec, maximum is 0 msec
> Message digest authentication enabled
> No key configured, using default key id 0
>
>If you're having a problem getting the virtual-links to come up, it is
>probably the IP addresses you're using for the virtual-link ... they must be
>the RIDs. On each router, use "show ip ospf database" to learn the correct
>RID (will probably be your highest loopback address), then use that RID in
>the virtual-link command at the other end.
>
>You probably don't need this, but my actual configs are as follows:
>
>AREA 0 ABR ROUTER:
>
>interface Loopback0
>ip address 140.4.3.1 255.255.255.0
>!
>interface Ethernet0
>ip address 140.4.4.3 255.255.255.0
>ip ospf message-digest-key 1 md5 KEY5
>ip ospf priority 200
>media-type 10BaseT
>!
>interface Serial1
>ip address 140.4.1.3 255.255.255.240
>encapsulation frame-relay
>ip ospf hello-interval 10
>ip ospf priority 200
>clockrate 64000
>frame-relay map ip 140.4.1.2 302 broadcast
>frame-relay map ip 140.4.1.3 302 broadcast
>frame-relay map ip 140.4.1.5 305 broadcast
>no frame-relay inverse-arp
>!
>router ospf 64
>log-adjacency-changes
>area 0 authentication message-digest
>area 1 virtual-link 140.4.5.1
>area 1 virtual-link 140.4.2.1
>network 140.4.1.3 0.0.0.0 area 1
>network 140.4.3.1 0.0.0.0 area 0
>network 140.4.4.3 0.0.0.0 area 0
>network 140.4.30.1 0.0.0.0 area 30
>neighbor 140.4.1.5
>neighbor 140.4.1.2
>
>
>REMOTE ROUTER FOR AREA 20:
>
>interface Loopback0
>ip address 140.4.2.1 255.255.255.0
>!
>interface Serial0
>ip address 140.4.1.2 255.255.255.240
>encapsulation frame-relay
>ip ospf hello-interval 10
>ip ospf priority 0
>no fair-queue
>clockrate 64000
>frame-relay map ip 140.4.1.2 203 broadcast
>frame-relay map ip 140.4.1.3 203 broadcast
>frame-relay map ip 140.4.1.5 203 broadcast
>no frame-relay inverse-arp
>!
>interface TokenRing0
>ip address 140.4.21.1 255.255.255.0
>ring-speed 16
>!
>router ospf 64
>log-adjacency-changes
>area 0 authentication message-digest
>area 1 virtual-link 140.4.3.1
>network 140.4.1.2 0.0.0.0 area 1
>network 140.4.2.1 0.0.0.0 area 1
>network 140.4.21.1 0.0.0.0 area 20
>
>
>
>HTH, Kym
>
>
>
>
> >From: Tarek Sabry <tsabry@houston.sns.slb.com>
> >Reply-To: Tarek Sabry <tsabry@houston.sns.slb.com>
> >To: "'kym blair'" <kymblair@hotmail.com>, ccielab@groupstudy.com
> >Subject: RE: Virtual Links
> >Date: Wed, 17 Apr 2002 17:33:08 -0500
> >
 > >Hmmm are you sure about this? I think you should put the authentication on
 > >the "virtual link" in your example and NOT on the physical s0 as I
 > >understand. I just tried it in fact!
 > >
 > >OK about my first question, this is killing me now as one day it works and
 > >the other day it kept complaining. Basically on my hub router I could only
 > >see one of the authenticated virtual links up at a time. Right now they're
 > >both up after I reloaded both spoke ABRs. Is using 2 parallel links causing
 > >some loop of some kind?? I know it sounds dumb but this thing has been
 > >bothering me for almost 2 years now!!!! Really.
> >
> >Thanks again
> >Tarek
> >
> >-----Original Message-----
> >From: kym blair [mailto:kymblair@hotmail.com]
> >Sent: Wednesday, April 17, 2002 5:28 PM
> >To: tsabry@houston.sns.slb.com; ccielab@groupstudy.com
> >Subject: Re: Virtual Links
> >
> >
> >
> >Tarek,
> >
 > >I could only guess on the answer to your first question, so I'll let
 > >someone else answer. On your second question, "If area 0 is authenticated,
 > >do I have to put authentication on the virtual link?", the answer is yes.
 > >For example:
> >
> >Router A (has area 0 and area 2)
> >
> >Router B (has area 2 and area 3):
> > router ospf 64
> > network 192.168.1.2 0.0.0.0 area 2
> > network 172.48.3.2 0.0.0.0 area 3
> > area 2 virtual-link 192.168.1.1
> > area 0 authentication message-digest
> >interface serial 0
> > ip ospf message-digest-key 1 md5 KEY1
> >
> >
> >HTH, Kym
> >
> >
> >
> >
> > >From: Tarek Sabry <tsabry@houston.sns.slb.com>
> > >Reply-To: Tarek Sabry <tsabry@houston.sns.slb.com>
> > >To: ccielab@groupstudy.com
> > >Subject: Virtual Links
> > >Date: Wed, 17 Apr 2002 16:58:53 -0500
> > >
> > >Hi
> > >
 > > >This is a quick one. When I have 2 spokes that can act as ABRs between
 > > >area 1 and area 2 let's say, do I need 2 virtual links to area 0? Or
 > > >should I only have one virtual link that I choose?
 > > >
 > > >Another question, if area 0 is authenticated then do I have to enable
 > > >authentication on the virtual link? I thought I should, but the only way
 > > >I'm able to bring one of the virtual links up is to remove the md5
 > > >authentication!! Is there a problem because I'm using 2 parallel VLinks
 > > >or this is the way it is supposed to work?
> > >
> > >Thanks
> > >Tarek
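
Added example, not part of the original thread or any poster's code: a small offline audit that reads an IOS-style configuration and reports virtual links that run under "area 0 authentication message-digest" without a message-digest-key of their own, which is the state R3 shows above as "No key configured, using default key id 0". The function name, the status labels, the assumption of one OSPF process per config, and the sample strings (an excerpt of the remote router config as posted, plus a constructed variant with a key on the virtual link) are assumptions made for this illustration.

```python
import re

# "area <id> virtual-link <router-id> [options...]"
VLINK = re.compile(r"^area\s+(\S+)\s+virtual-link\s+(\S+)(.*)$")
AREA0_MD5 = re.compile(r"area\s+(0|0\.0\.0\.0)\s+authentication\s+message-digest")
MD5_KEY = re.compile(r"message-digest-key\s+\d+\s+md5\s+\S+")


def audit_virtual_links(config):
    """Map each virtual-link router ID to 'md5-keyed', 'md5-no-key' or 'no-md5'."""
    in_ospf = False
    area0_md5 = False
    links = {}  # router ID -> all option text seen for that link
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("router ospf"):
            in_ospf = True
        elif line == "!" or line.startswith(("interface ", "router ")):
            in_ospf = False
        elif in_ospf:
            if AREA0_MD5.fullmatch(line):
                area0_md5 = True
            m = VLINK.match(line)
            if m:
                # A link's options may be spread over several lines; merge them.
                links[m.group(2)] = links.get(m.group(2), "") + " " + m.group(3)
    result = {}
    for rid, opts in links.items():
        explicit_null = "authentication null" in opts
        # A virtual link belongs to area 0, so it inherits area 0's setting.
        uses_md5 = (area0_md5 and not explicit_null) or \
            "authentication message-digest" in opts
        if not uses_md5:
            result[rid] = "no-md5"
        elif MD5_KEY.search(opts):
            result[rid] = "md5-keyed"
        else:
            result[rid] = "md5-no-key"
    return result


# Excerpt of the "REMOTE ROUTER FOR AREA 20" config as posted in the thread.
AS_POSTED = """interface Serial0
ip address 140.4.1.2 255.255.255.240
!
router ospf 64
area 0 authentication message-digest
area 1 virtual-link 140.4.3.1
network 140.4.1.2 0.0.0.0 area 1
"""
# Constructed variant: same config with a key placed on the virtual link.
WITH_KEY = AS_POSTED.replace(
    "virtual-link 140.4.3.1",
    "virtual-link 140.4.3.1 message-digest-key 1 md5 KEY5")
```

The same key ID and key string have to be configured on the virtual-link statement at both ends.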