From: Sage Vadi (sagevadi@yahoo.co.uk)
Date: Fri Dec 27 2002 - 01:50:07 GMT-3
Janto,
In this instance, you are correct.
My Area0 router-
area 3 authentication message-digest
area 3 virtual-link 2.2.2.2 authentication message-digest
My Area3/Area4 router-
area 3 authentication message-digest
area 3 virtual-link 3.3.3.3 authentication message-digest
I have not configured any area0 authentication in my
Area3/Area4 router.
****
In ANOTHER instance I have this -
ABR
area 0 authentication
area 1 virtual-link 5.5.5.5 authentication-key cisco
Area0 Router
area 0 authentication
area 1 virtual-link 2.2.2.2 authentication-key cisco
So by lab experience, to me it would seem that if you
have done all the appropriate configuration in your
virtual-link statement you can AVOID adding the area 0
config. But if you have not done the full statements
under your virtual-link, you can use the area 0 command
config.
--- Janto Cin <jantocin@datacomm.co.id> wrote:
> All,
>
> I posted a weeks ago.
>
> (lo0)R1(e0)---------(e0)R2(lo0)
>
> R1(e0)---(e0)R2 -> Area 12
> R1(lo0) -> Area 1
> R2(lo0) -> Area 0
>
> R1
> ------
> Area 12 virtual-link 192.168.2.2 authentication message-digest
> Area 12 virtual-link 192.168.2.2 message-digest-key 1 md5 cisco
>
> R2
> ------
> Area 0 authentication message-digest
> Area 12 virtual-link 192.168.1.1 authentication message-digest
> Area 12 virtual-link 192.168.1.1 message-digest-key 1 md5 cisco
>
> We don't have to put 'area 0 authentication
> message-digest' in R1.
> Correct me if I'm wrong.
>
> Janto
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of OhioHondo
> Sent: Friday, December 27, 2002 7:03 AM
> To: Brian McGahan; 'Lysyuk Andrew'
> Cc: ccielab@groupstudy.com
> Subject: RE: Help me pls with OSPF authentication.
>
>
> Brian/Kym
>
> I did not have any authentication specified for area 0. (Since I did
> not have any area 0 links defined in my config I overlooked that.) I
> changed area 0 to require authentication and now it works as
> advertised!!
>
> Brian -- thank you for the clarification on what is
> considered interface
> authentication using virtual links.
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Brian McGahan
> Sent: Thursday, December 26, 2002 6:06 PM
> To: 'Jerry Haverkos'; 'Lysyuk Andrew'
> Cc: ccielab@groupstudy.com
> Subject: RE: Help me pls with OSPF authentication.
>
>
> Jerry,
>
> There are two types of authentication in OSPF, area and interface.
> If area authentication is enabled, all interfaces which have
> adjacencies on them must authenticate. A virtual-link *is* an area 0
> interface, therefore if you have a virtual-link, and are
> authenticating area 0, you must authenticate the virtual-link.
>
> Interface authentication is independent of area authentication, and
> interface authentication overrides area authentication. This means
> that you could be using clear-text authentication throughout an area,
> and implement md5 authentication on a particular link within that
> area. In the case that you have presented, interface authentication
> is enabled on the virtual-link. This is a perfectly valid
> configuration.
>
> If in your example you had said 'area 0 authentication', the remote
> router where the virtual-link terminates would also have to say
> 'area 0 authentication'. It is not completely necessary that you
> configure a key on the interface (or virtual-link in this case). OSPF
> authentication uses a "null" key by default. Practically, security
> through obscurity is not a very safe practice, therefore you should
> configure a key on each interface which is authenticating.
>
>
> HTH
>
> Brian McGahan, CCIE #8593
> Director of Design and Implementation
> brian@cyscoexpert.com
>
> CyscoExpert Corporation
> Internetwork Consulting & Training
> Voice: 847.674.3392
> Fax: 847.674.2625
>
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Jerry Haverkos
> > Sent: Thursday, December 26, 2002 2:42 PM
> > To: 'Lysyuk Andrew'
> > Cc: ccielab@groupstudy.com
> > Subject: RE: Help me pls with OSPF authentication.
> >
> > Lysuk
> >
> > I am on IOS 12.1.13 and my configs show no correlation between
> > authentication of area 0 and authentication on the virtual link. The
> > following are excerpts from my configs on the router that houses
> > area 0 and participates as part of the virtual link in my network.
> > They show that there is no correlation in my network.
> >
> > 3640-1_R1#sho ip ospf virtual-links
> > Virtual Link OSPF_VL0 to router 0.0.0.4 is up
> > Run as demand circuit
> > DoNotAge LSA allowed.
> > Transit area 4, via interface Serial1/0.4, Cost of using 781
> > Transmit Delay is 1 sec, State POINT_TO_POINT,
> > Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
> > Hello due in 00:00:05
> > Adjacency State FULL (Hello suppressed)
> > Index 1/4, retransmission queue length 0, number of retransmission 1
> > First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
> > Last retransmission scan length is 1, maximum is 1
> > Last retransmission scan time is 0 msec, maximum is 0 msec
> > Message digest authentication enabled
> > Youngest key id is 1
> >
> >
> > Note -- on the router there is only one interface in area 0 and it
> > does not specify authentication
> >
> > 3640-1_R1#
> > router ospf 100
> > router-id 0.0.0.1
> > log-adjacency-changes
> > no discard-route internal
> > area 0 range 149.1.254.0 255.255.255.0
> > area 0 range 149.1.0.0 255.255.0.0
> > area 1 range 149.1.1.0 255.255.255.0
> > area 2 authentication message-digest
> > area 2 stub no-summary
> > area 2 range 149.1.2.0 255.255.255.0
> > area 4 range 149.1.4.0 255.255.255.0
> > area 4 virtual-link 0.0.0.4 authentication message-digest
> > area 4 virtual-link 0.0.0.4 message-digest-key 1 md5 cubbies
> > area 5 authentication message-digest
> > area 5 nssa no-summary
> > area 5 range 149.1.5.0 255.255.255.0
> > summary-address 17.0.0.0 255.0.0.0 not-advertise
> > network 149.1.1.0 0.0.0.255 area 1
> > network 149.1.2.0 0.0.0.255 area 2
> > network 149.1.4.0 0.0.0.255 area 4
> > network 149.1.5.0 0.0.0.255 area 5
> > network 149.1.254.254 0.0.0.0 area 0
> > neighbor 149.1.2.254
> > neighbor 149.1.4.254
> > neighbor 149.1.5.254
> >
>
=== message truncated ===
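
Added example, not part of the original thread: a Python check that applies the rule discussed above (a virtual link is an area 0 interface, and a per-link authentication setting overrides the area 0 setting) to the `router ospf` lines of both ends, and reports an authentication type mismatch or a missing key. The sample configurations are constructed, modelled on the R1/R2 lab quoted in the thread, and the function names are hypothetical.

```python
import re

NULL, SIMPLE, MD5 = 0, 1, 2   # OSPF AuType values: none, clear-text, MD5

def vlink_auth(config, transit_area, peer_rid):
    """Return (effective auth type, key_present) for one virtual link."""
    area0, explicit, keys = NULL, None, set()
    vl = rf"area {re.escape(transit_area)} virtual-link {re.escape(peer_rid)} "
    for raw in config.splitlines():
        line = " ".join(raw.split())
        m = re.fullmatch(r"area (?:0|0\.0\.0\.0) authentication( message-digest)?", line)
        if m:
            area0 = MD5 if m.group(1) else SIMPLE
        m = re.fullmatch(vl + r"authentication( message-digest| null)?", line)
        if m:
            explicit = {None: SIMPLE, " message-digest": MD5, " null": NULL}[m.group(1)]
        if re.fullmatch(vl + r"authentication-key .+", line):
            keys.add(SIMPLE)
        if re.fullmatch(vl + r"message-digest-key \d+ md5 .+", line):
            keys.add(MD5)
    # A virtual link is an area 0 interface: its own setting wins,
    # otherwise it inherits whatever "area 0 authentication" says.
    auth = area0 if explicit is None else explicit
    return auth, auth == NULL or auth in keys

def check_pair(cfg_a, rid_a, cfg_b, rid_b, transit_area):
    """Return a list of findings for the virtual link between two routers."""
    a, key_a = vlink_auth(cfg_a, transit_area, rid_b)
    b, key_b = vlink_auth(cfg_b, transit_area, rid_a)
    findings = []
    if a != b:
        findings.append(f"auth type mismatch: {a} vs {b}")
    if not (key_a and key_b):
        findings.append("authentication enabled without a key")
    return findings

# Constructed sample configs (router IDs 192.168.1.1 / 192.168.2.2, transit area 12).
R1_EXPLICIT = """
 area 12 virtual-link 192.168.2.2 authentication message-digest
 area 12 virtual-link 192.168.2.2 message-digest-key 1 md5 cisco
"""
R1_BARE = " area 12 virtual-link 192.168.2.2"
R2 = """
 area 0 authentication message-digest
 area 12 virtual-link 192.168.1.1 message-digest-key 1 md5 cisco
"""
if __name__ == "__main__":
    print(check_pair(R1_EXPLICIT, "192.168.1.1", R2, "192.168.2.2", "12"))
    print(check_pair(R1_BARE, "192.168.1.1", R2, "192.168.2.2", "12"))
```

The first pair matches because R1 sets MD5 on the link itself while R2 inherits it from area 0; the second pair fails because R1 has neither setting and so sends unauthenticated packets to a peer expecting MD5.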