RE: OSPF Virtual Links

From: Brian McGahan (brian@cyscoexpert.com)
Date: Tue Jan 14 2003 - 21:26:49 GMT-3

• Next message: Rick: "ISDN callback"
• Previous message: Joe: "RE: OSPF Virtual Links"
• Maybe in reply to: Jeffery S Kimes: "OSPF Virtual Links"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Jeff,

        The virtual-link is an area 0 interface. If you are
authenticating area 0, and have a virtual-link, you must authenticate
the virtual-link. Here is a thread that explains it, I don't think it's
in the archives yet:

HTH

Brian McGahan, CCIE #8593
Director of Design and Implementation
brian@cyscoexpert.com

CyscoExpert Corporation
Internetwork Consulting & Training
Voice: 847.674.3392
Fax: 847.674.2625

> -----Original Message-----
> From: Brian McGahan [mailto:brian@cyscoexpert.com]
> Sent: Thursday, December 26, 2002 5:06 PM
> To: 'Jerry Haverkos'; 'Lysyuk Andrew'
> Cc: 'ccielab@groupstudy.com'
> Subject: RE: Help me pls with OSPF authentication.
>
> Jerry,
>
> There are two types of authentication in OSPF, area and
interface.
> If area authentication is enabled, all interfaces which have
adjacencies
> on them must authenticate. A virtual-link *is* an area 0 interface,
> therefore if you have a virtual-link, and are authenticating area 0,
you
> must authenticate the virtual-link.
>
> Interface authentication is independent of area authentication,
and
> interface authentication overrides area authentication. This means
that
> you could be using clear-text authentication throughout and area, and
> implement md5 authentication on a particular link within that area.
In
> the case that you have presented, interface authentication is enabled
on
> the virtual-link. This is a perfectly valid configuration.
>
> If in your example you had said 'area 0 authentication', the
remote
> router where the virtual-link terminates would also have to say 'area
0
> authentication'. It is not completely necessary that you configure a
key
> on the interface (or virtual-link in this case). OSPF authentication
uses
> a "null" key by default. Practically, security through obscurity is
not a
> very safe practice, therefore you should configure a key on each
interface
> which is authenticating.
>
>
> HTH
>
> Brian McGahan, CCIE #8593
> Director of Design and Implementation
> brian@cyscoexpert.com
>
> CyscoExpert Corporation
> Internetwork Consulting & Training
> Voice: 847.674.3392
> Fax: 847.674.2625
>
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
Of
> > Jerry Haverkos
> > Sent: Thursday, December 26, 2002 2:42 PM
> > To: 'Lysyuk Andrew'
> > Cc: ccielab@groupstudy.com
> > Subject: RE: Help me pls with OSPF authentication.
> >
> > Lysuk
> >
> > I am on IOS 12.1.13 and my configs show no correlation between
> > authentication of area 0 and authentication on the virtual link. The
> > following are excerpts from my configs on the router that houses
area 0
> > and
> > participates as part of the virtual link in my network. They show
that
> > there
> > is no correlation in my network.
> >
> > 3640-1_R1#sho ip ospf virtual-links
> > Virtual Link OSPF_VL0 to router 0.0.0.4 is up
> > Run as demand circuit
> > DoNotAge LSA allowed.
> > Transit area 4, via interface Serial1/0.4, Cost of using 781
> > Transmit Delay is 1 sec, State POINT_TO_POINT,
> > Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit
5
> > Hello due in 00:00:05
> > Adjacency State FULL (Hello suppressed)
> > Index 1/4, retransmission queue length 0, number of
retransmission 1
> > First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
> > Last retransmission scan length is 1, maximum is 1
> > Last retransmission scan time is 0 msec, maximum is 0 msec
> > Message digest authentication enabled
> > Youngest key id is 1
> >
> >
> > Note -- on the router there is only one interface in area 0 and it
does
> > not
> > specify authentication
> >
> > 3640-1_R1#
> > router ospf 100
> > router-id 0.0.0.1
> > log-adjacency-changes
> > no discard-route internal
> > area 0 range 149.1.254.0 255.255.255.0
> > area 0 range 149.1.0.0 255.255.0.0
> > area 1 range 149.1.1.0 255.255.255.0
> > area 2 authentication message-digest
> > area 2 stub no-summary
> > area 2 range 149.1.2.0 255.255.255.0
> > area 4 range 149.1.4.0 255.255.255.0
> > area 4 virtual-link 0.0.0.4 authentication message-digest
> > area 4 virtual-link 0.0.0.4 message-digest-key 1 md5 cubbies
> > area 5 authentication message-digest
> > area 5 nssa no-summary
> > area 5 range 149.1.5.0 255.255.255.0
> > summary-address 17.0.0.0 255.0.0.0 not-advertise
> > network 149.1.1.0 0.0.0.255 area 1
> > network 149.1.2.0 0.0.0.255 area 2
> > network 149.1.4.0 0.0.0.255 area 4
> > network 149.1.5.0 0.0.0.255 area 5
> > network 149.1.254.254 0.0.0.0 area 0
> > neighbor 149.1.2.254
> > neighbor 149.1.4.254
> > neighbor 149.1.5.254
> >
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf
Of
> > Justin Menga
> > Sent: Thursday, December 26, 2002 1:11 AM
> > To: Jude Servi; 'Robert Slaski'; 'Manish Gupta'
> > Cc: 'Lysyuk Andrew'; ccielab@groupstudy.com
> > Subject: RE: Help me pls with OSPF authentication.
> >
> >
> > Also, if you enable authentication for a virtual link, you must also
> > ensure
> > area 0 has authentication enabled:
> >
> > router ospf 1
> > area 0 authentication
> > area 1 virtual-link .....
> >
> > Regards,
> > Justin
> >
> > -----Original Message-----
> > From: Jude Servi [mailto:jservi@cisco.com]
> > Sent: Wednesday, December 25, 2002 12:36 PM
> > To: 'Robert Slaski'; 'Manish Gupta'
> > Cc: 'Lysyuk Andrew'; ccielab@groupstudy.com
> > Subject: RE: Help me pls with OSPF authentication.
> >
> >
> > Don't forget to add authentication to a virtual link if needed.
Example
> > for
> > md5 auth:
> >
> > router ospf 1
> > area # virtual-link <neighbor ip addr> authentication
message-digest
> > message-digest-key # <key>
> >
> > Jude
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
Of
> > Robert Slaski
> > Sent: Saturday, December 21, 2002 11:16 AM
> > To: Manish Gupta
> > Cc: Lysyuk Andrew; ccielab@groupstudy.com
> > Subject: Re: Help me pls with OSPF authentication.
> >
> >
> > Manish Gupta wrote:
> > > I always prefer
> > >
> > > Under router ospf x
> > > area x authentication (plain or MD5)
> > >
> > > Under interface:
> > > ip opsf authetication <password> if plain
> >
> > You meant 'ip ospf authentication-key' I think, but this does not
answer
> >
> > the Andrew's question.
> >
> > There are two authentication types available in OSPF: per area and
per
> > interface, if both are configured then per interface authentication
> > takes precedence. Both have plain-text and MD5 checksum variants.
> >
> > Per area:
> > 1. enable area authentication
> > (config-router)# area <area> authentication [message-digest]
> > 2. setup keys (this should be done on each area interface)
> > (config-if)# ip ospf authentication-key <text> # for plain text
> > or
> > (config-if)# ip ospf message-digest-key <key_id> md5 0 <text> # for
MD5
> >
> > Per interface:
> > 1. enable interface authentication
> > (config-if)# ip ospf authentication [message-digest | null]
> > 2. setup keys (same as above)
> >
> > mikrobi,
> > --
> > .
> > .
.

• Next message: Rick: "ISDN callback"
• Previous message: Joe: "RE: OSPF Virtual Links"
• Maybe in reply to: Jeffery S Kimes: "OSPF Virtual Links"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sat Feb 01 2003 - 07:33:49 GMT-3