RE: ospf question

From: Daniel Cisco Group Study (danielcgs@imc.net.au)
Date: Thu Apr 24 2003 - 21:45:19 GMT-3


I'd like to share some thoughts about this..... Hopefully may help.

(1) When we enable area authentication (eg area 0 authentication message-digest), do we have to configure passwords on all interfaces? In practice, NO. The adj still comes up, and "key 0" is used, something like a blank password I guess. Give it a go. In the lab, we need to do it the proper "cisco" way, and we configure passwords on all links in area 0. Everyone agree?

(2) Now, a virtual link is an extension of area 0. Look at it as another link in area 0. If area 0 is using authentication, then the virtual link needs authentication. A practical solution is "area 0 authentication message-digest" on the router that is not physically connected to area 0. What does this do? It sets up authentication on the virtual link using "key 0" for the password - ie the so called blank password that I mentioned earlier. What is the "lab" or "cisco" answer? I would suspect we follow the same rules that we would for all links within area 0 - configure a password on the virtual link.

In my view, the correct answer is something like:

router ospf 1
 log-adjacency-changes
 area 0 authentication message-digest
 area 1 virtual-link 172.16.135.5 message-digest-key 1 md5 cisco
 area 2 range 172.16.104.0 255.255.255.0
 network 172.16.104.9 0.0.0.0 area 2
 network 172.16.135.0 0.0.0.15 area 1

This not only enables auth for area 0, but sets a password on the virtual link.

Comments?

Daniel

-----Original Message-----
From: Kris Minarcin [mailto:kristen.minarcin@digiconasp.com]
Sent: Friday, 25 April 2003 08:03
To: Daniel Free; Teck PhrEAk!!; Danny.Andaluz@triaton-na.com;
ccielab@groupstudy.com
Subject: RE: ospf question

This is what I have - without the password configured on the virtual link. I
included the sh ip ospf virtual-link command and it shows that it did come
up full, and is using a default key?? Any ideas why this is happening?
Shouldn't it not allow the adjacency..

interface Ethernet0
 ip address 172.16.135.1 255.255.255.240
 ip pim sparse-mode
 ip ospf message-digest-key 1 md5 cisco
 ip ospf priority 100

router ospf 1
 log-adjacency-changes
 area 0 authentication message-digest
 area 1 virtual-link 172.16.135.5
 area 1 virtual-link 172.16.135.3
 area 2 range 172.16.104.0 255.255.255.0
 network 172.16.104.9 0.0.0.0 area 2
 network 172.16.135.0 0.0.0.15 area 1

Virtual Link OSPF_VL1 to router 172.16.135.5 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 1, via interface Ethernet0, Cost of using 10
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:06
    Adjacency State FULL (Hello suppressed)
    Index 1/3, retransmission queue length 0, number of retransmission 3
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 1, maximum is 1
    Last retransmission scan time is 0 msec, maximum is 0 msec
  Message digest authentication enabled
      No key configured, using default key id 0
Virtual Link OSPF_VL0 to router 172.16.135.3 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 1, via interface Ethernet0, Cost of using 10
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:06
    Adjacency State FULL (Hello suppressed)
    Index 2/4, retransmission queue length 0, number of retransmission 1
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 1, maximum is 1
    Last retransmission scan time is 0 msec, maximum is 0 msec
  Message digest authentication enabled
      No key configured, using default key id 0
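The "No key configured, using default key id 0" line above is the tell-tale of a virtual link that is authenticated in name only. As an added example (not code from anyone in this thread), here is a small Python check that parses "show ip ospf virtual-links" output in the format quoted above and flags links that are FULL under MD5 with no key; the sample text is constructed from the posted output, with VL0 altered to a keyed case.

```python
import re

# Constructed sample based on the "show ip ospf virtual-links" output in the
# thread: VL1 as posted (default key id 0); VL0 altered to a constructed keyed case.
SAMPLE_OUTPUT = """\
Virtual Link OSPF_VL1 to router 172.16.135.5 is up
  Transit area 1, via interface Ethernet0, Cost of using 10
    Adjacency State FULL (Hello suppressed)
  Message digest authentication enabled
      No key configured, using default key id 0
Virtual Link OSPF_VL0 to router 172.16.135.3 is up
  Transit area 1, via interface Ethernet0, Cost of using 10
    Adjacency State FULL (Hello suppressed)
  Message digest authentication enabled
      Youngest key id is 1
"""

HEADER = re.compile(r"^Virtual Link (\S+) to router (\S+) is (\w+)")
TRANSIT = re.compile(r"^\s*Transit area (\S+),")
ADJ = re.compile(r"^\s*Adjacency State (\w+)")

def parse_virtual_links(text):
    """One dict per 'Virtual Link ...' block; neighbor is the far-end router ID."""
    links, cur = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = {"name": m[1], "neighbor": m[2], "link": m[3], "area": None,
                   "adjacency": None, "md5": False, "default_key": False}
            links.append(cur)
        elif cur is None:
            continue
        elif m := TRANSIT.match(line):
            cur["area"] = m[1]
        elif m := ADJ.match(line):
            cur["adjacency"] = m[1]
        elif "Message digest authentication enabled" in line:
            cur["md5"] = True
        elif "No key configured" in line:      # IOS: "using default key id 0"
            cur["default_key"] = True
    return links

def audit(links):
    """Flag links that run MD5 with no key: authenticated in name only."""
    return [
        f"{vl['name']} to {vl['neighbor']}: MD5 enabled but no key configured; "
        f"set 'area {vl['area']} virtual-link {vl['neighbor']} "
        f"message-digest-key <id> md5 <key>' on both ends"
        for vl in links if vl["md5"] and vl["default_key"]
    ]
```

Feed audit(parse_virtual_links(...)) the captured output from each router that terminates a virtual link; an empty result means every MD5 virtual link has a real key.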

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Daniel Free
Sent: Thursday, April 24, 2003 12:38 AM
To: Teck PhrEAk!!; Danny.Andaluz@triaton-na.com; ccielab@groupstudy.com
Subject: Re: ospf question

Hi,
Sorry to have to disagree but you need to configure the password on the
virtual link in your sample scenario. Check ip ospf virtual and see if
the adjacency is full. Probably not. Check the below link. Thanks. Best of
luck.
Danny
http://www.cisco.com/warp/public/104/27.html

----- Original Message -----
From: "Teck PhrEAk!!" <phreakinphunk@hotmail.com>
To: <Danny.Andaluz@triaton-na.com>; <ccielab@groupstudy.com>
Sent: Thursday, April 24, 2003 2:24 AM
Subject: Re: ospf question

> Hi Danny,
>
> Yes, creating a virtual-link is like extending the boundary of area
> 0.....the implementation of a virtual-link requires area 0 authentication
> on the other side of the virtual-link, the one which does not have any
> interfaces in area 0.
>
> also b'coz you are creating a virtual-link......and no actual interfaces
> are involved in creating a virtual-link you don't require interface
> authentication.
>
> cheers,
>
> sumit.
>
> >From: Danny.Andaluz@triaton-na.com
> >Reply-To: Danny.Andaluz@triaton-na.com
> >To: ccielab@groupstudy.com
> >Subject: ospf question
> >Date: Thu, 24 Apr 2003 00:44:13 -0400
> >
> >router ospf 1000
> > log-adjacency-changes
> > area 0 authentication message-digest
> > area 6 virtual-link x.x.x.x
> > network x.x.x.x 0.0.0.255 area 6
> > network x.x.x.x 0.0.0.255 area 10
> >
> >Hello,
> >
> >This router has a virtual link to area 0 through area 6. Area 0 is doing
> >authentication. I could not get the routes on the this router into the
> >rest of the ospf network unless I added the "area 0 authentication
> >message-digest" on this router. This is very strange since this router
> >does not have any interfaces in area 0. Unless the virtual link is like an
> >interface in Area 0. Also, I did not have to add the password anywhere
> >on the router. Strange. It's almost like half authentication. Can someone
> >explain this?
> >
> >TIA,
> >Danny
>
>




This archive was generated by hypermail 2.1.4 : Thu May 01 2003 - 13:36:05 GMT-3