RE: ospf question

From: Teck PhrEAk!! (phreakinphunk@hotmail.com)
Date: Fri Apr 25 2003 - 00:37:24 GMT-3


yes daniel....u've nailed it !

cheers,

sumit.

>From: "Daniel Cisco Group Study" <danielcgs@imc.net.au>
>Reply-To: "Daniel Cisco Group Study" <danielcgs@imc.net.au>
>To: "Kris Minarcin" <kristen.minarcin@digiconasp.com>, "Daniel Free"
><danrose111@earthlink.net>, "Teck PhrEAk!!" <phreakinphunk@hotmail.com>,
> <Danny.Andaluz@triaton-na.com>, <ccielab@groupstudy.com>
>Subject: RE: ospf question
>Date: Fri, 25 Apr 2003 10:45:19 +1000
>
>I'd like to share some thoughts about this..... Hopefully may help.
>
>(1) When we enable area authentication (eg area 0 authentication
>message-digest), do we have to configure passwords on all interfaces? In
>practice, NO. The adj still comes up, and "key 0" is used, something like a
>blank password I guess. Give it a go. In the lab, we need to do it the
>proper "cisco" way, and we configure passwords on all links in area 0.
>Everyone agree?
>
>(2) Now, a virtual link is an extension of area 0. Look at it as another
>link in area 0. If area 0 is using authentication, then the virtual link
>needs authentication. A practical solution is "area 0 authentication
>message-digest" on the router that is not physically connected to area 0.
>What does this do? It sets up authentication on the virtual link using "key
>0" for the password - ie the so called blank password that I mentioned
>earlier. What is the "lab" or "cisco" answer? I would suspect we follow the
>same rules that we would for all links within area 0 - configure a password
>on the virtual link.
>
>In my view, the correct answer is something like:
>
>router ospf 1
> log-adjacency-changes
> area 0 authentication message-digest
> area 1 virtual-link 172.16.135.5 message-digest-key 1 md5 cisco
> area 2 range 172.16.104.0 255.255.255.0
> network 172.16.104.9 0.0.0.0 area 2
> network 172.16.135.0 0.0.0.15 area 1
>
>
>This not only enables auth for area 0, but sets a password on the virtual
>link.
>
>Comments?
>
>Daniel
>
>
>
>
>-----Original Message-----
>From: Kris Minarcin [mailto:kristen.minarcin@digiconasp.com]
>Sent: Friday, 25 April 2003 08:03
>To: Daniel Free; Teck PhrEAk!!; Danny.Andaluz@triaton-na.com;
>ccielab@groupstudy.com
>Subject: RE: ospf question
>
>
>this is what i have - without the password configured on the virtual link -
>i included the sh ip ospf virtual-link command and it shows that it did come
>up full, and is using a default key?? any ideas why this is happening ?
>Shouldn't it not allow the adjacency..
>
>interface Ethernet0
> ip address 172.16.135.1 255.255.255.240
> ip pim sparse-mode
> ip ospf message-digest-key 1 md5 cisco
> ip ospf priority 100
>
>router ospf 1
> log-adjacency-changes
> area 0 authentication message-digest
> area 1 virtual-link 172.16.135.5
> area 1 virtual-link 172.16.135.3
> area 2 range 172.16.104.0 255.255.255.0
> network 172.16.104.9 0.0.0.0 area 2
> network 172.16.135.0 0.0.0.15 area 1
>
>
>Virtual Link OSPF_VL1 to router 172.16.135.5 is up
> Run as demand circuit
> DoNotAge LSA allowed.
> Transit area 1, via interface Ethernet0, Cost of using 10
> Transmit Delay is 1 sec, State POINT_TO_POINT,
> Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
> Hello due in 00:00:06
> Adjacency State FULL (Hello suppressed)
> Index 1/3, retransmission queue length 0, number of retransmission 3
> First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
> Last retransmission scan length is 1, maximum is 1
> Last retransmission scan time is 0 msec, maximum is 0 msec
> Message digest authentication enabled
> No key configured, using default key id 0
>Virtual Link OSPF_VL0 to router 172.16.135.3 is up
> Run as demand circuit
> DoNotAge LSA allowed.
> Transit area 1, via interface Ethernet0, Cost of using 10
> Transmit Delay is 1 sec, State POINT_TO_POINT,
> Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
> Hello due in 00:00:06
> Adjacency State FULL (Hello suppressed)
> Index 2/4, retransmission queue length 0, number of retransmission 1
> First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
> Last retransmission scan length is 1, maximum is 1
> Last retransmission scan time is 0 msec, maximum is 0 msec
> Message digest authentication enabled
> No key configured, using default key id 0
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>Daniel Free
>Sent: Thursday, April 24, 2003 12:38 AM
>To: Teck PhrEAk!!; Danny.Andaluz@triaton-na.com; ccielab@groupstudy.com
>Subject: Re: ospf question
>
>
> Hi,
>Sorry to have to disagree but you need to configure the password on the
>virtual link in your
>sample scenario. Check ip ospf virtual and see if
>the adjacency is full. Probably not. Check the below link. Thanks. Best of
>luck.
> Danny
>http://www.cisco.com/warp/public/104/27.html
>
>----- Original Message -----
>From: "Teck PhrEAk!!" <phreakinphunk@hotmail.com>
>To: <Danny.Andaluz@triaton-na.com>; <ccielab@groupstudy.com>
>Sent: Thursday, April 24, 2003 2:24 AM
>Subject: Re: ospf question
>
>
> > Hi Danny,
> >
 > > Yes, creating a virtual-link is like extending the boundary of area
 > > 0.....the implementation of a virtual-link requires area 0 authentication
 > > on the other side of the virtual-link , the one which does not have any
 > > interfaces in area 0.
 > >
 > > also b'coz you are creating a virtual-link......and no actual interfaces
 > > are involved in creating a virtual-link you don't require interface
 > > authentication.
> >
> > cheers,
> >
> > sumit.
> >
> >
> >
> >
> > >From: Danny.Andaluz@triaton-na.com
> > >Reply-To: Danny.Andaluz@triaton-na.com
> > >To: ccielab@groupstudy.com
> > >Subject: ospf question
> > >Date: Thu, 24 Apr 2003 00:44:13 -0400
> > >
> > >router ospf 1000
> > > log-adjacency-changes
> > > area 0 authentication message-digest
> > > area 6 virtual-link x.x.x.x
> > > network x.x.x.x 0.0.0.255 area 6
> > > network x.x.x.x 0.0.0.255 area 10
> > >
> > >Hello,
> > >
 > > >This router has a virtual link to area 0 through area 6. Area 0 is doing
 > > >authentication. I could not get the routes on this router into the rest
 > > >of the ospf network unless I added the "area 0 authentication
 > > >message-digest" on this router. This is very strange since this router
 > > >does not have any interfaces in area 0. Unless the virtual link is like an
 > > >interface in Area 0. Also, I did not have to add the password anywhere on
 > > >the router. Strange. It's almost like half authentication. Can someone
 > > >explain this?
> > >
> > >TIA,
> > >Danny
> >
> >
>
>



This archive was generated by hypermail 2.1.4 : Thu May 01 2003 - 13:36:06 GMT-3
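
Added example, not part of the original thread: a Python check for the condition discussed above, where `area 0 authentication message-digest` is enabled but a virtual link carries no `message-digest-key`, so the adjacency forms on default key id 0. The sample config and show output are constructed from the thread's postings, and the function names are illustrative.

```python
import re

# Constructed sample based on the config in the thread; the second
# virtual link is given a key here so both outcomes are visible.
CONFIG = """\
router ospf 1
 log-adjacency-changes
 area 0 authentication message-digest
 area 1 virtual-link 172.16.135.5
 area 1 virtual-link 172.16.135.3 message-digest-key 1 md5 cisco
 area 2 range 172.16.104.0 255.255.255.0
"""
# Constructed, abridged "show ip ospf virtual-links" output.
SHOW_OUTPUT = """\
Virtual Link OSPF_VL1 to router 172.16.135.5 is up
  Adjacency State FULL (Hello suppressed)
  Message digest authentication enabled
    No key configured, using default key id 0
Virtual Link OSPF_VL0 to router 172.16.135.3 is up
  Message digest authentication enabled
    Youngest key id is 1
"""
VLINK = re.compile(r"^[ \t]+area \S+ virtual-link (\S+)(.*)$", re.M)
AREA0_MD5 = re.compile(
    r"^[ \t]+area (?:0|0\.0\.0\.0) authentication message-digest[ \t]*$", re.M)

def unkeyed_virtual_links(config):
    """Router IDs of virtual links under area 0 MD5 auth with no key set."""
    findings = []
    # One block per OSPF process: header line plus indented sub-commands.
    for block in re.findall(r"^router ospf .*\n(?:[ \t]+.*\n?)*", config, re.M):
        if not AREA0_MD5.search(block):
            continue
        keyed = {}  # a link's options may be spread over several lines
        for rid, rest in VLINK.findall(block):
            keyed[rid] = keyed.get(rid, False) or "message-digest-key" in rest
        findings += [rid for rid, ok in keyed.items() if not ok]
    return findings

def links_on_default_key(show_output):
    """Neighbours whose virtual link reports the default key id 0."""
    hits, current = [], None
    for line in show_output.splitlines():
        m = re.search(r"Virtual Link \S+ to router (\S+) is", line)
        if m:
            current = m.group(1)
        elif "using default key id 0" in line and current:
            hits.append(current)
    return hits
```

Run `unkeyed_virtual_links` over saved running-configs and `links_on_default_key` over captured show output; a router ID returned by either marks a virtual link that authenticates without a configured secret.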