Re: OSPF Virtual-Link Authentication

From: Daniel Free (danrose111@earthlink.net)
Date: Thu May 22 2003 - 15:50:06 GMT-3


Jonathan,

I believe the reason your virtual-link config worked is that you were using per-interface authentication on the vir-link. Per-interface authentication supersedes area authentication. Notice that you did not include "Area 0 authentication message-digest" in R4's OSPF process, but did include both "authentication" and "authentication-key" on the virtual link, thus defining interface authentication.

On R1 you needed the Area 0 authentication because it has an interface in Area 0. So it looks like you've taught us something new: that you can define per-interface authentication on a vir-link!!

Thanks.
        Danny
----- Original Message -----
From: "Jonathan V Hays" <jhays@jtan.com>
To: <ccielab@groupstudy.com>
Cc: "'G. R. Correia'" <razzolini80@hotmail.com>; <wantingfeng@hotmail.com>
Sent: Thursday, May 22, 2003 12:54 PM
Subject: RE: OSPF Virtual-Link Authentication

> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> > Behalf Of G. R. Correia
> > Sent: Thursday, May 22, 2003 7:51 AM
> > To: wantingfeng@hotmail.com; ccielab@groupstudy.com
> > Subject: Re: OSPF Virtual-Link Authentication
> >
> >
> > That's because the virtual-link is considered an extension of area 0, and so it
> > has to have the same authentication type as area 0; in this case, clear text.
> > The transit area authentication type does not affect the virtual-link
> > authentication type, which has to be the same as area 0's.
> >
> > hth
> >
> > Guilherme
> >
>
> Sorry but that is not true.
>
> The virtual-link authentication type does NOT have to be the same as
> that of area 0. You can configure any link's authentication type
> independently of the area's authentication type, and that rule applies
> to a virtual-link's authentication type as well.
>
> The example below is from my home lab, where I configured area 0 as
> message-digest, with a message-digest-key on the serial link. But the
> virtual-link (on r1 and r4) was configured for plain text
> authentication. Even after rebooting all three routers I had full OSPF
> connectivity. Note the command output for "sh ip ospf virtual-links" and
> "show ip ospf interface", which shows the two different types of
> authentication.
>
> Router r2 is in area 0, router r1 is an ABR in area 0 and area 1, and
> router r4 is an ABR in area 1 and area 2 (which needs the virtual link).
>
> r2--area 0--r1--area 1--r4--area 2 (1.2.3.4)
>
>
> r2#
> !
> interface Serial1
> ip address 10.21.1.1 255.255.0.0
> ip ospf message-digest-key 1 md5 cisco
> !
> router ospf 1
> area 0 authentication message-digest
> network 10.21.1.1 0.0.0.0 area 0
> !
> -----
> r1#
> interface Serial1
> ip address 10.21.1.2 255.255.0.0
> ip ospf message-digest-key 1 md5 cisco
> clockrate 64000
> !
> router ospf 1
> area 0 authentication message-digest
> area 1 virtual-link 1.3.5.7 authentication authentication-key nortel
> network 10.21.1.2 0.0.0.0 area 0
> network 10.51.1.2 0.0.0.0 area 1
> !
> r1#sh ip ospf virtual-links
> Virtual Link OSPF_VL1 to router 1.3.5.7 is up
> Run as demand circuit
> DoNotAge LSA allowed.
> Transit area 1, via interface Ethernet0, Cost of using 10
> Transmit Delay is 1 sec, State POINT_TO_POINT,
> Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
> Hello due in 00:00:09
> Adjacency State FULL (Hello suppressed)
> Index 2/3, retransmission queue length 0, number of retransmission 1
> First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
> Last retransmission scan length is 1, maximum is 1
> Last retransmission scan time is 0 msec, maximum is 0 msec
> Simple password authentication enabled
> r1#sh ip ospf int s1
> Serial1 is up, line protocol is up
> Internet Address 10.21.1.2/16, Area 0
> Process ID 1, Router ID 10.51.1.2, Network Type POINT_TO_POINT, Cost: 64
> Transmit Delay is 1 sec, State POINT_TO_POINT,
> Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
> Hello due in 00:00:05
> Index 2/2, flood queue length 0
> Next 0x0(0)/0x0(0)
> Last flood scan length is 1, maximum is 1
> Last flood scan time is 0 msec, maximum is 4 msec
> Neighbor Count is 1, Adjacent neighbor count is 1
> Adjacent with neighbor 200.200.200.1
> Suppress hello for 0 neighbor(s)
> Message digest authentication enabled
> Youngest key id is 1
> r1#
> -----
> r4#
> router ospf 1
> area 1 virtual-link 10.51.1.2 authentication authentication-key nortel
> network 1.3.5.7 0.0.0.0 area 2
> network 10.51.1.1 0.0.0.0 area 1
> !
> ----------
>
> The routing tables show full OSPF connectivity:
>
> r2#sh ip route | exclude -
>
> Gateway of last resort is not set
> C 200.200.200.0/24 is directly connected, Loopback0
> 1.0.0.0/32 is subnetted, 1 subnets
> O IA 1.3.5.7 [110/75] via 10.21.1.2, 00:12:30, Serial1
> 137.20.0.0/24 is subnetted, 1 subnets
> C 137.20.20.0 is directly connected, Ethernet0
> 10.0.0.0/16 is subnetted, 2 subnets
> C 10.21.0.0 is directly connected, Serial1
> O IA 10.51.0.0 [110/74] via 10.21.1.2, 00:12:30, Serial1
> r2#
>
>
> r1#
> r1#sh ip route | exclude -
>
> Gateway of last resort is not set
>
> 1.0.0.0/32 is subnetted, 1 subnets
> O IA 1.3.5.7 [110/11] via 10.51.1.1, 00:12:09, Ethernet0
> 10.0.0.0/16 is subnetted, 2 subnets
> C 10.21.0.0 is directly connected, Serial1
> C 10.51.0.0 is directly connected, Ethernet0
> r1#
>
>
> r4_ts#sh ip route | exclude -
>
> Gateway of last resort is not set
>
> 1.0.0.0/32 is subnetted, 1 subnets
> C 1.3.5.7 is directly connected, Loopback135
> 10.0.0.0/16 is subnetted, 3 subnets
> O 10.21.0.0 [110/74] via 10.51.1.2, 00:12:45, Ethernet0
> C 10.51.0.0 is directly connected, Ethernet0
> C 10.65.0.0 is directly connected, Serial1
> r4_ts#
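As an added example (not part of the thread, not Cisco code, and not any poster's own), the script below resolves the effective OSPF authentication type of every interface and virtual link from IOS configuration text using the rule the thread arrives at: a link-level "authentication" command overrides the area statement, and a virtual link with no link-level command takes area 0's type because that is the area it belongs to. It also flags a type that is enabled without its matching key and compares the two ends of a link. The embedded configs are constructed from Jonathan's r1 and r4 snippets; the two variants (r4 with the "authentication" keyword dropped, r1 with a bare "ip ospf authentication" added on Serial1) are constructed to show why Danny's point about needing both commands matters. The virtual-link parser assumes key strings do not collide with the keywords themselves, as noted in the code.

```python
"""Effective OSPF authentication type per interface and virtual link, resolved from IOS config text.
Added example for this archive page (not Cisco code, not any poster's code). It applies the precedence
the thread settles on: a link-level 'authentication' command beats the area statement, and a virtual
link with no link-level command falls back to area 0, the area it belongs to. Configs below are
constructed from the thread's r1 and r4 snippets."""
import ipaddress

KEY_KIND = {"authentication-key": "simple", "message-digest-key": "message-digest"}

def _net_matches(ip, network, wildcard):
    """IOS 'network A W area N' semantics: address bits where W is 0 must equal A's."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(ip)) & mask == int(ipaddress.IPv4Address(network)) & mask

def _auth_type(tokens):
    """Words after 'authentication' -> type; the bare keyword means simple password."""
    return tokens[0] if tokens and tokens[0] in ("message-digest", "null") else "simple"

def parse_ospf(config):
    """Collect interfaces, area authentication, network statements and virtual links."""
    interfaces, area_auth, networks, vlinks = {}, {}, [], {}
    section = None
    for raw in config.splitlines():
        words = raw.strip().split()
        if not words or words[0] == "!":                     # blank line or '!' ends a stanza
            section = None
        elif words[0] == "interface" and len(words) > 1:
            section = ("if", words[1])
            interfaces[words[1]] = {"ip": None, "auth": None, "keys": set()}
        elif words[:2] == ["router", "ospf"]:
            section = ("ospf", None)
        elif section and section[0] == "if" and len(words) > 2:
            entry = interfaces[section[1]]
            if words[:2] == ["ip", "address"]:
                entry["ip"] = words[2]
            elif words[:3] == ["ip", "ospf", "authentication"]:
                entry["auth"] = _auth_type(words[3:])        # explicit link-level type
            elif words[:2] == ["ip", "ospf"] and words[2] in KEY_KIND:
                entry["keys"].add(KEY_KIND[words[2]])
        elif section and section[0] == "ospf" and len(words) > 2:
            if words[0] == "network" and len(words) > 4:
                networks.append((words[1], words[2], words[4]))
            elif words[0] == "area" and words[2] == "authentication":
                area_auth[words[1]] = _auth_type(words[3:])
            elif words[0] == "area" and words[2] == "virtual-link" and len(words) > 3:
                vl = vlinks.setdefault(words[3], {"auth": None, "keys": set()})
                # Options may share one line, as in the thread; key strings are assumed not to collide with keywords.
                for j, tok in enumerate(words[4:], start=4):
                    if tok == "authentication":
                        vl["auth"] = _auth_type(words[j + 1:j + 2])
                    elif tok in KEY_KIND:
                        vl["keys"].add(KEY_KIND[tok])
    return interfaces, area_auth, networks, vlinks

def effective_auth(config):
    """{interface or 'virtual-link <rid>': (effective type, note)}; the note flags a type with no key."""
    interfaces, area_auth, networks, vlinks = parse_ospf(config)
    result = {}
    for name, e in interfaces.items():
        area = next((a for n, w, a in networks if e["ip"] and _net_matches(e["ip"], n, w)), None)
        if area is not None:                                  # only OSPF-enabled interfaces
            result[name] = _resolve(e["auth"] or area_auth.get(area, "null"), e["keys"])
    for rid, vl in vlinks.items():                            # a virtual link belongs to area 0
        result["virtual-link " + rid] = _resolve(vl["auth"] or area_auth.get("0", "null"), vl["keys"])
    return result

def _resolve(typ, keys):
    """Pair the effective type with a warning when that type has no key configured."""
    return typ, "" if typ == "null" or typ in keys else f"{typ} enabled but no {typ} key configured"

def neighbor_mismatches(eff_a, eff_b, pairs):
    """(name_a, name_b, type_a, type_b) for every link whose two ends disagree on type."""
    return [(a, b, eff_a[a][0], eff_b[b][0]) for a, b in pairs if eff_a[a][0] != eff_b[b][0]]

# Constructed from the thread's r1 and r4 snippets.
R1_CONFIG = """
interface Serial1
 ip address 10.21.1.2 255.255.0.0
 ip ospf message-digest-key 1 md5 cisco
!
router ospf 1
 area 0 authentication message-digest
 area 1 virtual-link 1.3.5.7 authentication authentication-key nortel
 network 10.21.1.2 0.0.0.0 area 0
 network 10.51.1.2 0.0.0.0 area 1
!
"""
R4_CONFIG = """
router ospf 1
 area 1 virtual-link 10.51.1.2 authentication authentication-key nortel
 network 1.3.5.7 0.0.0.0 area 2
 network 10.51.1.1 0.0.0.0 area 1
!
"""
# Constructed variant: key kept, 'authentication' keyword dropped -> falls back to area 0, unset on r4.
R4_KEY_ONLY = R4_CONFIG.replace("authentication authentication-key", "authentication-key")
# Constructed variant: bare 'ip ospf authentication' on Serial1 overrides the md5 area with a keyless simple type.
R1_IF_OVERRIDE = R1_CONFIG.replace(" ip ospf message-digest-key", " ip ospf authentication\n ip ospf message-digest-key")
```

Running effective_auth on the r1 text yields message-digest for Serial1 and simple for the virtual link, matching the two show outputs above. The r4 variant without the "authentication" keyword resolves to null, and neighbor_mismatches reports the disagreement with r1's end; the r1 variant shows the interface-level command winning over the area, along with a warning that no simple-password key is configured for it.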



This archive was generated by hypermail 2.1.4 : Mon Jun 02 2003 - 15:13:46 GMT-3