From: Brian Dennis (brian@5g.net)
Date: Thu May 22 2003 - 17:33:51 GMT-3
Yes you can. Here is an example of plain text (type 1) authentication
just for the virtual link on R1 and for the area on R2.

R1
router ospf 1
 router-id 1.1.1.1
 area 1 virtual-link 2.2.2.2 authentication
 area 1 virtual-link 2.2.2.2 authentication-key cisco

R2
router ospf 1
 router-id 2.2.2.2
 area 0 authentication
 area 1 virtual-link 1.1.1.1 authentication-key cisco

In this example the virtual link on R1 is overriding the plain text
authentication for area 0.

R1
router ospf 1
 router-id 1.1.1.1
 area 0 authentication
 area 1 virtual-link 2.2.2.2 authentication null

R2
router ospf 1
 router-id 2.2.2.2
 area 1 virtual-link 1.1.1.1

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Oliver Ziltener
Sent: Thursday, May 22, 2003 12:24 PM
To: G. R. Correia; jhays@jtan.com
Cc: ccielab@groupstudy.com
Subject: AW: OSPF Virtual-LInk Authentication
Other question to VL.
Can I have VL with authentication, but under the ospf process nothing
with area 0 authentication?
Example:
area 77 virtual-link <ip> authentication authentication-key cisco
no area 0 authentication
Oliver
-----Original Message-----
From: G. R. Correia [mailto:razzolini80@hotmail.com]
Sent: Thursday, May 22, 2003 19:51
To: jhays@jtan.com
Cc: ccielab@groupstudy.com
Subject: RE: OSPF Virtual-LInk Authentication
Hi Jonathan
your config may work, but it is not what Cisco does..
http://www.cisco.com/warp/public/104/27.html
From: "Jonathan V Hays" <jhays@jtan.com>
To: <ccielab@groupstudy.com>
CC: "'G. R. Correia'"
<razzolini80@hotmail.com>,<wantingfeng@hotmail.com>
Subject: RE: OSPF Virtual-LInk Authentication
Date: Thu, 22 May 2003 12:54:21 -0400
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> Behalf Of G. R. Correia
> Sent: Thursday, May 22, 2003 7:51 AM
> To: wantingfeng@hotmail.com; ccielab@groupstudy.com
> Subject: Re: OSPF Virtual-LInk Authentication
>
>
> that's because the virtual-link is considered an extension from area 0,
> and so it has to have the same authentication type as area 0; in this
> case, clear text.
> The transit area authentication type does not affect the virtual-link
> authentication type, that has to be same as the area 0.
>
> hth
>
> Guilherme
>
Sorry but that is not true.
The virtual-link authentication type does NOT have to be the same as
that of area 0. You can configure any link's authentication type
independently of the area's authentication type, and that rule applies
to a virtual-link's authentication type as well.
The example below is from my home lab, where I configured area 0 as
message-digest, with a message-digest-key on the serial link. But the
virtual-link (on r1 and r4) was configured for plain text
authentication. Even after rebooting all three routers I had full OSPF
connectivity. Note the command output for "sh ip ospf virtual-links" and
"show ip ospf interface" which show the two different types of
authentication.
Router r2 is in area 0, router r1 is an ABR in area 0 and area 1, and
router r4 is an ABR in area 1 and area 2 (which needs the virtual link).
r2--area 0--r1--area 1--r4--area 2 (1.2.3.4)
r2#
!
interface Serial1
ip address 10.21.1.1 255.255.0.0
ip ospf message-digest-key 1 md5 cisco
!
router ospf 1
area 0 authentication message-digest
network 10.21.1.1 0.0.0.0 area 0
!
-----
r1#
interface Serial1
ip address 10.21.1.2 255.255.0.0
ip ospf message-digest-key 1 md5 cisco
clockrate 64000
!
router ospf 1
area 0 authentication message-digest
area 1 virtual-link 1.3.5.7 authentication authentication-key nortel
network 10.21.1.2 0.0.0.0 area 0
network 10.51.1.2 0.0.0.0 area 1
!
r1#sh ip ospf virtual-links
Virtual Link OSPF_VL1 to router 1.3.5.7 is up
Run as demand circuit
DoNotAge LSA allowed.
Transit area 1, via interface Ethernet0, Cost of using 10
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:09
Adjacency State FULL (Hello suppressed)
Index 2/3, retransmission queue length 0, number of retransmission 1
First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
Last retransmission scan length is 1, maximum is 1
Last retransmission scan time is 0 msec, maximum is 0 msec
Simple password authentication enabled
r1#sh ip ospf int s1
Serial1 is up, line protocol is up
Internet Address 10.21.1.2/16, Area 0
Process ID 1, Router ID 10.51.1.2, Network Type POINT_TO_POINT, Cost: 64
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:05
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 4 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 200.200.200.1
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1
r1#
-----
r4#
router ospf 1
area 1 virtual-link 10.51.1.2 authentication authentication-key nortel
network 1.3.5.7 0.0.0.0 area 2
network 10.51.1.1 0.0.0.0 area 1
!
----------
The routing tables show full OSPF connectivity:
r2#sh ip route | exclude -
Gateway of last resort is not set
C 200.200.200.0/24 is directly connected, Loopback0
1.0.0.0/32 is subnetted, 1 subnets
O IA 1.3.5.7 [110/75] via 10.21.1.2, 00:12:30, Serial1
137.20.0.0/24 is subnetted, 1 subnets
C 137.20.20.0 is directly connected, Ethernet0
10.0.0.0/16 is subnetted, 2 subnets
C 10.21.0.0 is directly connected, Serial1
O IA 10.51.0.0 [110/74] via 10.21.1.2, 00:12:30, Serial1
r2#
r1#
r1#sh ip route | exclude -
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
O IA 1.3.5.7 [110/11] via 10.51.1.1, 00:12:09, Ethernet0
10.0.0.0/16 is subnetted, 2 subnets
C 10.21.0.0 is directly connected, Serial1
C 10.51.0.0 is directly connected, Ethernet0
r1#
r4_ts#sh ip route | exclude -
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
C 1.3.5.7 is directly connected, Loopback135
10.0.0.0/16 is subnetted, 3 subnets
O 10.21.0.0 [110/74] via 10.51.1.2, 00:12:45, Ethernet0
C 10.51.0.0 is directly connected, Ethernet0
C 10.65.0.0 is directly connected, Serial1
r4_ts#
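
Added example (not part of the original thread, and not Cisco's code): a Python check that works out the effective authentication type of each OSPF virtual link from IOS-style "router ospf" lines, using the behaviour shown in the messages above: a per-link "authentication" keyword overrides, otherwise the link takes area 0's type. The function names are hypothetical, and the sample configs are retyped from the first message with the router-id lines left out.

```python
import re

AREA0_RE = re.compile(r"area\s+(?:0|0\.0\.0\.0)\s+authentication(?:\s+(message-digest))?\s*$")
VL_RE = re.compile(r"area\s+\S+\s+virtual-link\s+(\S+)(.*)")
# The "authentication" keyword, but not "authentication-key" or "message-digest-key".
AUTH_RE = re.compile(r"\bauthentication(?!-)(?:\s+(message-digest|null)(?![-\w]))?")

def effective_vl_auth(config):
    """Map each virtual-link neighbor router ID to its effective auth type."""
    area0, links = "null", {}
    for line in map(str.strip, config.splitlines()):
        m0, mv = AREA0_RE.match(line), VL_RE.match(line)
        if m0:
            area0 = m0.group(1) or "simple"
        elif mv:
            rid, rest = mv.groups()
            links.setdefault(rid, None)
            a = AUTH_RE.search(rest)
            if a:  # per-link keyword overrides the area 0 type
                links[rid] = a.group(1) or "simple"
    # A virtual link belongs to area 0, so with no override it inherits area 0's type.
    return {rid: t or area0 for rid, t in links.items()}

def audit_link(cfg_a, rid_a, cfg_b, rid_b):
    """Compare both ends of one virtual link; return (type_a, type_b, findings)."""
    a = effective_vl_auth(cfg_a).get(rid_b)
    b = effective_vl_auth(cfg_b).get(rid_a)
    findings = []
    if a != b:
        findings.append(f"type mismatch: {a} vs {b}")
    for t in sorted({a, b} - {None}):
        if t == "null":
            findings.append("no authentication")
        elif t == "simple":
            findings.append("cleartext key on the wire")
    return a, b, findings

# Sample configs retyped from the first message in this thread (router-id lines omitted).
EX1_R1 = """router ospf 1
 area 1 virtual-link 2.2.2.2 authentication
 area 1 virtual-link 2.2.2.2 authentication-key cisco"""
EX1_R2 = """router ospf 1
 area 0 authentication
 area 1 virtual-link 1.1.1.1 authentication-key cisco"""
EX2_R1 = """router ospf 1
 area 0 authentication
 area 1 virtual-link 2.2.2.2 authentication null"""
EX2_R2 = "router ospf 1\n area 1 virtual-link 1.1.1.1"
```

Calling audit_link(EX1_R1, "1.1.1.1", EX1_R2, "2.2.2.2") reports both ends as simple (type 1) even though only R2 sets area 0 authentication, and the second pair resolves to null on both ends.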