RE: Area 0 - OSPF vlink auth.

From: Larson, Chris (CLarson@usaid.gov)
Date: Mon Aug 11 2003 - 12:46:37 GMT-3


I believe and this is my understanding:

That since you have area 0 authentication enabled on the router with the
virtual link, area 0 is authenticating. A virtual link is like any other
interface connected to area 0. Because you have no key on either end of your
virtual-link, that interface into area 0 is doing null authentication.
Similar to having the ability to do plain authentication on some interfaces
in area 0, while doing message digest or null authentication on others with
different keys between them.

Since the Virtual link is just like any other interface in area 0 and there
is no key defined, it is using null authentication.
If you configure area 10 virtual-link message-digest key 1 md5 blahblahblah

then the interface (virtual link) will be authenticated using the method
defined in the virtual link syntax rather than null authentication.

> -----Original Message-----
> From: Jason Cash [SMTP:cash2001@swbell.net]
> Sent: Monday, August 11, 2003 10:59 AM
> To: ccielab@groupstudy.com
> Subject: Area 0 - OSPF vlink auth.
>
> I was under the impression that if A0 was using authentication, that the
> virtual link themselves would need to use that same key. It is even
> explained in the following link:
>
> http://www.cisco.com/warp/public/104/27.html
>
> The scenario that I have is such:
>
> (area50)R5(area10)R6(area0)R8
>
> The config for R6:
> !
> interface Serial0.2 point-to-point (to R5)
>  ip address 150.4.10.9 255.255.255.248
>  frame-relay interface-dlci 605
> interface Serial1 (to R8)
>  ip address 150.4.68.1 255.255.255.252
>  encapsulation ppp
>  ip ospf message-digest-key 1 md5 cisco
>  clockrate 250000
>  ppp quality 80
> router ospf 1
>  router-id 150.4.6.6
>  log-adjacency-changes
>  area 0 authentication message-digest
>  area 10 virtual-link 150.4.5.5
>  network 150.4.6.0 0.0.0.255 area 0
>  network 150.4.10.0 0.0.0.7 area 20
>  network 150.4.10.8 0.0.0.7 area 10
>  network 150.4.68.0 0.0.0.3 area 0
>
> R5 config:
> interface Serial0.1 point-to-point
>  ip address 150.4.10.10 255.255.255.248
>  frame-relay interface-dlci 506
> router ospf 1
>  router-id 150.4.5.5
>  log-adjacency-changes
>  area 0 authentication message-digest
>  area 10 virtual-link 150.4.6.6
>  network 150.4.10.8 0.0.0.7 area 10
>  network 150.4.50.0 0.0.0.255 area 50
>
>
> R5#sh ip ospf vir
> Virtual Link OSPF_VL0 to router 150.4.6.6 is up
> Run as demand circuit
> DoNotAge LSA allowed.
> Transit area 10, via interface Serial0.1, Cost of using 64
> Transmit Delay is 1 sec, State POINT_TO_POINT,
> Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
> Hello due in 00:00:06
> Adjacency State FULL (Hello suppressed)
> Index 1/2, retransmission queue length 0, number of retransmission 2
> First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
> Last retransmission scan length is 1, maximum is 1
> Last retransmission scan time is 0 msec, maximum is 0 msec
> Message digest authentication enabled
> No key configured, using default key id 0
>
> R5#si os
> 150.4.0.0/16 is variably subnetted, 10 subnets, 3 masks
> O 150.4.6.0/24 [110/65] via 150.4.10.9, 00:07:41, Serial0.1
> O IA 150.4.10.0/29 [110/192] via 150.4.10.9, 00:07:41, Serial0.1
> O 150.4.8.0/24 [110/129] via 150.4.10.9, 00:07:41, Serial0.1
> O IA 150.4.14.0/24 [110/129] via 150.4.10.9, 00:07:41, Serial0.1
> O 150.4.68.0/30 [110/128] via 150.4.10.9, 00:07:41, Serial0.1
>
>
> As you can see, R5 is getting the routes in the OSPF domain without the
> auth-key defined. Does this contradict the link provided above from
> cisco?

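An added example, not part of the original thread: a small configuration audit that flags the situation discussed above, where area 0 authentication is enabled but a virtual link carries no key of its own (the state the `show` output reports as "No key configured, using default key id 0"). The function name and sample strings are constructed for illustration; it assumes the per-link options are written with the IOS keywords `message-digest-key`, `authentication-key` and `authentication null`.

```python
import re
from collections import defaultdict

AREA0_AUTH = re.compile(r"area (?:0|0\.0\.0\.0) authentication( message-digest)?$")
VLINK = re.compile(r"area (\S+) virtual-link (\S+)(.*)$")
LINK_AUTH = re.compile(r" authentication(?: (message-digest|null))?(?= |$)")

# Constructed input: part of the R6 config as quoted in the thread (indentation lost).
R6_AS_POSTED = """\
interface Serial1
ip ospf message-digest-key 1 md5 cisco
router ospf 1
router-id 150.4.6.6
area 0 authentication message-digest
area 10 virtual-link 150.4.5.5
network 150.4.68.0 0.0.0.3 area 0
"""
# Constructed input: the same link with a key, using a placeholder secret.
R6_KEYED = R6_AS_POSTED.replace(
    "virtual-link 150.4.5.5",
    "virtual-link 150.4.5.5 message-digest-key 1 md5 PLACEHOLDER-KEY")

def audit_virtual_links(config):
    """Return (process, transit_area, peer_rid, reason) for keyless virtual links."""
    area0_mode = {}             # OSPF process id -> "message-digest" or "simple"
    vlinks = defaultdict(str)   # (process, area, peer RID) -> all options seen
    process = None
    for raw in config.splitlines():
        line = raw.strip()      # tolerate configs pasted without indentation
        if line.startswith("router ospf "):
            process = line.split()[2]
        elif line.startswith(("router ", "interface ")):
            process = None      # left the OSPF process section
        elif process and (m := AREA0_AUTH.match(line)):
            area0_mode[process] = "message-digest" if m.group(1) else "simple"
        elif process and (m := VLINK.match(line)):
            vlinks[(process, m.group(1), m.group(2))] += m.group(3)
    findings = []
    for (proc, area, rid), opts in sorted(vlinks.items()):
        mode = area0_mode.get(proc)          # virtual links belong to area 0
        if (m := LINK_AUTH.search(opts)):    # per-link setting overrides the area
            mode = m.group(1) or "simple"
        if mode == "null":
            findings.append((proc, area, rid, "explicit null authentication"))
        elif mode == "message-digest" and " message-digest-key " not in opts:
            findings.append((proc, area, rid, "message-digest with no key configured"))
        elif mode == "simple" and " authentication-key " not in opts:
            findings.append((proc, area, rid, "simple authentication with no key configured"))
    return findings
```

Run against the posted R6 stanza it reports the virtual link to 150.4.5.5; with a key on the link it reports nothing.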