From: Jason Cash (cash2001@swbell.net)
Date: Mon Aug 11 2003 - 15:33:48 GMT-3
Well, that is the issue, R6 and R8 (area 0) do have a key defined:
R6
interface Serial1
ip address 150.4.68.1 255.255.255.252
encapsulation ppp
ip ospf message-digest-key 1 md5 cisco
no peer neighbor-route
clockrate 250000
ppp quality 80
However, Area 10 (virtual link) is not assigned a key and is just configured
with the same auth-type:
R6
router ospf 1
router-id 150.4.6.6
log-adjacency-changes
area 0 authentication message-digest
area 10 virtual-link 150.4.5.5
area 56 virtual-link 150.4.5.5
This is working as I have rebooted the router and restarted the process and
all routes are still present. My question is, under what circumstances is
Virtual-link auth required? In the cisco example at:
http://www.cisco.com/warp/public/104/27.html
They are authenticating on the Virtual link as I usually do. What is the
best practice?
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Joe Martin
Sent: Monday, August 11, 2003 1:02 PM
To: Jason Cash; ccielab@groupstudy.com
Jason,
Scenario
R1------R2--------R3-------R4
<-Area0->|<-Area1->|<-Area2->
The virtual link is configured on r2 and r3. Area 0 is using type 2
authentication, so the "area 0 authentication message-digest" command has
been issued on routers r1 and r2. This command simply specifies the
authentication type to be used for this area; it doesn't actually enable
authentication.
It tells the router that all updates to and from neighbors in area 0 should
use type 2 authentication. Until I actually configure a key id and key
value on the specific interfaces in area 0, it is using null authentication.
I then issue the following command on each interface in area 0:
ip ospf message-digest-key n md5 xxxx
where n is the key id and xxxx is the key value. The value can be anything
and can be different for every interface in the area. However, all routers
connected to the same network must use the same value and key id.
If I wanted to, I could override the area authentication type on a per
interface basis by using the following interface commands:
ip ospf authentication
ip ospf authentication-key xxxx
or
ip ospf authentication message-digest
ip ospf message-digest-key n md5 xxxx
Depending on what authentication type you were trying to override ( type 2
and type 1, respectively).
As for a virtual link, it is really just a "virtual" interface to area 0.
If area 0 is using type 2 authentication then the virtual link should also
be configured with the "ip ospf message-digest-key n md5 xxxx" command.
Also, in this scenario, r3 should be configured with the "area 0
authentication message-digest". Even though it has no physical interfaces
in area 0, it does have a "virtual" interface in area 0.
Hope that wasn't too confusing.
Joe Martin
CCIE #12035
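The rule Joe describes (the "area X authentication message-digest" line only selects the type; the key itself is per interface, and a virtual link is an area 0 interface that needs its own key) can be checked statically against a running config. The following Python script is an added example, not part of the thread or of any participant's message. It parses a constructed IOS-style config modelled on Jason's R6, maps each interface to its area via the most specific matching "network ... area" statement, and flags interfaces and virtual links that sit in a message-digest area without a message-digest-key. The config text and the finding wording are this example's own assumptions.

```python
"""Audit OSPF MD5 key coverage in an IOS-style config (added example)."""
import ipaddress
import re

# Constructed sample, modelled on the R6 config from the thread:
# Serial1 (area 0) has a key, the virtual link through area 10 does not.
SAMPLE_CONFIG = """\
interface Serial0.2 point-to-point
 ip address 150.4.10.9 255.255.255.248
 frame-relay interface-dlci 605
interface Serial1
 ip address 150.4.68.1 255.255.255.252
 encapsulation ppp
 ip ospf message-digest-key 1 md5 cisco
 clockrate 250000
router ospf 1
 router-id 150.4.6.6
 area 0 authentication message-digest
 area 10 virtual-link 150.4.5.5
 network 150.4.6.0 0.0.0.255 area 0
 network 150.4.10.0 0.0.0.7 area 20
 network 150.4.10.8 0.0.0.7 area 10
 network 150.4.68.0 0.0.0.3 area 0
"""


def norm_area(area):
    """Normalise an area id so '0' and '0.0.0.0' compare equal."""
    return str(int(ipaddress.IPv4Address(area))) if "." in area else area


def parse_config(text):
    """Return (interfaces, ospf).

    interfaces: name -> {'ip': IPv4Address|None, 'md5_keys': [key ids]}
    ospf: {'md5_areas': set, 'networks': [(net, wildcard, area)],
           'vlinks': [(transit_area, router_id, has_key)]}
    """
    interfaces = {}
    ospf = {"md5_areas": set(), "networks": [], "vlinks": []}
    section = None  # ("intf", name) or ("ospf", None)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            name = line.split()[1]
            interfaces[name] = {"ip": None, "md5_keys": []}
            section = ("intf", name)
            continue
        if line.startswith("router ospf"):
            section = ("ospf", None)
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "intf":
            m = re.match(r"ip address (\S+) (\S+)$", line)
            if m:
                interfaces[name]["ip"] = ipaddress.IPv4Address(m.group(1))
            m = re.match(r"ip ospf message-digest-key (\d+) md5 ", line)
            if m:
                interfaces[name]["md5_keys"].append(int(m.group(1)))
        else:
            m = re.match(r"area (\S+) authentication message-digest$", line)
            if m:
                ospf["md5_areas"].add(norm_area(m.group(1)))
            m = re.match(r"network (\S+) (\S+) area (\S+)$", line)
            if m:
                ospf["networks"].append((ipaddress.IPv4Address(m.group(1)),
                                         ipaddress.IPv4Address(m.group(2)),
                                         norm_area(m.group(3))))
            m = re.match(r"area (\S+) virtual-link (\S+)(.*)$", line)
            if m:
                ospf["vlinks"].append((norm_area(m.group(1)), m.group(2),
                                       "message-digest-key" in m.group(3)))
    return interfaces, ospf


def area_of(ip, networks):
    """Most specific 'network N W area A' match (fewest wildcard bits), as IOS does."""
    best = None
    for net, wildcard, area in networks:
        mask = ~int(wildcard) & 0xFFFFFFFF
        if (int(ip) & mask) == (int(net) & mask):
            bits = bin(int(wildcard)).count("1")
            if best is None or bits < best[0]:
                best = (bits, area)
    return best[1] if best else None


def audit(text):
    """Return a list of findings; empty means every MD5 area has keys everywhere."""
    interfaces, ospf = parse_config(text)
    findings = []
    for name, intf in interfaces.items():
        if intf["ip"] is None:
            continue
        area = area_of(intf["ip"], ospf["networks"])
        if area in ospf["md5_areas"] and not intf["md5_keys"]:
            findings.append(f"{name}: area {area} uses message-digest but the "
                            f"interface has no message-digest-key (null auth in effect)")
    # A virtual link is always an area 0 interface, whatever its transit area.
    for transit, rid, has_key in ospf["vlinks"]:
        if "0" in ospf["md5_areas"] and not has_key:
            findings.append(f"virtual-link to {rid} via area {transit}: area 0 uses "
                            f"message-digest but the link has no message-digest-key")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run on the sample config it reports only the virtual link, which is exactly the state Jason's "show ip ospf virtual-links" output reveals with "No key configured, using default key id 0": the adjacency still forms because both ends agree on a null key, so the missing key is silent unless you look for it.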
-----Original Message-----
From: Jason Cash [mailto:cash2001@swbell.net]
Sent: August 11, 2003 9:44 AM
To: 'Joe Martin'; ccielab@groupstudy.com
Subject: RE: Area 0 - OSPF vlink auth.
Then when would you want to use the md5 key on the virtual link? When a
different password than the a0 password is needed?
-----Original Message-----
From: Joe Martin [mailto:jmartin@capitalpremium.net]
Sent: Monday, August 11, 2003 10:11 AM
To: Jason Cash; ccielab@groupstudy.com
Jason,
The area 0 authentication [message-digest] command does enable
authentication for that area, but the key and key values are still
configured on an interface-by-interface basis. So if you have interfaces e0
and s0 in area 0 you will still need to configure the "ip ospf
message-digest-key 1 md5 cisco" command on those interfaces. In fact you
could use different keys on each interface.
HTH,
Joe Martin
CCIE #12035
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Jason Cash
Sent: August 11, 2003 8:59 AM
To: ccielab@groupstudy.com
Subject: Area 0 - OSPF vlink auth.
I was under the impression that if A0 was using authentication, that the
virtual links themselves would need to use that same key. It is even
explained in the following link:
http://www.cisco.com/warp/public/104/27.html
The scenario that I have is such:
(area50)R5(area10)R6(area0)R8
The config for R6:
!
interface Serial0.2 point-to-point (to R5)
 ip address 150.4.10.9 255.255.255.248
 frame-relay interface-dlci 605
interface Serial1 (to R8)
 ip address 150.4.68.1 255.255.255.252
 encapsulation ppp
 ip ospf message-digest-key 1 md5 cisco
 clockrate 250000
 ppp quality 80
router ospf 1
 router-id 150.4.6.6
 log-adjacency-changes
 area 0 authentication message-digest
 area 10 virtual-link 150.4.5.5
 network 150.4.6.0 0.0.0.255 area 0
 network 150.4.10.0 0.0.0.7 area 20
 network 150.4.10.8 0.0.0.7 area 10
 network 150.4.68.0 0.0.0.3 area 0
R5 config:
interface Serial0.1 point-to-point
ip address 150.4.10.10 255.255.255.248
frame-relay interface-dlci 506
router ospf 1
router-id 150.4.5.5
log-adjacency-changes
area 0 authentication message-digest
area 10 virtual-link 150.4.6.6
network 150.4.10.8 0.0.0.7 area 10
network 150.4.50.0 0.0.0.255 area 50
R5#sh ip ospf vir
Virtual Link OSPF_VL0 to router 150.4.6.6 is up
Run as demand circuit
DoNotAge LSA allowed.
Transit area 10, via interface Serial0.1, Cost of using 64
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:06
Adjacency State FULL (Hello suppressed)
Index 1/2, retransmission queue length 0, number of retransmission 2
First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
Last retransmission scan length is 1, maximum is 1
Last retransmission scan time is 0 msec, maximum is 0 msec
Message digest authentication enabled
No key configured, using default key id 0
R5#si os
150.4.0.0/16 is variably subnetted, 10 subnets, 3 masks
O 150.4.6.0/24 [110/65] via 150.4.10.9, 00:07:41, Serial0.1
O IA 150.4.10.0/29 [110/192] via 150.4.10.9, 00:07:41, Serial0.1
O 150.4.8.0/24 [110/129] via 150.4.10.9, 00:07:41, Serial0.1
O IA 150.4.14.0/24 [110/129] via 150.4.10.9, 00:07:41, Serial0.1
O 150.4.68.0/30 [110/128] via 150.4.10.9, 00:07:41, Serial0.1
As you can see, R5 is getting the routes in the OSPF domain without the
auth-key defined. Does this contradict the link provided above from cisco?
This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:53:57 GMT-3