RE: OSPF idiot infront of the router ...

From: Asep Ruhimat (asep.ruhimat@asaba.co.id)
Date: Fri Oct 03 2003 - 00:25:39 GMT-3


Hi Guys!
Good answer.

But if area 0 uses cleartext authentication and area 1 uses hash authentication,
then what is the authentication for the area 1 virtual link? Does it use cleartext authentication or hash authentication?
According to your solution, it should use cleartext authentication.
Correct me if I am wrong!

regards,

Asep

-----Original Message-----
From: Brian Dennis [mailto:bdennis@internetworkexpert.com]
Sent: Friday, October 03, 2003 12:17 AM
To: 'William Lijewski'; info@mpauli.de; ccielab@groupstudy.com
Subject: RE: OSPF idiot infront of the router ...

As an alternative we could override area 0 authentication on the virtual
link by setting it back to the default of null authentication.

R5:
router ospf 1
router-id 5.5.5.5
area 0 authentication message-digest
area 1 virtual-link 3.3.3.3 authentication null

R3:
router ospf 1
router-id 3.3.3.3
area 1 virtual-link 5.5.5.5

Also if we were not permitted to use the "area <area-id> authentication
message-digest" command on R3 we could just enable it for the virtual
link itself:

R5:
router ospf 1
router-id 5.5.5.5
area 0 authentication message-digest
area 1 virtual-link 3.3.3.3 message-digest-key 1 md5 cisco

R3:
router ospf 1
router-id 3.3.3.3
area 1 virtual-link 5.5.5.5 authentication message-digest
area 1 virtual-link 5.5.5.5 message-digest-key 1 md5 cisco

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
Internetwork Expert, Inc.
http://www.InternetworkExpert.com

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
William Lijewski
Sent: Thursday, October 02, 2003 9:57 AM
To: info@mpauli.de; ccielab@groupstudy.com
Subject: Re: OSPF idiot infront of the router ...

You are correct that you would need a virtual-link to connect Area 3 with
Area 0. However you do not need to put the same authentication on the
virtual-link that the transit area has. The virtual-link is an extension of
Area 0 - you're basically dragging Area 0 over to R3. Since the virtual-link
is an extension of Area 0, if you are doing Area authentication on Area 0
you should use the same type of authentication on the virtual-link. The
configuration would look something like this if you were doing MD5
authentication on Area 0:

R5

router ospf 1
router-id 5.5.5.5
area 0 authentication message-digest
area 1 virtual-link 3.3.3.3 message-digest-key 1 md5 cisco

R3

router ospf 1
router-id 3.3.3.3
area 0 authentication message-digest
area 1 virtual-link 5.5.5.5 message-digest-key 1 md5 cisco

On R3 we need the command 'area 0 authentication message-digest' since we
have carried Area 0 over the virtual-link to R3, R3 is now running Area 0.
We have to tell R3 to use the message-digest-key that we have configured on
the virtual-link. Both sides of the virtual-link will then use Key 1 with
the password Cisco to authenticate.

Bill Lijewski
CCIE #8642
Network Learning Inc
5 Day R&S CCIE Bootcamp Instructor
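
The rule both replies above rely on (a virtual link belongs to Area 0, so it takes the Area 0 authentication type unless the virtual-link command overrides it), as an added example that is not part of the original thread. vlink_auth and check_vlink are hypothetical helper names, the configs are constructed from the snippets in the replies, and R3_KEY_ONLY is the case where a key is configured on the link but no authentication type is enabled on R3.

```python
# Added example; vlink_auth and check_vlink are hypothetical helper names.
# Constructed configs, pieced together from the snippets in the replies.
R5_MD5 = """router ospf 1
 area 0 authentication message-digest
 area 1 virtual-link 3.3.3.3 message-digest-key 1 md5 cisco"""
R5_NULL = """router ospf 1
 area 0 authentication message-digest
 area 1 virtual-link 3.3.3.3 authentication null"""
R3_PLAIN = """router ospf 1
 area 1 virtual-link 5.5.5.5"""
R3_VLINK_MD5 = """router ospf 1
 area 1 virtual-link 5.5.5.5 authentication message-digest
 area 1 virtual-link 5.5.5.5 message-digest-key 1 md5 cisco"""
R3_KEY_ONLY = """router ospf 1
 area 1 virtual-link 5.5.5.5 message-digest-key 1 md5 cisco"""

def vlink_auth(config, peer):
    """Return (auth type, MD5 key ids) in effect on the virtual link to peer."""
    area0, override, keys = "null", None, set()  # null auth is the default
    for words in (line.split() for line in config.splitlines()):
        if len(words) < 3 or words[0] != "area":
            continue
        if words[1] in ("0", "0.0.0.0") and words[2] == "authentication":
            area0 = "message-digest" if "message-digest" in words[3:] else "simple"
        elif words[2] == "virtual-link" and words[3:4] == [peer]:
            opts = words[4:]
            if "authentication" in opts:  # per-link keyword overrides area 0
                nxt = opts[opts.index("authentication") + 1:][:1]
                override = nxt[0] if nxt in (["message-digest"], ["null"]) else "simple"
            if "message-digest-key" in opts:
                keys.add(opts[opts.index("message-digest-key") + 1])
    return override or area0, keys

def check_vlink(cfg_a, rid_a, cfg_b, rid_b):
    """List mismatches that keep the link down, and ends left unauthenticated."""
    a_type, a_keys = vlink_auth(cfg_a, rid_b)
    b_type, b_keys = vlink_auth(cfg_b, rid_a)
    findings = []
    if a_type != b_type:
        findings.append(f"type mismatch: {rid_a}={a_type}, {rid_b}={b_type}")
    elif a_type == "message-digest" and not a_keys & b_keys:
        findings.append("no common message-digest key id")
    if "null" in (a_type, b_type):
        findings.append("virtual link unauthenticated on at least one end")
    return findings

if __name__ == "__main__":
    for r3 in (R3_VLINK_MD5, R3_KEY_ONLY):
        print(check_vlink(R5_MD5, "5.5.5.5", r3, "3.3.3.3"))
```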

>From: info@mpauli.de
>Reply-To: info@mpauli.de
>To: ccielab@groupstudy.com
>Subject: OSPF idiot infront of the router ...
>Date: 02 Oct 2003 16:27:08 UT
>
>Hello guys,
>
>I've spent the whole day to troubleshoot my OSPF-lab and I would like to
>share my gathered knowledge with you.
>
>Imagine the following situation:
>
>R4-----------------------R3----------------R5--------------R2
>OSPF-Demand, Area 3      Area 3/1          Area 1/0        Area 0
>
>My OSPF-Database was not equal on all routers, because:
>
>Each ABR (R3 in my case) needs to be attached to area0 !!! (Now that I know
>that, I read it everywhere....) :-)
>Thus I installed a virtual link to R5 and everything was fine.
>
>By the way, if the transit area is authenticated, the virt. link must be
>authenticated as well.
>
>Cheers
>Marcus
>
>
>-------- Original Message --------
>Subject: RE: Cisco memory allocation problem--need advice (02-Okt-2003
>18:12)
>From: eteisbe@qwest.com
>To: alee@cccis.com
>
> > Arthur,
> >
> > Here's a quick way to check to see if the issue is virus ICMP traffic
> > (likely).
> >
> > Create a two line access-list:
> >
> > access-list 101 deny icmp any any
> > access-list 101 permit ip any any
> >
> > Apply the list in-bound on the LAN interface:
> >
> > ip access-group 101 in
> >
> > You will likely see thousands of hits on the "deny icmp any any" line of
> > the access-list in a short period of time when you do a "show
> > access-list".
> >
> > I have seen the exact same thing happen on several routers. It can take
> > down a router with or without NAT running. It is likely a couple of
> > machines (or more) infected with Welchia or Nachi virus. It's amazing how
> > much traffic one or two machines can generate when infected with these
> > viruses.
> >
> > HTH
> > -Evan.
> >
> >
> > -----Original Message-----
> > From: alee@cccis.com [mailto:alee@cccis.com]
> > Sent: Thursday, October 02, 2003 10:40 AM
> > To: ccielab@groupstudy.com
> > Subject: Cisco memory allocation problem--need advice
> >
> >
> > Has anyone seen the following message in your router log? On Sep. 29, a
> > couple of our remote routers, plus ISP router had the memory problem
> > suddenly. I saw someone posted router rebooted due to virus. Not sure if
> > it's related. I think it's very likely since we never had the problem
> > before. Any advice? BTW, here is the IOS we are running. IOS (tm) C2600
> > Software (C2600-JS-M), Version 12.1(20). Thanks.
> >
> >
> > Sep 29 08:40:42 EST: %SYS-2-MALLOCFAIL: Memory allocation of 20000 bytes failed
> > from 0x802AFFE0, alignment 0
> > Pool: Processor Free: 8471376 Cause: Memory fragmentation
> > Alternate Pool: None Free: 0 Cause: No Alternate pool
> >
> >
> >
> > Arthur Lee
> > Senior Network Engineer
> >
> >



This archive was generated by hypermail 2.1.4 : Mon Nov 24 2003 - 07:52:56 GMT-3