From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Fri Oct 03 2003 - 00:52:36 GMT-3
You can use whatever authentication you want for the virtual link. There
is no requirement for the virtual link's authentication based on what
authentication the transit area is using.
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
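
Added example (Python, not written by anyone in this thread): an offline check of the rule discussed here, that a virtual link belongs to area 0, so each end uses area 0's authentication type unless a per-link `authentication` option overrides it, while the transit area's setting is ignored. The function names and sample configs are constructed for illustration; keys are assumed to be stored unencrypted as in the quoted snippets, and only the command forms quoted in this thread plus the per-link `authentication-key` option are parsed.

```python
import re

def vlink_auth(config, peer):
    """Return the effective (type, key) this router uses on its virtual link to peer."""
    area0, override, md5, simple, found = "null", None, None, None, False
    for line in (" ".join(raw.split()) for raw in config.splitlines()):
        m = re.fullmatch(r"area (?:0|0\.0\.0\.0) authentication( message-digest)?", line)
        if m:  # area-wide type for the backbone, which the virtual link belongs to
            area0 = "message-digest" if m.group(1) else "simple"
            continue
        m = re.fullmatch(r"area \S+ virtual-link (\S+)(.*)", line)
        if not m or m.group(1) != peer:
            continue  # this also skips the transit area's own authentication line
        found, opts = True, m.group(2)
        t = re.search(r"\bauthentication(?: (message-digest|null))?(?= |$)", opts)
        override = (t.group(1) or "simple") if t else override
        k = re.search(r"\bmessage-digest-key (\d+) md5 (\S+)", opts)
        md5 = (k.group(1), k.group(2)) if k else md5
        k = re.search(r"\bauthentication-key (\S+)", opts)
        simple = k.group(1) if k else simple
    if not found:
        raise ValueError(f"no virtual link to {peer} in this config")
    kind = override or area0  # a per-link setting wins over the area-wide one
    return kind, {"message-digest": md5, "simple": simple, "null": None}[kind]

def check_link(cfg_a, rid_a, cfg_b, rid_b):
    """Compare both ends of one virtual link and return a list of findings."""
    a, b = vlink_auth(cfg_a, rid_b), vlink_auth(cfg_b, rid_a)
    findings = []
    if a[0] != b[0]:
        findings.append(f"type mismatch: {rid_a}={a[0]} {rid_b}={b[0]}")
    elif a[0] != "null" and (a[1] is None or a[1] != b[1]):
        findings.append(f"{a[0]} key missing or not identical on both ends")
    if "null" in (a[0], b[0]):
        findings.append("at least one end sends unauthenticated OSPF packets")
    return findings

# Constructed sample configs, modelled on the R5/R3 snippets quoted in this thread.
R5 = """router ospf 1
 router-id 5.5.5.5
 area 0 authentication message-digest
 area 1 virtual-link 3.3.3.3 message-digest-key 1 md5 cisco"""
R3_OK = """router ospf 1
 router-id 3.3.3.3
 area 1 virtual-link 5.5.5.5 authentication message-digest
 area 1 virtual-link 5.5.5.5 message-digest-key 1 md5 cisco"""
R3_KEY_ONLY = """router ospf 1
 router-id 3.3.3.3
 area 1 virtual-link 5.5.5.5 message-digest-key 1 md5 cisco"""
```

`check_link(R5, "5.5.5.5", R3_OK, "3.3.3.3")` returns no findings, while the `R3_KEY_ONLY` variant is reported as a type mismatch because a key without an authentication type leaves that end at null authentication.
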
-----Original Message-----
From: Asep Ruhimat [mailto:asep.ruhimat@asaba.co.id]
Sent: Thursday, October 02, 2003 8:26 PM
To: Brian Dennis; William Lijewski; info@mpauli.de;
ccielab@groupstudy.com
Subject: RE: OSPF idiot infront of the router ...
Hi guys!
Good answer.
But what if area 0 uses cleartext authentication and area 1 uses
hash authentication?
Then what authentication is used for the area 1 virtual link, cleartext
authentication or hash authentication?
According to your solution, it should use cleartext authentication.
Correct me if I'm wrong!
regards,
Asep
-----Original Message-----
From: Brian Dennis [mailto:bdennis@internetworkexpert.com]
Sent: Friday, October 03, 2003 12:17 AM
To: 'William Lijewski'; info@mpauli.de; ccielab@groupstudy.com
Subject: RE: OSPF idiot infront of the router ...
As an alternative we could override area 0 authentication on the virtual
link by setting it back to the default of null authentication.
R5:
router ospf 1
router-id 5.5.5.5
area 0 authentication message-digest
area 1 virtual-link 3.3.3.3 authentication null
R3:
router ospf 1
router-id 3.3.3.3
area 1 virtual-link 5.5.5.5
Also if we were not permitted to use the "area <area-id> authentication
message-digest" command on R3 we could just enable it for the virtual
link itself:
R5:
router ospf 1
router-id 5.5.5.5
area 0 authentication message-digest
area 1 virtual-link 3.3.3.3 message-digest-key 1 md5 cisco
R3:
router ospf 1
router-id 3.3.3.3
area 1 virtual-link 5.5.5.5 authentication message-digest
area 1 virtual-link 5.5.5.5 message-digest-key 1 md5 cisco
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
William Lijewski
Sent: Thursday, October 02, 2003 9:57 AM
To: info@mpauli.de; ccielab@groupstudy.com
Subject: Re: OSPF idiot infront of the router ...
You are correct that you would need a virtual-link to connect Area 3 with
Area 0. However you do not need to put the same authentication on the
virtual-link that the transit area has. The virtual-link is an extension of
Area 0 - you're basically dragging Area 0 over to R3. Since the virtual-link
is an extension of Area 0, if you are doing Area authentication on Area 0
you should use the same type of authentication on the virtual-link. The
configuration would look something like this if you were doing MD5
authentication on Area 0:
R5
router ospf 1
router-id 5.5.5.5
area 0 authentication message-digest
area 1 virtual-link 3.3.3.3 message-digest-key 1 md5 cisco
R3
router ospf 1
router-id 3.3.3.3
area 0 authentication message-digest
area 1 virtual-link 5.5.5.5 message-digest-key 1 md5 cisco
On R3 we need the command 'area 0 authentication message-digest' since we
have carried Area 0 over the virtual-link to R3, R3 is now running Area 0.
We have to tell R3 to use the message-digest-key that we have configured on
the virtual-link. Both sides of the virtual-link will then use Key 1 with
the password Cisco to authenticate.
Bill Lijewski
CCIE #8642
Network Learning Inc
5 Day R&S CCIE Bootcamp Instructor
>From: info@mpauli.de
>Reply-To: info@mpauli.de
>To: ccielab@groupstudy.com
>Subject: OSPF idiot infront of the router ...
>Date: 02 Oct 2003 16:27:08 UT
>
>Hello guys,
>
>I've spent the whole day troubleshooting my OSPF-lab and I would like to
>share my gathered knowledge with you.
>
>Imagine the following situation:
>
>R4-----------------------R3----------------R5--------------R2
>OSPF-Demand, Area 3 Area 3/1 Area 1/0 Area 0
>
>My OSPF-Database was not equal on all routers, because:
>
>Each ABR (R3 in my case) needs to be attached to area0 !!! (Now that I know
>that, I read it everywhere....) :-)
>Thus I installed a virtual link to R5 and everything was fine.
>
>By the way, if the transit area is authenticated, the virt. link must be
>authenticated as well.
>
>Cheers
>Marcus
>
>
>-------- Original Message --------
>Subject: RE: Cisco memory allocation problem--need advice (02-Okt-2003
>18:12)
>From: eteisbe@qwest.com
>To: alee@cccis.com
>
> > Arthur,
> >
> > Here's a quick way to check to see if the issue is virus ICMP traffic
> > (likely).
> >
> > Create a two line access-list:
> >
> > access-list 101 deny icmp any any
> > access-list 101 permit ip any any
> >
> > Apply the list in-bound on the LAN interface:
> >
> > ip access-group 101 in
> >
> > You will likely see thousands of hits on the "deny icmp any any" line of
> > the access-list in a short period of time when you do a "show
> > access-list".
> >
> > I have seen the exact same thing happen on several routers. It can take
> > down a router with or without NAT running. It is likely a couple of
> > machines (or more) infected with Welchia or Nachi virus. It's amazing how
> > much traffic one or two machines can generate when infected with these
> > viruses.
> >
> > HTH
> > -Evan.
> >
> >
> > -----Original Message-----
> > From: alee@cccis.com [mailto:alee@cccis.com]
> > Sent: Thursday, October 02, 2003 10:40 AM
> > To: ccielab@groupstudy.com
> > Subject: Cisco memory allocation problem--need advice
> >
> >
> > Has anyone seen the following message in your router log? On Sep. 29, a
> > couple of our remote routers, plus the ISP router, had the memory problem
> > suddenly. I saw someone posted that a router rebooted due to a virus. Not
> > sure if it's related. I think it's very likely since we never had the
> > problem before. Any advice? BTW, here is the IOS we are running: IOS (tm)
> > C2600 Software (C2600-JS-M), Version 12.1(20). Thanks.
> >
> >
> > Sep 29 08:40:42 EST: %SYS-2-MALLOCFAIL: Memory allocation of 20000 bytes failed from 0x802AFFE0, alignment 0
> > Pool: Processor Free: 8471376 Cause: Memory fragmentation
> > Alternate Pool: None Free: 0 Cause: No Alternate pool
> >
> >
> >
> > Arthur Lee
> > Senior Network Engineer
> >
This archive was generated by hypermail 2.1.4 : Mon Nov 24 2003 - 07:52:56 GMT-3