RE: What I understand about Virtual-link Authentication and

From: Kenneth Wygand (KWygand@customonline.com)
Date: Wed Mar 17 2004 - 21:49:48 GMT-3


William,
 
I completely agree. Both your post and my post follow the exact same logic, so I now feel comfortable that my response was correct.
 
Thanks!
Ken

        -----Original Message-----
        From: nobody@groupstudy.com on behalf of William Chen
        Sent: Wed 3/17/2004 7:39 PM
        To: Danny.Andaluz@triaton-na.com; ccielab@groupstudy.com
        Cc:
        Subject: Re: What I understand about Virtual-link Authentication and Authentication in General
        
        

        Dear Danny,
        
           If I don't misunderstand your question, I think of OSPF authentication in
        this way: Area authentication is like a global configuration, and if it is
        enabled, then all the interfaces of that area will inherit the
        authentication type. You need to use "ip ospf authentication null" to
        override the area authentication in an interface. Moreover, the commands "ip
        ospf authentication-key" and "ip ospf message-digest key" only define the
        key to use, but do not set the authentication type.
        
           Therefore, in the case of the link connected to R3 and R4, if you have
        the area authentication in R3, but don't want the link to have any
        authentication, then you have to use "ip ospf authentication null" in the
        interface at R3. For the virtual link to work, you need either "area 0
        authentication" in R1 (remember virtual-link is an interface in area 0), or
        explicitly set the virtual-link's authentication type by using the command
        "area area-id virtual-link router-id authentication|message-digest|null".
        
           HTH
        
        Best Regards,
        William Chen
        
        ----- Original Message -----
        From: <Danny.Andaluz@triaton-na.com>
        To: <ccielab@groupstudy.com>
        Sent: Thursday, March 18, 2004 6:32 AM
        Subject: What I understand about Virtual-link Authentication and Authentication in General
        
        
> Here's how I think Virtual-link authentication works. I know this has been
> discussed at great length on this board, but I think I have it down now and
> want to double check.
>
>
>
> Area5-----R1----area20-------R2------Area0-------R3------Area0-----R4------area14
>
> Area 0 is being authenticated using MD5. On R2, R3 and R4 I have
> configured:
>
> Area 0 authentication message-digest
>
> Depending on the requirement, I can configure authentication on the link
> between R3 and R2 and not configure authentication between R3 and R4. As
> long as both sides have the same authentication configured (or not
> configured), it will work. Also, even though R4 does not have
> authentication configured on its only area 0 link, I still need to have
> "area 0 authentication message-digest" configured under router OSPF (I'd
> like to get an explanation for this. I think if you don't do it, you get
> mismatched authentication type errors, but why?).
>
> As far as the V-link goes, I only need to have "area 0 authentication
> message-digest" configured on R1. I see this V-link as I see the two links
> on R3 to R2 and R4. It can either have authentication configured or not; as
> long as both ends match. As far as the V-link goes, as long as both ends
> have the same config, it should work.
>
> I think this is it. If not, please be gentle....
>
> Thanks,
> Danny
>
> _______________________________________________________________________
> Please help support GroupStudy by purchasing your study materials from:
> http://shop.groupstudy.com
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
        



This archive was generated by hypermail 2.1.4 : Thu Apr 01 2004 - 08:15:33 GMT-3
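
The inheritance rules described in the thread (area setting inherited by interfaces, per-interface override, key commands that do not set the type, virtual link treated as an area 0 interface), as an added example that is not part of the original posts: a small Python resolver that reports the effective authentication type on each end. The configs are constructed; interface names, router IDs, the key string, decimal area IDs and the use of "ip ospf <pid> area <id>" to place interfaces in areas are assumptions.

```python
# Added example: effective OSPF authentication type per interface / virtual link.
# Constructed configs; names, router IDs and key are placeholders (assumptions).
R2 = """router ospf 1
 area 0 authentication message-digest
 area 20 virtual-link 1.1.1.1 message-digest-key 1 md5 EXAMPLEKEY
"""
R3 = """router ospf 1
 area 0 authentication message-digest
interface Serial0/0
 ip ospf 1 area 0
 ip ospf message-digest-key 1 md5 EXAMPLEKEY
interface Serial0/1
 ip ospf 1 area 0
 ip ospf authentication null
"""
R1_KEY_ONLY = """router ospf 1
 area 20 virtual-link 2.2.2.2 message-digest-key 1 md5 EXAMPLEKEY
"""
R1_FIXED = R1_KEY_ONLY + " area 0 authentication message-digest\n"

def auth_type(tokens):
    # Bare "authentication" = simple password; a type keyword may follow it.
    return tokens[0] if tokens and tokens[0] in ("message-digest", "null") else "simple"

def effective_auth(config):
    area_auth, if_area, override, vlinks, iface = {}, {}, {}, {}, None
    for t in filter(None, map(str.split, config.splitlines())):
        if t[0] in ("interface", "router"):
            iface = t[1] if t[0] == "interface" else None
        elif iface and t[:2] == ["ip", "ospf"] and len(t) > 2:
            if len(t) == 5 and t[3] == "area":      # ip ospf <pid> area <id>
                if_area[iface] = t[4]
            elif t[2] == "authentication":          # "...-key" lines set keys only
                override[iface] = auth_type(t[3:])
        elif t[0] == "area" and len(t) > 3 and t[2] == "virtual-link":
            rest = t[4:]
            vlinks[t[3]] = (auth_type(rest[rest.index("authentication") + 1:])
                            if "authentication" in rest else None)
        elif t[0] == "area" and len(t) > 2 and t[2] == "authentication":
            area_auth[t[1]] = auth_type(t[3:])
    # Interface override beats the area setting; a virtual link belongs to area 0.
    out = {i: override.get(i, area_auth.get(a, "null")) for i, a in if_area.items()}
    for rid, explicit in vlinks.items():
        out["vlink " + rid] = explicit or area_auth.get("0", "null")
    return out

if __name__ == "__main__":
    for name, cfg in {"R2": R2, "R3": R3, "R1 key only": R1_KEY_ONLY, "R1 fixed": R1_FIXED}.items():
        print(name, effective_auth(cfg))
```

With R1_KEY_ONLY the virtual link resolves to null on R1 while R2's end inherits message-digest from area 0, so the two ends disagree; R1_FIXED resolves both ends to message-digest.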