RE: What I understand about Virtual-link Authentication and

From: Calton, Doug (Doug.Calton@getronics.com)
Date: Thu Mar 18 2004 - 06:10:53 GMT-3


I'd vote for the first. I think that the second config is still using
authentication for the virtual link, but defaulting to key 0, which
usually satisfies no real requirements.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Danny.Andaluz@triaton-na.com
Sent: Wednesday, March 17, 2004 10:22 PM
To: kwchen@netvigator.com; ccielab@groupstudy.com;
KWygand@customonline.com
Subject: RE: What I understand about Virtual-link Authentication and
Authentication in General

Thanks for your responses, William and Kenneth. Which would you say is
a valid config?

R1
router ospf 1
 router-id 172.16.106.1
 area 0 authentication message-digest
 area 26 virtual-link 172.16.102.1 message-digest-key 1 md5 nmc
 

R2
router ospf 1
 router-id 172.16.102.1
 area 0 authentication message-digest
 area 26 virtual-link 172.16.106.1 message-digest-key 1 md5 nmc

Or:
 
R1
router ospf 1
 router-id 172.16.106.1
 area 0 authentication message-digest
 area 26 virtual-link 172.16.102.1

R2
router ospf 1
 router-id 172.16.102.1
 area 0 authentication message-digest
 area 26 virtual-link 172.16.106.1

In both cases, R2 has the following on its Serial facing R3:

interface Serial0
 ip ospf message-digest-key 1 md5 nmc

I've seen it work both ways. But which one is correct? I suppose it
depends on the requirement, but I'm not sure. I'm still a bit confused
about this.

Thanks,
Danny

-----Original Message-----
From: William Chen [mailto:kwchen@netvigator.com]
Sent: Wednesday, March 17, 2004 7:40 PM
To: Andaluz, Danilo, Triaton/NA; ccielab@groupstudy.com
Subject: Re: What I understand about Virtual-link Authentication and
Authentication in General

Dear Danny,

   If I don't misunderstand your question, I think of OSPF authentication
in this way: Area authentication is like a global configuration, and if
it is enabled, then all the interfaces of that area will inherit the
authentication type. You need to use "ip ospf authentication null" to
override the area authentication in an interface. Moreover, the commands
"ip ospf authentication-key" and "ip ospf message-digest-key" only
define the key to use, but do not set the authentication type.

   Therefore, in the case of the link connected to R3 and R4, if you
have the area authentication in R3, but don't want the link to have any
authentication, then you have to use "ip ospf authentication null" in
the interface at R3. For the virtual link to work, you need either "area
0 authentication" in R1 (remember virtual-link is an interface in area
0), or explicitly set the virtual-link's authentication type by using
the command "area area-id virtual-link router-id
authentication|message-digest|null".

   HTH

Best Regards,
William Chen

----- Original Message -----
From: <Danny.Andaluz@triaton-na.com>
To: <ccielab@groupstudy.com>
Sent: Thursday, March 18, 2004 6:32 AM
Subject: What I understand about Virtual-link Authentication and
Authentication in General

> Here's how I think Virtual-link authentication works. I know this has
> been discussed at great length on this board, but I think I have it
> down now and want to double check.
>
> Area5-----R1----area20-------R2------Area0-------R3------Area0-----R4------area14
>
> Area 0 is being authenticated using MD5. On R2, R3 and R4 I have
> configured:
>
> Area 0 authentication message-digest
>
> Depending on the requirement, I can configure authentication on the
> link between R3 and R2 and not configure authentication between R3 and
> R4. As long as both sides have the same authentication configured (or
> not configured), it will work. Also, even though R4 does not have
> authentication configured on its only area 0 link, I still need to
> have "area 0 authentication message-digest" configured under router
> OSPF (I'd like to get an explanation for this. I think if you don't
> do it, you get mismatched authentication type errors, but why?).
>
> As far as the V-link goes, I only need to have "area 0 authentication
> message-digest" configured on R1. I see this V-link as I see the two
> links on R3 to R2 and R4. It can either have authentication configured
> or not; as long as both ends match. As far as the V-link goes, as long
> as both ends have the same config, it should work.
>
> I think this is it. If not, please be gentle....
>
> Thanks,
> Danny
>



This archive was generated by hypermail 2.1.4 : Thu Apr 01 2004 - 08:15:34 GMT-3
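
An added example, not part of the original thread: a small Python check that parses the two R1 `router ospf` variants Danny posted and flags a virtual link whose effective authentication type is MD5 but which carries no `message-digest-key`, the case Doug describes as defaulting to key 0. The function name and the finding fields are illustrative assumptions; inheriting the type from area 0 follows William's point that the virtual link is an interface in area 0.

```python
import re

# R1 variants copied from the thread (R2 mirrors them with the router IDs swapped).
CONFIG_WITH_KEY = """\
router ospf 1
 router-id 172.16.106.1
 area 0 authentication message-digest
 area 26 virtual-link 172.16.102.1 message-digest-key 1 md5 nmc
"""
CONFIG_NO_KEY = """\
router ospf 1
 router-id 172.16.106.1
 area 0 authentication message-digest
 area 26 virtual-link 172.16.102.1
"""

AREA_AUTH = re.compile(r"^\s*area (\S+) authentication(?: (message-digest))?\s*$")
VLINK = re.compile(r"^\s*area (\S+) virtual-link (\S+)(.*)$")
VL_AUTH = re.compile(r"\bauthentication(?!-key)(?: (message-digest|null)(?![-\w]))?")
VL_KEY = re.compile(r"\bmessage-digest-key (\d+) md5 \S+")


def audit_virtual_links(config):
    """Return one finding per virtual link in an IOS OSPF config (hypothetical helper)."""
    area_auth = {}  # area id -> "simple" | "message-digest"
    links = {}      # (transit area, neighbor router ID) -> option strings
    for line in config.splitlines():
        if m := AREA_AUTH.match(line):
            area_auth[m.group(1)] = m.group(2) or "simple"
        elif m := VLINK.match(line):
            links.setdefault((m.group(1), m.group(2)), []).append(m.group(3))
    findings = []
    for (transit, rid), opts in links.items():
        text = " ".join(opts)  # a link may be configured across several lines
        explicit = VL_AUTH.search(text)
        key = VL_KEY.search(text)
        # Explicit type on the virtual link wins; otherwise inherit area 0's type.
        # Assumption: the backbone is written "0", not "0.0.0.0".
        if explicit:
            auth = explicit.group(1) or "simple"
        else:
            auth = area_auth.get("0", "null")
        findings.append({
            "transit_area": transit, "neighbor": rid, "auth": auth,
            "key_id": int(key.group(1)) if key else None,
            "md5_without_key": auth == "message-digest" and key is None,
        })
    return findings
```

Running `audit_virtual_links` over both ends of a virtual link and comparing `auth` and `key_id` shows whether the two routers agree, and `md5_without_key` marks the second variant from the thread.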