Re: What I understand about Virtual-link Authentication and

From: Chris Larson (clarson52@comcast.net)
Date: Thu Mar 18 2004 - 10:09:16 GMT-3


If the requirement is area 0 should use strong encryption, then a virtual
link is an interface in area 0 and should meet the same requirement, making
the first set correct. The second set will work but will not be using
strong encryption and would therefore fail the requirements.

Chris

----- Original Message -----
From: <Danny.Andaluz@triaton-na.com>
To: <matijevi@bellsouth.net>
Cc: <ccielab@groupstudy.com>
Sent: Thursday, March 18, 2004 12:20 AM
Subject: RE: What I understand about Virtual-link Authentication and
Authentication in General

> John,
>
> I actually have tested this and seen how it works. I still had some
> questions on it and was hoping to find some help here. I have Doyle, I have
> Parkhurst and I have looked at the doc cd. I'm not the kind of person that
> comes here first for quick and easy answers. I do as much research as I
> can, then use the group when I run out of options. I may be dense at times,
> but not lazy. Isn't this a forum to share ideas and ask questions on
> everything R&S???
>
> Please accept my apologies if my post "offended" you.
>
> Danny
>
> -----Original Message-----
> From: John Matijevic [mailto:matijevi@bellsouth.net]
> Sent: Wednesday, March 17, 2004 10:43 PM
> To: Andaluz, Danilo, Triaton/NA; kwchen@netvigator.com;
> ccielab@groupstudy.com; KWygand@customonline.com
> Subject: RE: What I understand about Virtual-link Authentication and
> Authentication in General
>
> Danny,
> You should be able to test this out and find the answer yourself. I
> think that is the best way to learn; we could tell you the answer, but
> you are more likely to learn it and remember it better if you lab it out
> and do some testing. For example you can enable authentication on Area 0
> and advertise routes into area 0, setup your virtual link and see if you
> see the routes on the remote side of the virtual-link. Also, for books
> on OSPF authentication I would highly recommend Parkhurst and Doyle.
> Maybe Cisco website and Doccd has it as well. Hope that helps.
> Sincerely,
> Matijevic
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Danny.Andaluz@triaton-na.com
> Sent: Wednesday, March 17, 2004 10:22 PM
> To: kwchen@netvigator.com; ccielab@groupstudy.com;
> KWygand@customonline.com
> Subject: RE: What I understand about Virtual-link Authentication and
> Authentication in General
>
> Thanks for your responses, William and Kenneth. Which would you say is
> a valid config?
>
> R1
> router ospf 1
> router-id 172.16.106.1
> area 0 authentication message-digest
> area 26 virtual-link 172.16.102.1 message-digest-key 1 md5 nmc
>
>
> R2
> router ospf 1
> router-id 172.16.102.1
> area 0 authentication message-digest
> area 26 virtual-link 172.16.106.1 message-digest-key 1 md5 nmc
>
> Or:
>
> R1
> router ospf 1
> router-id 172.16.106.1
> area 0 authentication message-digest
> area 26 virtual-link 172.16.102.1
>
> R2
> router ospf 1
> router-id 172.16.102.1
> area 0 authentication message-digest
> area 26 virtual-link 172.16.106.1
>
> In both cases, R2 has the following on its Serial facing R3:
>
> interface Serial0
> ip ospf message-digest-key 1 md5 nmc
>
> I've seen it work both ways. But which one is correct? I suppose it
> depends on the requirement, but I'm not sure. I'm still a bit confused
> about this.
>
> Thanks,
> Danny
>
> -----Original Message-----
> From: William Chen [mailto:kwchen@netvigator.com]
> Sent: Wednesday, March 17, 2004 7:40 PM
> To: Andaluz, Danilo, Triaton/NA; ccielab@groupstudy.com
> Subject: Re: What I understand about Virtual-link Authentication and
> Authentication in General
>
> Dear Danny,
>
> If I don't misunderstand your question, I think of OSPF authentication in
> this way: Area authentication is like a global configuration, and if it is
> enabled, then all the interfaces of that area will inherit the
> authentication type. You need to use "ip ospf authentication null" to
> override the area authentication in an interface. Moreover, the commands
> "ip ospf authentication-key" and "ip ospf message-digest-key" only define
> the key to use, but do not set the authentication type.
>
> Therefore, in the case of the link connected to R3 and R4, if you have
> the area authentication in R3, but don't want the link to have any
> authentication, then you have to use "ip ospf authentication null" in the
> interface at R3. For the virtual link to work, you need either "area 0
> authentication" in R1 (remember virtual-link is an interface in area 0), or
> explicitly set the virtual-link's authentication type by using the command
> "area area-id virtual-link router-id authentication|message-digest|null".
>
> HTH
>
> Best Regards,
> William Chen
>
> ----- Original Message -----
> From: <Danny.Andaluz@triaton-na.com>
> To: <ccielab@groupstudy.com>
> Sent: Thursday, March 18, 2004 6:32 AM
> Subject: What I understand about Virtual-link Authentication and
> Authentication in General
>
>
> > Here's how I think Virtual-link authentication works. I know this has been
> > discussed at great length on this board, but I think I have it down now and
> > want to double check.
> >
> > Area5-----R1----area20-------R2------Area0-------R3------Area0-----R4------area14
> >
> > Area 0 is being authenticated using MD5. On R2, R3 and R4 I have
> > configured:
> >
> > Area 0 authentication message-digest
> >
> > Depending on the requirement, I can configure authentication on the link
> > between R3 and R2 and not configure authentication between R3 and R4. As
> > long as both sides have the same authentication configured (or not
> > configured), it will work. Also, even though R4 does not have
> > authentication configured on its only area 0 link, I still need to have
> > "area 0 authentication message-digest" configured under router OSPF (I'd
> > like to get an explanation for this. I think if you don't do it, you get
> > mismatched authentication type errors, but why?).
> >
> > As far as the V-link goes, I only need to have "area 0 authentication
> > message-digest" configured on R1. I see this V-link as I see the two links
> > on R3 to R2 and R4. It can either have authentication configured or not; as
> > long as both ends match. As far as the V-link goes, as long as both ends
> > have the same config, it should work.
> >
> > I think this is it. If not, please be gentle....
> >
> > Thanks,
> > Danny
> >
> >
> _______________________________________________________________________
> > Please help support GroupStudy by purchasing your study materials
> from:
> > http://shop.groupstudy.com
> >
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Thu Apr 01 2004 - 08:15:34 GMT-3
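
An added example, not part of the original thread and not code from any poster: a small Python audit that applies the rules stated in the thread (a virtual link is an interface in area 0 and inherits its authentication type; a message-digest-key only defines a key; an explicit per-link authentication keyword overrides the area type) to the two R1 configurations quoted above. The function names and the "null" default for an area with no authentication line are assumptions of this sketch.

```python
import re

# Constructed input: the two R1 variants quoted in the thread.
SET_1 = """router ospf 1
 router-id 172.16.106.1
 area 0 authentication message-digest
 area 26 virtual-link 172.16.102.1 message-digest-key 1 md5 nmc
"""
SET_2 = """router ospf 1
 router-id 172.16.106.1
 area 0 authentication message-digest
 area 26 virtual-link 172.16.102.1
"""

AREA_AUTH = re.compile(r"^area (\S+) authentication( message-digest)?$")
VLINK = re.compile(r"^area \S+ virtual-link (\S+)(.*)$")

def audit_virtual_links(config):
    """Return {neighbor_router_id: (effective_auth_type, key_defined)}."""
    area_type, links = {}, {}
    for line in (raw.strip() for raw in config.splitlines()):
        m = AREA_AUTH.match(line)
        if m:
            area_type[m.group(1)] = "message-digest" if m.group(2) else "simple"
            continue
        m = VLINK.match(line)
        if not m:
            continue
        link = links.setdefault(m.group(1), {"type": None, "key": False})
        opts = m.group(2).split()
        if "authentication" in opts:
            # Explicit per-link type overrides the type inherited from area 0.
            nxt = opts[opts.index("authentication") + 1:][:1]
            link["type"] = nxt[0] if nxt in (["message-digest"], ["null"]) else "simple"
        if "message-digest-key" in opts:
            link["key"] = True  # defines a key only, does not set the type
    # A virtual link is an interface in area 0, so it inherits area 0's type.
    backbone = area_type.get("0") or area_type.get("0.0.0.0") or "null"
    return {rid: (l["type"] or backbone, l["key"]) for rid, l in links.items()}

def meets_md5_requirement(config):
    """True only if every virtual link uses message-digest AND has a key."""
    links = audit_virtual_links(config)
    return bool(links) and all(
        t == "message-digest" and key for t, key in links.values())

if __name__ == "__main__":
    for name, cfg in (("first set", SET_1), ("second set", SET_2)):
        print(name, audit_virtual_links(cfg), meets_md5_requirement(cfg))
```

Both sets resolve to the message-digest type on the virtual link, but only the first defines a key, which matches the conclusion in the top reply that the second set would fail the requirement.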