RE: ospf area0 authentication - virtual link

From: "Hoonpongsimanont
Date: Wed Nov 10 2004 - 10:18:01 GMT-3


Hi Swaroop,

This is a complicated issue. Yes, you are right that a virtual link can be
formed with authentication enabled and no key assigned to the virtual link.

But you will need the "area 0 authentication" command on both sides. This is
very important; otherwise you may be trapped, because once the virtual link is
up, it will not be torn down, because of hello suppression.

Please try following these steps and see what happens. I'm sorry for the long
thread.

This is before configuring authentication:
Rack1R2#sh ip ospf virtual-links | inc (VL|Adjacen)
Virtual Link OSPF_VL0 to router 150.1.7.7 is up
    Adjacency State FULL (Hello suppressed)

Rack1R2#sh ip ospf neigh | inc VL
150.1.7.7 0 FULL/ - 00:00:16 162.1.27.7 OSPF_VL0

Everything is working fine, the virtual link is up, and the adjacency state is FULL.

--Then, enable authentication ..
Rack1R2#sh ip ospf virtual-links | inc (VL|Adjacen|auth|key)
Virtual Link OSPF_VL0 to router 150.1.7.7 is up
    Adjacency State FULL (Hello suppressed)
  Message digest authentication enabled
      No key configured, using default key id 0

On the last line, we can see "No key configured". Amazingly enough, the virtual
link is still up, and the adjacency state is still FULL. This is because hello
packets are suppressed over the virtual link.

So, I tried to tear down all adjacencies by either "clear ip ospf process" or
rebooting the router.

After that, the virtual link will be up, but the adjacency state will never reach
FULL. Here's the output.

Rack1R2#sh ip ospf virtual-links | inc (VL|Adjacen|auth|key)
Virtual Link OSPF_VL0 to router 150.1.7.7 is up
  Message digest authentication enabled
      No key configured, using default key id 0

Rack1R2#sh ip ospf neigh | inc VL
Rack1R2#

Debug ip ospf adj clearly states that there is an authentication type mismatch.

Rack1R2#debug ip osp
*Mar 1 05:27:29.811: OSPF: Rcv pkt from 162.1.27.7, OSPF_VL0 : Mismatch
Authentication type. Input packet specified type 0, we use type 2
*Mar 1 05:27:29.895: OSPF: Send with youngest Key 0

Now, the catch is that the adjacency cannot be formed because the authentication
flag is mismatched in the hello packet. Therefore, I went back to the other end
and put "area 0 authentication message-digest" in.

After a few seconds, the adjacency is FULL, and everything is working fine.

Rack1R2#show ip ospf virtual-links | inc (VL|Adjacen|auth|key)
Virtual Link OSPF_VL0 to router 150.1.7.7 is up
    Adjacency State FULL (Hello suppressed)
  Message digest authentication enabled
      No key configured, using default key id 0
Rack1R2#show ip ospf neigh | inc VL
150.1.7.7 0 FULL/ - - 162.1.27.7 OSPF_VL0

The other side's configuration is strange,

Rack1SW1#sh run | be router ospf 1
router ospf 1
 log-adjacency-changes
 area 0 authentication message-digest
 area 27 virtual-link 150.1.2.2
 network 150.1.7.0 0.0.0.255 area 27
 network 162.1.27.0 0.0.0.255 area 27

Area 0 authentication is enabled on the router even though no
physical interface belongs to area 0.

The adjacency can now be fully formed without a key assigned to the virtual link,
but we need to enable authentication for area 0 on both sides.

Hope this helps.

Cheers,
David

-----Original Message-----
From: Swaroop Potdar [mailto:swarooppotdar@hotmail.com]
Sent: Wednesday, November 10, 2004 3:42 PM
To: swm@emanon.com; inlink@klsc.co.kr; ccielab@groupstudy.com
Subject: RE: ospf area0 authenticaion - virtual link

Hi Scott,

I totally agree with you that virtual link belongs to area 0.

But what I observed during configuration was that even if area 0 authentication
was enabled and I created a virtual link without authentication on it... it
didn't go down and formed the adjacencies too.

(IOS 12.2(15)T14)

And this has happened many times????

Is it a best practice to enable authentication on the virtual link, or without
that it shouldn't come up?

Am puzzled... maybe I am working against some bugs..

as I had some different output while manipulating the distance of routes
from the source received.

>From: "Scott Morris" <swm@emanon.com>
>Reply-To: "Scott Morris" <swm@emanon.com>
>To: "'inlink'" <inlink@klsc.co.kr>, <ccielab@groupstudy.com>
>Subject: RE: ospf area0 authenticaion - virtual link
>Date: Tue, 9 Nov 2004 23:16:10 -0500
>
>A virtual link by definition belongs to area 0. So whatever you are doing
>to area 0 should be done to the virtual link. You can define the parameters
>individually on the VL config line.
>
>In the end what you are doing is extending area 0 out to the further ABR via
>the virtual link.
>
>HTH,
>
>Scott
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>inlink
>Sent: Tuesday, November 09, 2004 11:22 PM
>To: ccielab@groupstudy.com
>Subject: ospf area0 authenticaion - virtual link
>
>Hi
>area0 - md5 authentication
>area1 - clear text authentication
>
>What kind of method is used for the virtual link area?
>I am testing both methods (md5, clear text) on the virtual link.
>
>I am confused about virtual-link authentication (area0 method or sub area
>method)?
>
>_______________________________________________________________________
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html
>

Regards,
Swaroop.
------------------------------------------------------------------
Life Is Short & Sweet.
Live It To The Fullest.
------------------------------------------------------------------
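
An audit of the condition David's reply describes (message-digest authentication enabled on a virtual link with no key configured, and a FULL adjacency held up by hello suppression), written as an added example that is not part of the original thread. The parser assumes the filtered `show ip ospf virtual-links | inc (VL|Adjacen|auth|key)` format quoted above; the second link in the sample and the function names are constructed for illustration.

```python
import re

# Constructed sample: OSPF_VL0 mirrors the filtered output quoted in the thread;
# OSPF_VL1 and its peer 150.1.9.9 are invented to show a link with no auth line.
SAMPLE = """\
Virtual Link OSPF_VL0 to router 150.1.7.7 is up
    Adjacency State FULL (Hello suppressed)
  Message digest authentication enabled
      No key configured, using default key id 0
Virtual Link OSPF_VL1 to router 150.1.9.9 is up
    Adjacency State FULL (Hello suppressed)
"""

VL_RE = re.compile(r"^Virtual Link (\S+) to router (\S+) is")

def parse_virtual_links(text):
    links = []  # one dict per "Virtual Link" header found in the output
    for raw in text.splitlines():
        line = raw.strip()
        m = VL_RE.match(line)
        if m:
            links.append({"name": m.group(1), "peer": m.group(2), "adjacency": None,
                          "hello_suppressed": False, "md5": False, "key_configured": True})
        elif not links:
            continue  # text before the first "Virtual Link" header
        elif line.startswith("Adjacency State"):
            links[-1]["adjacency"] = line.split()[2]
            links[-1]["hello_suppressed"] = "Hello suppressed" in line
        elif line.startswith("Message digest authentication enabled"):
            links[-1]["md5"] = True
        elif line.startswith("No key configured"):
            links[-1]["key_configured"] = False
    return links

def audit(text):
    """Return (link, finding) pairs; the output must include the auth/key lines."""
    findings = []
    for vl in parse_virtual_links(text):
        if not vl["md5"]:
            findings.append((vl["name"], "no message-digest line in output"))
            continue
        if not vl["key_configured"]:
            findings.append((vl["name"], "MD5 enabled, no key configured (default key id 0)"))
        if vl["adjacency"] == "FULL" and vl["hello_suppressed"]:
            findings.append((vl["name"], "FULL with hellos suppressed; state may predate the auth change"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The third finding reflects the thread's observation that an adjacency already FULL before authentication was changed stays up, so the link should be rechecked after the OSPF process has been cleared.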



This archive was generated by hypermail 2.1.4 : Thu Dec 02 2004 - 06:57:41 GMT-3