RE: Simple Authentication on Area 0 and MD5 on Virtual link

From: gladston@br.ibm.com
Date: Tue May 24 2005 - 13:47:16 GMT-3


Thanks a lot Brian,

===============
You have the MD5 key applied to the virtual-link but not the MD5
authentication. The virtual-link is an area 0 interface so it's
inheriting the "area 0 authentication" that you have configured. Use
the "area 113 virtual-link 142.20.4.1 authentication message-digest"
command to enable MD5 on the virtual-link.
================

And the first problem that originated the topic is also working. I swear I
configured simple password on virtual link and it was not working. (there
was a mismatch result on debug ip os adj).
Now it is working. Crazy.

I think I remember a thread on GroupStudy recommending to initiate ospf
process after any authentication change. Maybe that was the problem. I did
not do it on the first test.

Correcting my previous post, these work (now):

-simple authentication on area 0, md5 on transit area and simple
authentication on virtual
-simple authentication on area 0, md5 on transit area and md5 on virtual

router ospf 1
 router-id 142.20.4.1
 log-adjacency-changes
 area 0 authentication
 area 4 nssa
 area 112 authentication message-digest
 area 113 authentication message-digest
 area 113 virtual-link 142.20.5.1 authentication-key cisco

Rack2R4#sh ip os vir
Virtual Link OSPF_VL0 to router 142.20.5.1 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 113, via interface BRI0/0, Cost of using 1000
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:06
    Adjacency State FULL (Hello suppressed)
    Index 1/4, retransmission queue length 0, number of retransmission 1
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 1, maximum is 1
    Last retransmission scan time is 0 msec, maximum is 0 msec
  Simple password authentication enabled

router ospf 1
 router-id 142.20.4.1
 log-adjacency-changes
 area 0 authentication
 area 4 nssa
 area 112 authentication message-digest
 area 113 authentication message-digest
 area 113 virtual-link 142.20.5.1 authentication message-digest
 area 113 virtual-link 142.20.5.1 message-digest-key 5 md5 cisco5

Rack2R4#sh ip os vi
Virtual Link OSPF_VL0 to router 142.20.5.1 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 113, via interface BRI0/0, Cost of using 1000
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:04
    Adjacency State FULL (Hello suppressed)
    Index 1/4, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec
  Message digest authentication enabled
    Youngest key id is 5

Cordially,
------------------------------------------------------------------
 Gladston

"Brian McGahan" <bmcgahan@internetworkexpert.com>
24/05/2005 11:47

To: Alaerte Gladston Vidali/Brazil/IBM@IBMBR, <ccielab@groupstudy.com>
cc:
Subject: RE: Simple Authentication on Area 0 and MD5 on Virtual link

You have the MD5 key applied to the virtual-link but not the MD5
authentication. The virtual-link is an area 0 interface so it's
inheriting the "area 0 authentication" that you have configured. Use
the "area 113 virtual-link 142.20.4.1 authentication message-digest"
command to enable MD5 on the virtual-link.

HTH,

Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of gladston@br.ibm.com
> Sent: Tuesday, May 24, 2005 8:02 AM
> To: ccielab@groupstudy.com
> Subject: Simple Authentication on Area 0 and MD5 on Virtual link
>
> router ospf 1
> router-id 142.20.5.1
> area 0 authentication
> area 113 authentication message-digest
> area 113 virtual-link 142.20.4.1 message-digest-key 11 md5 cisco2 <-- A113-md5
> area 113 virtual-link 142.20.4.1 message-digest-key 13 md5 cisco3 <-- rollover
>
>
> Rack2R5#sh ip os virtual-links
> Virtual Link OSPF_VL0 to router 142.20.4.1 is up
> Run as demand circuit
> DoNotAge LSA allowed.
> Transit area 113, via interface Dialer100, Cost of using 100
> Transmit Delay is 1 sec, State POINT_TO_POINT,
> Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
> Hello due in 00:00:05
> Adjacency State FULL (Hello suppressed)
> Index 3/4, retransmission queue length 0, number of retransmission 1
> First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
> Last retransmission scan length is 1, maximum is 1
> Last retransmission scan time is 0 msec, maximum is 0 msec
> Simple password authentication enabled <-- simple?
>
> Parkhurst's OSPF book says:
> "...prior to 12.0, if authentication was enabled in Area 0, then all
> virtual links had to be configured with the same authentication type."
>
> On this example, if I configure simple authentication on virtual link,
> ospf complains.
> If I configure md5, all is good.
>
> Reading Parkhurst I had the idea that after 12.0 we have the flexibility
> to choose the same authentication used on area 0 or not.
> But practice (ios 12.2T) shows the router only works using the
> authentication used on the transit area.
>
> Do you have the same results?
>
> If I try to test rollover on the Virtual link, I can not see the result
> using show ip ospf interface or sh ip ospf, because it says virtual link
> is using simple authentication, even though md5 is configured.
>
>
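
The inheritance described in this thread (a virtual link with MD5 keys but no "authentication message-digest" runs the area 0 type), as an added example that is not part of either post: a Python audit that reads a "router ospf" block and reports each virtual link's effective authentication type. The function name audit_virtual_links and the report fields are hypothetical; the two sample configurations are the ones posted above.

```python
import re

VL_RE = re.compile(r"area (\S+) virtual-link (\S+)(.*)")
AREA_AUTH_RE = re.compile(r"area (\S+) authentication( message-digest)?$")

# Configurations taken from this thread (inline annotations removed).
ORIGINAL_R5 = """\
router ospf 1
 area 0 authentication
 area 113 authentication message-digest
 area 113 virtual-link 142.20.4.1 message-digest-key 11 md5 cisco2
 area 113 virtual-link 142.20.4.1 message-digest-key 13 md5 cisco3
"""
FIXED_R4 = """\
router ospf 1
 area 0 authentication
 area 113 authentication message-digest
 area 113 virtual-link 142.20.5.1 authentication message-digest
 area 113 virtual-link 142.20.5.1 message-digest-key 5 md5 cisco5
"""

def audit_virtual_links(config):
    """Return each virtual link's effective auth type and any unused MD5 keys."""
    area_auth, links = {}, {}
    for line in map(str.strip, config.splitlines()):
        vl_m, area_m = VL_RE.match(line), AREA_AUTH_RE.match(line)
        if vl_m:
            vl = links.setdefault(vl_m.group(1, 2), {"explicit": None, "md5_keys": []})
            opts = vl_m.group(3).split()
            for tok, nxt in zip(opts, opts[1:] + [""]):
                if tok == "authentication":
                    vl["explicit"] = {"message-digest": "md5", "null": "none"}.get(nxt, "simple")
                elif tok == "message-digest-key" and nxt.isdigit():
                    vl["md5_keys"].append(int(nxt))
        elif area_m:
            area_auth[area_m.group(1)] = "md5" if area_m.group(2) else "simple"
    # A virtual link is an area 0 interface: without its own "authentication"
    # option it inherits the backbone's type, not the transit area's.
    backbone = area_auth.get("0") or area_auth.get("0.0.0.0") or "none"
    report = []
    for (transit, peer), vl in sorted(links.items()):
        effective = vl["explicit"] or backbone
        findings = []
        if vl["md5_keys"] and effective != "md5":
            findings.append("MD5 key ids %s configured but link runs %s authentication"
                            % (vl["md5_keys"], effective))
        report.append({"transit_area": transit, "peer": peer, "effective": effective,
                       "md5_keys": vl["md5_keys"], "findings": findings})
    return report
```

Run against the original R5 configuration it reports simple authentication with key ids 11 and 13 unused; against the corrected R4 configuration it reports message-digest authentication and no findings.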


