RE: Simple Authentication on Area 0 and MD5 on Virtual link

From: ccie2be (ccie2be@nyc.rr.com)
Date: Tue May 24 2005 - 18:26:17 GMT-3


This ospf authentication business made me suffer quite a bit for a long
time. I would learn it many times but forget how to configure it just as
many times until I started thinking about it in terms of inheritance.

This was my perpetual problem. I knew ospf could be authenticated at either
the interface level or the area level. I also knew that either md5 or clear
text authentication could be configured.

I had also studied and practiced implementing ospf authentication many times
in all the different ways it could be done. However, if just a fairly short
amount of time had passed, the next time I tried to configure some type of
authentication, I would always forget exactly which commands to use.

I found the interface commands and the virtual link commands confusing and
whenever I used the "?" key, I was never positive which version of the
commands to use.

Eventually, I always figured it out and got it to work but it was always a
pain in the ass.

Thankfully, this problem is behind me now.

For me, the key was as I said before, inheritance.

Now, I have so much less to remember which makes me very happy.

Now, all I need to know is that to implement ospf authentication, 2 and only
2 commands are ever needed: 1 command to specify if encrypted or clear text
will be used and the other command to specify the password.

If, you're doing area authentication, you specify which type with the area #
authen command. If you're doing link authen, you specify which type on the
interface or virtual link itself.

But, regardless of which type of authen you're doing, you specify the
password on the interface or virtual link.

I think if you can keep this in mind, your days of ospf authen problems
will be over.

HTH, Tim
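
[Editor's note: the inheritance rule described in this post, as an added example that is not part of the original message and not Cisco code. It is a small Python checker that reads an IOS-style "router ospf" block, resolves the effective authentication type on each virtual link (the link-level "authentication" keyword wins; otherwise the link inherits area 0's setting, because a virtual link is a backbone interface, not a transit-area interface), and reports whether a key of the matching type is present. The three configs embedded are constructed copies of the ones posted further down in this thread, with the inline "<--" annotations removed. The parser only knows the handful of command forms those configs use; that is an assumption, not a general IOS config parser.]

```python
"""Effective OSPF authentication on virtual links, from an IOS-style
'router ospf' block.  Rule applied (the inheritance model from the post):
  * a link-level 'authentication [message-digest|null]' keyword decides the
    type for that link;
  * otherwise the link inherits 'area N authentication ...' of its area, and a
    virtual link belongs to area 0, so it inherits from area 0, never from the
    transit area;
  * authentication-key / message-digest-key never change the type, they only
    supply a key, so a key of the wrong type is a mismatch.
Added example, not Cisco code; only the command forms used in this thread are
understood (assumption)."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

AREA_AUTH_RE = re.compile(r"^area (\S+) authentication(?: (message-digest|null))?$")
VLINK_RE = re.compile(r"^area (\S+) virtual-link (\S+)(?: (.+))?$")


@dataclass
class VirtualLink:
    transit_area: str
    peer: str
    auth_override: Optional[str] = None          # "simple" | "md5" | "null" | None
    simple_key: Optional[str] = None
    md5_keys: Dict[int, str] = field(default_factory=dict)  # key id -> key, config order


def _auth_word(keyword: Optional[str]) -> str:
    """Map the keyword after 'authentication' to a type name (none = simple)."""
    return {None: "simple", "message-digest": "md5", "null": "null"}[keyword]


def parse_router_ospf(config: str) -> Tuple[Dict[str, str], Dict[Tuple[str, str], VirtualLink]]:
    """Return (area id -> area auth type, (transit area, peer) -> VirtualLink)."""
    area_auth: Dict[str, str] = {}
    vlinks: Dict[Tuple[str, str], VirtualLink] = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = AREA_AUTH_RE.match(line)
        if m:
            area_auth[m.group(1)] = _auth_word(m.group(2))
            continue
        m = VLINK_RE.match(line)
        if not m:
            continue                          # router-id, nssa, etc. do not matter here
        key = (m.group(1), m.group(2))
        vl = vlinks.setdefault(key, VirtualLink(*key))
        args = (m.group(3) or "").split()
        if not args:
            continue                          # bare 'area N virtual-link X'
        if args[0] == "authentication":
            vl.auth_override = _auth_word(args[1] if len(args) > 1 else None)
        elif args[0] == "authentication-key":
            # 'authentication-key [0|7] <key>': skip the optional encryption-type digit
            vl.simple_key = args[2] if len(args) > 2 and args[1] in ("0", "7") else args[1]
        elif args[0] == "message-digest-key" and len(args) >= 4 and args[2] == "md5":
            vl.md5_keys[int(args[1])] = args[-1]
    return area_auth, vlinks


def effective_auth(vl: VirtualLink, area_auth: Dict[str, str]) -> str:
    """Link-level keyword wins; otherwise inherit from the backbone (area 0)."""
    if vl.auth_override is not None:
        return vl.auth_override
    return area_auth.get("0", "null")


def audit(config: str) -> Dict[str, dict]:
    """For each virtual link: effective type and whether a matching key exists."""
    area_auth, vlinks = parse_router_ospf(config)
    report = {}
    for (area, peer), vl in vlinks.items():
        auth = effective_auth(vl, area_auth)
        if auth == "simple":
            key_ok = vl.simple_key is not None
        elif auth == "md5":
            key_ok = bool(vl.md5_keys)
        else:
            key_ok = True                     # null authentication needs no key
        report[f"area {area} virtual-link {peer}"] = {
            "auth": auth, "key_ok": key_ok, "md5_key_ids": list(vl.md5_keys)}
    return report


# Constructed copies of the three 'router ospf 1' blocks posted in this thread.
ORIGINAL_PROBLEM = """\
router ospf 1
 router-id 142.20.5.1
 area 0 authentication
 area 113 authentication message-digest
 area 113 virtual-link 142.20.4.1 message-digest-key 11 md5 cisco2
 area 113 virtual-link 142.20.4.1 message-digest-key 13 md5 cisco3
"""
SIMPLE_ON_VLINK = """\
router ospf 1
 router-id 142.20.4.1
 area 0 authentication
 area 4 nssa
 area 112 authentication message-digest
 area 113 authentication message-digest
 area 113 virtual-link 142.20.5.1 authentication-key cisco
"""
MD5_ON_VLINK = SIMPLE_ON_VLINK.replace(
    " area 113 virtual-link 142.20.5.1 authentication-key cisco\n",
    " area 113 virtual-link 142.20.5.1 authentication message-digest\n"
    " area 113 virtual-link 142.20.5.1 message-digest-key 5 md5 cisco5\n")

if __name__ == "__main__":
    for name, cfg in [("original", ORIGINAL_PROBLEM), ("simple", SIMPLE_ON_VLINK),
                      ("md5", MD5_ON_VLINK)]:
        print(name, audit(cfg))
```

Run against the first config, the checker reports the virtual link as "simple" with no usable key, which is exactly what the "Simple password authentication enabled" line and the adjacency mismatch showed: the md5 keys were there, but nothing had changed the type away from what area 0 hands down.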

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
gladston@br.ibm.com
Sent: Tuesday, May 24, 2005 12:47 PM
To: Brian McGahan
Cc: ccielab@groupstudy.com
Subject: RE: Simple Authentication on Area 0 and MD5 on Virtual link

Thanks a lot Brian,

===============
You have the MD5 key applied to the virtual-link but not the MD5
authentication. The virtual-link is an area 0 interface so it's
inheriting the "area 0 authentication" that you have configured. Use
the "area 113 virtual-link 142.20.4.1 authentication message-digest"
command to enable MD5 on the virtual-link.
================

And the first problem that originated the topic is also working. I swear I
configured simple password on virtual link and it was not working. (there
was a mismatch result on debug ip os adj).
Now it is working. Crazy.

I think I remember a thread on GroupStudy recommending to restart the ospf
process after any authentication change. Maybe that was the problem. I did
not do it on the first test.

Correcting my previous post, these work (now):

-simple authentication on area 0, md5 on transit area and simple
authentication on virtual
-simple authentication on area 0, md5 on transit area and md5 on virtual

router ospf 1
 router-id 142.20.4.1
 log-adjacency-changes
 area 0 authentication
 area 4 nssa
 area 112 authentication message-digest
 area 113 authentication message-digest
 area 113 virtual-link 142.20.5.1 authentication-key cisco

Rack2R4#sh ip os vir
Virtual Link OSPF_VL0 to router 142.20.5.1 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 113, via interface BRI0/0, Cost of using 1000
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:06
    Adjacency State FULL (Hello suppressed)
    Index 1/4, retransmission queue length 0, number of retransmission 1
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 1, maximum is 1
    Last retransmission scan time is 0 msec, maximum is 0 msec
  Simple password authentication enabled

router ospf 1
 router-id 142.20.4.1
 log-adjacency-changes
 area 0 authentication
 area 4 nssa
 area 112 authentication message-digest
 area 113 authentication message-digest
 area 113 virtual-link 142.20.5.1 authentication message-digest
 area 113 virtual-link 142.20.5.1 message-digest-key 5 md5 cisco5

Rack2R4#sh ip os vi
Virtual Link OSPF_VL0 to router 142.20.5.1 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 113, via interface BRI0/0, Cost of using 1000
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:04
    Adjacency State FULL (Hello suppressed)
    Index 1/4, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec
  Message digest authentication enabled
    Youngest key id is 5

Cordially,
------------------------------------------------------------------
 Gladston

"Brian McGahan" <bmcgahan@internetworkexpert.com>
24/05/2005 11:47

To
Alaerte Gladston Vidali/Brazil/IBM@IBMBR, <ccielab@groupstudy.com>
cc

Subject
RE: Simple Authentication on Area 0 and MD5 on Virtual link

You have the MD5 key applied to the virtual-link but not the MD5
authentication. The virtual-link is an area 0 interface so it's
inheriting the "area 0 authentication" that you have configured. Use
the "area 113 virtual-link 142.20.4.1 authentication message-digest"
command to enable MD5 on the virtual-link.

HTH,

Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> gladston@br.ibm.com
> Sent: Tuesday, May 24, 2005 8:02 AM
> To: ccielab@groupstudy.com
> Subject: Simple Authentication on Area 0 and MD5 on Virtual link
>
> router ospf 1
> router-id 142.20.5.1
> area 0 authentication
> area 113 authentication message-digest
> area 113 virtual-link 142.20.4.1 message-digest-key 11 md5 cisco2 <-- A113-md5
> area 113 virtual-link 142.20.4.1 message-digest-key 13 md5 cisco3 <-- rollover
>
>
> Rack2R5#sh ip os virtual-links
> Virtual Link OSPF_VL0 to router 142.20.4.1 is up
> Run as demand circuit
> DoNotAge LSA allowed.
> Transit area 113, via interface Dialer100, Cost of using 100
> Transmit Delay is 1 sec, State POINT_TO_POINT,
> Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
> Hello due in 00:00:05
> Adjacency State FULL (Hello suppressed)
> Index 3/4, retransmission queue length 0, number of retransmission 1
> First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
> Last retransmission scan length is 1, maximum is 1
> Last retransmission scan time is 0 msec, maximum is 0 msec
> Simple password authentication enabled <-- simple?
>
> Parkhurst's OSPF book says:
> "...prior to 12.0, if authentication was enabled in Area 0, then all
> virtual links had to be configured with the same authentication type."
>
> On this example, if I configure simple authentication on virtual link,
> ospf complains.
> If I configure md5, all is good.
>
> Reading Parkhurst I had the idea that after 12.0 we have the flexibility
> to choose the same authentication used on area 0 or not.
> But practice (ios 12.2T) shows the router only works using the
> authentication used on the transit area.
>
> Do you have the same results?
>
> If I try to test rollover on the Virtual link, I can not see the result
> using show ip ospf interface or sh ip ospf, because it says virtual link
> is using simple authentication, even though md5 is configured.
>
>



This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:12:01 GMT-3