Re: When is "area 23 virtual-link 150.1.2.2 authentication message-digest" needed

From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Mon Sep 10 2007 - 16:12:34 ART


On R3 and R4 the message-digest key isn't doing anything since
message-digest authentication isn't enabled. Also remember that since
virtual links are run as demand circuits you should either trigger an
update or clear the OSPF process after you make changes to ensure the
virtual link still works.

Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP)
bdennis@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)

>----- Original Message -----
Subject: Re: When is "area 23 virtual-link 150.1.2.2 authentication
message-digest" needed
Date: Mon, September 10, 2007 10:30
From: "ISolveSystems" <support@isolvesystems.com>

> On R3 and R4, I don't have the "area 0 authentication message-digest" command
> and "area x virtual-link a.b.c.d authentication message-digest", and the
> virtual-link neighbor is up. Check it out below.
>
>
> Rack1R4#sh run | sec osp
> router ospf 1
> router-id 150.1.4.4
> log-adjacency-changes
> area 34 authentication
> area 34 virtual-link 150.1.3.3 message-digest-key 1 md5 CISCO
> area 45 authentication
> area 45 virtual-link 150.1.5.5 message-digest-key 1 md5 CISCO
> area 48 authentication
> area 90 authentication
> redistribute connected subnets route-map CONN>OSPF
> network 191.1.34.4 0.0.0.0 area 34
> network 191.1.40.4 0.0.0.0 area 90
> network 191.1.45.4 0.0.0.0 area 45
> network 191.1.48.4 0.0.0.0 area 48
> network 191.1.49.4 0.0.0.0 area 90
> Rack1R4#sh ip osp nei
>
> Neighbor ID     Pri   State      Dead Time   Address       Interface
> 150.1.5.5         0   FULL/ -    00:00:36    191.1.45.5    OSPF_VL2
> 150.1.3.3         0   FULL/ -    -           191.1.34.3    OSPF_VL1
> 150.1.3.3         0   FULL/ -    00:00:37    191.1.34.3    Serial0/0/0
> 150.1.5.5         1   FULL/DR    00:00:38    191.1.45.5    FastEthernet0/0.45
> 150.1.8.8         1   FULL/DR    00:00:31    191.1.48.8    FastEthernet0/1
> 150.1.9.9         1   FULL/DR    00:00:30    191.1.49.9    FastEthernet0/0.49
> 150.1.10.10       1   FULL/DR    00:00:36    191.1.40.10   FastEthernet0/0.40
>
>
>
> Rack1R3(config-router)#do sh run | sec osp
> router ospf 1
> router-id 150.1.3.3
> log-adjacency-changes
> area 13 authentication
> area 23 authentication
> area 23 virtual-link 150.1.2.2 authentication message-digest
> area 23 virtual-link 150.1.2.2 message-digest-key 1 md5 CISCO
> area 34 authentication
> area 34 virtual-link 150.1.4.4 message-digest-key 1 md5 CISCO
> redistribute connected subnets route-map CONN>OSPF
> redistribute rip subnets route-map RIP>OSPF
> network 191.1.13.3 0.0.0.0 area 13
> network 191.1.23.3 0.0.0.0 area 23
> network 191.1.34.3 0.0.0.0 area 34
> default-information originate route-map CONN_TO_BB2orBB3
> redistribute ospf 1 metric 1
> Rack1R3(config-router)#do sh ip osp nei
>
> Neighbor ID     Pri   State      Dead Time   Address       Interface
> 150.1.2.2         0   FULL/ -    -           191.1.23.2    OSPF_VL2
> 150.1.4.4         0   FULL/ -    -           191.1.34.4    OSPF_VL1
> 150.1.1.1         0   FULL/ -    00:00:39    191.1.13.1    Serial0/2/0
> 150.1.2.2         0   FULL/ -    00:00:30    191.1.23.2    Serial0/3/0
> 150.1.4.4         0   FULL/ -    00:00:37    191.1.34.4    Serial0/0/0
>
>
>
>
>
> On 9/10/07, Brian McGahan <bmcgahan@internetworkexpert.com> wrote:
> >
> > You need to enable authentication in addition to applying the key.
> > You can either enable it on all interfaces in area 0 (including any
> > virtual links) with the "area 0 authentication message-digest" command,
> > or you can enable it on a per interface basis. For real interfaces this
> > is the "ip ospf authentication message-digest" interface level command;
> > for the virtual-link it's the "area x virtual-link a.b.c.d authentication
> > message-digest" command. Look at the "show ip ospf interface" to see
> > which links have authentication enabled.
> >
> > HTH,
> >
> > Brian McGahan, CCIE #8593 (R&S/SP/Security)
> > bmcgahan@internetworkexpert.com
> >
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com
> > Toll Free: 877-224-8987 x 705
> > Outside US: 775-826-4344 x 705
> > 24/7 Support: http://forum.internetworkexpert.com
> > Live Chat: http://www.internetworkexpert.com/chat/
> >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > ISolveSystems
> > > Sent: Monday, September 10, 2007 11:32 AM
> > > To: Cisco certification
> > > Subject: When is "area 23 virtual-link 150.1.2.2 authentication
> > > message-digest" needed
> > >
> > > I have configured virtual-link md5 auth on a few neighbors. One of them
> > > won't become adjacent without "area 23 virtual-link 150.1.2.2
> > > authentication message-digest". Any idea why?
> > >
> > > area 23 virtual-link 150.1.2.2 authentication message-digest
> > > area 23 virtual-link 150.1.2.2 message-digest-key 1 md5 CISCO
> > >
> > > Thanks.
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
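
The check discussed in this thread, as an added example that is not part of the original messages: a small Python audit that reads a `router ospf` section and reports virtual links that carry a `message-digest-key` but never have message-digest authentication enabled, either per link or through area 0. The function name `unused_md5_keys` is hypothetical, and the sample configs are the area and virtual-link lines from the R3 and R4 outputs quoted above.

```python
import re

# Area and virtual-link lines copied from the R3 and R4 outputs quoted in this thread.
R3 = """router ospf 1
 area 23 authentication
 area 23 virtual-link 150.1.2.2 authentication message-digest
 area 23 virtual-link 150.1.2.2 message-digest-key 1 md5 CISCO
 area 34 authentication
 area 34 virtual-link 150.1.4.4 message-digest-key 1 md5 CISCO
"""
R4 = """router ospf 1
 area 34 authentication
 area 34 virtual-link 150.1.3.3 message-digest-key 1 md5 CISCO
 area 45 authentication
 area 45 virtual-link 150.1.5.5 message-digest-key 1 md5 CISCO
"""

AREA_AUTH = re.compile(r"^\s*area\s+(\S+)\s+authentication(?:\s+(message-digest))?\s*$")
VLINK = re.compile(r"^\s*area\s+(\S+)\s+virtual-link\s+(\S+)\s*(.*)$")


def unused_md5_keys(config):
    """Return sorted (transit_area, peer_router_id) pairs whose MD5 key is
    configured but whose effective authentication type is not message-digest."""
    area0_type = None  # virtual links are area 0 interfaces, not transit-area ones
    links = {}
    for line in config.splitlines():
        m = VLINK.match(line)
        if m:
            area, peer, opts = m.group(1), m.group(2), m.group(3).split()
            link = links.setdefault((area, peer), {"key": False, "type": None})
            if "message-digest-key" in opts:
                link["key"] = True
            if "authentication" in opts:
                # Token after "authentication" selects the type; none means simple.
                nxt = opts[opts.index("authentication") + 1:][:1]
                known = nxt and nxt[0] in ("message-digest", "null")
                link["type"] = nxt[0] if known else "simple"
            continue
        m = AREA_AUTH.match(line)
        if m and m.group(1) in ("0", "0.0.0.0"):
            area0_type = m.group(2) or "simple"
    # A per-link setting overrides the area 0 setting.
    return sorted(k for k, v in links.items()
                  if v["key"] and (v["type"] or area0_type) != "message-digest")
```

Transit-area settings such as `area 34 authentication` are deliberately ignored, since they do not apply to the virtual link itself.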


