Re: OSPF Area 0 and Virtual Links Authentication in a transit

From: antonygrooves (antonygrooves@gmail.com)
Date: Fri Dec 12 2008 - 23:17:14 ARST


Jason, thanks for the answer.

I know that I have to authenticate on both sides using the same type of
authentication and the same password.
But the question was if I should authenticate area 0 by doing it under
the OSPF process. This way, using area 0 authentication message-digest, it
applies to all virtual links because they are part of area 0, then area
1 virtual-link x.x.x.x message-digest 1 md5 password. With these two
commands I authenticate the virtual link on the side of area 0.
But on the other side, using area 1 virtual-link x.x.x.x authentication
message-digest and area 1 virtual-link x.x.x.x message-digest 1 md5
password, I authenticate the virtual link on this side.

The final question is if it's OK to use on one side:
OPTION 1
area 1 virtual-link x.x.x.x authentication message-digest
area 1 virtual-link x.x.x.x message-digest 1 md5 password

And on the other side:
area 0 authentication message-digest
area 1 virtual-link x.x.x.x message-digest 1 md5 password

OR
OPTION 2

The final question is if it's OK to use on one side:

area 1 virtual-link x.x.x.x authentication message-digest
area 1 virtual-link x.x.x.x message-digest 1 md5 password

And on the other side:
area 0 authentication message-digest
area 1 virtual-link x.x.x.x authentication message-digest
area 1 virtual-link x.x.x.x message-digest 1 md5 password

Thanks again for the help.

Tony.

Jason Madsen wrote:
> Whoops, I forgot to answer part of your question. Yes, you have to do
> the authentication on BOTH ends of your virtual link(s) for it to work
> properly.
>
> Jason
>
> On Fri, Dec 12, 2008 at 5:27 PM, Jason Madsen <madsen.jason@gmail.com> wrote:
>
> Virtual links are an extension of Area 0. I recommend doing a
> "show ip ospf inter bri" any time you do ospf authentication. It
> neatly lists what interfaces / links are in what areas. Virtual
> links always show up as Area 0.
>
> It looks as though you have duplicated commands in your example.
> If you use "area 0 authent messag", then you don't need "area x
> virtual x.x.x.x authen mess". You would only have to use "area x
> virtual x.x.x.x message-digest x md5 password". Basically here
> are your options for Virtual link authentication:
>
> 1.)
>
> router ospf 1
> area 0 authen mess
> area x virtual-link x.x.x.x message-digest-key x md5 password
>
> OR
>
> 2.)
>
> router ospf 1
> area x virtual-link x.x.x.x authen mess
> area x virtual-link x.x.x.x message-digest-key x md5 password
>
> Either way, do a "show ip ospf interface xxx" to confirm that you
> are in fact using authentication and with md5 ensure that you're
> NOT using key 0 (null key) unless you meant to use it.
>
> Jason
>
>
> On Fri, Dec 12, 2008 at 11:59 AM, antonygrooves
> <antonygrooves@gmail.com> wrote:
>
> Hi Guys.
> I would like to know which is the best way to configure
> authentication in OSPF if I have to configure it on area 0
> and for virtual links in a transit area.
>
> R1 in area 0 and area 1
> R2 in area 1 and area 2
>
>
> Is this correct?
> R1
> Under OSPF
> area 0 authentication message-digest
>
> Interface
> ip ospf message-digest 1 md5 cisco
>
>
> area 1 virtual-link 1.1.1.1 authentication message-digest
> area 1 virtual-link 1.1.1.1 message-digest 1 md5 cisco
>
>
> R2
> area 1 virtual-link 1.1.2.2 authentication message-digest
> area 1 virtual-link 1.1.2.2 message-digest 1 md5 cisco
>
>
> I'm not sure if it's correct to repeat on R1 the virtual
> link authentication message-digest again, or if just doing it
> for the backbone area is enough.
>
> I appreciate any help on this.
>
> Tony.
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

This archive was generated by hypermail 2.1.4 : Thu Jan 01 2009 - 12:53:08 ARST
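
Added example, not part of the thread: a small Python audit of both routers' `router ospf` sections that applies the rule from Jason's reply, namely that MD5 is enabled on a virtual link either by `area 0 authentication message-digest` or by the per-link `authentication message-digest`, and that both ends need the same key id and password. The function names and sample configs are constructed for illustration; the parser assumes full keywords as they appear in a running-config and plaintext keys.

```python
import re

def vlink_auth(config, transit_area, peer_rid):
    """Effective MD5 settings for one virtual link in an IOS 'router ospf' block."""
    vl = rf"area {re.escape(transit_area)} virtual-link {re.escape(peer_rid)}"
    md5_on, keys = False, {}
    for raw in config.splitlines():
        line = raw.strip()
        # A virtual link is an area 0 interface, so either command enables MD5 on it.
        if line == "area 0 authentication message-digest" or \
           re.fullmatch(vl + " authentication message-digest", line):
            md5_on = True
        m = re.fullmatch(vl + r" message-digest-key (\d+) md5 (\S+)", line)
        if m:
            keys[int(m.group(1))] = m.group(2)
    return {"md5": md5_on, "keys": keys}

def audit(a, b):
    """List problems that would stop the two ends from authenticating each other."""
    findings = []
    for name, side in (("A", a), ("B", b)):
        if not side["md5"]:
            findings.append(f"{name}: MD5 authentication not enabled on the virtual link")
        if not side["keys"]:
            findings.append(f"{name}: no message-digest-key configured")
    if a["keys"] and b["keys"] and not set(a["keys"].items()) & set(b["keys"].items()):
        findings.append("no key id/password pair shared by both ends")
    return findings

# Constructed sample configs (not from the thread): R1 uses option 1, R2 option 2.
R1 = """router ospf 1
 area 0 authentication message-digest
 area 1 virtual-link 1.1.1.1 message-digest-key 1 md5 cisco
"""
R2 = """router ospf 1
 area 1 virtual-link 1.1.2.2 authentication message-digest
 area 1 virtual-link 1.1.2.2 message-digest-key 1 md5 cisco
"""
# Constructed failure case: key present, but nothing enables MD5 on this end.
R2_KEY_ONLY = """router ospf 1
 area 1 virtual-link 1.1.2.2 message-digest-key 1 md5 cisco
"""

if __name__ == "__main__":
    print(audit(vlink_auth(R1, "1", "1.1.1.1"), vlink_auth(R2, "1", "1.1.2.2")))
    print(audit(vlink_auth(R1, "1", "1.1.1.1"), vlink_auth(R2_KEY_ONLY, "1", "1.1.2.2")))
```

On a live router, `show ip ospf interface` on the virtual link remains the authoritative check, as the reply recommends.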