Re: OSPF Area 0 and Virtual Links Authentication in a transit

From: Jason Madsen (madsen.jason@gmail.com)
Date: Fri Dec 12 2008 - 23:30:59 ARST


To possibly clarify a little: in option 2 you EITHER need "area 0 authen
mess" OR "area 1 virtual-link x.x.x.x authen mess", but NOT both.

Jason

On Fri, Dec 12, 2008 at 6:17 PM, antonygrooves <antonygrooves@gmail.com> wrote:

> Jason, thanks for the answer.
>
> I know that I have to authenticate on both sides using the same type of
> authentication and the same password.
> But the question was if I should authenticate area 0 by doing it under the OSPF
> process. This way, using area 0 authentication message-digest, it applies to
> all virtual links because they are part of area 0, then area 1
> virtual-link x.x.x.x message-digest 1 md5 password. With these two commands I
> authenticate the virtual link on the area 0 side.
> But on the other side, using area 1 virtual-link x.x.x.x authentication
> message-digest and area 1 virtual-link x.x.x.x message-digest 1 md5 password,
> I authenticate the virtual link on this side.
>
>
> The final question is if it's OK using on one side:
> OPTION 1
> area 1 virtual-link x.x.x.x authentication message-digest
> area 1 virtual-link x.x.x.x message-digest 1 md5 password
>
>
> And on the other side:
> area 0 authentication message-digest
> area 1 virtual-link x.x.x.x message-digest 1 md5 password.
>
> OR
> OPTION 2
>
> The final question is if it's OK using on one side:
>
> area 1 virtual-link x.x.x.x authentication message-digest
> area 1 virtual-link x.x.x.x message-digest 1 md5 password
>
>
> And on the other side:
> area 0 authentication message-digest
> area 1 virtual-link x.x.x.x authentication message-digest
> area 1 virtual-link x.x.x.x message-digest 1 md5 password.
>
>
>
> Thanks again for the help.
>
> Tony.
>
> Jason Madsen wrote:
>
>> Whoops, I forgot to answer part of your question. Yes, you have to do the
>> authentication on BOTH ends of your virtual link(s) for it to work properly.
>>
>> Jason
>>
>> On Fri, Dec 12, 2008 at 5:27 PM, Jason Madsen <madsen.jason@gmail.com> wrote:
>>
>> Virtual links are an extension of Area 0. I recommend doing a
>> "show ip ospf inter bri" any time you do ospf authentication. It
>> neatly lists what interfaces / links are in what areas. Virtual
>> links always show up as Area 0.
>>
>> It looks as though you have duplicated commands in your example. If
>> you use "area 0 authent messag", then you don't need "area x
>> virtual x.x.x.x authen mess". You would only have to use "area x
>> virtual x.x.x.x message-digest x md5 password". Basically here
>> are your options for Virtual link authentication:
>>
>> 1.)
>>
>> router ospf 1
>> area 0 authen mess
>> area x virtual-link x.x.x.x message-digest-key x md5 password
>>
>> OR
>>
>> 2.)
>>
>> router ospf 1
>> area x virtual-link x.x.x.x authen mess
>> area x virtual-link x.x.x.x message-digest-key x md5 password
>>
>> Either way, do a "show ip ospf interface xxx" to confirm that you
>> are in fact using authentication and with md5 ensure that you're
>> NOT using key 0 (null key) unless you meant to use it.
>>
>> Jason
>>
>>
>> On Fri, Dec 12, 2008 at 11:59 AM, antonygrooves
>> <antonygrooves@gmail.com> wrote:
>>
>> Hi Guys.
>> I would like to know which is the best way to configure
>> authentication in OSPF if I have to configure it on area 0
>> and for virtual links in a transit area.
>>
>> R1 in area 0 and area 1
>> R2 in area 1 and area 2
>>
>>
>> Is this correct?
>> R1
>> Under Ospf
>> Area 0 authentication message-digest.
>>
>> Interface
>> ip ospf message-digest 1 md5 cisco
>>
>>
>> area 1 virtual link 1.1.1.1 authentication message-digest
>> area 1 virtual link 1.1.1.1 message-digest 1 md5 cisco
>>
>>
>> R2
>> Area 1 virtual-link 1.1.2.2 authentication message-digest
>> area 1 virtual-link 1.1.2.2 message-digest 1 md5 cisco
>>
>>
>> I'm not sure if it's correct to repeat on R1 for the virtual
>> link "authentication message-digest" again, or if just doing it
>> for the backbone area is enough.
>>
>> I appreciate any help on this.
>>
>> Tony.
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html

This archive was generated by hypermail 2.1.4 : Thu Jan 01 2009 - 12:53:08 ARST
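
The check discussed in the thread, as an added example that is not part of the original messages: a small Python audit that reads the `router ospf` lines of a configuration and reports, per virtual link, whether MD5 authentication is in effect (through `area 0 authentication message-digest` or the per-link form) and whether a key is actually configured. The function name, the 192.0.2.x router IDs and the key string are constructed for illustration, and the parser assumes full command names as they appear in a running configuration, not the abbreviations typed in the thread.

```python
import re

# Constructed configs modelled on the thread's options 1 and 2.
# Router IDs (192.0.2.x) and the key string are placeholders.
SIDE_A = """router ospf 1
 area 0 authentication message-digest
 area 1 virtual-link 192.0.2.2 message-digest-key 1 md5 EXAMPLEKEY
"""
SIDE_B = """router ospf 1
 area 1 virtual-link 192.0.2.1 authentication message-digest
 area 1 virtual-link 192.0.2.1 message-digest-key 1 md5 EXAMPLEKEY
"""
SIDE_B_NO_KEY = """router ospf 1
 area 1 virtual-link 192.0.2.1 authentication message-digest
"""

AREA0_MD5 = re.compile(r"^\s*area (0|0\.0\.0\.0) authentication message-digest\s*$")
VLINK = re.compile(r"^\s*area (\S+) virtual-link (\S+)(?:\s+(.*))?$")

def audit_virtual_links(config):
    """Map (transit_area, neighbor_rid) -> {'md5', 'key_ids', 'findings'}."""
    area0_md5 = False
    links = {}
    for line in config.splitlines():
        if AREA0_MD5.match(line):
            area0_md5 = True  # virtual links belong to area 0 and inherit this
            continue
        m = VLINK.match(line)
        if not m:
            continue
        link = links.setdefault((m.group(1), m.group(2)), {"md5": False, "key_ids": []})
        opts = (m.group(3) or "").split()
        if opts[:2] == ["authentication", "message-digest"]:
            link["md5"] = True  # per-link form (option 2 in the thread)
        elif len(opts) >= 4 and opts[0] == "message-digest-key" and opts[2] == "md5":
            link["key_ids"].append(int(opts[1]))
    for link in links.values():
        link["md5"] = link["md5"] or area0_md5
        link["findings"] = []
        if not link["md5"]:
            link["findings"].append("MD5 authentication not enabled on this virtual link")
        elif not link["key_ids"]:
            link["findings"].append("MD5 enabled but no message-digest-key; key 0 (null key) is used")
    return links

if __name__ == "__main__":
    for name, cfg in (("A", SIDE_A), ("B", SIDE_B), ("B without key", SIDE_B_NO_KEY)):
        print(name, audit_virtual_links(cfg))
```

Both ends must come back with `md5` true and the same key ID for the link to form; the live confirmation is still the "show ip ospf interface" output mentioned above.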