Re: OSPF Area 0 and Virtual Links Authentication in a transit

From: antonygrooves (antonygrooves@gmail.com)
Date: Fri Dec 12 2008 - 23:44:40 ARST


Ok, so OPTION 1 would be OK. The thing is that the task asks me to
authenticate area 0 under the OSPF process and also authenticate
virtual-links; that's why it is a little confusing having a mix. With this
requirement, will OPTION 1 be OK?

Thanks again.

Tony.

Jason Madsen wrote:
> To possibly clarify a little: in option 2 you EITHER need "area 0
> authen mess" OR "area 1 virtual-link x.x.x.x authen mess", but NOT both.
>
> Jason
>
> On Fri, Dec 12, 2008 at 6:17 PM, antonygrooves
> <antonygrooves@gmail.com> wrote:
>
> Jason thanks for the answer.
>
> I know that I have to authenticate on both sides using the same
> type of authentication and the same password.
> But the question was whether I should authenticate area 0 by doing it
> under the OSPF process. This way, using area 0 authentication
> message-digest, it applies to all virtual links because they are
> part of area 0, then area 1 virtual-link x.x.x.x message-digest 1
> md5 password. With these two commands I authenticate the virtual
> link on the area 0 side.
> But on the other side, using area 1 virtual-link x.x.x.x
> authentication message-digest and area 1 virtual-link x.x.x.x
> message-digest 1 md5 password, I authenticate the virtual-link on
> this side.
>
>
> The final question is whether it's OK to use, on one side:
> OPTION 1
> area 1 virtual-link x.x.x.x authentication message-digest
> area 1 virtual-link x.x.x.x message-digest 1 md5 password
>
>
> And on the other side:
> area 0 authentication message-digest
> area 1 virtual-link x.x.x.x message-digest 1 md5 password.
>
> OR
> OPTION 2
>
> On one side:
>
> area 1 virtual-link x.x.x.x authentication message-digest
> area 1 virtual-link x.x.x.x message-digest 1 md5 password
>
>
> And on the other side:
> area 0 authentication message-digest
> area 1 virtual-link x.x.x.x authentication message-digest
> area 1 virtual-link x.x.x.x message-digest 1 md5 password.
>
>
>
> Thanks again for the help.
>
> Tony.
>
> Jason Madsen wrote:
>
> Whoops, I forgot to answer part of your question. Yes, you
> have to do the authentication on BOTH ends of your virtual
> link(s) for it to work properly.
>
> Jason
>
> On Fri, Dec 12, 2008 at 5:27 PM, Jason Madsen
> <madsen.jason@gmail.com> wrote:
>
> Virtual links are an extension of Area 0. I recommend doing a
> "show ip ospf inter bri" any time you do ospf authentication. It
> neatly lists what interfaces / links are in what areas. Virtual
> links always show up as Area 0.
>
> It looks as though you have duplicated commands in your
> example. If you use "area 0 authent messag", then you don't
> need "area x virtual x.x.x.x authen mess". You would only have to use
> "area x virtual x.x.x.x message-digest x md5 password". Basically here
> are your options for Virtual link authentication:
>
> 1.)
>
> router ospf 1
> area 0 authen mess
> area x virtual-link x.x.x.x message-digest-key x md5 password
>
> OR
>
> 2.)
>
> router ospf 1
> area x virtual-link x.x.x.x authen mess
> area x virtual-link x.x.x.x message-digest-key x md5 password
>
> Either way, do a "show ip ospf interface xxx" to confirm that you
> are in fact using authentication and with md5 ensure that you're
> NOT using key 0 (null key) unless you meant to use it.
>
> Jason
>
>
> On Fri, Dec 12, 2008 at 11:59 AM, antonygrooves
> <antonygrooves@gmail.com> wrote:
>
> Hi Guys.
> I would like to know which is the best way to configure
> authentication in OSPF if I have to configure it on area 0
> and for virtual links in a transit area.
>
> R1 in area 0 and area 1
> R2 in area 1 and area 2
>
>
> Is this correct?
> R1
> Under OSPF
> Area 0 authentication message-digest.
>
> Interface
> ip ospf message-digest 1 md5 cisco
>
>
> area 1 virtual link 1.1.1.1 authentication message-digest
> area 1 virtual link 1.1.1.1 message-digest 1 md5 cisco
>
>
> R2
> Area 1 virtual-link 1.1.2.2 authentication message-digest
> area 1 virtual-link 1.1.2.2 message-digest 1 md5 cisco
>
>
> I'm not sure if it's correct to repeat in R1 for the virtual
> link authentication message-digest again, or if just doing it
> for the backbone area is enough.
>
> I appreciate any help on this.
>
> Tony.
>
> Blogs and organic groups at http://www.ccie.net
>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net
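
An added example, not part of the original thread: a small offline check of the rule discussed above, that a virtual link inherits the area 0 authentication type unless it is set on the virtual-link itself, and that both ends must agree on type, key ID and key. The router IDs, the config fragments and the function names are constructed for illustration; it assumes unabbreviated keywords and a plain-text key as they would appear in a running config.

```python
# Constructed running-config fragments; router IDs and key are placeholders.
R1 = """router ospf 1
 area 0 authentication message-digest
 area 1 virtual-link 2.2.2.2 message-digest-key 1 md5 cisco"""
R2 = """router ospf 1
 area 1 virtual-link 1.1.1.1 authentication message-digest
 area 1 virtual-link 1.1.1.1 message-digest-key 1 md5 cisco"""
R2_NO_AUTH = """router ospf 1
 area 1 virtual-link 1.1.1.1 message-digest-key 1 md5 cisco"""

def vlink_auth(config, peer_rid):
    """Effective (auth_type, key_id, key) for the virtual link to peer_rid."""
    area0, explicit, key_id, key = "null", None, None, None
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 3 and t[0] == "area" and t[2] == "authentication" and t[1] in ("0", "0.0.0.0"):
            # Virtual links are part of area 0 and inherit its auth type.
            area0 = "message-digest" if t[3:4] == ["message-digest"] else "simple"
        if len(t) >= 4 and t[0] == "area" and t[2] == "virtual-link" and t[3] == peer_rid:
            opts = t[4:]
            for i, tok in enumerate(opts):
                if tok == "authentication":
                    nxt = opts[i + 1] if i + 1 < len(opts) else ""
                    explicit = nxt if nxt in ("message-digest", "null") else "simple"
                elif tok == "message-digest-key" and len(opts) >= i + 4:
                    # Assumes "message-digest-key <id> md5 <plain-text key>".
                    key_id, key = int(opts[i + 1]), opts[i + 3]
    return (explicit or area0, key_id, key)

def check_pair(cfg_a, rid_a, cfg_b, rid_b):
    """Return a list of problems for the virtual link between rid_a and rid_b."""
    ends = {rid_a: vlink_auth(cfg_a, rid_b), rid_b: vlink_auth(cfg_b, rid_a)}
    (type_a, *key_a), (type_b, *key_b) = ends.values()
    problems = []
    if type_a != type_b:
        problems.append(f"auth type mismatch: {type_a} vs {type_b}")
    for rid, (auth, key_id, _) in ends.items():
        if auth == "message-digest" and key_id is None:
            problems.append(f"{rid}: message-digest enabled but no key configured")
        if auth == "null":
            problems.append(f"{rid}: virtual link is unauthenticated")
    if type_a == type_b == "message-digest" and key_a != key_b:
        problems.append("key id or key string differs between the two ends")
    return problems

if __name__ == "__main__":
    print(check_pair(R1, "1.1.1.1", R2, "2.2.2.2"))
    print(check_pair(R1, "1.1.1.1", R2_NO_AUTH, "2.2.2.2"))
```

On a live router the same facts are confirmed with the "show ip ospf interface" output mentioned in the thread.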



This archive was generated by hypermail 2.1.4 : Thu Jan 01 2009 - 12:53:08 ARST