Re: OSPF Area 0 and Virtual Links Authentication in a transit

From: Jason Madsen (madsen.jason@gmail.com)
Date: Fri Dec 12 2008 - 23:58:06 ARST


Option 1 is valid, but whether or not it's the required method depends on
the exact wording of the scenario you're reading. I typically use the
following unless specified otherwise:

router ospf 1
area 0 authen mess
area x virt x.x.x.x message-digest-key x md5 password

I guess technically this method conflicts with the OSPF RFC, but it is
supported by Cisco and for me it's the easiest.

Even though one end of your virtual link has no interfaces in Area 0, you
can still use the "area 0 authen mess" since your virtual link is an
extension of Area 0.

Jason

On Fri, Dec 12, 2008 at 6:44 PM, antonygrooves <antonygrooves@gmail.com> wrote:

> Ok so OPTION 1 would be ok, the thing is that the task asks me to
> authenticate area 0 under ospf process and also authenticate virtual-links,
> that's why it is a little confusing having a mix. With this requirement OPTION 1
> will be ok??
>
> Thanks again.
>
> Tony.
>
> Jason Madsen wrote:
>
>> to possibly clarify a little, in option 2 you EITHER need "area 0 authen
>> mess" OR "area 1 virtual-link x.x.x.x authen mess", but NOT both.
>>
>> Jason
>>
>> On Fri, Dec 12, 2008 at 6:17 PM, antonygrooves <antonygrooves@gmail.com> wrote:
>>
>> Jason thanks for the answer.
>>
>> I know that I have to authenticate on both sides using the same
>> type of authentication and the same password.
>> But the question was if I should authenticate area 0 by doing it
>> under ospf process. By this way using area 0 authentication
>> message-digest it applies to all virtual links because they are
>> part of area 0, then area 1 virtual-link x.x.x.x message-digest 1
>> md5 password. With these two commands I authenticate the virtual
>> link in the side of the area 0.
>> But in the other side using area 1 virtual-link x.x.x.x
>> authentication message-digest and area 1 virtual-link x.x.x.x
>> message-digest 1 md5 password I authenticate the virtual-link in
>> this side.
>>
>>
>> The final question is if it's ok using in one side.
>> OPTION 1
>> area 1 virtual-link x.x.x.x authentication message-digest
>> area 1 virtual-link x.x.x.x message-digest 1 md5 password
>>
>>
>> And in the other side.
>> area 0 authentication message-digest
>> area 1 virtual-link x.x.x.x message-digest 1 md5 password.
>>
>> OR
>> OPTION 2
>>
>> The final question is if it's ok using in one side.
>>
>> area 1 virtual-link x.x.x.x authentication message-digest
>> area 1 virtual-link x.x.x.x message-digest 1 md5 password
>>
>>
>> And in the other side.
>> area 0 authentication message-digest
>> area 1 virtual-link x.x.x.x authentication message-digest
>> area 1 virtual-link x.x.x.x message-digest 1 md5 password.
>>
>>
>>
>> Thanks again for the help.
>>
>> Tony.
>>
>> Jason Madsen wrote:
>>
>> whoops, I forgot to answer part of your question. yes, you
>> have to do the authentication on BOTH ends of your virtual
>> link(s) for it to work properly.
>>
>> Jason
>>
>> On Fri, Dec 12, 2008 at 5:27 PM, Jason Madsen <madsen.jason@gmail.com> wrote:
>>
>> Virtual links are an extension of Area 0. I recommend doing a
>> "show ip ospf inter bri" any time you do ospf authentication. It
>> neatly lists what interfaces / links are in what areas. Virtual
>> links always show up as Area 0.
>>
>> It looks as though you have duplicated commands in your
>> example. If you use "area 0 authent messag", then you don't
>> need "area x virtual x.x.x.x authen mess". You would only have to use
>> "area x virtual x.x.x.x message-digest x md5 password". Basically here
>> are your options for Virtual link authentication:
>>
>> 1.)
>>
>> router ospf 1
>> area 0 authen mess
>> area x virtual-link x.x.x.x message-digest-key x md5 password
>>
>> OR
>>
>> 2.)
>>
>> router ospf 1
>> area x virtual-link x.x.x.x authen mess
>> area x virtual-link x.x.x.x message-digest-key x md5 password
>>
>> Either way, do a "show ip ospf interface xxx" to confirm that you
>> are in fact using authentication and with md5 ensure that you're
>> NOT using key 0 (null key) unless you meant to use it.
>>
>> Jason
>>
>>
>> On Fri, Dec 12, 2008 at 11:59 AM, antonygrooves <antonygrooves@gmail.com> wrote:
>>
>> Hi Guys.
>> I would like to know which is the best way to configure
>> authentication in OSPF if i have to configure it on area 0
>> and for virtual links in a transit area.
>>
>> R1 in area 0 and area 1
>> R2 in area 1 and area 2
>>
>>
>> Is this correct.
>> R1
>> Under Ospf
>> Area 0 authentication message-digest.
>>
>> Interface
>> ip ospf message-digest 1 md5 cisco
>>
>>
>> area 1 virtual link 1.1.1.1 authentication message-digest
>> area 1 virtual link 1.1.1.1 message-digest 1 md5 cisco
>>
>>
>> R2
>> Area 1 virtual-link 1.1.2.2 authentication message-digest
>> area 1 virtual-link 1.1.2.2 message-digest 1 md5 cisco
>>
>>
>> I'm not sure if it's correct to repeat in R1 for the virtual
>> link authentication message-digest again or just by doing it
>> for the backbone area it's enough.
>>
>> I appreciate any help on this.
>>
>> Tony.
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
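
An added example, not from the thread or from Cisco: a small Python audit of the either/or rule discussed above (area 0 authentication or per-link authentication, plus a key on every virtual link). It assumes full-form commands as they appear in a running-config; the config fragments, router IDs, key string and the `audit_virtual_links` name are constructed for illustration.

```python
import re

# Constructed running-config fragments (not from the thread). R1 follows
# option 1 (area-wide), R2 option 2 (per link), R3 enables MD5 but has no key.
R1 = """router ospf 1
 area 0 authentication message-digest
 area 1 virtual-link 2.2.2.2 message-digest-key 1 md5 EXAMPLE
"""
R2 = """router ospf 1
 area 1 virtual-link 1.1.1.1 authentication message-digest
 area 1 virtual-link 1.1.1.1 message-digest-key 1 md5 EXAMPLE
"""
R3 = """router ospf 1
 area 0 authentication message-digest
 area 1 virtual-link 2.2.2.2
"""

AREA0 = re.compile(r"^\s*area (0|0\.0\.0\.0) authentication message-digest\s*$")
VLINK = re.compile(r"^\s*area (\S+) virtual-link (\S+)(.*)$")
KEY = re.compile(r"message-digest-key (\d+) md5 \S")


def audit_virtual_links(config):
    """Map (transit_area, peer_router_id) -> finding for one OSPF process."""
    area0_md5 = False
    links = {}  # (area, peer) -> {"md5": per-link auth seen, "keys": key ids}
    for line in config.splitlines():
        if AREA0.match(line):
            area0_md5 = True  # virtual links belong to area 0, so this covers them
            continue
        m = VLINK.match(line)
        if not m:
            continue
        link = links.setdefault(m.group(1, 2), {"md5": False, "keys": []})
        rest = m.group(3)
        if " authentication message-digest" in rest:
            link["md5"] = True
        link["keys"] += [int(k) for k in KEY.findall(rest)]
    findings = {}
    for ident, link in links.items():
        if not (area0_md5 or link["md5"]):
            findings[ident] = "authentication not enabled"
        elif not link["keys"]:
            # The case the thread warns about: MD5 on, but no real key in use.
            findings[ident] = "md5 enabled, no key configured"
        else:
            findings[ident] = "ok"
    return findings
```

Run it against the `router ospf` stanza from each end of the virtual link; both ends need to report "ok" with the same key ID and password.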

This archive was generated by hypermail 2.1.4 : Thu Jan 01 2009 - 12:53:08 ARST