Re: virtual link authentication from Nathan Falcon on 2011-06-29 (Ccielab archives 06/2011)

From: Nathan Falcon <nathan.falcon_at_gmail.com>
Date: Wed, 29 Jun 2011 16:16:39 -0400

Thanks Marko, I understand that it will function if configured correctly,
but I'm looking at this from an "interpretation or the question"
perspective.

Based off your topology:

If the lab states that Area 254 should be authenticated and it so happens
that you need to configure a virtual-link through area 254, would you need
to configure authentication on that link to satisfy the question? I'm
pretty sure the virtual-link will work with or without authentication, but I
understand virtual-links to be considered area 0, not 254 (in this case).

My deduction would be that if:
Area 254 requires authentication - NO authentication required by
the scenario on a virtual-link through Area254
Area 0 requires authentication - authentication required on the
virtual-link through Area254

Is my logic sound in this case, or am I missing something?

Much appreciated,
Nate

On Wed, Jun 29, 2011 at 3:42 PM, Marko Milivojevic <markom_at_ipexpert.com>wrote:

> On Wed, Jun 29, 2011 at 12:27, -Hammer- <bhmccie_at_gmail.com> wrote:
> > Thanks for clarifying Marko.
>
> Don't take my word for it though. Here's the quick verification:
>
> R2---R5---R4
>
> R2:
> Lo0: Area 0
> Se0/2/0: Area 254 to R5
>
> R5:
> Lo0: Area 254
> Se0/2/0: Area 254 to R2
> Se0/0/0: Area 254 to R4
>
> R4:
> Lo0: Area 0
> Se0/1/0: Area 254 to R5
>
> Configurations:
>
> R2:
>
> interface Loopback0
> ip address 192.168.0.2 255.255.255.255
> !
> interface Serial0/2/0
> ip address 192.168.25.2 255.255.255.0
> ip ospf message-digest-key 1 md5 ipexpert
> !
> router ospf 1
> router-id 2.2.2.2
> area 254 authentication message-digest
> area 254 virtual-link 4.4.4.4
> network 192.168.0.2 0.0.0.0 area 0
> network 192.168.25.0 0.0.0.255 area 254
> !
>
> R5:
>
> interface Loopback0
> ip address 192.168.0.5 255.255.255.255
> !
> interface Serial0/0/0
> ip address 192.168.45.5 255.255.255.0
> ip ospf message-digest-key 1 md5 ipexpert
> !
> interface Serial0/2/0
> ip address 192.168.25.5 255.255.255.0
> ip ospf message-digest-key 1 md5 ipexpert
> !
> router ospf 1
> router-id 5.5.5.5
> area 254 authentication message-digest
> network 192.168.0.5 0.0.0.0 area 254
> network 192.168.25.0 0.0.0.255 area 254
> network 192.168.45.0 0.0.0.255 area 254
> !
>
> R4:
>
> interface Loopback0
> ip address 192.168.0.4 255.255.255.255
> !
> interface Serial0/1/0
> ip address 192.168.45.4 255.255.255.0
> ip ospf message-digest-key 1 md5 ipexpert
> !
> router ospf 1
> router-id 4.4.4.4
> area 254 authentication message-digest
> area 254 virtual-link 2.2.2.2
> network 192.168.0.4 0.0.0.0 area 0
> network 192.168.45.0 0.0.0.255 area 254
> !
>
> Verification:
>
> R2#sh ip ospf int s0/2/0
> Serial0/2/0 is up, line protocol is up
> Internet Address 192.168.25.2/24, Area 254
> Process ID 1, Router ID 2.2.2.2, Network Type POINT_TO_POINT, Cost: 64
> Transmit Delay is 1 sec, State POINT_TO_POINT
> Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
> oob-resync timeout 40
> Hello due in 00:00:00
> Supports Link-local Signaling (LLS)
> Cisco NSF helper support enabled
> IETF NSF helper support enabled
> Index 1/2, flood queue length 0
> Next 0x0(0)/0x0(0)
> Last flood scan length is 1, maximum is 1
> Last flood scan time is 0 msec, maximum is 0 msec
> Neighbor Count is 1, Adjacent neighbor count is 1
> Adjacent with neighbor 5.5.5.5
> Suppress hello for 0 neighbor(s)
> Message digest authentication enabled
> Youngest key id is 1
>
> We can see authentication enabled on Serial 0/2/0
>
> R2#show ip ospf int br
> Interface PID Area IP Address/Mask Cost State Nbrs F/C
> VL0 1 0 192.168.25.2/24 128 P2P 1/1
> Lo0 1 0 192.168.0.2/32 1 LOOP 0/0
> Se0/2/0 1 254 192.168.25.2/24 64 P2P 1/1
>
> We see a neighbor on Virutal-link0. Let's check the neioghbors:
>
> R2#show ip ospf nei
>
> Neighbor ID Pri State Dead Time Address Interface
> 4.4.4.4 0 FULL/ - - 192.168.45.4 OSPF_VL0
> 5.5.5.5 0 FULL/ - 00:00:39 192.168.25.5
> Serial0/2/0
>
> Looks like R4 is our neighbor. How about the routes in the table?
>
> R2#show ip route ospf
> O 192.168.45.0/24 [110/128] via 192.168.25.5, 00:06:31, Serial0/2/0
> 192.168.0.0/32 is subnetted, 3 subnets
> O 192.168.0.4 [110/129] via 192.168.25.5, 00:04:41, Serial0/2/0
> O 192.168.0.5 [110/65] via 192.168.25.5, 00:06:31, Serial0/2/0
>
> Finally, reachability:
>
> R2#ping 192.168.0.4 so lo0
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 192.168.0.4, timeout is 2 seconds:
> Packet sent with a source address of 192.168.0.2
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
>
> --
> Marko Milivojevic - CCIE #18427
> Senior Technical Instructor - IPexpert
>
> FREE CCIE training: http://bit.ly/vLecture
>
> Mailto: markom_at_ipexpert.com
> Telephone: +1.810.326.1444
> Web: http://www.ipexpert.com/
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net
Received on Wed Jun 29 2011 - 16:16:39 ART

This archive was generated by hypermail 2.2.0 : Fri Jul 01 2011 - 06:24:28 ART