Re: virtual link authentication

From: Marko Milivojevic <markom_at_ipexpert.com>
Date: Wed, 29 Jun 2011 13:53:49 -0700

Your reasoning is sound.

--
Marko Milivojevic - CCIE #18427
Senior Technical Instructor - IPexpert
FREE CCIE training: http://bit.ly/vLecture
Mailto: markom_at_ipexpert.com
Telephone: +1.810.326.1444
Web: http://www.ipexpert.com/
On Wed, Jun 29, 2011 at 13:16, Nathan Falcon <nathan.falcon_at_gmail.com> wrote:
> Thanks Marko, I understand that it will function if configured correctly,
> but I'm looking at this from an "interpretation of the question"
> perspective.
> Based off your topology:
> If the lab states that Area 254 should be authenticated and it so happens
> that you need to configure a virtual-link through area 254, would you need
> to configure authentication on that link to satisfy the question? I'm
> pretty sure the virtual-link will work with or without authentication, but I
> understand virtual-links to be considered area 0, not 254 (in this case).
> My deduction would be that if:
> Area 254 requires authentication - NO authentication required by
> the scenario on a virtual-link through Area254
> Area 0 requires authentication - authentication required on the
> virtual-link through Area254
> Is my logic sound in this case, or am I missing something?
> Much appreciated,
> Nate
>
> On Wed, Jun 29, 2011 at 3:42 PM, Marko Milivojevic <markom_at_ipexpert.com>
> wrote:
>>
>> On Wed, Jun 29, 2011 at 12:27, -Hammer- <bhmccie_at_gmail.com> wrote:
>> > Thanks for clarifying Marko.
>>
>> Don't take my word for it though. Here's the quick verification:
>>
>> R2---R5---R4
>>
>> R2:
>> Lo0: Area 0
>> Se0/2/0: Area 254 to R5
>>
>> R5:
>> Lo0: Area 254
>> Se0/2/0: Area 254 to R2
>> Se0/0/0: Area 254 to R4
>>
>> R4:
>> Lo0: Area 0
>> Se0/1/0: Area 254 to R5
>>
>> Configurations:
>>
>> R2:
>>
>> interface Loopback0
>>  ip address 192.168.0.2 255.255.255.255
>> !
>> interface Serial0/2/0
>>  ip address 192.168.25.2 255.255.255.0
>>  ip ospf message-digest-key 1 md5 ipexpert
>> !
>> router ospf 1
>>  router-id 2.2.2.2
>>  area 254 authentication message-digest
>>  area 254 virtual-link 4.4.4.4
>>  network 192.168.0.2 0.0.0.0 area 0
>>  network 192.168.25.0 0.0.0.255 area 254
>> !
>>
>> R5:
>>
>> interface Loopback0
>>  ip address 192.168.0.5 255.255.255.255
>> !
>> interface Serial0/0/0
>>  ip address 192.168.45.5 255.255.255.0
>>  ip ospf message-digest-key 1 md5 ipexpert
>> !
>> interface Serial0/2/0
>>  ip address 192.168.25.5 255.255.255.0
>>  ip ospf message-digest-key 1 md5 ipexpert
>> !
>> router ospf 1
>>  router-id 5.5.5.5
>>  area 254 authentication message-digest
>>  network 192.168.0.5 0.0.0.0 area 254
>>  network 192.168.25.0 0.0.0.255 area 254
>>  network 192.168.45.0 0.0.0.255 area 254
>> !
>>
>> R4:
>>
>> interface Loopback0
>>  ip address 192.168.0.4 255.255.255.255
>> !
>> interface Serial0/1/0
>>  ip address 192.168.45.4 255.255.255.0
>>  ip ospf message-digest-key 1 md5 ipexpert
>> !
>> router ospf 1
>>  router-id 4.4.4.4
>>  area 254 authentication message-digest
>>  area 254 virtual-link 2.2.2.2
>>  network 192.168.0.4 0.0.0.0 area 0
>>  network 192.168.45.0 0.0.0.255 area 254
>> !
>>
>> Verification:
>>
>> R2#sh ip ospf int s0/2/0
>> Serial0/2/0 is up, line protocol is up
>>   Internet Address 192.168.25.2/24, Area 254
>>   Process ID 1, Router ID 2.2.2.2, Network Type POINT_TO_POINT, Cost: 64
>>   Transmit Delay is 1 sec, State POINT_TO_POINT
>>   Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
>>     oob-resync timeout 40
>>     Hello due in 00:00:00
>>   Supports Link-local Signaling (LLS)
>>   Cisco NSF helper support enabled
>>   IETF NSF helper support enabled
>>   Index 1/2, flood queue length 0
>>   Next 0x0(0)/0x0(0)
>>   Last flood scan length is 1, maximum is 1
>>   Last flood scan time is 0 msec, maximum is 0 msec
>>   Neighbor Count is 1, Adjacent neighbor count is 1
>>     Adjacent with neighbor 5.5.5.5
>>   Suppress hello for 0 neighbor(s)
>>   Message digest authentication enabled
>>     Youngest key id is 1
>>
>> We can see authentication enabled on Serial 0/2/0
>>
>> R2#show ip ospf int br
>> Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C
>> VL0          1     0               192.168.25.2/24    128   P2P   1/1
>> Lo0          1     0               192.168.0.2/32     1     LOOP  0/0
>> Se0/2/0      1     254             192.168.25.2/24    64    P2P   1/1
>>
>> We see a neighbor on Virtual-link0. Let's check the neighbors:
>>
>> R2#show ip ospf nei
>>
>> Neighbor ID     Pri   State           Dead Time   Address         Interface
>> 4.4.4.4           0   FULL/  -           -        192.168.45.4    OSPF_VL0
>> 5.5.5.5           0   FULL/  -        00:00:39    192.168.25.5    Serial0/2/0
>>
>> Looks like R4 is our neighbor. How about the routes in the table?
>>
>> R2#show ip route ospf
>> O    192.168.45.0/24 [110/128] via 192.168.25.5, 00:06:31, Serial0/2/0
>>      192.168.0.0/32 is subnetted, 3 subnets
>> O       192.168.0.4 [110/129] via 192.168.25.5, 00:04:41, Serial0/2/0
>> O       192.168.0.5 [110/65] via 192.168.25.5, 00:06:31, Serial0/2/0
>>
>> Finally, reachability:
>>
>> R2#ping 192.168.0.4 so lo0
>>
>> Type escape sequence to abort.
>> Sending 5, 100-byte ICMP Echos to 192.168.0.4, timeout is 2 seconds:
>> Packet sent with a source address of 192.168.0.2
>> !!!!!
>> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
>>
>> --
>> Marko Milivojevic - CCIE #18427
>> Senior Technical Instructor - IPexpert
>>
>> FREE CCIE training: http://bit.ly/vLecture
>>
>> Mailto: markom_at_ipexpert.com
>> Telephone: +1.810.326.1444
>> Web: http://www.ipexpert.com/
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
Blogs and organic groups at http://www.ccie.net
Received on Wed Jun 29 2011 - 13:53:49 ART
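
The rule discussed in this thread (a virtual link counts as area 0, so the transit area's authentication setting does not cover it), written as a small configuration audit. This is an added example, not part of the original messages; the function name `audit_virtual_links`, the second stanza and the key `KEY` are constructed for illustration.

```python
import re

# Constructed input: R2's "router ospf 1" stanza as posted in the thread.
R2_OSPF = """router ospf 1
 router-id 2.2.2.2
 area 254 authentication message-digest
 area 254 virtual-link 4.4.4.4
 network 192.168.0.2 0.0.0.0 area 0
 network 192.168.25.0 0.0.0.255 area 254
"""
# Constructed variant: the task now asks for area 0 to be authenticated.
# KEY is a placeholder, not a value from the thread.
R2_AREA0 = R2_OSPF + (" area 0 authentication message-digest\n"
                      " area 254 virtual-link 4.4.4.4 message-digest-key 1 md5 KEY\n")

AREA_AUTH = re.compile(r"^\s*area (\S+) authentication( message-digest)?\s*$")
VLINK = re.compile(r"^\s*area (\S+) virtual-link (\S+)(.*)$")
BACKBONE = ("0", "0.0.0.0")

def audit_virtual_links(stanza):
    """Report the authentication mode each virtual link is configured for."""
    area_auth, vlinks = {}, {}
    for line in stanza.splitlines():
        if m := AREA_AUTH.match(line):
            area_auth[m.group(1)] = "md5" if m.group(2) else "simple"
        elif m := VLINK.match(line):
            # IOS may spread one virtual link's options over several lines.
            key = (m.group(1), m.group(2))
            vlinks[key] = vlinks.get(key, "") + m.group(3)
    backbone = next((area_auth[a] for a in BACKBONE if a in area_auth), "none")
    report = []
    for (transit, peer), opts in vlinks.items():
        # A virtual link is an area 0 interface: it follows area 0's setting
        # (or its own per-link override), never the transit area's.
        if "authentication null" in opts:
            mode = "none"
        elif "authentication message-digest" in opts:
            mode = "md5"
        elif re.search(r"\bauthentication(\s|$)", opts):
            mode = "simple"
        else:
            mode = backbone
        has_key = bool(re.search(r"message-digest-key|authentication-key", opts))
        report.append({"peer": peer, "transit": transit, "mode": mode,
                       "key": has_key, "transit_auth": area_auth.get(transit, "none")})
    return report

if __name__ == "__main__":
    for cfg in (R2_OSPF, R2_AREA0):
        print(audit_virtual_links(cfg))
```

For the posted R2 stanza the report shows the virtual link with mode `none` while the transit area is `md5`, which matches VL0 coming up in area 0 with no authentication configured on it.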

This archive was generated by hypermail 2.2.0 : Fri Jul 01 2011 - 06:24:28 ART