Marko is spot on, but I will just offer another way to look at this. You
can picture the virtual-link like a virtual crossover cable between your two
terminating routers. The interfaces that the virtual crossover cable is
plugged into are members of area 0. Therefore, area 0 requiring
authentication is the only time you need to worry about authenticating a
virtual link.
The transit area has no bearing on the authentication because the virtual
link itself is not part of that area.
HTH
On Wed, Jun 29, 2011 at 4:53 PM, Marko Milivojevic <markom_at_ipexpert.com> wrote:
> Your reasoning is sound.
>
> --
> Marko Milivojevic - CCIE #18427
> Senior Technical Instructor - IPexpert
>
> FREE CCIE training: http://bit.ly/vLecture
>
> Mailto: markom_at_ipexpert.com
> Telephone: +1.810.326.1444
> Web: http://www.ipexpert.com/
>
> On Wed, Jun 29, 2011 at 13:16, Nathan Falcon <nathan.falcon_at_gmail.com>
> wrote:
> > Thanks Marko, I understand that it will function if configured correctly,
> > but I'm looking at this from an "interpretation of the question"
> > perspective.
> > Based off your topology:
> > If the lab states that Area 254 should be authenticated and it so happens
> > that you need to configure a virtual-link through area 254, would you need
> > to configure authentication on that link to satisfy the question? I'm
> > pretty sure the virtual-link will work with or without authentication, but I
> > understand virtual-links to be considered area 0, not 254 (in this case).
> > My deduction would be that if:
> > Area 254 requires authentication - NO authentication required by
> > the scenario on a virtual-link through Area254
> > Area 0 requires authentication - authentication required on the
> > virtual-link through Area254
> > Is my logic sound in this case, or am I missing something?
> > Much appreciated,
> > Nate
> >
> > On Wed, Jun 29, 2011 at 3:42 PM, Marko Milivojevic <markom_at_ipexpert.com>
> > wrote:
> >>
> >> On Wed, Jun 29, 2011 at 12:27, -Hammer- <bhmccie_at_gmail.com> wrote:
> >> > Thanks for clarifying Marko.
> >>
> >> Don't take my word for it though. Here's the quick verification:
> >>
> >> R2---R5---R4
> >>
> >> R2:
> >> Lo0: Area 0
> >> Se0/2/0: Area 254 to R5
> >>
> >> R5:
> >> Lo0: Area 254
> >> Se0/2/0: Area 254 to R2
> >> Se0/0/0: Area 254 to R4
> >>
> >> R4:
> >> Lo0: Area 0
> >> Se0/1/0: Area 254 to R5
> >>
> >> Configurations:
> >>
> >> R2:
> >>
> >> interface Loopback0
> >>  ip address 192.168.0.2 255.255.255.255
> >> !
> >> interface Serial0/2/0
> >>  ip address 192.168.25.2 255.255.255.0
> >>  ip ospf message-digest-key 1 md5 ipexpert
> >> !
> >> router ospf 1
> >>  router-id 2.2.2.2
> >>  area 254 authentication message-digest
> >>  area 254 virtual-link 4.4.4.4
> >>  network 192.168.0.2 0.0.0.0 area 0
> >>  network 192.168.25.0 0.0.0.255 area 254
> >> !
> >>
> >> R5:
> >>
> >> interface Loopback0
> >>  ip address 192.168.0.5 255.255.255.255
> >> !
> >> interface Serial0/0/0
> >>  ip address 192.168.45.5 255.255.255.0
> >>  ip ospf message-digest-key 1 md5 ipexpert
> >> !
> >> interface Serial0/2/0
> >>  ip address 192.168.25.5 255.255.255.0
> >>  ip ospf message-digest-key 1 md5 ipexpert
> >> !
> >> router ospf 1
> >>  router-id 5.5.5.5
> >>  area 254 authentication message-digest
> >>  network 192.168.0.5 0.0.0.0 area 254
> >>  network 192.168.25.0 0.0.0.255 area 254
> >>  network 192.168.45.0 0.0.0.255 area 254
> >> !
> >>
> >> R4:
> >>
> >> interface Loopback0
> >>  ip address 192.168.0.4 255.255.255.255
> >> !
> >> interface Serial0/1/0
> >>  ip address 192.168.45.4 255.255.255.0
> >>  ip ospf message-digest-key 1 md5 ipexpert
> >> !
> >> router ospf 1
> >>  router-id 4.4.4.4
> >>  area 254 authentication message-digest
> >>  area 254 virtual-link 2.2.2.2
> >>  network 192.168.0.4 0.0.0.0 area 0
> >>  network 192.168.45.0 0.0.0.255 area 254
> >> !
> >>
> >> Verification:
> >>
> >> R2#sh ip ospf int s0/2/0
> >> Serial0/2/0 is up, line protocol is up
> >>   Internet Address 192.168.25.2/24, Area 254
> >>   Process ID 1, Router ID 2.2.2.2, Network Type POINT_TO_POINT, Cost: 64
> >>   Transmit Delay is 1 sec, State POINT_TO_POINT
> >>   Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
> >>     oob-resync timeout 40
> >>     Hello due in 00:00:00
> >>   Supports Link-local Signaling (LLS)
> >>   Cisco NSF helper support enabled
> >>   IETF NSF helper support enabled
> >>   Index 1/2, flood queue length 0
> >>   Next 0x0(0)/0x0(0)
> >>   Last flood scan length is 1, maximum is 1
> >>   Last flood scan time is 0 msec, maximum is 0 msec
> >>   Neighbor Count is 1, Adjacent neighbor count is 1
> >>     Adjacent with neighbor 5.5.5.5
> >>   Suppress hello for 0 neighbor(s)
> >>   Message digest authentication enabled
> >>     Youngest key id is 1
> >>
> >> We can see authentication enabled on Serial 0/2/0
> >>
> >> R2#show ip ospf int br
> >> Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C
> >> VL0          1     0               192.168.25.2/24    128   P2P   1/1
> >> Lo0          1     0               192.168.0.2/32     1     LOOP  0/0
> >> Se0/2/0      1     254             192.168.25.2/24    64    P2P   1/1
> >>
> >> We see a neighbor on Virtual-link0. Let's check the neighbors:
> >>
> >> R2#show ip ospf nei
> >>
> >> Neighbor ID     Pri   State           Dead Time   Address         Interface
> >> 4.4.4.4           0   FULL/  -           -        192.168.45.4    OSPF_VL0
> >> 5.5.5.5           0   FULL/  -        00:00:39    192.168.25.5    Serial0/2/0
> >>
> >> Looks like R4 is our neighbor. How about the routes in the table?
> >>
> >> R2#show ip route ospf
> >> O    192.168.45.0/24 [110/128] via 192.168.25.5, 00:06:31, Serial0/2/0
> >>      192.168.0.0/32 is subnetted, 3 subnets
> >> O       192.168.0.4 [110/129] via 192.168.25.5, 00:04:41, Serial0/2/0
> >> O       192.168.0.5 [110/65] via 192.168.25.5, 00:06:31, Serial0/2/0
> >>
> >> Finally, reachability:
> >>
> >> R2#ping 192.168.0.4 so lo0
> >>
> >> Type escape sequence to abort.
> >> Sending 5, 100-byte ICMP Echos to 192.168.0.4, timeout is 2 seconds:
> >> Packet sent with a source address of 192.168.0.2
> >> !!!!!
> >> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
> >>
> >> --
> >> Marko Milivojevic - CCIE #18427
> >> Senior Technical Instructor - IPexpert
> >>
> >> FREE CCIE training: http://bit.ly/vLecture
> >>
> >> Mailto: markom_at_ipexpert.com
> >> Telephone: +1.810.326.1444
> >> Web: http://www.ipexpert.com/
> >>
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
--
Regards,
Joe Astorino
CCIE #24347
Blog: http://astorinonetworks.com
"He not busy being born is busy dying" - Dylan

Blogs and organic groups at http://www.ccie.net

Received on Wed Jun 29 2011 - 17:50:45 ART
This archive was generated by hypermail 2.2.0 : Fri Jul 01 2011 - 06:24:28 ART
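
Added example (not part of the original thread, and not code from any of its participants): a small Python check that applies the rule discussed above to an IOS `router ospf` stanza, treating every virtual-link as an area 0 interface regardless of its transit area. The R2 stanza is copied from the thread; the area 0 variant, the function name and the result field names are constructed for illustration.

```python
import re

# R2's OSPF stanza as posted in the thread, plus a constructed variant in
# which area 0 (rather than transit area 254) requires MD5 authentication.
R2_THREAD = """\
router ospf 1
 router-id 2.2.2.2
 area 254 authentication message-digest
 area 254 virtual-link 4.4.4.4
 network 192.168.0.2 0.0.0.0 area 0
 network 192.168.25.0 0.0.0.255 area 254
"""
R2_AREA0_AUTH = R2_THREAD.replace("area 254 authentication", "area 0 authentication")

AREA_AUTH = re.compile(r"^\s*area (\S+) authentication( message-digest)?\s*$")
VLINK = re.compile(r"^\s*area (\S+) virtual-link (\S+)(.*)$")

def audit_virtual_links(config):
    """Return one finding per virtual-link found in a 'router ospf' stanza."""
    area_auth, links = {}, {}
    for line in config.splitlines():
        if m := AREA_AUTH.match(line):
            area_auth[m.group(1)] = "md5" if m.group(2) else "simple"
        elif m := VLINK.match(line):
            # Options for one link may be split over several config lines.
            links.setdefault((m.group(1), m.group(2)), []).append(m.group(3))
    # The virtual-link is an area 0 interface, so area 0 sets its default.
    backbone = area_auth.get("0", area_auth.get("0.0.0.0", "none"))
    findings = []
    for (transit, peer), opts in links.items():
        opt = " ".join(opts)
        # A per-link override wins; otherwise inherit area 0's type.
        if "authentication null" in opt:
            auth = "none"
        elif "authentication message-digest" in opt:
            auth = "md5"
        elif re.search(r"\bauthentication\b(?!-key)", opt):
            auth = "simple"
        else:
            auth = backbone
        key_word = {"md5": "message-digest-key", "simple": "authentication-key"}.get(auth)
        findings.append({"peer": peer, "transit": transit,
                         "transit_auth": area_auth.get(transit, "none"),
                         "link_auth": auth,
                         "key_configured": key_word in opt if key_word else None})
    return findings
```

For the thread's R2 stanza the link reports `link_auth` of `none` even though transit area 254 is authenticated; for the area 0 variant it reports `md5` with `key_configured` false, which is the case where the virtual-link itself needs a key.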