From: Bill Reilly (william.j.reilly@xxxxxxxxxxx)
Date: Wed Nov 21 2001 - 10:45:24 GMT-3
They both work correctly, and I would rather know two ways to do
something than just one.
Bill
Albert Lu wrote:
>Bill,
>
>I see what you're saying, you had IOS incompatibility issues. So if you had
>all 12.1 routers, what would be the most correct and best way of doing this?
>
>Albert
>
>-----Original Message-----
>From: Bill Reilly [mailto:william.j.reilly@verizon.net]
>Sent: Wednesday, November 21, 2001 12:57 PM
>To: albert_ccie@yahoo.com
>Cc: ccielab@groupstudy.com
>Subject: Re: Virtual Link Auth Again
>
>
>I think if you read the beginning of this string, I had routers with
>very different IOS images 11.1 and 12.1 and for some reason this did not
>work correctly. What I came up with was a workaround, but I did try this
>first.
>
>Albert Lu wrote:
>
>>Have you had a look at the CCO I included about virtual link authentication.
>>Could you have done it that way, if not then what were the requirements that
>>did not allow you to do so?
>>
>>Thanks
>>
>>Albert
>>
>>-----Original Message-----
>>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>>Bill Reilly
>>Sent: Wednesday, November 21, 2001 11:57 AM
>>To: albert_ccie@yahoo.com
>>Cc: ccielab@groupstudy.com
>>Subject: Re: Virtual Link Auth Again
>>
>>
>>My goal was to only authenticate area 0 connections. So all routers in
>>area 10 did not have to auth. to each other, that is why you do not see
>>an area 10 authenticate message-digest. Since the VL must connect to
>>area 0 it must be doing md5 auth. All other connections in area 10 are
>>free to connect with any other router in area 10.
>>
>>Probably not the best practice but it was my lab.
>>
>>Bill
>>
>>Albert Lu wrote:
>>
>>>Bill,
>>>
>>>Now you got me a little confused =). Which is good, maybe I can learn
>>>something.
>>>
>>>Looking at your config, you have two virtual links going to two different
>>>ABR routers 1.1.1.1 and 4.4.4.4. Let's focus on the virtual link to 1.1.1.1.
>>>Area 0 is doing MD5 authentication, area 10 is not doing authentication, but
>>>the virtual link going over Area 10 is doing MD5 authentication.
>>>
>>>I just tried it out, and it works. I think what made it work was the 'area
>>>10 virtual-link 1.1.1.1 authentication message-digest' statement on the
>>>remote router. I've always done it by putting 'area 0 authentication
>>>message-digest' on the remote router, since CCO described it that way:
>>>
>>>http://www.cisco.com/warp/public/104/27.html
>>>
>>>Now, I'm a bit confused on the difference with your method and CCO's method??
>>>It seems like 'show ip ospf virtual-link' always shows the virtual link as
>>>up, but when it really works it gives you this message: 1d01h:
>>>%OSPF-5-ADJCHG: Process 10, Nbr 200.0.0.7 on OSPF_VL0 from LOADING to FULL,
>>>Loading Done
>>>
>>>Albert
>>>
>>>-----Original Message-----
>>>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>>>Bill Reilly
>>>Sent: Wednesday, November 21, 2001 9:11 AM
>>>To: Albert Lu
>>>Cc: ccielab@groupstudy.com
>>>Subject: Re: Virtual Link Auth Again
>>>
>>>
>>>Albert,
>>>
>>>The config below worked. Because the remote router has to authenticate
>>>through area 10 I did not need the area 0 auth message-digest there.
>>>However I did need in my Area 0 router to authenticate.
>>>
>>>Bill
>>>
>>>Albert Lu wrote:
>>>
>>>>Bill,
>>>>
>>>>I think you need 'area 0 authentication message-digest' for the virtual link
>>>>to be doing authentication, since the virtual link is like a link into area 0.
>>>>
>>>>Albert
>>>>
>>>>-----Original Message-----
>>>>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>>>>Bill Reilly
>>>>Sent: Monday, November 12, 2001 11:56 AM
>>>>To: Steve O'Ney; ccielab@groupstudy.com
>>>>Subject: Re: Virtual Link Auth Again
>>>>
>>>>
>>>>Sure.
>>>>
>>>>Here is my area 0 router:
>>>>
>>>>The VL is coming in over the e0 interface, but because I am only trying to
>>>>authenticate the VL router I do not put any authentication information
>>>>there, it is under the ospf process.
>>>>
>>>>!
>>>>interface Ethernet0
>>>>ip address 10.0.1.1 255.255.255.0
>>>>ip ospf priority 100
>>>>no keepalive
>>>>!
>>>>interface Serial0
>>>>ip address 130.10.1.1 255.255.255.0
>>>>encapsulation frame-relay
>>>>ip ospf message-digest-key 1 md5 cisco
>>>>ip ospf priority 100
>>>>!
>>>>router ospf 64733
>>>>network 10.0.1.0 0.0.0.255 area 10
>>>>network 130.10.1.0 0.0.0.255 area 0
>>>>network 1.1.1.0 0.0.0.255 area 1
>>>>neighbor 130.10.1.6 priority 4
>>>>neighbor 130.10.1.5 priority 2
>>>>area 0 authentication message-digest
>>>>area 10 virtual-link 5.5.5.5 message-digest-key 1 md5 cisco
>>>>
>>>>Here is my remote router:
>>>>
>>>>interface Ethernet0/0
>>>>ip address 10.0.1.22 255.255.255.0
>>>>full-duplex
>>>>service-policy output QoS-Policy
>>>>!
>>>>interface Serial1/0
>>>>ip address 50.40.1.1 255.255.255.252
>>>>no ip mroute-cache
>>>>clockrate 128000
>>>>!
>>>>router ospf 64733
>>>>log-adjacency-changes
>>>>area 5 virtual-link 4.4.4.4
>>>>area 10 virtual-link 1.1.1.1 authentication message-digest
>>>>area 10 virtual-link 1.1.1.1 message-digest-key 1 md5 cisco
>>>>network 10.0.1.0 0.0.0.255 area 10
>>>>network 50.40.1.0 0.0.0.255 area 5
>>>>
>>>>Bill
>>>>
>>>>Steve O'Ney wrote:
>>>>
>>>>>Bill,
>>>>>
>>>>>Could I get a sample config from your router?
>>>>>
>>>>>Thanks
>>>>>
>>>>>Steve
>>>>>
>>>>>----- Original Message -----
>>>>>From: "Bill Reilly" <william.j.reilly@verizon.net>
>>>>>To: "Steve O'Ney" <soney@proaptiv.com>; <ccielab@groupstudy.com>
>>>>>Sent: Sunday, November 11, 2001 5:16 PM
>>>>>Subject: Re: Virtual Link Auth Again
>>>>>
>>>>>>Steve,
>>>>>>
>>>>>>When you use the command listed below, you set up plain text authentication on
>>>>>>both routers. This is the type 1 part of the message in the clip I sent.
>>>>>>I was able to get this working, then changed my authentication type to
>>>>>>message-digest with md5. Once I set my area 0 auth to message-digest and set up
>>>>>>my keys on both my area 0 router and my remote router everything came up.
>>>>
>>>>>>Thanks,
>>>>>>Bill
>>>>>>
>>>>>>Steve O'Ney wrote:
>>>>>>
>>>>>>>Bill,
>>>>>>>
>>>>>>>I have knocked my head against the wall on several occasions over this and I
>>>>>>>have found a fix, type this command on both ends of your virtual link. I
>>>>>>>can't say why this works because I don't have a clue, I can't find it
>>>>>>>anywhere but this is what worked for me:
>>>>>>>
>>>>>>>area [#] virtual-link X.X.X.X authentication
>>>>>>>
>>>>>>>don't ask me why but it works.
>>>>>>>
>>>>>>>Steve
>>>>>>>
>>>>>>>----- Original Message -----
>>>>>>>From: "Bill Reilly" <william.j.reilly@verizon.net>
>>>>>>>To: <ccielab@groupstudy.com>
>>>>>>>Sent: Sunday, November 11, 2001 11:36 AM
>>>>>>>Subject: Virtual Link Auth Again
>>>>>>>
>>>>>>>>I have been working on some VL labs with and without different types of
>>>>>>>>authentication. Now the first issue I have is some of my routers are
>>>>>>>>running 11.2 and some are running 12.1. I suspect my issue resides in
>>>>>>>>the differences in IOS, but what I am seeing is when I try to use
>>>>>>>>message-digest I am not able to authenticate my VL.
>>>>>>>>
>>>>>>>>My debug output on both routers states "Rcv pkt from 10.0.1.22,
>>>>>>>>Ethernet0 : Mismatch Authentication type. Input packet specified type 0, we
>>>>>>>>use type 1"
>>>>>>>>
>>>>>>>>Any help would be appreciated.
>>>>>>>>
>>>>>>>>Bill
>>>>>>>>
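
The two methods compared in this thread, worked through as an added example that is not part of the original messages: it resolves the OSPF authentication type each end of a virtual link would use and reports a mismatch in the shape of the debug line quoted above. It assumes an IOS release that accepts the per-link `authentication` keyword and that a virtual link otherwise inherits the area 0 type; the function names and the `REMOTE_CCO` variant are constructed for illustration.

```python
# Added example: models how the OSPF AuType for a virtual link is resolved.
# AuType values per RFC 2328: 0 = null, 1 = simple password, 2 = cryptographic (MD5).

def vlink_auth_types(config):
    """Map (transit_area, peer_router_id) -> effective AuType for each virtual link."""
    area0_type = 0   # set by 'area 0 authentication [message-digest]'
    links = {}       # per-link override, or None when the link inherits from area 0
    for line in config.splitlines():
        w = line.split()
        if w[:3] == ["area", "0", "authentication"]:
            area0_type = 2 if w[3:4] == ["message-digest"] else 1
        elif len(w) >= 4 and w[0] == "area" and w[2] == "virtual-link":
            key = (w[1], w[3])
            links.setdefault(key, None)
            if w[4:5] == ["authentication"]:   # bare keyword means simple password
                links[key] = {"message-digest": 2, "null": 0}.get("".join(w[5:6]), 1)
    return {k: area0_type if v is None else v for k, v in links.items()}

def check(local_type, peer_type):
    """Return None if both ends agree, else text shaped like the thread's debug line."""
    if local_type == peer_type:
        return None
    return ("Mismatch Authentication type. Input packet specified type %d, we use type %d"
            % (peer_type, local_type))

# 'router ospf' lines copied from the two configs posted in the thread.
AREA0_ROUTER = """
router ospf 64733
 area 0 authentication message-digest
 area 10 virtual-link 5.5.5.5 message-digest-key 1 md5 cisco
"""
REMOTE_ROUTER = """
router ospf 64733
 area 5 virtual-link 4.4.4.4
 area 10 virtual-link 1.1.1.1 authentication message-digest
 area 10 virtual-link 1.1.1.1 message-digest-key 1 md5 cisco
"""
# Constructed variant: the area-wide statement instead of the per-link keyword.
REMOTE_CCO = """
router ospf 64733
 area 0 authentication message-digest
 area 10 virtual-link 1.1.1.1 message-digest-key 1 md5 cisco
"""

if __name__ == "__main__":
    hub = vlink_auth_types(AREA0_ROUTER)[("10", "5.5.5.5")]
    for name, cfg in (("per-link", REMOTE_ROUTER), ("area 0", REMOTE_CCO)):
        spoke = vlink_auth_types(cfg)[("10", "1.1.1.1")]
        print(name, hub, spoke, check(hub, spoke))
```

Under this model the `area 5 virtual-link 4.4.4.4` entry in the posted remote config resolves to AuType 0, so that link carries no authentication.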
This archive was generated by hypermail 2.1.4 : Fri Jun 21 2002 - 06:45:20 GMT-3