2-17 area transit-area-id virtual-link router-id authentication-key password

Syntax Description:

  • transit-area-id: The OSPF area ID of the area connecting the two ABRs that the virtual link will cross. This value can be entered as a decimal number in the range of 0 to 4,294,967,295 or in IP address form in the range 0.0.0.0 to 255.255.255.255. The transit area cannot be a stub area.

  • router-id: OSPF router ID of the router at the remote end of the virtual link.

  • password: Password to be used for authentication in the selected area on the selected interface or virtual link. The password is an alphanumeric string from 1 to 8 characters.

Purpose: If simple password authentication is enabled in Area 0, then all virtual links need to be configured with the same authentication type. This command is used to configure simple password authentication over a virtual link. In Cisco IOS Software Release 12.0 and later, virtual link authentication can be configured independently of Area 0 (see Section 2-14).

Initial Cisco IOS Software Release: 10.0

Configuration Example 1: Simple Password Authentication Over a Virtual Link

In Figure 2-17, simple password authentication has been enabled for Area 0. Initially, authentication is not enabled over the virtual link so you can see the effect of enabling authentication in Area 0 but not over the virtual link.

Figure 2-17. Prior to Cisco IOS Software Release 12.0, if Authentication Is Enabled in Area 0 Then the Same Authentication Must Be Enabled Over the Virtual Link


Router A

interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Serial0/1
 ip address 10.1.1.1 255.255.255.252
 ip ospf authentication-key cisco
 clockrate 64000
!
router ospf 1
 area 0 authentication
 network 10.1.1.0 0.0.0.3 area 0
 network 1.1.1.1 0.0.0.0 area 0

_______________________________________________________________________



Router B

interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Serial0
 ip address 10.1.1.2 255.255.255.252
 ip ospf authentication-key cisco
!
interface Serial1
 ip address 10.1.1.5 255.255.255.252
 clockrate 64000
!
router ospf 1
 area 0 authentication
 area 1 virtual-link 3.3.3.3
 network 10.1.1.0 0.0.0.3 area 0
 network 2.2.2.2 0.0.0.0 area 0
 network 10.1.1.4 0.0.0.3 area 1

_______________________________________________________________________



Router C

interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Serial0
 ip address 10.1.1.6 255.255.255.252
!
router ospf 1
 area 1 virtual-link 2.2.2.2
 network 3.3.3.3 0.0.0.0 area 2
 network 10.1.1.4 0.0.0.3 area 1

Verify that authentication has been enabled for Area 0.

rtrA#show ip ospf
Routing Process "ospf 1" with ID 1.1.1.1
 Supports only single TOS(TOS0) routes
 SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
 Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
 Number of external LSA 0. Checksum Sum 0x0
 Number of DCbitless external LSA 0
 Number of DoNotAge external LSA 0
 Number of areas in this router is 1. 1 normal 0 stub 0 nssa
    Area BACKBONE(0)
        Number of interfaces in this area is 2
        Area has simple password authentication
        SPF algorithm executed 2 times
        Area ranges are
        Number of LSA 6. Checksum Sum 0x3B837
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 3

_______________________________________________________________________



rtrB#show ip ospf
Routing Process "ospf 1" with ID 2.2.2.2
 Supports only single TOS(TOS0) routes
 It is an area border router
 SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
 Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
 Number of external LSA 0. Checksum Sum 0x0
 Number of DCbitless external LSA 0
 Number of DoNotAge external LSA 0
 Number of areas in this router is 2. 2 normal 0 stub 0 nssa
    Area BACKBONE(0)
        Number of interfaces in this area is 3
        Area has simple password authentication
        SPF algorithm executed 8 times
        Area ranges are
        Number of LSA 6. Checksum Sum 0x3B837
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 3
    Area 1
        Number of interfaces in this area is 1
        Area has no authentication
        SPF algorithm executed 4 times
        Area ranges are
        Number of LSA 6. Checksum Sum 0x364E1
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0

When authentication is enabled in Area 0, then this authentication type will be applied to all interfaces in Area 0, including virtual links. Any routing updates from neighbors in Area 0 will be rejected if the authentication type and password do not match. Because a virtual link is considered to be in Area 0, routing updates passing over the virtual link will be rejected. This can be verified by examining the IP routing table on Router B.

rtrB#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 10.1.1.1, 00:06:34, Serial0
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback0
     10.0.0.0/30 is subnetted, 2 subnets
C       10.1.1.0 is directly connected, Serial0
C       10.1.1.4 is directly connected, Serial1

Router B has learned the routes being advertised by Router A but not the routes advertised by Router C. Simple password authentication needs to be enabled on the virtual link so that routing updates can be exchanged between routers B and C. You can also use a different authentication type on the virtual link using command 2-14, 2-15, or 2-16. In this case, configure the same authentication type that is being used in Area 0. Change the password over the virtual link to demonstrate that the passwords for different interfaces do not need to be the same. Remember that the password for a common link must be the same at both ends of the link. Modify the configurations on Routers B and C to enable simple password authentication over the virtual link using the password bosco.

Router B

router ospf 1
 area 0 authentication
 area 1 virtual-link 3.3.3.3 authentication-key bosco
 network 2.2.2.2 0.0.0.0 area 0
 network 10.1.1.0 0.0.0.3 area 0
 network 10.1.1.4 0.0.0.3 area 1

_______________________________________________________________________



Router C

router ospf 1
 area 0 authentication
 area 1 virtual-link 2.2.2.2 authentication-key bosco
 network 3.3.3.3 0.0.0.0 area 2
 network 10.1.1.4 0.0.0.3 area 1

Notice that the command area 0 authentication was used on Router C because the virtual link is in Area 0.

Verification

Verify that authentication has been enabled over the virtual link.

rtrC#show ip ospf
Routing Process "ospf 1" with ID 3.3.3.3
 Supports only single TOS(TOS0) routes
 It is an area border router
 SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
 Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
 Number of external LSA 0. Checksum Sum 0x0
 Number of DCbitless external LSA 0
 Number of DoNotAge external LSA 0
 Number of areas in this router is 3. 3 normal 0 stub 0 nssa
    Area BACKBONE(0)
        Number of interfaces in this area is 1
        Area has simple password authentication
        SPF algorithm executed 4 times
        Area ranges are
        Number of LSA 6. Checksum Sum 0x3CFAD
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 3
    Area 1
        Number of interfaces in this area is 1
        Area has no authentication
        SPF algorithm executed 22 times
        Area ranges are
        Number of LSA 10. Checksum Sum 0x4ACBB
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
    Area 2
        Number of interfaces in this area is 1
        Area has no authentication
        SPF algorithm executed 18 times
        Area ranges are
        Number of LSA 5. Checksum Sum 0x238E3
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0

Verify that all OSPF routes are now being exchanged.

rtrA#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
     2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/65] via 10.1.1.2, 00:09:04, Serial0/1
     3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/129] via 10.1.1.2, 00:09:04, Serial0/1
     10.0.0.0/30 is subnetted, 2 subnets
C       10.1.1.0 is directly connected, Serial0/1
O IA    10.1.1.4 [110/128] via 10.1.1.2, 00:09:04, Serial0/1

_______________________________________________________________________



rtrB#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 10.1.1.1, 00:10:19, Serial0
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback0
     3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/65] via 10.1.1.6, 00:10:20, Serial1
     10.0.0.0/30 is subnetted, 2 subnets
C       10.1.1.0 is directly connected, Serial0
C       10.1.1.4 is directly connected, Serial1

_______________________________________________________________________



rtrC#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/129] via 10.1.1.5, 00:11:10, Serial0
     2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/65] via 10.1.1.5, 00:11:11, Serial0
     3.0.0.0/24 is subnetted, 1 subnets
C       3.3.3.0 is directly connected, Loopback0
     10.0.0.0/30 is subnetted, 2 subnets
O       10.1.1.0 [110/128] via 10.1.1.5, 00:11:11, Serial0
C       10.1.1.4 is directly connected, Serial0

Troubleshooting

Step 1. Verify that there is a neighbor relationship between the OSPF routers using the show ip ospf neighbor command.

Step 2. Verify that the transit area ID used in the area virtual-link command is correct.

Step 3. Verify that the router IDs used in the area virtual-link command are correct.

Step 4. Verify that the same password is being used on each side of the virtual link.
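
Steps 2 through 4, together with the earlier observation that area 0 authentication must be present on both ends of the virtual link, can be checked offline against saved configurations. The following Python example is added here and is not from the book or from Cisco: the function names and the dictionary keyed by router ID are assumptions, Router B's OSPF section is taken from this page, and Router C's transit area is rewritten in IP address form (constructed) to show that both forms from the Syntax Description compare equal.

```python
import ipaddress
import re

# Constructed input: "router ospf" sections keyed by OSPF router ID. Router B is
# taken from this page; Router C's transit area is rewritten in IP-address form.
ROUTER_B = """router ospf 1
 area 0 authentication
 area 1 virtual-link 3.3.3.3 authentication-key bosco
"""
ROUTER_C = """router ospf 1
 area 0 authentication
 area 0.0.0.1 virtual-link 2.2.2.2 authentication-key bosco
"""

def area_id(text):
    """Normalize an area ID given as a decimal number or in IP address form."""
    return int(ipaddress.IPv4Address(text)) if "." in text else int(text)

def parse(cfg):
    """Return (area 0 simple auth enabled, {remote router ID: (transit area, key)})."""
    auth0 = any(area_id(a) == 0
                for a in re.findall(r"^\s*area (\S+) authentication\s*$", cfg, re.M))
    links = {}
    for area, peer, rest in re.findall(r"^\s*area (\S+) virtual-link (\S+)(.*)$", cfg, re.M):
        key = re.search(r"authentication-key (\S+)", rest)
        links[peer] = (area_id(area), key.group(1) if key else None)
    return auth0, links

def audit_virtual_links(configs):
    """Apply troubleshooting steps 2-4 to each virtual link; return findings."""
    parsed = {rid: parse(cfg) for rid, cfg in configs.items()}
    findings = []
    for rid, (auth0, links) in sorted(parsed.items()):
        for peer, (area, key) in sorted(links.items()):
            back = parsed.get(peer, (False, {}))[1].get(rid)
            if back is None:
                findings.append(f"{rid}: no matching virtual link on {peer} (step 3)")
            elif rid < peer:  # report each pair of routers once
                if area != back[0]:
                    findings.append(f"{rid}-{peer}: transit area mismatch (step 2)")
                if key != back[1]:
                    findings.append(f"{rid}-{peer}: password mismatch (step 4)")
                if auth0 != parsed[peer][0]:
                    findings.append(f"{rid}-{peer}: area 0 authentication on one end only")
    return findings

if __name__ == "__main__":
    print(audit_virtual_links({"2.2.2.2": ROUTER_B, "3.3.3.3": ROUTER_C}) or "consistent")
```

Findings name the routers and the step that failed but never echo the key itself, so the report can be shared without exposing the password.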
