2-20 area transit-area-id virtual-link router-id message-digest-key key-id md5 password

Syntax Description:

  • transit-area-id - The OSPF area ID of the area connecting the two ABRs that the virtual link will cross. This value can be entered as a decimal number in the range of 0 to 4,294,967,295 or in IP address form in the range 0.0.0.0 to 255.255.255.255. The transit area cannot be a stub area.

  • router-id - OSPF router ID of the router at the remote end of the virtual link.

  • key-id - Identifier for the key, carried in the OSPF packet header so that the receiver knows which configured password to use when checking the digest. The range of values is 1 to 255. Both ends of a virtual link must use the same key ID and password. The password is not encrypted by the key ID; it is the shared secret fed into the MD5 digest.

  • password - Password to be used for authentication over the virtual link. The password is an alphanumeric string of up to 16 characters (the MD5 authentication key defined in RFC 2328, Appendix D, is 16 bytes).

Purpose: If message digest authentication is enabled in Area 0, then all virtual links need to be configured with the same authentication type, because a virtual link is treated as an interface in Area 0. This command is used to configure message digest authentication over a virtual link. In Cisco IOS Software Release 12.0 and later, virtual link authentication can be configured independent of Area 0 (see Section 2-15). Message digest authentication provides integrity and origin authentication for OSPF packets only; the packets are not encrypted, and the password is stored in the router configuration, so protect the configuration accordingly.

Initial Cisco IOS Software Release: 11.0

Configuration Example 1: Message Digest Authentication Over a Virtual Link

In Figure 2-20, message authentication has been enabled for Area 0. Initially, authentication is not enabled over the virtual link so you can see the effect of enabling authentication in Area 0 but not over the virtual link.

Figure 2-20. Prior to Cisco IOS Software Release 12.0, if Message Digest Authentication Is Enabled in Area 0 Then Message Digest Authentication Must Be Enabled Over the Virtual Link


    Router A

    interface Loopback0
     ip address 1.1.1.1 255.255.255.255
    !
    interface Serial0/1
     ip address 10.1.1.1 255.255.255.252
     ip ospf message-digest-key 1 md5 cisco
     clockrate 64000
    !
    router ospf 1
     area 0 authentication message-digest
     network 10.1.1.0 0.0.0.3 area 0
     network 1.1.1.1 0.0.0.0 area 0

    _______________________________________________________________________

    Router B

    interface Loopback0
     ip address 2.2.2.2 255.255.255.255
    !
    interface Serial0
     ip address 10.1.1.2 255.255.255.252
     ip ospf message-digest-key 1 md5 cisco
    !
    interface Serial1
     ip address 10.1.1.5 255.255.255.252
     clockrate 64000
    !
    router ospf 1
     area 0 authentication message-digest
     area 1 virtual-link 3.3.3.3
     network 10.1.1.0 0.0.0.3 area 0
     network 2.2.2.2 0.0.0.0 area 0
     network 10.1.1.4 0.0.0.3 area 1

    _______________________________________________________________________

    Router C

    interface Loopback0
     ip address 3.3.3.3 255.255.255.255
    !
    interface Serial0
     ip address 10.1.1.6 255.255.255.252
    !
    router ospf 1
     area 1 virtual-link 2.2.2.2
     network 3.3.3.3 0.0.0.0 area 2
     network 10.1.1.4 0.0.0.3 area 1

Verify that authentication has been enabled for Area 0.

    rtrA# show ip ospf
    Routing Process "ospf 1" with ID 1.1.1.1
    Supports only single TOS(TOS0) routes
    SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
    Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
    Number of external LSA 0. Checksum Sum 0x0
    Number of DCbitless external LSA 0
    Number of DoNotAge external LSA 0
    Number of areas in this router is 1. 1 normal 0 stub 0 nssa
        Area BACKBONE(0)
            Number of interfaces in this area is 2
            Area has message digest authentication
            SPF algorithm executed 8 times
            Area ranges are
            Number of LSA 6. Checksum Sum 0x4AC3C
            Number of DCbitless LSA 0
            Number of indication LSA 0
            Number of DoNotAge LSA 3

    _______________________________________________________________________

    rtrB# show ip ospf
    Routing Process "ospf 1" with ID 2.2.2.2
    Supports only single TOS(TOS0) routes
    It is an area border router
    SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
    Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
    Number of external LSA 0. Checksum Sum 0x0
    Number of DCbitless external LSA 0
    Number of DoNotAge external LSA 0
    Number of areas in this router is 2. 2 normal 0 stub 0 nssa
        Area BACKBONE(0)
            Number of interfaces in this area is 3
            Area has message digest authentication
            SPF algorithm executed 14 times
            Area ranges are
            Number of LSA 6. Checksum Sum 0x4AC3C
            Number of DCbitless LSA 0
            Number of indication LSA 0
            Number of DoNotAge LSA 3
        Area 1
            Number of interfaces in this area is 1
            Area has no authentication
            SPF algorithm executed 4 times
            Area ranges are
            Number of LSA 8. Checksum Sum 0x4AED7
            Number of DCbitless LSA 0
            Number of indication LSA 0
            Number of DoNotAge LSA 0

When authentication is enabled in Area 0, that authentication type is applied to all interfaces in Area 0, including virtual links. OSPF packets from neighbors in Area 0 are rejected if the authentication type and password do not match. Because a virtual link is considered to be in Area 0, and Router C has not yet been configured for authentication, the packets passing over the virtual link are rejected. This can be verified by examining the IP routing table on Router B.

    rtrB# show ip route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
           U - per-user static route, o - ODR

    Gateway of last resort is not set

         1.0.0.0/32 is subnetted, 1 subnets
    O       1.1.1.1 [110/65] via 10.1.1.1, 00:06:34, Serial0
         2.0.0.0/32 is subnetted, 1 subnets
    C       2.2.2.2 is directly connected, Loopback0
         10.0.0.0/30 is subnetted, 2 subnets
    C       10.1.1.0 is directly connected, Serial0
    C       10.1.1.4 is directly connected, Serial1

Router B has learned the routes being advertised by Router A, but not the routes advertised by Router C. You must enable message digest authentication on the virtual link so that routing updates can be exchanged between Routers B and C. You can also use a different authentication type on the virtual link using command 2-14, 2-15, or 2-16. In this case, you will configure the same authentication type that is being used in Area 0. Change the key and password used over the virtual link to demonstrate that the keys and passwords for different interfaces do not need to be the same. Remember that the key and password for a common link must be the same at both ends of the link. Modify the configurations on Routers B and C to enable message digest authentication over the virtual link using a key of 2 and the password bosco.

    Router B

    router ospf 1
     area 0 authentication message-digest
     area 1 virtual-link 3.3.3.3 message-digest-key 2 md5 bosco
     network 2.2.2.2 0.0.0.0 area 0
     network 10.1.1.0 0.0.0.3 area 0
     network 10.1.1.4 0.0.0.3 area 1

    _______________________________________________________________________

    Router C

    router ospf 1
     area 0 authentication message-digest
     area 1 virtual-link 2.2.2.2 message-digest-key 2 md5 bosco
     network 3.3.3.3 0.0.0.0 area 2
     network 10.1.1.4 0.0.0.3 area 1

Notice that the command area 0 authentication message-digest was used on Router C because the virtual link is in Area 0.

Verification

Verify that message digest authentication has been enabled over the virtual link.

    rtrC# show ip ospf virtual-links
    Virtual Link OSPF_VL7 to router 2.2.2.2 is up
      Run as demand circuit
      DoNotAge LSA allowed.
      Transit area 1, via interface Serial0, Cost of using 64
      Transmit Delay is 1 sec, State POINT_TO_POINT,
      Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
        Hello due in 00:00:06
        Adjacency State FULL (Hello suppressed)
      Message digest authentication enabled
        Youngest key id is 2

Verify that all OSPF routes are now being exchanged.

    rtrA# show ip route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
           U - per-user static route, o - ODR

    Gateway of last resort is not set

         1.0.0.0/32 is subnetted, 1 subnets
    C       1.1.1.1 is directly connected, Loopback0
         2.0.0.0/32 is subnetted, 1 subnets
    O       2.2.2.2 [110/65] via 10.1.1.2, 00:09:04, Serial0/1
         3.0.0.0/32 is subnetted, 1 subnets
    O IA    3.3.3.3 [110/129] via 10.1.1.2, 00:09:04, Serial0/1
         10.0.0.0/30 is subnetted, 2 subnets
    C       10.1.1.0 is directly connected, Serial0/1
    O IA    10.1.1.4 [110/128] via 10.1.1.2, 00:09:04, Serial0/1

    _______________________________________________________________________

    rtrB# show ip route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
           U - per-user static route, o - ODR

    Gateway of last resort is not set

         1.0.0.0/32 is subnetted, 1 subnets
    O       1.1.1.1 [110/65] via 10.1.1.1, 00:10:19, Serial0
         2.0.0.0/32 is subnetted, 1 subnets
    C       2.2.2.2 is directly connected, Loopback0
         3.0.0.0/32 is subnetted, 1 subnets
    O IA    3.3.3.3 [110/65] via 10.1.1.6, 00:10:20, Serial1
         10.0.0.0/30 is subnetted, 2 subnets
    C       10.1.1.0 is directly connected, Serial0
    C       10.1.1.4 is directly connected, Serial1

    _______________________________________________________________________

    rtrC# show ip route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
           U - per-user static route, o - ODR

    Gateway of last resort is not set

         1.0.0.0/32 is subnetted, 1 subnets
    O       1.1.1.1 [110/129] via 10.1.1.5, 00:11:10, Serial0
         2.0.0.0/32 is subnetted, 1 subnets
    O       2.2.2.2 [110/65] via 10.1.1.5, 00:11:11, Serial0
         3.0.0.0/24 is subnetted, 1 subnets
    C       3.3.3.0 is directly connected, Loopback0
         10.0.0.0/30 is subnetted, 2 subnets
    O       10.1.1.0 [110/128] via 10.1.1.5, 00:11:11, Serial0
    C       10.1.1.4 is directly connected, Serial0

Configuration Example 2: Changing Keys and Passwords

For additional security you may choose to periodically change the key and password. With clear-text authentication, when you change passwords there will be a loss of OSPF connectivity from the time you change the password on one end of the virtual link until you change the password at the other end of the virtual link. With MD5 authentication you can configure a new key and password on a virtual link while leaving the old key and password in place. The old key and password will continue to be used until the new key and password are configured on the other end of the virtual link. Modify the key and password on the virtual link between Routers B and C. First, add a new key and password to Router B in order to observe the behavior when the new key and password have only been configured on one end of the virtual link.
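The following Python model is an added example, not code from the handbook or from Cisco IOS. It shows the mechanism behind two passages on this page: the key-id/password description in the Syntax Description (the receiver selects a password by the Key ID carried in the OSPF header and checks an MD5 digest computed over the packet plus the 16-byte key, per RFC 2328, Appendix D) and the rollover behaviour described above (the sender transmits a copy of each packet under every configured key until the neighbor has the new one). Zero-padding of passwords shorter than 16 bytes, the constructed Hello body, and the sending of one copy per key are assumptions made for the illustration.

```python
"""OSPFv2 cryptographic authentication (RFC 2328, Appendix D) with
key-id lookup and multi-key rollover. Constructed example, not IOS code."""
import hashlib
import struct

OSPF_VERSION = 2
TYPE_HELLO = 1
AU_TYPE_CRYPTO = 2
HEADER_LEN = 24
KEY_LEN = 16      # the MD5 authentication key is 16 octets (RFC 2328 D.3)
DIGEST_LEN = 16


def pad_key(password: bytes) -> bytes:
    """Assumption: passwords shorter than 16 bytes are zero-padded."""
    if len(password) > KEY_LEN:
        raise ValueError("MD5 key longer than 16 bytes")
    return password.ljust(KEY_LEN, b"\x00")


def ip_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def digest(packet: bytes, password: bytes) -> bytes:
    # MD5 over the OSPF packet followed by the 16-byte key.
    return hashlib.md5(packet + pad_key(password)).digest()


def sign_packet(body, router_id, area_id, key_id, password, seq):
    """Build a Hello with AuType 2 and append its MD5 digest."""
    length = HEADER_LEN + len(body)         # digest not counted in length
    # Checksum is zero under cryptographic authentication; the 64-bit
    # authentication field carries 0x0000, Key ID, Auth Data Length, seq.
    header = struct.pack("!BBH4s4sHHHBBI", OSPF_VERSION, TYPE_HELLO, length,
                         ip_bytes(router_id), ip_bytes(area_id), 0,
                         AU_TYPE_CRYPTO, 0, key_id, DIGEST_LEN, seq)
    packet = header + body
    return packet + digest(packet, password)


class Neighbor:
    """Receiving side: a key ring indexed by Key ID plus replay state."""

    def __init__(self, keys):
        self.keys = dict(keys)
        self.last_seq = -1

    def verify(self, frame):
        length = struct.unpack_from("!H", frame, 2)[0]
        packet, tag = frame[:length], frame[length:length + DIGEST_LEN]
        autype, _, key_id, auth_len, seq = struct.unpack_from("!HHBBI", packet, 14)
        if autype != AU_TYPE_CRYPTO or auth_len != DIGEST_LEN:
            return False, "authentication type mismatch"
        if key_id not in self.keys:
            return False, f"unknown key id {key_id}"
        if seq < self.last_seq:
            return False, "replayed sequence number"
        if digest(packet, self.keys[key_id]) != tag:
            return False, f"digest mismatch for key id {key_id}"
        self.last_seq = seq
        return True, f"accepted with key id {key_id}"


def send_with_rollover(keys, body, router_id, area_id, seq):
    """Rollover in progress: one copy of the packet per configured key,
    youngest (most recently added) key last. Modelled on IOS behaviour."""
    return [sign_packet(body, router_id, area_id, kid, pw, seq)
            for kid, pw in keys]


def rollover_demo():
    hello = b"\xff\xff\xff\xfc" + b"\x00" * 16   # constructed Hello body
    vl = ("2.2.2.2", "0.0.0.0")       # virtual links belong to Area 0
    rtr_c = Neighbor({2: b"bosco"})
    out = {}
    # Router B has added key 3; Router C only knows key 2.
    step1 = send_with_rollover([(2, b"bosco"), (3, b"newton")], hello, *vl, 1)
    out["b_only"] = [rtr_c.verify(f)[1] for f in step1]
    # Router C adds key 3; both keys now authenticate.
    rtr_c.keys[3] = b"newton"
    step2 = send_with_rollover([(2, b"bosco"), (3, b"newton")], hello, *vl, 2)
    out["both"] = [rtr_c.verify(f)[1] for f in step2]
    # Old key removed at Router C; a stale key-2 packet is dropped.
    del rtr_c.keys[2]
    out["old_key"] = rtr_c.verify(sign_packet(hello, *vl, 2, b"bosco", 3))[1]
    # Same key id, wrong password: the digest does not match.
    out["wrong_pw"] = rtr_c.verify(sign_packet(hello, *vl, 3, b"newtom", 4))[1]
    out["new_key"] = rtr_c.verify(sign_packet(hello, *vl, 3, b"newton", 5))[1]
    # Replaying an earlier (lower sequence number) packet is rejected.
    out["replay"] = rtr_c.verify(step2[1])[1]
    return out


if __name__ == "__main__":
    for name, result in rollover_demo().items():
        print(f"{name}: {result}")
```

The first step reproduces the situation after only Router B has key 3: the copy under key 3 is unknown to Router C and is dropped, but the copy under key 2 still verifies, so the adjacency stays up. That is why the virtual link survives a rollover under MD5 but not under clear-text authentication, where there is only one password and no Key ID to select by. The sequence number check is what stops a captured packet from being replayed after the key ring has changed.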

    Router B

    router ospf 1
     area 0 authentication message-digest
     area 1 virtual-link 3.3.3.3 message-digest-key 2 md5 bosco
     area 1 virtual-link 3.3.3.3 message-digest-key 3 md5 newton
     network 2.2.2.2 0.0.0.0 area 0
     network 10.1.1.0 0.0.0.3 area 0
     network 10.1.1.4 0.0.0.3 area 1

Examine the effect of adding a new key and password on only one end of the virtual link.

    rtrB# show ip ospf virtual-links
    Virtual Link OSPF_VL1 to router 3.3.3.3 is up
      Run as demand circuit
      DoNotAge LSA allowed.
      Transit area 1, via interface Serial1, Cost of using 64
      Transmit Delay is 1 sec, State POINT_TO_POINT,
      Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
        Hello due in 00:00:03
        Adjacency State FULL (Hello suppressed)
      Message digest authentication enabled
        Youngest key id is 3
        Rollover in progress, 1 neighbor(s) using the old key(s):
        key id 2

Notice that both keys are in use and the virtual link stays up: Router B now treats key 3 as the youngest key, but while the rollover is in progress it continues to send packets authenticated with key 2, which is the only key Router C can still verify. Configure the new key and password on Router C while leaving the old key and password in place.

    Router C

    router ospf 1
     area 0 authentication message-digest
     area 1 virtual-link 2.2.2.2 message-digest-key 2 md5 bosco
     area 1 virtual-link 2.2.2.2 message-digest-key 3 md5 newton
     network 3.3.3.3 0.0.0.0 area 2
     network 10.1.1.4 0.0.0.3 area 1

Verify that Router C is now using the new key and password.

    rtrC# show ip ospf virtual-links
    Virtual Link OSPF_VL7 to router 2.2.2.2 is up
      Run as demand circuit
      DoNotAge LSA allowed.
      Transit area 1, via interface Serial0, Cost of using 64
      Transmit Delay is 1 sec, State POINT_TO_POINT,
      Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
        Hello due in 00:00:04
        Adjacency State FULL (Hello suppressed)
      Message digest authentication enabled
        Youngest key id is 3
        Rollover in progress, 1 neighbor(s) using the old key(s):
        key id 2

You can now remove the old key and password from Routers B and C.

    Router B

    router ospf 1
     no area 1 virtual-link 3.3.3.3 message-digest-key 2

    _______________________________________________________________________

    Router C

    router ospf 1
     no area 1 virtual-link 2.2.2.2 message-digest-key 2

Verification

Verify that only the new key and password are being used over the virtual link.

    rtrB# show ip ospf virtual-links
    Virtual Link OSPF_VL0 to router 3.3.3.3 is up
      Run as demand circuit
      DoNotAge LSA allowed.
      Transit area 1, via interface Serial1, Cost of using 64
      Transmit Delay is 1 sec, State POINT_TO_POINT,
      Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
        Hello due in 00:00:01
        Adjacency State INIT (Hello suppressed)
      Message digest authentication enabled
        Youngest key id is 3

Troubleshooting

Step 1. Verify that there is a neighbor relationship between the OSPF routers using the show ip ospf neighbor command.

Step 2. Verify that the transit area ID used in the area virtual-link command is the proper area.

Step 3. Verify that the router IDs used in the area virtual-link are correct.

Step 4. Verify that the same key ID and password are being used on each side of the virtual link. The show ip ospf virtual-links command reports the authentication type and the youngest key ID at each end, and debug ip ospf adj reports a mismatched authentication type or key when incoming packets are rejected.

Cisco[r] OSPF Command and Configuration Handbook
ISBN: 1587055406
Year: 2002
Pages: 236