EIGRP Authentication per Neighbor

This topic is to discuss the following lesson:

Great tutorial… Never read about this virtual-template before… will practice today… thanks Rene.

Nice work indeed… but doesn’t this break the CCIE lab requirements of not creating new interfaces unless explicitly requested? Or am I missing something here?

Thanks Mr. René Molenaar :)
But what if we use a sub-interface on R1? Do we still need the virtual-template commands?

Thanks a lot for your effort.

Hi Mohammed,

If you use sub-interface then this doesn’t apply because you can activate EIGRP authentication per (sub)interface. This “trick” is only a fun method to use when you are not allowed to use sub-interfaces…something you could see in a CCIE lab exam.

Rene

2 Likes

Hi Rene,

I have two questions:
1 - You configure the same IP address on both virtual-template interfaces and you do not have any overlaps with the two virtual-template interfaces, so how did this happen?
2 - Does OSPF support authentication per neighbor?

Thanks,

Another question comes to my mind:
If we have several routers connected to an Ethernet switch (multi-access network), all the routers will become neighbors with each other, so we have more than one neighbor on the same physical interface, right? My question is:
Can we use per-neighbor authentication in an Ethernet network?

Hi Hussein,

That’s right, the virtual template is like a template, it’s not a (virtual) interface so it’s possible.

I haven’t tried this with OSPF, it might work since the OSPF key is configured on the interface. Keep in mind this is just a crazy trick to get around a possible requirement that you could face on a CCIE lab :)

Rene

1 Like

Hi Hussein,

That’s right, if your routers are on the same multi access segment then they will become neighbors if you use the same key. Routing protocols like RIP, OSPF or EIGRP don’t support any per-neighbor authentication (except for this crazy trick). BGP is one of the routing protocols that does support authentication per neighbor.

Rene

1 Like

Do you mean we can use this trick in an Ethernet network? If yes, how can we use the "frame-relay interface-dlci DLCINUMBER ppp Virtual-Template NUMBER" command on Fast Ethernet or Gigabit Ethernet interfaces, since frame-relay commands are used only on serial interfaces?

Hi Hussein,

Maybe if you would use sub-interfaces on an Ethernet interface and try to apply the virtual templates there but I think it won’t accept it.

Rene

1 Like

Hi Rene,

Thanks …Perfect explanation.

Adil

Hi Rene,

So virtual-template only applies to PPP links?

Rgds,

Shannon

Shannon,
I believe you are correct. The applications of Virtual Templates that I can think of are PPP related.

1 Like

Hi Andrew,

Thank you for confirming!

Rgds,

Shannon

Maybe this whole lesson needs to be taken down.
No more frame relay on exam and I can’t see why they would ask this for DMVPN.
Besides I can’t think of how to do this on DMVPN :)

Hello Rene
Hello NetworkLessons Team
I also tried the same topic today with Ethernet interfaces, but I didn’t understand why R3 will not form any EIGRP neighborship.

-R1
key chain key1
 key 1
  key-string R1-R2

key chain key2
 key 1
  key-string R1-R3

interface Ethernet0/2
 ip address 192.168.123.1 255.255.255.0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 key1

router eigrp 1
 network 192.168.123.0

-R2
key chain key1
 key 1
  key-string R1-R2

interface Ethernet0/0
 ip address 192.168.123.2 255.255.255.0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 key1

router eigrp 1
 network 192.168.123.0

-R3
key chain key2
 key 1
  key-string R1-R3

interface Ethernet0/1
 ip address 192.168.123.3 255.255.255.0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 key2

router eigrp 1
 network 192.168.123.0

Thanks also to this Fantastic learning Platform!

Mauri

Hello Maurizio

In this lesson, we have a hub and spoke frame relay topology. Both R2 and R3 must become EIGRP neighbors with R1. These neighbor adjacencies will both be made via the S0/0 interface of R1. If there is no authentication, then we’re OK. But if there is authentication, then we have a problem, the problem you are facing.

Because the authentication key is assigned to the interface, you can only have one authentication key. So you have assigned key1 to the interface on R1. This means that only R2 will be able to authenticate. R3 is using key2 while you have only configured key1 on R1.

In order to get around this, and to be able to assign both key chains to the single interface, you must use what are known as virtual templates. A virtual template is an entity you can create that contains a set of predefined configurations for interfaces. You can then assign one or more virtual templates to an interface.

In this case, you can create two virtual interfaces, assign each one a particular keychain, bind the virtual template to a particular DLCI, and assign them to the Serial 0/0 interface (in your case the Ethernet 0/2 interface).

For more information, take a look at the specific configuration in the lesson.

I hope this has been helpful!

Laz

1 Like
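Added example (not part of the thread and not NetworkLessons code): a small Python check that rebuilds the three configurations posted above and reports which routers on the same subnet end up with different key-strings on their interfaces. The names `CONFIGS`, `chain`, `parse` and `audit` are hypothetical, and it assumes one key per key chain, as in the post.

```python
import ipaddress
from itertools import combinations

# Constructed from the configs posted in the thread (router eigrp stanza omitted).
IFACE = """interface Ethernet0/{n}
 ip address 192.168.123.{h} 255.255.255.0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 {kc}
"""
def chain(name, secret):
    return f"key chain {name}\n key 1\n  key-string {secret}\n"
CONFIGS = {
    "R1": chain("key1", "R1-R2") + chain("key2", "R1-R3") + IFACE.format(n=2, h=1, kc="key1"),
    "R2": chain("key1", "R1-R2") + IFACE.format(n=0, h=2, kc="key1"),
    "R3": chain("key2", "R1-R3") + IFACE.format(n=1, h=3, kc="key2"),
}

def parse(text):
    """Return ({chain name: key-string}, [interface dicts]) for one router."""
    chains, ifaces, ctx = {}, [], None
    for line in text.splitlines():
        words = line.split()
        if line.startswith("key chain "):
            ctx = ("chain", words[2])
        elif line.startswith("interface "):
            ctx = ("iface", words[1])
            ifaces.append({"name": words[1], "net": None, "chain": None})
        elif ctx and ctx[0] == "chain" and words[:1] == ["key-string"]:
            chains[ctx[1]] = words[1]
        elif ctx and ctx[0] == "iface" and words[:2] == ["ip", "address"]:
            ifaces[-1]["net"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
        elif ctx and ctx[0] == "iface" and words[:3] == ["ip", "authentication", "key-chain"]:
            ifaces[-1]["chain"] = words[-1]
    return chains, ifaces

def audit(configs):
    """List (router_a, router_b, network) pairs whose applied key-strings differ."""
    ends = []
    for router, text in configs.items():
        chains, ifaces = parse(text)
        # Only the chain applied to the interface counts, not every chain defined.
        ends += [(router, i["net"], chains.get(i["chain"])) for i in ifaces if i["net"]]
    return [(a[0], b[0], str(a[1])) for a, b in combinations(ends, 2)
            if a[1] == b[1] and a[2] != b[2]]

if __name__ == "__main__":
    for a, b, net in audit(CONFIGS):
        print(f"{a} and {b} on {net}: key mismatch, authentication will fail")
```

R1 defines key2 but applies only key1 to Ethernet0/2, so the check flags R1/R3 (and R2/R3) even though the matching key chain exists on R1.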

Hello,

As mentioned in a previous reply about DMVPN… (I know, years ago). But can Virtual-Templates be implemented to work with DMVPN? I’ve tried to do a little bit of googling but I’ve not found any real example out there. I don’t need an entire lesson, but is this worth trying with DMVPN? Thanks!
Cordially,
Ronnie

Hello Ronald

I went in and tried labbing this one up to see if I could create virtual templates to be used in this manner, but there’s no way to apply them on the tunnel interface for each spoke. Although EIGRP authentication can be and is implemented over DMVPN topologies, it is not applied on a per spoke basis but using the same key for all EIGRP neighbors. I tried labbing up the latter and it worked fine.

I hope this has been helpful!

Laz

1 Like