OSPF Virtual Link Authentication Question


(Mike C) #1

Rene, in networklessons.com you state “Enable authentication for area 0: the virtual link belongs to area 0, so you need authentication for the backbone area, not the area that the virtual link goes through.” But in the OSPF Authentication GNS3vault lab on the Gorilla router you don’t enable authentication on area 0, you use the “area 1 virtual-link 2.2.2.2 authentication message-digest” command. I’m a bit confused by this. Since router gorilla is not attached to area 0 this makes sense, but networklessons.com explicitly states to enable authentication for area 0, not the transit area. Does this rule apply to all cases or just the discontiguous area 0 scenario? Thank you.


(Lazaros Agapides) #2

Hello Mike

When you enable authentication over a virtual link in OSPF, there are two parts to the configuration. The first is the enabling of the authentication and the method of authentication. This is always done for the backbone area. What this means configuration-wise is the following command:

area 0 authentication

This command is necessary for enabling the authentication. In the case of using MD5 authentication, the command would be:

area 0 authentication message-digest

Now this enabling is not enough. You are also required to indicate the virtual link, the transit area over which it is connecting, whether or not authentication is used, and the actual authentication key. This is where the following command comes in:

area 1 virtual-link 2.2.2.2 authentication-key NWL

In the case where MD5 is being used, the command would be something like this:

area 1 virtual-link 1.1.1.1 message-digest-key 1 md5 NWL

So the enabling of the authentication is implemented on area 0 with the first command, and the additional parameters are configured using the second command, where the transit area is referenced.

I hope this has been helpful!

Laz


(Mike C) #3

So in the following lab, https://gns3vault.com/ospf/ospf-authentication/, we would only run the area 0 authentication message-digest on router “giraffe” since that’s the only router that has an interface in area 0?


(Lazaros Agapides) #4

Hello Mike

Actually, you would put that command in both the Giraffe and Gorilla routers, even though the Gorilla router doesn’t touch area 0. Take a look at this Cisco documentation that explains the virtual link authentication in an almost identical topology as that in the GNS3Vault example you sent:

I hope this has been helpful!

Laz
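
Added example, not part of the thread or the lab: a Python check over a saved IOS OSPF stanza that reports, for each virtual link, whether authentication is actually enabled (through the area 0 command from post #2 or the per-link keyword quoted in post #1) and whether a matching key is configured. The function name, the sample configs and the finding strings are assumptions, and the check expects a single OSPF process.

```python
import re

VLINK = re.compile(r"^\s*area (\S+) virtual-link (\S+)(.*)$")
AREA0 = re.compile(r"^\s*area (?:0|0\.0\.0\.0) authentication( message-digest)?\s*$")

def audit_virtual_links(config):
    """Map (transit_area, neighbor_router_id) -> finding for one OSPF process."""
    area0_mode, links = None, {}
    for line in config.splitlines():
        m = AREA0.match(line)
        if m:  # enables authentication for the backbone, which the virtual link belongs to
            area0_mode = "md5" if m.group(1) else "simple"
            continue
        m = VLINK.match(line)
        if not m:
            continue
        # IOS may show one virtual link across several lines, so merge them.
        link = links.setdefault((m.group(1), m.group(2)), {"mode": None, "keys": set()})
        opts = m.group(3)
        # Per-link keyword, as in the lab command quoted in post #1.
        if re.search(r"\bauthentication message-digest(?![-\w])", opts):
            link["mode"] = "md5"
        elif re.search(r"\bauthentication null\b", opts):
            link["mode"] = "null"
        elif re.search(r"\bauthentication(?:\s|$)", opts):
            link["mode"] = "simple"
        if re.search(r"\bmessage-digest-key \d+ md5 \S+", opts):
            link["keys"].add("md5")
        if re.search(r"\bauthentication-key \S+", opts):
            link["keys"].add("simple")
    findings = {}
    for key, link in links.items():
        mode = link["mode"] or area0_mode  # a per-link setting takes precedence over area 0
        if mode in (None, "null"):
            findings[key] = "key set but authentication not enabled" if link["keys"] else "no authentication"
        elif mode not in link["keys"]:
            findings[key] = f"{mode} authentication enabled but no {mode} key"
        else:
            findings[key] = f"ok: {mode}"
    return findings

# Constructed samples (not taken from the lab): a router with no interface in area 0.
KEY_ONLY = "router ospf 1\n area 1 virtual-link 2.2.2.2 message-digest-key 1 md5 NWL\n"
WITH_AREA0 = ("router ospf 1\n area 0 authentication message-digest\n"
              " area 1 virtual-link 2.2.2.2 message-digest-key 1 md5 NWL\n")
PER_LINK = ("router ospf 1\n area 1 virtual-link 2.2.2.2 authentication message-digest\n"
            " area 1 virtual-link 2.2.2.2 message-digest-key 1 md5 NWL\n")

if __name__ == "__main__":
    for name, cfg in [("key only", KEY_ONLY), ("area 0", WITH_AREA0), ("per link", PER_LINK)]:
        print(name, audit_virtual_links(cfg))
```

The first sample is the case worth catching in a review: a key is present on the virtual link, but nothing turns authentication on for it.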


(Mike C) #5

Yes, it is. Thank you very much!