OSPF Virtual Link Authentication


(Rene Molenaar) #1

This topic is to discuss the following lesson:


(Rocky X) #2

For this Topology

Why can I ping 1.1.1.1 with source 2.2.2.2 even without a virtual link, let alone the authentication? Is it an IOS bug or something else?


(Lazaros Agapides) #3

Hello Rocky

I’ve recreated the topology with the appropriate configuration, but I was unable to reproduce your results. I found that the two routers did indeed become neighbors; however, no routes were actually exchanged. The routing tables of both routers were empty.

Check your configuration again and verify that everything is indeed configured as in the topology.

I hope this has been helpful!

Laz


(Rocky X) #4

Thanks for your reply.

I will show my config as follows,

As you can see, I didn’t configure a virtual link. But I could

and its routing table is,

Look forward to your reply, thanks.


(Lazaros Agapides) #5

Hello Rocky

This is indeed puzzling. This may have to do with the fact that these are Loopback addresses that you are pinging and also because on R1, the router ID is explicitly defined as the same IP as the loopback and as the IP you’re pinging.

Now, the fact that the routing table includes the 1.1.1.1 destination makes sense, because it sees it in a neighboring area, which is what should happen. What shouldn’t happen, however, is for there to be L3 connectivity between the loopbacks.

However, notice that the routing table indicates that the route is to 1.1.1.1 and not to 1.1.1.0/24 which is the participating subnet, so it may have to do with how the loopbacks and the router IDs are handled.

Don’t get me wrong, connectivity should not be occurring, however, in order to see if we can get to the bottom of this, try the following:

  1. Change the router IDs of both routers to something completely different from the IP addresses of the loopbacks such as 10.10.10.10 so we can exclude the router IDs from the issue. See if connectivity still exists.
  2. Instead of creating loopbacks, configure some physical ports in area 0 on each router with IP addresses and have them participate in OSPF. See if you can ping between those.
  3. Connect external devices on the physical ports and attempt to ping between them.

Try these out and let us know your results.

I hope this has been helpful!

Laz


(Chris N) #6

I believe there is another way of enabling authentication?

router ospf 1
area 1 virtual-link 2.2.2.2 authentication message-digest
area 1 virtual-link 2.2.2.2 message-digest-key 1 md5 NWL


(Lazaros Agapides) #7

Hello Chris

Yes, you are right, this too is a valid way to enable MD5 authentication over a virtual link. The difference here is that this configures message-digest just for the virtual link. Authentication in the area need not be globally configured. The configuration in Rene’s lesson enables MD5 authentication on the whole of each area. Here is Rene’s configuration for comparison purposes.

R1(config)#router ospf 1
R1(config-router)#area 0 authentication
R1(config-router)#area 1 virtual-link 2.2.2.2 authentication-key NWL

I hope this has been helpful!

Laz
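The two commands compared in this thread select different OSPF authentication types: `authentication-key` sets type 1 (simple password, sent in the clear) and `message-digest-key ... md5` sets type 2 (keyed MD5 digest appended to the packet). The following is an added Python illustration, not code from the lesson or from IOS, that builds both forms as RFC 2328 Appendix D describes them and verifies a type 2 packet including the cryptographic sequence-number replay check; the router IDs, packet body and the key "NWL" are constructed sample values.

```python
"""Build and verify OSPFv2 authentication trailers (RFC 2328 Appendix D).
Constructed demo: type 1 simple password vs. type 2 cryptographic (MD5)."""
import hashlib
import hmac
import struct

AUTH_NULL, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2

def ip4(dotted):
    """Dotted-quad string -> 4 bytes (used for router ID and area ID)."""
    return bytes(int(x) for x in dotted.split("."))

def ospf_header(ptype, rid, area, auth_type, auth_field, body):
    # Version 2, type, length (header + body, digest excluded), router ID,
    # area ID, checksum (zero for MD5 auth), auth type, 8-byte auth field.
    return struct.pack("!BBH4s4sHH8s", 2, ptype, 24 + len(body),
                       rid, area, 0, auth_type, auth_field) + body

def simple_auth_packet(ptype, rid, area, body, password):
    # Type 1: the password itself sits in the auth field, NUL-padded to 8 bytes.
    return ospf_header(ptype, rid, area, AUTH_SIMPLE,
                       password.encode().ljust(8, b"\0"), body)

def md5_auth_packet(ptype, rid, area, body, key_id, key, seq):
    # Type 2: auth field = 0x0000, key ID, auth data length (16), crypto seq no.
    auth_field = struct.pack("!HBBI", 0, key_id, 16, seq)
    pkt = ospf_header(ptype, rid, area, AUTH_MD5, auth_field, body)
    # Digest = MD5(packet || key NUL-padded to 16 bytes), appended after the packet.
    digest = hashlib.md5(pkt + key.encode().ljust(16, b"\0")).digest()
    return pkt + digest

def verify_md5(packet, keys, last_seq):
    """Return (ok, seq). keys maps key ID -> key string; last_seq is the last
    sequence number accepted from this neighbor (rejects replayed packets)."""
    if len(packet) < 24 + 16:
        return False, None
    auth_type, = struct.unpack("!H", packet[14:16])
    if auth_type != AUTH_MD5:
        return False, None
    _, key_id, dlen, seq = struct.unpack("!HBBI", packet[16:24])
    length, = struct.unpack("!H", packet[2:4])
    if dlen != 16 or key_id not in keys or length + 16 != len(packet):
        return False, None
    if seq < last_seq:          # older than what we already accepted: replay
        return False, seq
    key = keys[key_id].encode().ljust(16, b"\0")
    expected = hashlib.md5(packet[:length] + key).digest()
    return hmac.compare_digest(expected, packet[length:]), seq
```

Virtual-link packets carry the backbone area ID (0.0.0.0) even though they are sent through the transit area, which is why `area` is 0.0.0.0 in the checks below.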