OSPF Virtual Link Authentication

This topic is to discuss the following lesson:

For this Topology

Why I can ping 1.1.1.1 source 2.2.2.2 even without virtual link, let alone the authentication? Is it the IOS bug or others?

Hello Rocky

I’ve recreated the topology with the appropriate configuration, but I was unable to reproduce your results. I found that the two routers did indeed become neighbors however, no routes were actually exchanged. The routing tables of both routers were empty.

Check your configuration again and verify that everything is indeed configured as in the topology.

I hope this has been helpful!

Laz

Thanks for your reply.

I will show my config as follows,

As you can see, I didn’t config virtual link. But I could

and its routing table is,

Look forward to your reply, thanks.

Hello Rocky

This is indeed puzzling. This may have to do with the fact that these are Loopback addresses that you are pinging and also because on R1, the router ID is explicitly defined as the same IP as the loopback and as the IP you’re pinging.

Now the fact that the routing table includes the 1.1.1.1 destination in its routing table makes sense, because it sees it in a neighboring area, which is what should happen. What shouldn’t happen however is for there to be L3 connectivity between the loopbacks.

However, notice that the routing table indicates that the route is to 1.1.1.1 and not to 1.1.1.0/24 which is the participating subnet, so it may have to do with how the loopbacks and the router IDs are handled.

Don’t get me wrong, connectivity should not be occurring, however, in order to see if we can get to the bottom of this, try the following:

  1. Change the router IDs of both routers to something completely different from the IP addresses of the loopbacks such as 10.10.10.10 so we can exclude the router IDs from the issue. See if connectivity still exists.
  2. Instead of creating loopbacks, configure some physical ports in area 0 on each router with IP addresses and have them participate in OSPF. See if you can ping between those.
  3. Connect external devices on the physical ports and attempt to ping between them.

Try these out and let us know your results.

I hope this has been helpful!

Laz

I believe there is another way of enabling authentication?

router ospf 1
area 1 virtual-link 2.2.2.2 authentication message-digest
area 1 virtual-link 2.2.2.2 message-digest-key 1 md5 NWL

Hello Chris

Yes you are right this too is a valid way to enable MD5 authentication over a virtual link. The difference here is that this configures message-digest just for the virtual link. Authentication in the area need not be globally configured. The configuration in Rene’s lesson, enables MD5 authentication on the whole of each area. Here is Rene’s configuration for comparison purposes.

R1(config)#router ospf 1
R1(config-router)#area 0 authentication
R1(config-router)#area 1 virtual-link 2.2.2.2 authentication-key NWL

I hope this has been helpful!

Laz

Hello,
I have noticed virtual link authentication does not impact the connectivity between the area 0 and area 2… For example I have enabled virtual link authentication only on R1 and still i can see all the LSA on R1 and R3… My routing table in both routers is fine…
Is there any explanation …

Thanks

Hello Nabil

I assume you mean the connectivity between the two disjointed “area 0” regions…

Note that when you enable authentication, even if you do so on only one router, OSPF will continue to function until the OSPF process is reset. If it is not, then nothing will change yet. After resetting the OSPF process, the virtual link should fail, and you will see that the two area 0s will not create a neighbor adjacency.

I hope this has been helpful!

Laz

Hello,
I have noticed virtual link authentication does not impact the connectivity between the area 0 and area 2… For example I have enabled virtual link authentication only on R1 and still i can see all the LSA on R1 and R3… My routing table in both routers is fine…
Is there any explanation …
Thanks

Hello Nabil

This query has been resolved above:

Laz