Cisco OSPF Command and Configuration Handbook (paperback)


2-17 area transit-area-id virtual-link router-id authentication-key password

Syntax Description:

  • transit-area-id: The OSPF area ID of the area connecting the two ABRs that the virtual link will cross. This value can be entered as a decimal number in the range of 0 to 4,294,967,295 or in IP address form in the range 0.0.0.0 to 255.255.255.255. The transit area cannot be a stub area.

  • router-id: OSPF router ID of the router at the remote end of the virtual link.

  • password: Password to be used for authentication in the selected area on the selected interface or virtual link. The password is an alphanumeric string from 1 to 8 characters.

Purpose: If simple password authentication is enabled in Area 0, then all virtual links need to be configured with the same authentication type. This command is used to configure simple password authentication over a virtual link. In Cisco IOS Software Release 12.0 and later, virtual link authentication can be configured independently of Area 0 (see Section 2-14).

Initial Cisco IOS Software Release: 10.0

Configuration Example 1: Simple Password Authentication Over a Virtual Link

In Figure 2-17, simple password authentication has been enabled for Area 0. Initially, authentication is not enabled over the virtual link so you can see the effect of enabling authentication in Area 0 but not over the virtual link.

Figure 2-17. Prior to Cisco IOS Software Release 12.0, if Authentication Is Enabled in Area 0 Then the Same Authentication Must Be Enabled Over the Virtual Link

Router A
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Serial0/1
 ip address 10.1.1.1 255.255.255.252
 ip ospf authentication-key cisco
 clockrate 64000
!
router ospf 1
 area 0 authentication
 network 10.1.1.0 0.0.0.3 area 0
 network 1.1.1.1 0.0.0.0 area 0
_______________________________________________________________________
Router B
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Serial0
 ip address 10.1.1.2 255.255.255.252
 ip ospf authentication-key cisco
!
interface Serial1
 ip address 10.1.1.5 255.255.255.252
 clockrate 64000
!
router ospf 1
 area 0 authentication
 area 1 virtual-link 3.3.3.3
 network 10.1.1.0 0.0.0.3 area 0
 network 2.2.2.2 0.0.0.0 area 0
 network 10.1.1.4 0.0.0.3 area 1
_______________________________________________________________________
Router C
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Serial0
 ip address 10.1.1.6 255.255.255.252
!
router ospf 1
 area 1 virtual-link 2.2.2.2
 network 3.3.3.3 0.0.0.0 area 2
 network 10.1.1.4 0.0.0.3 area 1

Verify that authentication has been enabled for Area 0.

rtrA# show ip ospf
 Routing Process "ospf 1" with ID 1.1.1.1
 Supports only single TOS(TOS0) routes
 SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
 Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
 Number of external LSA 0. Checksum Sum 0x0
 Number of DCbitless external LSA 0
 Number of DoNotAge external LSA 0
 Number of areas in this router is 1. 1 normal 0 stub 0 nssa
    Area BACKBONE(0)
        Number of interfaces in this area is 2
        Area has simple password authentication
        SPF algorithm executed 2 times
        Area ranges are
        Number of LSA 6. Checksum Sum 0x3B837
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 3
_______________________________________________________________________
rtrB# show ip ospf
 Routing Process "ospf 1" with ID 2.2.2.2
 Supports only single TOS(TOS0) routes
 It is an area border router
 SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
 Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
 Number of external LSA 0. Checksum Sum 0x0
 Number of DCbitless external LSA 0
 Number of DoNotAge external LSA 0
 Number of areas in this router is 2. 2 normal 0 stub 0 nssa
    Area BACKBONE(0)
        Number of interfaces in this area is 3
        Area has simple password authentication
        SPF algorithm executed 8 times
        Area ranges are
        Number of LSA 6. Checksum Sum 0x3B837
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 3
    Area 1
        Number of interfaces in this area is 1
        Area has no authentication
        SPF algorithm executed 4 times
        Area ranges are
        Number of LSA 6. Checksum Sum 0x364E1
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0

When authentication is enabled in Area 0, then this authentication type will be applied to all interfaces in Area 0, including virtual links. Any routing updates from neighbors in Area 0 will be rejected if the authentication type and password do not match. Because a virtual link is considered to be in Area 0, routing updates passing over the virtual link will be rejected. This can be verified by examining the IP routing table on Router B.

rtrB# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR
Gateway of last resort is not set
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 10.1.1.1, 00:06:34, Serial0
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback0
     10.0.0.0/30 is subnetted, 2 subnets
C       10.1.1.0 is directly connected, Serial0
C       10.1.1.4 is directly connected, Serial1

Router B has learned the routes being advertised by Router A but not the routes advertised by Router C. Simple password authentication needs to be enabled on the virtual link so that routing updates can be exchanged between routers B and C. You can also use a different authentication type on the virtual link using command 2-14, 2-15, or 2-16. In this case, configure the same authentication type that is being used in Area 0. Change the password over the virtual link to demonstrate that the passwords for different interfaces do not need to be the same. Remember that the password for a common link must be the same at both ends of the link. Modify the configurations on Routers B and C to enable simple password authentication over the virtual link using the password bosco.

Router B
router ospf 1
 area 0 authentication
 area 1 virtual-link 3.3.3.3 authentication-key bosco
 network 2.2.2.2 0.0.0.0 area 0
 network 10.1.1.0 0.0.0.3 area 0
 network 10.1.1.4 0.0.0.3 area 1
_______________________________________________________________________
Router C
router ospf 1
 area 0 authentication
 area 1 virtual-link 2.2.2.2 authentication-key bosco
 network 3.3.3.3 0.0.0.0 area 2
 network 10.1.1.4 0.0.0.3 area 1

Notice that the command area 0 authentication was used on Router C because the virtual link is in Area 0.

Verification

Verify that authentication has been enabled over the virtual link.

rtrC# show ip ospf
 Routing Process "ospf 1" with ID 3.3.3.3
 Supports only single TOS(TOS0) routes
 It is an area border router
 SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
 Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
 Number of external LSA 0. Checksum Sum 0x0
 Number of DCbitless external LSA 0
 Number of DoNotAge external LSA 0
 Number of areas in this router is 3. 3 normal 0 stub 0 nssa
    Area BACKBONE(0)
        Number of interfaces in this area is 1
        Area has simple password authentication
        SPF algorithm executed 4 times
        Area ranges are
        Number of LSA 6. Checksum Sum 0x3CFAD
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 3
    Area 1
        Number of interfaces in this area is 1
        Area has no authentication
        SPF algorithm executed 22 times
        Area ranges are
        Number of LSA 10. Checksum Sum 0x4ACBB
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
    Area 2
        Number of interfaces in this area is 1
        Area has no authentication
        SPF algorithm executed 18 times
        Area ranges are
        Number of LSA 5. Checksum Sum 0x238E3
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0

Verify that all OSPF routes are now being exchanged.

rtrA# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR
Gateway of last resort is not set
     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
     2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/65] via 10.1.1.2, 00:09:04, Serial0/1
     3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/129] via 10.1.1.2, 00:09:04, Serial0/1
     10.0.0.0/30 is subnetted, 2 subnets
C       10.1.1.0 is directly connected, Serial0/1
O IA    10.1.1.4 [110/128] via 10.1.1.2, 00:09:04, Serial0/1
_______________________________________________________________________
rtrB# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR
Gateway of last resort is not set
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 10.1.1.1, 00:10:19, Serial0
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback0
     3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/65] via 10.1.1.6, 00:10:20, Serial1
     10.0.0.0/30 is subnetted, 2 subnets
C       10.1.1.0 is directly connected, Serial0
C       10.1.1.4 is directly connected, Serial1
_______________________________________________________________________
rtrC# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR
Gateway of last resort is not set
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/129] via 10.1.1.5, 00:11:10, Serial0
     2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/65] via 10.1.1.5, 00:11:11, Serial0
     3.0.0.0/24 is subnetted, 1 subnets
C       3.3.3.0 is directly connected, Loopback0
     10.0.0.0/30 is subnetted, 2 subnets
O       10.1.1.0 [110/128] via 10.1.1.5, 00:11:11, Serial0
C       10.1.1.4 is directly connected, Serial0

Troubleshooting

Step 1. Verify that there is a neighbor relationship between the OSPF routers using the show ip ospf neighbor command.

Step 2. Verify that the transit area ID used in the area virtual-link command is correct.

Step 3. Verify that the router IDs used in the area virtual-link command are correct.

Step 4. Verify that the same password is being used on each side of the virtual link.
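
Steps 2 through 4 can also be checked offline against saved configurations. The following Python script is an added example, not part of the handbook; it compares the two ends of the virtual link from Configuration Example 1, and its function names and the assumption that keys are stored unencrypted in the configuration are illustrative.

```python
import ipaddress
import re

# Constructed input: OSPF area statements of Routers B and C from Example 1,
# keyed by router ID (network statements omitted; keys assumed unencrypted).
BEFORE = {
    "2.2.2.2": "router ospf 1\n area 0 authentication\n area 1 virtual-link 3.3.3.3\n",
    "3.3.3.3": "router ospf 1\n area 1 virtual-link 2.2.2.2\n",
}
AFTER = {
    "2.2.2.2": "router ospf 1\n area 0 authentication\n"
               " area 1 virtual-link 3.3.3.3 authentication-key bosco\n",
    "3.3.3.3": "router ospf 1\n area 0 authentication\n"
               " area 1 virtual-link 2.2.2.2 authentication-key bosco\n",
}
VLINK = re.compile(r"^\s*area (\S+) virtual-link (\S+)(?: authentication-key (\S+))?\s*$", re.M)
AREA_AUTH = re.compile(r"^\s*area (\S+) authentication\s*$", re.M)

def area_id(text):
    """Normalize an area ID written in decimal or IP address form to an int."""
    return int(ipaddress.IPv4Address(text)) if "." in text else int(text)

def parse(config):
    """Return (area0_simple_auth, {remote_router_id: (transit_area, key)})."""
    auth0 = any(area_id(m.group(1)) == 0 for m in AREA_AUTH.finditer(config))
    links = {m.group(2): (area_id(m.group(1)), m.group(3)) for m in VLINK.finditer(config)}
    return auth0, links

def check_virtual_link(configs, rid_a, rid_b):
    """Apply troubleshooting Steps 2-4 to the virtual link between two ABRs."""
    (auth_a, links_a), (auth_b, links_b) = parse(configs[rid_a]), parse(configs[rid_b])
    # Step 3: each end must name the other end's router ID.
    if rid_b not in links_a or rid_a not in links_b:
        return ["virtual link is not defined toward the peer's router ID on both ends"]
    (area_a, key_a), (area_b, key_b) = links_a[rid_b], links_b[rid_a]
    problems = []
    # Step 2: both ends must name the same transit area.
    if area_a != area_b:
        problems.append(f"transit area mismatch: {area_a} vs {area_b}")
    # The virtual link is in Area 0, so both ends need the Area 0 authentication type.
    if auth_a != auth_b:
        problems.append("area 0 authentication is enabled on only one end")
    # Step 4: with authentication on, the key must be present and identical.
    if (auth_a or auth_b) and (key_a is None or key_a != key_b):
        problems.append("authentication-key is missing or differs between the ends")
    return problems

if __name__ == "__main__":
    print([check_virtual_link(c, "2.2.2.2", "3.3.3.3") for c in (BEFORE, AFTER)])
```

Simple password authentication carries the key unencrypted in every OSPF packet, so the same audit pass is a convenient place to list links that could move to another authentication type (commands 2-14 to 2-16).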
