OSPF virtual link with message digest authentication

Dis-contiguous area

Non-backbone area has to be converged with backbone area (area 0) in order for OSPF to learn the routes. The following example has area 100 discontiguous with backbone area, the solution is either to use GRE tunnel or virtual link.

ospf1

Virtual link
1. Router-id is used for virtual-link neighbor not the IP address of the neighbor.

2. The area that configures virtual-link must not be a stub area.

3. Area that configures virtual-link must be converged to backbone area.

4. If plain or message digest authentication is used in area 0, the router that has discontiguous area must configure area 0 authentication command.

5. The authentication password must match area 0’s password.

6. Virtual link is like a link to area 0, its OSPF network type is point-to-point.

Warning syslogs
Area ID mismatch
%OSPF-4-ERRRCV: Received invalid packet: mismatch area ID, from backbone area must be vi rtual-link but not found from 192.168.0.6, FastEthernet1/0
This means the OSPF neighbor router’s OSPF hello packet contains Area 0, which is mismatched to the area the receiving router is connecting to.

OSPF authentication type mismatch
Rcv pkt from 192.168.0.6, OSPF_VL13 : Mismatch Authentication type. Input packet specified type 0, we use type 2
This means the router has received mismatched authentication type from its neighbor.
Type 0 = no authentication.
Type 1 = plain text authentication.
Type 2 = MD5 authentication.

In this example, area 0 is using MD5 authentication, however the neighbor router’s virtual link is sending OSPF hello with no authentication. To resolve this, the router with discontiguous area must configure area 0 authentication message-digest.

In this example, R3 has a discontiguous area and hence virtual link is configured on R2 and R3. As R3 has no link to area 0, there is no area 0 authentication message-digest command, hence after virtual link was configured correctly there is no adjacency formed.

Although no adjacency is formed, the virtual link is in up status.

!From R2
R2#sh ip ospf virtual-links
Virtual Link OSPF_VL13 to router 3.3.3.3 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 1, via interface FastEthernet1/0, Cost of using 1
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:08
  Message digest authentication enabled
    Youngest key id is 1
R2#
!From R3
R3#sh ip ospf virtual-link
Virtual Link OSPF_VL10 to router 2.2.2.2 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 1, via interface FastEthernet1/0, Cost of using 1
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:09

As observed, R2’s virtual link is using key 1, R3’s virtual link however has no indication of key used.

To resolve this area 0 authentication message-digest is inserted into the ospf command.

R3#sh run | sec router
router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 area 0 authentication message-digest
 area 1 authentication message-digest
 area 1 virtual-link 2.2.2.2 message-digest-key 1 md5 cisco
 network 3.3.3.3 0.0.0.0 area 1
 network 192.168.0.4 0.0.0.3 area 1
 network 192.168.0.9 0.0.0.0 area 100
R3#

R2 and R3 virtual link formed adjacency as soon as the command was executed.
%OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on OSPF_VL10 from LOADING to FULL, Loading Done

!From R2
R2#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
3.3.3.3           0   FULL/  -           -        192.168.0.6     OSPF_VL13
!From R3
R3#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           0   FULL/  -           -        192.168.0.5     OSPF_VL10
Advertisements
This entry was posted in OSPF and tagged , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s