OSPF Virtual Link Authentication

In the OSPF virtual link lesson, I explained how to configure a virtual link, but I didn’t show how to enable virtual link authentication. That’s what we are going to cover in this lesson.

There are two authentication methods:

  • Plain text
  • MD5

I’ll show you both options.

Configuration

Here is the topology we will use:

[Figure: R1 and R2, OSPF virtual link, broken area 0]

We have two routers running OSPF. Area 0 is discontinuous, so we need a virtual link through area 1 to fix this.

Configurations

Want to take a look for yourself? Here you will find the startup configuration of each device.

R1

hostname R1
!
ip cef
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet0/1
 ip address 192.168.12.1 255.255.255.0
!
router ospf 1
 area 1 virtual-link 2.2.2.2
 network 1.1.1.1 0.0.0.0 area 0
 network 192.168.12.0 0.0.0.255 area 1
!
end

R2

hostname R2
!
ip cef
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface GigabitEthernet0/1
 ip address 192.168.12.2 255.255.255.0
!
router ospf 1
 area 1 virtual-link 1.1.1.1
 network 2.2.2.2 0.0.0.0 area 0
 network 192.168.12.0 0.0.0.255 area 1
!
end

Let’s see if we can authenticate this virtual link.

Plain Text Authentication

There are two things we need to do to enable authentication:

  • Enable authentication for area 0: the virtual link belongs to area 0, so you need authentication for the backbone area, not the area that the virtual link goes through.
  • Set the authentication password for the virtual link.

Only two commands are required to achieve this:

R1(config)#router ospf 1
R1(config-router)#area 0 authentication
R1(config-router)#area 1 virtual-link 2.2.2.2 authentication-key NWL

R2(config)#router ospf 1
R2(config-router)#area 0 authentication
R2(config-router)#area 1 virtual-link 1.1.1.1 authentication-key NWL

Let’s see if it works. Let’s reset the OSPF process:

R1#clear ip ospf process 
Reset ALL OSPF processes? [no]: yes

After a few seconds, our virtual link is back:

R1#
%OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on OSPF_VL0 from LOADING to FULL, Loading Done

Let’s verify that authentication is enabled:

R1#show ip ospf virtual-links 
Virtual Link OSPF_VL0 to router 2.2.2.2 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 1, via interface GigabitEthernet0/1
 Topology-MTID    Cost    Disabled     Shutdown      Topology Name
        0           1         no          no            Base
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:01
    Adjacency State FULL (Hello suppressed)
    Index 1/1/2, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0)/0x0(0) Next 0x0(0)/0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec
  Simple password authentication enabled

There we go. In the last line of the output above, you can see that simple password authentication is enabled.
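To see what "simple password" means on the wire, here is an added example (not part of the original lesson) that reads the authentication fields of an OSPFv2 header as laid out in RFC 2328. It goes beyond this section by also checking the MD5 digest used by the second method; the packets are constructed, header-only samples, and zero-padding of short keys is an assumption.

```python
import hashlib
import hmac
import struct

HDR = "!BBH4s4sHH8s"  # RFC 2328 A.3.1: 24-byte OSPFv2 header
AUTYPE = {0: "null", 1: "simple password", 2: "cryptographic"}

def pad_key(key, size):
    return key.ljust(size, b"\x00")  # assumption: short keys are zero-padded

def build_header(router_id, au_type, auth_field):
    """Constructed header-only Hello for area 0.0.0.0; checksum left at 0."""
    return struct.pack(HDR, 2, 1, 24, router_id, bytes(4), 0, au_type, auth_field)

def inspect_auth(packet, key=None):
    """Report what the authentication fields of one OSPFv2 packet reveal."""
    _, _, length, _, area, _, au_type, auth = struct.unpack(HDR, packet[:24])
    info = {"area": ".".join(str(b) for b in area),
            "au_type": AUTYPE.get(au_type, "unknown"),
            "cleartext_key": None}
    if au_type == 1:
        # Type 1: the 8-byte Authentication field is the password itself.
        info["cleartext_key"] = auth.rstrip(b"\x00").decode("ascii", "replace")
    elif au_type == 2:
        # Type 2: reserved(2), Key ID(1), digest length(1), sequence number(4).
        # The digest follows the packet and is not counted in its length field.
        _, key_id, dlen, seq = struct.unpack("!HBBI", auth)
        info.update(key_id=key_id, sequence=seq)
        if key is not None:
            expected = hashlib.md5(packet[:length] + pad_key(key, 16)).digest()
            info["digest_ok"] = hmac.compare_digest(
                packet[length:length + dlen], expected)
    return info

# Constructed sample packets from R1 (router ID 1.1.1.1) using the lesson's key.
R1 = bytes([1, 1, 1, 1])
plain_pkt = build_header(R1, 1, pad_key(b"NWL", 8))
md5_hdr = build_header(R1, 2, struct.pack("!HBBI", 0, 1, 16, 1000))
md5_pkt = md5_hdr + hashlib.md5(md5_hdr + pad_key(b"NWL", 16)).digest()

if __name__ == "__main__":
    print(inspect_auth(plain_pkt))
    print(inspect_auth(md5_pkt, key=b"NWL"))
```

With type 1 the key is readable by anyone who can capture traffic on the transit path, while type 2 only carries a key ID, a sequence number and a digest.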

Configurations

Want to take a look for yourself? Here you will find the configuration of each device.

R1

hostname R1
!
ip cef
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet0/1
 ip address 192.168.12.1 255.255.255.0
!
router ospf 1
 area 0 authentication
 area 1 virtual-link 2.2.2.2 authentication-key NWL
 network 1.1.1.1 0.0.0.0 area 0
 network 192.168.12.0 0.0.0.255 area 1
!
end

R2

hostname R2
!
ip cef
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface GigabitEthernet0/1
 ip address 192.168.12.2 255.255.255.0
!
router ospf 1
 area 0 authentication
 area 1 virtual-link 1.1.1.1 authentication-key NWL
 network 2.2.2.2 0.0.0.0 area 0
 network 192.168.12.0 0.0.0.255 area 1
!
end

MD5 Authentication

Let’s try MD5 authentication. The configuration is similar:

R1(config)#router ospf 1
R1(config-router)#area 0 authentication message-digest
R1(config-router)#area 1 virtual-link 2.2.2.2 message-digest-key 1 md5 NWL

R2(config)#router ospf 1
R2(config-router)#area 0 authentication message-digest
R2(config-router)#area 1 virtual-link 1.1.1.1 message-digest-key 1 md5 NWL

First, we need to configure area 0 to use MD5 authentication and then set the MD5 key for the virtual link.
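One way to check both requirements across saved configurations, as an added example (not from the original lesson): a Python function, here given the hypothetical name audit_virtual_links, reads the router ospf block and reports whether the area 0 authentication type and the virtual-link key match. It only understands the two command forms shown in this lesson, and the sample configurations are constructed from R1's.

```python
import re

def audit_virtual_links(config):
    """Return [(peer_router_id, finding)] for each OSPF virtual link in an IOS config."""
    area_auth, vlinks, in_ospf = {}, {}, False
    for raw in config.splitlines():
        if not raw.startswith(" "):          # a top-level line starts or ends a block
            in_ospf = raw.startswith("router ospf")
            continue
        if not in_ospf:
            continue
        line = raw.strip()
        m = re.fullmatch(r"area (\S+) authentication( message-digest)?", line)
        if m:
            area_auth[m.group(1)] = "md5" if m.group(2) else "simple"
            continue
        m = re.match(r"area (\S+) virtual-link (\S+)(.*)", line)
        if m:
            keys = vlinks.setdefault((m.group(1), m.group(2)), set())
            if " authentication-key " in m.group(3):
                keys.add("simple")
            if " message-digest-key " in m.group(3):
                keys.add("md5")
    mode = area_auth.get("0") or area_auth.get("0.0.0.0")  # the link belongs to area 0
    findings = []
    for (transit, peer), keys in sorted(vlinks.items()):
        if mode is None and transit in area_auth:
            note = f"FAIL: authentication set on transit area {transit}, not area 0"
        elif mode is None:
            note = "FAIL: no authentication on area 0"
        elif mode not in keys:
            note = f"FAIL: area 0 uses {mode} but the link has no {mode} key"
        elif mode == "simple":
            note = "WARN: plain text key, sent unencrypted in every packet"
        else:
            note = "OK: MD5 message digest"
        findings.append((peer, note))
    return findings

# Constructed samples based on the lesson's R1 configuration.
PLAIN = """router ospf 1
 area 0 authentication
 area 1 virtual-link 2.2.2.2 authentication-key NWL"""
MD5 = """router ospf 1
 area 0 authentication message-digest
 area 1 virtual-link 2.2.2.2 message-digest-key 1 md5 NWL"""
WRONG_AREA = """router ospf 1
 area 1 authentication
 area 1 virtual-link 2.2.2.2 authentication-key NWL"""
```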

Let’s see if it works:


Forum Replies

  1. Hi M,

    That’s right, I don’t think you can still see it in the LSDB somewhere.

    Rene

  2. Hello Stuart.

    Here is the diagram that Rene has in his lesson:

    //cdn-forum.networklessons.com/uploads/default/original/1X/7c5c0badd9511411a37f8e6335b9a3aeed8e925b.png

    A virtual link has been created between the L0 interface of R1 and the Fa1/0 interface of R2.

    The OSPF packets between the two ends of the virtual link are not multicast packets. (Note the two ends of the virtual link are the L0 interface of R1 and the Fa1/0 interface of R2). LSAs that are sent over the virtual link are actually tunnelled packets between 192.168.23.2 and 1.1.1.1, based on the ne

    ... Continue reading in our forum

  3. Hi Laz,
    I think you didn’t catch my question…
    Visualize a topology like …

    area0>> Area-1 stub/nssa >> Area-2
    So in the above scenario, Area-2 has to connect to Area-0 using a virtual link to make the area function. Technically, a virtual link is not possible over the stub/NSSA area. Why? Thx

    br//zaman

  4. Hi Zeko,

    If you enable authentication for virtual links, you have to enable it globally for area 0 and set the password on the virtual link command. Here’s an example:

    R1#show run | begin ospf
    router ospf 1
     area 0 authentication
     area 1 virtual-link 2.2.2.2 authentication-key NWL
    

    Authentication is enabled for area 0, the virtual link goes through area 1 and has the password. You can see it works with this command:

    R1#show ip ospf virtual-links 
    Virtual Link OSPF_VL0 to router 192.168.23.2 is up
      Run as demand circuit
      DoNotAge LSA allowed.
      Transit area 1,
    ... Continue reading in our forum

  5. Hello Sovandara,

    You can create more than one virtual link if needed. For example, let’s say you have a topology like this:

    (area 0) R1 (area 1) R2 (area 2) R3 (area 3)

    You can configure a virtual link between R1-R2 to get area 2 connected to area 0. The virtual link is like a tunnel that gives R2 access to area 0.

    You can then configure a virtual link between R2 and R3 to connect area 3 to area 0.

    Hope this helps!

    Rene
