a comment or to in line ( like the states )

"Nigel Taylor" wrote in message news:[EMAIL PROTECTED]
> Chuck,
> Let's see if I can make any sense in my reply to your comments.
> When I think of a "virtual-link" as it relates to ospf, I think of it in
> terms of being a tunnel. Also, short of being able to use a virtual-link, a
> tunnel is what's recommended to maintain connectivity for any non-area0
> connected areas.

Nigel, you're making me grind my teeth. A virtual link is NOT a tunnel. Who started the "tunnel" idea? Even Moy backed away from the use of the term "tunnel" in his second book. :->

>
> Here's an excerpt from rfc 2328 which describes a virtual link.
>
> 12.4.1.3. Describing virtual links
>
> For virtual links, a link description is added to the
> router-LSA only when the virtual neighbor is fully
> adjacent. In this case, add a Type 4 link (virtual link)
> with Link ID set to the Router ID of the virtual
> neighbor, Link Data set to the IP interface address
> associated with the virtual link and cost set to the
> cost calculated for the virtual link during the routing
> table calculation (see Section 15).
>
>
> And then this excerpt from section 15..
>
> The virtual link is treated as if it were an unnumbered point-to-point
> network belonging to the backbone and joining the two area border routers.
> An attempt is made to establish an adjacency over the virtual link. When
> this adjacency is established, the virtual link will be included in backbone
> router-LSAs, and OSPF packets pertaining to the backbone area will flow over
> the adjacency. Such an adjacency has been referred to in this document as a
> "virtual adjacency".

It occurs to me that most of us think / are told that a virtual link is in area 0. I can't remember all the stuff I've read about this over the years. This recent observation tells me that the virtual link is an odd animal that is really part of the transit area. It doesn't quite follow the other OSPF rules. I know what the VL is supposed to do. It links the non adjacent area directly to area 0. It would "seem" reasonable that the link would have to be area 0. Judging from the workings of authentication, it would appear that on Cisco routers that the link is treated as part of the transit area.

>
> So as you noted it would be safe to say that a virtual-link is governed by
> the termination points of its unnumbered p-2-p links. So where your
> transit-area uses MD5 authentication so must your virtual-link.
>
> Alex Zinin's Cisco IP Routing [pg. 489] clearly states that the virtual-link
> always belongs to the backbone. In saying this, the characteristics of the
> transit area to identify the peering ABR and then receive
> packets(encrypted/decrypted) would be the only things that associates the
> virtual-link to the transit area.

It wouldn't be the first time that someone was incorrect about the way things really work versus the way it appears they work. Recall my statement above. The virtual link is NOT a tunnel. It operates solely based on the presence of the V-bit in the OSPF header. I imagine that the router code is such that it passes packets based on the presence of the V-bit. The router code has to base its operation on SOMETHING in the OSPF header. So when it comes to authentication, Cisco router code determines the need for authentication based on the various values of the headers involved. After all, there's nothing in the RFC that requires that authentication work in a certain manner.

Someone asked me off line about how the Lab proctors might grade this kind of task. The answer of course is "who knows?" All you're given is a percentage of the general section. The key is understanding how to make it work without spending too much time "trying things"

>
> HTH
>
> Nigel :-)
>
>
>
>
> ----- Original Message -----
> From: "The Long and Winding Road"
> To:
> Sent: Tuesday, March 18, 2003 12:04 AM
> Subject: OSPF Virtual link authentication - observations [7:65628]
>
>
> > Not sure I have this all sorted out correctly. Perhaps those with a bit more
> > experience might add their wisdom, not to mention their corrections.
> >
> > The ospf virtual link being what it is, it follows rules similar to any
> > other interface.
> >
> > It does appear, though, that in terms of structure, it looks something like
> > this:
> >
> > ( commands under the ospf process )
> >
> > area X authentication
> > area X virtual-link y.y.y.y authentication
> > area X virtual-link y.y.y.y authentication-key WORD
> >
> > where X is the non zero area number over which the virtual link transits.
> >
> > In other words, for purposes of structure, the virtual link is not really
> > part of area 0. It is a point-to-point link that is part of the non zero
> > transit area.
> >
> > Am I understanding this correctly? I have a setup working, where the area 0
> > authentication is simple and the transit area authentication is MD5, and no
> > adjacency is formed across the virtual link with simple authentication, but
> > comes up just fine with MD5.
> >
> > Any comments are appreciated.
> >
> > --
> > TANSTAAFL
> > "there ain't no such thing as a free lunch"

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=65668&t=65628
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
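
Added example, not part of the original thread: a Python check of which authentication type a virtual-link adjacency actually carries on the wire. It decodes the 24-byte OSPFv2 header from RFC 2328 A.3.1, which labels packets sent over a virtual link with Area ID 0.0.0.0; the `capture_area` parameter (the area of the interface the packet was seen on), the helper names and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

AUTYPES = {0: "null", 1: "simple", 2: "cryptographic"}  # RFC 2328 Appendix D

def parse_ospf_header(pkt: bytes) -> dict:
    """Decode the fixed 24-byte OSPFv2 packet header (RFC 2328 A.3.1)."""
    if len(pkt) < 24:
        raise ValueError("truncated OSPF header")
    ver, ptype, _len, rid, area, _ck, autype = struct.unpack("!BBH4s4sHH", pkt[:16])
    if ver != 2:
        raise ValueError("not OSPFv2")
    hdr = {
        "type": ptype,
        "router_id": str(ipaddress.IPv4Address(rid)),
        "area_id": str(ipaddress.IPv4Address(area)),
        "autype": AUTYPES.get(autype, f"unknown({autype})"),
    }
    if autype == 2:
        # Cryptographic auth field: 0, Key ID, Auth Data Len, Sequence Number
        _zero, key_id, auth_len, seq = struct.unpack("!HBBI", pkt[16:24])
        hdr.update(key_id=key_id, auth_len=auth_len, seq=seq)
    return hdr

def classify(pkt: bytes, capture_area: str) -> str:
    """capture_area: area of the interface the packet was seen on (assumption)."""
    hdr = parse_ospf_header(pkt)
    # Backbone-labelled packet seen inside a non-backbone area: treat it as
    # virtual-link traffic crossing the transit area (heuristic).
    on_vlink = hdr["area_id"] == "0.0.0.0" and capture_area != "0.0.0.0"
    scope = "virtual-link" if on_vlink else "area " + hdr["area_id"]
    # Null means no authentication; simple sends the key in cleartext.
    verdict = "ok" if hdr["autype"] == "cryptographic" else "weak"
    return f"{scope}: {hdr['autype']} ({verdict})"

def _sample(area: str, autype: int, auth: bytes) -> bytes:
    """Constructed Hello header; checksum left at zero, body omitted."""
    return struct.pack("!BBH4s4sHH", 2, 1, 44,
                       ipaddress.IPv4Address("10.0.0.1").packed,
                       ipaddress.IPv4Address(area).packed, 0, autype) + auth

# Constructed samples, as if captured on a transit-area (area 1) interface.
VLINK_MD5 = _sample("0.0.0.0", 2, struct.pack("!HBBI", 0, 1, 16, 1000))
VLINK_SIMPLE = _sample("0.0.0.0", 1, b"WORD\x00\x00\x00\x00")
AREA1_MD5 = _sample("0.0.0.1", 2, struct.pack("!HBBI", 0, 1, 16, 2000))

if __name__ == "__main__":
    for p in (VLINK_MD5, VLINK_SIMPLE, AREA1_MD5):
        print(classify(p, capture_area="0.0.0.1"))
```
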