vlink-peer (OSPF area view)
Use vlink-peer to configure a virtual link.
Use undo vlink-peer to remove a virtual link.
Syntax
vlink-peer router-id [ dead seconds | hello seconds | { { hmac-md5 | md5 } key-id { cipher | plain } string | keychain keychain-name | simple { cipher | plain } string } | retransmit seconds | trans-delay seconds ] *
undo vlink-peer router-id [ dead | hello | { hmac-md5 | md5 } key-id | keychain | retransmit | simple | trans-delay ] *
Default
No virtual links exist.
Views
OSPF area view
Predefined user roles
network-admin
Parameters
router-id: Specifies the router ID of the neighbor on the virtual link.
dead seconds: Specifies the dead interval in the range of 1 to 32768 seconds. The default is 40. The dead interval must be identical to that on the virtual link neighbor and at least four times the hello interval.
hello seconds: Specifies the hello interval in the range of 1 to 8192 seconds. The default is 10. It must be identical to the hello interval on the virtual link neighbor.
hmac-md5: Specifies the HMAC-MD5 authentication mode.
md5: Specifies the MD5 authentication mode.
simple: Specifies the simple authentication mode.
key-id: Specifies the key ID for MD5 or HMAC-MD5 authentication, in the range of 1 to 255.
cipher: Specifies a key in encrypted form.
plain: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies the key. This argument is case sensitive.
In simple authentication mode, the plaintext form of the key is a string of 1 to 8 characters. The encrypted form of the key is a string of 33 to 41 characters.
In MD5/HMAC-MD5 authentication mode, the plaintext form of the key is a string of 1 to 16 characters. The encrypted form of the key is a string of 33 to 53 characters.
keychain: Specifies the keychain authentication mode.
keychain-name: Specifies a keychain by its name, a case-sensitive string of 1 to 63 characters.
retransmit seconds: Specifies the retransmission interval in the range of 1 to 3600 seconds. The default is 5.
trans-delay seconds: Specifies the transmission delay interval in the range of 1 to 3600 seconds. The default is 1.
Usage guidelines
As defined in RFC 2328, all non-backbone areas must maintain connectivity to the backbone. You can use the vlink-peer command to configure a virtual link to connect an area to the backbone.
When you configure this command, follow these guidelines:
The smaller the hello interval is, the faster the network converges, and the more network resources are consumed.
A retransmission interval that is too small can cause unnecessary retransmissions. A large value is appropriate for a low-speed link.
Specify an appropriate transmission delay with the trans-delay keyword.
You can specify either MD5/HMAC-MD5 authentication or simple authentication for a virtual link. For MD5/HMAC-MD5 authentication, you can configure multiple keys by executing this command multiple times, and each command must have a unique key ID and key string.
To modify the key of a virtual link, perform the following key rollover configurations:
Configure a new MD5/HMAC-MD5 authentication key for the virtual link on the local device. If the new key is not configured on the neighbor device, MD5/HMAC-MD5 authentication key rollover is triggered. During key rollover, OSPF sends multiple packets that contain both the new and old MD5/HMAC-MD5 authentication keys to ensure that the neighbor device can pass the authentication.
Configure the new MD5/HMAC-MD5 authentication key on the neighbor device. When the local device receives packets with the new key from the neighbor device, it exits MD5 key rollover.
Delete the old MD5/HMAC-MD5 authentication key from the local device and the neighbor. This step helps prevent attacks from devices that use the old key for communication and reduces the system resource and bandwidth consumption caused by key rollover.
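The following is an added example, not vendor code: a Python linter for vlink-peer command lines that applies the ranges, defaults, dead/hello rule and rollover cleanup step described above. It assumes one command per line and groups findings by router ID; the key strings in the sample are constructed placeholders, and the clear-text remark for simple mode comes from RFC 2328 rather than from this page.

```python
from collections import defaultdict
# Ranges and defaults copied from the parameter descriptions on this page.
TIMERS = {"dead": (1, 32768, 40), "hello": (1, 8192, 10),
          "retransmit": (1, 3600, 5), "trans-delay": (1, 3600, 1)}

def audit_vlinks(config_text):
    # Returns sorted (router_id, finding) pairs for the vlink-peer commands.
    findings = set()
    timers = defaultdict(lambda: {k: v[2] for k, v in TIMERS.items()})
    md5_ids = defaultdict(set)
    for line in config_text.splitlines():
        tok = line.split()
        if len(tok) < 2 or tok[0] != "vlink-peer":
            continue
        peer, i = tok[1], 2
        timers[peer]  # register the peer even when it keeps the defaults
        while i < len(tok):
            kw = tok[i]
            if kw in TIMERS and i + 1 < len(tok):
                lo, hi, _ = TIMERS[kw]
                val = int(tok[i + 1])
                if not lo <= val <= hi:
                    findings.add((peer, f"{kw} {val} outside {lo}-{hi}"))
                timers[peer][kw] = val
                i += 2
            elif kw in ("md5", "hmac-md5") and i + 1 < len(tok):
                md5_ids[peer].add(int(tok[i + 1]))
                i += 4  # keyword, key-id, cipher|plain, string
            elif kw == "simple":
                findings.add((peer, "simple mode: key crosses the network in clear text"))
                i += 3  # keyword, cipher|plain, string
            elif kw == "keychain":
                i += 2  # keyword, keychain-name
            else:
                findings.add((peer, f"unparsed token {kw!r}"))
                i += 1
    for peer, t in timers.items():
        if t["dead"] < 4 * t["hello"]:
            findings.add((peer, f"dead {t['dead']} < 4 x hello {t['hello']}"))
        if len(md5_ids[peer]) > 1:
            ids = ",".join(map(str, sorted(md5_ids[peer])))
            findings.add((peer, f"key IDs {ids} configured: old key not yet deleted"))
    return sorted(findings)
# Constructed sample input, not taken from a real device.
SAMPLE = """\
vlink-peer 1.1.1.1 hello 20 dead 40 simple cipher EXAMPLE-ONLY
vlink-peer 2.2.2.2 hmac-md5 1 cipher EXAMPLE-OLD
vlink-peer 2.2.2.2 hmac-md5 2 cipher EXAMPLE-NEW
vlink-peer 3.3.3.3 keychain kc1 retransmit 5
"""
```

Calling audit_vlinks(SAMPLE) reports the dead/hello mismatch and simple mode on 1.1.1.1 and the two coexisting key IDs on 2.2.2.2; the keychain link on 3.3.3.3 produces no finding.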
When keychain authentication is configured for an OSPF virtual link, OSPF performs the following operations before sending a packet:
Obtains a valid send key from the keychain.
OSPF does not send the packet if it fails to obtain a valid send key.
Uses the key ID, authentication algorithm, and key string to authenticate the packet.
If the key ID is greater than 255, OSPF does not send the packet.
When keychain authentication is configured for an OSPF virtual link, OSPF performs the following operations after receiving a packet:
Uses the key ID carried in the packet to obtain a valid accept key from the keychain.
OSPF discards the packet if it fails to obtain a valid accept key.
Uses the authentication algorithm and key string for the valid accept key to authenticate the packet.
If the authentication fails, OSPF discards the packet.
OSPF supports the MD5 and HMAC-MD5 authentication algorithms.
The ID of keys used for authentication can only be in the range of 0 to 255.
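The send and receive decisions listed above can be modelled as follows. This is an added example, not the device implementation: the Key fields, the integer timestamps used for the lifetime windows, the "newest send window wins" tie-break and the stdlib HMAC-MD5 tag (which does not reproduce the OSPF on-wire digest layout) are all assumptions, and the keys are constructed.

```python
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Key:
    key_id: int
    secret: bytes
    send: tuple    # (start, end) send window, assumed representation
    accept: tuple  # (start, end) accept window, assumed representation

def _tag(key, payload):
    # Stand-in MAC: stdlib HMAC-MD5, not the OSPF on-wire digest layout.
    return hmac.new(key.secret, payload, "md5").digest()

def send(keychain, payload, now):
    """Return (key_id, payload, tag), or None when the packet is not sent."""
    valid = [k for k in keychain if k.send[0] <= now < k.send[1]]
    if not valid:
        return None  # no valid send key: the packet is not sent
    key = max(valid, key=lambda k: k.send[0])  # assumption: newest window wins
    if key.key_id > 255:
        return None  # key ID greater than 255: the packet is not sent
    return key.key_id, payload, _tag(key, payload)

def receive(keychain, packet, now):
    """Return True when the packet is accepted, False when it is discarded."""
    key_id, payload, tag = packet
    for k in keychain:
        if k.key_id == key_id and k.accept[0] <= now < k.accept[1]:
            return hmac.compare_digest(tag, _tag(k, payload))
    return False  # no valid accept key for the carried key ID

# Constructed keychain: key 1 rolls over to key 2 with overlapping accept
# windows; key 300 is valid in a keychain but too large for OSPF to send.
KEYCHAIN = [
    Key(1, b"example-old", send=(0, 100), accept=(0, 120)),
    Key(2, b"example-new", send=(100, 200), accept=(90, 200)),
    Key(300, b"example-big", send=(200, 300), accept=(200, 300)),
]
```

A packet sent with key 1 at time 99 is still accepted at time 110 because the accept windows overlap, and is discarded at time 130; from time 200 the only valid send key has ID 300, so nothing is sent and the virtual link would lose its adjacency.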
Examples
# Configure a virtual link to the neighbor with router ID 1.1.1.1.
<Sysname> system-view
[Sysname] ospf 100
[Sysname-ospf-100] area 2
[Sysname-ospf-100-area-0.0.0.2] vlink-peer 1.1.1.1
Related commands
authentication-mode
display ospf vlink