IPv6 Training (Cisco) Using the “area virtual-link encryption” Command
The “area virtual-link encryption” command
By Charles Ross CCNP #CSCO10444244
The “area virtual-link encryption” command is a Cisco IOS router configuration mode command that network administrators (like you) use to enable encryption for virtual links in an OSPF area. Below is the proper syntax for the “area virtual-link encryption” command:
area area-id virtual-link router-id [hello-interval seconds] [retransmit-interval seconds] [transmit-delay seconds] [dead-interval seconds] encryption ipsec spi spi esp encryption-algorithm [[key-encryption-type] key] authentication-algorithm [key-encryption-type] key
Once encryption for a virtual link has been configured (enabled) on a Cisco router, the proper way to remove it is to type the word “no” in front of the command, as in the example below:
Router(config-router)# no area area-id virtual-link router-id encryption ipsec spi spi
Remember, if you decide to use any type of “encryption” command on a Cisco router, then you can’t use any type of “authentication” command on the same router, because when you use an “encryption” command on a Cisco router both authentication and encryption are enabled by default.
The “area virtual-link encryption” command Keywords and Arguments Explained:
area-id -- This argument is the identifier of the area assigned to the virtual link. It can be either a decimal value or a valid IPv6 prefix. There is no default.
router-id -- This argument is the router ID of the virtual link neighbor. The router ID appears in the show ipv6 ospf display. There is no default.
hello-interval seconds -- This optional keyword sets the time (in seconds) between the hello packets that the Cisco IOS software sends on an interface. The hello interval is an unsigned integer value that is advertised in the hello packets. The value must be the same for all routers and access servers attached to a common network. The default is 10 seconds.
retransmit-interval seconds -- This optional keyword sets the time (in seconds) between link-state advertisement (LSA) retransmissions for adjacencies belonging to the interface. The retransmit interval is the expected round-trip delay between any two routers on the attached network, so the value must be greater than the expected round-trip delay. The default is 5 seconds.
transmit-delay seconds -- This optional keyword sets the estimated time (in seconds) required to send a link-state update packet on the interface. The value is an integer that must be greater than zero. LSAs in the update packet have their age incremented by this amount before transmission. The default value is 1 second.
dead-interval seconds -- This optional keyword sets the time (in seconds) that hello packets can go unseen before a neighbor declares the router down. The dead interval is an unsigned integer value. The default is four times the hello interval, or 40 seconds. As with the hello interval, this value must be the same for all routers and access servers attached to a common network.
ipsec -- This keyword represents IP Security (IPsec).
spi spi -- This keyword is the Security Policy Index (SPI) and its value. The spi value must be a number from 256 to 4294967295, entered as a decimal.
esp -- This keyword represents Encapsulating Security Payload (ESP).
encryption-algorithm -- This argument is used with the esp keyword, and its value can be any of the following:
• aes-cbc -- Enables AES-CBC encryption
• 3des -- Enables 3DES encryption
• des -- Enables DES encryption
• null -- ESP with no encryption
key-encryption-type -- This optional argument indicates how the key that follows is entered, and can be one of the following values:
• 0 -- The key is not encrypted
• 7 -- The key is encrypted
key -- This argument is an optional number that is used in the calculation of the message digest. The number is 32 hex digits (16 bytes) long, and the size of the key depends on the encryption algorithm used. Some algorithms, such as AES-CBC, allow the user to choose the size of the key.
authentication-algorithm -- This argument indicates the encryption authentication algorithm to be used, and its value can be one of the following:
• md5 -- Enables Message Digest 5 (MD5)
• sha-1 -- Enables SHA-1
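To show how the syntax and the keyword ranges above fit together, here is an added example (not Cisco code and not part of the original article): a small Python audit script that parses “area … virtual-link … encryption ipsec …” lines exactly as the syntax on this page spells them out, checks the SPI range and key format the article gives, compares the timers and IPsec parameters of the two ends of a virtual link, and flags algorithm choices a reviewer would want to see replaced. The sample configuration lines, the router IDs and the keys are constructed for the example; the list of algorithms treated as weak is a reviewer policy assumed here, not something the command reference states.

```python
"""Audit OSPFv3 virtual-link encryption commands from an IOS config excerpt.

Added example (not Cisco's code). The grammar parsed is the one given on
this page; the weak-algorithm list is an assumed reviewer policy.
"""
import re

ENCRYPTION_ALGS = {"aes-cbc", "3des", "des", "null"}
AUTH_ALGS = {"md5", "sha-1"}
KEY_ENCRYPTION_TYPES = {"0", "7"}
TIMERS = {"hello-interval", "retransmit-interval", "transmit-delay", "dead-interval"}
SPI_MIN, SPI_MAX = 256, 4294967295
# Assumption (reviewer policy, not from the command reference): what to flag as weak.
WEAK_ALGS = {"des", "3des", "null", "md5"}


def parse_virtual_link(line):
    """Return a dict with the command's arguments; raise ValueError on bad syntax."""
    try:
        return _parse_tokens(line.split())
    except IndexError:
        raise ValueError(f"command is truncated: {line!r}") from None


def _parse_tokens(t):
    if t[:1] != ["area"] or t[2:3] != ["virtual-link"]:
        raise ValueError(f"not an 'area ... virtual-link' command: {' '.join(t)!r}")
    vl = {"area_id": t[1], "router_id": t[3], "timers": {}}
    i = 4
    while i + 1 < len(t) and t[i] in TIMERS:          # optional timer keyword/value pairs
        vl["timers"][t[i]] = int(t[i + 1])
        i += 2
    if t[i:i + 3] != ["encryption", "ipsec", "spi"]:
        raise ValueError("expected 'encryption ipsec spi <spi>' after the options")
    vl["spi"] = int(t[i + 3])                          # entered as a decimal number
    if t[i + 4:i + 5] != ["esp"]:
        raise ValueError("expected 'esp' after the SPI value")
    i += 5
    if t[i] not in ENCRYPTION_ALGS:
        raise ValueError(f"unknown encryption-algorithm {t[i]!r}")
    vl["encryption_algorithm"] = t[i]
    i += 1
    vl["encryption_key"] = None
    if t[i] not in AUTH_ALGS:                          # optional [[key-encryption-type] key]
        if t[i] in KEY_ENCRYPTION_TYPES:
            i += 1
        vl["encryption_key"] = t[i]
        i += 1
    if t[i] not in AUTH_ALGS:
        raise ValueError(f"unknown authentication-algorithm {t[i]!r}")
    vl["authentication_algorithm"] = t[i]
    i += 1
    if t[i] in KEY_ENCRYPTION_TYPES:                   # optional type before the required key
        i += 1
    vl["authentication_key"] = t[i]
    if i + 1 != len(t):
        raise ValueError(f"unexpected trailing tokens: {t[i + 1:]}")
    return vl


def audit(vl):
    """Findings for one command: SPI range, key format, and weak algorithms."""
    findings = []
    if not SPI_MIN <= vl["spi"] <= SPI_MAX:
        findings.append(f"spi {vl['spi']} outside {SPI_MIN}-{SPI_MAX}")
    for role in ("encryption", "authentication"):
        alg = vl[f"{role}_algorithm"]
        if alg in WEAK_ALGS:
            findings.append(f"weak {role}-algorithm {alg}")
        key = vl[f"{role}_key"]
        # The reference describes the key as 32 hex digits (16 bytes); longer is allowed.
        if key is not None and not re.fullmatch(r"[0-9A-Fa-f]{32,}", key):
            findings.append(f"{role} key is not at least 32 hex digits")
    return findings


def effective_timers(vl):
    """Hello defaults to 10 s; dead defaults to four times the hello interval."""
    hello = vl["timers"].get("hello-interval", 10)
    return hello, vl["timers"].get("dead-interval", 4 * hello)


def compare_ends(a, b):
    """Hello/dead timers must match on all routers on the link, and the SPI and
    algorithms of the manually keyed IPsec SA must match on both ends."""
    findings = []
    if effective_timers(a) != effective_timers(b):
        findings.append("hello/dead intervals differ between the two ends")
    for name in ("spi", "encryption_algorithm", "authentication_algorithm"):
        if a[name] != b[name]:
            findings.append(f"{name} differs between the two ends")
    return findings


# Constructed sample lines for the two ends of one virtual link plus a weak one.
KEY = "0123456789abcdef0123456789abcdef"
SAMPLE_R1 = (f"area 1 virtual-link 10.0.0.2 hello-interval 10 dead-interval 40 "
             f"encryption ipsec spi 500 esp aes-cbc 0 {KEY} sha-1 0 {KEY}")
SAMPLE_R2 = f"area 1 virtual-link 10.0.0.1 encryption ipsec spi 500 esp aes-cbc 0 {KEY} sha-1 0 {KEY}"
SAMPLE_WEAK = "area 1 virtual-link 10.0.0.3 dead-interval 30 encryption ipsec spi 100 esp des 0 cafe md5 0 cafe"

if __name__ == "__main__":
    for name, line in (("R1", SAMPLE_R1), ("R2", SAMPLE_R2), ("R3", SAMPLE_WEAK)):
        print(name, audit(parse_virtual_link(line)) or "ok")
    print("R1<->R2", compare_ends(parse_virtual_link(SAMPLE_R1), parse_virtual_link(SAMPLE_R2)) or "consistent")
```

Run it against lines copied from show running-config on each end of the link: a clean pair prints “ok” for both routers and “consistent” for the comparison, while the weak sample reports the out-of-range SPI, the short keys, and the DES/MD5 choices in one pass.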
I hope this article was very informative and helped you quickly understand the usage, keywords and arguments of the “area virtual-link encryption” command. If you need to learn more about the command, I suggest you visit my website, where you’ll find the latest information regarding Cisco IPv6 Design and Implementation Techniques.
To your success,
Charles Ross
CCNP #CSCO10444244