Cisco Ebook: Chapter 03: Configuring the Open Shortest Path First Protocol (Part06)

Configuring and Verifying OSPF Authentication

As introduced in Chapter 2, you can prevent your router from receiving fraudulent route updates by configuring neighbor router authentication. OSPF neighbor authentication (also called neighbor router authentication or route authentication) can be configured such that routers can participate in routing based on predefined passwords.

Recall that when neighbor authentication has been configured on a router, the router authenticates the source of each routing update packet that it receives. This is accomplished by the exchange of an authenticating key (sometimes referred to as a password) that is known to both the sending and the receiving router.

By default, OSPF uses null authentication, which means that routing exchanges over a network are not authenticated. OSPF supports two other authentication methods: simple password authentication (also called plain-text authentication), and MD5 authentication.

Planning for OSPF Authentication

Before configuring OSPF authentication, the network administrator must examine the existing OSPF configuration and define the authentication requirements. The OSPF authentication requirements include the authentication type—none, simple password, or MD5—and the key (the password).

Configuring, Verifying, and Troubleshooting OSPF Simple Password Authentication

This section describes how to configure, verify, and troubleshoot OSPF simple password authentication. Configuring simple password authentication on virtual links is also examined.

Configuring OSPF Simple Password Authentication

To configure OSPF simple password authentication, complete the following steps:

Step 1

Assign a password (key) to be used when using OSPF simple password authentication with neighboring routers, using the ip ospf authentication-key password interface configuration command. The password parameter is any continuous string of characters that can be entered from the keyboard up to 8 bytes in length

Note

In Cisco IOS Release 12.4, the router will give a warning message if you try to configure a password longer than eight characters; only the first eight characters will be used. Some earlier Cisco IOS releases did not provide this warning.

The password created by this command is used as a “key” that is inserted directly into the OSPF header when the Cisco IOS Software originates routing protocol packets. A separate password can be assigned to each network on a per-interface basis. All neighboring routers on the same network must have the same password to be able to exchange OSPF information.

Note

If the service password-encryption command is not used when configuring OSPF authentication, the password will be stored as plain text in the router configuration. If you configure the service password-encryption command, the password will be stored and displayed in an encrypted form, and when it is displayed, there will be an encryption type of 7 specified before the encrypted password.

Step 2

Specify the authentication type using the ip ospf authentication [message-digest | null] interface configuration command. Table 3-27 describes the parameters of the ip ospf authentication command.

Table 3-27: *ip ospf authentication* Command Parameters
Open table as spreadsheet
Parameter	Description
message-digest	(Optional) Specifies that MD5 authentication will be used.
null	(Optional) No authentication is used. Useful for overriding simple password or MD5 authentication if configured for an area.

For simple password authentication, use the ip ospf authentication command without any parameters. Before using this command, configure a password for the interface using the ip ospf authentication-key command.

The ip ospf authentication command was introduced in Cisco IOS Software Release 12.0. For backward compatibility, authentication type for an area is still supported. If the authentication type is not specified for an interface, the authentication type for the area will be used (the area default is null authentication). To enable authentication for an OSPF area, use the area area-id authentication [message-digest] router configuration command. Table 3-28 describes the parameters of the area authentication command.

Table 3-28: *area authentication* Command Parameters
Open table as spreadsheet
Parameter	Description
area-id	Identifier of the area for which authentication is to be enabled. The identifier can be specified as either a decimal value or an IP address.
message-digest	(Optional) Enables MD5 authentication for the area specified by the area-id argument.

For simple password authentication, use the area authentication command with no parameters.

Simple Password Authentication Example

Figure 3-55 shows the network used to illustrate the configuration, verification, and troubleshooting of simple password authentication. The configuration of the R1 and R2 routers are shown in Example 3-43.

Figure 3-55: Simple Password Authentication Example.

Example 3-43: Configuration of Routers R1 and R2 in Figure 3-55


Router R1:

interface Loopback0
ip address 10.1.1.1 255.255.255.0


interface Serial0/0/1
ip address 192.168.1.101 255.255.255.224
ip ospf authentication
ip ospf authentication-key plainpas


router ospf 10
log-adjacency-changes
network 10.1.1.1 0.0.0.0 area 0
network 192.168.1.0 0.0.0.255 area 0

Router R2:

interface Loopback0
ip address 10.2.2.2 255.255.255.0


interface Serial0/0/1
ip address 192.168.1.102 255.255.255.224
ip ospf authentication
ip ospf authentication-key plainpas


router ospf 10
log-adjacency-changes
network 10.2.2.2 0.0.0.0 area 0
network 192.168.1.0 0.0.0.255 area 0

Notice that the connecting interfaces on both R1 and R2 are configured for the same type of authentication with the same authentication key. Simple password authentication is configured on interface Serial 0/0/1 on both routers, with the ip ospf authentication command. The interfaces are configured with an authentication key of plainpas.

Verifying Simple Password Authentication

Example 3-44 shows the output of the show ip ospf interface, show ip ospf neighbor, and show ip route commands on the R1 router in Figure 3-55. From the show ip ospf interface and show ip ospf neighbor output, you see that R1 has one adjacent neighbor, and simple password authentication is enabled. The results of a ping to the R2 loopback interface address are also displayed to illustrate that the link is working.

Example 3-44: Verifying Simple Password Authentication on R1 in Figure 3-55

R1#show ip ospf interface
Serial0/0/1 is up, line protocol is up
 Internet Address 192.168.1.101/27, Area 0
 Process ID 1, Router ID 10.1.1.1, Network Type POINT_TO_POINT, Cost: 64
 Transmit Delay is 1 sec, State POINT_TO_POINT

 Neighbor Count is 1, Adjacent neighbor count is 1
   Adjacent with neighbor 10.2.2.2
 Suppress hello for 0 neighbor(s)
 Simple password authentication enabled


R1#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.2.2.2          0   FULL/  -        00:00:32    192.168.1.102   Serial0/0/1
R1#show ip route

Gateway of last resort is not set
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O        10.2.2.2/32 [110/782] via 192.168.1.102, 00:01:17, Serial0/0/1
C        10.1.1.0/24 is directly connected, Loopback0
     192.168.1.0/27 is subnetted, 1 subnets
C        192.168.1.96 is directly connected, Serial0/0/1

R1#ping 10.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/29/32 ms

Notice in the show ip ospf neighbor command output that the neighbor state is FULL, indicating that the two routers have successfully formed an OSPF adjacency. The routing table verifies that the 10.2.2.2 address has been learned via OSPF over the serial connection.

Troubleshooting Simple Password Authentication

If the authentication configuration between routers is correct, an OSPF neighbor relationship is established, routing updates are exchanged, and OSPF routes enter the IP routing table.

OSPF authentication issues between routers may arise from the following problems:

If authentication is not configured on both routers
If different authentication types are configured on the routers
If different passwords are configured on the routers

The debug ip ospf adj command is used to display OSPF adjacency-related events and is useful when troubleshooting authentication.

Successful Simple Password Authentication Example

The output of the debug ip ospf adj command in Example 3-45 illustrates successful communication on the R1 router in Figure 3-55 after the serial 0/0/1 interface, on which simple password authentication has been configured, comes up.

Note

Although this debug ip ospf adj output does not indicate anything about the authentication, it does show that the two routers successfully form a FULL adjacency. As the output in the next section illustrates, this command output does display authentication failures if there are any. During testing we were unable to find any debug command output that displayed information about successful OSPF simple password authentication.

Example 3-45: Successful: Simple Password Authentication on R1 in Figure 3-55

*Apr 20 18:41:51.242: OSPF: Interface Serial0/0/1 going Up
*Apr 20 18:41:51.742: OSPF: Build router LSA for area 0, router ID 10.1.1.1, seq
0x80000013
*Apr 20 18:41:52.242: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1,
changed state to up
*Apr 20 18:42:01.250: OSPF: 2 Way Communication to 10.2.2.2 on Serial0/0/1, state
2WAY
*Apr 20 18:42:01.250: OSPF: Send DBD to 10.2.2.2 on Serial0/0/1 seq 0x9B6 opt
0x52 flag 0x7 len 32
*Apr 20 18:42:01.262: OSPF: Rcv DBD from 10.2.2.2 on Serial0/0/1 seq 0x23ED
opt0x52 flag 0x7 len 32  mtu 1500 state EXSTART
*Apr 20 18:42:01.262: OSPF: NBR Negotiation Done. We are the SLAVE
*Apr 20 18:42:01.262: OSPF: Send DBD to 10.2.2.2 on Serial0/0/1 seq 0x23ED opt
0x52 flag 0x2 len 72
*Apr 20 18:42:01.294: OSPF: Rcv DBD from 10.2.2.2 on Serial0/0/1 seq 0x23EE
opt0x52 flag 0x3 len 72  mtu 1500 state EXCHANGE
*Apr 20 18:42:01.294: OSPF: Send DBD to 10.2.2.2 on Serial0/0/1 seq 0x23EE opt
0x52 flag 0x0 len 32
*Apr 20 18:42:01.294: OSPF: Database request to 10.2.2.2
*Apr 20 18:42:01.294: OSPF: sent LS REQ packet to 192.168.1.102, length 12
*Apr 20 18:42:01.314: OSPF: Rcv DBD from 10.2.2.2 on Serial0/0/1 seq 0x23EF
opt0x52 flag 0x1 len 32  mtu 1500 state EXCHANGE
*Apr 20 18:42:01.314: OSPF: Exchange Done with 10.2.2.2 on Serial0/0/1
*Apr 20 18:42:01.314: OSPF: Send DBD to 10.2.2.2 on Serial0/0/1 seq 0x23EF opt
0x52 flag 0x0 len 32
*Apr 20 18:42:01.326: OSPF: Synchronized with 10.2.2.2 on Serial0/0/1, state FULL
*Apr 20 18:42:01.330: %OSPF-5-ADJCHG: Process 10, Nbr 10.2.2.2 on Serial0/0/1 from
LOADING to
FULL, Loading Done
*Apr 20 18:42:01.830: OSPF: Build router LSA for area 0, router ID 10.1.1.1, seq
0x80000014

The output of the show ip ospf neighbor command shown in Example 3-46 illustrates that R1 has successfully formed an adjacency with R2.

Example 3-46: R1 and R2 in Figure 3-55 Have Formed an Adjacency

R1#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address        Interface
10.2.2.2          0   FULL/  -        00:00:34    192.168.1.102   Serial0/0/1

Troubleshooting Simple Password Authentication Problems Example

Using the network in Figure 3-55, if simple password authentication is configured on the R1 serial 0/0/1 interface but no authentication is configured on the R2 serial 0/0/1 interface, the routers will not be able to form an adjacency over that link. The output of the debug ip ospf adj command shown in Example 3-47 illustrates that the routers report a mismatch in authentication type. No OSPF packets will be sent between the neighbors.

Example 3-47: Simple Password Authentication on R1 and no Authentication on R2 in Figure 3-55

R1#
*Apr 17 18:51:31.242: OSPF: Rcv pkt from 192.168.1.102, Serial0/0/1 : Mismatch
Authentication type. Input packet specified type 0, we use type 1

R2#
*Apr 17 18:50:43.046: OSPF: Rcv pkt from 192.168.1.101, Serial0/0/1 : Mismatch
Authentication type. Input packet specified type 1, we use type 0

Note

The different types of OSPF authentication have the following type codes:

Null—Type 0
Simple password—Type 1
MD5—Type 2

If simple password authentication is configured on the R1 Serial 0/0/1 interface and on the R2 Serial 0/0/1 interface, but with different passwords, the routers will not be able to form an adjacency over that link. The outputs of the debug ip ospf adj command shown in Example 3-48 illustrate that the routers report a mismatch in authentication key. No OSPF packets will be sent between the neighbors.

Example 3-48: Simple Password Authentication on R1 and R2 in Figure 3-55, but with Different Passwords

R1#
*Apr 17 18:54:01.238: OSPF: Rcv pkt from 192.168.1.102, Serial0/0/1 : Mismatch
Authentication Key - Clear Text

R2#
*Apr 17 18:53:13.050: OSPF: Rcv pkt from 192.168.1.101, Serial0/0/1 : Mismatch
Authentication Key - Clear Text

Configuring OSPF Simple Password Authentication for Virtual Links

Figure 3-56 illustrates a network with a virtual link. The configuration of simple password authentication for the virtual link, on routers R1 and R3, is also shown in the figure.

Figure 3-56: OSPF Simple Password Authentication over a Virtual Link.

On router R1, simple password authentication is configured for the whole area 0, with the area 0 authentication command. The virtual link, connecting area 2 to area 0, is created via transit area 1 with plain text authentication and the authentication key cisco, with the area 1 virtual-link 3.3.3.3 authentication-key cisco command.

The configuration of router R3 is similar to router R1.

Configuring, Verifying, and Troubleshooting MD5 Authentication

This section describes how to configure, verify, and troubleshoot OSPF MD5 authentication.

Note

OSPF MD5 authentication includes a nondecreasing sequence number in each OSPF packet to protect against replay attacks.

Configuring OSPF MD5 Authentication

With OSPF MD5 authentication, a key and key ID are configured on each router. To configure OSPF MD5 authentication, complete the following steps:

Step 1

Assign a key ID and key to be used with neighboring routers that are using the OSPF MD5 authentication, using the ip ospf message-digest-key key-id md5 key interface configuration command. Table 3-29 describes the parameters in the ip ospf message-digest-key command.

Table 3-29: *ip ospf message-digest-key* Command Parameters
Open table as spreadsheet
Parameter	Description
key-id	An identifier in the range from 1 to 255
Key	Alphanumeric password of up to 16 bytes

The key and the key ID specified in this command are used to generate a message digest (also called a hash) of each OSPF packet. The message digest is appended to the packet. A separate password can be assigned to each network on a per-interface basis.

Note

In Cisco IOS Release 12.4, the router will give a warning message if you try to configure a password longer than 16 characters, and only the first 16 characters will be used. Some earlier Cisco IOS releases did not provide this warning.

Usually, one key per interface is used to generate authentication information when sending packets and to authenticate incoming packets. All neighboring routers on the same network must have the same password to be able to exchange OSPF information. In other words, the same key-id on the neighbor router must have the same key value.

The key-id allows for uninterrupted transitions between keys, which is helpful for administrators who want to change the OSPF password without disrupting communication. If an interface is configured with a new key, the router will send multiple copies of the same packet, each authenticated by different keys. The router will stop sending duplicate packets when it detects that all of its neighbors have adopted the new key.

The process of changing keys is as follows. Suppose the current configuration is as follows:

interface FastEthernet 0/0
ip ospf message-digest-key 100 md5 OLD

The following configuration is then added:

interface FastEthernet 0/0
ip ospf message-digest-key 101 md5 NEW

The router assumes its neighbors do not have the new key yet, so it begins a rollover process. It sends multiple copies of the same packet, each authenticated by different keys. In this example, the router sends out two copies of the same packet: the first one authenticated by key 100 and the second one authenticated by key 101.

Rollover allows neighboring routers to continue communication while the network administrator is updating them with the new key. Rollover stops once the local system finds that all its neighbors know the new key. The system detects that a neighbor has the new key when it receives packets from the neighbor authenticated by the new key.

After all neighbors have been updated with the new key, the old key should be removed. In this example, you would enter the following:

interface FastEthernet 0/0
no ip ospf message-digest-key 100

From then on, only key 101 is used for authentication on interface Fast Ethernet 0/0.

Cisco recommends that you not keep more than one key per interface. Every time you add a new key, you should remove the old key to prevent the local router from continuing to communicate with a hostile system that knows the old key.

Note

If the service password-encryption command is not used when implementing OSPF authentication, the key will be stored as plain text in the router configuration. If you configure the service password-encryption command, the key will be stored and displayed in an encrypted form; when it is displayed, there will be an encryption-type of 7 specified before the encrypted key.

Step 2

Specify the authentication type using the ip ospf authentication [message-digest | null] interface configuration command. The parameters for this command are as described in the “Configuring OSPF Simple Password Authentication” section, earlier in this chapter. For MD5 authentication, use the ip ospf authentication command with the message-digest parameter. Before using this command, configure the message digest key for the interface with the ip ospf message-digest-key command.

Recall that the ip ospf authentication command was introduced in Cisco IOS Software Release 12.0. As for simple password authentication, the MD5 authentication type for an area is still supported using the area area-id authentication message-digest router configuration command, for backward compatibility.

MD5 Authentication Example

Figure 3-57 shows the network used to illustrate the configuration, verification, and troubleshooting of MD5 authentication. The configuration of the R1 and R2 routers are shown in Example 3-49.

Figure 3-57: MD5 Authentication Example.

Example 3-49: Configuration of Routers R1 and R2 in Figure 3-57

Router R1:

interface Loopback0
ip address 10.1.1.1 255.255.255.0


interface Serial0/0/1
ip address 192.168.1.101 255.255.255.224
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 secretpass


router ospf 10
log-adjacency-changes
network 10.1.1.1 0.0.0.0 area 0
network 192.168.1.0 0.0.0.255 area 0

Router R2:

interface Loopback0
ip address 10.2.2.2 255.255.255.0


interface Serial0/0/1
ip address 192.168.1.102 255.255.255.224
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 secretpass

router ospf 10
log-adjacency-changes
network 10.2.2.2 0.0.0.0 area 0

Notice that the connecting interfaces on both R1 and R2 are configured for the same type of authentication with the same authentication key and key ID. MD5 authentication is configured on interface Serial 0/0/1 on both routers with the ip ospf authentication message-digest command. The interfaces on both routers are configured with an authentication key number 1 set to secretpass.

Verifying MD5 Authentication

Example 3-50 shows the output of the show ip ospf interface, show ip ospf neighbor and show ip route commands on the R1 router in Figure 3-57. The results of a ping to the R2 loopback interface address is also displayed to illustrate that the link is working.

Example 3-50: Verifying MD5 Authentication on R1 in Figure 3-57

R1#show ip ospf interface
Serial0/0/1 is up, line protocol is up
 Internet Address 192.168.1.101/27, Area 0
 Process ID 10, Router ID 10.1.1.1, Network Type POINT_TO_POINT, Cost: 64
 Transmit Delay is 1 sec, State POINT_TO_POINT

 Neighbor Count is 1, Adjacent neighbor count is 1
   Adjacent with neighbor 10.2.2.2
 Suppress hello for 0 neighbor(s)
 Message digest authentication enabled
   Youngest key id is 1


R1#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.2.2.2          0   FULL/  -        00:00:31    192.168.1.102   Serial0/0/1

R1#show ip route

Gateway of last resort is not set
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O       10.2.2.2/32 [110/782] via 192.168.1.102, 00:00:37, Serial0/0/1
C       10.1.1.0/24 is directly connected, Loopback0
    192.168.1.0/27 is subnetted, 1 subnets
C       192.168.1.96 is directly connected, Serial0/0/1

R1#ping 10.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms

Notice that the show ip ospf interface output shows that router R1 has on adjacent neighbor and that message digest authentication is enabled. The show ip ospf neighbor command output shows that that the neighbor state is FULL, indicating that the two routers have successfully formed an OSPF adjacency. The routing table verifies that the 10.2.2.2 address has been learned via OSPF over the serial connection.

Troubleshooting MD5 Authentication

As for simple password authentication, the debug ip ospf adj command is used to display OSPF adjacency-related events and is very useful when troubleshooting MD5 authentication.

Successful MD5 Authentication Example

The output of the debug ip ospf adj command in Example 3-51 illustrates successful MD5 authentication on the R1 router in Figure 3-57 after the Serial 0/0/1 interface, on which authentication has been configured, comes up.

Example 3-51: Successful MD5 Authentication on R1 in Figure 3-57

R1#debug ip ospf adj
OSPF adjacency events debugging is on
*Apr 20 17:13:56.530: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to up
*Apr 20 17:13:56.530: OSPF: Interface Serial0/0/1 going Up
*Apr 20 17:13:56.530: OSPF: Send with youngest Key 1
*Apr 20 17:13:57.030: OSPF: Build router LSA for area 0, router ID 10.1.1.1, seq
0x80000009
*Apr 20 17:13:57.530: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1,
changed state to up
*Apr 20 17:14:06.530: OSPF: Send with youngest Key 1
*Apr 20 17:14:06.546: OSPF: 2 Way Communication to 10.2.2.2 on Serial0/0/1, state
2WAY
*Apr 20 17:14:06.546: OSPF: Send DBD to 10.2.2.2 on Serial0/0/1 seq 0xB37 opt
0x52 flag 0x7 len 32
*Apr 20 17:14:06.546: OSPF: Send with youngest Key 1
*Apr 20 17:14:06.562: OSPF: Rcv DBD from 10.2.2.2 on Serial0/0/1 seq 0x32F opt 0
x52 flag 0x7 len 32  mtu 1500 state EXSTART
*Apr 20 17:14:06.562: OSPF: NBR Negotiation Done. We are the SLAVE
*Apr 20 17:14:06.562: OSPF: Send DBD to 10.2.2.2 on Serial0/0/1 seq 0x32F opt
0x52 flag 0x2 len 72
*Apr 20 17:14:06.562: OSPF: Send with youngest Key 1
*Apr 20 17:14:06.602: OSPF: Rcv DBD from 10.2.2.2 on Serial0/0/1 seq 0x330 opt
0x52 flag 0x3 len 72  mtu 1500 state EXCHANGE
*Apr 20 17:14:06.602: OSPF: Send DBD to 10.2.2.2 on Serial0/0/1 seq 0x330 opt
0x52 flag 0x0 len 32
*Apr 20 17:14:06.602: OSPF: Send with youngest Key 1
*Apr 20 17:14:06.602: OSPF: Database request to 10.2.2.2
*Apr 20 17:14:06.602: OSPF: Send with youngest Key 1
*Apr 20 17:14:06.602: OSPF: sent LS REQ packet to 192.168.1.102, length 12
*Apr 20 17:14:06.614: OSPF: Send with youngest Key 1
*Apr 20 17:14:06.634: OSPF: Rcv DBD from 10.2.2.2 on Serial0/0/1 seq 0x331 opt
0x52 flag 0x1 len 32  mtu 1500 state EXCHANGE
*Apr 20 17:14:06.634: OSPF: Exchange Done with 10.2.2.2 on Serial0/0/1
*Apr 20 17:14:06.634: OSPF: Send DBD to 10.2.2.2 on Serial0/0/1 seq 0x331 opt
0x52 flag 0x0 len 32
*Apr 20 17:14:06.634: OSPF: Send with youngest Key 1
*Apr 20 17:14:06.650: OSPF: Synchronized with 10.2.2.2 on Serial0/0/1, state FULL
*Apr 20 17:14:06.650: %OSPF-5-ADJCHG: Process 10, Nbr 10.2.2.2 on Serial0/0/1 from
LOADING to FULL, Loading Done
*Apr 20 17:14:07.150: OSPF: Send with youngest Key 1
*Apr 20 17:14:07.150: OSPF: Build router LSA for area 0, router ID 10.1.1.1, seq
0x8000000A
*Apr 20 17:14:09.150: OSPF: Send with youngest Key 1

The output of the show ip ospf neighbor command shown Example 3-52 illustrates that R1 has successfully formed an adjacency with R2.

Example 3-52: R1 and R2 in Figure 3-57 Have Formed an Adjacency

R1#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.2.2.2          0   FULL/  -        00:00:34    192.168.1.102   Serial0/0/1

Troubleshooting MD5 Authentication Problems Example

Using the network in Figure 3-57 if MD5 authentication is configured on the R1 Serial 0/0/1 interface and on the R2 Serial 0/0/1 interface, but R1 has key 1 and R2 has key 2, the routers will not be able to form an adjacency over that link, even though both have the same passwords configured. The outputs of the debug ip ospf adj command shown in Example 3-53 illustrate that the routers report a mismatch in authentication key. No OSPF packets will be sent between the neighbors.

Example 3-53: MD5 Authentication on R1 and R2 in Figure 3-57 but with Different Key IDs

R1#
*Apr 20 17:56:16.530: OSPF: Send with youngest Key 1
*Apr 20 17:56:26.502: OSPF: Rcv pkt from 192.168.1.102, Serial0/0/1 : Mismatch
Authentication Key - No message digest key 2 on interface
*Apr 20 17:56:26.530: OSPF: Send with youngest Key 1

R2#
*Apr 20 17:55:28.226: OSPF: Send with youngest Key 2
*Apr 20 17:55:28.286: OSPF: Rcv pkt from 192.168.1.101, Serial0/0/1 : Mismatch
Authentication Key - No message digest key 1 on interface
*Apr 20 17:55:38.226: OSPF: Send with youngest Key 2

Summary

In this chapter you learned about the OSPF link-state routing protocol. The chapter focused on the following topics:

Characteristics of link-state routing protocols such as OSPF, including the OSPF tables—the neighbor table (also called the adjacency database), the topology table (also called the topology database or the LSDB), and the routing table (also called the forwarding database).
OSPF’s two-tier hierarchical area structure, with a backbone area 0 and regular areas.
The different types of OSPF routers: internal routers, backbone routers, ABRs, and ASBRs.
How OSPF routers use the Hello protocol to build adjacencies. After two routers establish neighbor adjacency using hello packets, they synchronize their LSDBs by exchanging LSAs and confirming the receipt of LSAs from the adjacent router. Routers on point-to-point links form a full adjacency with each other, whereas routers on LAN links only form a full adjacency with the DR and BDR.
The OSPF metric calculation on Cisco routers, which is based on the link bandwidth by default. If interfaces that are faster than 100 Mbps are being used, you should use the auto-cost reference-bandwidth ref-bw router configuration command on all routers. To override the default cost, manually define the cost using the ip ospf cost interface-cost interface configuration command.
The five types of OSPF packets—hello, DBD, LSR, LSU, and LSAck. Hello packets are used to discover neighbor and build adjacencies. DBDs are used to synchronize the LSDBs. LSRs are used to request specific link-state records, and LSUs are used to send the requested records. LSAck is used to acknowledge the other packet types. OSPF packets are sent in IP packets with protocol 89.
The neighbor states that OSPF may pass through: down, (possibly attempt), init, two-way, exstart, exchange, loading, and full.
The five fields in the hello packet must match on neighboring routers: Hello Interval, Dead Interval, Area ID, Authentication Password, And Stub Area Flag.
Planning OSPF implementations, including the IP addressing, network topology, and OSPF areas. The list of tasks for each router in the network include enabling the OSPF routing protocol (with a process number) directly on an interface or by configuring the proper network commands, assigning the correct area ID to the interface, and optionally configuring the metric to appropriate interfaces.
Basic OSPF configuration commands:
- router ospf process-id global configuration command
- network ip-address wildcard-mask area area-id interface configuration command, or the ip ospf process-id area area-id [secondaries none] interface configuration command
- bandwidth kilobits interface configuration command
- router-id ip-address router configuration command
Commands for verifying OSPF operation:
- show ip ospf
- show ip route
- show ip ospf interface
- show ip ospf neighbor
- show ip route ospf
- show ip protocols
- debug ip ospf events
- debug ip ospf adj
- debug ip ospf packet
How the OSPF router ID is selected: with the router-id ip-address router configuration command, the highest IP address on any active loopback interface, or the highest IP address of any active physical interface when OSPF starts.
The three types of networks defined by OSPF: point-to-point, broadcast, and NBMA.
How a DR and BDR are selected: The router with the highest priority is the DR, the router with the second highest priority is the BDR. The router ID breaks a tie. A router with priority 0 does not become either the DR or the BDR. The priority is set with the ip ospf priority number interface configuration command
The five modes of OSPF operation available for NBMA networks: nonbroadcast and point-to-multipoint RFC modes, and broadcast, point-to-multipoint nonbroadcast, and point-to-point Cisco modes. (Refer to Table 3-11 for a summary of these modes).
The 11 different OSPF LSA types. The first five are the most commonly used: type 1 (router, generated by every router), type 2 (network, generated by DR), type 3 (summary, describes area routes, generated by ABR), type 4 (summary, describes route to ASBR, generated by ABR), and type 5 (external, describes routes to external destinations, generated by ASBR).
The three kinds of OSPF routes: intra-area (O), interarea (O IA), and external (either O E1 or O E2).
Configuring OSPF LSDB overload protection using the max-lsa maximum-number [threshold-percentage] [warning-only] [ignore-time minutes] [ignore-count count-number] [reset-time minutes] router configuration command.
Using the passive-interface type number [default] router configuration command to prevent a routing protocol’s routing updates from being sent through the specified router interface. With OSPF, the specified interface appears as a stub network, and OSPF routing information is neither sent nor received through the specified interface.
How default routes can be used in OSPF to prevent the need for a specific route to all destination networks. The benefit is a much smaller routing table and LSDB, with complete reachability. Propagate an OSPF default route using the default-information originate [always] [metric metric-value] [metric-type type-value] [route-map map-name] router configuration command.
Configuring route summarization to improve CPU utilization, reduce LSA flooding, and reduce LSDB and routing table sizes. OSPF does not automatically summarize. OSPF summarization can be configured on an ABR using the area area-id range address mask [advertise | not-advertise] [cost cost] router configuration command, and on an ASBR using the summary-address ip-address mask [not-advertise] [tag tag] router configuration command.
The OSPF virtual link feature, used to temporarily mend backbone failures or connect a disconnected area to the backbone. Virtual links are configured with the area area-id virtual-link router-id [authentication [message-digest | null]] [hello-interval seconds] [retransmit-interval seconds] [transmit-delay seconds] [dead-interval seconds] [[authentication-key key] | [message-digest-key key-id md5 key]] router configuration command, and verified with the show ip ospf virtual-links command.
The several area types defined in OSPF: standard areas, backbone areas, stub areas, totally stubby areas, NSSAs, and totally stubby NSSAs. (Refer to Table 3-23 for a summary of the area types.) The area area-id stub router configuration command is used to configure stub areas. The no-summary keyword is added to this command on the ABR to make the area totally stubby. The area area-id nssa [no-redistribution] [default-information-originate] [metric metric-value] [metric-type type-value] [no-summary] router configuration command is used to configure an NSSA, instead of the area area-id stub command. The no-summary keyword is only used on the ABR to make the area a totally stubby NSSA area.
The types of OSPF authentication: null, simple password authentication (also called plain-text authentication), and MD5 authentication. Authentication troubleshooting is done with the debug ip ospf adj command.
The commands to configure OSPF simple password authentication:
- ip ospf authentication-key password interface configuration command
- ip ospf authentication interface configuration command or the area area-id authentication router configuration command
The commands to configure OSPF MD5 authentication:
- ip ospf message-digest-key key-id md5 key interface configuration command
- ip ospf authentication message-digest interface configuration command or the area area-id authentication message-digest router configuration command

Configuring and Verifying OSPF Authentication

Planning for OSPF Authentication

Configuring, Verifying, and Troubleshooting OSPF Simple Password Authentication

Configuring OSPF Simple Password Authentication

Simple Password Authentication Example

Verifying Simple Password Authentication

Troubleshooting Simple Password Authentication

Successful Simple Password Authentication Example

Troubleshooting Simple Password Authentication Problems Example

Configuring OSPF Simple Password Authentication for Virtual Links

Configuring, Verifying, and Troubleshooting MD5 Authentication

Configuring OSPF MD5 Authentication

MD5 Authentication Example

Verifying MD5 Authentication

Troubleshooting MD5 Authentication

Successful MD5 Authentication Example

Troubleshooting MD5 Authentication Problems Example

Summary

0 comments

Post a Comment

About Me

Chat Box

Google Maps

Visitor Locations

Lunar Calendar

Link URL

Followers

Lưu Trữ - Archive

Others

Posted