Configuring, Verifying, and Troubleshooting OSPF Simple Password Authentication
This section describes how to configure, verify, and troubleshoot OSPF simple password authentication. Configuring simple password authentication on virtual links is also examined.
Configuring OSPF Simple Password Authentication
To configure OSPF simple password authentication, complete the following steps:
Table 3-27: ip ospf authentication Command Parameters
Open table as spreadsheet | Parameter | Description |
| message-digest | (Optional) Specifies that MD5 authentication will be used. |
| null | (Optional) No authentication is used. Useful for overriding simple password or MD5 authentication if configured for an area. |
For simple password authentication, use the ip ospf authentication command without any parameters. Before using this command, configure a password for the interface using the ip ospf authentication-key command.
The ip ospf authentication command was introduced in Cisco IOS Software Release 12.0. For backward compatibility, authentication type for an area is still supported. If the authentication type is not specified for an interface, the authentication type for the area will be used (the area default is null authentication). To enable authentication for an OSPF area, use the area area-id authentication [message-digest] router configuration command. Table 3-28 describes the parameters of the area authentication command.
Table 3-28: area authentication Command Parameters
Open table as spreadsheet | Parameter | Description |
| area-id | Identifier of the area for which authentication is to be enabled. The identifier can be specified as either a decimal value or an IP address. |
| message-digest | (Optional) Enables MD5 authentication for the area specified by the area-id argument. |
For simple password authentication, use the area authentication command with no parameters.
Simple Password Authentication Example
Figure 3-55 shows the network used to illustrate the configuration, verification, and troubleshooting of simple password authentication. The configuration of the R1 and R2 routers are shown in Example 3-43.
Example 3-43: Configuration of Routers R1 and R2 in Figure 3-55
Router R1:
Notice that the connecting interfaces on both R1 and R2 are configured for the same type of authentication with the same authentication key. Simple password authentication is configured on interface Serial 0/0/1 on both routers, with the ip ospf authentication command. The interfaces are configured with an authentication key of plainpas.
Verifying Simple Password Authentication
Example 3-44 shows the output of the show ip ospf interface, show ip ospf neighbor, and show ip route commands on the R1 router in Figure 3-55. From the show ip ospf interface and show ip ospf neighbor output, you see that R1 has one adjacent neighbor, and simple password authentication is enabled. The results of a ping to the R2 loopback interface address are also displayed to illustrate that the link is working.
Example 3-44: Verifying Simple Password Authentication on R1 in Figure 3-55
R1#show ip ospf interface
Serial0/0/1 is up, line protocol is up
Internet Address 192.168.1.101/27, Area 0
Process ID 1, Router ID 10.1.1.1, Network Type POINT_TO_POINT, Cost: 64
Transmit Delay is 1 sec, State POINT_TO_POINT
Notice in the show ip ospf neighbor command output that the neighbor state is FULL, indicating that the two routers have successfully formed an OSPF adjacency. The routing table verifies that the 10.2.2.2 address has been learned via OSPF over the serial connection.
Troubleshooting Simple Password Authentication
If the authentication configuration between routers is correct, an OSPF neighbor relationship is established, routing updates are exchanged, and OSPF routes enter the IP routing table.
OSPF authentication issues between routers may arise from the following problems:
-
If authentication is not configured on both routers
-
If different authentication types are configured on the routers
-
If different passwords are configured on the routers
The debug ip ospf adj command is used to display OSPF adjacency-related events and is useful when troubleshooting authentication.
Successful Simple Password Authentication Example
The output of the debug ip ospf adj command in Example 3-45 illustrates successful communication on the R1 router in Figure 3-55 after the serial 0/0/1 interface, on which simple password authentication has been configured, comes up.
| Note | Although this debug ip ospf adj output does not indicate anything about the authentication, it does show that the two routers successfully form a FULL adjacency. As the output in the next section illustrates, this command output does display authentication failures if there are any. During testing we were unable to find any debug command output that displayed information about successful OSPF simple password authentication. |
Example 3-45: Successful: Simple Password Authentication on R1 in Figure 3-55
*Apr 20 18:41:51.242: OSPF: Interface Serial0/0/1 going Up
*Apr 20 18:41:51.742: OSPF: Build router LSA for area 0, router ID 10.1.1.1, seq
0x80000013
*Apr 20 18:41:52.242: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1,
changed state to up
*Apr 20 18:42:01.250: OSPF: 2 Way Communication to 10.2.2.2 on Serial0/0/1, state
2WAY
*Apr 20 18:42:01.250: OSPF: Send DBD to 10.2.2.2 on Serial0/0/1 seq 0x9B6 opt
0x52 flag 0x7 len 32
*Apr 20 18:42:01.262: OSPF: Rcv DBD from 10.2.2.2 on Serial0/0/1 seq 0x23ED
opt0x52 flag 0x7 len 32 mtu 1500 state EXSTART
*Apr 20 18:42:01.262: OSPF: NBR Negotiation Done. We are the SLAVE
*Apr 20 18:42:01.262: OSPF: Send DBD to 10.2.2.2 on Serial0/0/1 seq 0x23ED opt
0x52 flag 0x2 len 72
*Apr 20 18:42:01.294: OSPF: Rcv DBD from 10.2.2.2 on Serial0/0/1 seq 0x23EE
opt0x52 flag 0x3 len 72 mtu 1500 state EXCHANGE
*Apr 20 18:42:01.294: OSPF: Send DBD to 10.2.2.2 on Serial0/0/1 seq 0x23EE opt
0x52 flag 0x0 len 32
*Apr 20 18:42:01.294: OSPF: Database request to 10.2.2.2
*Apr 20 18:42:01.294: OSPF: sent LS REQ packet to 192.168.1.102, length 12
*Apr 20 18:42:01.314: OSPF: Rcv DBD from 10.2.2.2 on Serial0/0/1 seq 0x23EF
opt0x52 flag 0x1 len 32 mtu 1500 state EXCHANGE
*Apr 20 18:42:01.314: OSPF: Exchange Done with 10.2.2.2 on Serial0/0/1
*Apr 20 18:42:01.314: OSPF: Send DBD to 10.2.2.2 on Serial0/0/1 seq 0x23EF opt
0x52 flag 0x0 len 32
*Apr 20 18:42:01.326: OSPF: Synchronized with 10.2.2.2 on Serial0/0/1, state FULL
*Apr 20 18:42:01.330: %OSPF-5-ADJCHG: Process 10, Nbr 10.2.2.2 on Serial0/0/1 from
LOADING to
FULL, Loading Done
*Apr 20 18:42:01.830: OSPF: Build router LSA for area 0, router ID 10.1.1.1, seq
0x80000014
The output of the show ip ospf neighbor command shown in Example 3-46 illustrates that R1 has successfully formed an adjacency with R2.
Example 3-46: R1 and R2 in Figure 3-55 Have Formed an Adjacency
R1#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
10.2.2.2 0 FULL/ - 00:00:34 192.168.1.102 Serial0/0/1
Troubleshooting Simple Password Authentication Problems Example
Using the network in Figure 3-55, if simple password authentication is configured on the R1 serial 0/0/1 interface but no authentication is configured on the R2 serial 0/0/1 interface, the routers will not be able to form an adjacency over that link. The output of the debug ip ospf adj command shown in Example 3-47 illustrates that the routers report a mismatch in authentication type. No OSPF packets will be sent between the neighbors.
Example 3-47: Simple Password Authentication on R1 and no Authentication on R2 in Figure 3-55
R1#
*Apr 17 18:51:31.242: OSPF: Rcv pkt from 192.168.1.102, Serial0/0/1 : Mismatch
Authentication type. Input packet specified type 0, we use type 1
R2#
*Apr 17 18:50:43.046: OSPF: Rcv pkt from 192.168.1.101, Serial0/0/1 : Mismatch
Authentication type. Input packet specified type 1, we use type 0
| Note | The different types of OSPF authentication have the following type codes: -
Null—Type 0 -
Simple password—Type 1 -
MD5—Type 2
|
If simple password authentication is configured on the R1 Serial 0/0/1 interface and on the R2 Serial 0/0/1 interface, but with different passwords, the routers will not be able to form an adjacency over that link. The outputs of the debug ip ospf adj command shown in Example 3-48 illustrate that the routers report a mismatch in authentication key. No OSPF packets will be sent between the neighbors.
Example 3-48: Simple Password Authentication on R1 and R2 in Figure 3-55, but with Different Passwords
R1#
*Apr 17 18:54:01.238: OSPF: Rcv pkt from 192.168.1.102, Serial0/0/1 : Mismatch
Authentication Key - Clear Text
R2#
*Apr 17 18:53:13.050: OSPF: Rcv pkt from 192.168.1.101, Serial0/0/1 : Mismatch
Authentication Key - Clear Text
Configuring OSPF Simple Password Authentication for Virtual Links
Figure 3-56 illustrates a network with a virtual link. The configuration of simple password authentication for the virtual link, on routers R1 and R3, is also shown in the figure.
On router R1, simple password authentication is configured for the whole area 0, with the area 0 authentication command. The virtual link, connecting area 2 to area 0, is created via transit area 1 with plain text authentication and the authentication key cisco, with the area 1 virtual-link 3.3.3.3 authentication-key cisco command.
The configuration of router R3 is similar to router R1.
Configuring, Verifying, and Troubleshooting MD5 Authentication
This section describes how to configure, verify, and troubleshoot OSPF MD5 authentication.
| Note | OSPF MD5 authentication includes a nondecreasing sequence number in each OSPF packet to protect against replay attacks. |
Configuring OSPF MD5 Authentication
With OSPF MD5 authentication, a key and key ID are configured on each router. To configure OSPF MD5 authentication, complete the following steps:
Table 3-29: ip ospf message-digest-key Command Parameters
Open table as spreadsheet | Parameter | Description |
| key-id | An identifier in the range from 1 to 255 |
| Key | Alphanumeric password of up to 16 bytes |
MD5 Authentication Example
Figure 3-57 shows the network used to illustrate the configuration, verification, and troubleshooting of MD5 authentication. The configuration of the R1 and R2 routers are shown in Example 3-49.
Example 3-49: Configuration of Routers R1 and R2 in Figure 3-57
Router R1:
Notice that the connecting interfaces on both R1 and R2 are configured for the same type of authentication with the same authentication key and key ID. MD5 authentication is configured on interface Serial 0/0/1 on both routers with the ip ospf authentication message-digest command. The interfaces on both routers are configured with an authentication key number 1 set to secretpass.
Verifying MD5 Authentication
Example 3-50 shows the output of the show ip ospf interface, show ip ospf neighbor and show ip route commands on the R1 router in Figure 3-57. The results of a ping to the R2 loopback interface address is also displayed to illustrate that the link is working.
Example 3-50: Verifying MD5 Authentication on R1 in Figure 3-57
R1#show ip ospf interface
Serial0/0/1 is up, line protocol is up
Internet Address 192.168.1.101/27, Area 0
Process ID 10, Router ID 10.1.1.1, Network Type POINT_TO_POINT, Cost: 64
Transmit Delay is 1 sec, State POINT_TO_POINT
Notice that the show ip ospf interface output shows that router R1 has on adjacent neighbor and that message digest authentication is enabled. The show ip ospf neighbor command output shows that that the neighbor state is FULL, indicating that the two routers have successfully formed an OSPF adjacency. The routing table verifies that the 10.2.2.2 address has been learned via OSPF over the serial connection.
Troubleshooting MD5 Authentication
As for simple password authentication, the debug ip ospf adj command is used to display OSPF adjacency-related events and is very useful when troubleshooting MD5 authentication.
Successful MD5 Authentication Example
The output of the debug ip ospf adj command in Example 3-51 illustrates successful MD5 authentication on the R1 router in Figure 3-57 after the Serial 0/0/1 interface, on which authentication has been configured, comes up.
Example 3-51: Successful MD5 Authentication on R1 in Figure 3-57
R1#debug ip ospf adj
OSPF adjacency events debugging is on
*Apr 20 17:13:56.530: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to up
*Apr 20 17:13:56.530: OSPF: Interface Serial0/0/1 going Up
*Apr 20 17:13:56.530: OSPF: Send with youngest Key 1
*Apr 20 17:13:57.030: OSPF: Build router LSA for area 0, router ID 10.1.1.1, seq
0x80000009
*Apr 20 17:13:57.530: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1,
changed state to up
*Apr 20 17:14:06.530: OSPF: Send with youngest Key 1
*Apr 20 17:14:06.546: OSPF: 2 Way Communication to 10.2.2.2 on Serial0/0/1, state
2WAY
*Apr 20 17:14:06.546: OSPF: Send DBD to 10.2.2.2 on Serial0/0/1 seq 0xB37 opt
0x52 flag 0x7 len 32
*Apr 20 17:14:06.546: OSPF: Send with youngest Key 1
*Apr 20 17:14:06.562: OSPF: Rcv DBD from 10.2.2.2 on Serial0/0/1 seq 0x32F opt 0
x52 flag 0x7 len 32 mtu 1500 state EXSTART
*Apr 20 17:14:06.562: OSPF: NBR Negotiation Done. We are the SLAVE
*Apr 20 17:14:06.562: OSPF: Send DBD to 10.2.2.2 on Serial0/0/1 seq 0x32F opt
0x52 flag 0x2 len 72
*Apr 20 17:14:06.562: OSPF: Send with youngest Key 1
*Apr 20 17:14:06.602: OSPF: Rcv DBD from 10.2.2.2 on Serial0/0/1 seq 0x330 opt
0x52 flag 0x3 len 72 mtu 1500 state EXCHANGE
*Apr 20 17:14:06.602: OSPF: Send DBD to 10.2.2.2 on Serial0/0/1 seq 0x330 opt
0x52 flag 0x0 len 32
*Apr 20 17:14:06.602: OSPF: Send with youngest Key 1
*Apr 20 17:14:06.602: OSPF: Database request to 10.2.2.2
*Apr 20 17:14:06.602: OSPF: Send with youngest Key 1
*Apr 20 17:14:06.602: OSPF: sent LS REQ packet to 192.168.1.102, length 12
*Apr 20 17:14:06.614: OSPF: Send with youngest Key 1
*Apr 20 17:14:06.634: OSPF: Rcv DBD from 10.2.2.2 on Serial0/0/1 seq 0x331 opt
0x52 flag 0x1 len 32 mtu 1500 state EXCHANGE
*Apr 20 17:14:06.634: OSPF: Exchange Done with 10.2.2.2 on Serial0/0/1
*Apr 20 17:14:06.634: OSPF: Send DBD to 10.2.2.2 on Serial0/0/1 seq 0x331 opt
0x52 flag 0x0 len 32
*Apr 20 17:14:06.634: OSPF: Send with youngest Key 1
*Apr 20 17:14:06.650: OSPF: Synchronized with 10.2.2.2 on Serial0/0/1, state FULL
*Apr 20 17:14:06.650: %OSPF-5-ADJCHG: Process 10, Nbr 10.2.2.2 on Serial0/0/1 from
LOADING to FULL, Loading Done
*Apr 20 17:14:07.150: OSPF: Send with youngest Key 1
*Apr 20 17:14:07.150: OSPF: Build router LSA for area 0, router ID 10.1.1.1, seq
0x8000000A
*Apr 20 17:14:09.150: OSPF: Send with youngest Key 1
The output of the show ip ospf neighbor command shown Example 3-52 illustrates that R1 has successfully formed an adjacency with R2.
Example 3-52: R1 and R2 in Figure 3-57 Have Formed an Adjacency
R1#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
10.2.2.2 0 FULL/ - 00:00:34 192.168.1.102 Serial0/0/1
-
Characteristics of link-state routing protocols such as OSPF, including the OSPF tables—the neighbor table (also called the adjacency database), the topology table (also called the topology database or the LSDB), and the routing table (also called the forwarding database).
-
OSPF’s two-tier hierarchical area structure, with a backbone area 0 and regular areas.
-
The different types of OSPF routers: internal routers, backbone routers, ABRs, and ASBRs.
-
How OSPF routers use the Hello protocol to build adjacencies. After two routers establish neighbor adjacency using hello packets, they synchronize their LSDBs by exchanging LSAs and confirming the receipt of LSAs from the adjacent router. Routers on point-to-point links form a full adjacency with each other, whereas routers on LAN links only form a full adjacency with the DR and BDR.
-
The OSPF metric calculation on Cisco routers, which is based on the link bandwidth by default. If interfaces that are faster than 100 Mbps are being used, you should use the auto-cost reference-bandwidth ref-bw router configuration command on all routers. To override the default cost, manually define the cost using the ip ospf cost interface-cost interface configuration command.
-
The five types of OSPF packets—hello, DBD, LSR, LSU, and LSAck. Hello packets are used to discover neighbor and build adjacencies. DBDs are used to synchronize the LSDBs. LSRs are used to request specific link-state records, and LSUs are used to send the requested records. LSAck is used to acknowledge the other packet types. OSPF packets are sent in IP packets with protocol 89.
-
The neighbor states that OSPF may pass through: down, (possibly attempt), init, two-way, exstart, exchange, loading, and full.
-
The five fields in the hello packet must match on neighboring routers: Hello Interval, Dead Interval, Area ID, Authentication Password, And Stub Area Flag.
-
Planning OSPF implementations, including the IP addressing, network topology, and OSPF areas. The list of tasks for each router in the network include enabling the OSPF routing protocol (with a process number) directly on an interface or by configuring the proper network commands, assigning the correct area ID to the interface, and optionally configuring the metric to appropriate interfaces.
-
Basic OSPF configuration commands:
-
router ospf process-id global configuration command
-
network ip-address wildcard-mask area area-id interface configuration command, or the ip ospf process-id area area-id [secondaries none] interface configuration command
-
bandwidth kilobits interface configuration command
-
router-id ip-address router configuration command
-
Commands for verifying OSPF operation:
-
show ip ospf
-
show ip route
-
show ip ospf interface
-
show ip ospf neighbor
-
show ip route ospf
-
show ip protocols
-
debug ip ospf events
-
debug ip ospf adj
-
debug ip ospf packet
-
How the OSPF router ID is selected: with the router-id ip-address router configuration command, the highest IP address on any active loopback interface, or the highest IP address of any active physical interface when OSPF starts.
-
The three types of networks defined by OSPF: point-to-point, broadcast, and NBMA.
-
How a DR and BDR are selected: The router with the highest priority is the DR, the router with the second highest priority is the BDR. The router ID breaks a tie. A router with priority 0 does not become either the DR or the BDR. The priority is set with the ip ospf priority number interface configuration command
-
The five modes of OSPF operation available for NBMA networks: nonbroadcast and point-to-multipoint RFC modes, and broadcast, point-to-multipoint nonbroadcast, and point-to-point Cisco modes. (Refer to Table 3-11 for a summary of these modes).
-
The 11 different OSPF LSA types. The first five are the most commonly used: type 1 (router, generated by every router), type 2 (network, generated by DR), type 3 (summary, describes area routes, generated by ABR), type 4 (summary, describes route to ASBR, generated by ABR), and type 5 (external, describes routes to external destinations, generated by ASBR).
-
The three kinds of OSPF routes: intra-area (O), interarea (O IA), and external (either O E1 or O E2).
-
Configuring OSPF LSDB overload protection using the max-lsa maximum-number [threshold-percentage] [warning-only] [ignore-time minutes] [ignore-count count-number] [reset-time minutes] router configuration command.
-
Using the passive-interface type number [default] router configuration command to prevent a routing protocol’s routing updates from being sent through the specified router interface. With OSPF, the specified interface appears as a stub network, and OSPF routing information is neither sent nor received through the specified interface.
-
How default routes can be used in OSPF to prevent the need for a specific route to all destination networks. The benefit is a much smaller routing table and LSDB, with complete reachability. Propagate an OSPF default route using the default-information originate [always] [metric metric-value] [metric-type type-value] [route-map map-name] router configuration command.
-
Configuring route summarization to improve CPU utilization, reduce LSA flooding, and reduce LSDB and routing table sizes. OSPF does not automatically summarize. OSPF summarization can be configured on an ABR using the area area-id range address mask [advertise | not-advertise] [cost cost] router configuration command, and on an ASBR using the summary-address ip-address mask [not-advertise] [tag tag] router configuration command.
-
The OSPF virtual link feature, used to temporarily mend backbone failures or connect a disconnected area to the backbone. Virtual links are configured with the area area-id virtual-link router-id [authentication [message-digest | null]] [hello-interval seconds] [retransmit-interval seconds] [transmit-delay seconds] [dead-interval seconds] [[authentication-key key] | [message-digest-key key-id md5 key]] router configuration command, and verified with the show ip ospf virtual-links command.
-
The several area types defined in OSPF: standard areas, backbone areas, stub areas, totally stubby areas, NSSAs, and totally stubby NSSAs. (Refer to Table 3-23 for a summary of the area types.) The area area-id stub router configuration command is used to configure stub areas. The no-summary keyword is added to this command on the ABR to make the area totally stubby. The area area-id nssa [no-redistribution] [default-information-originate] [metric metric-value] [metric-type type-value] [no-summary] router configuration command is used to configure an NSSA, instead of the area area-id stub command. The no-summary keyword is only used on the ABR to make the area a totally stubby NSSA area.
-
The types of OSPF authentication: null, simple password authentication (also called plain-text authentication), and MD5 authentication. Authentication troubleshooting is done with the debug ip ospf adj command.
-
The commands to configure OSPF simple password authentication:
-
The commands to configure OSPF MD5 authentication:
-
ip ospf message-digest-key key-id md5 key interface configuration command
-
ip ospf authentication message-digest interface configuration command or the area area-id authentication message-digest router configuration command
No comments:
Post a Comment