RE: OSPF doubt

From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Sat Nov 26 2005 - 20:31:54 GMT-3


Here is an e-mail I sent a couple of weeks ago about this topic:

Below is an example of how you can configure two routers to support "key
rollover" with OSPF and actually perform the rollover:

To start off both routers (R1 and R2) are configured with MD5
authentication and using key 1 with the password of CISCO1.

Rack8R1#sho run int s0/0
Building configuration...

Current configuration : 314 bytes
!
interface Serial0/0
 ip address 129.8.124.1 255.255.255.0
 encapsulation frame-relay
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 CISCO1
 ip ospf network broadcast
 frame-relay map ip 129.8.124.2 102 broadcast
 no frame-relay inverse-arp
end

Rack8R1#sho ip os ne

Neighbor ID     Pri   State           Dead Time   Address         Interface
150.8.2.2         1   FULL/DR         00:00:38    129.8.124.2     Serial0/0
Rack8R1#sho ip os int s0/0
Serial0/0 is up, line protocol is up
  Internet Address 129.8.124.1/24, Area 0
  Process ID 1, Router ID 150.8.1.1, Network Type BROADCAST, Cost: 64
  Transmit Delay is 1 sec, State BDR, Priority 1
  Designated Router (ID) 150.8.2.2, Interface address 129.8.124.2
  Backup Designated router (ID) 150.8.1.1, Interface address 129.8.124.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:08
  Index 4/4, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 150.8.2.2 (Designated Router)
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 1
Rack8R1#
Rack8R1#sho ip os n

Neighbor ID     Pri   State           Dead Time   Address         Interface
150.8.2.2         1   FULL/DR         00:00:38    129.8.124.2     Serial0/0
Rack8R1#

Rack8R2#sho run int s0/0
Building configuration...

Current configuration : 273 bytes
!
interface Serial0/0
 ip address 129.8.124.2 255.255.255.0
 encapsulation frame-relay
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 CISCO1
 ip ospf network broadcast
 frame-relay map ip 129.8.124.1 201 broadcast
 no frame-relay inverse-arp
end

Rack8R2#sho ip os n

Neighbor ID     Pri   State           Dead Time   Address         Interface
150.8.1.1         1   FULL/BDR        00:00:31    129.8.124.1     Serial0/0
Rack8R2#

From the output above we see that the neighbor relationship is up and
everything is working. Now we'll add a second key (key 2 password
CISCO2) to both routers:

Rack8R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack8R1(config)#int s0/0
Rack8R1(config-if)# ip os message-digest-key 2 md CISCO2
Rack8R1(config-if)#^Z
Rack8R1#
Rack8R1#

Rack8R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack8R2(config)#int s0/0
Rack8R2(config-if)# ip os message-digest-key 2 md CISCO2
Rack8R2(config-if)#^Z
Rack8R2#
Rack8R2#
Rack8R2#sho ip os n

Neighbor ID     Pri   State           Dead Time   Address         Interface
150.8.1.1         1   FULL/BDR        00:00:34    129.8.124.1     Serial0/0
Rack8R2#sho ip os int s0/0
Serial0/0 is up, line protocol is up
  Internet Address 129.8.124.2/24, Area 0
  Process ID 1, Router ID 150.8.2.2, Network Type BROADCAST, Cost: 64
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 150.8.2.2, Interface address 129.8.124.2
  Backup Designated router (ID) 150.8.1.1, Interface address 129.8.124.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:04
  Index 1/3, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 150.8.1.1 (Backup Designated Router)
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 2
    Rollover in progress, 1 neighbor(s) using the old key(s):
      key id 1
Rack8R2#

We can see that the routers know that there is a key rollover in
progress since two keys are configured on the interfaces. Now we'll go
back and remove the original key 1.

Rack8R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack8R2(config)#int s0/0
Rack8R2(config-if)#no ip os message-digest-key 1 md CISCO1
Rack8R2(config-if)#^Z
Rack8R2#
Rack8R2#sho ip os int s0/0
Serial0/0 is up, line protocol is up
  Internet Address 129.8.124.2/24, Area 0
  Process ID 1, Router ID 150.8.2.2, Network Type BROADCAST, Cost: 64
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 150.8.2.2, Interface address 129.8.124.2
  Backup Designated router (ID) 150.8.1.1, Interface address 129.8.124.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:06
  Index 1/3, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 150.8.1.1 (Backup Designated Router)
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 2
    Rollover in progress, 1 neighbor(s) using the old key(s):
Rack8R2#
Rack8R2#sho ip os n

Neighbor ID     Pri   State           Dead Time   Address         Interface
150.8.1.1         1   FULL/BDR        00:00:37    129.8.124.1     Serial0/0
Rack8R2#

Rack8R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack8R1(config)#int s0/0
Rack8R1(config-if)#no ip os message-digest-key 1 md CISCO1
Rack8R1(config-if)#^Z
Rack8R1#sho ip os int s0/0
Serial0/0 is up, line protocol is up
  Internet Address 129.8.124.1/24, Area 0
  Process ID 1, Router ID 150.8.1.1, Network Type BROADCAST, Cost: 64
  Transmit Delay is 1 sec, State BDR, Priority 1
  Designated Router (ID) 150.8.2.2, Interface address 129.8.124.2
  Backup Designated router (ID) 150.8.1.1, Interface address 129.8.124.1
  Flush timer for old DR LSA due in 00:01:46
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:06
  Index 4/4, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 150.8.2.2 (Designated Router)
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 2
Rack8R1#
Rack8R1#sho ip os n

Neighbor ID     Pri   State           Dead Time   Address         Interface
150.8.2.2         1   FULL/DR         00:00:36    129.8.124.2     Serial0/0
Rack8R1#

Finally both routers are using key 2 and the OSPF neighbor relationship
was never lost.

HTH,

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
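The following is an added example, not part of Brian's e-mail and not Cisco IOS code: a simplified Python model of OSPF cryptographic authentication (RFC 2328 Appendix D) that replays the rollover above and shows why adding key 2 on both routers before removing key 1 never causes a hello to fail authentication. Router names, key ids and passwords (CISCO1, CISCO2) follow the e-mail; the packet layout, the zero-padding of short keys, the "one copy per configured key during rollover" behaviour, and every class and function name (`OspfInterface`, `build_packet`, `safe_rollover`, `unsafe_rollover`) are this example's own assumptions. It also models the two checks a receiver performs that the e-mail's output does not show directly: rejection of a packet whose key id is not configured (the failure that drops an adjacency when a key is swapped in one step) and rejection of a replayed cryptographic sequence number.

```python
"""Added example (not from the original e-mail or Cisco IOS): a simplified model
of OSPF cryptographic authentication (RFC 2328 Appendix D) that shows why
adding key 2 on both routers before removing key 1 never breaks authentication.
Router names, key ids and passwords follow the e-mail; the packet layout,
rollover behaviour and all helper names are this example's own simplifications."""
import hashlib
import hmac
import struct

KEY_LEN = 16                        # MD5 auth keys are 16 bytes; shorter keys zero-padded (assumed)
AUTH_HDR = struct.Struct("!HBBI")   # reserved, key id, auth data length, crypto sequence number


def _pad_key(secret: str) -> bytes:
    raw = secret.encode()
    if len(raw) > KEY_LEN:
        raise ValueError("key longer than 16 bytes")
    return raw.ljust(KEY_LEN, b"\x00")


def build_packet(body: bytes, key_id: int, seq: int, secret: str) -> bytes:
    """Sender side: the auth field carries the key id and sequence number in clear;
    MD5(packet || key) is appended as a 16-byte trailer, so the key itself is never sent."""
    packet = AUTH_HDR.pack(0, key_id, KEY_LEN, seq) + body
    return packet + hashlib.md5(packet + _pad_key(secret)).digest()


class OspfInterface:
    def __init__(self, name: str, keys: dict):
        self.name = name
        self.keys = dict(keys)        # key id -> secret, kept in configuration order
        self.seq = 0                  # our crypto sequence number, must never decrease
        self.last_seq = {}            # neighbor -> last accepted sequence number
        self.neighbor_keys = {}       # neighbor -> key ids it authenticated with last time

    def add_key(self, key_id: int, secret: str) -> None:
        self.keys[key_id] = secret

    def remove_key(self, key_id: int) -> None:
        self.keys.pop(key_id, None)

    def youngest_key_id(self) -> int:
        return list(self.keys)[-1]    # most recently configured key, as in "Youngest key id is 2"

    def send(self, body: bytes) -> list:
        """While more than one key is configured, send one copy per key so a neighbor
        that only knows the old key still authenticates us (simplified rollover model)."""
        self.seq += 1
        return [build_packet(body, kid, self.seq, s) for kid, s in self.keys.items()]

    def verify(self, neighbor: str, packet: bytes):
        """Receiver side: returns the key id that authenticated the packet, or None."""
        if len(packet) < AUTH_HDR.size + KEY_LEN:
            return None
        _, kid, alen, seq = AUTH_HDR.unpack(packet[:AUTH_HDR.size])
        secret = self.keys.get(kid)
        if alen != KEY_LEN or secret is None:      # unknown key id: the failure that drops adjacencies
            return None
        signed, digest = packet[:-KEY_LEN], packet[-KEY_LEN:]
        if not hmac.compare_digest(hashlib.md5(signed + _pad_key(secret)).digest(), digest):
            return None
        if seq < self.last_seq.get(neighbor, 0):   # replay protection
            return None
        self.last_seq[neighbor] = seq
        return kid

    def receive(self, neighbor: str, packets: list) -> bool:
        accepted = {k for k in (self.verify(neighbor, p) for p in packets) if k is not None}
        if accepted:
            self.neighbor_keys[neighbor] = accepted
        return bool(accepted)

    def rollover_in_progress(self) -> list:
        """Neighbors still using an old key, as in 'Rollover in progress, 1 neighbor(s) ...'."""
        young = self.youngest_key_id()
        return sorted(n for n, ks in self.neighbor_keys.items() if ks - {young})


def exchange_hellos(r1, r2) -> tuple:
    """One hello in each direction; True means the receiver authenticated at least one copy."""
    return r2.receive(r1.name, r1.send(b"HELLO")), r1.receive(r2.name, r2.send(b"HELLO"))


def safe_rollover() -> list:
    """The e-mail's sequence: add key 2 on both routers, then remove key 1 on both."""
    r1, r2 = OspfInterface("R1", {1: "CISCO1"}), OspfInterface("R2", {1: "CISCO1"})
    log = []
    for step, action in [
        ("both on key 1", lambda: None),
        ("key 2 added on R1", lambda: r1.add_key(2, "CISCO2")),
        ("key 2 added on R2", lambda: r2.add_key(2, "CISCO2")),
        ("key 1 removed on R2", lambda: r2.remove_key(1)),
        ("key 1 removed on R1", lambda: r1.remove_key(1)),
    ]:
        action()
        log.append((step, exchange_hellos(r1, r2), r1.rollover_in_progress(), r2.rollover_in_progress()))
    return log


def unsafe_rollover() -> tuple:
    """Swap the key in one step on R2 only: hellos fail in both directions and the adjacency dies."""
    r1, r2 = OspfInterface("R1", {1: "CISCO1"}), OspfInterface("R2", {1: "CISCO1"})
    r2.remove_key(1)
    r2.add_key(2, "CISCO2")
    return exchange_hellos(r1, r2)


if __name__ == "__main__":
    for step, accepted, r1_roll, r2_roll in safe_rollover():
        print(f"{step:22} hellos accepted={accepted} rollover R1={r1_roll} R2={r2_roll}")
    print("one-step key swap on R2 only:", unsafe_rollover())
```

Running `safe_rollover()` shows every hello accepted at every step, with the "rollover in progress" flag set on R1 as soon as R1 has both keys and R2 is still answering with key 1, and on both routers while both carry two keys; `unsafe_rollover()` returns `(False, False)`, which is what makes the dead timer expire in the scenario the original question asks about. The model does not reproduce the IOS quirk visible at the end of the e-mail, where R2 still prints the rollover line after its own key 1 was removed.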

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
andervb@yahoo.dk
Sent: Saturday, November 26, 2005 1:18 PM
To: ccielab@groupstudy.com
Subject: OSPF doubt

how can I change the ospf auth without affecting adjacency?
password transition?



This archive was generated by hypermail 2.1.4 : Thu Dec 01 2005 - 09:12:08 GMT-3