RE: OSPF doubt

From: Grabler, Ross (IT) (Ross.Grabler@morganstanley.com)
Date: Sun Nov 27 2005 - 01:33:13 GMT-3


Brian,
What happens if you configure a second key on only one of the routers,
let's say to support a future key change? Is this going to break the
adjacencies? If not, what happens when you reboot the router? To my
understanding the youngest keys will be exchanged.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Brian Dennis
Sent: Saturday, November 26, 2005 6:32 PM
To: andervb@yahoo.dk; ccielab@groupstudy.com
Subject: RE: OSPF doubt

Here is an e-mail I sent a couple of weeks ago about this topic:

Below is an example of how you can configure two routers to support "key
rollover" with OSPF and actually perform the rollover:

To start off, both routers (R1 and R2) are configured with MD5
authentication using key 1 with the password CISCO1.

Rack8R1#sho run int s0/0
Building configuration...

Current configuration : 314 bytes
!
interface Serial0/0
 ip address 129.8.124.1 255.255.255.0
 encapsulation frame-relay
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 CISCO1
 ip ospf network broadcast
 frame-relay map ip 129.8.124.2 102 broadcast
 no frame-relay inverse-arp
end

Rack8R1#sho ip os ne

Neighbor ID     Pri   State           Dead Time   Address         Interface
150.8.2.2         1   FULL/DR         00:00:38    129.8.124.2     Serial0/0
Rack8R1#sho ip os int s0/0
Serial0/0 is up, line protocol is up
  Internet Address 129.8.124.1/24, Area 0
  Process ID 1, Router ID 150.8.1.1, Network Type BROADCAST, Cost: 64
  Transmit Delay is 1 sec, State BDR, Priority 1
  Designated Router (ID) 150.8.2.2, Interface address 129.8.124.2
  Backup Designated router (ID) 150.8.1.1, Interface address 129.8.124.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:08
  Index 4/4, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 150.8.2.2 (Designated Router)
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 1
Rack8R1#
Rack8R1#sho ip os n

Neighbor ID     Pri   State           Dead Time   Address         Interface
150.8.2.2         1   FULL/DR         00:00:38    129.8.124.2     Serial0/0
Rack8R1#

Rack8R2#sho run int s0/0
Building configuration...

Current configuration : 273 bytes
!
interface Serial0/0
 ip address 129.8.124.2 255.255.255.0
 encapsulation frame-relay
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 CISCO1
 ip ospf network broadcast
 frame-relay map ip 129.8.124.1 201 broadcast
 no frame-relay inverse-arp
end

Rack8R2#sho ip os n

Neighbor ID     Pri   State           Dead Time   Address         Interface
150.8.1.1         1   FULL/BDR        00:00:31    129.8.124.1     Serial0/0
Rack8R2#

From the output above we see that the neighbor relationship is up and
everything is working. Now we'll add a second key (key 2 password
CISCO2) to both routers:

Rack8R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack8R1(config)#int s0/0
Rack8R1(config-if)# ip os message-digest-key 2 md CISCO2
Rack8R1(config-if)#^Z
Rack8R1#

Rack8R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack8R2(config)#int s0/0
Rack8R2(config-if)# ip os message-digest-key 2 md CISCO2
Rack8R2(config-if)#^Z
Rack8R2#
Rack8R2#sho ip os n

Neighbor ID     Pri   State           Dead Time   Address         Interface
150.8.1.1         1   FULL/BDR        00:00:34    129.8.124.1     Serial0/0
Rack8R2#sho ip os int s0/0
Serial0/0 is up, line protocol is up
  Internet Address 129.8.124.2/24, Area 0
  Process ID 1, Router ID 150.8.2.2, Network Type BROADCAST, Cost: 64
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 150.8.2.2, Interface address 129.8.124.2
  Backup Designated router (ID) 150.8.1.1, Interface address 129.8.124.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:04
  Index 1/3, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 150.8.1.1 (Backup Designated Router)
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 2
    Rollover in progress, 1 neighbor(s) using the old key(s):
      key id 1
Rack8R2#

We can see that the routers know that there is a key rollover in
progress since two keys are configured on the interfaces. Now we'll go
back and remove the original key 1.

Rack8R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack8R2(config)#int s0/0
Rack8R2(config-if)#no ip os message-digest-key 1 md CISCO1
Rack8R2(config-if)#^Z
Rack8R2#
Rack8R2#sho ip os int s0/0
Serial0/0 is up, line protocol is up
  Internet Address 129.8.124.2/24, Area 0
  Process ID 1, Router ID 150.8.2.2, Network Type BROADCAST, Cost: 64
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 150.8.2.2, Interface address 129.8.124.2
  Backup Designated router (ID) 150.8.1.1, Interface address 129.8.124.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:06
  Index 1/3, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 150.8.1.1 (Backup Designated Router)
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 2
    Rollover in progress, 1 neighbor(s) using the old key(s):
Rack8R2#
Rack8R2#sho ip os n

Neighbor ID     Pri   State           Dead Time   Address         Interface
150.8.1.1         1   FULL/BDR        00:00:37    129.8.124.1     Serial0/0
Rack8R2#

Rack8R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack8R1(config)#int s0/0
Rack8R1(config-if)#no ip os message-digest-key 1 md CISCO1
Rack8R1(config-if)#^Z
Rack8R1#sho ip os int s0/0
Serial0/0 is up, line protocol is up
  Internet Address 129.8.124.1/24, Area 0
  Process ID 1, Router ID 150.8.1.1, Network Type BROADCAST, Cost: 64
  Transmit Delay is 1 sec, State BDR, Priority 1
  Designated Router (ID) 150.8.2.2, Interface address 129.8.124.2
  Backup Designated router (ID) 150.8.1.1, Interface address 129.8.124.1
  Flush timer for old DR LSA due in 00:01:46
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:06
  Index 4/4, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 150.8.2.2 (Designated Router)
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 2
Rack8R1#
Rack8R1#sho ip os n

Neighbor ID     Pri   State           Dead Time   Address         Interface
150.8.2.2         1   FULL/DR         00:00:36    129.8.124.2     Serial0/0
Rack8R1#

Finally, both routers are using key 2, and the OSPF neighbor relationship
was never lost.

HTH,

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
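
An added illustration, not part of Brian's post or of any Cisco code: the Python below models the RFC 2328 Appendix D.3 digest (MD5 over the packet plus the zero-padded key, with the receiver selecting its local key by the Key ID carried in the packet) and the rollover state behind the "Youngest key id" and "Rollover in progress" lines in the output above. It assumes IOS's documented behaviour of transmitting one copy of each packet per configured key while more than one key is present, which is what keeps a neighbor that still knows only key 1 adjacent; the router IDs, area, key strings and dummy packet body are constructed.

```python
import hashlib
import hmac
import struct
AUTH_CRYPTO = 2  # AuType 2 = cryptographic (MD5) authentication, RFC 2328 Appendix D.3

def build_packet(router_id, area_id, key_id, key, seq, body=b"\x00" * 20):
    """Build an OSPF packet with an MD5 trailer (constructed, dummy 20-byte body)."""
    length = 24 + len(body)  # the packet length field excludes the 16-byte digest
    header = struct.pack("!BBH4s4sHH", 2, 1, length, router_id, area_id, 0, AUTH_CRYPTO)
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)  # zeros, Key ID, Auth Data Len, seq
    packet = header + auth + body
    # Digest = MD5(packet || key zero-padded to 16 bytes); it is appended in place of the key
    digest = hashlib.md5(packet + key.ljust(16, b"\x00")[:16]).digest()
    return packet + digest

def verify_packet(packet, keys):
    """Receiver side: pick the local key by Key ID; an unconfigured Key ID means discard."""
    if len(packet) < 24 + 16:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    autype, key_id, auth_len = struct.unpack("!H", packet[14:16])[0], packet[18], packet[19]
    if autype != AUTH_CRYPTO or auth_len != 16 or len(packet) < length + 16:
        return False
    key = keys.get(key_id)
    if key is None:
        return False
    expected = hashlib.md5(packet[:length] + key.ljust(16, b"\x00")[:16]).digest()
    return hmac.compare_digest(expected, packet[length:length + 16])

class OspfInterface:
    """An interface and its message-digest keys; the youngest key is the one added last."""
    def __init__(self, router_id, keys):
        self.router_id, self.keys, self.seq = router_id, dict(keys), 0

    def youngest_key_id(self):
        return list(self.keys)[-1]

    def send(self, area_id=b"\x00\x00\x00\x00"):
        # More than one key configured = rollover in progress: one copy per key is sent,
        # youngest first, so a neighbor that only knows an older key still authenticates one.
        self.seq += 1
        return [build_packet(self.router_id, area_id, kid, key, self.seq)
                for kid, key in reversed(list(self.keys.items()))]

    def receive(self, copies):
        return any(verify_packet(p, self.keys) for p in copies)

# Constructed scenario from the thread: R1 still has key 1 only, R2 already has keys 1 and 2.
R1 = OspfInterface(bytes([150, 8, 1, 1]), {1: b"CISCO1"})
R2 = OspfInterface(bytes([150, 8, 2, 2]), {1: b"CISCO1", 2: b"CISCO2"})
```

Once R1 also has key 2 and key 1 is removed on both sides, each interface sends a single copy again, which is the "rollover complete" state shown at the end of the post.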

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
andervb@yahoo.dk
Sent: Saturday, November 26, 2005 1:18 PM
To: ccielab@groupstudy.com
Subject: OSPF doubt

How can I change the OSPF auth without affecting adjacency?
Password transition?



This archive was generated by hypermail 2.1.4 : Thu Dec 01 2005 - 09:12:08 GMT-3