RE: OSPF doubt

From: Cisco Nuts (cisconuts@hotmail.com)
Date: Sun Nov 27 2005 - 16:08:47 GMT-3


This was EXCELLENT !!

Thank you very much, Brian!!

>From: "Brian Dennis" <bdennis@internetworkexpert.com>
>Reply-To: "Brian Dennis" <bdennis@internetworkexpert.com>
>To: <andervb@yahoo.dk>, <ccielab@groupstudy.com>
>Subject: RE: OSPF doubt
>Date: Sat, 26 Nov 2005 18:31:54 -0500
>
>Here is an e-mail I sent a couple of weeks ago about this topic:
>
>Below is an example of how you can configure two routers to support "key
>rollover" with OSPF and actually perform the rollover:
>
>To start off both routers (R1 and R2) are configured with MD5
>authentication and using key 1 with the password of CISCO1.
>
>Rack8R1#sho run int s0/0
>Building configuration...
>
>Current configuration : 314 bytes
>!
>interface Serial0/0
> ip address 129.8.124.1 255.255.255.0
> encapsulation frame-relay
> ip ospf authentication message-digest
> ip ospf message-digest-key 1 md5 CISCO1
> ip ospf network broadcast
> frame-relay map ip 129.8.124.2 102 broadcast
> no frame-relay inverse-arp
>end
>
>Rack8R1#sho ip os ne
>
>Neighbor ID     Pri   State           Dead Time   Address         Interface
>150.8.2.2         1   FULL/DR         00:00:38    129.8.124.2     Serial0/0
>Rack8R1#sho ip os int s0/0
>Serial0/0 is up, line protocol is up
> Internet Address 129.8.124.1/24, Area 0
> Process ID 1, Router ID 150.8.1.1, Network Type BROADCAST, Cost: 64
> Transmit Delay is 1 sec, State BDR, Priority 1
> Designated Router (ID) 150.8.2.2, Interface address 129.8.124.2
> Backup Designated router (ID) 150.8.1.1, Interface address 129.8.124.1
> Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
> oob-resync timeout 40
> Hello due in 00:00:08
> Index 4/4, flood queue length 0
> Next 0x0(0)/0x0(0)
> Last flood scan length is 1, maximum is 1
> Last flood scan time is 0 msec, maximum is 0 msec
> Neighbor Count is 1, Adjacent neighbor count is 1
> Adjacent with neighbor 150.8.2.2 (Designated Router)
> Suppress hello for 0 neighbor(s)
> Message digest authentication enabled
> Youngest key id is 1
>Rack8R1#
>Rack8R1#sho ip os n
>
>Neighbor ID     Pri   State           Dead Time   Address         Interface
>150.8.2.2         1   FULL/DR         00:00:38    129.8.124.2     Serial0/0
>Rack8R1#
>
>Rack8R2#sho run int s0/0
>Building configuration...
>
>Current configuration : 273 bytes
>!
>interface Serial0/0
> ip address 129.8.124.2 255.255.255.0
> encapsulation frame-relay
> ip ospf authentication message-digest
> ip ospf message-digest-key 1 md5 CISCO1
> ip ospf network broadcast
> frame-relay map ip 129.8.124.1 201 broadcast
> no frame-relay inverse-arp
>end
>
>Rack8R2#sho ip os n
>
>Neighbor ID     Pri   State           Dead Time   Address         Interface
>150.8.1.1         1   FULL/BDR        00:00:31    129.8.124.1     Serial0/0
>Rack8R2#
>
>
>From the output above we see that the neighbor relationship is up and
>everything is working. Now we'll add a second key (key 2 password
>CISCO2) to both routers:
>
>
>Rack8R1#conf t
>Enter configuration commands, one per line. End with CNTL/Z.
>Rack8R1(config)#int s0/0
>Rack8R1(config-if)# ip os message-digest-key 2 md CISCO2
>Rack8R1(config-if)#^Z
>Rack8R1#
>Rack8R1#
>
>Rack8R2#conf t
>Enter configuration commands, one per line. End with CNTL/Z.
>Rack8R2(config)#int s0/0
>Rack8R2(config-if)# ip os message-digest-key 2 md CISCO2
>Rack8R2(config-if)#^Z
>Rack8R2#
>Rack8R2#
>Rack8R2#sho ip os n
>
>Neighbor ID     Pri   State           Dead Time   Address         Interface
>150.8.1.1         1   FULL/BDR        00:00:34    129.8.124.1     Serial0/0
>Rack8R2#sho ip os int s0/0
>Serial0/0 is up, line protocol is up
> Internet Address 129.8.124.2/24, Area 0
> Process ID 1, Router ID 150.8.2.2, Network Type BROADCAST, Cost: 64
> Transmit Delay is 1 sec, State DR, Priority 1
> Designated Router (ID) 150.8.2.2, Interface address 129.8.124.2
> Backup Designated router (ID) 150.8.1.1, Interface address 129.8.124.1
> Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
> oob-resync timeout 40
> Hello due in 00:00:04
> Index 1/3, flood queue length 0
> Next 0x0(0)/0x0(0)
> Last flood scan length is 1, maximum is 1
> Last flood scan time is 0 msec, maximum is 0 msec
> Neighbor Count is 1, Adjacent neighbor count is 1
> Adjacent with neighbor 150.8.1.1 (Backup Designated Router)
> Suppress hello for 0 neighbor(s)
> Message digest authentication enabled
> Youngest key id is 2
> Rollover in progress, 1 neighbor(s) using the old key(s):
> key id 1
>Rack8R2#
>
>
>We can see that the routers know that there is a key rollover in
>progress since two keys are configured on the interfaces. Now we'll go
>back and remove the original key 1.
>
>
>Rack8R2#conf t
>Enter configuration commands, one per line. End with CNTL/Z.
>Rack8R2(config)#int s0/0
>Rack8R2(config-if)#no ip os message-digest-key 1 md CISCO1
>Rack8R2(config-if)#^Z
>Rack8R2#
>Rack8R2#sho ip os int s0/0
>Serial0/0 is up, line protocol is up
> Internet Address 129.8.124.2/24, Area 0
> Process ID 1, Router ID 150.8.2.2, Network Type BROADCAST, Cost: 64
> Transmit Delay is 1 sec, State DR, Priority 1
> Designated Router (ID) 150.8.2.2, Interface address 129.8.124.2
> Backup Designated router (ID) 150.8.1.1, Interface address 129.8.124.1
> Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
> oob-resync timeout 40
> Hello due in 00:00:06
> Index 1/3, flood queue length 0
> Next 0x0(0)/0x0(0)
> Last flood scan length is 1, maximum is 1
> Last flood scan time is 0 msec, maximum is 0 msec
> Neighbor Count is 1, Adjacent neighbor count is 1
> Adjacent with neighbor 150.8.1.1 (Backup Designated Router)
> Suppress hello for 0 neighbor(s)
> Message digest authentication enabled
> Youngest key id is 2
> Rollover in progress, 1 neighbor(s) using the old key(s):
>Rack8R2#
>Rack8R2#sho ip os n
>
>Neighbor ID     Pri   State           Dead Time   Address         Interface
>150.8.1.1         1   FULL/BDR        00:00:37    129.8.124.1     Serial0/0
>Rack8R2#
>
>Rack8R1#conf t
>Enter configuration commands, one per line. End with CNTL/Z.
>Rack8R1(config)#int s0/0
>Rack8R1(config-if)#no ip os message-digest-key 1 md CISCO1
>Rack8R1(config-if)#^Z
>Rack8R1#sho ip os int s0/0
>Serial0/0 is up, line protocol is up
> Internet Address 129.8.124.1/24, Area 0
> Process ID 1, Router ID 150.8.1.1, Network Type BROADCAST, Cost: 64
> Transmit Delay is 1 sec, State BDR, Priority 1
> Designated Router (ID) 150.8.2.2, Interface address 129.8.124.2
> Backup Designated router (ID) 150.8.1.1, Interface address 129.8.124.1
> Flush timer for old DR LSA due in 00:01:46
> Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
> oob-resync timeout 40
> Hello due in 00:00:06
> Index 4/4, flood queue length 0
> Next 0x0(0)/0x0(0)
> Last flood scan length is 1, maximum is 1
> Last flood scan time is 0 msec, maximum is 0 msec
> Neighbor Count is 1, Adjacent neighbor count is 1
> Adjacent with neighbor 150.8.2.2 (Designated Router)
> Suppress hello for 0 neighbor(s)
> Message digest authentication enabled
> Youngest key id is 2
>Rack8R1#
>Rack8R1#sho ip os n
>
>Neighbor ID     Pri   State           Dead Time   Address         Interface
>150.8.2.2         1   FULL/DR         00:00:36    129.8.124.2     Serial0/0
>Rack8R1#
>
>
>Finally both routers are using key 2 and the OSPF neighbor relationship
>was never lost.
>
>
>HTH,
>
>Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
>bdennis@internetworkexpert.com
>
>Internetwork Expert, Inc.
>http://www.InternetworkExpert.com
>Toll Free: 877-224-8987
>Direct: 775-745-6404 (Outside the US and Canada)
>
>
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>andervb@yahoo.dk
>Sent: Saturday, November 26, 2005 1:18 PM
>To: ccielab@groupstudy.com
>Subject: OSPF doubt
>
>How can I change the OSPF auth without affecting adjacency?
>Password transition?
>
>_______________________________________________________________________
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html
>
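The rollover Brian walks through above, as an added Python model (not code from the thread, from Cisco or from any OSPF implementation): it builds the RFC 2328 Appendix D MD5 trailer, assumes that a router with several keys configured sends one copy of each hello per key (the behaviour behind the "Rollover in progress" line), and shows that the staged order keeps every hello verifiable while replacing the key on one router alone does not. The names OspfInterface, exchange and run_rollover are hypothetical.

```python
import hashlib

def ospf_md5_trailer(packet: bytes, key: bytes) -> bytes:
    # RFC 2328 D.4.3: MD5 over packet + 16-byte key (short keys zero-padded)
    return hashlib.md5(packet + key.ljust(16, b"\x00")[:16]).digest()

class OspfInterface:
    def __init__(self, name):
        self.name, self.keys, self.seq, self.rx_key_id = name, {}, 0, None
    def add_key(self, kid, secret):        # dict keeps configuration order
        self.keys[kid] = secret.encode()
    def remove_key(self, kid):
        self.keys.pop(kid, None)
    def youngest_key_id(self):             # "Youngest key id" in the show output
        return list(self.keys)[-1]
    def send_hellos(self):
        # Assumption modelled from the thread: one copy per configured key, so a
        # neighbor that still holds only the old key can validate one of them
        self.seq += 1
        body = self.name.encode() + self.seq.to_bytes(4, "big")   # constructed payload
        return [{"key_id": k, "body": body, "digest": ospf_md5_trailer(body, s)}
                for k, s in self.keys.items()]
    def receive_hellos(self, copies):
        # Accept if any copy names a key id we hold and its digest verifies
        ok = [p["key_id"] for p in copies if p["key_id"] in self.keys
              and ospf_md5_trailer(p["body"], self.keys[p["key_id"]]) == p["digest"]]
        if not ok:
            return False
        self.rx_key_id = ok[-1]            # youngest key the neighbor proved it holds
        return True
    def rollover_in_progress(self):        # "Rollover in progress ... old key(s)"
        return self.rx_key_id is not None and self.rx_key_id != self.youngest_key_id()

def exchange(a, b):
    # One hello each way; False is the point where the dead timer would start to run
    return a.receive_hellos(b.send_hellos()) and b.receive_hellos(a.send_hellos())

def run_rollover(staged=True):
    # Returns (hellos accepted, R1 reports rollover in progress) after each step
    r1, r2 = OspfInterface("R1"), OspfInterface("R2")
    r1.add_key(1, "CISCO1"); r2.add_key(1, "CISCO1")
    steps = [(exchange(r1, r2), r1.rollover_in_progress())]
    if staged:                             # the order used in the message above
        for action in (lambda: r1.add_key(2, "CISCO2"), lambda: r2.add_key(2, "CISCO2"),
                       lambda: r2.remove_key(1), lambda: r1.remove_key(1)):
            action(); steps.append((exchange(r1, r2), r1.rollover_in_progress()))
    else:                                  # replacing the key on one router first
        r1.remove_key(1); r1.add_key(2, "CISCO2")
        steps.append((exchange(r1, r2), r1.rollover_in_progress()))
    return steps
```

The second entry of the staged run is the state R2 printed above (adjacency up, rollover in progress); the unstaged run ends with a hello neither key can verify.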



This archive was generated by hypermail 2.1.4 : Thu Dec 01 2005 - 09:12:08 GMT-3