From: Bill Wagner (billccie2b@hotmail.com)
Date: Fri Jul 28 2006 - 15:29:00 ART
Right. I believe that since the hub router is only sending one key it
sends the newest keys. If the spokes could originate the session then the
spoke with the old key could notify the hub it has an older key. I think
the workaround to this problem is to make the spokes broadcast and
modify the ospf timers. The task only states do not change the OSPF
network type on the hub.
--------------------------------------------------------------------
From: Jim <firstnamejim@gmail.com>
Reply-To: Jim <firstnamejim@gmail.com>
To: "Bill Wagner" <billccie2b@hotmail.com>
CC: ccielab@groupstudy.com
Subject: Re: OSPF Auth with Key Rollover on Hub & Spoke (non-broadcas
Date: Fri, 28 Jul 2006 13:18:59 -0400
Bill
You are right. I used your config this time, and for interface
non-broadcast, if the ospf priority is 0, it doesn't save the unicast
neighbor in the config.
If I change interface type to point-to-multipoint non-broadcast, then
everything is happy. (the neighbor statement stays in the ospf
configuration.)
Please correct if I am wrong,
I think the root of the issue is: the hub needs to receive a hello
with the old key to start using the old key. That starts the roll-over
feature. Since on R2 it was non-broadcast, and it is priority 0, with
no neighbor, it just sits waiting and doesn't send any hello out.
Since R2 doesn't know where the neighbor is, it never sends anything
out, so R3 won't know about R2's old key. So there has to be something
to make R2 send a hello to R3:
- in NBMA, need to config neighbor on the fly, but it doesn't save;
- in point-multipoint, config the neighbor, it will save in the config;
On 7/28/06, Bill Wagner <billccie2b@hotmail.com> wrote:
>
> Yeah I tried this, but after you type in the command although it
> starts to communicate with the hub router it will not install the
> neighbor statement in the running config. As a result if you reload
> the routers it will stop working again.
>
> ------------------------------
> From: *Jim <firstnamejim@gmail.com>*
> Reply-To: *Jim <firstnamejim@gmail.com>*
> To: *"Bill Wagner" <billccie2b@hotmail.com>, ccielab@groupstudy.com*
> Subject: *Re: OSPF Auth with Key Rollover on Hub & Spoke (non-broadcast*
> Date: *Thu, 27 Jul 2006 22:54:49 -0400*
> Bill,
>
> If you add a line in the below, it will work reliably and right away:
>
> #R2
> router ospf 1
> neighbor 10.129.1.3
>
> R3 will not automatically use the old key, but if it receives a
> unicast hello with an older key id, it will take the hint and start
> talking with R2 in old key 1. Just my experiment.
>
> HTH
> --Jim
>
>
>
> > ---------------Configuration After Key Rollover + clear ip os process------------
> >
> > ---R3 Hub---
> >
> > interface Serial1/0.123 multipoint
> > ip address 10.129.1.3 255.255.255.0
> > ip ospf message-digest-key 1 md5 CISCO
> > ip ospf message-digest-key 2 md5 CISCONEW
> > frame-relay map ip 10.129.1.1 301 broadcast
> > frame-relay map ip 10.129.1.2 302 broadcast
> >
> > ---R1 Spoke w new key---
> >
> > interface Serial0/0
> > ip address 10.129.1.1 255.255.255.0
> > encapsulation frame-relay
> > ip ospf message-digest-key 1 md5 CISCO
> > ip ospf message-digest-key 2 md5 CISCONEW
> > ip ospf priority 0
> > frame-relay map ip 10.129.1.2 103
> > frame-relay map ip 10.129.1.3 103 broadcast
> > no frame-relay inverse-arp
> > end
> >
> > ---R2 Spoke with original key---
> >
> > interface Serial1/0
> > ip address 10.129.1.2 255.255.255.0
> > encapsulation frame-relay
> > ip ospf message-digest-key 1 md5 CISCO
> > ip ospf priority 0
> > frame-relay map ip 10.129.1.1 203
> > frame-relay map ip 10.129.1.3 203 broadcast
> > no frame-relay inverse-arp
> > end
> >
> > ----------Neighbor Output + debug-----------
> >
> > ---R3 Hub---
> >
> > Rack1R3#sho ip os nei
> >
> > Neighbor ID     Pri   State             Dead Time   Address       Interface
> > 150.1.1.1         0   FULL/DROTHER      00:01:55    10.129.1.1    Serial1/0.123
> > N/A               0   ATTEMPT/DROTHER   00:00:04    10.129.1.2    Serial1/0.123
>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
>
--
Jim Li
614-376-2865
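
Added example, not part of the original thread and not Cisco code: a simplified model of RFC 2328 Appendix D cryptographic authentication, showing why R2 (key 1 only) cannot accept a hello signed with key 2 while the hub, holding both keys, can verify a key 1 hello from R2. The function names, zeroed router/area IDs, hello body and sequence numbers are constructed for illustration; only the key IDs and key strings come from the configs above.

```python
import hashlib
import hmac
import struct

# Key chains as configured in the thread: hub R3 holds keys 1 and 2,
# spoke R2 still holds only the original key 1.
R3_KEYS = {1: b"CISCO", 2: b"CISCONEW"}
R2_KEYS = {1: b"CISCO"}


def _digest(packet: bytes, key: bytes) -> bytes:
    # RFC 2328 D.4.3: MD5 over the OSPF packet followed by the 16-byte key
    # (shorter keys are zero-padded to 16 bytes).
    return hashlib.md5(packet + key.ljust(16, b"\x00")[:16]).digest()


def sign_hello(body: bytes, key_id: int, key: bytes, seq: int) -> bytes:
    """Build a simplified OSPFv2 hello (type 1) using AuType 2."""
    length = 24 + len(body)  # header + body; the trailing digest is not counted
    header = struct.pack("!BBH4s4sHH", 2, 1, length,
                         bytes(4), bytes(4),  # router ID, area ID (constructed)
                         0, 2)                # checksum unused, AuType 2
    # Authentication field: 0, key ID, digest length, crypto sequence number.
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    packet = header + auth + body
    return packet + _digest(packet, key)


def verify_hello(wire: bytes, keys: dict) -> str:
    """Return 'ok', 'unknown-key-id' or 'bad-digest' for a received packet."""
    (length,) = struct.unpack("!H", wire[2:4])
    key_id = wire[18]  # third byte of the 8-byte authentication field
    packet, digest = wire[:length], wire[length:length + 16]
    key = keys.get(key_id)
    if key is None:
        # The receiver selects the key by the ID carried in the packet, so a
        # router without that ID drops the hello before any digest check.
        return "unknown-key-id"
    ok = hmac.compare_digest(digest, _digest(packet, key))
    return "ok" if ok else "bad-digest"


if __name__ == "__main__":
    body = b"constructed-hello-body"
    print("R3 key 2 -> R2:", verify_hello(sign_hello(body, 2, R3_KEYS[2], 1), R2_KEYS))
    print("R2 key 1 -> R3:", verify_hello(sign_hello(body, 1, R2_KEYS[1], 1), R3_KEYS))
```
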
This archive was generated by hypermail 2.1.4 : Tue Aug 01 2006 - 07:13:48 ART