From: Ming Ki Au (aurmkstr@gmail.com)
Date: Mon Nov 13 2006 - 00:10:00 ART
Hi Dave,
Would you mind sending me your sample configuration for my reference?
On 11/11/06, Schulz, Dave <DSchulz@dpsciences.com> wrote:
>
> Ricky -
>
> OSPF will try to use the youngest keys (if found). So, if you have
> authentication set up and add a new key, it will try to use the youngest
> key that is common to the specific area doing authentication. It will
> drop back to the common key, until the new one is configured on the
> other side (the switchover in keys will not cause any outage due to
> renewed adjacency, etc.).
>
> Here is a debug where I have two keys set up and then added a third, the
> debug shows that it now changes to using the 3rd key. HTH......
>
>
> *No
> *Nov 11 07:20:50.152: OSPF: Send with key 1
> *Nov 11 07:20:50.152: OSPF: Send hello to 224.0.0.5 area 0 on
> Serial1/0.1245 from 136.1.0.4
> *Nov 11 07:20:50.152: OSPF: Send with key 2
> *Nov 11 07:20:50.152: OSPF: Send hello to 224.0.0.5 area 0 on
> Serial1/0.1245 from 136.1.0.4
> *Nov 11 07:20:50.152: OSPF: Send with key 3
> *Nov 11 07:20:50.152: OSPF: Send hello to 224.0.0.5 area 0 on
> Serial1/0.1245 from 136.1.0.4
> !
> !
> !
> *Nov 11 07:21:34.224: OSPF: Rcv hello from 150.1.5.5 area 0 from
> Serial1/0.1245 136.1.0.5
> *Nov 11 07:21:34.224: OSPF: End of hello processing
> *Nov 11 07:21:34.324: OSPF: Rcv hello from 150.1.5.5 area 0 from
> Serial1/0.1245 136.1.0.5
> *Nov 11 07:21:34.324: OSPF: End of hello processing
> *Nov 11 07:21:34.424: OSPF: Rcv hello from 150.1.5.5 area 0 from
> Serial1/0.1245 136.1.0.5
> *Nov 11 07:21:34.424: OSPF: End of hello processing
> Rack1R4(config-subif)#
> *Nov 11 07:21:50.152: OSPF: Send with youngest Key 3
> *Nov 11 07:21:50.152: OSPF: Send hello to 224.0.0.5 area 0 on
> Serial1/0.1245 from 136.1.0.4
>
> Then, the output of the show ip ospf 1 interface.....
>
> Serial1/0.1245 is up, line protocol is up
> Internet Address 136.1.0.4/24, Area 0
> Process ID 1, Router ID 150.1.4.4, Network Type POINT_TO_MULTIPOINT,
> Cost: 64
> Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT,
> Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
> oob-resync timeout 120
> Hello due in 00:00:02
> Index 1/1, flood queue length 0
> Next 0x0(0)/0x0(0)
> Last flood scan length is 1, maximum is 1
> Last flood scan time is 0 msec, maximum is 0 msec
> Neighbor Count is 1, Adjacent neighbor count is 1
> Adjacent with neighbor 150.1.5.5
> Suppress hello for 0 neighbor(s)
> Message digest authentication enabled
> Youngest key id is 3
>
> Hope this helps,
>
> Dave Schulz,
> Email: dschulz@dpsciences.com
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Ricky MK Au
> Sent: Saturday, November 11, 2006 1:36 AM
> To: ccielab@groupstudy.com
> Subject: Key rotation on OSPF area authentication
>
> Dear all,
> Can anyone tell me what is the best practice to do a key rotation with
> minimum impact when I configure area authentication within OSPF?
>
> Ricky M.K. Au,
> Information Technology Service, Networking Services,
> IBM China/Hong Kong Limited
> Mobile: +852 91351676
> Email: aurmk@hk1.ibm.com
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:46 ART
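
As an added example (not part of the thread and not Cisco tooling), the Python sketch below reads debug output of the form quoted above and reports, per interface, whether the router is still sending hellos under several keys or has settled on the youngest key. The sample log is constructed from the quoted lines with the e-mail wrapping removed; the function names and state labels are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the debug lines quoted in the thread, e-mail wrapping removed.
SAMPLE_DEBUG = """\
*Nov 11 07:20:50.152: OSPF: Send with key 1
*Nov 11 07:20:50.152: OSPF: Send hello to 224.0.0.5 area 0 on Serial1/0.1245 from 136.1.0.4
*Nov 11 07:20:50.152: OSPF: Send with key 2
*Nov 11 07:20:50.152: OSPF: Send hello to 224.0.0.5 area 0 on Serial1/0.1245 from 136.1.0.4
*Nov 11 07:20:50.152: OSPF: Send with key 3
*Nov 11 07:20:50.152: OSPF: Send hello to 224.0.0.5 area 0 on Serial1/0.1245 from 136.1.0.4
*Nov 11 07:21:34.224: OSPF: Rcv hello from 150.1.5.5 area 0 from Serial1/0.1245 136.1.0.5
*Nov 11 07:21:50.152: OSPF: Send with youngest Key 3
*Nov 11 07:21:50.152: OSPF: Send hello to 224.0.0.5 area 0 on Serial1/0.1245 from 136.1.0.4
"""

KEY_RE = re.compile(r"^\*(?P<ts>.+?): OSPF: Send with (?P<young>youngest )?[Kk]ey (?P<id>\d+)")
HELLO_RE = re.compile(r"^\*(?P<ts>.+?): OSPF: Send hello to \S+ area \S+ on (?P<intf>\S+)")

def hello_bursts(debug_text):
    """Return {interface: [(timestamp, [key ids], flagged_youngest), ...]}."""
    bursts = defaultdict(list)
    pending = None  # a "Send with key" line waiting for its "Send hello" line
    for line in debug_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            pending = (m["ts"], int(m["id"]), bool(m["young"]))
            continue
        m = HELLO_RE.match(line)
        if m and pending and pending[0] == m["ts"]:
            ts, key_id, young = pending
            pending = None
            seq = bursts[m["intf"]]
            if seq and seq[-1][0] == ts:  # same timestamp: same hello interval
                seq[-1][1].append(key_id)
            else:
                seq.append((ts, [key_id], young))
    return dict(bursts)

def rollover_state(debug_text):
    """Classify each interface by its most recent hello burst."""
    state = {}
    for intf, seq in hello_bursts(debug_text).items():
        _, keys, young = seq[-1]
        if len(keys) > 1:
            state[intf] = ("rollover-in-progress", sorted(keys))
        else:
            state[intf] = ("converged" if young else "single-key", keys[0])
    return state
```

Running it against captured debug before deleting an old key shows whether any interface is still sending under more than one key.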