From: Herbert Maosa (asawilunda@googlemail.com)
Date: Sat Sep 22 2007 - 01:23:12 ART
---------- Forwarded message ----------
From: Herbert Maosa <asawilunda@googlemail.com>
Date: Sep 22, 2007 5:22 AM
Subject: Re: Issue with OSPF authentication using different MD5 keys over Frame Relay
To: "Toh Soon, Lim" <tohsoon28@gmail.com>
I believe OSPF will look at the configured keys in sequence until it finds
the first valid key, and then will use that key only for authentication.
If you have to use different keys for different neighbors out the same
multipoint interface, it appears you may have a requirement for PPPoFR in
your WAN Setup. Then the different keys can be attached to the respective
Virtual-Templates.
Herbert.
On 9/22/07, Toh Soon, Lim <tohsoon28@gmail.com> wrote:
>
> Hi Group,
>
> I'm having a little problem getting OSPF authentication to work using
> different md5 keys for different neighbors over frame relay.
>
> R2 is the hub. Spokes are R5 and R6. OSPF P2MP non-broadcast mode is
> configured. R5's shared key is r5key and R6's shared key is r6key.
>
> R2 Config
> ---------
> !
> interface Serial0/0/0.56 multipoint
> description *** FR Connection to R5,R6 ***
> ip address 136.10.100.2 255.255.255.224
> ip ospf authentication message-digest
> ip ospf message-digest-key 6 md5 r6key
> ip ospf message-digest-key 5 md5 r5key
> ip ospf network point-to-multipoint non-broadcast
> frame-relay map ip 136.10.100.5 105 broadcast
> frame-relay map ip 136.10.100.6 106 broadcast
> no frame-relay inverse-arp
> !
> router ospf 1
> network 136.10.100.2 0.0.0.0 area 0
> neighbor 136.10.100.6
> neighbor 136.10.100.5
> !
>
> R5 Config
> ---------
> !
> interface Serial0/0/0
> description *** FR Connection to R2 ***
> ip address 136.10.100.5 255.255.255.224
> encapsulation frame-relay
> ip ospf authentication message-digest
> ip ospf message-digest-key 5 md5 r5key
> ip ospf network point-to-multipoint non-broadcast
> frame-relay map ip 136.10.100.2 501 broadcast
> no frame-relay inverse-arp
> !
> router ospf 1
> network 136.10.100.5 0.0.0.0 area 0
> !
>
> R6 Config
> ---------
> !
> interface Serial0/0/0
> description *** FR Connection to R2 ***
> ip address 136.10.100.6 255.255.255.224
> encapsulation frame-relay
> ip ospf authentication message-digest
> ip ospf message-digest-key 6 md5 r6key
> ip ospf network point-to-multipoint non-broadcast
> frame-relay map ip 136.10.100.2 601 broadcast
> no frame-relay inverse-arp
> !
> router ospf 1
> network 136.10.100.6 0.0.0.0 area 0
> !
>
>
> R2 and R5 have full adjacency. Full adjacency between R2 and R6 cannot be
> established.
>
> Outputs of "deb ip os adj" on R2 show:
>
> OSPF: Send with youngest Key 5
>
> Outputs of "deb ip os adj" on R6 show:
>
> OSPF: Rcv pkt from 136.10.100.2, Serial0/0/0 : Mismatch Authentication Key - No message digest key 5 on interface
> OSPF: Send with youngest Key 6
>
>
> I'm expecting R2 to send multiple copies of OSPF packets, each authenticated
> by the two keys, to R5 and R6. At least that's what I understood on DocCD
> OSPF Command Ref. From the debug outputs, it seems that R2 only uses key 5.
>
> Can anyone suggest how to work around this issue so that the task can be
> achieved?
>
>
> Many thanks.
>
> B.Rgds,
> Lim TS
-- Kindest regards, hm
This archive was generated by hypermail 2.1.4 : Sat Oct 06 2007 - 12:01:15 ART
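The receive-side check behind the debug output in the thread, as an added example that is not part of either post and is not Cisco's code. It follows the RFC 2328 Appendix D scheme (MD5 over the packet followed by the secret zero-padded to 16 bytes, with the key selected by the Key ID carried in the packet); the packet layout is simplified and the names `sign`, `verify` and `simulate` are hypothetical.

```python
import hashlib
import hmac
import struct

# Key chains as configured in the quoted post (key ID -> shared secret).
R2_KEYS = {6: "r6key", 5: "r5key"}
R5_KEYS = {5: "r5key"}
R6_KEYS = {6: "r6key"}

def pad_key(secret: str) -> bytes:
    """RFC 2328 D.4.3: the secret is zero-padded to 16 bytes."""
    return secret.encode().ljust(16, b"\0")[:16]

def sign(body: bytes, key_id: int, secret: str, seq: int = 1) -> bytes:
    """Simplified packet: key ID, digest length, sequence, body, digest."""
    auth = struct.pack("!BBI", key_id, 16, seq)
    digest = hashlib.md5(auth + body + pad_key(secret)).digest()
    return auth + body + digest

def verify(packet: bytes, configured: dict) -> str:
    """Receiver looks up the key by the Key ID carried in the packet."""
    key_id, dlen, _seq = struct.unpack("!BBI", packet[:6])
    if key_id not in configured:
        # The case R6 logs: the sender's key ID is unknown on this interface.
        return f"No message digest key {key_id} on interface"
    signed, digest = packet[:-dlen], packet[-dlen:]
    expected = hashlib.md5(signed + pad_key(configured[key_id])).digest()
    ok = hmac.compare_digest(expected, digest)
    return "accepted" if ok else "digest mismatch"

def simulate(send_key_id: int = 5) -> dict:
    """Hub sends one copy with a single key ID, as R2's debug shows."""
    hub = sign(b"hello from 136.10.100.2", send_key_id, R2_KEYS[send_key_id])
    spoke6 = sign(b"hello from 136.10.100.6", 6, R6_KEYS[6])
    return {
        "R2->R5": verify(hub, R5_KEYS),
        "R2->R6": verify(hub, R6_KEYS),
        "R6->R2": verify(spoke6, R2_KEYS),
    }

if __name__ == "__main__":
    for link, result in simulate().items():
        print(f"{link}: {result}")
```

The hub accepts R6's packets because key 6 is on its interface, but R6 drops everything the hub sends under key 5, so the failure is one-directional and the adjacency never reaches full.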