Re: Issue with OSPF authentication using different MD5 keys

From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Sat Sep 22 2007 - 02:05:56 ART


On R6 add the neighbor command pointing to the hub under the OSPF
process. Below is the rule of thumb that you want to remember with
this configuration (multiple keys over an OSPF non-broadcast network):

When using multiple keys over a non-broadcast network (OSPF) you
should also configure the neighbor command on the spokes along with
the neighbors on the hub (see note below). This is technically only
needed on the spoke that is configured without the "youngest" key.
The hub will by default send hellos using the "youngest" key (key 5
in your case) and the spoke that is using the "non-youngest" (key 6
in your case) key will ignore the hellos from the hub due to the key
mismatch. You need to ensure that R6 can send hellos using its
configured key so that R5 can detect it and start using key 6 with
R6. By default of course R6 is non-broadcast which means it can't
initiate its own hellos.

As a side note you can possibly get this to work without the neighbor
command but it will not survive a reload.

* Note - Technically you could just configure the neighbor command on
the spokes and leave them off the hub.

HTH,

Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP)
bdennis@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)

On Sep 21, 2007, at 9:01 PM, Toh Soon, Lim wrote:

> Hi Group,
>
> I'm having a little problem getting OSPF authentication to work using
> different md5 keys for different neighbors over frame relay.
>
> R2 is the hub. Spokes are R5 and R6. OSPF P2MP non-broadcast mode is
> configured. R5's shared key is r5key and R6's shared key is r6key.
>
> R2 Config
> ---------
> !
> interface Serial0/0/0.56 multipoint
> description *** FR Connection to R5,R6 ***
> ip address 136.10.100.2 255.255.255.224
> ip ospf authentication message-digest
> ip ospf message-digest-key 6 md5 r6key
> ip ospf message-digest-key 5 md5 r5key
> ip ospf network point-to-multipoint non-broadcast
> frame-relay map ip 136.10.100.5 105 broadcast
> frame-relay map ip 136.10.100.6 106 broadcast
> no frame-relay inverse-arp
> !
> router ospf 1
> network 136.10.100.2 0.0.0.0 area 0
> neighbor 136.10.100.6
> neighbor 136.10.100.5
> !
>
> R5 Config
> ---------
> !
> interface Serial0/0/0
> description *** FR Connection to R2 ***
> ip address 136.10.100.5 255.255.255.224
> encapsulation frame-relay
> ip ospf authentication message-digest
> ip ospf message-digest-key 5 md5 r5key
> ip ospf network point-to-multipoint non-broadcast
> frame-relay map ip 136.10.100.2 501 broadcast
> no frame-relay inverse-arp
> !
> router ospf 1
> network 136.10.100.5 0.0.0.0 area 0
> !
>
> R6 Config
> ---------
> !
> interface Serial0/0/0
> description *** FR Connection to R2 ***
> ip address 136.10.100.6 255.255.255.224
> encapsulation frame-relay
> ip ospf authentication message-digest
> ip ospf message-digest-key 6 md5 r6key
> ip ospf network point-to-multipoint non-broadcast
> frame-relay map ip 136.10.100.2 601 broadcast
> no frame-relay inverse-arp
> !
> router ospf 1
> network 136.10.100.6 0.0.0.0 area 0
> !
>
>
> R2 and R5 have full adjacency. Full adjacency between R2 and R6 cannot be
> established.
>
> Outputs of "deb ip os adj" on R2 show:
>
> OSPF: Send with youngest Key 5
>
> Outputs of "deb ip os adj" on R6 show:
>
> OSPF: Rcv pkt from 136.10.100.2, Serial0/0/0 : Mismatch Authentication Key -
> No message digest key 5 on interface
> OSPF: Send with youngest Key 6
>
>
> I'm expecting R2 to send multiple copies of OSPF packets, each authenticated
> by the two keys, to R5 and R6. At least that's what I understood on DocCD
> OSPF Command Ref. From the debug outputs, it seems that R2 only uses key 5.
>
> Can anyone suggest how to work around this issue so that the task can be
> achieved?
>
>
> Many thanks.
>
> B.Rgds,
> Lim TS
>
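The behaviour Brian describes (the hub sends hellos with its youngest key, the spoke that lacks that key id drops them, and a neighbor statement on the spoke lets the hub learn which key that spoke holds), as an added Python simulation that is not part of this thread. It models the RFC 2328 Appendix D MD5 authentication with the key ids and keys from Lim's configs; treating the last-configured key as the youngest, using router names in place of addresses, and the per-neighbor key lock-in on the hub are simplifying assumptions.

```python
import hashlib
from dataclasses import dataclass, field

def ospf_md5_digest(packet: bytes, key: bytes) -> bytes:
    """RFC 2328 Appendix D: MD5 over the packet plus the key padded to 16 bytes."""
    return hashlib.md5(packet + key.ljust(16, b"\x00")[:16]).digest()

@dataclass
class Hello:
    src: str
    key_id: int          # sent in the clear in the OSPF header
    body: bytes
    digest: bytes

@dataclass
class Router:
    name: str
    keys: dict                                      # key_id -> key; last entry is "youngest" (assumption)
    neighbors: list = field(default_factory=list)   # NBMA "neighbor" statements
    seen: set = field(default_factory=set)          # neighbors whose hello authenticated
    active_key: dict = field(default_factory=dict)  # key_id in use toward each neighbor
    log: list = field(default_factory=list)

    def build_hello(self, dst: str) -> Hello:
        kid = self.active_key.get(dst, list(self.keys)[-1])  # youngest until proven otherwise
        body = f"HELLO {self.name}->{dst}".encode()
        self.log.append(f"{self.name}: Send with Key {kid} to {dst}")
        return Hello(self.name, kid, body, ospf_md5_digest(body, self.keys[kid]))

    def receive(self, h: Hello) -> bool:
        key = self.keys.get(h.key_id)
        if key is None or ospf_md5_digest(h.body, key) != h.digest:
            self.log.append(f"{self.name}: Rcv pkt from {h.src}: Mismatch Authentication Key {h.key_id}")
            return False
        self.active_key[h.src] = h.key_id  # lock on to the key this neighbor proved it holds
        self.seen.add(h.src)
        return True

def simulate(r6_has_neighbor_cmd: bool, rounds: int = 3):
    # Constructed topology from the thread: hub R2 with keys 6 and 5, spokes R5 (key 5) and R6 (key 6).
    hub = Router("R2", {6: b"r6key", 5: b"r5key"}, neighbors=["R5", "R6"])
    r5 = Router("R5", {5: b"r5key"})
    r6 = Router("R6", {6: b"r6key"}, neighbors=["R2"] if r6_has_neighbor_cmd else [])
    routers = {r.name: r for r in (hub, r5, r6)}
    for _ in range(rounds):
        for r in routers.values():
            # Non-broadcast: hellos go only to configured neighbors or ones already heard.
            for dst in sorted(set(r.neighbors) | r.seen):
                routers[dst].receive(r.build_hello(dst))
    two_way = {s: s in hub.seen and "R2" in routers[s].seen for s in ("R5", "R6")}
    return two_way, hub.log + r6.log
```

Running `simulate(False)` reproduces the stuck R6 adjacency and the key 5 mismatch log; `simulate(True)` shows the hub switching to key 6 toward R6 after the spoke's first authenticated hello.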



This archive was generated by hypermail 2.1.4 : Sat Oct 06 2007 - 12:01:15 ART