OSPF Authentication across multiple Area and Stub / NSSA networks

[Figure: Topology_OSPF_Stubs (lab topology diagram)]

This may be brief, as I am dealing with a mixture of back pain and the medicine for it, so I am going to try to focus long enough to apply authentication in a mixture of ways, across both my NBMA network and my Total Stub / NSSA areas. This can be done two ways with OSPF:

  • Directly on the interface with two commands; I’ll use this approach on the stubs
  • In router configuration with the “area x authentication” command, which still requires some legwork on the interfaces in Area x

So to get started, I’m going to use plain-text authentication in Area 15, which is a very simple configuration:

R1(config)#int fa0/1
R1(config-if)#
R1(config-if)#ip ospf authentication
R1(config-if)#ip ospf authentication ?
  message-digest  Use message-digest authentication
  null            Use no authentication
  <cr>

R1(config-if)#
*Mar  1 13:23:21.181: %OSPF-5-ADJCHG: Process 1, Nbr 5.5.5.5 on FastEthernet0/1 from FULL to DOWN, Neighbor Down: Dead timer expired
R1(config-if)#ip ospf pass
R1(config-if)#ip ospf au
R1(config-if)#ip ospf authentication-k
R1(config-if)#ip ospf authentication-key ?
  <0-7>  Encryption type (0 for not yet encrypted, 7 for proprietary)
  LINE   The OSPF password (key) (maximum 8 characters)

R1(config-if)#ip ospf authentication-key CCNP
R1(config-if)#

A couple of things to note here:

  • As soon as authentication is configured, whether in router configuration or on the interface, the existing adjacency stays up only until the dead timer expires, and then it drops
  • When issuing the first command to set authentication on the interface, I used ? to show there is a <cr> (meaning clear-text), message-digest for MD5, and also an odd “null” option for no authentication at all
  • For the authentication-key, I also used ? to show the two options: LINE, which is the clear-text key, and another oddity, the 0-7 encryption type, which I will experiment with later in this session
  • Clear-text authentication keys are limited to 8 characters

Now I jump on R5 and just pump out the commands quickly:

R5#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R5(config)#int fa0/1
R5(config-if)#ip ospf auth
R5(config-if)#ip ospf authentication-key CCNP
R5(config-if)#
*Dec 30 01:59:20.539: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.11.1 on FastEthernet0/1 from LOADING to FULL, Loading Done
R5(config-if)#

And there it is, clear-text authentication running on my NSSA. But can R4 still ping 5.5.5.5?

R4#ping 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/64/68 ms
R4#

Absolutely it can: authentication was successful and the adjacency re-formed, so it is business as usual. However, I am now going to configure authentication in router config and on the interface for Area 0 using MD5, and we’ll see if that breaks the route from R4 to R5:

R1(config-if)#router ospf 1
R1(config-router)#area 0 authentication message-digest ?
  <cr>

R1(config-router)#area 0 authentication message-digest
R1(config-router)#

  • I could have left off message-digest for plain-text key authentication
  • There are no further options after message-digest with this command
  • Now we must specify our MD5 key on each interface in Area 0

This is a mouthful of a command on the interface, so I am going to include the output of ? at every step of the way to view the options:

R1(config-router)#int s0/0
R1(config-if)#ip ospf message-digest-key ?
  <1-255>  Key ID

R1(config-if)#ip ospf message-digest-key 1 ?
  md5  Use MD5 algorithm

R1(config-if)#ip ospf message-digest-key 1 md5 ?
  <0-7>  Encryption type (0 for not yet encrypted, 7 for proprietary)
  LINE   The OSPF password (key) (maximum 16 characters)

R1(config-if)#ip ospf message-digest-key 1 md5 CCNP ?
LINE    <cr>

R1(config-if)#ip ospf message-digest-key 1 md5 CCNP CCNP ?
LINE    <cr>

R1(config-if)#ip ospf message-digest-key 1 md5 CCNP CCNP CCNP ?
LINE    <cr>

R1(config-if)#ip ospf message-digest-key 1 md5 CCNP CCNP CCNP
R1(config-if)#

So there are multiple interesting things going on here:

  • Again we have encryption type 0-7; I assume this means not encrypted (0) or using MD5 (7)
  • Key #: I would bet those have to match, so I will set one incorrectly and see how I can identify my mistake with show commands or debugs
  • The only option for the algorithm is md5
  • It let me continue to type CCNP without giving an error, so I’m going to try using CCNP CCNP CCNP as my key and see if it works
  • **** MD5 AUTHENTICATION ALLOWS 16 CHARACTERS FOR THE KEY WHILE PLAIN TEXT ONLY ALLOWS 8 CHARACTERS **** VERY IMPORTANT DISTINCTION

So now I will hop on R3, and one thing I want to test is whether a single CCNP will authenticate, and whether letting me enter it three times with spaces was a bug:

R3#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
4.4.4.4           1   FULL/DR         00:00:39    172.12.34.4     FastEthernet0/1
R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#router ospf 1
R3(config-router)#area 0 authentication message-digest
R3(config-router)#int s0/2
R3(config-if)#ip ospf message-digest-key 1 md5 CCNP
R3(config-if)#no ip ospf message-digest-key 1 md5 CCNP
R3(config-if)#ip ospf message-digest-key 1 md5 CCNP CCNP CCNP
R3(config-if)#
*Mar  1 15:04:29.086: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.11.1 on Serial0/2 from LOADING to FULL, Loading Done
R3(config-if)#

As can be seen, those spaces are as much a part of the key as the CCNP repeated three times. I also found and highlighted something interesting: plain-text keys only get 8 characters, but MD5 keys get 16 characters (I went back and highlighted the examples for clarity). So R1 and R3 are authenticated and neighbors again; now a quick ping from R4 to R5 to see if packets are still able to reach 5.5.5.5:

R4#ping 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/65/68 ms
R4#

Sure can. Now I am going to configure R2 for Area 0 authentication; however, I am going to change the Key # to 2 to see what happens (or doesn’t happen):

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#router ospf 1
R2(config-router)#area 0 authentication message-digest
R2(config-router)#int s0/0
R2(config-if)#ip ospf message-digest-key 2 md5 CCNP CCNP CCNP
R2(config-if)#no ip ospf message-digest-key 2 md5 CCNP CCNP CCNP
R2(config-if)#ip ospf message-digest-key 1 md5 CCNP CCNP CCNP
R2(config-if)#
*Mar  1 12:07:33.149: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.11.1 on Serial0/0 from LOADING to FULL, Loading Done
R2(config-if)#

So after waiting the 30 seconds for a Hello, the adjacency was not forming, so I changed it back to key 1. Now, out of curiosity, I am going to change the encryption type to see if that will drop the adjacency, and if it does, I’d like to see if setting it to 7 will allow the adjacency to re-form:

R2(config-if)#no ip ospf message-digest-key 1 md5 CCNP CCNP CCNP

R2(config-if)#ip ospf message-digest-key 1 md5 ?
  <0-7>  Encryption type (0 for not yet encrypted, 7 for proprietary)
  LINE   The OSPF password (key) (maximum 16 characters)

R2(config-if)#ip ospf message-digest-key 1 md5 3 ?
  LINE  The OSPF password (key) (maximum 16 characters)

R2(config-if)#ip ospf message-digest-key 1 md5 3 CCNP CCNP CCNP
R2(config-if)#do sh ip ospf nei


Neighbor ID     Pri   State           Dead Time   Address         Interface
172.16.11.1       1   FULL/DR         00:01:41    172.12.123.1    Serial0/0
R2(config-if)#

Given that it takes 2 minutes for the dead timer on an NBMA network to slowly count down, I went over to R3 and R4 to configure that quickly, then came back to see if there were any drops, but there were none. So now I am really curious, and I am going to assign all 3 NBMA routers different encryption types and see if we get any drops in adjacencies:

R1(config-if)#
R1(config-if)#no ip ospf message-digest-key 1 md5 CCNP CCNP CCNP
R1(config-if)#ip ospf message-digest-key 1 md5 5 CCNP CCNP CCNP
R1(config-if)#
ASR#3
[Resuming connection 3 to r3 … ]

R3(config-if)#int s0/2
R3(config-if)#no ip ospf message-digest-key 1 md5 CCNP CCNP CCNP
R3(config-if)#ip ospf message-digest-key 1 md5 6 CCNP CCNP CCNP
R3(config-if)#

And no drops in adjacency anywhere; just to confirm, I’ll do a ping from R4 to R5:

R4(config-if)#do ping 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/64/68 ms
R4(config-if)#

Whoop there it is! SO THE ENCRYPTION TYPES IN THE MESSAGE-DIGEST COMMAND ON THE INTERFACE CAN BE SET TO DIFFERENT VALUES AND FORM AN ADJACENCY, BUT THE KEY NUMBER AND OF COURSE KEY ITSELF MUST MATCH!
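To pin down the matching rules found above, here is an added Python model (example code, not from this post or from Cisco). It parses the exact commands typed on R1, R2, R3 and R5, treats the <0-7> storage type as irrelevant to matching, as the lab showed, and enforces the 8/16-character limits from the ? help; the handling of the `area x authentication` and `ip ospf authentication` forms is an assumption drawn only from the commands on this page.

```python
import re

# Key-length limits shown by the IOS "?" help on this page: 8 characters for
# the clear-text key and 16 for the MD5 key. Spaces count toward the length.
MAX_KEY_LEN = {"clear": 8, "md5": 16}

def parse_ospf_auth(lines):
    """Return (mode, key_id, key) from router-config and interface commands.

    The optional <0-7> "encryption type" token (after "md5", or before the
    clear-text key) only describes how the key is stored in the config, so it
    is parsed and dropped: this page shows it need not match between neighbors.
    """
    mode, key_id, key = "none", None, None
    for line in (l.strip() for l in lines):
        if line == "ip ospf authentication" or re.match(r"area \S+ authentication$", line):
            mode = "clear"   # key travels in every OSPF packet unprotected
        elif line.endswith("authentication message-digest"):
            mode = "md5"     # packets carry a keyed digest, not the key
        elif line.startswith("ip ospf authentication-key "):
            rest = line[len("ip ospf authentication-key "):]
            m = re.match(r"[0-7] (.+)$", rest)
            key_id, key = 0, (m.group(1) if m else rest)
        elif line.startswith("ip ospf message-digest-key "):
            m = re.match(r"ip ospf message-digest-key (\d+) md5 (?:[0-7] )?(.+)$", line)
            key_id, key = int(m.group(1)), m.group(2)
    return mode, key_id, key

def key_fits(mode, key):
    """True when a key is present and within the limit IOS shows for the mode."""
    return key is not None and len(key) <= MAX_KEY_LEN.get(mode, 0)

def will_authenticate(side_a, side_b):
    """Model of this page's finding: mode, key ID and the exact key string
    (spaces included) must match; the <0-7> storage type does not."""
    a, b = parse_ospf_auth(side_a), parse_ospf_auth(side_b)
    if a[0] == "none" and b[0] == "none":
        return True
    return a == b and key_fits(a[0], a[2])

# Constructed from the commands typed on this page (not a live capture).
R1_S0_0 = ["area 0 authentication message-digest",
           "ip ospf message-digest-key 1 md5 5 CCNP CCNP CCNP"]
R3_S0_2 = ["area 0 authentication message-digest",
           "ip ospf message-digest-key 1 md5 6 CCNP CCNP CCNP"]
R2_WRONG_ID = ["area 0 authentication message-digest",
               "ip ospf message-digest-key 2 md5 CCNP CCNP CCNP"]
R1_FA0_1 = ["ip ospf authentication", "ip ospf authentication-key CCNP"]
R5_FA0_1 = ["ip ospf authentication", "ip ospf authentication-key CCNP"]

if __name__ == "__main__":
    print(will_authenticate(R1_S0_0, R3_S0_2))      # True: key ID 1, same key
    print(will_authenticate(R1_S0_0, R2_WRONG_ID))  # False: key ID mismatch
    print(will_authenticate(R1_FA0_1, R5_FA0_1))    # True: clear-text "CCNP"
```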

So I know you are thinking to yourself, “This is all fine and good, but how can you tell what areas are running authentication?” I have your answer; hold onto your horses for this output from R3, which demonstrates a lot of useful information from “sh ip ospf”:

R3(config-if)#do sh ip ospf
 Routing Process "ospf 1" with ID 3.3.3.3
 Start time: 00:00:41.792, Time elapsed: 02:27:13.561
 Supports only single TOS(TOS0) routes
 Supports opaque LSA
 Supports Link-local Signaling (LLS)
 Supports area transit capability
 It is an area border router
 Router is not originating router-LSAs with maximum metric
 Initial SPF schedule delay 5000 msecs
 Minimum hold time between two consecutive SPFs 10000 msecs
 Maximum wait time between two consecutive SPFs 10000 msecs
 Incremental-SPF disabled
 Minimum LSA interval 5 secs
 Minimum LSA arrival 1000 msecs
 LSA group pacing timer 240 secs
 Interface flood pacing timer 33 msecs
 Retransmission pacing timer 66 msecs
 Number of external LSA 3. Checksum Sum 0x010175
 Number of opaque AS LSA 0. Checksum Sum 0x000000
 Number of DCbitless external and opaque AS LSA 0
 Number of DoNotAge external and opaque AS LSA 0
 Number of areas in this router is 3. 2 normal 1 stub 0 nssa
 Number of areas transit capable is 0
 External flood list length 0
 IETF NSF helper support enabled
 Cisco NSF helper support enabled
    Area BACKBONE(0)
        Number of interfaces in this area is 1
        Area has message digest authentication
        SPF algorithm last executed 00:18:36.094 ago
        SPF algorithm executed 12 times
        Area ranges are
        Number of LSA 10. Checksum Sum 0x05C9A4
        Number of opaque link LSA 0. Checksum Sum 0x000000
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0
    Area 3
        Number of interfaces in this area is 1 (1 loopback)
        Area has no authentication
        SPF algorithm last executed 02:27:11.778 ago
        SPF algorithm executed 3 times
        Area ranges are
        Number of LSA 8. Checksum Sum 0x04E86F
        Number of opaque link LSA 0. Checksum Sum 0x000000
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0
    Area 34
        Number of interfaces in this area is 1
        It is a stub area, no summary LSA in this area
          generates stub default route with cost 1
        Area has message digest authentication
        SPF algorithm last executed 00:12:26.836 ago
        SPF algorithm executed 9 times
        Area ranges are
        Number of LSA 4. Checksum Sum 0x014DB0
        Number of opaque link LSA 0. Checksum Sum 0x000000
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0

R3(config-if)#

So much good information about every area it knows about: whether the area is a stub, whether it has authentication configured (and what kind), and what type of router this is (above the area info). While we are on the topic, I want to demonstrate useful info from a couple of other show commands to troubleshoot with:

R3(config-if)#do sh ip proto
Routing Protocol is "ospf 1"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Router ID 3.3.3.3

  It is an area border router

  Number of areas in this router is 3. 2 normal 1 stub 0 nssa
  Maximum path: 4
  Routing for Networks:
    3.3.3.3 0.0.0.0 area 3
    172.12.34.0 0.0.0.255 area 34
    172.12.123.0 0.0.0.255 area 0
 Reference bandwidth unit is 100 mbps
  Routing Information Sources:
    Gateway         Distance      Last Update
    2.2.2.2              110      00:22:40
    172.16.11.1          110      00:22:40
  Distance: (default is 110)

R3(config-if)#

That is a lot of good information as well: the router’s RID, its router type, the number of areas it knows about, and what types of areas those are. One more here to complete the show commands:

R3(config-if)#do sh ip ospf int s0/2
Serial0/2 is up, line protocol is up
  Internet Address 172.12.123.3/24, Area 0
  Process ID 1, Router ID 3.3.3.3, Network Type NON_BROADCAST, Cost: 64
  Transmit Delay is 1 sec, State DROTHER, Priority 0
  Designated Router (ID) 172.16.11.1, Interface address 172.12.123.1
  No backup designated router on this network
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
    oob-resync timeout 120
    Hello due in 00:00:07
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 1/3, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 2
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 172.16.11.1  (Designated Router)

  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled

    Youngest key id is 1

R3(config-if)#

Got my timer intervals, the DR’s RID and the IP address of its connected interface, the neighbor count, and it shows authentication with a key ID of 1; just a lot of good troubleshooting information here.
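As an added example (not the post’s own code), the audit below parses the “sh ip ospf” area blocks shown above and flags every area that is not running message-digest authentication; the `SHOW_IP_OSPF` sample is a trimmed copy of R3’s output embedded as constructed input.

```python
import re

# Trimmed copy of the "sh ip ospf" output from R3 shown above, embedded here as
# constructed sample input so the audit runs offline.
SHOW_IP_OSPF = """\
 Routing Process "ospf 1" with ID 3.3.3.3
 It is an area border router
 Number of areas in this router is 3. 2 normal 1 stub 0 nssa
    Area BACKBONE(0)
        Number of interfaces in this area is 1
        Area has message digest authentication
        Area ranges are
    Area 3
        Number of interfaces in this area is 1 (1 loopback)
        Area has no authentication
    Area 34
        Number of interfaces in this area is 1
        It is a stub area, no summary LSA in this area
        Area has message digest authentication
"""

def parse_area_auth(output):
    """Map each area in "show ip ospf" to its authentication mode and stub flag.

    The mode is the text IOS prints between "Area has" and "authentication",
    i.e. "message digest" or "no" in the output on this page.
    """
    areas, current = {}, None
    for line in output.splitlines():
        hdr = re.match(r"\s*Area (\S+)$", line)   # "Area BACKBONE(0)", "Area 34"
        if hdr:
            current = hdr.group(1)
            areas[current] = {"auth": "unknown", "stub": False}
            continue
        if current is None:
            continue                              # still in the process header
        auth = re.match(r"\s*Area has (.+?) authentication", line)
        if auth:
            areas[current]["auth"] = auth.group(1)
        elif "It is a stub area" in line:
            areas[current]["stub"] = True
    return areas

def weak_areas(areas):
    """Areas a reviewer should flag: anything short of message-digest auth."""
    return sorted(a for a, info in areas.items() if info["auth"] != "message digest")

if __name__ == "__main__":
    for area, info in parse_area_auth(SHOW_IP_OSPF).items():
        print(f"Area {area}: {info['auth']} authentication, stub={info['stub']}")
    print("needs attention:", weak_areas(parse_area_auth(SHOW_IP_OSPF)))
```

On R3’s output this reports Area 3 (the loopback-only area) as the one area with no authentication, which the summary counters in “sh ip ospf” alone do not reveal.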

So I am going to “wr mem” on my configs in case I forgot anything; otherwise I am fried, and you will just need to believe from the show output above that I did do authentication between R3 and R4.

***Also one note on Hello / Dead timers: Hello / Dead timers for NBMA are 30/120, on FastEthernet 10/40, and OSPF dynamically adjusts the Dead timer to be 4x the Hello if the Hello is changed***

/fin
