This may be brief as I am dealing with a mixture of back pain and the medicine for it, so I am going to try to focus long enough to apply authentication in a mixture of ways, across both my NBMA network and my Total Stub / NSSA Areas. This can be done two ways with OSPF:
- Directly on the interface with two commands; I’ll use this approach on the Stub areas
- In router configuration with “area x authentication” command which still requires some leg work on the interfaces in Area x
So to get started, I’m going to use plain-text authentication in Area 15 which is a very simple configuration:
R1(config)#int fa0/1
R1(config-if)#
R1(config-if)#ip ospf authentication
R1(config-if)#ip ospf authentication ?
message-digest Use message-digest authentication
null Use no authentication
<cr>
R1(config-if)#
*Mar 1 13:23:21.181: %OSPF-5-ADJCHG: Process 1, Nbr 5.5.5.5 on FastEthernet0/1 from FULL to DOWN, Neighbor Down: Dead timer expired
R1(config-if)#ip ospf pass
R1(config-if)#ip ospf au
R1(config-if)#ip ospf authentication-k
R1(config-if)#ip ospf authentication-key ?
<0-7> Encryption type (0 for not yet encrypted, 7 for proprietary)
LINE The OSPF password (key) (maximum 8 characters)
R1(config-if)#ip ospf authentication-key CCNP
R1(config-if)#
A couple of things to note here:
- As soon as authentication is configured, whether in router configuration or on the interface, the adjacency only has until the dead timer expires before it drops
- When issuing the first command to set authentication on the interface, I used ? to show there is a <cr> indicating clear text, message-digest for MD5, and also an odd “null” option for no authentication to be used
- For the authentication-key, I also used ? to show the two options: LINE, which is the clear text key, and another oddity, the 0-7 encryption type, which I will experiment with in this session
- Clear text authentication keys are limited to 8 characters
Now I jump on R5 and just pump out the commands quickly:
R5#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R5(config)#int fa0/1
R5(config-if)#ip ospf auth
R5(config-if)#ip ospf authentication-key CCNP
R5(config-if)#
*Dec 30 01:59:20.539: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.11.1 on FastEthernet0/1 from LOADING to FULL, Loading Done
R5(config-if)#
And there it is, clear text authentication running on my NSSA, but can R4 still ping 5.5.5.5?
R4#ping 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/64/68 ms
R4#
Absolutely it can: authentication was successful and the adjacency re-formed, so it is business as usual. Next I am going to configure authentication in router config and on the interface for Area 0 using MD5, and we’ll see if that breaks the route from R4 to R5:
R1(config-if)#router ospf 1
R1(config-router)#area 0 authentication message-digest ?
<cr>
R1(config-router)#area 0 authentication message-digest
R1(config-router)#
- I could have left off message-digest for plain text key authentication
- There are no further options after message-digest with this command
- Now we must specify our MD5 key on the interface in Area 0
This is a mouthful of a command on the interface, so I am going to include the output of ? at every step of the way to view the options:
R1(config-router)#int s0/0
R1(config-if)#ip ospf message-digest-key ?
<1-255> Key ID
R1(config-if)#ip ospf message-digest-key 1 ?
md5 Use MD5 algorithm
R1(config-if)#ip ospf message-digest-key 1 md5 ?
<0-7> Encryption type (0 for not yet encrypted, 7 for proprietary)
LINE The OSPF password (key) (maximum 16 characters)
R1(config-if)#ip ospf message-digest-key 1 md5 CCNP ?
LINE <cr>
R1(config-if)#ip ospf message-digest-key 1 md5 CCNP CCNP ?
LINE <cr>
R1(config-if)#ip ospf message-digest-key 1 md5 CCNP CCNP CCNP ?
LINE <cr>
R1(config-if)#ip ospf message-digest-key 1 md5 CCNP CCNP CCNP
R1(config-if)#
So there are multiple interesting things going on here:
- Again we have encryption type 0-7, I assume meaning not encrypted (0) or using MD5 (7)
- The key number: I would bet those have to match, so I will set one incorrectly and see whether I can identify my mistake with show commands or debugs
- The only algorithm option is md5
- It let me continue to type CCNP without giving an error, so I’m going to try using CCNP CCNP CCNP as my key and see if it works
- **** MD5 ENCRYPTION ALLOWS 16 CHARACTERS FOR THE KEY WHILE PLAIN TEXT ONLY ALLOWS 8 CHARACTERS **** VERY IMPORTANT DISTINCTION
So now I will hop on R3, and one thing I want to test is whether a single CCNP authenticates, and whether letting me type CCNP three times with spaces in between is a bug:
R3#sh ip ospf nei
Neighbor ID Pri State Dead Time Address Interface
4.4.4.4 1 FULL/DR 00:00:39 172.12.34.4 FastEthernet0/1
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#router ospf 1
R3(config-router)#area 0 authentication message-digest
R3(config-router)#int s0/2
R3(config-if)#ip ospf message-digest-key 1 md5 CCNP
R3(config-if)#no ip ospf message-digest-key 1 md5 CCNP
R3(config-if)#ip ospf message-digest-key 1 md5 CCNP CCNP CCNP
R3(config-if)#
*Mar 1 15:04:29.086: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.11.1 on Serial0/2 from LOADING to FULL, Loading Done
R3(config-if)#
As can be seen, those spaces are as much a part of the key as the CCNP repeated 3 times. I also found and highlighted something interesting: plain text keys only get 8 characters but MD5 keys get 16 characters, and I went back and highlighted the examples for clarity. So R1 and R3 are authenticated and neighbors again, so a quick ping from R4 to R5 to see if packets are still able to hit 5.5.5.5:
R4#ping 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/65/68 ms
R4#
Sure can. Now I am going to configure R2 for Area 0 authentication, however I am going to change the Key # to 2 to see what happens (or doesn’t happen):
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#router ospf 1
R2(config-router)#area 0 authentication message-digest
R2(config-router)#int s0/0
R2(config-if)#ip ospf message-digest-key 2 md5 CCNP CCNP CCNP
R2(config-if)#no ip ospf message-digest-key 2 md5 CCNP CCNP CCNP
R2(config-if)#ip ospf message-digest-key 1 md5 CCNP CCNP CCNP
R2(config-if)#
*Mar 1 12:07:33.149: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.11.1 on Serial0/0 from LOADING to FULL, Loading Done
R2(config-if)#
So after waiting the 30 seconds for a Hello, an adjacency was not forming, so I changed it back to key 1. Now out of curiosity I am going to change the encryption type to see if that will drop the adjacency, and if it does, I’d like to see if setting it to 7 will allow the adjacency to re-form:
R2(config-if)#no ip ospf message-digest-key 1 md5 CCNP CCNP CCNP
R2(config-if)#ip ospf message-digest-key 1 md5 ?
<0-7> Encryption type (0 for not yet encrypted, 7 for proprietary)
LINE The OSPF password (key) (maximum 16 characters)
R2(config-if)#ip ospf message-digest-key 1 md5 3 ?
LINE The OSPF password (key) (maximum 16 characters)
R2(config-if)#ip ospf message-digest-key 1 md5 3 CCNP CCNP CCNP
R2(config-if)#do sh ip ospf nei
Neighbor ID Pri State Dead Time Address Interface
172.16.11.1 1 FULL/DR 00:01:41 172.12.123.1 Serial0/0
R2(config-if)#
Given that it takes 2 minutes for the dead timer on an NBMA network to slowly count down, I went over to R3 and R4 to configure that quickly, then came back to see if there were any drops, but there were none. So now I am really curious, and I am going to assign all 3 NBMA routers different encryption types and see if we see some drops in adjacencies:
R1(config-if)#
R1(config-if)#no ip ospf message-digest-key 1 md5 CCNP CCNP CCNP
R1(config-if)#ip ospf message-digest-key 1 md5 5 CCNP CCNP CCNP
R1(config-if)#
ASR#3
[Resuming connection 3 to r3 … ]
R3(config-if)#int s0/2
R3(config-if)#no ip ospf message-digest-key 1 md5 CCNP CCNP CCNP
R3(config-if)#ip ospf message-digest-key 1 md5 6 CCNP CCNP CCNP
R3(config-if)#
And no drops in Adjacency anywhere, just to confirm I’ll do a ping from R4 to R5:
R4(config-if)#do ping 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/64/68 ms
R4(config-if)#
Whoop there it is! SO THE ENCRYPTION TYPES IN THE MESSAGE-DIGEST COMMAND ON THE INTERFACE CAN BE SET TO DIFFERENT VALUES AND FORM AN ADJACENCY, BUT THE KEY NUMBER AND OF COURSE KEY ITSELF MUST MATCH!
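To show why the experiments above come out the way they do, here is an added example (not code from the original post) that builds and verifies OSPFv2 Hello packets the way RFC 2328 Appendix D specifies for all three AuType values. The router IDs, area numbers, timers and keys are taken from the lab above; the packets themselves are constructed here and never leave the script. It makes the three observations concrete: the plain-text password rides in the 64-bit Authentication field of the header in the clear, which is exactly why it is capped at 8 characters and why anyone capturing the segment can read it; an MD5 key is zero-padded to 16 octets and hashed together with the packet, so it is capped at 16 and the spaces in “CCNP CCNP CCNP” are simply key octets; and the receiver uses the Key ID in the header to look up which configured key to try, so a mismatched key number fails before any digest is compared. The 0-7 number IOS asks for on the interface is how the key is stored in the running configuration (0 means the key was typed in clear, 7 means it was supplied already in Cisco's type-7 encoded form); it is never sent on the wire, which is why R1, R2 and R3 formed adjacencies with different values.

```python
# Added example (not from the original post): OSPFv2 Hello packets built and verified
# with the three authentication types of RFC 2328 Appendix D.
import hashlib
import hmac
import socket
import struct
from typing import Dict, Optional, Tuple

OSPF_VERSION, OSPF_TYPE_HELLO = 2, 1
AUTH_NULL, AUTH_SIMPLE, AUTH_CRYPTO = 0, 1, 2
MD5_DIGEST_LEN, HEADER_LEN = 16, 24   # Auth Data Length; fixed header incl. 64-bit auth field
HEADER_FMT = "!BBH4s4sHH8s"           # ver, type, length, router id, area id, csum, autype, auth


def ip(addr: str) -> bytes:
    """Dotted quad to 4 network-order bytes (area 15 is written 0.0.0.15)."""
    return socket.inet_aton(addr)


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used by OSPF for AuType 0 and 1."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def hello_body(mask: str, hello: int, dead: int, priority: int = 1,
               dr: str = "0.0.0.0", bdr: str = "0.0.0.0") -> bytes:
    # Hello body without a neighbour list; hello/dead are the interval timers.
    return struct.pack("!4sHBBI4s4s", ip(mask), hello, 0x02, priority, dead, ip(dr), ip(bdr))


def build_ospf_packet(router_id: str, area_id: str, body: bytes, auth_type: int, *,
                      password: bytes = b"", key_id: int = 0, key: bytes = b"", seq: int = 0) -> bytes:
    """Sender side of RFC 2328 D.4: fill Checksum and Authentication for auth_type."""
    length = HEADER_LEN + len(body)
    if auth_type == AUTH_CRYPTO:
        if len(key) > 16:                 # the 16-character limit IOS shows for md5 keys
            raise ValueError("MD5 key longer than 16 octets")
        # Checksum is 0; Authentication = 0, Key ID, Auth Data Len, crypto sequence number.
        auth_field = struct.pack("!HBBI", 0, key_id, MD5_DIGEST_LEN, seq)
        packet = struct.pack(HEADER_FMT, OSPF_VERSION, OSPF_TYPE_HELLO, length, ip(router_id),
                             ip(area_id), 0, auth_type, auth_field) + body
        # Digest = MD5(packet || key zero-padded to 16 octets), appended after the packet.
        return packet + hashlib.md5(packet + key.ljust(16, b"\x00")).digest()
    if auth_type == AUTH_SIMPLE:
        if len(password) > 8:             # the 8-character limit: the field is 64 bits wide
            raise ValueError("simple password longer than 8 octets")
        auth_field = password.ljust(8, b"\x00")
    else:
        auth_field = bytes(8)
    # The checksum covers the whole packet except the 64-bit Authentication field.
    unauth = struct.pack("!BBH4s4sHH", OSPF_VERSION, OSPF_TYPE_HELLO, length,
                         ip(router_id), ip(area_id), 0, auth_type)
    return struct.pack(HEADER_FMT, OSPF_VERSION, OSPF_TYPE_HELLO, length, ip(router_id),
                       ip(area_id), ip_checksum(unauth + body), auth_type, auth_field) + body


def verify_ospf_packet(packet: bytes, expected_auth_type: int, *, password: bytes = b"",
                       keys: Optional[Dict[int, bytes]] = None) -> Tuple[bool, str]:
    """Receiver side of RFC 2328 D.4.1-D.4.3: returns (accepted, reason)."""
    ver, _, length, _, _, _, auth_type, auth = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if ver != OSPF_VERSION or auth_type != expected_auth_type:
        return False, "version or AuType mismatch"
    if auth_type == AUTH_CRYPTO:
        _, key_id, auth_len, _ = struct.unpack("!HBBI", auth)
        key = (keys or {}).get(key_id)    # the Key ID selects which configured key to try
        if key is None:
            return False, "no key configured for key id %d" % key_id
        expected = hashlib.md5(packet[:length] + key.ljust(16, b"\x00")).digest()
        if not hmac.compare_digest(expected, packet[length:length + auth_len]):
            return False, "MD5 digest mismatch for key id %d" % key_id
        return True, "MD5 digest ok"
    if ip_checksum(packet[:16] + packet[HEADER_LEN:length]) != 0:
        return False, "checksum mismatch"
    if auth_type == AUTH_SIMPLE and not hmac.compare_digest(auth, password.ljust(8, b"\x00")):
        return False, "simple password mismatch"
    return True, "accepted"


def key_accepted(auth_type: int, secret: bytes) -> bool:
    # True if the length limit for this auth type (8 plain, 16 MD5) admits the secret.
    try:
        build_ospf_packet("1.1.1.1", "0.0.0.0", b"", auth_type, password=secret, key=secret)
        return True
    except ValueError:
        return False


def lab_walkthrough() -> dict:
    """Replay the post's experiments on constructed packets (no lab needed)."""
    plain = build_ospf_packet("1.1.1.1", "0.0.0.15", hello_body("255.255.255.0", 10, 40),
                              AUTH_SIMPLE, password=b"CCNP")
    md5_key = b"CCNP CCNP CCNP"           # the spaces are key octets: 14 of the 16 allowed
    r1_hello = build_ospf_packet("172.16.11.1", "0.0.0.0",
                                 hello_body("255.255.255.0", 30, 120, 0, "172.12.123.1"),
                                 AUTH_CRYPTO, key_id=1, key=md5_key, seq=1)
    return {
        "password_on_wire": plain[16:24],   # readable in any packet capture
        "plain_ok": verify_ospf_packet(plain, AUTH_SIMPLE, password=b"CCNP")[0],
        "r3_key_id_1": verify_ospf_packet(r1_hello, AUTH_CRYPTO, keys={1: md5_key}),
        "r2_key_id_2": verify_ospf_packet(r1_hello, AUTH_CRYPTO, keys={2: md5_key}),
        "r3_single_ccnp": verify_ospf_packet(r1_hello, AUTH_CRYPTO, keys={1: b"CCNP"}),
    }
```

Running `lab_walkthrough()` reproduces the lab offline: the Area 15 Hello carries `CCNP` followed by four zero bytes at header offset 16, R3 with key id 1 and the full `CCNP CCNP CCNP` accepts R1's Hello, R2 configured with key id 2 is rejected with "no key configured for key id 1" (the same silent non-adjacency seen on R2 above, since a rejected packet is just dropped), and a single `CCNP` under key id 1 fails the digest comparison. The cryptographic sequence number is carried but not checked here; a real implementation also rejects sequence numbers that go backwards, which is the replay protection MD5 authentication adds on top of the key check.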
So I know you are thinking to yourself, “This is all fine and good, but how can you tell which areas are running authentication?” I have your answer; hold onto your horses for this output from R3, which demonstrates a lot of useful information from “sh ip ospf”:
R3(config-if)#do sh ip ospf
Routing Process "ospf 1" with ID 3.3.3.3
Start time: 00:00:41.792, Time elapsed: 02:27:13.561
Supports only single TOS(TOS0) routes
Supports opaque LSA
Supports Link-local Signaling (LLS)
Supports area transit capability
It is an area border router
Router is not originating router-LSAs with maximum metric
Initial SPF schedule delay 5000 msecs
Minimum hold time between two consecutive SPFs 10000 msecs
Maximum wait time between two consecutive SPFs 10000 msecs
Incremental-SPF disabled
Minimum LSA interval 5 secs
Minimum LSA arrival 1000 msecs
LSA group pacing timer 240 secs
Interface flood pacing timer 33 msecs
Retransmission pacing timer 66 msecs
Number of external LSA 3. Checksum Sum 0x010175
Number of opaque AS LSA 0. Checksum Sum 0x000000
Number of DCbitless external and opaque AS LSA 0
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 3. 2 normal 1 stub 0 nssa
Number of areas transit capable is 0
External flood list length 0
IETF NSF helper support enabled
Cisco NSF helper support enabled
Area BACKBONE(0)
Number of interfaces in this area is 1
Area has message digest authentication
SPF algorithm last executed 00:18:36.094 ago
SPF algorithm executed 12 times
Area ranges are
Number of LSA 10. Checksum Sum 0x05C9A4
Number of opaque link LSA 0. Checksum Sum 0x000000
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0
Area 3
Number of interfaces in this area is 1 (1 loopback)
Area has no authentication
SPF algorithm last executed 02:27:11.778 ago
SPF algorithm executed 3 times
Area ranges are
Number of LSA 8. Checksum Sum 0x04E86F
Number of opaque link LSA 0. Checksum Sum 0x000000
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0
Area 34
Number of interfaces in this area is 1
It is a stub area, no summary LSA in this area
generates stub default route with cost 1
Area has message digest authentication
SPF algorithm last executed 00:12:26.836 ago
SPF algorithm executed 9 times
Area ranges are
Number of LSA 4. Checksum Sum 0x014DB0
Number of opaque link LSA 0. Checksum Sum 0x000000
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0
R3(config-if)#
So much good information about every area it knows about: whether the area is a stub, whether it has authentication configured (and what kind), and what type of router it is (above the per-area info). While we are on the topic, I want to demonstrate useful info from a couple of other show commands to troubleshoot with:
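Reading the per-area authentication state out of that output by eye works for three areas; across a fleet you would script it and flag anything that is not running MD5. The following is an added example, not code from the original post, that parses the area blocks of `show ip ospf` and lists the areas carrying no authentication or only a clear-text password. The sample text is the R3 output above, trimmed to the lines the parser needs; the `It is a NSSA area` and `Area has simple password authentication` strings it also recognises are assumed from IOS output, since the post only shows normal and stub areas with MD5 or no authentication.

```python
# Added example (not from the original post): audit per-area authentication from the
# text of "show ip ospf", e.g. output saved from a terminal session or collected by a script.
import re
from typing import Dict, List

# Constructed sample: the area blocks of the post's R3 "show ip ospf" output, trimmed.
SHOW_IP_OSPF_R3 = """\
Routing Process "ospf 1" with ID 3.3.3.3
 It is an area border router
 Number of areas in this router is 3. 2 normal 1 stub 0 nssa
    Area BACKBONE(0)
        Number of interfaces in this area is 1
        Area has message digest authentication
        SPF algorithm executed 12 times
    Area 3
        Number of interfaces in this area is 1 (1 loopback)
        Area has no authentication
        SPF algorithm executed 3 times
    Area 34
        Number of interfaces in this area is 1
        It is a stub area, no summary LSA in this area
        Area has message digest authentication
        SPF algorithm executed 9 times
"""

AREA_RE = re.compile(r"^\s*Area (?:BACKBONE\((\d+)\)|(\d+))\s*$")
AUTH_RE = re.compile(r"^\s*Area has (no|simple password|message digest) authentication\s*$")
IFACES_RE = re.compile(r"^\s*Number of interfaces in this area is (\d+)")
AUTH_NAMES = {"no": "none", "simple password": "plain-text", "message digest": "md5"}


def parse_show_ip_ospf(text: str) -> Dict[str, dict]:
    """Return {area_id: {"auth": ..., "interfaces": n, "stub": bool, "nssa": bool}}."""
    areas: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = AREA_RE.match(line)
        if m:                                   # start of a new per-area block
            current = m.group(1) or m.group(2)
            areas[current] = {"auth": "unknown", "interfaces": 0, "stub": False, "nssa": False}
            continue
        if current is None:                     # still in the process-level header
            continue
        m = AUTH_RE.match(line)
        if m:
            areas[current]["auth"] = AUTH_NAMES[m.group(1)]
        m = IFACES_RE.match(line)
        if m:
            areas[current]["interfaces"] = int(m.group(1))
        if "It is a stub area" in line:
            areas[current]["stub"] = True
        if "It is a NSSA area" in line:         # assumed IOS wording; not shown in the post
            areas[current]["nssa"] = True
    return areas


def weak_areas(areas: Dict[str, dict]) -> List[str]:
    """Areas with no authentication or a clear-text password, lowest area number first."""
    return sorted((a for a, info in areas.items() if info["auth"] != "md5"), key=int)


def audit_report(text: str) -> List[str]:
    """One line per area, suitable for a periodic config-compliance check."""
    areas = parse_show_ip_ospf(text)
    flagged = set(weak_areas(areas))
    return ["area %s: auth=%s interfaces=%d%s%s" % (
                a, info["auth"], info["interfaces"],
                " stub" if info["stub"] else "",
                "  <-- needs MD5" if a in flagged else "")
            for a, info in sorted(areas.items(), key=lambda kv: int(kv[0]))]
```

On the R3 output this flags only Area 3, the loopback-only area the post never configured authentication for; the backbone and stub Area 34 report `md5`. Plain-text areas are flagged as well, because a simple-password area is only marginally better than none once anyone can capture a Hello on the segment.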
R3(config-if)#do sh ip proto
Routing Protocol is "ospf 1"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 3.3.3.3
It is an area border router
Number of areas in this router is 3. 2 normal 1 stub 0 nssa
Maximum path: 4
Routing for Networks:
3.3.3.3 0.0.0.0 area 3
172.12.34.0 0.0.0.255 area 34
172.12.123.0 0.0.0.255 area 0
Reference bandwidth unit is 100 mbps
Routing Information Sources:
Gateway Distance Last Update
2.2.2.2 110 00:22:40
172.16.11.1 110 00:22:40
Distance: (default is 110)
R3(config-if)#
That is a lot of good information as well: the router’s RID, its router type, the number of areas it knows about, and what types of areas those are. One more here to complete the show commands:
R3(config-if)#do sh ip ospf int s0/2
Serial0/2 is up, line protocol is up
Internet Address 172.12.123.3/24, Area 0
Process ID 1, Router ID 3.3.3.3, Network Type NON_BROADCAST, Cost: 64
Transmit Delay is 1 sec, State DROTHER, Priority 0
Designated Router (ID) 172.16.11.1, Interface address 172.12.123.1
No backup designated router on this network
Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
oob-resync timeout 120
Hello due in 00:00:07
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 1/3, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 2
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 172.16.11.1 (Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1
R3(config-if)#
Got my timer intervals, the DR’s RID and the IP address of its connected interface, the neighbor count, and it shows authentication with key id 1; just a lot of good troubleshooting information here.
So I am going to “wr mem” on my configs in case I forgot anything; otherwise I am fried and you will just need to believe from the show output above that I did do authentication between R3 and R4.
***Also one note for Hello / Dead Timers: Hello / Dead timers for NBMA are 30/120, on FastEthernet 10/40, and OSPF dynamically adjusts Dead timer to be 4x the Hello if changed***
/fin