Here is an interesting case I encountered during my labs. This is the network topology:
All routers are configured with their relevant IP addresses and run OSPF process ID 1, using Loopback0 as the router ID.
Task 1:
Configure simple authentication on area 0 using "cisco" as the password.
Solution:
On both R1 and R2:
router ospf 1
area 0 authentication
interface FastEthernet0/0
ip ospf authentication
ip ospf authentication-key cisco
Verification:
R1#show ip ospf interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
  Internet Address 10.1.12.1/24, Area 0, Attached via Network Statement
  Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 1
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           1         no          no            Base
  Transmit Delay is 1 sec, State BDR, Priority 1
  Designated Router (ID) 2.2.2.2, Interface address 10.1.12.2
  Backup Designated router (ID) 1.1.1.1, Interface address 10.1.12.1
  Flush timer for old DR LSA due in 00:01:01
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:07
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 2.2.2.2  (Designated Router)
  Suppress hello for 0 neighbor(s)
  Simple password authentication enabled
R1#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/DR         00:00:37    10.1.12.2       FastEthernet0/0
Task 2:
Configure MD5 authentication on area 23 using "cisco" as the password.
Solution:
On both R2 and R3:
router ospf 1
area 23 authentication message-digest
interface FastEthernet0/1
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco
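What "ip ospf message-digest-key 1 md5 cisco" actually turns on is the keyed-digest procedure of RFC 2328, Appendix D.4.3: the OSPF packet is sent with its checksum field set to 0, the configured key is zero-padded to 16 bytes and appended to the packet, and the MD5 of that concatenation travels after the packet; the header's authentication field carries the key ID, the digest length and a cryptographic sequence number. The Python below is an added example, not part of the original post and not IOS code. It builds a Hello with constructed field values that resemble R2's Hello on the area 23 link (the neighbor list, DR/BDR and sequence number are assumptions) and shows the receiver-side check, including the key-ID lookup that mirrors the message-digest-key line and the sequence-number comparison that rejects replayed packets.

```python
"""RFC 2328 Appendix D.4.3 keyed-MD5 authentication for an OSPF Hello.

Added example; the Hello below is constructed to resemble R2's Hello on the
R2-R3 link in area 23. It is not captured lab traffic."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

OSPF_VERSION = 2
OSPF_HELLO = 1
AUTYPE_CRYPTO = 2      # AuType 2: cryptographic authentication (keyed MD5)
HEADER_LEN = 24
KEY_LEN = 16           # the key is zero-padded to 16 bytes before hashing
DIGEST_LEN = 16


def pad_key(key):
    """Zero-pad the configured key to 16 bytes, as the RFC procedure requires."""
    if not key or len(key) > KEY_LEN:
        raise ValueError("OSPF MD5 keys must be 1..16 bytes")
    return key.ljust(KEY_LEN, b"\x00")


def ospf_md5(packet, key):
    """Digest = MD5(packet || padded key). The header checksum field is 0."""
    return hashlib.md5(packet + pad_key(key)).digest()


def build_hello(router_id, area_id, key_id, seq, key, mask="255.255.255.0",
                dr="0.0.0.0", bdr="0.0.0.0", neighbors=()):
    """Return header + Hello body + trailing 16-byte digest (the wire format)."""
    body = struct.pack("!4sHBBI4s4s",
                       IPv4Address(mask).packed,
                       10,                 # HelloInterval, as 'Hello 10' in the lab
                       0x12,               # Options: E-bit + L-bit, as in the lab
                       1,                  # Router priority 1
                       40,                 # RouterDeadInterval, as 'Dead 40'
                       IPv4Address(dr).packed,
                       IPv4Address(bdr).packed)
    for n in neighbors:
        body += IPv4Address(n).packed
    # AuType 2 authentication field: 0, Key ID, Auth Data Length, Sequence
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    header = struct.pack("!BBH4s4sHH", OSPF_VERSION, OSPF_HELLO,
                         HEADER_LEN + len(body),   # length excludes the digest
                         IPv4Address(router_id).packed,
                         IPv4Address(area_id).packed,
                         0,                        # checksum not used with AuType 2
                         AUTYPE_CRYPTO) + auth
    packet = header + body
    return packet + ospf_md5(packet, key)


def verify_hello(wire, keys, last_seq=-1):
    """Receiver side. `keys` maps Key ID -> key, like the message-digest-key
    lines; the sequence number must not go backwards (replay protection)."""
    if len(wire) < HEADER_LEN + DIGEST_LEN:
        return False
    length = struct.unpack("!H", wire[2:4])[0]
    autype = struct.unpack("!H", wire[14:16])[0]
    _, key_id, auth_len, seq = struct.unpack("!HBBI", wire[16:24])
    key = keys.get(key_id)
    if (autype != AUTYPE_CRYPTO or auth_len != DIGEST_LEN or key is None
            or len(wire) < length + DIGEST_LEN):
        return False
    packet, digest = wire[:length], wire[length:length + DIGEST_LEN]
    if not hmac.compare_digest(ospf_md5(packet, key), digest):
        return False
    return seq >= last_seq


if __name__ == "__main__":
    keys = {1: b"cisco"}   # mirrors 'ip ospf message-digest-key 1 md5 cisco'
    hello = build_hello("2.2.2.2", "0.0.0.23", 1, 100, keys[1],
                        dr="10.1.23.3", bdr="10.1.23.2", neighbors=["3.3.3.3"])
    print(len(hello), verify_hello(hello, keys), verify_hello(hello, {1: b"Cisco"}))
```

Two things worth noticing when you run it: a 16-byte key limit is a direct consequence of the padding rule, and any change to a single byte of the packet, the key, or the key ID makes the receiver drop the packet, which is exactly the "adjacency never forms" symptom you see on the CLI when the two ends of a link disagree.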
Verification:
R3#show ip ospf interface fastEthernet 0/1
FastEthernet0/1 is up, line protocol is up
  Internet Address 10.1.23.3/24, Area 23, Attached via Network Statement
  Process ID 1, Router ID 3.3.3.3, Network Type BROADCAST, Cost: 1
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           1         no          no            Base
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 3.3.3.3, Interface address 10.1.23.3
  Backup Designated router (ID) 2.2.2.2, Interface address 10.1.23.2
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:05
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 4 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 2.2.2.2  (Backup Designated Router)
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 1
R3#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/BDR        00:00:36    10.1.23.2       FastEthernet0/1
4.4.4.4           1   FULL/BDR        00:00:39    10.1.34.4       FastEthernet0/0
Task 3:
- Do not elect a DR/BDR between R3 and R4.
- Make sure that OSPF packets between R3 and R4 are exchanged without using a multicast address, for security reasons.
Solution:
Only two OSPF network types use unicast: NBMA and point-to-multipoint non-broadcast. Of these, only point-to-multipoint non-broadcast does not elect a DR/BDR.
R3 configuration:
router ospf 1
neighbor 10.1.34.4
interface FastEthernet0/0
ip ospf network point-to-multipoint non-broadcast
R4 configuration:
router ospf 1
neighbor 10.1.34.3
interface FastEthernet0/0
ip ospf network point-to-multipoint non-broadcast
Note the following:
The neighbor statement uses the directly connected interface IP address, not the router ID.
Don't forget the non-broadcast keyword; otherwise plain point-to-multipoint is configured, which uses multicast to establish the neighbor adjacency.
Verification:
R3#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/DR         00:00:36    10.1.23.2       FastEthernet0/1
4.4.4.4           0   FULL/  -        00:01:53    10.1.34.4       FastEthernet0/0
R3#show ip ospf neighbor fastEthernet 0/0 detail
 Neighbor 4.4.4.4, interface address 10.1.34.4
    In the area 34 via interface FastEthernet0/0
    Neighbor priority is 0 (configured 0), State is FULL, 6 state changes
    DR is 0.0.0.0 BDR is 0.0.0.0
    Options is 0x12 in Hello (E-bit, L-bit)
    Options is 0x52 in DBD (E-bit, L-bit, O-bit)
    LLS Options is 0x1 (LR)
    Dead timer due in 00:01:31
    Neighbor is up for 00:05:30
    Index 1/1, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec
Task 4:
Make sure all networks are advertised to and known by all routers.
Solution:
It is clear from the topology that area 34 must be connected to area 0 in order to advertise the R4 networks to the rest of the network. This can be done with a virtual link or a GRE tunnel.
Let's configure a virtual link between R2 and R3 to establish the connection to area 0.
R2 configuration:
router ospf 1
area 34 virtual-link 3.3.3.3
R3 configuration:
router ospf 1
area 34 virtual-link 2.2.2.2
Note that the virtual-link command uses the router ID, not an interface IP address.
Verification:
R2#show ip ospf virtual-links
Virtual Link OSPF_VL0 to router 3.3.3.3 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 23, via interface FastEthernet0/1
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           1         no          no            Base
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:08
  Simple password authentication enabled
But when we look at the R2 routing table:
R2#show ip route ospf
<OUTPUT_OMITTED>
      192.168.11.0/32 is subnetted, 1 subnets
O        192.168.11.1 [110/2] via 10.1.12.1, 00:46:03, FastEthernet0/0
      192.168.12.0/32 is subnetted, 1 subnets
O        192.168.12.1 [110/2] via 10.1.12.1, 00:46:03, FastEthernet0/0
      192.168.13.0/32 is subnetted, 1 subnets
O        192.168.13.1 [110/2] via 10.1.12.1, 00:46:04, FastEthernet0/0
R2 still does not learn the R4 networks.
Let's look at the R2 OSPF database:
R2#show ip ospf database

            OSPF Router with ID (2.2.2.2) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
1.1.1.1         1.1.1.1         584         0x80000004 0x00510F 4
2.2.2.2         2.2.2.2         714         0x80000007 0x004C9D 1

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
10.1.12.2       2.2.2.2         714         0x80000004 0x00AC5D

                Summary Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
10.1.23.0       2.2.2.2         959         0x80000002 0x00C848

                Router Link States (Area 23)

Link ID         ADV Router      Age         Seq#       Checksum Link count
2.2.2.2         2.2.2.2         1042        0x80000005 0x004392 1
3.3.3.3         3.3.3.3         221         0x80000006 0x0003C8 1

                Net Link States (Area 23)

Link ID         ADV Router      Age         Seq#       Checksum
10.1.23.2       2.2.2.2         1042        0x80000001 0x009D5C

                Summary Net Link States (Area 23)

Link ID         ADV Router      Age         Seq#       Checksum
10.1.12.0       2.2.2.2         959         0x80000002 0x0042D9
10.1.34.3       3.3.3.3         222         0x80000001 0x000BF5
10.1.34.4       3.3.3.3         222         0x80000001 0x000BF3
192.168.11.1    2.2.2.2         959         0x80000002 0x002A92
192.168.12.1    2.2.2.2         959         0x80000002 0x001F9C
192.168.13.1    2.2.2.2         959         0x80000002 0x0014A6

                Summary ASB Link States (Area 23)

Link ID         ADV Router      Age         Seq#       Checksum
4.4.4.4         3.3.3.3         222         0x80000001 0x0072AC

                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
4.4.4.4         4.4.4.4         1089        0x80000001 0x00B6C9 0
192.168.41.0    4.4.4.4         1089        0x80000001 0x00F805 0
192.168.42.0    4.4.4.4         1089        0x80000001 0x00ED0F 0
192.168.43.0    4.4.4.4         1089        0x80000001 0x00E219 0
We can see that the R4 networks appear in the R2 database, but R2 does not install them in its routing table.
So what's the problem?
Remember that in Task 2 we configured MD5 authentication on area 23 between R2 and R3.
The virtual link we configured between R2 and R3 transits area 23. If we look again at the show ip ospf virtual-links output:
R2#show ip ospf virtual-links
Virtual Link OSPF_VL0 to router 3.3.3.3 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 23, via interface FastEthernet0/1
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           1         no          no            Base
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:08
  Simple password authentication enabled
We can see that the virtual link is using simple password authentication, not the MD5 authentication that area 23 requires. Note also that this output has no "Adjacency State" line: the link is up, but the adjacency over it never reaches FULL, which is why the R4 routes sit in the database without being installed.
To fix this, we have to configure MD5 authentication on the virtual link itself:
R2 configuration:
router ospf 1
area 23 virtual-link 3.3.3.3 authentication message-digest
area 23 virtual-link 3.3.3.3 message-digest-key 1 md5 cisco
R3 configuration:
router ospf 1
area 23 virtual-link 2.2.2.2 authentication message-digest
area 23 virtual-link 2.2.2.2 message-digest-key 1 md5 cisco
Now let's check again:
R2#show ip ospf virtual-links
Virtual Link OSPF_VL0 to router 3.3.3.3 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 23, via interface FastEthernet0/1
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           1         no          no            Base
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:02
    Adjacency State FULL (Hello suppressed)
    Index 2/3, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec
  Message digest authentication enabled
    Youngest key id is 1
R2#show ip route ospf
<OUTPUT_OMITTED>
      4.0.0.0/32 is subnetted, 1 subnets
O E2     4.4.4.4 [110/20] via 10.1.23.3, 00:00:35, FastEthernet0/1
      10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
O IA     10.1.34.3/32 [110/1] via 10.1.23.3, 00:00:35, FastEthernet0/1
O IA     10.1.34.4/32 [110/2] via 10.1.23.3, 00:00:35, FastEthernet0/1
      192.168.11.0/32 is subnetted, 1 subnets
O        192.168.11.1 [110/2] via 10.1.12.1, 00:01:29, FastEthernet0/0
      192.168.12.0/32 is subnetted, 1 subnets
O        192.168.12.1 [110/2] via 10.1.12.1, 00:01:29, FastEthernet0/0
      192.168.13.0/32 is subnetted, 1 subnets
O        192.168.13.1 [110/2] via 10.1.12.1, 00:01:29, FastEthernet0/0
O E2  192.168.41.0/24 [110/20] via 10.1.23.3, 00:00:35, FastEthernet0/1
O E2  192.168.42.0/24 [110/20] via 10.1.23.3, 00:00:35, FastEthernet0/1
O E2  192.168.43.0/24 [110/20] via 10.1.23.3, 00:00:35, FastEthernet0/1
Now everything works!
Keep in mind not to fall into these pitfalls, and pay attention to every aspect of the topology.