OSPF Authentication

munawar.zeeshan
Level 1

To enable OSPF MD5 authentication, is it necessary to run it under all interfaces of a router?

If I don't enable it under an interface (but enable it under the router process and the rest of the interfaces), will that interface's network not be advertised to the rest of the network? E.g., if a LAN switch to which users are connected is attached to an interface and I don't enable authentication on that particular interface, then what?

18 Replies

s.arunkumar
Level 3

It's not mandatory that all interfaces run authentication even if you have configured it under the OSPF process, but it is mandatory that it be configured on all neighbors reached through that interface; otherwise the adjacency will not be formed.

arun

Hi,

Here is an example "Sample Configuration for Authentication in OSPF" http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080094069.shtml

If I understand your question correctly, the answer is: "The network will be advertised; the method for not advertising the network is a route map, that is, a selection of the routes that must be advertised."

I hope this helps.

Best regards.

Massimiliano.

shrikar.dange
Level 1

hi,

The authentication type must be the same for all routers and access servers in an area. The authentication password for all OSPF routers on a network must be the same if they are to communicate with each other via OSPF. Use the ip ospf authentication-key interface command to specify this password.

If you enable MD5 authentication with the message-digest keyword, you must configure a password with the ip ospf message-digest-key interface command.

To remove the authentication specification for an area, use the no form of this command with the authentication keyword.

You typically enable authentication for an area, not for a specific interface. The authentication affects the communication between the routers of the authenticated area, not between the users and switches.

HTH,

regards,

shri :)
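The two replies above describe the rule the receiving interface enforces: a Hello whose authentication type, key ID or key does not match what is configured on the interface is discarded, so no adjacency forms on that link, while the router's other, correctly keyed links keep working and its networks are still advertised through them. The Python script below is an added example, not code from this thread or from Cisco, that implements the OSPFv2 cryptographic authentication trailer from RFC 2328 Appendix D on both sides of a link: one router builds a Hello, the neighbour verifies it against its key ring, and the four failing cases (peer without authentication, unknown key ID, wrong key, stale sequence number) are shown. The router ID, subnet and key `cisco123` are constructed for the example; padding a short key with zero bytes to the 16 bytes the RFC defines is assumed to be the convention Cisco IOS uses for `ip ospf message-digest-key`.

```python
"""OSPFv2 cryptographic (MD5) authentication per RFC 2328, Appendix D.
Added example: one router signs a Hello, the neighbour verifies it."""
import hashlib
import hmac
import socket
import struct

AU_NULL, AU_CRYPTO = 0, 2   # AuType values (RFC 2328 A.3.1)
HELLO = 1                   # OSPF packet type 1
MD5_LEN = 16                # Auth Data Len for MD5


def pad_key(key: bytes) -> bytes:
    """D.3 defines the MD5 key as 16 bytes. A shorter configured key
    (`ip ospf message-digest-key 1 md5 cisco123`) is right-padded with
    zero bytes; assumption: this is the Cisco IOS / Wireshark convention."""
    if len(key) > MD5_LEN:
        raise ValueError("MD5 key longer than 16 bytes")
    return key.ljust(MD5_LEN, b"\x00")


def ip_checksum(data: bytes) -> int:
    """One's-complement checksum of the packet, used only with AuType 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def hello_body(mask: str, neighbors=()) -> bytes:
    """Hello body (A.3.2): mask, HelloInterval 10, Options, priority 1,
    RouterDeadInterval 40, DR, BDR, then the neighbours seen on the link."""
    body = struct.pack("!4sHBBI4s4s", socket.inet_aton(mask), 10, 0x02, 1, 40,
                       b"\x00" * 4, b"\x00" * 4)
    return body + b"".join(socket.inet_aton(n) for n in neighbors)


def build_hello(router_id, area_id, mask, key_id=None, key=None, seq=0, neighbors=()):
    """Wire bytes of a Hello. With a key (D.4.3): checksum 0, AuType 2, the
    64-bit auth field = (reserved16, KeyID8, AuthDataLen8, Sequence32) and
    MD5(packet || key) appended after the bytes counted by the OSPF length.
    Without a key: AuType 0, zero auth field and an ordinary checksum."""
    body = hello_body(mask, neighbors)
    length = 24 + len(body)
    rid, aid = socket.inet_aton(router_id), socket.inet_aton(area_id)
    if key is None:
        hdr = struct.pack("!BBH4s4sHH", 2, HELLO, length, rid, aid, 0, AU_NULL) + b"\x00" * 8
        csum = ip_checksum(hdr + body)
        return hdr[:12] + struct.pack("!H", csum) + hdr[14:] + body
    hdr = struct.pack("!BBH4s4sHH", 2, HELLO, length, rid, aid, 0, AU_CRYPTO)
    hdr += struct.pack("!HBBI", 0, key_id, MD5_LEN, seq)
    packet = hdr + body
    return packet + hashlib.md5(packet + pad_key(key)).digest()


def verify(frame: bytes, keys: dict, neighbor_seq: dict):
    """Receiving-interface check (D.4.4). `keys` is this interface's key
    ring {key_id: key}; `neighbor_seq` holds the last accepted sequence
    number per router ID. Returns (accepted, reason)."""
    if len(frame) < 24:
        return False, "truncated header"
    _ver, _type, length, rid, _aid, _csum, autype = struct.unpack("!BBH4s4sHH", frame[:16])
    if autype != AU_CRYPTO:
        # Peer interface has no (or a different) authentication type: the
        # Hello is dropped, so the neighbour never gets past INIT/DOWN.
        return False, "AuType mismatch"
    _res, key_id, auth_len, seq = struct.unpack("!HBBI", frame[16:24])
    if auth_len != MD5_LEN or len(frame) < length + MD5_LEN:
        return False, "bad auth data length"
    key = keys.get(key_id)
    if key is None:
        return False, "no key with id %d" % key_id
    expected = hashlib.md5(frame[:length] + pad_key(key)).digest()
    if not hmac.compare_digest(expected, frame[length:length + MD5_LEN]):
        return False, "digest mismatch"
    src = socket.inet_ntoa(rid)
    if seq < neighbor_seq.get(src, 0):
        return False, "sequence number went backwards"
    neighbor_seq[src] = seq
    return True, "ok"


if __name__ == "__main__":
    # Constructed scenario: R1 (10.1.20.1) and R2 share 10.1.27.8/30; R2's
    # interface has key id 1 = cisco123, which is what it verifies against.
    shared, ring, state = b"cisco123", {1: b"cisco123"}, {}
    mk = lambda kid=None, key=None, seq=0: build_hello(
        "10.1.20.1", "0.0.0.0", "255.255.255.252", kid, key, seq)
    print("matching id+key   :", verify(mk(1, shared, 1000), ring, state))
    print("peer unauthenticated:", verify(mk(), ring, state))
    print("unknown key id 2  :", verify(mk(2, shared, 1001), ring, state))
    print("wrong key         :", verify(mk(1, b"wrong", 1002), ring, state))
    print("stale sequence    :", verify(mk(1, shared, 999), ring, state))
```

Run it with `python3 ospf_md5.py` (standard library only). Two caveats worth keeping in mind: the trailer is plain MD5 over packet plus key, not an HMAC, and the RFC only requires the sequence number to be non-decreasing, so an identical Hello replayed within the key's lifetime is still accepted; key rotation via a second key ID is the intended mitigation, and a fresh sequence number is what stops an older capture from being replayed.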

Hi, I'm facing issues between IOS XR and IOS XE for OSPF authentication. On IOS XE there is only the INIT state; on IOS XR in debug I only see the Hello packets. Do you have any idea?
I verified that the same MD5 key is used on both nodes.

Regards

Hello,

do you have area or interface authentication configured? In case of the latter, post the output of 'show ospf x interface y'...

Hi, please find below the config for both IOS:
IOS XE:
router ospf 10110
router-id 10.1.20.150
auto-cost reference-bandwidth 100000
nsr
area 0 authentication message-digest
timers throttle spf 50 50 5000
timers throttle lsa 0 20 5000
timers lsa arrival 15
timers pacing flood 15
passive-interface default
no passive-interface Port-channel1
no passive-interface Port-channel2
network 10.12.0.150 0.0.0.0 area 0
network 10.1.27.8 0.0.0.3 area 0
network 10.1.27.12 0.0.0.3 area 0
bfd all-interfaces
mpls ldp sync

Port-channel2 is up, line protocol is up
Internet Address 10.1.27.13/30, Area 0, Attached via Network Statement
Process ID 10110, Router ID 10.1.20.150, Network Type POINT_TO_POINT, Cost: 10
Topology-MTID Cost Disabled Shutdown Topology Name
0 10 no no Base
Transmit Delay is 1 sec, State POINT_TO_POINT, BFD enabled
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:01
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Can be protected by per-prefix Loop-Free FastReroute
Can be used for per-prefix Loop-Free FastReroute repair paths
Not Protected by per-prefix TI-LFA
Index 1/3/3, flood queue length 0
Next 0x0(0)/0x0(0)/0x0(0)
Last flood scan length is 0, maximum is 0
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 0, Adjacent neighbor count is 0
Suppress hello for 0 neighbor(s)
Cryptographic authentication enabled
Youngest key id is 1
Port-channel1 is up, line protocol is up
Internet Address 10.1.27.10/30, Area 0, Attached via Network Statement
Process ID 10110, Router ID 10.1.20.150, Network Type POINT_TO_POINT, Cost: 10
Topology-MTID Cost Disabled Shutdown Topology Name
0 10 no no Base
Transmit Delay is 1 sec, State POINT_TO_POINT, BFD enabled
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:00
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Can be protected by per-prefix Loop-Free FastReroute
Can be used for per-prefix Loop-Free FastReroute repair paths
Not Protected by per-prefix TI-LFA
Index 1/2/2, flood queue length 0
Next 0x0(0)/0x0(0)/0x0(0)
Last flood scan length is 0, maximum is 0
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 0
Suppress hello for 0 neighbor(s)
Cryptographic authentication enabled
Youngest key id is 1

For IOS XR:

Bundle-Ether1 is up, line protocol is up
Internet Address 10.1.27.9/30, Area 0
Process ID 10110, Router ID 10.1.20.1, Network Type POINT_TO_POINT, Cost: 10
LDP Sync Enabled, Sync Status: Not Achieved
Transmit Delay is 1 sec, State POINT_TO_POINT, MTU 9202, MaxPktSz 9000
BFD enabled, BFD interval 15 msec, BFD multiplier 3, Mode: Default
TTL security enabled, hop count 2
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:06:168
Index 1/1, flood queue length 0
Next 0(0)/0(0)
Last flood scan length is 0, maximum is 0
Last flood scan time is 0 msec, maximum is 0 msec
LS Ack List: current length 0, high water mark 0
Neighbor Count is 0, Adjacent neighbor count is 0
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1
Multi-area interface Count is 0
Fast-reroute type Per-prefix
IPFRR per-prefix tiebreakers:
Name Index
No Tunnel (Implicit) 257
Lowest Metric 20
Primary Path 10
Downstream 0
Line-card Disjoint 0
Node Protection 0
Secondary Path 0
SRLG Disjoint 0
Post Convergence Path 0

Bundle-Ether3 is up, line protocol is up
Internet Address 10.1.27.18/30, Area 0
Process ID 10110, Router ID 10.1.20.1, Network Type POINT_TO_POINT, Cost: 10
LDP Sync Enabled, Sync Status: Not Achieved
Transmit Delay is 1 sec, State POINT_TO_POINT, MTU 9202, MaxPktSz 9000
BFD enabled, BFD interval 15 msec, BFD multiplier 3, Mode: Default
TTL security enabled, hop count 2
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:07:914
Index 2/2, flood queue length 0
Next 0(0)/0(0)
Last flood scan length is 0, maximum is 0
Last flood scan time is 0 msec, maximum is 0 msec
LS Ack List: current length 0, high water mark 0
Neighbor Count is 0, Adjacent neighbor count is 0
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1
Multi-area interface Count is 0
Fast-reroute type Per-prefix
IPFRR per-prefix tiebreakers:
Name Index
No Tunnel (Implicit) 257
Lowest Metric 20
Primary Path 10
Downstream 0
Line-card Disjoint 0
Node Protection 0
Secondary Path 0
SRLG Disjoint 0
Post Convergence Path 0

Hello,

post the full configs of both sides. You might just have misconfigured some small detail...

Hi, attached you can find the config for both sides.

Hello,

at first glance, it appears that the IP address of Bundle-Ether3 is incorrect:

Bundle-Ether3 is up, line protocol is up
Internet Address 10.1.27.18/30, Area 0 --> this should be 14

to correspond with:

interface Port-channel2
mtu 9216
ip address 10.1.27.13 255.255.255.252
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 0142575752545F1E084B0A49362437
ip ospf network point-to-point
ip ospf mtu-ignore
logging event link-status
load-interval 30
mpls ip
bfd interval 200 min_rx 200 multiplier 3
no bfd echo

Hi, sorry, I forgot to mention: right now only BE1 and Port-channel1 are involved in the OSPF process.

Regards

Hello,

for XE you posted the output for Port-channel2; we need to see the output for Port-channel1, similar to what you posted before:

Port-channel2 is up, line protocol is up
Internet Address 10.1.27.13/30, Area 0, Attached via Network Statement
Process ID 10110, Router ID 10.1.20.150, Network Type POINT_TO_POINT, Cost: 10
Topology-MTID Cost Disabled Shutdown Topology Name

Sorry for the mistake, please find below the Po1:

Port-channel1 is up, line protocol is up
Internet Address 10.1.27.10/30, Area 0, Attached via Network Statement
Process ID 10110, Router ID 10.1.20.150, Network Type POINT_TO_POINT, Cost: 10
Topology-MTID Cost Disabled Shutdown Topology Name
0 10 no no Base
Transmit Delay is 1 sec, State POINT_TO_POINT, BFD enabled
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:07
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Can be protected by per-prefix Loop-Free FastReroute
Can be used for per-prefix Loop-Free FastReroute repair paths
Not Protected by per-prefix TI-LFA
Index 1/2/2, flood queue length 0
Next 0x0(0)/0x0(0)/0x0(0)
Last flood scan length is 0, maximum is 0
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 0
Suppress hello for 0 neighbor(s)
Cryptographic authentication enabled
Youngest key id is 1

Hello,

thanks for the output. I will do some testing and get back with you...

To be on the safe side, and to check for possible bugs, post the output of 'sh ver' of both devices...

Sorry, I forgot to mention one point: I have OSPF up between two IOS XR and also between two IOS XE; for now the OSPF between the IOS XE is disabled.

OSPF between IOS XR and IOS XE doesn't come up; see below the version and OSPF status:

sh version
Wed Mar 21 17:08:29.310 UTC

Cisco IOS XR Software, Version 6.1.4[Default]
Copyright (c) 2017 by Cisco Systems, Inc.

ROM: System Bootstrap, Version 10.58(c) 1994-2014 by Cisco Systems,  Inc.

STA2-CA9K10-T1 uptime is 1 week, 5 days, 7 hours, 26 minutes
System image file is "disk0:asr9k-os-mbi-6.1.4/0x100305/mbiasr9k-rsp3.vm"

cisco ASR9K Series (Intel 686 F6M14S4) processor with 16777216K bytes of memory.
Intel 686 F6M14S4 processor at 1904MHz, Revision 2.174
ASR 9010 8 Line Card Slot Chassis with V2 DC PEM

4 Management Ethernet
2 FastEthernet
40 GigabitEthernet
16 TenGigE
16 DWDM controller(s)
16 WANPHY controller(s)
375k bytes of non-volatile configuration memory.
6220M bytes of hard disk.
25012208k bytes of disk0: (Sector size 512 bytes).
25012208k bytes of disk1: (Sector size 512 bytes).

Configuration register on node 0/RSP0/CPU0 is 0x2102
Boot device on node 0/RSP0/CPU0 is disk0:
Package active on node 0/RSP0/CPU0:
iosxr-service, V 6.1.4[Default], Cisco Systems, at disk0:iosxr-service-6.1.4
    Built on Fri Jun 30 00:53:43 UTC 2017
    By iox-lnx-005 in /auto/srcarchive13/production/6.1.4/asr9k-px/workspace for pie

asr9k-service-supp, V 6.1.4[Default], Cisco Systems, at disk0:asr9k-service-supp-6.1.4
    Built on Fri Jun 30 00:53:43 UTC 2017
    By iox-lnx-005 in /auto/srcarchive13/production/6.1.4/asr9k-px/workspace for pie

asr9k-services-px, V 6.1.4[Default], Cisco Systems, at disk0:asr9k-services-px-6.1.4
    Built on Fri Jun 30 00:53:47 UTC 2017
    By iox-lnx-005 in /auto/srcarchive13/production/6.1.4/asr9k-px/workspace for pie

iosxr-mgbl, V 6.1.4[Default], Cisco Systems, at disk0:iosxr-mgbl-6.1.4
    Built on Fri Jun 30 00:38:30 UTC 2017
    By iox-lnx-005 in /auto/srcarchive13/production/6.1.4/asr9k-px/workspace for pie
Wed Mar 21 17:08:40.031 UTC

* Indicates MADJ interface
# Indicates Neighbor awaiting BFD session up

Neighbors for OSPF 30100

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.21.10.1      1     FULL/  -        00:00:33    10.21.7.6       Bundle-Ether4
    Neighbor is up for 1d00h

Total neighbor count: 1

**********************************************************

IOS XE:

Cisco IOS XE Software, Version 03.18.03.SP.156-2.SP3-ext
Cisco IOS Software, ASR920 Software (PPC_LINUX_IOSD-UNIVERSALK9_NPE-M), Version 15.6(2)SP3, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Tue 19-Sep-17 22:12 by mcpre


Cisco IOS-XE software, Copyright (c) 2005-2017 by cisco Systems, Inc.
All rights reserved.  Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0.  The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.  For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.


ROM: IOS-XE ROMMON

sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.21.0.1         0   INIT/  -        00:00:37    10.21.7.9       Port-channel1
