RE: OSPF Auth with Key Rollover on Hub & Spoke (non-broadcast)

From: Bill Wagner (billccie2b@hotmail.com)
Date: Thu Jul 27 2006 - 00:41:43 ART


Hi Victor,

Sorry if the original message came through a few times. I kept on getting
an error and thought it didn't make it.

Thanks for the help BTW. Below is the output.

To clarify the topology is
Rack1R1--------------Rack1R3-------------Rack1R2

Task is to authenticate area 0 and begin a key rollover on RackXR1 only
without affecting other neighbors. The task said to use a password of Cisco,
but I don't know how to do a key rollover using that level of
authentication, so I figured it meant to use MD5 authentication. Once the
key rollover is implemented on the hub and spoke, the hub uses the new key
in its updates and won't establish a neighbor relationship with the
router which has the old key. The spoke with the new key comes up fine.
Also, before clearing the neighbors both routers are up and the hub
reports one neighbor using the old key. However, when you reload the
routers or reset the OSPF process, then it doesn't come back.

Please let me know if you need any additional information. Thanks again
for your assistance.

-----------------Configuration prior to key rollover-----------

---R3 Hub---

Rack1R3#sho run | b router os
router ospf 1
 router-id 150.1.3.3
 log-adjacency-changes
 area 0 authentication message-digest
 network 10.129.1.3 0.0.0.0 area 0
 neighbor 10.129.1.2
 neighbor 10.129.1.1

interface Serial1/0.123 multipoint
 ip address 10.129.1.3 255.255.255.0
 ip ospf message-digest-key 1 md5 CISCO
 frame-relay map ip 10.129.1.1 301 broadcast
 frame-relay map ip 10.129.1.2 302 broadcast
end

Rack1R3#sho ip os nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
150.1.2.2         0   FULL/DROTHER    00:01:41    10.129.1.2      Serial1/0.123
150.1.1.1         0   FULL/DROTHER    00:01:49    10.129.1.1      Serial1/0.123

---R2 spoke---

router ospf 1
 router-id 150.1.2.2
 log-adjacency-changes
 area 0 authentication message-digest
 network 10.129.1.2 0.0.0.0 area 0

interface Serial1/0
 ip address 10.129.1.2 255.255.255.0
 encapsulation frame-relay
 ip ospf message-digest-key 1 md5 CISCO
 ip ospf priority 0
 frame-relay map ip 10.129.1.1 203
 frame-relay map ip 10.129.1.3 203 broadcast
 no frame-relay inverse-arp
end

---R1 Spoke---

Rack1R1#sho run | b router os
router ospf 1
 router-id 150.1.1.1
 log-adjacency-changes
 area 0 authentication message-digest
 network 10.129.1.1 0.0.0.0 area 0

interface Serial0/0
 ip address 10.129.1.1 255.255.255.0
 encapsulation frame-relay
 ip ospf message-digest-key 1 md5 CISCO
 ip ospf priority 0
 frame-relay map ip 10.129.1.2 103
 frame-relay map ip 10.129.1.3 103 broadcast
 no frame-relay inverse-arp
end

---------------Configuration After Key Rollover + clear ip ospf process------------

---R3 Hub---

interface Serial1/0.123 multipoint
 ip address 10.129.1.3 255.255.255.0
 ip ospf message-digest-key 1 md5 CISCO
 ip ospf message-digest-key 2 md5 CISCONEW
 frame-relay map ip 10.129.1.1 301 broadcast
 frame-relay map ip 10.129.1.2 302 broadcast

---R1 Spoke w new key---

interface Serial0/0
 ip address 10.129.1.1 255.255.255.0
 encapsulation frame-relay
 ip ospf message-digest-key 1 md5 CISCO
 ip ospf message-digest-key 2 md5 CISCONEW
 ip ospf priority 0
 frame-relay map ip 10.129.1.2 103
 frame-relay map ip 10.129.1.3 103 broadcast
 no frame-relay inverse-arp
end

---R2 Spoke with original key---

interface Serial1/0
 ip address 10.129.1.2 255.255.255.0
 encapsulation frame-relay
 ip ospf message-digest-key 1 md5 CISCO
 ip ospf priority 0
 frame-relay map ip 10.129.1.1 203
 frame-relay map ip 10.129.1.3 203 broadcast
 no frame-relay inverse-arp
end

----------Neighbor Output + debug-----------

---R3 Hub---

Rack1R3#sho ip os nei

Neighbor ID     Pri   State             Dead Time   Address         Interface
150.1.1.1         0   FULL/DROTHER      00:01:55    10.129.1.1      Serial1/0.123
N/A               0   ATTEMPT/DROTHER   00:00:04    10.129.1.2      Serial1/0.123

Rack1R3#sho ip os int
Serial1/0.123 is up, line protocol is up
Internet Address 10.129.1.3/24, Area 0
Process ID 1, Router ID 150.1.3.3, Network Type NON_BROADCAST, Cost: 781
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 150.1.3.3, Interface address 10.129.1.3
No backup designated router on this network
Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
oob-resync timeout 120
Hello due in 00:00:00
Supports Link-local Signaling (LLS)
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 150.1.1.1
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 2

---R2---

Rack1R2#sho ip os int
Serial1/0 is up, line protocol is up
Internet Address 10.129.1.2/24, Area 0
Process ID 1, Router ID 150.1.2.2, Network Type NON_BROADCAST, Cost: 781
Transmit Delay is 1 sec, State DROTHER, Priority 0
No designated router on this network
No backup designated router on this network
Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
oob-resync timeout 120
Hello due in 00:00:17
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 0, maximum is 0
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 0, Adjacent neighbor count is 0
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1

---R1---

Rack1R1#sho ip os int
Serial0/0 is up, line protocol is up
Internet Address 10.129.1.1/24, Area 0
Process ID 1, Router ID 150.1.1.1, Network Type NON_BROADCAST, Cost: 64
Transmit Delay is 1 sec, State DROTHER, Priority 0
Designated Router (ID) 150.1.3.3, Interface address 10.129.1.3
No backup designated router on this network
Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
oob-resync timeout 120
Hello due in 00:00:24
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 150.1.3.3 (Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 2

------Debug output------

Rack1R2#
*Mar 1 00:07:45.726: OSPF: Send hello to 0.0.0.6 area 0 on Serial1/0
from 10.129.1.2
*Mar 1 00:07:45.726: OSPF: Send with youngest Key 1

Rack1R3#
*Jul 23 23:31:33.259: OSPF: Send with youngest Key 2

----------------------------------------------

If I attempt to add a neighbor statement on R2 so it originates traffic
to R3 with the old key, it won't be accepted in the running config since
it has a priority of 0. If I bump the priority then I run the risk of it
becoming a DR should it boot before R3. This is what I meant by preemption,
since R3 won't resume the role of DR should R1 boot first. This could
cause more problems.

Rack1R2(config-router)#neighbor 10.129.1.3
Rack1R2(config-router)#do sho run | b router os
router ospf 1
 router-id 150.1.2.2
 log-adjacency-changes
 area 0 authentication message-digest
 network 10.129.1.2 0.0.0.0 area 0

  --------------------------------------------------------------------

  From: "Victor Cappuccio" <cvictor@protokolgroup.com>
  Reply-To: "Victor Cappuccio" <cvictor@protokolgroup.com>
  To: "'Bill Wagner'" <billccie2b@hotmail.com>, <ccielab@groupstudy.com>
  Subject: RE: OSPF Auth with Key Rollover on Hub & Spoke (non-broadcast)
  Date: Wed, 26 Jul 2006 21:02:31 -0400

  Hi Bill, comments inline

  -----Original message-----
  From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On behalf of Bill Wagner
  Sent: Wednesday, July 26, 2006 06:49 p.m.
  To: ccielab@groupstudy.com
  Subject: OSPF Auth with Key Rollover on Hub & Spoke (non-broadcast)

>Can anyone please help me solve this problem regarding OSPF authentication?

  Sure,

>The topology is a hub and spoke frame-relay network where the spokes can
>talk to each other through the hub. OSPF is running in a non-broadcast mode.
>Due to the topology I set the spokes to have an OSPF priority of 0 and
>create neighbor statements on the hub.

  Do you see the neighbors in show ip ospf neigh?
  Can you send us the show ip ospf neigh, after and before configuring the
  ip ospf authentication md5?

>I build key 1 for all three devices.

  Are you using area X authentication mess?? or at interface level are you
  using ip ospf authen me? Can you send us the show ip ospf output?

>From there I create a new key for the rollover on the hub and only one
>spoke as per the requirements.

  Where is this requirement written? I mean, what WB are you using?

  In the hub, are you using the same Key Number and same MD5 Password as the
  Spokes? Can you send us the show run int sX/X and show ip ospf inter?

>If I reset the peers the spoke with the old key will not come back online.

  Mmm, strange. I have to see some outputs.

>Debug shows that only the new key is being sent to the spoke which it does
>not accept because it does not know about it.

  Same key used in H&Spokes?

>Since the spokes have a priority of 0 I am unable to install a neighbor
>statement in the ospf routing process on the spoke using the old key.

  R4(config-router)#neigh 131.120.11.1 ?
    cost             OSPF cost for point-to-multipoint neighbor
    database-filter  Filter OSPF LSA during synchronization and flooding
                     for point-to-multipoint neighbor
    poll-interval    OSPF dead-router polling interval
    priority         OSPF priority of non-broadcast neighbor
    <cr>

  I do not see any option for the use of a Key here; also you can use the
  neigh command at the spoke, having or not the OSPF MD5 Authentication
  configured.

>The only solution I could find was to bump the priority up on the spoke
>with the old key, but this presents a problem if the spoke router boots
>before the hub since OSPF does not support preemption.

  ?? If you configured the spokes to be DROTHERS, why are you worried about
  preemption?

  Do you mind sending us the show run | b router ospf of the routers in
  question, also the show frame-relay map of every router?

>Can anyone tell me what I am missing or if this is not possible?

  Everything is possible.

>Oh one more thing is that I cannot change the OSPF network type or the
>frame relay topology.

  Ok.

>Thanks in advance,

>Bill

  Regards
  Victor.-

  _______________________________________________________________________
  Subscription information may be found at:
  http://www.groupstudy.com/list/CCIELab.html
------------------------------------------------------------------------

This archive was generated by hypermail 2.1.4 : Tue Aug 01 2006 - 07:13:48 ART
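The failure Bill describes, modelled as an added worked example (not code from the thread or from IOS): RFC 2328 Appendix D cryptographic authentication, where the sender appends MD5(packet || 16-byte key) and the receiver looks the key id up in its own table before recomputing the digest. The hub R3 sends hellos with its youngest key (key 2), so R1, which has both keys, accepts them, while R2, which only has key 1, cannot even find the key id. The header layout, the hello body, the zero-padding of short passwords to 16 octets and "youngest = last configured" are assumptions made for the model.

```python
import hashlib
import hmac
import socket
import struct

# Simplified OSPFv2 header (RFC 2328 A.3.1) with the AuType 2 authentication
# field: 2 reserved bytes, key id, auth data length (16), crypto sequence number.
HDR = "!BBH4s4sHHxxBBI"
AUTYPE_CRYPTO = 2
DIGEST_LEN = 16

def ospf_key(password):
    # Assumption: a password shorter than 16 octets is zero-padded to the
    # 16-byte key that RFC 2328 Appendix D expects.
    return password.encode().ljust(DIGEST_LEN, b"\x00")[:DIGEST_LEN]

def youngest_key(key_table):
    # key_table lists (key id, password) in configuration order; the sender
    # uses the youngest key, modelled here as the most recently added one.
    return key_table[-1]

def build_packet(router_id, key_id, password, seq, body):
    """Build a packet and append MD5(packet || key) as RFC 2328 D.4.3 does."""
    length = 24 + len(body)  # the trailing digest is not counted in length
    header = struct.pack(HDR, 2, 1, length, socket.inet_aton(router_id),
                         socket.inet_aton("0.0.0.0"), 0, AUTYPE_CRYPTO,
                         key_id, DIGEST_LEN, seq)
    packet = header + body
    return packet + hashlib.md5(packet + ospf_key(password)).digest()

def verify(packet, key_table):
    """Receiver side: look the key id up, recompute the digest, compare."""
    _, _, length, _, _, _, autype, key_id, auth_len, _ = struct.unpack(HDR, packet[:24])
    if autype != AUTYPE_CRYPTO or auth_len != DIGEST_LEN:
        return "bad auth type"
    keys = dict(key_table)
    if key_id not in keys:
        return "unknown key id"      # what R2 hits: it only knows key 1
    body, digest = packet[:length], packet[length:length + DIGEST_LEN]
    expected = hashlib.md5(body + ospf_key(keys[key_id])).digest()
    return "accepted" if hmac.compare_digest(expected, digest) else "bad digest"

HUB_KEYS = [(1, "CISCO"), (2, "CISCONEW")]   # R3 after the rollover
R1_KEYS = [(1, "CISCO"), (2, "CISCONEW")]    # spoke that got the new key
R2_KEYS = [(1, "CISCO")]                     # spoke still on the old key

def rollover_outcome():
    key_id, password = youngest_key(HUB_KEYS)
    hello = build_packet("150.1.3.3", key_id, password, 1, b"\x00" * 20)  # constructed hello body
    return {"key_sent": key_id, "R1": verify(hello, R1_KEYS), "R2": verify(hello, R2_KEYS)}
```

Running `rollover_outcome()` shows the asymmetry in the thread: the hub still accepts R2's key-1 hellos (it keeps key 1), but R2 rejects every hello the hub sends with key 2.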