
Cisco: OSPF Virtual Link Authentication

Topology

Base Configuration

Common Configuration Snippet

R1

R2

R3

R4

R5

Configuring Virtual Link: Plain text authentication

  • R2
configure terminal
!
router ospf 1
 area 10 virtual-link 4.4.4.4 authentication-key PG1X
 area 10 virtual-link 4.4.4.4 authentication
exit
!
end
  • R4
configure terminal
!
router ospf 1
 area 10 virtual-link 2.2.2.2 authentication-key PG1X
 area 10 virtual-link 2.2.2.2 authentication
exit
!
end

Verification

Wireshark display filters used on the capture (all OSPF packets; any authentication type; simple password only):

ospf
ospf.auth.type in { 0 1 2 }
ospf.auth.type in { 1 }

R1 Console Log

R2 Console Log

R4 Console Log

R5 Console Log

Notable output

R2#sh ip ospf virtual-links 
Virtual Link OSPF_VL0 to router 4.4.4.4 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 10, via interface GigabitEthernet0/1
 Topology-MTID    Cost    Disabled     Shutdown      Topology Name
        0           2         no          no            Base
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:02
    Adjacency State FULL (Hello suppressed)
    Index 1/1/3, retransmission queue length 0, number of retransmission 2
    First 0x0(0)/0x0(0)/0x0(0) Next 0x0(0)/0x0(0)/0x0(0)
    Last retransmission scan length is 1, maximum is 1
    Last retransmission scan time is 1 msec, maximum is 1 msec
  Simple password authentication enabled
R4#sh ip ospf virtual-links 
Virtual Link OSPF_VL1 to router 2.2.2.2 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 10, via interface GigabitEthernet0/2
 Topology-MTID    Cost    Disabled     Shutdown      Topology Name
        0           2         no          no            Base
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:08
    Adjacency State FULL (Hello suppressed)
    Index 1/2/3, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0)/0x0(0) Next 0x0(0)/0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec
  Simple password authentication enabled

Both outputs include the following line:

  Simple password authentication enabled

With AuType 1 the password itself is carried in the 8-byte authentication field of every OSPF packet on the virtual link, so anyone who can capture traffic in transit area 10 can read it; simple password authentication only prevents accidental adjacencies, it does not stop an attacker on the transit area from forming one.

Wireshark Packet Capture Results

Open question: if the area <area-id> virtual-link <router-id> authentication statement is entered first, the subsequent area <area-id> virtual-link <router-id> authentication-key <password> statement may be ignored, leaving the key empty?????

Configuring Virtual Link: MD5 authentication

  • R2
configure terminal
!
router ospf 1
 area 10 virtual-link 4.4.4.4 authentication message-digest
 area 10 virtual-link 4.4.4.4 message-digest-key 1 md5 TopSecretX
exit
!
end
  • R4
configure terminal
!
router ospf 1
 area 10 virtual-link 2.2.2.2 authentication message-digest
 area 10 virtual-link 2.2.2.2 message-digest-key 1 md5 TopSecretX
exit
!
end

Verification

Wireshark display filters used on the capture (all OSPF packets; any authentication type; MD5 only):

ospf
ospf.auth.type in { 0 1 2 }
ospf.auth.type in { 2 }
R2#sh ip ospf virtual-links 
Virtual Link OSPF_VL3 to router 4.4.4.4 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 10, via interface GigabitEthernet0/1
 Topology-MTID    Cost    Disabled     Shutdown      Topology Name
        0           2         no          no            Base
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:04
    Adjacency State FULL (Hello suppressed)
    Index 1/1/3, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0)/0x0(0) Next 0x0(0)/0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec
  Cryptographic authentication enabled
    Youngest key id is 1

Notable output

  Cryptographic authentication enabled
    Youngest key id is 1

The following command order may not be a problem… I forgot.

 area 10 virtual-link 2.2.2.2 authentication message-digest
 area 10 virtual-link 2.2.2.2 message-digest-key 1 md5 TopSecretX
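The captures above tell the two modes apart only by ospf.auth.type. The example below is added here and is not part of the original page or its captures: it builds the OSPF Hellos a virtual-link endpoint would send (Area ID 0.0.0.0, since a virtual link is a backbone interface, and the DC option bit matching "Run as demand circuit" in the show output) with simple-password and with MD5 authentication as specified in RFC 2328 Appendix D, then parses them back the way a receiving router would. All packet contents are constructed; the router IDs, keys and timers are the lab's. One assumption is labelled in the code: a message-digest key shorter than 16 bytes is zero-padded before being appended for the digest, which is what IOS does for the key strings used in this lab.

```python
"""Build and inspect OSPFv2 packets with the two authentication types used in the lab.
Added example, not from the original page; packets are constructed here, not taken
from the lab capture.

RFC 2328 Appendix D:
  AuType 1 (simple): the 8-byte header auth field carries the password in cleartext;
  the OSPF checksum is computed over the packet excluding that field.
  AuType 2 (cryptographic): the auth field carries Key ID, Auth Data Len (16) and a
  cryptographic sequence number; the checksum field is 0 and a 16-byte MD5 digest of
  (packet || key) is appended after the packet, outside the OSPF length.
Assumption: a key shorter than 16 bytes is zero-padded to 16 before hashing (IOS behaviour).
"""
import hashlib
import hmac
import struct

OSPF_HDR = struct.Struct("!BBH4s4sHH8s")   # ver, type, length, router id, area id, csum, autype, auth
AUTH_NULL, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2
HELLO = 1


def ip_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum; returns 0 when run over data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def hello_body(neighbors=()) -> bytes:
    """Hello as sent over a virtual link: mask 0.0.0.0, Hello 10 / Dead 40 as in the show
    output, options 0x22 = DC (demand circuit) + E, no DR/BDR on a point-to-point link."""
    body = struct.pack("!4sHBBI4s4s", b"\0" * 4, 10, 0x22, 1, 40, b"\0" * 4, b"\0" * 4)
    return body + b"".join(ipv4(n) for n in neighbors)


def build_ospf(rid: str, area: str, body: bytes, auth_type: int,
               key: bytes = b"", key_id: int = 1, seq: int = 0) -> bytes:
    length = OSPF_HDR.size + len(body)
    if auth_type == AUTH_MD5:
        auth = struct.pack("!HBBI", 0, key_id, 16, seq)   # checksum stays 0 under AuType 2
        pkt = OSPF_HDR.pack(2, HELLO, length, ipv4(rid), ipv4(area), 0, AUTH_MD5, auth) + body
        return pkt + hashlib.md5(pkt + key.ljust(16, b"\0")).digest()   # zero-padded key (assumption)
    auth = key.ljust(8, b"\0")[:8] if auth_type == AUTH_SIMPLE else b"\0" * 8
    hdr = OSPF_HDR.pack(2, HELLO, length, ipv4(rid), ipv4(area), 0, auth_type, auth)
    csum = ip_checksum(hdr[:16] + body)               # auth field (bytes 16..23) excluded
    return hdr[:12] + struct.pack("!H", csum) + hdr[14:] + body


def inspect(pkt: bytes, key: bytes = b"") -> dict:
    """Parse the header; for AuType 1 expose the cleartext password, for AuType 2 verify the
    trailing digest against `key`, which is exactly what the receiving router does."""
    _, _, length, rid, area, csum, autype, auth = OSPF_HDR.unpack_from(pkt)
    info = {"router_id": ".".join(map(str, rid)), "area": ".".join(map(str, area)), "auth_type": autype}
    if autype == AUTH_SIMPLE:
        info["password"] = auth.rstrip(b"\0").decode("ascii", "replace")   # readable by any sniffer
        info["checksum_ok"] = ip_checksum(pkt[:16] + pkt[24:length]) == 0
        info["key_ok"] = hmac.compare_digest(auth, key.ljust(8, b"\0")[:8])
    elif autype == AUTH_MD5:
        _, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
        expected = hashlib.md5(pkt[:length] + key.ljust(16, b"\0")).digest()
        info.update(key_id=key_id, seq=seq, checksum_zero=(csum == 0),
                    key_ok=hmac.compare_digest(pkt[length:length + auth_len], expected))
    else:
        info["checksum_ok"] = ip_checksum(pkt[:16] + pkt[24:length]) == 0
    return info


if __name__ == "__main__":
    vl_hello = hello_body(["4.4.4.4"])
    plain = build_ospf("2.2.2.2", "0.0.0.0", vl_hello, AUTH_SIMPLE, b"PG1X")
    print(inspect(plain))                      # 'PG1X' is right there in the header
    md5 = build_ospf("2.2.2.2", "0.0.0.0", vl_hello, AUTH_MD5, b"TopSecretX", key_id=1, seq=1)
    print(inspect(md5, b"TopSecretX"))
    print(inspect(md5, b"WrongKey")["key_ok"])  # wrong key: digest check fails, packet would be dropped
```

A receiving router also requires the cryptographic sequence number to be non-decreasing per neighbor; the parser exposes `seq` so that check can be layered on top, and `Youngest key id is 1` in the show output corresponds to the `key_id` byte parsed here.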

Tasks Brief

  1. Virtual Link configuration without authentication
  2. Enable area 0 authentication and verify that the virtual link neighbor goes down
  3. It seems an already established Virtual Link does not go DOWN. After removing and reconfiguring the virtual link, the VL does not come up. Is configuring virtual link authentication then required????
  4. Remove the virtual link
  5. Configure the virtual link
  6. Configure virtual link authentication
  7. Virtual Link w/ Area 0 Authentication (Plain) by area 0 authentication on R2
  8. Virtual Link w/ Area 0 Authentication (MD5) by area 0 authentication message-digest on R2
  9. Virtual Link w/ Area 0 Authentication (Plain) by area <transit-area> virtual-link <router-id> authentication
  10. Virtual Link w/ Area 0 Authentication (MD5) by area <transit-area> virtual-link <router-id> authentication message-digest

First, configure the Virtual Link without authentication.

  • R4
configure terminal
!
router ospf 1
 area 10 virtual-link 2.2.2.2
exit
!
end
  • R2
configure terminal
!
router ospf 1
 area 10 virtual-link 4.4.4.4
exit
!
end

Next, enable area 0 authentication (plain text) on R5 and R4, the routers with area 0 interfaces, and check whether the virtual link neighbor goes down.

  • R5
configure terminal
!
interface GigabitEthernet 0/2
 ip ospf authentication-key a0pass
!
router ospf 1
 area 0 authentication
exit
!
end
  • R4
configure terminal
!
interface GigabitEthernet 0/1
 ip ospf authentication-key a0pass
!
router ospf 1
 area 0 authentication
exit
!
end
It seems an already established Virtual Link does not go DOWN. After removing and reconfiguring the virtual link, the VL does not come up. Is configuring virtual link authentication then required????

Task 7: configure virtual link authentication (plain text). The authentication type on R2 comes from area 0 authentication; only the key is set on the virtual-link line.

  • R4
configure terminal
!
router ospf 1
 area 10 virtual-link 2.2.2.2 authentication-key a10vlps
exit
!
end
  • R2
configure terminal
!
router ospf 1
 area 0 authentication
 area 10 virtual-link 4.4.4.4 authentication-key a10vlps
exit
!
end

Task 8: enable area 0 authentication (MD5) on R5 and R4.

  • R5
configure terminal
!
interface GigabitEthernet 0/2
 ip ospf message-digest-key 1 md5 SuperSECRET
!
router ospf 1
 area 0 authentication message-digest
exit
!
end
  • R4
configure terminal
!
interface GigabitEthernet 0/1
 ip ospf message-digest-key 1 md5 SuperSECRET
!
router ospf 1
 area 0 authentication message-digest
exit
!
end

Configure virtual link authentication (MD5). The authentication type on R2 comes from area 0 authentication message-digest; only the key is set on the virtual-link line.

  • R4
configure terminal
!
router ospf 1
 area 10 virtual-link 2.2.2.2 message-digest-key 1 md5 SuperSECRET
exit
!
end
  • R2
configure terminal
!
router ospf 1
 area 0 authentication message-digest
 area 10 virtual-link 4.4.4.4 message-digest-key 1 md5 SuperSECRET
exit
!
end

Task 9: enable area 0 authentication (plain text) on R5 and R4 again.

  • R5
configure terminal
!
interface GigabitEthernet 0/2
 ip ospf authentication-key a0pass
!
router ospf 1
 area 0 authentication
exit
!
end
  • R4
configure terminal
!
interface GigabitEthernet 0/1
 ip ospf authentication-key a0pass
!
router ospf 1
 area 0 authentication
exit
!
end

Configure virtual link authentication (plain text). This time R2 sets the type explicitly with area 10 virtual-link 4.4.4.4 authentication instead of area 0 authentication.

  • R4
configure terminal
!
router ospf 1
 area 10 virtual-link 2.2.2.2 authentication-key a10vlps
exit
!
end
  • R2
configure terminal
!
router ospf 1
 area 10 virtual-link 4.4.4.4 authentication
 area 10 virtual-link 4.4.4.4 authentication-key a10vlps
exit
!
end

Task 10: enable area 0 authentication (MD5) on R5 and R4 again.

  • R5
configure terminal
!
interface GigabitEthernet 0/2
 ip ospf message-digest-key 1 md5 a0passE
!
router ospf 1
 area 0 authentication message-digest
exit
!
end
  • R4
configure terminal
!
interface GigabitEthernet 0/1
 ip ospf message-digest-key 1 md5 a0passE
!
router ospf 1
 area 0 authentication message-digest
exit
!
end

Configure virtual link authentication (MD5). This time R2 sets the type explicitly with area 10 virtual-link 4.4.4.4 authentication message-digest instead of area 0 authentication message-digest.

  • R4
configure terminal
!
router ospf 1
 area 10 virtual-link 2.2.2.2 message-digest-key 1 md5 a10vlpsEnc
exit
!
end
  • R2
configure terminal
!
router ospf 1
 area 10 virtual-link 4.4.4.4 authentication message-digest
 area 10 virtual-link 4.4.4.4 message-digest-key 1 md5 a10vlpsEnc
exit
!
end

Summary

Tasks

  1. ✔ Collect console logs
  2. ✔ Collect packet captures
  3. Capture Virtual Link packets without area 0 authentication, for both Plain and MD5

Key Point

  1. If the Virtual Link is already established, configuring area 0 authentication does not seem to bring the Virtual Link neighbor down
  2. Even so, on the area 0 ABR, show ip ospf virtual-links reports Simple authentication as enabled
  3. If area 0 authentication is configured and the Virtual Link is then configured without authentication, the link shows up but the neighbor never forms and no routes are exchanged
  4. If the area <area-id> virtual-link <router-id> authentication statement is entered first, the area <area-id> virtual-link <router-id> authentication-key <password> statement may be ignored, leaving the key empty.
  5. After trying many things I lost track of the order of events, and I don't understand it at all…
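Key Point 3 above (area 0 authentication on, virtual link left without a key, adjacency never forms) and tasks 7 to 10 (type set via area 0 on R4 but via the virtual-link line on R2) are both consequences of one rule: a virtual link is a backbone interface, so its authentication type is inherited from area 0 unless the virtual-link line overrides it, while the key is only ever read from the virtual-link line. The audit below is an added example, not the page's own tooling: it parses the router ospf section of an IOS running-config and reports, per virtual link, the effective type and whether a key of that type is present. The config texts are constructed from the commands used in the lab; running-config forms with an encrypted key (authentication-key 7 ..., message-digest-key 1 md5 7 ...) are handled as well.

```python
"""Audit OSPF virtual-link authentication in a Cisco IOS running-config.
Added example, not from the original page; the config texts below are constructed
from the lab commands.

Rule encoded: a virtual link's auth type comes from `area 0 authentication
[message-digest]` unless the virtual-link line carries `authentication
[message-digest|null]`; the key is taken only from the virtual-link line.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

AREA_AUTH_RE = re.compile(r"^\s*area\s+(\S+)\s+authentication(?:\s+(message-digest))?\s*$")
VL_RE = re.compile(r"^\s*area\s+(\S+)\s+virtual-link\s+(\S+)(?:\s+(.*))?$")


@dataclass
class VirtualLink:
    transit_area: str
    router_id: str
    auth_type: Optional[str] = None           # explicit on the VL line: "null", "simple" or "md5"
    simple_key: bool = False                  # `authentication-key [7] <password>` present
    md5_key_ids: List[int] = field(default_factory=list)


def parse_ospf_section(config: str) -> Tuple[str, Dict[str, VirtualLink]]:
    """Return (area 0 auth type, {peer router-id: VirtualLink})."""
    area0 = "null"
    links: Dict[str, VirtualLink] = {}
    for line in config.splitlines():
        m = AREA_AUTH_RE.match(line)
        if m:
            if m.group(1) in ("0", "0.0.0.0"):
                area0 = "md5" if m.group(2) else "simple"
            continue
        m = VL_RE.match(line)
        if not m:
            continue
        vl = links.setdefault(m.group(2), VirtualLink(m.group(1), m.group(2)))
        words = (m.group(3) or "").split()
        if not words:
            continue                                      # bare `area X virtual-link Y`
        if words[0] == "authentication":
            mode = words[1] if len(words) > 1 else ""
            vl.auth_type = {"message-digest": "md5", "null": "null"}.get(mode, "simple")
        elif words[0] == "authentication-key":
            vl.simple_key = True
        elif words[0] == "message-digest-key" and len(words) >= 3 and words[2] == "md5":
            vl.md5_key_ids.append(int(words[1]))          # `message-digest-key <id> md5 [7] <key>`
        # hello-interval, dead-interval, etc. do not affect authentication
    return area0, links


def audit(config: str) -> List[Tuple[str, str, str]]:
    """One (router-id, effective auth type, status) per virtual link.
    Status: 'unauthenticated', 'cleartext-password', 'md5' or 'missing-key'
    (a keyed peer will not form an adjacency with a link that has no key)."""
    area0, links = parse_ospf_section(config)
    out = []
    for rid, vl in sorted(links.items()):
        eff = vl.auth_type or area0
        if eff == "null":
            status = "unauthenticated"
        elif eff == "simple":
            status = "cleartext-password" if vl.simple_key else "missing-key"
        else:
            status = "md5" if vl.md5_key_ids else "missing-key"
        out.append((rid, eff, status))
    return out


# Constructed from the lab commands: R2 after task 10 (explicit VL-level MD5), R4 after
# task 7 (type inherited from area 0, key on the VL line) and the Key Point 3 situation
# (area 0 authentication configured, virtual link left bare).
R2_TASK10 = """router ospf 1
 area 10 virtual-link 4.4.4.4 authentication message-digest
 area 10 virtual-link 4.4.4.4 message-digest-key 1 md5 a10vlpsEnc
"""
R4_TASK7 = """router ospf 1
 area 0 authentication
 area 10 virtual-link 2.2.2.2 authentication-key a10vlps
"""
R2_BARE_VL = """router ospf 1
 area 0 authentication message-digest
 area 10 virtual-link 4.4.4.4
"""

if __name__ == "__main__":
    for name, cfg in [("R2_TASK10", R2_TASK10), ("R4_TASK7", R4_TASK7), ("R2_BARE_VL", R2_BARE_VL)]:
        print(name, audit(cfg))
```

Feed it the output of show running-config | section router ospf 1 from each ABR; a 'cleartext-password' result on a production virtual link is the finding to act on, since the key is then visible to anyone who can capture traffic in the transit area.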

Verification Commands Summary

show ip ospf virtual-links
show ip ospf neighbor
show ip ospf interface GigabitEthernet 0/1
show running-config | section router ospf 1
show ip route ospf
show ip ospf database
  • Wireshark Display Filter
OSPF packets only:   ospf
Null authentication: ospf.auth.type == 0
Plain-text password: ospf.auth.type == 1
MD5 authentication:  ospf.auth.type == 2

My Comment

Implementation is easy, but the detailed behavior of this feature is hard to understand… I found that routers with a virtual link configured exchange LSA packets by unicast, not multicast.

References

tech/network/cisco/ospf/virtual-link-authentication/virtual-link-authentication.txt · Last modified: 2020/02/29 21:21 by wnoguchi