tech:network:cisco:ospf:virtual-link-authentication:virtual-link-authentication
Table of Contents
Cisco: OSPF Virtual Link Authentication
Lab 1: 6b3344b7-3d9a-4f50-822f-d466606ee4a4 Virtual Link
- This lab base is identical to
lab-6b3344b7-3d9a-4f50-822f-d466606ee4a4.
Topology
Base Configuration
Configuring Virtual Link: Plain text authentication 00277294-e25f-423d-8b09-3cf44421b839
- R2
configure terminal ! router ospf 1 area 10 virtual-link 4.4.4.4 authentication-key PG1X area 10 virtual-link 4.4.4.4 authentication exit ! end
- R4
configure terminal ! router ospf 1 area 10 virtual-link 2.2.2.2 authentication-key PG1X area 10 virtual-link 2.2.2.2 authentication exit ! end
Verification
ospf
ospf.auth.type in { 0 1 2 }
ospf.auth.type in { 1 }
Notable output
R2#sh ip ospf virtual-links
Virtual Link OSPF_VL0 to router 4.4.4.4 is up
Run as demand circuit
DoNotAge LSA allowed.
Transit area 10, via interface GigabitEthernet0/1
Topology-MTID Cost Disabled Shutdown Topology Name
0 2 no no Base
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:02
Adjacency State FULL (Hello suppressed)
Index 1/1/3, retransmission queue length 0, number of retransmission 2
First 0x0(0)/0x0(0)/0x0(0) Next 0x0(0)/0x0(0)/0x0(0)
Last retransmission scan length is 1, maximum is 1
Last retransmission scan time is 1 msec, maximum is 1 msec
Simple password authentication enabled
R4#sh ip ospf virtual-links
Virtual Link OSPF_VL1 to router 2.2.2.2 is up
Run as demand circuit
DoNotAge LSA allowed.
Transit area 10, via interface GigabitEthernet0/2
Topology-MTID Cost Disabled Shutdown Topology Name
0 2 no no Base
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:08
Adjacency State FULL (Hello suppressed)
Index 1/2/3, retransmission queue length 0, number of retransmission 0
First 0x0(0)/0x0(0)/0x0(0) Next 0x0(0)/0x0(0)/0x0(0)
Last retransmission scan length is 0, maximum is 0
Last retransmission scan time is 0 msec, maximum is 0 msec
Simple password authentication enabled
include following output.
Simple password authentication enabled
Wireshark Packet Capture Results
If
area <area-id> virtual-link <router-id> authentication statement input first, area <area-id> virtual-link <router-id> authentication-key <password> statement may ignore and result in empty?????
Configuring Virtual Link: MD5 authentication d16d8c22-663f-4bba-9983-f3a4f788beeb
- R2
configure terminal ! router ospf 1 area 10 virtual-link 4.4.4.4 authentication message-digest area 10 virtual-link 4.4.4.4 message-digest-key 1 md5 TopSecretX exit ! end
- R4
configure terminal ! router ospf 1 area 10 virtual-link 2.2.2.2 authentication message-digest area 10 virtual-link 2.2.2.2 message-digest-key 1 md5 TopSecretX exit ! end
Verification
ospf
ospf.auth.type in { 0 1 2 }
ospf.auth.type in { 2 }
R2#sh ip ospf virtual-links
Virtual Link OSPF_VL3 to router 4.4.4.4 is up
Run as demand circuit
DoNotAge LSA allowed.
Transit area 10, via interface GigabitEthernet0/1
Topology-MTID Cost Disabled Shutdown Topology Name
0 2 no no Base
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:04
Adjacency State FULL (Hello suppressed)
Index 1/1/3, retransmission queue length 0, number of retransmission 0
First 0x0(0)/0x0(0)/0x0(0) Next 0x0(0)/0x0(0)/0x0(0)
Last retransmission scan length is 0, maximum is 0
Last retransmission scan time is 0 msec, maximum is 0 msec
Cryptographic authentication enabled
Youngest key id is 1
Notable output is
Cryptographic authentication enabled
Youngest key id is 1
following command order is not problem may be… I forgot.
area 10 virtual-link 2.2.2.2 authentication message-digest area 10 virtual-link 2.2.2.2 message-digest-key 1 md5 TopSecretX
Be careful Virtual Link w/ Area 0 authentication 462956ef-3f87-4798-be66-b77387935109
Tasks Brief
Virtual Link Configuration without authenticationenable area 0 authentication and verify virtual link neighbor down- It seems elaready established Virtual Link is not DOWN. Remove virutal-link and reconfiguration cannnot VL is not up. then configure virtual link authentication required????
- remove virtual link
- configure virtual-link
- and configure virtual link configuration
Virtual Link w/ Area 0 Authentication (Plain) by area 0 authentication on R2 842328f7-acb9-4bf9-be6d-405120fd14c0Virtual Link w/ Area 0 Authentication (MD5) by area 0 authentication message-digest on R2 e93e4851-930d-41f8-8afd-21fc8e6ee0e9Virtual Link w/ Area 0 Authentication (Plain) by area <transit-area> virtual-link <router-id> authentication 1996fbb8-b499-4702-b04b-5155ddef124cVirtual Link w/ Area 0 Authentication (MD5) by area <transit-area> virtual-link <router-id> authentication message-digest 015db98c-cf18-456e-b093-ec22f064ba6f
Virtual Link without authentication 60803924-3623-4745-aa39-703ee6431d91
First, configure Virtual Link without authentication.
- R4
configure terminal ! router ospf 1 area 10 virtual-link 2.2.2.2 exit ! end
- R2
configure terminal ! router ospf 1 area 10 virtual-link 4.4.4.4 exit ! end
Virtual Link w/ Area 0 Authentication (Plain) by area 0 authentication on R2 842328f7-acb9-4bf9-be6d-405120fd14c0
Next, enable area 0 authentication. Check virtual link neighbor down.
- R5
configure terminal ! interface GigabitEthernet 0/2 ip ospf authentication-key a0pass ! router ospf 1 area 0 authentication exit ! end
- R4
configure terminal ! interface GigabitEthernet 0/1 ip ospf authentication-key a0pass ! router ospf 1 area 0 authentication exit ! end
It seems already established Virtual Link is not DOWN. Remove virutal-link and reconfiguration cannnot VL is not up.
then configure virtual link authentication required????
Configure virtual link authentication.
- R4
configure terminal ! router ospf 1 area 10 virtual-link 2.2.2.2 authentication-key a10vlps exit ! end
- R2
configure terminal ! router ospf 1 area 0 authentication area 10 virtual-link 4.4.4.4 authentication-key a10vlps exit ! end
Virtual Link w/ Area 0 Authentication (MD5) by area 0 authentication message-digest on R2 e93e4851-930d-41f8-8afd-21fc8e6ee0e9
enable area 0 authentication.
- R5
configure terminal ! interface GigabitEthernet 0/2 ip ospf message-digest-key 1 md5 SuperSECRET ! router ospf 1 area 0 authentication message-digest exit ! end
- R4
configure terminal ! interface GigabitEthernet 0/1 ip ospf message-digest-key 1 md5 SuperSECRET ! router ospf 1 area 0 authentication message-digest exit ! end
Configure virtual link authentication.
- R4
configure terminal ! router ospf 1 area 10 virtual-link 2.2.2.2 message-digest-key 1 md5 SuperSECRET exit ! end
- R2
configure terminal ! router ospf 1 area 0 authentication message-digest area 10 virtual-link 4.4.4.4 message-digest-key 1 md5 SuperSECRET exit ! end
Virtual Link w/ Area 0 Authentication (Plain) by area <transit-area> virtual-link <router-id> authentication 1996fbb8-b499-4702-b04b-5155ddef124c
enable area 0 authentication.
- R5
configure terminal ! interface GigabitEthernet 0/2 ip ospf authentication-key a0pass ! router ospf 1 area 0 authentication exit ! end
- R4
configure terminal ! interface GigabitEthernet 0/1 ip ospf authentication-key a0pass ! router ospf 1 area 0 authentication exit ! end
Configure virtual link authentication.
- R4
configure terminal ! router ospf 1 area 10 virtual-link 2.2.2.2 authentication-key a10vlps exit ! end
- R2
configure terminal ! router ospf 1 area 10 virtual-link 4.4.4.4 authentication area 10 virtual-link 4.4.4.4 authentication-key a10vlps exit ! end
Virtual Link w/ Area 0 Authentication (MD5) by area <transit-area> virtual-link <router-id> authentication message-digest 015db98c-cf18-456e-b093-ec22f064ba6f
enable area 0 authentication.
- R5
configure terminal ! interface GigabitEthernet 0/2 ip ospf message-digest-key 1 md5 a0passE ! router ospf 1 area 0 authentication message-digest exit ! end
- R4
configure terminal ! interface GigabitEthernet 0/1 ip ospf message-digest-key 1 md5 a0passE ! router ospf 1 area 0 authentication message-digest exit ! end
Configure virtual link authentication.
- R4
configure terminal ! router ospf 1 area 10 virtual-link 2.2.2.2 message-digest-key 1 md5 a10vlpsEnc exit ! end
- R2
configure terminal ! router ospf 1 area 10 virtual-link 4.4.4.4 authentication message-digest area 10 virtual-link 4.4.4.4 message-digest-key 1 md5 a10vlpsEnc exit ! end
Summary
Tasks
- ✔コンソールログの収集
- ✔パケットキャプチャの収集
- Area 0 認証なしの Virtual Link パケットキャプチャを Plain, MD5 両方実施する
Key Point
- Virtual Link はすでに確立済みならエリア 0 認証を設定しても Virtual Link のネイバーダウンに至らない模様
- とはいえエリア 0 ABR では show ip ospf virtual-links 結果は Simple authentication が enabled となっている
- エリア 0 認証を設定したうえで Virtual Link を認証無しで設定すると up とはなるが、ネイバーはいつまでも確立されず、経路の交換も行われない
- If
area <area-id> virtual-link <router-id> authenticationstatement input first,area <area-id> virtual-link <router-id> authentication-key <password>statement may ignore and result in empty. - 色々やってたら前後関係よくわからなくなってしまったし、全然わからない。。。
Verification Commands Sumamry
show ip ospf virtual-links show ip ospf neighbor show ip ospf interface GigabitEthernet 0/1 show running-config | section router ospf 1 show ip route ospf show ip ospf database
- Wireshark Display Filter
! Filter OSPF Packet Only ospf ! Null Auth ospf.auth.type == 0 ! Plain Auth ospf.auth.type == 1 ! MD5 Auth ospf.auth.type == 2
My Comment
Implementation is easily, but hard to understand this feature detailed behavior… I found Virtual Link configured router exchange LSA packet by unicast. Not multicast.
References
tech/network/cisco/ospf/virtual-link-authentication/virtual-link-authentication.txt · Last modified: 2020/02/29 21:21 by wnoguchi
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
