There is always something we need to get back to. How the packet flows and which check happens first, so here we go.
A link to Cisco’s TAC engineers document that explain it all..
Archive for the ‘Uncategorized’ Category
Router1(config-router)#do sh ip int br
FastEthernet0/0 136.1.13.1
Loopback0 150.1.1.1
Router1(config)#router bgp 11
Router1(config-router)#neighbor 136.1.23.2 remote-as 22
Router1(config-router)#neighbor 136.1.23.2 ttl-security hops 2
Router1(config-router)#network 150.1.1.1 mask 255.255.255.255
Router1(config-router)#exit
router bgp 11
no synchronization
bgp log-neighbor-changes
network 150.1.1.1 mask 255.255.255.255
neighbor 136.1.23.2 remote-as 22
neighbor 136.1.23.2 ttl-security hops 2
no auto-summary
!
Router2(config)#router bgp 22
Router2(config-router)#neighbor 136.1.13.1 remote-as 11
Router2(config-router)#neighbor 136.1.13.1 ttl-security hops 2
Router2(config-router)#network 150.1.2.2 mask 255.255.255.255
Router2(config-router)#exit
router bgp 22
no synchronization
bgp log-neighbor-changes
network 150.1.2.2 mask 255.255.255.255
neighbor 136.1.13.1 remote-as 11
neighbor 136.1.13.1 ttl-security hops 2
no auto-summary
Router2#sh ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 136.1.23.2
Loopback0 150.1.2.2
Router2#sh ip bgp summary
BGP router identifier 150.1.2.2, local AS number 22
BGP table version is 2, main routing table version 2
1 network entries using 120 bytes of memory
1 path entries using 52 bytes of memory
1/1 BGP path/bestpath attribute entries using 124 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 296 total bytes of memory
BGP activity 1/0 prefixes, 1/0 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
136.1.13.1 4 11 0 0 1 0 0 never Idle
Router1(config)#router bgp 1 !–Autonomous system number
!– Flags a network as local to this autonomous system and enters it to the BGP table. Specify a network to announce via BGP
Router1(config)#network 150.1.1.1 mask 255.255.255.255
Router1(config)#network 150.1.1.1 mask 255.255.255.255
!– Specify a neighbor router
Router1(config)#neighbor 136.1.13.3 remote-as 3
Router1(config)#neighbor 136.1.13.3 remote-as 3
! — Set a password
Router1(config)#neighbor 136.1.13.3 password PASSWORD
Router1(config)#neighbor 136.1.13.3 password PASSWORD
Router3(config)#router bgp 3
Router3(config)#network 150.1.3.3 mask 255.255.255.255
Router3(config)#neighbor 136.1.13.1 remote-as 1
Router3(config)#neighbor 136.1.23.2 remote-as 2
Router3(config)#neighbor 136.1.13.1 password PASSWORD
Router3(config)#neighbor 136.1.23.2 password PASSWORDRouter1(config)#router ?
bgp Border Gateway Protocol (BGP)
eigrp Enhanced Interior Gateway Routing Protocol (EIGRP)
isis ISO IS-IS
iso-igrp IGRP for OSI networks
mobile Mobile routes
odr On Demand stub Routes
ospf Open Shortest Path First (OSPF)
rip Routing Information Protocol (RIP)*Oct 18 15:24:04.306: %TCP-6-BADAUTH: No MD5 digest from 136.1.13.3(179) to 136.1.13.1(19226)
*Oct 18 15:24:07.466: %TCP-6-BADAUTH: No MD5 digest from 136.1.13.3(16117) to 136.1.13.1(179)
*Oct 18 15:24:24.302: %BGP-5-ADJCHANGE: neighbor 136.1.13.3 UpRouter1#sh ip bgp summary
BGP router identifier 150.1.1.1, local AS number 1
BGP table version is 4, main routing table version 4
3 network entries using 360 bytes of memory
3 path entries using 156 bytes of memory
3/3 BGP path/bestpath attribute entries using 372 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 936 total bytes of memory
BGP activity 3/0 prefixes, 3/0 paths, scan interval 60 secs
Router3(config)#network 150.1.3.3 mask 255.255.255.255
Router3(config)#neighbor 136.1.13.1 remote-as 1
Router3(config)#neighbor 136.1.23.2 remote-as 2
Router3(config)#neighbor 136.1.13.1 password PASSWORD
Router3(config)#neighbor 136.1.23.2 password PASSWORDRouter1(config)#router ?
bgp Border Gateway Protocol (BGP)
eigrp Enhanced Interior Gateway Routing Protocol (EIGRP)
isis ISO IS-IS
iso-igrp IGRP for OSI networks
mobile Mobile routes
odr On Demand stub Routes
ospf Open Shortest Path First (OSPF)
rip Routing Information Protocol (RIP)*Oct 18 15:24:04.306: %TCP-6-BADAUTH: No MD5 digest from 136.1.13.3(179) to 136.1.13.1(19226)
*Oct 18 15:24:07.466: %TCP-6-BADAUTH: No MD5 digest from 136.1.13.3(16117) to 136.1.13.1(179)
*Oct 18 15:24:24.302: %BGP-5-ADJCHANGE: neighbor 136.1.13.3 UpRouter1#sh ip bgp summary
BGP router identifier 150.1.1.1, local AS number 1
BGP table version is 4, main routing table version 4
3 network entries using 360 bytes of memory
3 path entries using 156 bytes of memory
3/3 BGP path/bestpath attribute entries using 372 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 936 total bytes of memory
BGP activity 3/0 prefixes, 3/0 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
136.1.13.3 4 3 7 5 4 0 0 00:00:50 2
!– To check BGP table
Router1#sh ip bgp
BGP table version is 4, local router ID is 150.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i – internal,
r RIB-failure, S Stale
Origin codes: i – IGP, e – EGP, ? – incompleteNetwork Next Hop Metric LocPrf Weight Path
*> 150.1.1.1/32 0.0.0.0 0 32768 i
*> 150.1.2.2/32 136.1.13.3 0 3 2 i
*> 150.1.3.3/32 136.1.13.3 0 0 3 i
Router1#
Router1#sh ip bgp
BGP table version is 4, local router ID is 150.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i – internal,
r RIB-failure, S Stale
Origin codes: i – IGP, e – EGP, ? – incompleteNetwork Next Hop Metric LocPrf Weight Path
*> 150.1.1.1/32 0.0.0.0 0 32768 i
*> 150.1.2.2/32 136.1.13.3 0 3 2 i
*> 150.1.3.3/32 136.1.13.3 0 0 3 i
Router1#
!– Wrong password entered:
Router1(config)#router bgp 1
Router1(config-router)#neighbor 136.1.13.3 password ee !– wrong pass results
*Oct 18 15:27:45.802: %TCP-6-BADAUTH: Invalid MD5 digest from 136.1.13.3(179) to 136.1.13.1(41138)
*Oct 18 15:27:46.974: %TCP-6-BADAUTH: Invalid MD5 digest from 136.1.13.3(179) to 136.1.13.1(41138)
*Oct 18 15:27:49.318: %TCP-6-BADAUTH: Invalid MD5 digest from 136.1.13.3(179) toRouter3#sh ip bgp
%BGP-5-ADJCHANGE: neighbor 136.1.13.1 Up
Router1(config-router)#neighbor 136.1.13.3 password ee !– wrong pass results
*Oct 18 15:27:45.802: %TCP-6-BADAUTH: Invalid MD5 digest from 136.1.13.3(179) to 136.1.13.1(41138)
*Oct 18 15:27:46.974: %TCP-6-BADAUTH: Invalid MD5 digest from 136.1.13.3(179) to 136.1.13.1(41138)
*Oct 18 15:27:49.318: %TCP-6-BADAUTH: Invalid MD5 digest from 136.1.13.3(179) toRouter3#sh ip bgp
%BGP-5-ADJCHANGE: neighbor 136.1.13.1 Up
Router3#sh ip bgp summary
BGP router identifier 150.1.3.3, local AS number 3
BGP table version is 3, main routing table version 3
2 network entries using 240 bytes of memory
2 path entries using 104 bytes of memory
2/2 BGP path/bestpath attribute entries using 248 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 616 total bytes of memory
BGP activity 2/0 prefixes, 2/0 paths, scan interval 60 secsNeighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
136.1.13.1 4 1 5 5 2 0 0 00:00:02 1
136.1.23.2 4 2 0 0 1 0 0 never Active
BGP router identifier 150.1.3.3, local AS number 3
BGP table version is 3, main routing table version 3
2 network entries using 240 bytes of memory
2 path entries using 104 bytes of memory
2/2 BGP path/bestpath attribute entries using 248 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 616 total bytes of memory
BGP activity 2/0 prefixes, 2/0 paths, scan interval 60 secsNeighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
136.1.13.1 4 1 5 5 2 0 0 00:00:02 1
136.1.23.2 4 2 0 0 1 0 0 never Active
%BGP-5-ADJCHANGE: neighbor 136.1.23.2 Up
Router3#sh ip bgp summary
BGP router identifier 150.1.3.3, local AS number 3
…..
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
136.1.13.1 4 1 7 9 4 0 0 00:02:29 1
136.1.23.2 4 2 7 8 4 0 0 00:02:17 1
!– Verify authentication on per neighbour basis:
Router3#sh ip bgp neighbors 136.1.23.2
BGP neighbor is 136.1.23.2, remote AS 2, external link
BGP version 4, remote router ID 150.1.2.2
BGP state = Established, up for 00:02:26
……
Option Flags: nagle, path mtu capable, md5, 0x1000000
IP Precedence value : 6Datagrams (max data segment is 1460 bytes):
Rcvd: 12 (out of order: 0), with data: 6, total data bytes: 212
Sent: 10 (retransmit: 0, fastretransmit: 0, partialack: 0, Second Congestion: 0), with data: 6, total data bytes: 297
Packets received in fast path: 0, fast processed: 0, slow path: 0
fast lock acquisition failures: 0, slow path: 0
Router3#sh ip bgp neighbors 136.1.23.2
BGP neighbor is 136.1.23.2, remote AS 2, external link
BGP version 4, remote router ID 150.1.2.2
BGP state = Established, up for 00:02:26
……
Option Flags: nagle, path mtu capable, md5, 0x1000000
IP Precedence value : 6Datagrams (max data segment is 1460 bytes):
Rcvd: 12 (out of order: 0), with data: 6, total data bytes: 212
Sent: 10 (retransmit: 0, fastretransmit: 0, partialack: 0, Second Congestion: 0), with data: 6, total data bytes: 297
Packets received in fast path: 0, fast processed: 0, slow path: 0
fast lock acquisition failures: 0, slow path: 0
Router3#sh ip bgp neighbors 136.1.13.1
BGP neighbor is 136.1.13.1, remote AS 1, external link
BGP version 4, remote router ID 150.1.1.1
BGP state = Established, up for 00:02:50
Last read 00:00:01, last write 00:00:28, hold time is 180, keepalive interval is 60 seconds
Neighbor sessions:
1 active, is multisession capable
…….
Option Flags: nagle, path mtu capable, md5, 0x1000000
IP Precedence value : 6Datagrams (max data segment is 1460 bytes):
Rcvd: 13 (out of order: 0), with data: 7, total data bytes: 231
Sent: 12 (retransmit: 0, fastretransmit: 0, partialack: 0, Second Congestion: 0), with data: 7, total data bytes: 316
Packets received in fast path: 0, fast processed: 0, slow path: 0
fast lock acquisition failures: 0, slow path: 0
BGP neighbor is 136.1.13.1, remote AS 1, external link
BGP version 4, remote router ID 150.1.1.1
BGP state = Established, up for 00:02:50
Last read 00:00:01, last write 00:00:28, hold time is 180, keepalive interval is 60 seconds
Neighbor sessions:
1 active, is multisession capable
…….
Option Flags: nagle, path mtu capable, md5, 0x1000000
IP Precedence value : 6Datagrams (max data segment is 1460 bytes):
Rcvd: 13 (out of order: 0), with data: 7, total data bytes: 231
Sent: 12 (retransmit: 0, fastretransmit: 0, partialack: 0, Second Congestion: 0), with data: 7, total data bytes: 316
Packets received in fast path: 0, fast processed: 0, slow path: 0
fast lock acquisition failures: 0, slow path: 0
!– Failure in authentication
%TCP-6-BADAUTH: Invalid MD5 digest from 136.1.13.1(41138) to 136.1.13.3(179)
%TCP-6-BADAUTH: Invalid MD5 digest from 136.1.13.1(41138) to 136.1.13.3(179)
!– error message if authentication is not enabled on routers
%TCP-6-BADAUTH: No MD5 digest from 136.1.13.1(179) to 136.1.13.3(49376)
%TCP-6-BADAUTH: No MD5 digest from 136.1.13.1(179) to 136.1.13.3(49376)
%TCP-6-BADAUTH: No MD5 digest from 136.1.13.1(179) to 136.1.13.3(49376)
%TCP-6-BADAUTH: No MD5 digest from 136.1.13.1(179) to 136.1.13.3(49376)
##### Theory #####
BGP uses TCP for transport and specifically for authentication TCP option 19 which is MD5 signature option.
##############################################################################################################
When entering basic config the existing routing is gone (go figure)…
Router3#
OSPFv3: Interface FastEthernet0/1 going Down
OSPFv3: Neighbor change Event on interface FastEthernet0/1
OSPFv3: DR/BDR election on FastEthernet0/1
OSPFv3: Elect BDR 0.0.0.0
OSPFv3: Elect DR 0.0.0.0
OSPFv3: Elect BDR 0.0.0.0
OSPFv3: Elect DR 0.0.0.0
DR: none BDR: none
OSPFv3: Flush network LSA immediately
OSPFv3: Remember old DR 150.1.3.3 (id)
OSPFv3: Interface Loopback0 going Down
OSPFv3: Interface FastEthernet0/0 going Down
OSPFv3: Neighbor change Event on interface FastEthernet0/0
OSPFv3: DR/BDR election on FastEthernet0/0
OSPFv3: Elect BDR 0.0.0.0
OSPFv3: Elect DR 0.0.0.0
OSPFv3: Elect BDR 0.0.0.0
OSPFv3: Elect DR 0.0.0.0
DR: none BDR: none
OSPFv3: Flush network LSA immediately
OSPFv3: Remember old DR 150.1.3.3 (id)
OSPFv3: 150.1.2.2 address FE80::21B:53FF:FEE5:9478 on FastEthernet0/0 is dead, state DOWN
OSPFv3: Neighbor change Event on interface FastEthernet0/0
OSPFv3: DR/BDR election on FastEthernet0/0
OSPFv3: Elect BDR 0.0.0.0
Router3#OSPFv3: Elect DR 0.0.0.0
DR: none BDR: none
!– New EIGRP config being entered.
Router3(config)#key chain MD5CHAIN
Router3(config-keychain)#key 1
Router3(config-keychain-key)#key-string MD5STRING
Router3(config)#int f0/0
Router3(config-if)#ip authentication mode eigrp 1 md5
Router3(config-if)#ip authentication key-chain eigrp 1 MD5CHAIN
Router3(config)#key chain ROLLOVER
Router3(config-keychain)#key 1
Router3(config-keychain-key)#accept-lifetime 00:00:00 Jan 1 2013 01:00:00 Jan 1 2014
Router3(config-keychain-key)#send-lifetime 00:00:00 Jan 1 2013 01:00:00 Jan 1 2014
Router3(config-keychain)#key 2
Router3(config-keychain-key)#accept-lifetime 23:00:00 Dec 31 2013 01:00:00 Jan 1 2015
Router3(config-keychain-key)#send-lifetime 23:00:00 Dec 31 2013 01:00:00 Jan 1 2015
Router3(config)#int f0/1
Router3(config-if)#ip authentication mode eigrp 1 md5
Router3(config-if)#ip authentication key-chain eigrp 1 ROLLOVER
Router3(config)#router eigrp 1
Router3(config-router)#network 150.1.0.0
Router3(config-router)#network 136.1.0.0
!- Sh run commands related to EIGRP:
key chain MD5CHAIN
key 1
key-string MD5STRING
key chain ROLLOVER
key 1
key-string KEY1
accept-lifetime 00:00:00 Jan 1 2013 01:00:00 Jan 1 2014
send-lifetime 00:00:00 Jan 1 2013 00:00:00 Jan 1 2014
key 2
accept-lifetime 23:00:00 Dec 31 2013 01:00:00 Jan 1 2015
send-lifetime 00:00:00 Jan 1 2014 00:00:00 Jan 1 2015
!
interface FastEthernet0/0
ip address 136.1.23.3 255.255.255.0
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 ROLLOVER
duplex auto
speed auto
ipv6 address 2001:136:1:23::3/64
!
interface FastEthernet0/1
mac-address 0005.0006.0007
ip address 136.1.13.3 255.255.255.0
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 MD5CHAIN
duplex auto
speed auto
ipv6 address 2001:136:1:13::3/64
!
router eigrp 1
network 136.1.0.0
network 150.1.0.0
!
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 136.1.23.2 (FastEthernet0/0) is up: new adjacency
Router3#
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 136.1.23.2 (FastEthernet0/0) is down: Interface PEER-TERMINATION received
Router3#
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 136.1.23.2 (FastEthernet0/0) is up: new adjacency
Router3#
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 136.1.23.2 (FastEthernet0/0) is down: Auth failure
!– Verification, o verify whether EIGRP-enabled interfaces have authentication configured and which key chain is being used, use below command:
Router3# sh ip eigrp interfaces detail f0/0
EIGRP-IPv4 Interfaces for AS(1)
Xmit Queue Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable SRTT Un/Reliable Flow Timer Routes
Fa0/0 1 0/0 3 0/1 50 0
Hello-interval is 5, Hold-time is 15
Split-horizon is enabled
Next xmit serial <none>
Un/reliable mcasts: 0/4 Un/reliable ucasts: 6/8
Mcast exceptions: 0 CR packets: 0 ACKs suppressed: 0
Retransmissions sent: 5 Out-of-sequence rcvd: 1
Topology-ids on interface – 0
Authentication mode is md5, key-chain is “ROLLOVER”
Router3#
Router3# sh ip eigrp interfaces detail f0/1
EIGRP-IPv4 Interfaces for AS(1)
Xmit Queue Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable SRTT Un/Reliable Flow Timer Routes
Fa0/1 1 0/0 1 0/1 50 0
Hello-interval is 5, Hold-time is 15
Split-horizon is enabled
Next xmit serial <none>
Un/reliable mcasts: 0/5 Un/reliable ucasts: 5/1
Mcast exceptions: 0 CR packets: 0 ACKs suppressed: 0
Retransmissions sent: 0 Out-of-sequence rcvd: 1
Topology-ids on interface – 0
Authentication mode is md5, key-chain is “”MD5CHAIN”
Router3#sh key chain
Key-chain MD5CHAIN:
key 1 — text “MD5STRING”
accept lifetime (always valid) – (always valid) [valid now]
send lifetime (always valid) – (always valid) [valid now]
Key-chain ROLLOVER:
key 1 — text “KEY1”
accept lifetime (00:00:00 UTC Jan 1 2013) – (01:00:00 UTC Jan 1 2014) [valid now]
send lifetime (00:00:00 UTC Jan 1 2013) – (00:00:00 UTC Jan 1 2014) [valid now]
* key 2 — text “(unset)”
accept lifetime (23:00:00 UTC Dec 31 2013) – (01:00:00 UTC Jan 1 2015)
send lifetime (00:00:00 UTC Jan 1 2014) – (00:00:00 UTC Jan 1 2015)
Router3#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 136.1.23.2 Fa0/0 12 00:04:12 3 200 0 7
0 136.1.13.1 Fa0/1 10 00:23:51 1 200 0 6
Router3# sh ip eigrp interfaces detail f0/0
EIGRP-IPv4 Interfaces for AS(1)
Xmit Queue Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable SRTT Un/Reliable Flow Timer Routes
Fa0/0 1 0/0 3 0/1 50 0
Hello-interval is 5, Hold-time is 15
Split-horizon is enabled
Next xmit serial <none>
Un/reliable mcasts: 0/4 Un/reliable ucasts: 6/8
Mcast exceptions: 0 CR packets: 0 ACKs suppressed: 0
Retransmissions sent: 5 Out-of-sequence rcvd: 1
Topology-ids on interface – 0
Authentication mode is md5, key-chain is “ROLLOVER”
Router3# sh ip eigrp interfaces detail f0/1
EIGRP-IPv4 Interfaces for AS(1)
Xmit Queue Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable SRTT Un/Reliable Flow Timer Routes
Fa0/1 1 0/0 1 0/1 50 0
Hello-interval is 5, Hold-time is 15
Split-horizon is enabled
Next xmit serial <none>
Un/reliable mcasts: 0/5 Un/reliable ucasts: 5/1
Mcast exceptions: 0 CR packets: 0 ACKs suppressed: 0
Retransmissions sent: 0 Out-of-sequence rcvd: 1
Topology-ids on interface – 0
Authentication mode is md5, key-chain is “MD5CHAIN”
Router3#sh key chain
Key-chain MD5CHAIN:
key 1 — text “MD5STRING”
accept lifetime (always valid) – (always valid) [valid now]
send lifetime (always valid) – (always valid) [valid now]
Key-chain ROLLOVER:
key 1 — text “KEY1”
accept lifetime (00:00:00 UTC Jan 1 2013) – (01:00:00 UTC Jan 1 2014) [valid now]
send lifetime (00:00:00 UTC Jan 1 2013) – (00:00:00 UTC Jan 1 2014) [valid now]
* key 2 — text “(unset)”
accept lifetime (23:00:00 UTC Dec 31 2013) – (01:00:00 UTC Jan 1 2015)
send lifetime (00:00:00 UTC Jan 1 2014) – (00:00:00 UTC Jan 1 2015)
Router3#
##### Theory #####
EIGRP authentication is a key-chain based. EIGRP only supports MD5, not clear-text. This example shows single authentication key between R1 and R3, and automatic key rotation between R2 and R3.
The potential problem with accept and send configuration is that if the routers’ time is not NTP synchronized, key rollover could happen at different time intervals, which could potentially cause a loss of the EIGRP adjacency. To prevent this, configure multiple authentication keys that accept lifetimes overlap.
###########################################################################################################
R1 – OSPF 0 – R3 – OSPF 1 -R2
R2:
#interface FastEthernet0/0
Router2(config-if)#ip ospf authentication message-digest
Router2(config-if)#ip ospf message-digest-key 1 md5 MD5MD5
Router2(config-if)#ip ospf 1 area 1
R1:
interface FastEthernet0/0
Router1(config-if)#ip ospf authentication
Router1(config-if)#ip ospf authentication-key CLEARTXT
Router1(config-if)#ip ospf 1 area 0
R3:
#router ospf 1
log-adjacency-changes
#area 0 authentication
#area 1 authentication message-digest
interface Vlan11
Router3(config-if)#ip ospf authentication null !– This will prevent vlan 11 int for ospf authentication
interface FastEthernet0/0
Router3(config-if)#ip ospf message-digest-key 1 md5 MD5MD5
Router3(config-if)#ip ospf 1 area 1
interface FastEthernet0/1
Router3(config-if)#ip ospf authentication-key CLEARTXT
Router3(config-if)#ip ospf 1 area 0
Router1#sh ip ospf int f0/0
FastEthernet0/0 is up, line protocol is up
Internet Address 136.1.13.1/24, Area 0
Process ID 1, Router ID 150.1.1.1, Network Type BROADCAST, Cost: 1
Topology-MTID Cost Disabled Shutdown Topology Name
0 1 no no Base
Enabled by interface config, including secondary ip addresses
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 150.1.1.1, Interface address 136.1.13.1
Backup Designated router (ID) 1.1.1.1, Interface address 136.1.13.3
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:05
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 2, maximum is 4
Last flood scan time is 0 msec, maximum is 4 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 1.1.1.1 (Backup Designated Router)
Suppress hello for 0 neighbor(s)
Simple password authentication enabled
Router3#sh ip ospf int f0/1
FastEthernet0/1 is up, line protocol is up
Internet Address 136.1.13.3/24, Area 0
Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 1
Enabled by interface config, including secondary ip addresses
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 150.1.1.1, Interface address 136.1.13.1
Backup Designated router (ID) 1.1.1.1, Interface address 136.1.13.3
Flush timer for old DR LSA due in 00:00:25
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:00
Supports Link-local Signaling (LLS)
Index 1/4, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 150.1.1.1 (Designated Router)
Suppress hello for 0 neighbor(s)
Simple password authentication enabled
Router3#
Router3#sh ip ospf int f0/0
FastEthernet0/0 is up, line protocol is up
Internet Address 136.1.23.3/24, Area 1
Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 1
Enabled by interface config, including secondary ip addresses
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 150.1.2.2, Interface address 136.1.23.2
Backup Designated router (ID) 1.1.1.1, Interface address 136.1.23.3
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:08
Supports Link-local Signaling (LLS)
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 150.1.2.2 (Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1
Router3#
Router2#sh ip ospf int f0/0
FastEthernet0/0 is up, line protocol is up
Internet Address 136.1.23.2/24, Area 1
Process ID 1, Router ID 150.1.2.2, Network Type BROADCAST, Cost: 1
Topology-MTID Cost Disabled Shutdown Topology Name
0 1 no no Base
Enabled by interface config, including secondary ip addresses
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 150.1.2.2, Interface address 136.1.23.2
Backup Designated router (ID) 1.1.1.1, Interface address 136.1.23.3
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:08
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 2
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 1.1.1.1 (Backup Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1
Router2#
! – Failures in OSPF authentication can be verified as a failure to establish adjacency. The below debug shows a mismatch in authentication type, where R3 has MD5 authentication configured to R1, while R1 has clear-text authentication configured to R3. At the OSPF packet level, type 0 authentication means NULL – or no authentication, type 1 is clear-text, and type 2 is MD5.
Router1#
OSPF: Rcv pkt from 136.1.13.3, FastEthernet0/0 : Mismatch Authentication Key – Clear Text
OSPF: 1.1.1.1 address 136.1.13.3 on FastEthernet0/0 is dead
OSPF: 1.1.1.1 address 136.1.13.3 on FastEthernet0/0 is dead, state DOWN
%OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired
OSPF: Neighbor change Event on interface FastEthernet0/0
OSPF: DR/BDR election on FastEthernet0/0
OSPF: Elect BDR 0.0.0.0
OSPF: Elect DR 150.1.1.1
DR: 150.1.1.1 (Id) BDR: none
OSPF: Rcv pkt from 136.1.13.3, FastEthernet0/0 : Mismatch Authentication Key – Clear Text
OSPF: Build router LSA for area 0, router ID 150.1.1.1, seq 0x80000005, process 1
OSPF: No full nbrs to build NetLSA for interface FastEthernet0/0
OSPF: Build network LSA for FastEthernet0/0, router ID 150.1.1.1
!- A mismatch in the password between two neighbours:
OSPF: Rcv pkt from 136.1.13.3, FastEthernet0/0 : Mismatch Authentication type. Input packet specified type 2, we use type 1
OSPF: Rcv pkt from 136.1.13.3, FastEthernet0/0 : Mismatch Authentication type. Input packet specified type 2, we use type 1
! – To verify ospf, use:
Router1#sh ip osp neighbor
Neighbor ID Pri State Dead Time Address Interface
1.1.1.1 1 FULL/BDR 00:00:36 136.1.13.3 FastEthernet0/0
Router1#
Router3#sh ip osp neighbor
Neighbor ID Pri State Dead Time Address Interface
150.1.1.1 1 FULL/DR 00:00:32 136.1.13.1 FastEthernet0/1
150.1.2.2 1 FULL/DR 00:00:39 136.1.23.2 FastEthernet0/0
Router2#sh ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
1.1.1.1 1 FULL/BDR 00:00:38 136.1.23.3 FastEthernet0/0
Router2#
!- If authentication has been enabled at the global level can be determined by using command show ip ospf:
Router3#sh ip ospf | se area
Supports area transit capability
It is an area border router
Number of areas in this router is 2. 2 normal 0 stub 0 nssa
Number of areas transit capable is 0
Number of interfaces in this area is 1
Number of interfaces in this area is 3 (1 loopback)
Router3#
##### Theory #####
On R1 and R2 ospf authentication is configured at interface level; in R3 ospf authentication is configured globally and interfaces are added into corresponding ospf areas. When OSPF authentication is enabled under the global process, it applies to all interfaces in that area. This means that all interfaces in area 0 run clear-text authentication, and all interfaces in area 1 run MD5 authentication. When OSPF authentication is enabled at the interface level, it overrides the configuration of the global process, but only for that particular interface. The authentication key, however, is always configured at the interface level.
########################################################################################
!- I suggest capturing only with an access list applied to limit the size of the capture buffer as well as to limit the amount of stuff you will have to wade through when reviewing the capture. You define an access list on the Cisco ASA and then you assign it to an interface so that it will capture the offending traffic for review
#access-list p extended permit ip any host 172.16.1.1
#access-list p extended permit ip host 172.16.1.1 any
#cap p-cap access-list p interface inside
!-show the running capture and its output to the CLI of the device:
#sh capture p-cap
#http://<ASAIPaddress>/admin/capture/<capturename>
This works well for quick viewing but what about a more detailed analysis with something like Wireshark? Browse to:
#http://<ASA IP Address>/admin/capture/<capturename>/PCAP
This will prompt you to save or open a file. Save with the “.pcap” extension and open with Wireshark. When you are done capturing you can (and should!) stop the capture with the negated “no” command:
#no capture <capturename>
Be sure to check out the help with this command with the “?” command. There are plenty of fine tuning options to accommodate your capturing needs.
# capture TEST ?
access-list Capture packets that match access-list
buffer Configure size of capture buffer, default is 512 KB
circular-buffer Overwrite buffer from beginning when full, default is non-circular
ethernet-type Capture Ethernet packets of a particular type, default is IP
headers-only Capture only L2, L3 and L4 headers of packet without data in them
interface Capture packets on a specific interface
match Capture packets matching five-tuple
packet-length Configure maximum length to save from each packet, default
is 1518 bytes
real-time Display captured packets in real-time. Warning: using this option with a slow console connection may result in an excessive amount of non-displayed packets due to performance limitations.
trace Trace the captured packets
type Capture packets based on a particular type
########################################################################
CCIE Security Blog 