This document summarizes the Cisco OSPF Command and Configuration Handbook, which provides documentation and examples for every OSPF command that can be implemented on Cisco routers. The book is intended to help networking professionals learn each OSPF command without requiring an extensive lab configuration. It covers topics such as OSPF process configuration, area commands, default route generation, route redistribution, interface configuration, and show and debug commands. The book is part of the CCIE Professional Development series to help prepare for CCIE exams.
Cisco® OSPF Command and Configuration Handbook (CCIE Professional Development)
By William R. Parkhurst Ph.D.
Publisher: Cisco Press
Pub Date: April 19, 2002
ISBN: 1-58705-071-4
Pages: 528
Slots: 2
As one of the most predominantly deployed Interior Gateway Protocols, Open Shortest Path First (OSPF) demands a wealth of knowledge on
the part of internetworking professionals working with it on a daily basis. Unfortunately, publicly available documentation on the OSPF
command set varies from being too thin on coverage to being too demanding on the required equipment needed to test what the
documentation covers.
Cisco OSPF Command and Configuration Handbook is a clear, concise, and complete source of documentation for all Cisco IOS® Software
OSPF commands. The way you use this book will depend on your objectives. If you are preparing for the CCIE written and lab exams, then
this book can be used as a laboratory guide to learn the purpose and proper use of every OSPF command. If you are a network designer,
then this book can be used as a ready reference for any OSPF command.
Cisco OSPF Command and Configuration Handbook provides example scenarios that demonstrate the proper use of every OSPF command
that can be implemented on a minimum number of routers. This will enable you to learn each command without requiring an extensive and
expensive lab configuration. The scenarios clearly present the purpose and use of each command. Some of the examples lead you into
common non-working situations in order to reinforce the understanding of the operation of the particular OSPF command.
This book is part of the Cisco CCIE Professional Development Series, which offers expert-level instruction on network design, deployment,
and support methodologies to help networking professionals manage complex networks and prepare for CCIE exams.
Copyright
About the Author
About the Technical Reviewers
Acknowledgments
Introduction
Recommended Reading
Icons Used in This Book
Command Syntax Conventions
Chapter 1. OSPF Process Configuration Commands
Section 1-1. router ospf process-id
Section 1-2. router ospf process-id vrf name
Chapter 2. OSPF Area Commands
Section 2-1. area area-id authentication
Section 2-2. area area-id authentication message-digest
Section 2-3. area area-id default-cost cost
Section 2-4. area area-id nssa
Section 2-5. area area-id nssa default-information-originate
Section 2-6. area area-id nssa no-redistribution
Section 2-7. area area-id nssa no-summary
Section 2-8. area area-id range ip-address mask
Section 2-9. area area-id range ip-address mask advertise
Section 2-10. area area-id range ip-address mask not-advertise
Section 2-11. area area-id stub
Section 2-12. area area-id stub no-summary
Section 2-13. area transit-area-id virtual-link router-id
Section 2-14. area transit-area-id virtual-link router-id authentication authentication-key password
Section 2-15. area transit-area-id virtual-link router-id authentication message-digest
Section 2-16. area transit-area-id virtual-link router-id authentication null
Section 2-17. area transit-area-id virtual-link router-id authentication-key password
Section 2-18. area transit-area-id virtual-link router-id dead-interval seconds
Section 2-19. area transit-area-id virtual-link router-id hello-interval seconds
Section 2-20. area transit-area-id virtual-link router-id message-digest-key key-id md5 password
Section 2-21. area transit-area-id virtual-link router-id retransmit-interval seconds
Section 2-22. area transit-area-id virtual-link router-id transmit-delay seconds
Chapter 3. Auto Cost
Section 3-1. auto-cost reference-bandwidth bandwidth
Troubleshooting
Chapter 4. Default Route Generation
Section 4-1. default-information originate
Section 4-2. default-information originate always
Section 4-3. default-information originate metric cost
Section 4-4. default-information originate always metric cost
Section 4-5. default-information originate metric-type type
Section 4-6. default-information originate always metric-type type
Section 4-7. default-information originate route-map route-map-name
Chapter 5. Setting the Default Metric for Redistributed Protocols
Section 5-1. default-metric cost
Chapter 6. Administrative Distance
Section 6-1. distance administrative-distance
Section 6-2. distance administrative-distance source-ip-address source-ip-mask
Section 6-3. distance administrative-distance source-ip-address source-ip-mask access-list-number
Section 6-4. distance ospf external administrative-distance
Section 6-5. distance ospf inter-area administrative-distance
Section 6-6. distance ospf intra-area administrative-distance
Chapter 7. Filtering Routes with Distribute Lists
Section 7-1. distribute-list access-list-number in
Section 7-2. distribute-list access-list-number in interface-type interface-number
Section 7-3. distribute-list access-list-number out
Section 7-4. distribute-list access-list-number out interface-type interface-number
Section 7-5. distribute-list access-list-number out routing-process
Section 7-6. distribute-list access-list-name in
Section 7-7. distribute-list access-list-name in interface-type interface-number
Section 7-8. distribute-list access-list-name out
Section 7-9. distribute-list access-list-name out interface-type interface-number
Section 7-10. distribute-list access-list-name out routing-process
Section 7-11. distribute-list prefix prefix-list-name in
Section 7-12. distribute-list prefix prefix-list-name in interface-type interface-number
Section 7-13. distribute-list prefix prefix-list-name out
Section 7-14. distribute-list prefix prefix-list-name out interface-type interface-number
Section 7-15. distribute-list prefix prefix-list-name out routing-process
Chapter 8. Handling of MOSPF LSAs
Section 8-1. ignore lsa mospf
Chapter 9. Logging OSPF Neighbor Changes
Section 9-1. log-adjacency-changes
Section 9-2. log-adjacency-changes detail
Chapter 10. Multiple Path Configuration
Section 10-1. maximum-paths number-of-paths
Chapter 11. OSPF neighbor Commands
Section 11-1. neighbor ip-address
Section 11-2. neighbor ip-address cost cost
Section 11-3. neighbor ip-address database-filter all out
Section 11-4. neighbor ip-address poll-interval interval
Section 11-5. neighbor ip-address priority priority
Chapter 12. OSPF network Command
Section 12-1. network ip-address wild-card-mask area area-id
Chapter 13. Passive OSPF Interfaces
Section 13-1. passive-interface interface-name interface-number
Section 13-2. passive-interface default
Chapter 14. Route Redistribution
Section 14-1. redistribute routing-process process-id
Section 14-2. redistribute routing-process process-id metric ospf-metric
Section 14-3. redistribute routing-process process-id metric-type metric-type
Section 14-4. redistribute routing-process process-id subnets
Section 14-5. redistribute routing-process process-id tag tag-value
Section 14-6. redistribute routing-process process-id route-map route-map-name
Chapter 15. Controlling the OSPF Router ID
Section 15-1. router-id ip-address
Chapter 16. Summarizing External Routes
Section 16-1. summary-address ip-address mask
Section 16-2. summary-address ip-address mask not-advertise
Section 16-3. summary-address ip-address mask tag value
Chapter 17. OSPF Timers
Section 17-1. timers lsa-group-pacing seconds
Section 17-2. timers spf delay interval
Chapter 18. Traffic Sharing
Section 18-1. traffic-share min across-interfaces
Chapter 19. Interface Configuration Commands
Section 19-1. ip ospf authentication
Section 19-2. ip ospf authentication authentication-key password
Section 19-3. ip ospf authentication message-digest
Section 19-4. ip ospf authentication null
Section 19-5. ip ospf cost cost
Section 19-6. ip ospf database-filter all out
Section 19-7. ip ospf dead-interval seconds
Section 19-8. ip ospf demand-circuit
Section 19-9. ip ospf flood-reduction
Section 19-10. ip ospf hello-interval seconds
Section 19-11. ip ospf message-digest-key key-id md5 password
Section 19-12. ip ospf mtu-ignore
Section 19-13. ip ospf network broadcast
Section 19-14. ip ospf network non-broadcast
Section 19-15. ip ospf network point-to-multipoint
Section 19-16. ip ospf network point-to-multipoint non-broadcast
Section 19-17. ip ospf network point-to-point
Section 19-18. ip ospf priority priority
Section 19-19. ip ospf retransmit-interval seconds
Section 19-20. ip ospf transmit-delay seconds
Chapter 20. show Commands
Section 20-1. show ip ospf
Section 20-2. show ip ospf process-id
Section 20-3. show ip ospf border-routers
Section 20-4. show ip ospf process-id border-routers
Section 20-5. show ip ospf database
Section 20-6. show ip ospf process-id database
Section 20-7. show ip ospf database adv-router router-id
Section 20-8. show ip ospf process-id database adv-router router-id
Section 20-9. show ip ospf database asbr-summary
Section 20-10. show ip ospf process-id database asbr-summary
Section 20-11. show ip ospf database asbr-summary asbr-id
Section 20-12. show ip ospf process-id database asbr-summary asbr-id
Section 20-13. show ip ospf database database-summary
Section 20-14. show ip ospf process-id database database-summary
Section 20-15. show ip ospf database external
Section 20-16. show ip ospf process-id database external
Section 20-17. show ip ospf database network
Section 20-18. show ip ospf process-id database network
Section 20-19. show ip ospf database nssa-external
Section 20-20. show ip ospf process-id database nssa-external
Section 20-21. show ip ospf database router
Section 20-22. show ip ospf process-id database router
Section 20-23. show ip ospf database self-originate
Section 20-24. show ip ospf process-id database self-originate
Section 20-25. show ip ospf database summary
Section 20-26. show ip ospf process-id database summary
Section 20-27. show ip ospf flood-list
Section 20-28. show ip ospf process-id flood-list
Section 20-29. show ip ospf flood-list int-name int-number
Section 20-30. show ip ospf process-id flood-list int-name int-number
Section 20-31. show ip ospf interface
Section 20-32. show ip ospf process-id interface
Section 20-33. show ip ospf interface int-name int-number
Section 20-34. show ip ospf process-id interface int-name int-number
Section 20-35. show ip ospf neighbor
Section 20-36. show ip ospf process-id neighbor
Section 20-37. show ip ospf neighbor neighbor-id
Section 20-38. show ip ospf process-id neighbor neighbor-id
Section 20-39. show ip ospf neighbor int-name int-number
Section 20-40. show ip ospf process-id neighbor int-name int-number
Section 20-41. show ip ospf neighbor detail
Section 20-42. show ip ospf process-id neighbor detail
Section 20-43. show ip ospf neighbor detail neighbor-id
Section 20-44. show ip ospf process-id neighbor detail neighbor-id
Section 20-45. show ip ospf neighbor int-name int-number
Section 20-46. show ip ospf process-id neighbor int-name int-number
Section 20-47. show ip ospf request-list
Section 20-48. show ip ospf process-id request-list
Section 20-49. show ip ospf request-list neighbor-id
Section 20-50. show ip ospf process-id request-list neighbor-id
Section 20-51. show ip ospf request-list int-name int-number
Section 20-52. show ip ospf process-id request-list int-name int-number
Section 20-53. show ip ospf retransmission-list
Section 20-54. show ip ospf process-id retransmission-list
Section 20-55. show ip ospf retransmission neighbor-id
Section 20-56. show ip ospf process-id retransmission neighbor-id
Section 20-57. show ip ospf retransmission int-name int-number
Section 20-58. show ip ospf process-id retransmission int-name int-number
Section 20-59. show ip ospf summary-address
Section 20-60. show ip ospf process-id summary-address
Section 20-61. show ip ospf virtual-links
Section 20-62. show ip ospf process-id virtual-links
Chapter 21. debug Commands
Section 21-1. debug ip ospf adj
Section 21-2. debug ip ospf events
Section 21-3. debug ip ospf flood
Section 21-4. debug ip ospf flood ip-access-list-number
Section 21-5. debug ip ospf lsa-generation
Section 21-6. debug ip ospf lsa-generation ip-access-list-number
Section 21-7. debug ip ospf packet
Section 21-8. debug ip ospf retransmission
Section 21-9. debug ip ospf spf
Section 21-10. debug ip ospf spf external
Section 21-11. debug ip ospf spf external access-list-number
Section 21-12. debug ip ospf spf inter
Section 21-13. debug ip ospf spf inter access-list-number
Section 21-14. debug ip ospf spf intra
Section 21-15. debug ip ospf spf intra access-list-number
Chapter 22. clear Commands
Section 22-1. clear ip ospf counters
Section 22-2. clear ip ospf process-id counters
Section 22-3. clear ip ospf process-id counters neighbor
Section 22-4. clear ip ospf process-id counters neighbor int-name int-number
Section 22-5. clear ip ospf process
Section 22-6. clear ip ospf process-id process
Section 22-7. clear ip ospf redistribution
Section 22-8. clear ip ospf process-id redistribution
Index
book, or otherwise alter it to better suit your needs, you can contact us through e-mail at feedback@ciscopress.com. Please make sure to
include the book title and ISBN in your message.
We greatly appreciate your assistance.
Credits
Publisher
John Wait
Editor-In-Chief
John Kane
Cisco Systems Program Manager
Michael Hackert
Managing Editor
Patrick Kanouse
Development Editor
Christopher Cleveland
Project Editor
Marc Fowler
Copy Editor
Doug Lloyd
Technical Editors
Mike Bass
Brian Morgan
Bill Wagner
Robert White
Team Coordinator
Tammi Ross
Book Designer
Gina Rexrode
Cover Designer
Louisa Klucznik
Production Team
Argosy
Indexer
Tim Wright
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
European Headquarters
Cisco Systems Europe
11 Rue Camille Desmoulins
92782 Issy-les-Moulineaux Cedex 9
France
http://www-europe.cisco.com
Tel: 33 1 58 04 60 00
Fax: 33 1 58 04 61 00
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-7660
Fax: 408 527-0883
Asia Pacific Headquarters
About the Author
William R. Parkhurst, Ph.D., CCIE #2969, is a program manager with the CCIE group at Cisco Systems. Bill is responsible for the CCIE
Communications and Services exams. Prior to joining the CCIE team, Bill was a Consulting Systems Engineer supporting Sprint. Bill first
became associated with Cisco Systems while he was a Professor of Electrical and Computer Engineering at Wichita State University (WSU).
In conjunction with Cisco Systems, WSU established the first CCIE Preparation Laboratory.
About the Technical Reviewers
Mike Bass has worked for 22 years in computer networking, the last 17 years at Sprint. Mike's networking experience began with
mini-computer and mainframe networks and now consists of planning and design for distributed and peer-to-peer systems supporting voice,
video, and data services. Mike is currently responsible for the introduction of new networking technologies to support Sprint internal
associates.
Brian Morgan, CCIE #4865, CCSI, is the Director of Data Network Engineering at Allegiance Telecom, Inc. He's been in the networking
industry for over 12 years. Prior to going to Allegiance, Brian was an instructor/consultant teaching ICND, BSCN, BSCI, CATM, CVOICE, and
BCRAN. Brian is a co-author of the Cisco Press Remote Access Exam Certification Guide and technical editor of numerous other Cisco Press
titles.
Bill Wagner works as a Cisco Certified System Instructor for Mentor Technologies. He has 23 years of computer programming and data
communications experience. He has worked for corporations and companies such as Independent Computer Consultants, Numerax,
McGraw-Hill/Numerax, and Standard and Poor. His teaching experience started with the Chubb Institute, Protocol Interface Inc, Geotrain, and Mentor
Technologies. He is currently teaching at Skyline Computers Corporation.
Robert L. White is an IP Network Design Engineer with Sprint's Long Distance Division internal data network. Robert's design expertise
focuses on routing protocols, external gateway connectivity, and IP address administration on a large multi-protocol network.
Acknowledgments
I would like to acknowledge the superb effort of all those involved with the development of this handbook. The reviewers of this book, Mike
Bass, Brian Morgan, Bill Wagner, and Robert White, not only found the errors in the book but also contributed suggestions on how to improve
the content and clarity of this handbook. Their efforts are greatly appreciated. I would also like to thank John Kane and Chris Cleveland of
Cisco Press for their guidance and help in bringing this project to a successful completion. Finally, I want to thank my wife, Debbie, for her
encouragement and support during the many evenings and weekends while I was spending more time with routers than with her. She was
also the initial reviewer of this book and found misspellings, grammatical errors, and things that just didn't make sense. Once again she made
me look good in the eyes of my editor.
Introduction
I have been involved with the world of networking from many directions. My experiences in education, network consulting, service provider
support, and certification have shown me that there is a common thread that frustrates people in all of these arenas. That common thread is
documentation. There are many factors that cause documentation to be frustrating but the most common are amount, clarity, and
completeness. The amount of documentation available, especially in regards to OSPF, can be overwhelming. For a person who is beginning
to learn OSPF, the question is, "Where do I begin?" There are very good books, RFCs, white papers, and command references available, but
it is difficult to know where to start. The clarity of documentation depends on your personal situation. For a seasoned OSPF designer, the
documentation may be clear and concise. To an individual preparing for a professional certification such as the CCIE, the same
documentation may be confusing. Even if the documentation is clear it is sometimes not complete. You may understand the words but be
confused by the application. The purpose of this book is to provide an OSPF handbook that is clear, concise, and complete. This book is not
meant to be read from cover to cover. The way you use this book will depend on your objectives. If you are preparing for the CCIE written and
lab exams, this book can be used as a laboratory guide to learn the purpose and proper use of every OSPF command. If you are a network
designer then this book can be used as a ready reference for any OSPF command. In order to satisfy these varying audiences the structure
of this book is reasonably simple. Each OSPF command is illustrated using the following structure:
Listing of the command structure and syntax
Syntax description for the command with an explanation of all command parameters
The purpose of the command and the situation where the command is used
The first release of the IOS in which the command appeared
One or more configuration examples to demonstrate the proper use of the command
Procedures and examples to verify that the command is working properly
How to troubleshoot the command when things are not working as intended
The example scenarios that demonstrate the proper use of the OSPF commands can be implemented on a minimum number of routers. This
will allow you to learn each command without requiring an extensive and expensive lab configuration. The scenarios are presented so that the
purpose and use of each command can be presented without clouding the issue. Some of the examples lead you into common non-working
situations in order to reinforce the understanding of the operation of the particular OSPF command.
My hope is that this handbook will help you prepare for the CCIE exam, allow you to properly use OSPF in your network, or both.
Recommended Reading
This book assumes that you have a working knowledge of OSPF theory of operation and OSPF terminology. The following references can be
used to supplement your knowledge of OSPF.
OSPF Network Design Solutions, Thomas M. Thomas II, Cisco Press (second edition will be released December 2002)
Routing TCP/IP Volume 1, Jeff Doyle, Cisco Press
Icons Used in This Book
Command Syntax Conventions
The conventions used to present command syntax in this book are the same conventions used in the Cisco IOS Software Command
Reference. The Command Reference describes these conventions as follows:
Vertical bars (|) separate alternative, mutually exclusive elements.
Square brackets [ ] indicate optional elements.
Braces { } indicate a required choice.
Braces within brackets [{ }] indicate a required choice within an optional element.
Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not
general command syntax), boldface indicates commands that are manually input by the user (such as a show command).
Italics indicate arguments for which you supply actual values.
Chapter 1. OSPF Process Configuration Commands
Section 1-1. router ospf process-id
Section 1-2. router ospf process-id vrf name
1-1 router ospf process-id
Syntax Description:
process-id— The OSPF process ID. The range of values is 1 to 65535.
Purpose: Used to enable one or more OSPF processes on a router. The process ID is only significant on the local router. Use the no form of
the command to remove an OSPF process.
Initial IOS Software Release: 10.0
Configuration Example: Enabling an OSPF Process
Before you enable an OSPF process, there must be at least one active interface with an assigned IP address. OSPF uses the highest IP
address assigned to an active interface as the OSPF Router ID. If loopback interfaces have been configured, then OSPF will use the highest
loopback address as the Router ID even if the highest loopback IP address is smaller than the IP address of any active physical interface.
Using a loopback interface on an OSPF router is recommended because a loopback interface is never down. A loopback interface will
produce a stable OSPF router ID. The network in Figure 1-1 demonstrates that the OSPF Router ID (RID) is the highest IP address assigned
to an active physical interface. If a loopback interface is used, then OSPF will use the loopback IP address as the OSPF RID.
Figure 1-1. OSPF Router ID Selection
Start by removing all IP addresses and loopback interfaces from Router B. Now, attempt to configure an OSPF process on Router B.
rtrB#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
rtrB(config)#router ospf 1
OSPF: Could not allocate router id
OSPF cannot be enabled on Router B because OSPF needs a RID and there are no IP addresses assigned on Router B. Configure the serial
interfaces on Routers A and B and then configure an OSPF process on Router B.
Router A
interface Serial0/1
bandwidth 64
ip address 10.1.1.1 255.255.255.252
clockrate 64000
_______________________________________________________________________
Router B
interface Serial0
ip address 10.1.1.2 255.255.255.252
bandwidth 64
router ospf 1
The configuration of the OSPF process on Router B was successful. Examine the OSPF RID on Router B using the show ip ospf command.
rtrB#show ip ospf
Routing Process "ospf 1" with ID 10.1.1.2
Supports only single TOS(TOS0) routes
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Number of DCbitless external LSA 0
Number of DoNotAge external LSA 0
Number of areas in this router is 0. 0 normal 0 stub 0 nssa
The only active interface on Router B is Serial0, so OSPF will use the IP address assigned to Serial0 for the router ID. Add a loopback
interface to Router B and then re-examine the OSPF RID on Router B.
Router B
interface Loopback0
ip address 2.2.2.2 255.255.255.255
rtrB#show ip ospf
Routing Process "ospf 1" with ID 10.1.1.2
Supports only single TOS(TOS0) routes
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Number of DCbitless external LSA 0
Number of DoNotAge external LSA 0
Number of areas in this router is 0. 0 normal 0 stub 0 nssa
The OSPF RID has not changed. This is a stability feature of OSPF. The router ID will not change unless the OSPF process is restarted or if
the interface used for the RID goes down. Shut down the serial interface on Router B, re-enable the serial interface on Router B, and examine
the effect on the OSPF RID.
Verification
Verify that the OSPF RID on Router B is equal to the IP address assigned to the loopback interface.
rtrB#show ip ospf
Routing Process "ospf 1" with ID 2.2.2.2
Supports only single TOS(TOS0) routes
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Number of DCbitless external LSA 0
Number of DoNotAge external LSA 0
Number of areas in this router is 0. 0 normal 0 stub 0 nssa
Troubleshooting
Verify that a loopback interface has been configured and an IP address assigned before configuring OSPF. A loopback interface is not
mandatory, but it will add stability to your OSPF network.
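The Router ID behaviour walked through in this section, replayed as a simplified Python model. This is an added illustration, not code from the book or from Cisco IOS; the class and method names are hypothetical, and keeping the old RID when no other address is usable is an assumption.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional


class RouterIdError(Exception):
    """No usable address: the page shows 'OSPF: Could not allocate router id'."""


@dataclass
class Interface:
    name: str
    address: str
    up: bool = True

    @property
    def is_loopback(self) -> bool:
        return self.name.lower().startswith("loopback")


@dataclass
class Router:
    """Simplified model of the RID behaviour described in Section 1-1."""
    interfaces: Dict[str, Interface] = field(default_factory=dict)
    rid: Optional[str] = None          # None until an OSPF process starts
    rid_source: Optional[str] = None   # interface the RID was taken from

    def _select(self) -> Interface:
        active = [i for i in self.interfaces.values() if i.up]
        if not active:
            raise RouterIdError("OSPF: Could not allocate router id")
        # Loopbacks win even when their address is numerically lower.
        pool = [i for i in active if i.is_loopback] or active
        # Compare as 32-bit integers; a string compare would rank 9.x above 10.x.
        return max(pool, key=lambda i: int(ipaddress.IPv4Address(i.address)))

    def add_interface(self, name: str, address: str) -> None:
        # Adding an address never changes a RID that is already in use.
        self.interfaces[name] = Interface(name, address)

    def start_ospf(self) -> str:
        chosen = self._select()
        self.rid, self.rid_source = chosen.address, chosen.name
        return self.rid

    def shutdown(self, name: str) -> None:
        self.interfaces[name].up = False
        if self.rid is not None and name == self.rid_source:
            try:
                chosen = self._select()
            except RouterIdError:
                return  # assumption: keep the old RID if nothing else is usable
            self.rid, self.rid_source = chosen.address, chosen.name

    def no_shutdown(self, name: str) -> None:
        # Re-enabling an interface does not trigger a new selection.
        self.interfaces[name].up = True


def walkthrough() -> list:
    """Replay the Router B steps from the page and record the RID after each."""
    rtr_b, seen = Router(), []
    try:
        rtr_b.start_ospf()              # no addresses configured yet
    except RouterIdError as exc:
        seen.append(str(exc))
    rtr_b.add_interface("Serial0", "10.1.1.2")
    seen.append(rtr_b.start_ospf())     # only Serial0 is available
    rtr_b.add_interface("Loopback0", "2.2.2.2")
    seen.append(rtr_b.rid)              # unchanged: RID is sticky
    rtr_b.shutdown("Serial0")           # RID interface goes down
    rtr_b.no_shutdown("Serial0")
    seen.append(rtr_b.rid)              # now taken from Loopback0
    return seen


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```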
1-2 router ospf process-id vrf name
Syntax Description:
process-id— The OSPF process ID. The range of values is 1 to 65535.
name— VPN Routing/Forwarding Instance (VRF) name. Routes learned by the OSPF process will be placed in the VRF instead
of the global IP routing table.
Purpose: In a Multiprotocol Label Switching (MPLS) virtual private network (VPN) environment, this form of the OSPF router command is
used to transfer VPN customer routes between the service provider and the VPN customer. In an MPLS/VPN environment, there are three
types of routers, as shown in Figure 1-2:
Provider (P) routers
Customer edge (CE) routers
Provider edge (PE) routers
Figure 1-2. General MPLS/VPN Architecture
P routers are routers in the service provider network that have no connections to CE routers. PE routers are the interface routers between the
customer and the service provider. Tag or label switching and an interior gateway protocol (IGP), such as OSPF, are run between P and PE
routers to exchange internal service provider routes. These routes are installed in the global IP routing table on the P and PE routers. The PE
routers have additional IP routing tables, one for each attached VPN customer. These routing tables are called VRF instances. When OSPF
is configured using the vrf option, routes learned from the CE will be placed into the appropriate VRF on the PE router. These VPN routes will
be exchanged between PE routers via multiprotocol IBGP. For a detailed discussion of MPLS and MPLS VPNs, see the Cisco Press book
MPLS and VPN Architectures by Ivan Pepelnjak and Jim Guichard.
Initial IOS Software Release: 12.0
Chapter 2. OSPF Area Commands
Section 2-1. area area-id authentication
Section 2-2. area area-id authentication message-digest
Section 2-3. area area-id default-cost cost
Section 2-4. area area-id nssa
Section 2-5. area area-id nssa default-information-originate
Section 2-6. area area-id nssa no-redistribution
Section 2-7. area area-id nssa no-summary
Section 2-8. area area-id range ip-address mask
Section 2-9. area area-id range ip-address mask advertise
Section 2-10. area area-id range ip-address mask not-advertise
Section 2-11. area area-id stub
Section 2-12. area area-id stub no-summary
Section 2-13. area transit-area-id virtual-link router-id
Section 2-14. area transit-area-id virtual-link router-id authentication authentication-key password
Section 2-15. area transit-area-id virtual-link router-id authentication message-digest
Section 2-16. area transit-area-id virtual-link router-id authentication null
Section 2-17. area transit-area-id virtual-link router-id authentication-key password
Section 2-18. area transit-area-id virtual-link router-id dead-interval seconds
Section 2-19. area transit-area-id virtual-link router-id hello-interval seconds
Section 2-20. area transit-area-id virtual-link router-id message-digest-key key-id md5 password
Section 2-21. area transit-area-id virtual-link router-id retransmit-interval seconds
Section 2-22. area transit-area-id virtual-link router-id transmit-delay seconds
2-1 area area-id authentication
NOTE
This command requires the following additional commands:
For a physical interface: ip ospf authentication-key password (see Section 19-2)
For a virtual link if authentication is used in area 0: area transit-area virtual-link router-id authentication-key password
(see Section 2-17)
Syntax Description:
area-id— OSPF area ID. This value can be entered as a decimal number in the range of 0 to 4,294,967,295 or in IP address
format in the range 0.0.0.0 to 255.255.255.255. This command will enable simple password authentication in the indicated OSPF
area. By default, authentication is not enabled.
transit-area— The OSPF area across which the virtual link is configured.
password— Clear-text password to be used for authentication in the selected area on the selected interface or virtual link. The
password is an alphanumeric string from 1 to 8 characters.
router-id— OSPF router ID of the router at the remote end of the virtual link.
Purpose: To enable simple clear-text password authentication in an OSPF area. OSPF simple authentication requires the use of the router
configuration command to enable authentication in an area and the interface or virtual-link command for password configuration. Because this
router configuration command enables authentication in an area, you must configure every interface in the area for authentication if using
Cisco IOS Software Release 11.X or earlier. In Cisco IOS Software Release 12.X, the authentication used on an interface can be different
than the authentication enabled for an area. When using Cisco IOS Software Release 12.X, the authentication method used on different
interfaces in the same area does not need to be the same. You can remove authentication from selected interfaces using the interface
command ip ospf authentication null (see Section 19-1). The password does not need to be the same on every interface in the area, but
both ends of a common link must use the same password. Authentication is enabled by area (Cisco IOS Software Release 11.X and earlier),
so it is possible to employ authentication in one area without using authentication in other areas. The clear-text password is not encrypted, so
it will be possible for someone to intercept OSPF protocol packets and compromise the password.
Initial Cisco IOS Software Release: 10.0
Configuration Example: Simple Password Authentication
For the network in Figure 2-1, start by configuring OSPF without authentication in Area 0.
Figure 2-1. Network Used to Demonstrate OSPF Authentication Configuration and
Troubleshooting
Router A
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Serial0/0
ip address 10.1.1.9 255.255.255.252
!
interface Serial0/1
ip address 10.1.1.1 255.255.255.252
clock rate 64000
!
router ospf 1
network 10.1.1.0 0.0.0.15 area 0
_______________________________________________________________________
Router B
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface Serial0
ip address 10.1.1.2 255.255.255.252
!
interface Serial1
ip address 10.1.1.5 255.255.255.252
clock rate 64000
!
router ospf 1
network 10.1.1.0 0.0.0.15 area 0
_______________________________________________________________________
Router C
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Serial0
ip address 10.1.1.6 255.255.255.252
!
interface Serial1
ip address 10.1.1.10 255.255.255.252
clock rate 64000
!
router ospf 1
network 10.1.1.0 0.0.0.15 area 0
Verify the OSPF configuration on Routers A, B, and C by displaying the state of each router's OSPF neighbors.
rtrA#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
3.3.3.3 1 FULL/ - 00:00:38 10.1.1.10 Serial0/0
2.2.2.2 1 FULL/ - 00:00:37 10.1.1.2 Serial0/1
_______________________________________________________________________
rtrB#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
1.1.1.1 1 FULL/ - 00:00:35 10.1.1.1 Serial0
3.3.3.3 1 FULL/ - 00:00:30 10.1.1.6 Serial1
_______________________________________________________________________
rtrC#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 1 FULL/ - 00:00:30 10.1.1.5 Serial0
1.1.1.1 1 FULL/ - 00:00:37 10.1.1.9 Serial1
Verify that OSPF is not using authentication.
rtrA#show ip ospf
Routing Process "ospf 1" with ID 1.1.1.1
Supports only single TOS(TOS0) routes
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
Number of external LSA 0. Checksum Sum 0x0
Number of DCbitless external LSA 0
Number of DoNotAge external LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Area BACKBONE(0)
Number of interfaces in this area is 2
Area has no authentication
SPF algorithm executed 6 times
Area ranges are
Number of LSA 3. Checksum Sum 0x25F8D
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Modify the configurations on Routers A, B, and C by adding simple password authentication to Area 0. For this example, you will use the
clear-text password "cisco".
Router A
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Serial0/0
ip address 10.1.1.9 255.255.255.252
ip ospf authentication-key cisco
!
interface Serial0/1
ip address 10.1.1.1 255.255.255.252
ip ospf authentication-key cisco
clock rate 64000
!
router ospf 1
area 0 authentication
network 10.1.1.0 0.0.0.15 area 0
_______________________________________________________________________
Router B
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface Serial0
ip address 10.1.1.2 255.255.255.252
ip ospf authentication-key cisco
!
interface Serial1
ip address 10.1.1.5 255.255.255.252
ip ospf authentication-key cisco
clock rate 64000
!
router ospf 1
area 0 authentication
network 10.1.1.0 0.0.0.15 area 0
_______________________________________________________________________
Router C
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Serial0
ip address 10.1.1.6 255.255.255.252
ip ospf authentication-key cisco
!
interface Serial1
ip address 10.1.1.10 255.255.255.252
ip ospf authentication-key cisco
clock rate 64000
!
router ospf 1
area 0 authentication
network 10.1.1.0 0.0.0.15 area 0
Verification
Verify that the OSPF neighbor relationships are still active.
rtrA#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
3.3.3.3 1 FULL/ - 00:00:31 10.1.1.10 Serial0/0
2.2.2.2 1 FULL/ - 00:00:30 10.1.1.2 Serial0/1
_______________________________________________________________________
rtrB#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
1.1.1.1 1 FULL/ - 00:00:38 10.1.1.1 Serial0
3.3.3.3 1 FULL/ - 00:00:33 10.1.1.6 Serial1
_______________________________________________________________________
rtrC#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 1 FULL/ - 00:00:33 10.1.1.5 Serial0
1.1.1.1 1 FULL/ - 00:00:30 10.1.1.9 Serial1
Verify that simple authentication is enabled for Area 0.
rtrA#show ip ospf
Routing Process "ospf 1" with ID 1.1.1.1
Supports only single TOS(TOS0) routes
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
Number of external LSA 0. Checksum Sum 0x0
Number of DCbitless external LSA 0
Number of DoNotAge external LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Area BACKBONE(0)
Number of interfaces in this area is 2
Area has simple password authentication
SPF algorithm executed 9 times
Area ranges are
Number of LSA 3. Checksum Sum 0x24F95
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
The password used can be seen by anyone looking at your configuration. For added security, the password in the configuration can be
encrypted using the global configuration command service password-encryption, as shown in the following configuration.
Router A
service password-encryption
Listing the configuration will show that the password has been encrypted. Although the password is encrypted in the configuration, it will still
be sent in clear text by OSPF.
rtrA#show running-config
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname rtrA
!
ip subnet-zero
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
no ip directed-broadcast
!
interface Serial0/0
ip address 10.1.1.9 255.255.255.252
no ip directed-broadcast
ip ospf authentication-key 7 121A0C041104
no ip mroute-cache
!
interface Serial0/1
ip address 10.1.1.1 255.255.255.252
no ip directed-broadcast
ip ospf authentication-key 7 02050D480809
clockrate 64000
Troubleshooting
Step 1. Before enabling authentication in an OSPF area, verify that there is a neighbor relationship among all OSPF routers by
using the show ip ospf neighbor command.
Step 2. Verify that authentication has been enabled for every OSPF router with an interface in the area where authentication is
being deployed.
Step 3. Verify that every interface in an OSPF area that is using authentication is configured with the proper password.
Step 4. If any OSPF neighbor relationships disappear after configuring authentication, then debugging can be used to determine
the problem. For example, change the password on Router A, Interface Serial 0/0, to bosco, as shown here.
Router A
interface Serial0/0
ip address 10.1.1.9 255.255.255.252
ip ospf authentication-key bosco
List the OSPF neighbors for Router A.
rtrA#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 1 FULL/ - 00:00:36 10.1.1.2 Serial0/1
Router A has lost Router C as a neighbor. Enable debugging on Router A to see if the problem can be determined.
rtrA#debug ip ospf events
OSPF events debugging is on
rtrA#
03:41:09: OSPF: Rcv hello from 2.2.2.2 area 0 from Serial0/1 10.1.1.2
03:41:09: OSPF: End of hello processing
03:41:09: OSPF: Rcv pkt from 10.1.1.10, Serial0/0 : Mismatch Authentication Key
- Clear Text
Be careful when configuring passwords. A space is a valid character, so if you use the password cisco<space> then there will be a password
mismatch, but you won't be able to tell by looking at the configuration.
Change the password on Router A, Serial 0/0, back to cisco and remove the OSPF router configuration command area 0 authentication.
Router A
interface Serial0/0
ip address 10.1.1.9 255.255.255.252
ip ospf authentication-key cisco
!
router ospf 1
no area 0 authentication
Router A should drop both OSPF neighbors.
rtrA#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
3.3.3.3 1 INIT/ - 00:00:38 10.1.1.10 Serial0/0
2.2.2.2 1 INIT/ - 00:00:39 10.1.1.2 Serial0/1
Now debug the OSPF traffic on Router B or C to determine the problem.
rtrB#debug ip ospf events
OSPF events debugging is on
rtrB#
03:55:35: OSPF: Rcv pkt from 10.1.1.1, Serial0 : Mismatch Authentication type. I
nput packet specified type 0, we use type 1
03:55:40: OSPF: Rcv hello from 3.3.3.3 area 0 from Serial1 10.1.1.6
03:55:40: OSPF: End of hello processing
Routers B and C are using type 1 authentication (simple password) and Router A is using type 0 authentication (none).
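The receive-side check behind the two debug messages above, as an added example that is not from the book: it parses the 24-byte OSPFv2 header defined in RFC 2328 and shows that with AuType 1 the key travels in the header itself, whatever service password-encryption does to the stored configuration. The packets are constructed header-only samples, and the function names are this example's own.

```python
import ipaddress
import struct

# OSPFv2 header, RFC 2328 A.3.1: version, type, length, router ID, area ID,
# checksum, AuType, 8-byte authentication field (24 bytes in total).
OSPF_HDR = struct.Struct("!BBH4s4sHH8s")


def key_field(password):
    """Simple passwords occupy the 8-byte field, NUL padded on the right."""
    return password.encode("ascii").ljust(8, b"\x00")[:8]


def build_header(router_id, autype, password=""):
    """Constructed sample: header of a Hello in area 0, no body, checksum 0."""
    return OSPF_HDR.pack(2, 1, OSPF_HDR.size,
                         ipaddress.IPv4Address(router_id).packed,
                         bytes(4), 0, autype, key_field(password))


def parse_header(packet):
    """Split the fixed header into the fields the authentication check needs."""
    if len(packet) < OSPF_HDR.size:
        raise ValueError("truncated OSPF header")
    version, _, _, rid, area, _, autype, auth = OSPF_HDR.unpack_from(packet)
    if version != 2:
        raise ValueError("not an OSPFv2 packet")
    return {"router_id": str(ipaddress.IPv4Address(rid)),
            "area": str(ipaddress.IPv4Address(area)),
            "autype": autype, "auth": auth}


def check_received(packet, local_autype, local_password=""):
    """Accept or reject a packet, worded like the debug output in this section."""
    hdr = parse_header(packet)
    if hdr["autype"] != local_autype:
        return ("Mismatch Authentication type. Input packet specified "
                "type %d, we use type %d" % (hdr["autype"], local_autype))
    # The comparison is byte for byte, so "cisco " and "cisco" are different keys.
    if local_autype == 1 and hdr["auth"] != key_field(local_password):
        return "Mismatch Authentication Key - Clear Text"
    return "accepted"


def audit_link(packet):
    """Finding for one captured header: how much protection the link has."""
    hdr = parse_header(packet)
    if hdr["autype"] == 0:
        return "%s: no authentication" % hdr["router_id"]
    if hdr["autype"] == 1:
        key = hdr["auth"].rstrip(b"\x00").decode("ascii", "replace")
        return "%s: simple password %r readable in every packet" % (hdr["router_id"], key)
    return "%s: cryptographic authentication" % hdr["router_id"]
```

The %r formatting in audit_link quotes the key, which makes a trailing space visible where the router configuration does not.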
2-2 area area-id authentication message-digest
NOTE
This command requires the following additional commands:
For a physical interface: ip ospf message-digest-key key-id md5 password (see Section 19-9)
For a virtual link if authentication is used in Area 0: area transit-area virtual-link router-id message-digest-key key-id md5
password (see Section 2-20)
Syntax Description:
area-id— OSPF area ID. This value can be entered as a decimal number in the range of 0 to 4,294,967,295 or in IP address
format in the range 0.0.0.0 to 255.255.255.255. This command will enable simple password authentication in the indicated OSPF
area. By default, authentication is not enabled.
key-id— Key used to encrypt a password. The range of values is 1 to 255. Both ends of a link must use the same key and password.
password— Password to be used for authentication in the selected area on the selected interface or virtual link. The password is
an alphanumeric string from 1 to 8 characters.
transit-area— The OSPF area across which the virtual link is configured.
router-id— OSPF router ID of the router at the remote end of the virtual link.
Purpose: To enable MD5 password authentication in an OSPF area. OSPF MD5 authentication requires the use of the router configuration
command to enable authentication in an area and the interface or virtual link command for key and password configuration. Since this router
configuration command enables authentication in an area, every interface in the area must be configured with an authentication key and
password if using Cisco IOS Software Release 11.X or earlier. In Cisco IOS Software Release 12.X, the authentication used on an interface
can be different from the authentication enabled for an area. When using Cisco IOS Software Release 12.X, the authentication method used
on different interfaces in the same area does not need to be the same. Authentication can be turned off on selected interfaces using the
command ip ospf authentication null (see Section 19-1). The key and password do not need to be the same on every interface, but both
ends of a common link need to use the same key and password. Authentication is enabled by area (Cisco IOS Software Release 11.X and
earlier) so it is possible to employ authentication in one area without using authentication in other areas. The password is encrypted, so it is
extremely difficult for someone to intercept OSPF protocol packets and compromise the password.
Initial Cisco IOS Software Release: 11.0
Configuration Example 1: MD5 Password Authentication
For the network in Figure 2-2, initially configure OSPF without authentication in Area 0.
Figure 2-2. Network Used to Demonstrate OSPF MD5 Authentication Configuration and
Troubleshooting
Router A
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Serial0/0
ip address 10.1.1.9 255.255.255.252
!
interface Serial0/1
ip address 10.1.1.1 255.255.255.252
clock rate 64000
!
router ospf 1
network 10.1.1.0 0.0.0.15 area 0
_______________________________________________________________________
Router B
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface Serial0
ip address 10.1.1.2 255.255.255.252
!
interface Serial1
ip address 10.1.1.5 255.255.255.252
clock rate 64000
!
router ospf 1
network 10.1.1.0 0.0.0.15 area 0
_______________________________________________________________________
Router C
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Serial0
ip address 10.1.1.6 255.255.255.252
!
interface Serial1
ip address 10.1.1.10 255.255.255.252
clock rate 64000
!
router ospf 1
network 10.1.1.0 0.0.0.15 area 0
Verify the OSPF configuration on Routers A, B, and C by displaying the state of each router's OSPF neighbors.
rtrA#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
3.3.3.3 1 FULL/ - 00:00:38 10.1.1.10 Serial0/0
2.2.2.2 1 FULL/ - 00:00:37 10.1.1.2 Serial0/1
_______________________________________________________________________
rtrB#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
1.1.1.1 1 FULL/ - 00:00:35 10.1.1.1 Serial0
3.3.3.3 1 FULL/ - 00:00:30 10.1.1.6 Serial1
_______________________________________________________________________
rtrC#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 1 FULL/ - 00:00:30 10.1.1.5 Serial0
1.1.1.1 1 FULL/ - 00:00:37 10.1.1.9 Serial1
Verify that OSPF is not using authentication.
rtrA#show ip ospf
Routing Process "ospf 1" with ID 1.1.1.1
Supports only single TOS(TOS0) routes
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
Number of external LSA 0. Checksum Sum 0x0
Number of DCbitless external LSA 0
Number of DoNotAge external LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Area BACKBONE(0)
Number of interfaces in this area is 2
Area has no authentication
SPF algorithm executed 6 times
Area ranges are
Number of LSA 3. Checksum Sum 0x25F8D
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Modify the configurations on Routers A, B, and C by adding MD5 password authentication to Area 0. For this example, use the passwords
ciscoab, ciscobc, and ciscoac to demonstrate that multiple passwords can be used in an area.
Router A
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Serial0/0
ip address 10.1.1.9 255.255.255.252
ip ospf message-digest-key 1 md5 ciscoac
!
interface Serial0/1
ip address 10.1.1.1 255.255.255.252
ip ospf message-digest-key 2 md5 ciscoab
clock rate 64000
!
router ospf 1
area 0 authentication message-digest
network 10.1.1.0 0.0.0.15 area 0
_______________________________________________________________________
Router B
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface Serial0
ip address 10.1.1.2 255.255.255.252
ip ospf message-digest-key 2 md5 ciscoab
!
interface Serial1
ip address 10.1.1.5 255.255.255.252
ip ospf message-digest-key 3 md5 ciscobc
clock rate 64000
!
router ospf 1
area 0 authentication message-digest
network 10.1.1.0 0.0.0.15 area 0
_______________________________________________________________________
Router C
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Serial0
ip address 10.1.1.6 255.255.255.252
ip ospf message-digest-key 3 md5 ciscobc
!
interface Serial1
ip address 10.1.1.10 255.255.255.252
ip ospf message-digest-key 1 md5 ciscoac
clock rate 64000
!
router ospf 1
area 0 authentication message-digest
network 10.1.1.0 0.0.0.15 area 0
Verification
Verify that the OSPF neighbor relationships are still active.
rtrA#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
3.3.3.3 1 FULL/ - 00:00:31 10.1.1.10 Serial0/0
2.2.2.2 1 FULL/ - 00:00:30 10.1.1.2 Serial0/1
_______________________________________________________________________
rtrB#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
1.1.1.1 1 FULL/ - 00:00:38 10.1.1.1 Serial0
3.3.3.3 1 FULL/ - 00:00:33 10.1.1.6 Serial1
_______________________________________________________________________
rtrC#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 1 FULL/ - 00:00:33 10.1.1.5 Serial0
1.1.1.1 1 FULL/ - 00:00:30 10.1.1.9 Serial1
Verify that MD5 authentication is enabled for Area 0.
rtrA#show ip ospf
Routing Process "ospf 1" with ID 1.1.1.1
Supports only single TOS(TOS0) routes
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
Number of external LSA 0. Checksum Sum 0x0
Number of DCbitless external LSA 0
Number of DoNotAge external LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Area BACKBONE(0)
Number of interfaces in this area is 2
Area has message digest authentication
SPF algorithm executed 2 times
Area ranges are
Number of LSA 3. Checksum Sum 0x14A19
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
The password used can be seen by anyone looking at your configuration. For added security, the password in the configuration can be
encrypted using the global configuration command service password-encryption, as shown in the following configuration.
Router A
service password-encryption
Listing the configuration will show that the password has been encrypted.
rtrA#show running-config
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname rtrA
!
ip subnet-zero
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
no ip directed-broadcast
!
interface Serial0/0
ip address 10.1.1.9 255.255.255.252
no ip directed-broadcast
ip ospf message-digest-key 1 md5 7 02050D4808090E22
no ip mroute-cache
!
interface Serial0/1
ip address 10.1.1.1 255.255.255.252
no ip directed-broadcast
ip ospf message-digest-key 2 md5 7 045802150C2E4D4C
clockrate 64000
Configuration Example 2: Changing Keys and Passwords
For additional security, you may choose to periodically change the key and password. With clear-text authentication, changing passwords will
cause a loss of OSPF connectivity from the time you change the password on one interface until you change the password at the other end of
the link. With MD5 authentication, you can configure a new key and password on a link while leaving the old key and password in place. The
old key and password will continue to be used until the new key and password are configured on the other end of the link. Modify the key and
password on the link between Routers A and B. Add a new key and password on Router A in order to observe the behavior when the new
key and password have only been configured on one end of the link.
Router A
interface Serial0/1
ip address 10.1.1.1 255.255.255.252
no ip directed-broadcast
ip ospf message-digest-key 2 md5 ciscoab
ip ospf message-digest-key 4 md5 cisconew
clockrate 64000
Verify that the OSPF neighbor relationship between Routers A and B is still active.
rtrA#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
3.3.3.3 1 FULL/ - 00:00:34 10.1.1.10 Serial0/0
2.2.2.2 1 FULL/ - 00:00:35 10.1.1.2 Serial0/1
You can determine if Router A is using both keys when communicating with Router B by viewing the interface properties or by enabling
OSPF debugging.
rtrA#show ip ospf interface s0/1
Serial0/1 is up, line protocol is up
Internet Address 10.1.1.1/30, Area 0
Process ID 1, Router ID 1.1.1.1, Network Type POINT_TO_POINT, Cost: 64
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:08
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 2.2.2.2
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 4
Rollover in progress, 1 neighbor(s) using the old key(s):
key id 2
rtrA#debug ip ospf events
OSPF events debugging is on
rtrA#
01:30:25: OSPF: Rcv hello from 3.3.3.3 area 0 from Serial0/0 10.1.1.10
01:30:25: OSPF: End of hello processing
01:30:26: OSPF: Rcv hello from 2.2.2.2 area 0 from Serial0/1 10.1.1.2
01:30:26: OSPF: End of hello processing
01:30:30: OSPF: Send with youngest Key 1
01:30:30: OSPF: Send with key 2
01:30:30: OSPF: Send with key 4
Notice that both keys are being used for authentication. Configure the new key and password on Router B while leaving the old key and
password in place.
Router B
interface Serial0
ip address 10.1.1.2 255.255.255.252
no ip directed-broadcast
ip ospf message-digest-key 2 md5 ciscoab
ip ospf message-digest-key 4 md5 cisconew
Routers A and B will now use the youngest key (the last key configured).
rtrA#show ip ospf interface s0/1
Serial0/1 is up, line protocol is up
Internet Address 10.1.1.1/30, Area 0
Process ID 1, Router ID 1.1.1.1, Network Type POINT_TO_POINT, Cost: 64
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:02
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 2.2.2.2
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 4
The old key and password can now be removed from Routers A and B using the no form of the interface command.
Troubleshooting
Step 1. Before enabling authentication in an OSPF area, verify that there is a neighbor relationship among all OSPF routers by
using the show ip ospf neighbor command.
Step 2. Verify that authentication has been enabled for every OSPF router with an interface in the area where authentication is
being deployed.
Step 3. Verify that every interface using authentication in an OSPF area has been configured with the proper key and password.
Step 4. If any OSPF neighbor relationships disappear after configuring MD5 authentication, debugging can be used to determine
the problem. For example, change the key-id on Router B, interface Serial 0, to 5. Use the no form of the command to remove the
original key and password before applying the new key.
Router B
interface Serial0
ip address 10.1.1.2 255.255.255.252
no ip ospf message-digest-key 2 md5 ciscoab
ip ospf message-digest-key 5 md5 ciscoab
List the OSPF neighbors for Router A.
rtrA#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
3.3.3.3 1 FULL/ - 00:00:31 10.1.1.10 Serial0/0
Router A has lost Router C as a neighbor. Enable debugging on Router A to see if you can determine the problem.
rtrA#debug ip ospf events
OSPF events debugging is on
rtrA#
00:09:34: OSPF: Rcv pkt from 10.1.1.2, Serial0/1 : Mismatch Authentication Key -
No message digest key 5 on interface
Be careful when configuring passwords. A space is a valid character, so if you use the password cisco<space> then there will be a password
mismatch, but you won't be able to tell by looking at the configuration, especially if the password is encrypted in the configuration.
On Router A, remove the OSPF router configuration command area 0 authentication message-digest. Restore the proper key on Serial0
on Router B.
Router A
interface Serial0/0
ip address 10.1.1.9 255.255.255.252
ip ospf authentication-key cisco
!
router ospf 1
no area 0 authentication message-digest
_______________________________________________________________________
Router B
interface Serial0
ip address 10.1.1.2 255.255.255.252
no ip ospf message-digest-key 5 md5 ciscoab
ip ospf message-digest-key 2 md5 ciscoab
Router A should drop both OSPF neighbors.
rtrA#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
3.3.3.3 1 INIT/ - 00:00:38 10.1.1.10 Serial0/0
2.2.2.2 1 INIT/ - 00:00:39 10.1.1.2 Serial0/1
Now debug the OSPF traffic on Router B or C to determine the problem.
rtrB#debug ip ospf events
OSPF events debugging is on
rtrB#
21:43:04: OSPF: Rcv hello from 3.3.3.3 area 0 from Serial1 10.1.1.6
21:43:04: OSPF: End of hello processing
21:43:05: OSPF: Send with youngest Key 4
21:43:05: OSPF: Send with youngest Key 3
21:43:08: OSPF: Rcv pkt from 10.1.1.1, Serial0 : Mismatch Authentication type. I
nput packet specified type 0, we use type 2
Routers B and C are using type 2 authentication (MD5) and Router A is using type 0 authentication (none).
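How the key ID, the digest and the rollover described in this section fit together, as an added example that is not from the book: it follows the MD5 procedure of RFC 2328 Appendix D (digest over the packet followed by the 16-byte key) and models rollover in a simplified way that is this example's assumption, sending one copy per configured key until the neighbor has answered with the youngest one. The class, the function names and the Hello body are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

HDR = struct.Struct("!BBH4s4sHH")   # OSPFv2 header up to AuType (RFC 2328 A.3.1)
CRYPTO = struct.Struct("!HBBI")     # 0, Key ID, Auth Data Len, sequence number (D.3)


def pad_key(password):
    """MD5 keys are 16 bytes on the wire; shorter passwords are NUL padded."""
    return password.encode("ascii").ljust(16, b"\x00")[:16]


class OspfInterface:
    """Simplified model of one end of a point-to-point link using AuType 2."""

    def __init__(self, router_id, keys):
        self.router_id = ipaddress.IPv4Address(router_id).packed
        self.keys = dict(keys)      # key-id -> password, oldest first
        self.neighbor_key = {}      # neighbor router-id -> key-id it last used
        self.last_seq = {}          # neighbor router-id -> last accepted sequence

    def youngest(self):
        return list(self.keys)[-1]

    def rollover_in_progress(self):
        return any(k != self.youngest() for k in self.neighbor_key.values())

    def send(self, body, seq):
        """One copy per key during rollover, otherwise only the youngest key."""
        ids = list(self.keys) if self.rollover_in_progress() else [self.youngest()]
        packets = []
        for key_id in ids:
            length = HDR.size + CRYPTO.size + len(body)   # digest is not counted
            pkt = HDR.pack(2, 1, length, self.router_id, bytes(4), 0, 2)
            pkt += CRYPTO.pack(0, key_id, 16, seq) + body
            digest = hashlib.md5(pkt + pad_key(self.keys[key_id])).digest()
            packets.append(pkt + digest)
        return packets

    def receive(self, packet):
        _, _, length, rid, _, _, autype = HDR.unpack_from(packet)
        if autype != 2:
            return ("Mismatch Authentication type. Input packet specified "
                    "type %d, we use type 2" % autype)
        _, key_id, digest_len, seq = CRYPTO.unpack_from(packet, HDR.size)
        if key_id not in self.keys:
            return ("Mismatch Authentication Key - No message digest key %d "
                    "on interface" % key_id)
        expected = hashlib.md5(packet[:length] + pad_key(self.keys[key_id])).digest()
        if not hmac.compare_digest(packet[length:length + digest_len], expected):
            return "digest mismatch for key %d" % key_id   # wording is this example's
        if seq < self.last_seq.get(rid, 0):
            return "stale sequence number"                 # replayed packet
        self.last_seq[rid] = seq
        self.neighbor_key[rid] = key_id
        return "accepted"


def rollover_demo():
    """Replays Configuration Example 2 on the A-B link; returns each step's results."""
    a = OspfInterface("1.1.1.1", {2: "ciscoab"})
    b = OspfInterface("2.2.2.2", {2: "ciscoab"})
    hello = b"constructed hello body"
    steps = []
    a.receive(b.send(hello, 1)[0])                 # adjacency up with key 2
    b.receive(a.send(hello, 1)[0])
    a.keys[4] = "cisconew"                         # new key on Router A only
    steps.append([b.receive(p) for p in a.send(hello, 2)])
    b.keys[4] = "cisconew"                         # new key on Router B as well
    steps.append([a.receive(p) for p in b.send(hello, 2)])
    steps.append([b.receive(p) for p in a.send(hello, 3)])
    return steps
```

In the first step of rollover_demo the key 2 copy is accepted and the key 4 copy is rejected, which is why the adjacency survives while only one end has the new key.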
2-3 area area-id default-cost cost
NOTE
This command requires the following additional commands:
area area-id nssa (see Section 2-4)
or
area area-id stub (see Section 2-11)
Syntax Description:
area-id— OSPF area ID. This value can be entered as a decimal number in the range of 0 to 4,294,967,295 or in IP address form
in the range 0.0.0.0 to 255.255.255.255.
cost— The default cost of an OSPF stub area's advertised external default route metric. The range of values is 0 to 16,777,215.
The default value is 1. The cost value will be added to the cost of reaching the Area Border Router (ABR) that is advertising the
default route.
Purpose: External networks will not be advertised into a stub or totally stubby area. External networks are networks that have been
redistributed into OSPF. External OSPF routes and inter-area OSPF routes are not advertised into a totally stubby area. When an OSPF area
is configured as a stub area, a default route will be generated by the ABR into the stub area in place of the external routes. When an OSPF
area is configured as a totally stubby area, the default route replaces the external and inter-area routes. The purpose of this command is to
set the cost of the default route advertised into a stubby, totally stubby, or not-so-stubby area. If this command is not used, then the cost of
the default route will be 1. When configuring stub areas, all routers with interfaces in the stub area must be configured with the same stub
area type.
Initial Cisco IOS Software Release: 10.0
Configuration Example: Setting the Default Cost for a Stub Area
Initially, the network in Figure 2-3 is configured without a stubby area to compare the differences between the routes advertised into a normal
area with those advertised into a stubby area. You will redistribute the loopback interface on Router C in order to generate an external route
on Routers A and B.
Figure 2-3. External OSPF Routes Are Not Advertised into an OSPF Stub Area. Inter-area and
External Routes Are Not Advertised into a Totally Stubby Area
Router A
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Serial0/1
ip address 10.1.1.1 255.255.255.252
clock rate 64000
!
router ospf 1
network 10.1.1.0 0.0.0.3 area 1
_______________________________________________________________________
Router B
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface Serial0
ip address 10.1.1.2 255.255.255.252
!
interface Serial1
ip address 10.1.1.5 255.255.255.252
clock rate 64000
!
router ospf 1
network 10.1.1.0 0.0.0.3 area 1
network 10.1.1.4 0.0.0.3 area 0
_______________________________________________________________________
Router C
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Serial0
ip address 10.1.1.6 255.255.255.252
!
router ospf 1
redistribute connected subnets
network 10.1.1.4 0.0.0.3 area 0
If you examine the IP routing table on Router A, you can see that all OSPF routes are being advertised into Area 1.
rtrA#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
U - per-user static route, o - ODR
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
C 1.1.1.1 is directly connected, Loopback0
3.0.0.0/32 is subnetted, 1 subnets
O E2 3.3.3.3 [110/20] via 10.1.1.2, 00:00:04, Serial0/1
10.0.0.0/30 is subnetted, 3 subnets
C 10.1.1.0 is directly connected, Serial0/1
O IA 10.1.1.4 [110/128] via 10.1.1.2, 00:00:04, Serial0/1
Modify the configurations on Routers A and B so that Area 1 is a stub area.
Router A
router ospf 1
area 1 stub
network 10.1.1.0 0.0.0.3 area 1
_______________________________________________________________________
Router B
router ospf 1