Just another Cisco blog
Posts tagged CCIP
OSPF Authentication
Jun 1st
This post is about the different OSPF authentication methods. It will be part of a series outlining OSPF commands/technologies.
We can configure OSPF to use authentication for an entire area, or just for a single interface. Today we’ll go over both. Here’s the topology:
First we’ll setup authentication for all of area 0:
R1(config)#interface FastEthernet0/0 R1(config-if)#ip ospf message-digest-key 1 md5 cisco R1(config-if)#ip ospf 100 area 0 R1(config-if)# R1(config-if)#router ospf 100 R1(config-router)#area 0 authentication message-digest R2(config)#interface FastEthernet0/0 R2(config-if)#ip ospf message-digest-key 1 md5 cisco R2(config-if)#ip ospf 100 area 0 R2(config-if)# R2(config-if)#router ospf 100 R2(config-router)#area 0 authentication message-digest R3(config)#interface FastEthernet0/0 R3(config-if)#ip ospf message-digest-key 1 md5 cisco R3(config-if)#ip ospf 100 area 0 R3(config-if)# R3(config-if)#router ospf 100 R3(config-router)#area 0 authentication message-digest |
Nothing crazy here, we configure OSPF and an MD5 key under our area 0 interfaces, then we specify that all of area 0 should use MD5 authentication. Note that the commands differ slightly if we want to use clear-text, it would be “ip ospf authentication-key [key]” and “area 0 authentication” under the OSPF 100 process.
Let’s verify:
R1#sh ip ospf neigh
Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 1 FULL/DR 00:00:32 10.1.123.2 FastEthernet0/0
3.3.3.3 1 FULL/DROTHER 00:00:35 10.1.123.3 FastEthernet0/0
R1#sh ip ospf int fa0/0
...
Message digest authentication enabled
Youngest key id is 1 |
Everything is working, our neighbors are up and we see that authentication is enabled with the key we specifcied. Note, if we leave off a key, the neigbhors will still form and MD5 will still be enabled, but it will say key 0:
Quick BGP Challenge #1
May 12th
This is the first little challenge I’m posting on here. If you frequent the forums, you likely saw the one I had for OSPF. I thought of another challenge while talking to a buddy. Here’s the topology:
Make R1 prefer the path through R3 for the 192.168.1.0/24 network. The configuration must be on R1. Do not use Weight or Local Preference to accomplish this. Assume that all previous configuration is correct.
This one is a little different than the OSPF challenge in that there are many ways to accomplish it. I’ve thought of a few, I want to see what everyone else comes up with.
Go!
Troubleshooting Lab #6
Apr 7th
First lab with our new topology. I’m excited! This should be an easy one. When functioning correctly, Customer “a” connects to AS 6500 using MPLS VPNs and running OSPF with the provider between sites. Site 2 (CE2a) has internet access through a physical connection to AS 6500s global RIB, it also has a GRE tunnel to PE1 which connects to the MPLS VPN. Customer “b” has a similar configuration. Customer “b” is using EIGRP. Both customers have a single “internet” circuit which is reachable from only one site, all internet traffic from the other site will go over the WAN first.
The issue today is users in VLAN 40 are having issues accessing the internet (87.3.85.1), determine why.
New Troubleshooting Lab Topology
Apr 3rd
The old topology I’ve been using for the weekly labs is pretty limited. I created a new one today which should keep us going for awhile. It’s relatively complex, it consists of two customer MPLS VPNs and lots of routing. The two customer VPNs also have internet access through one of their sites. We are simulating the internet with Peer1 and Peer2. Here’s the diagram:
(click image for fullsize)
I should have the first lab up early next week after I work out some issues I’m having. So tell me what you guys think.
Here’s the .net file:
New Troubleshooting .net file
Troubleshooting Lab #2
Mar 6th
I don’t usually post on weekends, but I want to try out an idea for troubleshooting labs (and I’m bored). This is the second in the series. We got a lot of answers for the last one, most all of which were correct. I’ve started requiring approval for all comments, this way the answer won’t be posted immediately after I make the post. I think this will be more fun and encourage more people to answer.
This time we’ll have the topology and a .net file, but I won’t be posting configs and you guys won’t be able to do “sh run”. I’ve saved the configs inside the .net file. Run the topology and login with username “tshoot” and password “tshoot”. This user only has privilege level 1, so show commands will be available, but show run will not be. Obviously you could get around this pretty easily, but that would defeat the purpose. 
BGP Multi-Exit Discriminator (MED)
Feb 8th
Today we’ll go over another important BGP topic: MED. From Cisco:
“MED is an optional nontransitive attribute. MED is a hint to external neighbors about the preferred path into an autonomous system (AS) that has multiple entry points. The MED is also known as the external metric of a route. A lower MED value is preferred over a higher value.”
So, to summarize, MED is used to influence incoming traffic from a multi-homed neighbor AS.
Here’s our diagram:
In this case we’ll say that the link between PE1 and CE1 is only a T1, while the link between PE2 and CE1 is a DS3. Obviously we will want traffic to use the faster link, the PE2-CE1 DS3.
First we’ll configure our interfaces and basic BGP:
PE1: hostname PE1 ! interface Loopback0 ip address 1.1.1.1 255.255.255.255 ! interface Serial0/0 description To PE2 ip address 10.1.1.2 255.255.255.254 ! interface Serial0/1 description To CE1 bandwidth 1500 ip address 172.16.1.2 255.255.255.254 ! router bgp 5300 no synchronization bgp log-neighbor-changes neighbor 2.2.2.2 remote-as 5300 neighbor 2.2.2.2 update-source Loopback0 neighbor 2.2.2.2 next-hop-self neighbor 172.16.1.3 remote-as 1200 no auto-summary ! ip route 2.2.2.2 255.255.255.255 10.1.1.3 PE2: hostname PE2 ! interface Loopback0 ip address 2.2.2.2 255.255.255.255 ! interface Serial0/0 description To PE1 ip address 10.1.1.3 255.255.255.254 ! interface Serial0/2 description To CE1 bandwidth 45000 ip address 172.16.1.4 255.255.255.254 ! router bgp 5300 no synchronization bgp log-neighbor-changes neighbor 1.1.1.1 remote-as 5300 neighbor 1.1.1.1 update-source Loopback0 neighbor 1.1.1.1 next-hop-self neighbor 172.16.1.5 remote-as 1200 no auto-summary ! ip route 1.1.1.1 255.255.255.255 10.1.1.2 CE1: hostname CE1 ! interface Loopback0 ip address 3.3.3.3 255.255.255.255 ! interface Loopback1 ip address 192.168.1.1 255.255.255.0 ! interface Loopback2 ip address 192.168.2.1 255.255.255.0 ! interface Loopback3 ip address 192.168.3.1 255.255.255.0 ! interface Loopback4 ip address 192.168.4.1 255.255.255.0 ! interface Serial0/1 description To PE1 bandwidth 1500 ip address 172.16.1.3 255.255.255.254 ! interface Serial0/2 description To PE2 bandwidth 45000 ip address 172.16.1.5 255.255.255.254 ! router bgp 1200 no synchronization bgp log-neighbor-changes network 192.168.1.0 network 192.168.2.0 network 192.168.3.0 network 192.168.4.0 neighbor 172.16.1.2 remote-as 5300 neighbor 172.16.1.4 remote-as 5300 no auto-summary |
Recent Comments