Just another Cisco blog
Posts tagged HowTo
OSPF Authentication
Jun 1st
This post is about the different OSPF authentication methods. It will be part of a series outlining OSPF commands/technologies.
We can configure OSPF to use authentication for an entire area, or just for a single interface. Today we’ll go over both. Here’s the topology:

First we’ll setup authentication for all of area 0:
R1(config)#interface FastEthernet0/0
R1(config-if)#ip ospf message-digest-key 1 md5 cisco
R1(config-if)#ip ospf 100 area 0
R1(config-if)#
R1(config-if)#router ospf 100
R1(config-router)#area 0 authentication message-digest

R2(config)#interface FastEthernet0/0
R2(config-if)#ip ospf message-digest-key 1 md5 cisco
R2(config-if)#ip ospf 100 area 0
R2(config-if)#
R2(config-if)#router ospf 100
R2(config-router)#area 0 authentication message-digest

R3(config)#interface FastEthernet0/0
R3(config-if)#ip ospf message-digest-key 1 md5 cisco
R3(config-if)#ip ospf 100 area 0
R3(config-if)#
R3(config-if)#router ospf 100
R3(config-router)#area 0 authentication message-digest
Nothing crazy here: we configure OSPF and an MD5 key under our area 0 interfaces, then specify that all of area 0 should use MD5 authentication. Note that the commands differ slightly if we want to use clear-text authentication: it would be “ip ospf authentication-key [key]” on the interface and “area 0 authentication” under the OSPF 100 process.
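An added example, not part of the original post: a small audit of a saved IOS config that reports OSPF interfaces left with no authentication, with clear-text authentication, or in an MD5 area with no message-digest key on the interface. It assumes a single OSPF process, interfaces placed in OSPF with “ip ospf [pid] area [id]” as in this post, and that an interface-level “ip ospf authentication” line overrides the area setting; the sample config and the function name are constructed for illustration.

```python
import re

# Constructed sample config (not taken from the post's routers).
SAMPLE = """\
interface FastEthernet0/0
 ip ospf message-digest-key 1 md5 cisco
 ip ospf 100 area 0
interface FastEthernet0/1
 ip ospf 100 area 0
interface Serial0/0
 ip ospf authentication-key cisco
 ip ospf 100 area 1
interface Serial0/1
 ip ospf 100 area 2
router ospf 100
 area 0 authentication message-digest
 area 1 authentication
"""
# Interface-level "ip ospf authentication ..." overrides the area setting.
OVERRIDE = {"ip ospf authentication message-digest": "md5",
            "ip ospf authentication": "cleartext",
            "ip ospf authentication null": None}

def audit_ospf_auth(config):
    """Return sorted (interface, area, finding) tuples for weak OSPF auth."""
    area_mode, ifaces, section = {}, {}, None
    for line in config.splitlines():
        if line and not line.startswith((" ", "!")):   # new top-level section
            m = re.match(r"interface (\S+)", line)
            section = ifaces.setdefault(m.group(1), []) if m else None
        elif section is not None and line.startswith(" "):
            section.append(line.strip())
        m = re.match(r" area (\S+) authentication( message-digest)?\s*$", line)
        if m:   # area-wide mode configured under "router ospf"
            area_mode[m.group(1)] = "md5" if m.group(2) else "cleartext"
    findings = []
    for name, lines in ifaces.items():
        areas = [m.group(1) for ln in lines
                 if (m := re.match(r"ip ospf \d+ area (\S+)", ln))]
        if not areas:
            continue  # not placed in OSPF with "ip ospf <pid> area <id>"
        mode = next((OVERRIDE[ln] for ln in lines if ln in OVERRIDE),
                    area_mode.get(areas[0]))
        if mode is None:
            findings.append((name, areas[0], "no authentication"))
        elif mode == "cleartext":
            findings.append((name, areas[0], "clear-text authentication"))
        elif not any(ln.startswith("ip ospf message-digest-key ") for ln in lines):
            findings.append((name, areas[0], "MD5 enabled, no key configured"))
    return sorted(findings)
```

Calling audit_ospf_auth(SAMPLE) reports FastEthernet0/1, Serial0/0 and Serial0/1; FastEthernet0/0, which has both the area-level MD5 setting and a key, is not reported.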
Let’s verify:
R1#sh ip ospf neigh
Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/DR         00:00:32    10.1.123.2      FastEthernet0/0
3.3.3.3           1   FULL/DROTHER    00:00:35    10.1.123.3      FastEthernet0/0
R1#sh ip ospf int fa0/0
...
Message digest authentication enabled
Youngest key id is 1
Everything is working: our neighbors are up and we see that authentication is enabled with the key we specified. Note, if we leave off a key, the neighbors will still form and MD5 will still be enabled, but it will say key 0:
BGP Multipath-Relax
May 21st
So I learned a new command today. As usual I want to share with everyone. Today’s command is “bgp bestpath as-path multipath-relax”, which is actually hidden in IOS.
To give some background, BGP will not load balance across multiple paths by default. We can configure it to do so with the “maximum-paths n” command, which is pretty well known. The requirement for this command is that all attributes must match (Weight, LP, AS Path, etc). This is acceptable if we are multihomed to a single AS, but what if we are multihomed to different ASes? In that case we are not able to load balance across theoretically equal paths. Enter the “bgp bestpath as-path multipath-relax” command…
Here’s our first topology:

Now the config:
R1(config)#router bgp 100
R1(config-router)#no synchronization
R1(config-router)#neighbor 10.1.12.2 remote-as 200
R1(config-router)#neighbor 10.1.13.3 remote-as 200
R1(config-router)#no auto-summary
Here we see the basic BGP config on R1. We will only be configuring R1 in this post.
OSPF Lab #1 Walkthrough
May 13th
This is the walkthrough for OSPF Lab #1.
Here’s the topology:

Click here for the initial configs
Here is task one:
1. Configure R1's s0/0.102 interface and R2's s0/0.201 interface in area 12, this area should not receive any Type 5 LSAs. Configure R1's s0/0.103 interface and R3's s0/0.301 interface in area 13, R1 should only receive a default route from R3, no other OSPF routes should be in R1's RIB (from R3). Do not use network statements to accomplish this task.
Config:
R1(config)#interface Serial0/0.102 point-to-point
R1(config-subif)#ip ospf 100 area 12
R1(config-subif)#
R1(config-subif)#interface Serial0/0.103 point-to-point
R1(config-subif)#ip ospf 100 area 13
R1(config-subif)#
R1(config-subif)#router ospf 100
R1(config-router)#area 12 stub
R1(config-router)#area 13 stub

R2(config)#interface Serial0/0.201 point-to-point
R2(config-subif)#ip ospf 100 area 12
R2(config-subif)#
R2(config-subif)#router ospf 100
R2(config-router)#area 12 stub

R3(config)#interface Serial0/0.301 point-to-point
R3(config-subif)#ip ospf 100 area 13
R3(config-subif)#
R3(config-subif)#router ospf 100
R3(config-router)#area 13 stub no-summary
Here we configure OSPF 100 under the routers’ interfaces (avoiding network statements). Then we configure R1 and R2's link/area as a stub. Last we configure R1 and R3's link/area as a totally stubby area, preventing R3 from sending anything but a default route to R1.
RIP Lab #2
Apr 30th
This is the second and last RIP post I’ll be doing to prepare for the CCIE.
I’ve tried to include a lot in this one without making it too long. Here’s the topology:

Click here for the initial configs
Here is task one:
1. Configure RIPv2 on all routers and advertise their directly connected interfaces. Ensure that these routers have full NLRI to all the loopback interfaces advertised into RIP. Ensure that all routers can ping all loopbacks. Configure RIP not to advertise on any interface by default.
Let’s go through the config:
R1(config)#router rip
R1(config-router)# version 2
R1(config-router)# no auto-summary
R1(config-router)# network 1.0.0.0
R1(config-router)# network 10.0.0.0
R1(config-router)# passive-interface default
R1(config-router)# no passive-interface Serial0/0.102
R1(config-router)# no passive-interface Serial0/0.103
I’m only showing R1 here as the other routers will be nearly identical. First we enable RIP, configure the version, turn off auto-summary and configure our network statements. Then we use the “passive-interface default” command, which tells RIP that all interfaces are passive unless explicitly configured otherwise. Last we configure s0/0.102 and s0/0.103 NOT to be passive.
Guest Post On NF Blog
Apr 29th
I wrote a BGP Lab post on the Networking-Forum Blog. Here’s a preview:
Topology:

Tasks:
1. Configure the Outside Border Router in AS 6500. Peer with ISP-1 and ISP-2. Ensure that the DMZ subnet is advertised to the internet.
2. Prevent AS 6500 from being used as a transit between ASes 1111 and 2222.
3. The link through ISP-1 is much faster than the link through ISP-2. Configure outgoing traffic to use ISP-1 as the primary, only use the link through ISP-2 if the primary link is down.
4. Configure incoming traffic to use the link through ISP-1 as the primary.
5. Ensure that NAT is setup to use both ISPs.