Thursday, December 25, 2008

Cisco CCNP / BSCI Exam Tutorial: RIP Update Packet Authentication

When you earned your CCNA, you thought you learned everything there is to know about RIP. Close, but not quite! There are some additional details you need to know to pass the BSCI exam and get one step closer to the CCNP exam, and one of those involves RIP update packet authentication.

You're familiar with some advantages of using RIPv2 over RIPv1, support for VLSM chief among them. But one advantage that you're not introduced to in your CCNA studies is the ability to configure routing update packet authentication.

You have two options, clear text and MD5. Clear text is just that - a clear-text password that is visible to anyone who can capture a packet off the wire. If you're going to go to the trouble of configuring update authentication, you should use MD5. The MD stands for "Message Digest", and this is the algorithm that produces the hash value for the password that will be contained in the update packets.

Not only must the routers agree on the password, they must agree on the authentication method. If one router sends an MD5-hashed password to another router that is configured for clear-text authentication, the update will not be accepted. debug ip rip is a great command for troubleshooting authenticated updates.

R1, R2, and R3 are running RIP over a frame relay cloud. Here is how RIP authentication would be configured on these three routers.

R1#conf t

R1(config)#key chain RIP

< The key chain can have any name. >

R1(config-keychain)#key 1

< Key chains can have multiple keys. Number them carefully when using multiples. >

R1(config-keychain-key)#key-string CISCO

< This is the text string the key will use for authentication. >


R1(config)#int s0

R1(config-if)#ip rip authentication mode text

< The interface will use clear-text mode. >

R1(config-if)#ip rip authentication key-chain RIP

< The interface is using key chain RIP, configured earlier. >

R2#conf t

R2(config)#key chain RIP

R2(config-keychain)#key 1

R2(config-keychain-key)#key-string CISCO

R2(config)#int s0.123

R2(config-subif)#ip rip authentication mode text

R2(config-subif)#ip rip authentication key-chain RIP

R3#conf t

R3(config)#key chain RIP

R3(config-keychain)#key 1

R3(config-keychain-key)#key-string CISCO

R3(config)#int s0.31

R3(config-subif)#ip rip authentication mode text

R3(config-subif)#ip rip authentication key-chain RIP

To use MD5 authentication rather than clear-text, simply replace the word "text" in the ip rip authentication mode command with md5.

Here's what a successfully authenticated RIPv2 packet looks like, courtesy of debug ip rip. Clear-text authentication is in effect and the password is "cisco".

3d04h: RIP: received packet with text authentication cisco

3d04h: RIP: received v2 update from 150.1.1.3 on Ethernet0

3d04h: 100.0.0.0/8 via 0.0.0.0 in 1 hops

3d04h: 150.1.2.0/24 via 0.0.0.0 in 1 hops

Here's what it looks like when the remote device is set for MD5 authentication and the local router is set for clear-text. You'll also see this message if the password itself is incorrect.

3d04h: RIP: ignored v2 packet from 150.1.1.3 (invalid authentication)
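
As an added example (not from the original post and not Cisco's code), the following Python models the two RIPv2 authentication formats the post compares: RFC 1723 clear-text (the key-string travels in the packet) and RFC 2082 keyed MD5 (only a digest travels), with a receive-side check that yields the two debug outcomes shown above. The prefixes and the password "cisco" come from the post; the key ID and sequence number are constructed, and the code is a teaching model of the wire formats, not a claim to be byte-identical to IOS.

```python
import hashlib, hmac, struct

RIP_HDR = struct.pack("!BBH", 2, 2, 0)   # command 2 = response (update), version 2, unused
AUTH_AFI = 0xFFFF                        # address family that marks an authentication entry
AUTH_TEXT, AUTH_MD5, AUTH_TRAILER = 2, 3, 1

def ipv4(s):
    return bytes(int(o) for o in s.split("."))

def route_entry(prefix, mask, metric):
    # Ordinary RIPv2 route: AFI 2 (IP), tag 0, prefix, mask, next hop 0.0.0.0, metric
    return struct.pack("!HH4s4s4sI", 2, 0, ipv4(prefix), ipv4(mask), b"\0" * 4, metric)

def build_text(routes, password):
    # RFC 1723 simple password: the key-string itself, zero-padded to 16 bytes, in the clear
    return RIP_HDR + struct.pack("!HH16s", AUTH_AFI, AUTH_TEXT, password.encode()) + b"".join(routes)

def build_md5(routes, key_id, key, seq):
    # RFC 2082 keyed MD5: leading entry carries key id / sequence, trailer carries the digest
    body = b"".join(routes)
    pkt_len = 4 + 20 + len(body)                       # header + auth entry + routes
    auth = struct.pack("!HHHBBI8x", AUTH_AFI, AUTH_MD5, pkt_len, key_id, 16, seq)
    head = RIP_HDR + auth + body + struct.pack("!HH", AUTH_AFI, AUTH_TRAILER)
    # Digest over the packet with the 16-byte padded key appended; the key itself is never sent
    digest = hashlib.md5(head + key.encode().ljust(16, b"\0")).digest()
    return head + digest

def receive(pkt, mode, key):
    """Return the debug-style verdict a router configured with mode/key gives for pkt."""
    afi, atype = struct.unpack_from("!HH", pkt, 4)
    if afi == AUTH_AFI and mode == "text" and atype == AUTH_TEXT:
        pw = pkt[8:24].rstrip(b"\0").decode(errors="replace")
        if hmac.compare_digest(pw.encode(), key.encode()):
            return f"received packet with text authentication {pw}"
    elif afi == AUTH_AFI and mode == "md5" and atype == AUTH_MD5:
        pkt_len = struct.unpack_from("!H", pkt, 8)[0]
        trailer_ok = pkt[pkt_len:pkt_len + 4] == struct.pack("!HH", AUTH_AFI, AUTH_TRAILER)
        if pkt_len + 20 == len(pkt) and trailer_ok:
            want = hashlib.md5(pkt[:pkt_len + 4] + key.encode().ljust(16, b"\0")).digest()
            if hmac.compare_digest(want, pkt[pkt_len + 4:]):
                return "received packet with MD5 authentication"
    # Unauthenticated update, mode mismatch, wrong key-string or tampered digest all land here
    return "ignored v2 packet (invalid authentication)"
```

Feeding a clear-text packet to a receiver in md5 mode (or the reverse) produces the same "invalid authentication" verdict as a wrong key-string, which is why debug ip rip alone cannot tell you which of the two is misconfigured.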

"Debug ip rip" may be a simple command compared to the debugs for other protocols, but it's also a very powerful debug. Start using debugs as early as possible in your Cisco studies to learn how router commands really work!

Wednesday, December 24, 2008

Cisco CCNA Certification Exam Tutorial: The OSPF RID

OSPF is a major topic on your CCNA exam, as well it should be. OSPF is a widely-used WAN protocol, and you need to learn the fundamentals before moving on to more complicated configurations. One such detail is the OSPF Router ID, or RID.

The RID is the dotted decimal value by which other OSPF routers will identify a given OSPF router. There are some interesting defaults for this value, and a command you should know to hardcode the RID. You had also better know what has to happen for this command to take effect, so let's take a more detailed look at the OSPF RID.

In this example, R1 has an adjacency with R2 and R3 over the 172.12.123.0/24 frame relay network. R1 is the hub, with R2 and R3 as the spokes. No other interfaces are OSPF-enabled on any of the routers. Running show ip ospf neighbor on R1, we see some unusual values under "Neighbor ID", which is another name for the OSPF RID.

R1#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface

3.3.3.3 0 FULL/DROTHER 00:01:57 172.12.123.3 Serial0

2.2.2.2 0 FULL/DROTHER 00:01:57 172.12.123.2 Serial0

Notice that the Neighbor ID of each remote router is its loopback address. How can that be if the loopbacks are not OSPF-enabled?

When determining the Router ID (RID) of an OSPF-enabled router, OSPF will always use the numerically highest IP address on the router’s loopback interfaces, regardless of whether that loopback is OSPF-enabled.

What if there is no loopback? OSPF will then use the numerically highest IP address of the physical interfaces, regardless of whether that interface is OSPF-enabled.

BOTTOM LINE: An interface does not have to be running OSPF to have its IP address used as the OSPF RID.

The OSPF RID can be changed, but doing so requires a reload or a reinitialization of the OSPF routing process. Use the router-id command to change the default RID of each router as shown, and then clear the OSPF process for the change to take effect.

R1#conf t

Enter configuration commands, one per line. End with CNTL/Z.

R1(config)#router ospf 1

R1(config-router)#router-id 11.11.11.11

Reload or use "clear ip ospf process" command, for this to take effect

R1#clear ip ospf process

Reset ALL OSPF processes? [no]: yes

1d05h: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on Serial0 from 2WAY to DOWN, Neighbor Down: Interface down or detached

1d05h: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Serial0 from 2WAY to DOWN, Neighbor Down: Interface down or detached

After entering the router-id command, the router console informed you that you have to reload the router or reset the OSPF processes for this to take effect. You enter the clear ip ospf process command to do this. Notice that when you’re asked whether you really want to do this, the default answer is “no”. That’s because all the OSPF adjacencies on this router will be lost and will have to begin the process again. That’s OK on a practice rack, not good in a production network. Don’t use that one at work.
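
A toy model of the RID selection rules and of the router-id / clear ip ospf process behaviour described above, added here as an example and not part of the original post or of IOS. The class, its method names and the interface list format are constructed for illustration; loopbacks are recognised by interface name.

```python
import ipaddress

class OspfProcess:
    """Minimal model of how IOS chooses the OSPF Router ID (constructed example, not an OSPF stack).

    interfaces: list of (name, ip, ospf_enabled) tuples; ospf_enabled is deliberately unused
    in select_rid, because OSPF enablement plays no part in RID selection.
    """

    def __init__(self, interfaces):
        self.interfaces = interfaces
        self.configured_rid = None          # value given with the router-id command, if any
        self.rid = self.select_rid()        # decided once, when the process starts

    def select_rid(self):
        if self.configured_rid:
            return self.configured_rid
        # Rule 1: numerically highest loopback address, OSPF-enabled or not.
        # Rule 2: otherwise the numerically highest physical-interface address, again
        #         regardless of whether OSPF runs on it.
        for want_loopback in (True, False):
            candidates = [ipaddress.IPv4Address(ip) for name, ip, _ in self.interfaces
                          if name.lower().startswith("loopback") == want_loopback]
            if candidates:
                return str(max(candidates))
        raise RuntimeError("no IP address available: OSPF cannot start")

    def router_id(self, rid):
        # IOS stores the new value but keeps the running RID until the process restarts
        self.configured_rid = rid
        return 'Reload or use "clear ip ospf process" command, for this to take effect'

    def clear_ip_ospf_process(self):
        # All adjacencies drop (the %OSPF-5-ADJCHG messages) and the RID is re-selected
        self.rid = self.select_rid()
        return self.rid
```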

The OSPF RID is not a complicated concept, but the fact that an interface doesn't have to be OSPF-enabled in order to have its IP address act as the RID takes some getting used to. And remember - when the router or switch asks you a question and the prompted answer is "no", take one step back and make sure you really want to do what you're about to do!