Here’s an example of a network with 3 OSPF routers on a FastEthernet network. They are connected to the
same switch (multi-access network) so there will be a DR/BDR election. OSPF has been configured so all
routers have become OSPF neighbors, let’s take a look:
When a router is not the DR or BDR it’s called a DROTHER. I have no idea if we have to pronounce it
like “BROTHER with a D” or “DR-OTHER”. Here we can see that router Nancy is a DROTHER.
Susan#show ip ospf neighbor
Of course we can change which router becomes the DR/BDR by playing with the priority. Let’s turn router
Nancy into the DR:
You change the priority with the ip ospf priority command on the interface:
The default priority is 1.
A priority of 0 means the router will never be elected DR or BDR on that segment.
The election is not pre-emptive: a higher priority does not push out the current DR, so you need to use clear ip ospf process before a new election takes place.
Nancy#show ip ospf neighbor
As you can see router Donna is still the DR; we need to reset the OSPF neighbor adjacencies so that a new
DR and BDR are elected.
Now router Nancy is the DR, and the other routers show up as BDR and DROTHER.
We can also confirm it from router Donna: router Nancy is the DR and its priority is 200.
Something you need to be aware of is that the DR/BDR election is per multi-access segment, not per
area. Let me give you an example:
In the example above we have 2 multi-access segments: one between router Donna and Nancy, and one between
router Donna and Susan. Each segment holds its own DR/BDR election.
In the example above you can see that router Nancy is the DR for the 192.168.12.0/24 segment and router
Susan is the DR for the 192.168.13.0/24 segment.
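To make the rules above concrete (priority and router ID decide the DR/BDR, nothing changes until the adjacencies are reset, and every multi-access segment elects on its own), here is a small Python model of the election. It is an added example, not part of the original article or of any Cisco code: the router names, router IDs and priorities are made up, and it implements the usual teaching simplification of the election rather than the full RFC 2328 section 9.4 state machine.

```python
"""DR/BDR election on a multi-access segment (added example, not from the article).

The rule as the text describes it: highest priority wins, highest router ID
breaks ties, priority 0 is never eligible, and a sitting DR/BDR is not
pre-empted until the adjacencies are reset.  RFC 2328 section 9.4 has the full
state machine; this is the usual teaching simplification.  All names, router
IDs and priorities below are constructed.
"""
import ipaddress


def rid_key(router_id: str) -> int:
    """Router IDs compare as 32-bit numbers, not strings ('10.0.0.1' beats '9.0.0.1')."""
    return int(ipaddress.IPv4Address(router_id))


def elect(routers: dict, current_dr=None, current_bdr=None):
    """routers = {name: (priority, router_id)} for one segment; returns (dr, bdr, drothers).

    Pass the incumbents to model a priority change without a reset: as long as
    they are still present and eligible they keep their roles, which is why
    raising a priority alone changes nothing until clear ip ospf process.
    """
    eligible = {n: v for n, v in routers.items() if v[0] > 0}
    ranked = sorted(eligible, key=lambda n: (eligible[n][0], rid_key(eligible[n][1])),
                    reverse=True)
    dr = current_dr if current_dr in eligible else None
    bdr = current_bdr if current_bdr in eligible else None
    if dr is None and bdr is not None:   # DR disappeared: the BDR is promoted
        dr, bdr = bdr, None
    for name in ranked:                  # fill whatever role is still open
        if name in (dr, bdr):
            continue
        if dr is None:
            dr = name
        elif bdr is None:
            bdr = name
    drothers = sorted(n for n in routers if n not in (dr, bdr))
    return dr, bdr, drothers


def per_segment(segments: dict) -> dict:
    """{segment: routers} -> {segment: (dr, bdr)}: every segment elects on its own."""
    return {net: elect(routers)[:2] for net, routers in segments.items()}


if __name__ == "__main__":
    lan = {"Donna": (1, "3.3.3.3"), "Susan": (1, "2.2.2.2"), "Nancy": (1, "1.1.1.1")}
    print("equal priorities:", elect(lan))
    lan["Nancy"] = (200, "1.1.1.1")
    print("Nancy priority 200, no reset:", elect(lan, current_dr="Donna", current_bdr="Susan"))
    print("after clear ip ospf process:", elect(lan))
    two = {"192.168.12.0/24": {"Donna": (1, "3.3.3.3"), "Nancy": (200, "1.1.1.1")},
           "192.168.13.0/24": {"Donna": (1, "3.3.3.3"), "Susan": (10, "2.2.2.2")}}
    print("per segment:", per_segment(two))
```

Running it reproduces the sequence from the article: with equal priorities the highest router ID wins, raising Nancy to 200 changes nothing while Donna and Susan hold their roles, and after a reset Nancy becomes the DR with Donna as BDR. The per-segment call shows Donna being DROTHER on one segment and BDR on the other at the same time. Point-to-point links never run this at all; there is nothing to elect.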
Last but not least let me show you an example where we don’t have a DR/BDR election:
Here’s an example of a point-to-point link running HDLC. You can see that we have a neighbor but we
didn’t do an election for DR or BDR. Makes sense because there is always only one router on the other
side.
R1(config)#router ospf 1
R1(config-router)#default-information originate ?
always Always advertise default route
metric OSPF default metric
metric-type OSPF metric type for default routes
route-map Route-map reference
<cr>
There are a few options here. We can change the metric or the metric type, but the one most people
forget is the always keyword.
With default-information originate you advertise a default route into OSPF, but only if a default route is
already in your routing table. With the always keyword the router advertises the default route even when it
doesn’t have one itself. Be careful with that: an always router keeps advertising 0.0.0.0/0 after it loses its
own upstream, so the other routers keep sending it traffic it can’t forward. Once the default route is
advertised it looks like this on the other routers:
Above you see the topology I’m going to use for authentication: just two routers, but enough to check
all the different authentication methods.
Donna(config)#router ospf 1
Donna(config-router)#network 192.168.12.0 0.0.0.255 area 0
Mary(config)#router ospf 1
Mary(config-router)#network 192.168.12.0 0.0.0.255 area 0
Donna(config)#router ospf 1
Donna(config-router)#area 0 authentication
If you have a lot of interfaces you probably don’t want to enable OSPF authentication on each interface one
by one. You can enable it area-wide with the area authentication command under the OSPF process instead; in
the example above I enabled it for area 0. This turns on simple password authentication for every interface in
the area, but the password itself is still configured per interface with ip ospf authentication-key, and it has
to match on both routers or the adjacency won’t come up.
With the show ip ospf interface command you can see OSPF information per interface, including whether
authentication is enabled. Here the neighbor count is 1 and simple password authentication is enabled.
I love debugs (when it comes to Cisco, not Google); debug is your friend and gives you a lot of
information. With debug ip ospf packet you can see that authentication is enabled. In my example I
receive a packet and it says aut:1, which means that plain text authentication is enabled.
Aut:0 is no authentication.
Aut:1 is plain text authentication. The password is carried in the clear in the 8-byte authentication field of every OSPF packet, so anyone who can capture traffic on the segment can read it; it protects against misconfiguration, not against an attacker.
Aut:2 is MD5 authentication.
Just two routers in the same area, nothing special. Here is the configuration to enable MD5 authentication:
For MD5 authentication you need different commands. First use ip ospf message-digest-key X md5 <password> on
the interface to specify the key ID and the password. It doesn’t matter which key ID you choose, but it has to
be the same on both ends, and so does the password. Then enable authentication with ip ospf authentication
message-digest.
Donna(config)#router ospf 1
Donna(config-router)#area 0 authentication message-digest
If you don’t want to enable OSPF authentication per interface, use the area authentication message-digest
command under the OSPF process instead. The message-digest-key itself still goes on each interface.
Donna#show ip ospf interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
Internet Address 192.168.12.1/24, Area 0
Process ID 1, Router ID 192.168.12.1, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 192.168.12.2, Interface address 192.168.12.2
Backup Designated router (ID) 192.168.12.1, Interface address 192.168.12.1
Flush timer for old DR LSA due in 00:01:53
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:05
Supports Link-local Signaling (LLS)
OSPF IN DEPTH CNE - MAHER ABDELSHKOUR
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 192.168.12.2 (Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1
Using show ip ospf interface we see that MD5 authentication is enabled and that key ID 1 is in use (the
“youngest key id”). We have a neighbor, so it seems to be working.
Donna#debug ip ospf packet
OSPF packet debugging is on
The debug shows that MD5 authentication is enabled (aut:2) and that key ID 1 is in use. Debug is also great
for fixing authentication errors, here’s why:
I’ll debug the OSPF packets and reset the OSPF neighbors.
Donna#
OSPF: Rcv pkt from 192.168.12.2, FastEthernet0/0 : Mismatch Authentication Key - Message Digest Key 1
Somewhere in the debug you’ll see the message above. It means both sides are using MD5 key ID 1 but the
passwords are different. A key ID that doesn’t exist on the receiving side, or plain text on one side and MD5
on the other, produces a different mismatch message, so the debug tells you which of the three (authentication
type, key ID, password) you need to fix.
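The aut:0/aut:1/aut:2 values and the key mismatch above come straight from the OSPF packet header, so here is the mechanism in Python. It is an added example, not from the article or from Cisco: it builds a Hello with each authentication type as RFC 2328 Appendix D specifies, reads a simple password back off the wire, and verifies an MD5-authenticated packet the way a receiving router does. The addresses, passwords and key IDs are made up, and the status strings returned by md5_verify are mine, not IOS debug text.

```python
"""OSPFv2 packet authentication per RFC 2328 Appendix D (added example).

Builds a minimal OSPF Hello with AuType 0, 1 and 2 (the aut:0/1/2 values in
the debug output), shows that a simple password is readable on the wire, and
verifies the MD5 variant as a receiver would.  Standard library only; the
addresses, passwords and key IDs are constructed for the demo.
"""
import hashlib
import hmac
import socket
import struct

AUTH_NULL, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2
HELLO = 1
# version, type, packet length, router ID, area ID, checksum, AuType = 16 bytes;
# the 8-byte authentication field follows, then the Hello body.
HDR = "!BBH4s4sHH"


def ip_checksum(data: bytes) -> int:
    """One's-complement checksum, the same algorithm as the IP header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def hello_body(mask="255.255.255.0", priority=1, hello=10, dead=40,
               dr="0.0.0.0", bdr="0.0.0.0") -> bytes:
    """Hello: network mask, intervals, options (E bit), router priority, DR, BDR."""
    return struct.pack("!4sHBBI4s4s", socket.inet_aton(mask), hello, 0x02,
                       priority, dead, socket.inet_aton(dr), socket.inet_aton(bdr))


def build_hello(router_id: str, area_id: str, autype: int, auth: bytes, body: bytes) -> bytes:
    """Header + 8-byte auth field + body.  For AuType 0/1 the checksum covers
    everything except the auth field (D.2, D.3); for AuType 2 it stays zero and
    the MD5 digest provides the integrity check (D.4.3)."""
    hdr = struct.pack(HDR, 2, HELLO, 24 + len(body), socket.inet_aton(router_id),
                      socket.inet_aton(area_id), 0, autype)
    if autype != AUTH_MD5:
        hdr = hdr[:12] + struct.pack("!H", ip_checksum(hdr + body)) + hdr[14:]
    return hdr + auth + body


def auth_type(wire: bytes) -> int:
    """The AuType field: 0 null, 1 simple password, 2 cryptographic (MD5)."""
    return struct.unpack("!H", wire[14:16])[0]


def simple_auth(password: str) -> bytes:
    """AuType 1: the password itself, truncated/zero-padded to 8 bytes."""
    return password.encode()[:8].ljust(8, b"\x00")


def sniff_simple_password(wire: bytes):
    """Anyone capturing on the segment reads the simple password out of the header."""
    if auth_type(wire) != AUTH_SIMPLE:
        return None
    return wire[16:24].rstrip(b"\x00").decode()


def md5_sign(pkt: bytes, key_id: int, key: bytes, seq: int) -> bytes:
    """AuType 2: auth field = reserved(2) | key ID(1) | digest length(1) | seq(4).
    digest = MD5(packet || key padded to 16 bytes), appended after the packet and
    not counted in the OSPF packet length field."""
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    pkt = pkt[:16] + auth + pkt[24:]
    return pkt + hashlib.md5(pkt + key[:16].ljust(16, b"\x00")).digest()


def md5_verify(wire: bytes, keys: dict) -> str:
    """Receiver-side check with keys = {key_id: secret}.  The status strings are
    ours, not IOS debug text.  The sequence number is not checked here; a real
    receiver also rejects packets whose seq goes backwards for that neighbor."""
    if auth_type(wire) != AUTH_MD5:
        return "auth type mismatch"
    length = struct.unpack("!H", wire[2:4])[0]
    _, key_id, digest_len, _seq = struct.unpack("!HBBI", wire[16:24])
    if digest_len != 16 or len(wire) < length + 16:
        return "malformed"
    if key_id not in keys:
        return "unknown key id %d" % key_id
    expect = hashlib.md5(wire[:length] + keys[key_id][:16].ljust(16, b"\x00")).digest()
    if hmac.compare_digest(expect, wire[length:length + 16]):
        return "ok"
    return "digest mismatch (key id %d)" % key_id   # right key ID, wrong password


if __name__ == "__main__":
    body = hello_body(priority=200)
    plain = build_hello("192.168.12.1", "0.0.0.0", AUTH_SIMPLE, simple_auth("cisco"), body)
    print("aut:%d, password on the wire: %r" % (auth_type(plain), sniff_simple_password(plain)))
    unsigned = build_hello("192.168.12.1", "0.0.0.0", AUTH_MD5, bytes(8), body)
    signed = md5_sign(unsigned, key_id=1, key=b"cisco", seq=1)
    print("aut:%d, matching password: %s" % (auth_type(signed), md5_verify(signed, {1: b"cisco"})))
    print("aut:%d, wrong password:     %s" % (auth_type(signed), md5_verify(signed, {1: b"ciscO"})))
```

The MD5 scheme is a keyed digest rather than an HMAC: the 16-byte key is appended to the packet, MD5 is run over the result, and the digest rides behind the packet outside the OSPF length field. A wrong password with the right key ID fails only at the digest comparison, which is exactly the situation the debug above reports; a key ID the receiver doesn’t know, or a packet with a different AuType, is rejected earlier.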
That’s all I wanted to show you for now. I hope you enjoyed reading this article.