Tuesday, February 7, 2012

IPV6 OSPFV3

OSPFV3 OVERVIEW
----------------
RFC 5340
Similar in operation to OSPFV2
    -transport via IP protocol 89, unicast and multicast FF02::5 & FF02::6
Enabled at link level
    - ipv6 ospf [process-id] area [area-id]
    - automatically enables global process
Normal OSPF rules still apply
    -adjacency parameters
    -OSPFv3 network types
    -IPv4-formatted router-id needed
sh ipv6 ospf interface
sh ipv6 ospf neighbor  - router ID is shown in IPv4 format

int vlan 8
ipv6 ospf 1 area 0
or on non broadcast
int s0/0
ipv6 ospf 1 area 0
ipv6 ospf neighbor "link local address"
ipv6 ospf network non-broadcast

Most IPv4 routing protocols support some form of neighbor authentication, provided by either a plaintext password or MD5 HMAC. However, OSPFv3 (OSPF for IPv6) doesn't include any authentication capabilities of its own; instead, it relies entirely on IPsec to secure communications between neighbors. This is beneficial in simplifying the OSPFv3 protocol and standardizing its authentication mechanism.
OSPFv3 authentication is more advanced than the authentication in v2: it is secured
with IPsec, using AH for authentication and ESP for encryption. We can use either SHA
or MD5 as the hashing algorithm. Previously, in v2, we did not have encryption.

Interface Ethernet 0
ipv6 enable
ipv6 ospf 1 area 0
ipv6 ospf authentication ipsec spi 500 md5 12345678ABCDEF12345678ABCDEF1234
The SPI number and the MD5 key (32 hex digits) must match on both neighbors.
We can use
debug ipv6 ospf adj - to debug if the adjacency is not forming

LAB
----



r5
---
r5(config)#int s0/0/0
r5(config-if)#ipv6 ospf 1 area 0
r5(config-if)#
r1
---
r1(config)#int s0/0
r1(config-if)#ipv6 ospf 1 area 0
r1(config-if)#

The relationship is not coming up.

If we look at the interface, it is non-broadcast, so I need to define the neighbor statement.
r1#sh ipv6 ospf int
Serial0/0 is up, line protocol is up
  Link Local Address FE80::20D:28FF:FE70:2040, Interface ID 5
  Area 0, Process ID 1, Instance ID 0, Router ID 1.1.1.1
  Network Type NON_BROADCAST, Cost: 64
  Transmit Delay is 1 sec, State WAITING, Priority 1
  No designated router on this network
  No backup designated router on this network
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
    Hello due in 00:00:11
    Wait time before Designated router selection 00:01:41
  Index 1/1/1, flood queue length 0
  Next 0x0(0)/0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 0
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 0, Adjacent neighbor count is 0
  Suppress hello for 0 neighbor(s)
r1#

r1(config-if)#int s0/0
r1(config-if)#ipv6 ospf neighbor 2001:155::5
OSPFv3: Neighbor address needs to be a link-local address
r1(config-if)#ipv6 ospf neighbor
r1#

So we need to use the link-local address in the neighbor command.
r1(config)#int s0/0
r1(config-if)#ipv6 ospf neighbor FE80::213:19FF:FED6:F4D2
r1(config-if)#

The same config needs to be done on r5, changing only the link-local address.

r5
----
r5(config)#int s0/0/0
r5(config-if)#ipv6 ospf neighbor FE80::20D:28FF:FE70:2040
r5(config-if)#


Notice the neighbor ID when we check the neighbor table:

r5(config)#do sh ipv6 ospf neigh
Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
1.1.1.1           1   FULL/BDR        00:01:36    5               Serial0/0/0
r5(config)#

The neighbor is identified by its IPv4-format router ID.

ok on r1
-----------
we want to advertise the r1 loopback

r1(config-if)#ipv6 address 2001:1:1:1::1/128
r1(config-if)#ipv6 ospf 1 area 0
r1(config-if)#


r5
----
We are receiving the route and we can ping.
r5#sh ipv6 route
IPv6 Routing Table - 5 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
O   2001:1:1:1::1/128 [110/64]
     via FE80::20D:28FF:FE70:2040, Serial0/0/0
C   2001:155::/64 [0/0]
     via ::, Serial0/0/0
L   2001:155::5/128 [0/0]
     via ::, Serial0/0/0
L   FE80::/10 [0/0]
     via ::, Null0
L   FF00::/8 [0/0]
     via ::, Null0
r5#ping 2001:1:1:1::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:1:1:1::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/64/68 ms
r5#

Let's bring r2 into the equation.

r5
---
r5(config)#int s0/0/0
r5(config-if)#ipv6 ospf neighbor FE80::21A:A2FF:FE64:DF80
r5(config-if)#

r2
---
r2(config)#int s0/0
r2(config-if)#ipv6 ospf 1 area 0
r2(config-if)#ipv6 ospf neighbor FE80::213:19FF:FED6:F4D2


r2#sh ipv6 route
IPv6 Routing Table - 5 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
O   2001:1:1:1::1/128 [110/64]
     via FE80::20D:28FF:FE70:2040, Serial0/0
C   2001:155::/64 [0/0]
     via ::, Serial0/0
L   2001:155::2/128 [0/0]
     via ::, Serial0/0
L   FE80::/10 [0/0]
     via ::, Null0
L   FF00::/8 [0/0]
     via ::, Null0
r2#

We are learning the OSPF route for the r1 loopback, so all looks good.
OK, let's configure authentication, starting with r2.

r2(config-if)#$ion ipsec spi 300 md5 0 12345678ABCDEF12345678ABCDEF1234
r2(config-if)#
*Mar  1 07:11:20.023: %IPSECV6-4-RECVD_PKT_NOT_IPSECV6: Rec'd packet not an IPSEC packet.
        (ip) dest_addr= FE80::21A:A2FF:FE64:DF80, src_addr= FE80::213:19FF:FED6:F4D2, prot= 89
r2(config-if)#exit
r2(config)#do sh run int s0/0
Building configuration...
Current configuration : 480 bytes
!
interface Serial0/0
 ip address 155.0.0.2 255.255.255.0
 encapsulation frame-relay
 ipv6 address 2001:155::2/64
 ipv6 ospf neighbor FE80::213:19FF:FED6:F4D2
 ipv6 ospf 1 area 0
 ipv6 ospf authentication ipsec spi 300 md5 12345678ABCDEF12345678ABCDEF1234
 frame-relay map ipv6 2001:155::5 205
 frame-relay map ipv6 2001:155::2 205 broadcast
 frame-relay map ipv6 FE80::213:19FF:FED6:F4D2 205 broadcast
 frame-relay map ip 155.0.0.5 205 broadcast
 frame-relay lmi-type cisco
end
Our neighbor relationship to r5 has gone down:
Mar  1 07:12:50.015: %IPSECV6-4-RECVD_PKT_NOT_IPSECV6: Rec'd packet not an IPSEC packet.
        (ip) dest_addr= FE80::21A:A2FF:FE64:DF80, src_addr= FE80::213:19FF:FED6:F4D2, prot= 89
*Mar  1 07:12:50.027: %OSPFv3-5-ADJCHG: Process 1, Nbr 5.5.5.5 on Serial0/0 from FULL to DOWN, Neighbor Down: Dead timer expired
because r2 now expects IPsec and the OSPF packets (protocol 89) arriving from r5 are not IPsec packets.
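
The same symptom can be picked out of collected syslog. This is an added example, not part of the original post: it counts which link-local sources are still sending OSPF (protocol 89) without IPsec and lists adjacencies that dropped afterwards. The function names are hypothetical; the sample lines are the ones logged on r2 above.

```python
import re
from collections import Counter

# Syslog lines copied from r2 in the lab above.
SAMPLE_LOG = """\
*Mar  1 07:11:20.023: %IPSECV6-4-RECVD_PKT_NOT_IPSECV6: Rec'd packet not an IPSEC packet.
        (ip) dest_addr= FE80::21A:A2FF:FE64:DF80, src_addr= FE80::213:19FF:FED6:F4D2, prot= 89
Mar  1 07:12:50.015: %IPSECV6-4-RECVD_PKT_NOT_IPSECV6: Rec'd packet not an IPSEC packet.
        (ip) dest_addr= FE80::21A:A2FF:FE64:DF80, src_addr= FE80::213:19FF:FED6:F4D2, prot= 89
*Mar  1 07:12:50.027: %OSPFv3-5-ADJCHG: Process 1, Nbr 5.5.5.5 on Serial0/0 from FULL to DOWN, Neighbor Down: Dead timer expired
"""
OSPF_PROTO = 89
DETAIL_RE = re.compile(r"dest_addr= ([0-9A-Fa-f:]+), src_addr= ([0-9A-Fa-f:]+), prot= (\d+)")
ADJ_RE = re.compile(r"%OSPFv3-5-ADJCHG: Process \d+, Nbr (\S+) on (\S+) from (\w+) to (\w+),")


def records(log_text):
    """Join indented continuation lines onto the syslog message they belong to."""
    out = []
    for line in log_text.splitlines():
        if line[:1].isspace() and out:
            out[-1] += " " + line.strip()
        elif line.strip():
            out.append(line.strip())
    return out


def triage(log_text):
    """Return (cleartext OSPF senders with packet counts, adjacencies lost afterwards)."""
    senders, lost = Counter(), []
    for rec in records(log_text):
        if "%IPSECV6-4-RECVD_PKT_NOT_IPSECV6" in rec:
            m = DETAIL_RE.search(rec)
            if m and int(m.group(3)) == OSPF_PROTO:
                senders[m.group(2).upper()] += 1
            continue
        m = ADJ_RE.search(rec)
        # Only count adjacencies that drop after cleartext OSPF has been seen.
        if m and m.group(4) == "DOWN" and senders:
            lost.append((m.group(1), m.group(2)))
    return dict(senders), lost
```

On the sample, triage(SAMPLE_LOG) reports two cleartext OSPF packets from r5's link-local address and the lost adjacency to 5.5.5.5 on Serial0/0.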

r5
===
r5#sh run int s0/0/0
Building configuration...
Current configuration : 702 bytes
!
interface Serial0/0/0
 ip address 155.0.0.5 255.255.255.0
 encapsulation frame-relay
 ipv6 address 2001:155::5/64
 ipv6 ospf neighbor FE80::21A:A2FF:FE64:DF80
 ipv6 ospf neighbor FE80::20D:28FF:FE70:2040
 ipv6 ospf 1 area 0
 ipv6 ospf authentication ipsec spi 300 md5 12345678ABCDEF12345678ABCDEF1234
 frame-relay map ipv6 2001:155::2 502 broadcast
 frame-relay map ipv6 FE80::21A:A2FF:FE64:DF80 502 broadcast
 frame-relay map ipv6 2001:155::1 501 broadcast
 frame-relay map ipv6 FE80::20D:28FF:FE70:2040 501 broadcast
 frame-relay map ip 155.0.0.4 504 broadcast
 frame-relay map ip 155.0.0.1 501 broadcast
 frame-relay map ip 155.0.0.3 503 broadcast
 frame-relay map ip 155.0.0.2 502 broadcast
end

r5#sh ipv6 ospf neigh
Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
12.12.12.12       1   FULL/DR         00:01:57    5               Serial0/0/0
N/A               0   ATTEMPT/DROTHER    -        5               Serial0/0/0
r5#

Our relationship with r1 has gone down because we have enabled authentication on r5 and r1 is not authenticating yet, while our relationship with r2 has come up as both ends are authenticating.

Configuring the same authentication on r1 will bring the OSPF adjacency with r1 back up.
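
A pre-change check for the failure seen in this lab, as an added example that is not from the original post: it parses the interface configuration of every router on one shared link and reports OSPFv3 interfaces that lack the authentication line or disagree on SPI, algorithm or key. The function names and the trimmed sample blocks are constructed for illustration, and keys are assumed to be stored unencrypted as in the sh run output above.

```python
import re

KEY_HEX_LEN = {"md5": 32, "sha1": 40}  # hex digits IOS expects per algorithm
AREA_RE = re.compile(r"^\s*ipv6 ospf \d+ area \S+\s*$")
AUTH_RE = re.compile(r"^\s*ipv6 ospf authentication ipsec spi (\d+) (md5|sha1) "
                     r"(?:([07]) )?([0-9A-Fa-f]+)\s*$")
LAB_KEY = "12345678ABCDEF12345678ABCDEF1234"  # key used in the lab above
# Constructed sample: the three serial interfaces at the point where r2 and r5
# carry the authentication line and r1 does not (unrelated lines trimmed).
SAMPLE = {
    "r1": "interface Serial0/0\n ipv6 ospf 1 area 0\n",
    "r2": "interface Serial0/0\n ipv6 ospf 1 area 0\n"
          f" ipv6 ospf authentication ipsec spi 300 md5 {LAB_KEY}\n",
    "r5": "interface Serial0/0/0\n ipv6 ospf 1 area 0\n"
          f" ipv6 ospf authentication ipsec spi 300 md5 {LAB_KEY}\n",
}

def parse_interface(text):
    """Return (ospf_enabled, auth); auth is (spi, alg, key_type, key) or None."""
    ospf, auth = False, None
    for line in text.splitlines():
        ospf = ospf or bool(AREA_RE.match(line))
        m = AUTH_RE.match(line)
        if m:
            auth = (int(m.group(1)), m.group(2), m.group(3) or "0", m.group(4).upper())
    return ospf, auth

def audit_link(configs):
    """Audit every OSPFv3 interface on one shared link; return a list of findings."""
    findings, seen = [], set()
    for name in sorted(configs):
        ospf, auth = parse_interface(configs[name])
        if not ospf:
            continue
        if auth is None:
            findings.append(f"{name}: OSPFv3 enabled without IPsec authentication")
            continue
        spi, alg, key_type, key = auth
        if key_type == "7":  # stored encrypted: length and equality cannot be judged
            findings.append(f"{name}: key is type 7, compare it by hand")
            continue
        seen.add((spi, alg, key))
        if spi < 256:
            findings.append(f"{name}: SPI {spi} is below the minimum of 256")
        if len(key) != KEY_HEX_LEN[alg]:
            findings.append(f"{name}: {alg} key has {len(key)} hex digits, expected {KEY_HEX_LEN[alg]}")
    if len(seen) > 1:
        findings.append("link: SPI, algorithm or key differ between routers")
    return findings
```

audit_link(SAMPLE) returns a single finding, for r1, which is the router whose adjacency to r5 dropped in the lab.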
