seacow

join:2012-08-21

VRF OSPF Key issue

I'm trying to make a new VRF based on what's already configured, but my OSPF routes won't update. I created an interface on the PIX-515E firewall with the same OSPF password that I'm using on the link VLAN 404, and added "network 10.30.128.32 0.0.0.7 area 0" on the FW among the other routes.

The problem is that the current VRF won't receive routes from other routers in the same Area.

What I really don't understand is that the OSPF passwords on other similar configurations do not always match between the link that connects the VRF to the FW. If I match the OSPF password on the VRF and firewall, I lose all the routes that are not directly connected.

I'm thinking my OSPF password must be entered in another location, but I have no clue where that would be, since the VRFs are local and all routes are received in area 0 on the physical local router.

!
interface Loopback5
 description TEST
 ip vrf forwarding TEST
 ip address 10.30.128.63 255.255.255.255
!
ip vrf TEST
 rd 5000:1
!
interface Vlan557
 description TEST_557
 ip vrf forwarding TEST
 ip address 10.30.128.67 255.255.255.224
 no ip redirects
!
! Vlan404 is the only VRF TEST interface carrying an OSPF MD5 key and the
! only one that is not passive in process 5000
interface Vlan404
 description link_404
 ip vrf forwarding TEST
 ip address 10.30.128.33 255.255.255.248
 ip ospf message-digest-key 1 md5 7 password
 ip ospf hello-interval 1
 ip ospf dead-interval 3
!
router ospf 5000 vrf TEST
 router-id 10.30.128.33
 log-adjacency-changes
 auto-cost reference-bandwidth 1000
 area 0 authentication message-digest
 summary-address 10.30.128.0 255.255.255.0
 redistribute connected metric 1000 metric-type 1 subnets
 passive-interface default
 no passive-interface Vlan404
 ! 10.30.128.32/29 covers .32-.39, so only Vlan404 (.33) is OSPF-enabled here;
 ! Loopback5 (.63) and Vlan557 (.67) enter OSPF only via redistribute connected
 network 10.30.128.32 0.0.0.7 area 0
!
router ospf 1000
 router-id 10.200.128.33
 log-adjacency-changes
 auto-cost reference-bandwidth 1000
 area 0 authentication message-digest
 summary-address 10.200.128.0 255.255.254.0
 summary-address 10.201.128.0 255.255.248.0
 redistribute connected metric 1000 metric-type 1 subnets
 passive-interface default
 no passive-interface Vlan403
 no passive-interface Vlan453
 no passive-interface Vlan454
 no passive-interface FastEthernet0/1
 network 10.200.128.16 0.0.0.3 area 0
 network 10.200.128.24 0.0.0.3 area 0
 network 10.200.128.32 0.0.0.7 area 0

Any Help would be appreciated

Thanks.

nosx

join:2004-12-27
kudos:5
If you remove the area 0 authentication line does it work?
None of the interfaces in the VRF have the "ip ospf message-digest-key 1 md5 7 password" config line.


tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1
'debug ip ospf adj' or so here would help.
also -- are you entering md5 salted hashes, or cleartext keys on both ends? have you ensured no trailing whitespace on both ends?

any diagram of what you're looking to accomplish?

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."

seacow

join:2012-08-21
I'll try the debug ospf cmd and I will also try without the key.

I'm entering the key in cleartext on both ends. I'm sure there is no whitespace after the password; I've decrypted all the keys to make sure they are correct.

I don't have any diagram yet other than a hand-written one. I'm trying to add a new isolated network in a campus environment that will be reachable through a link between 2 campuses. On one side it's all built with VLANs and there's no VRF; on the other side VRFs are used to group VLANs and isolate them from one another. There's a VLAN that is dedicated to making the link between the 2 campuses. An external firm that has computers in both campuses would like to use the link we have between the 2 campuses to access their computers on both ends. So I created 2 new subnets completely outside the currently used subnets: 10.30.128.0/24 (later subdivided because of the VRF) on one side and 10.30.48.0/24 for the other campus.


tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1
said by seacow:

I'll try the debug ospf cmd and I will also try without the key.

just for kicks and grins -- it may be worthwhile just to also enter the text so that it auths as a string -- rather than an md5 hash.
i've seen weird behaviours around this at times (highly code and platform dependent) but i've been able to get auth via cleartext but not with md5. however -- when i do authentication -- when working by hand -- i always try it in stages (see what i get without any trickery, then add layer by layer until i accomplish what i want). i'm not the fastest at times -- but my stuff usually works at the end of the day.

q.

seacow

join:2012-08-21
I've tried without Auth and it still doesn't work. The debug command won't show anything but I'm in a lab environment.

When I do "show ip ospf neighbors" my VRF doesn't show up as a neighbor; other VLANs that work do show up in that list.


tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1
said by seacow:

I've tried without Auth and it still doesn't work. The debug command won't show anything but I'm in a lab environment.

When I do "show ip ospf neighbors" my VRF doesn't show up as a neighbor; other VLANs that work do show up in that list.

full configs would help -- but do you have timers set equally on both sides?

the debug command should give you an idea. it will show all adjacency events. if you're not getting anything with that -- you need to see whether or not you're speaking ospf the same way on the devices (i.e. are you multicast capable? do you need neighbours?). router-id issues? duplicate ips? ospf enabled correctly on the interfaces?

q.

seacow

join:2012-08-21
I found the problem; it was something really stupid.

I was missing "switchport access vlan 404" on the trunked link that leads to the FW. It was my first time messing around with VRFs. I got a better understanding now of how everything goes together on the router and firewall. I wasn't getting anything out of the debug command.


tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1
said by seacow:

I wasn't getting anything out of the debug command.

which means that it wasn't trying. connectivity is a logical follow-through with that.

glad you got it working.

q.
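The two things this thread turned on can be checked statically before anyone reaches for `debug ip ospf adj`: an OSPF-active interface whose area demands MD5 but carries no `ip ospf message-digest-key` (nosx's point), and an OSPF-active SVI whose VLAN the uplink trunk does not actually carry (the root cause seacow found). The script below is an added example and not from the thread or any of its posters. Its CONFIG is constructed: Vlan404 and the two `router ospf` blocks are trimmed from the config posted above, while the Vlan453 SVI without a key and the GigabitEthernet0/1 trunk with its allowed-VLAN list are hypothetical and do not appear anywhere in the thread; the allowed list deliberately omits 404 to reproduce the failure.

```python
"""Pre-flight checks for OSPF adjacencies in a Cisco IOS config (added example, not
from the thread). CONFIG is constructed: Vlan404 and the two router ospf blocks are
trimmed from the thread; Vlan453 and the GigabitEthernet0/1 trunk are hypothetical."""
import ipaddress

CONFIG = """\
interface Vlan404
 ip vrf forwarding TEST
 ip address 10.30.128.33 255.255.255.248
 ip ospf message-digest-key 1 md5 7 password
!
interface Vlan453
 ip address 10.200.128.25 255.255.255.252
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 403,453,454
!
router ospf 5000 vrf TEST
 area 0 authentication message-digest
 passive-interface default
 no passive-interface Vlan404
 network 10.30.128.32 0.0.0.7 area 0
!
router ospf 1000
 area 0 authentication message-digest
 passive-interface default
 no passive-interface Vlan453
 network 10.200.128.24 0.0.0.3 area 0
"""

def vlan_set(spec):
    """Expand an IOS VLAN list such as '1,403-405' into a set of ints."""
    return {v for part in spec.split(",") for lo, _, hi in [part.partition("-")]
            for v in range(int(lo), int(hi or lo) + 1)}

def parse(text):
    """One pass over the config: returns ({interface name: attrs}, [ospf processes])."""
    intfs, procs, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        w = line.split()
        if not raw.startswith(" "):                       # column 0 = block header
            cur = None
            if w[0] == "interface":
                cur = intfs[w[1]] = {"name": w[1], "vrf": None, "ip": None,
                                     "md5": False, "trunk_vlans": None}
            elif w[:2] == ["router", "ospf"]:             # router ospf <pid> [vrf <name>]
                cur = {"pid": w[2], "vrf": w[4] if len(w) > 4 else None, "nets": [],
                       "md5_areas": set(), "passive_default": False, "active": set()}
                procs.append(cur)
        elif cur is not None and "name" in cur:           # interface sub-command
            if w[:3] == ["ip", "vrf", "forwarding"]:
                cur["vrf"] = w[3]
            elif w[:2] == ["ip", "address"]:
                cur["ip"] = int(ipaddress.IPv4Address(w[2]))
            elif w[:3] == ["ip", "ospf", "message-digest-key"]:
                cur["md5"] = True
            elif w[:4] == ["switchport", "trunk", "allowed", "vlan"]:
                cur["trunk_vlans"] = vlan_set(w[4])       # plain list only; add/remove forms not handled
        elif cur is not None:                             # router ospf sub-command
            if w[0] == "network":                         # network <addr> <wildcard> area <id>
                cur["nets"].append((int(ipaddress.IPv4Address(w[1])),
                                    int(ipaddress.IPv4Address(w[2])), w[4]))
            elif w[0] == "area" and w[2:] == ["authentication", "message-digest"]:
                cur["md5_areas"].add(w[1])
            elif line == "passive-interface default":
                cur["passive_default"] = True
            elif w[:2] == ["no", "passive-interface"]:
                cur["active"].add(w[2])
    return intfs, procs

def audit(text):
    """Findings for OSPF-active interfaces that cannot form an adjacency as configured."""
    intfs, procs = parse(text)
    trunks = [t for t in intfs.values() if t["trunk_vlans"] is not None]
    findings = set()
    for i in intfs.values():
        for p in procs:
            if p["vrf"] != i["vrf"] or i["ip"] is None:
                continue
            # IOS wildcard match: every bit where the wildcard is 0 must agree
            area = next((a for n, wc, a in p["nets"] if (i["ip"] ^ n) & ~wc == 0), None)
            if area is None or (p["passive_default"] and i["name"] not in p["active"]):
                continue                                  # not enabled here, or passive (sends no hellos)
            if area in p["md5_areas"] and not i["md5"]:
                findings.add(f"{i['name']}: ospf {p['pid']} area {area} requires message-digest "
                             "but the interface has no ip ospf message-digest-key")
            vid = int(i["name"][4:]) if i["name"].startswith("Vlan") else None
            for t in trunks:
                if vid is not None and vid not in t["trunk_vlans"]:
                    findings.add(f"{i['name']}: VLAN {vid} is not allowed on trunk {t['name']}, "
                                 "so its hellos never leave the switch")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(CONFIG)))
```

Run against the constructed CONFIG it reports exactly the two conditions from the thread: Vlan404 is correct at layer 3 (key present, matched by its network statement, non-passive) but its VLAN is missing from the trunk, and Vlan453 is OSPF-active in an MD5 area with no key. Adding 404 to the trunk's allowed list clears the first finding. The wildcard match is the same rule IOS applies to `network` statements, which is also why Loopback5 and Vlan557 in the posted config are not OSPF-enabled and only show up through `redistribute connected`.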