The other day I was at work doing an interoperability test with Cisco and Brocade multilayer switches, and we ran into a strange issue that really highlighted my “tunnel vision” for the Cisco world.
We were setting up basic OSPF stuff using md5 authentication and we couldn’t get the Cisco and Brocade to form an adjacency. A debug ip ospf adjacency command on the Cisco switch revealed that the Cisco was using “type 2” authentication, and the Brocade was using “type 0”.
Here’s a quick breakdown of the authentication types:
Type 0 - No authentication
Type 1 - Clear text authentication
Type 2 - MD5 authentication
I set up a SPAN on the Cisco switch and sure enough, we were getting the OSPF Hello packets from the Brocade with no authentication.
After some digging, it turns out the Brocade has an Auth-Change-Wait-Time command in interface configuration mode, which is set to 300 seconds (5 minutes) by default. While I don’t quite understand it, the description states it allows for graceful authentication implementation: after you enable MD5 on the interface, the Brocade waits 300 seconds before actually sending OSPF Hellos with authentication, so during that window the Cisco, which already requires type 2, keeps seeing unauthenticated Hellos. We toyed around with it and took a packet capture to confirm the behavior, then set it to 0 so that Hellos were sent with authentication immediately, and we were good to go.
Here’s a screenshot of the behavior in Wireshark with the parameter set to 20 seconds. You’ll see the OSPF adjacency start forming at almost exactly 20 seconds.
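As an added example (not from the original post), here is a small Python check for the mismatch described above: it builds constructed OSPFv2 Hellos with AuType 0 and AuType 2 using the RFC 2328 Appendix D framing, reports which AuType each Hello carries, and verifies a type 2 digest against a candidate key. The router IDs, key and packet contents are made up, and the OSPF checksum is left at zero in the samples.

```python
import hashlib
import hmac
import struct

# OSPFv2 header: version, type, length, router ID, area ID, checksum, AuType; then 8 bytes of Authentication.
OSPF_HDR = "!BBHIIHH"
AUTYPES = {0: "type 0 (null)", 1: "type 1 (clear text)", 2: "type 2 (MD5)"}

def build_hello(router_id, area_id, autype, key=b"", key_id=1, seq=1):
    """Construct a minimal OSPFv2 Hello (constructed sample, not a capture).
    The checksum is left at 0 because it is not what this check inspects."""
    # Hello body: netmask, HelloInterval, options, priority, RouterDeadInterval, DR, BDR
    body = struct.pack("!IHBBIII", 0xFFFFFF00, 10, 0x02, 1, 40, 0, 0)
    length = 24 + len(body)
    hdr = struct.pack(OSPF_HDR, 2, 1, length, router_id, area_id, 0, autype)
    if autype == 2:
        # RFC 2328 D.4.3: the auth field carries 0, key ID, auth data length (16) and a sequence number;
        # MD5 runs over packet || key (zero-padded to 16 bytes) and the digest is appended after the packet.
        pkt = hdr + struct.pack("!HBBI", 0, key_id, 16, seq) + body
        return pkt + hashlib.md5(pkt + key.ljust(16, b"\0")[:16]).digest()
    if autype == 1:
        return hdr + key.ljust(8, b"\0")[:8] + body   # clear text password sits in the auth field
    return hdr + b"\0" * 8 + body                    # type 0: auth field unused

def inspect_hello(pkt, key=None):
    """Return (AuType label, digest_ok); digest_ok is None unless AuType is 2 and a key was supplied."""
    version, ptype, length, _rid, _aid, _cksum, autype = struct.unpack(OSPF_HDR, pkt[:16])
    if version != 2 or ptype != 1:
        raise ValueError("not an OSPFv2 Hello")
    digest_ok = None
    if autype == 2 and key is not None:
        _zero, _key_id, auth_len, _seq = struct.unpack("!HBBI", pkt[16:24])
        expected = hashlib.md5(pkt[:length] + key.ljust(16, b"\0")[:16]).digest()
        digest_ok = hmac.compare_digest(pkt[length:length + auth_len], expected)
    return AUTYPES.get(autype, f"type {autype} (unknown)"), digest_ok

def unauthenticated_hellos(pkts, expected_autype=2):
    """Defender-side check: labels of Hellos on a segment that do not use the expected AuType."""
    return [inspect_hello(p)[0] for p in pkts
            if struct.unpack(OSPF_HDR, p[:16])[6] != expected_autype]

if __name__ == "__main__":
    cisco = build_hello(0x0A000001, 0, 2, key=b"s3cret")      # what the MD5-enabled side sends
    brocade_waiting = build_hello(0x0A000002, 0, 0)           # peer still inside its auth-change wait time
    print(inspect_hello(cisco, key=b"s3cret"))                # ('type 2 (MD5)', True)
    print(unauthenticated_hellos([cisco, brocade_waiting]))   # ['type 0 (null)']
```

Running the same check over Hellos pulled from a SPAN capture shows in one line whether a neighbor is still sending type 0 while the other side already expects type 2.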