Saturday, May 28, 2011

Configure ASA Failover

In this article I will explain how to configure failover on a Cisco ASA.
The product used in this article is an ASA5520-BUN-K9. The ASA 5520 has a failover license included.

The ASA 5520 has 4 Gigabit interfaces and 1 management interface. The management interface is a FastEthernet interface.

Instead of using one of the Gigabit interfaces for the failover link, we will use the management interface.

The primary unit:

failover lan unit primary
We configured this unit as primary.
failover lan interface FAILOVERINT Management0/0
We specified the Management0/0 interface to be used as the failover interface, named FAILOVERINT.
failover interface ip FAILOVERINT 192.168.1.1 255.255.255.252 standby 192.168.1.2
We assigned the active and standby IP addresses to the failover link.
failover link FAILOVERINT Management0/0
This specifies the interface to be used as the stateful failover link. Once you add this command, the Management0/0 interface cannot be used for anything other than failover.
failover polltime unit 1 holdtime 5
failover polltime interface 1 holdtime 5
These two commands set the poll interval and the holdtime. If one interface goes down on the primary ASA, the secondary ASA takes over. The active/standby failover state does not become healthy again until the interface that went down comes back up, and the holdtime determines how long it takes the ASA failover status to learn that the interface is up again; only then is the failover pair ready for a second failure. Configure this holdtime as low as possible, especially when, as in our case, a dedicated physical interface is used for failover.

failover
This enables failover.

interface Management0/0
description this interface is used for failover
no shut
On the interface dedicated to failover, we must not configure anything except bringing the interface up.

The secondary unit:

failover lan unit secondary
We configured this unit as secondary.
failover lan interface FAILOVERINT Management0/0
We specified the Management0/0 interface to be used as the failover interface.
failover interface ip FAILOVERINT 192.168.1.1 255.255.255.252 standby 192.168.1.2
We assigned the same active and standby IP addresses to the failover link.
failover
We enabled failover.

interface Management0/0
description this interface is used for failover
no shut
We brought up the Management0/0 interface that will be used for failover.
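The rules above (one primary and one secondary, the same failover interface and IP pair on both units, nothing but "no shut" on the dedicated port) can be checked mechanically before the pair is joined. The following is an added example, not code from the article or from Cisco; it parses two constructed copies of the snippets above with regular expressions and assumes the interface sub-commands are indented as the ASA prints them.

```python
import re

# Constructed copies of the two snippets from this article (sub-commands indented
# as the ASA shows them). On real units you would feed in `show running-config`.
PRIMARY = """
failover lan unit primary
failover lan interface FAILOVERINT Management0/0
failover interface ip FAILOVERINT 192.168.1.1 255.255.255.252 standby 192.168.1.2
failover link FAILOVERINT Management0/0
failover polltime unit 1 holdtime 5
failover polltime interface 1 holdtime 5
failover
interface Management0/0
 description this interface is used for failover
 no shut
"""
SECONDARY = PRIMARY.replace("unit primary", "unit secondary")

def _iface_block(cfg, name):
    """Sub-commands configured under `interface <name>`, stripped of indentation."""
    m = re.search(rf"^interface {re.escape(name)}\n((?:[ \t].*\n)*)", cfg, re.M)
    return [l.strip() for l in m.group(1).splitlines() if l.strip()] if m else []

def check_pair(primary, secondary):
    """Return the rules from the article that the pair violates (empty = consistent)."""
    findings, both = [], (primary, secondary)
    roles = [re.search(r"^failover lan unit (\w+)", c, re.M) for c in both]
    if not all(roles) or {r.group(1) for r in roles} != {"primary", "secondary"}:
        findings.append("one unit must be 'primary' and the other 'secondary'")
    lan = [re.search(r"^failover lan interface (\S+) (\S+)", c, re.M) for c in both]
    if not all(lan) or lan[0].groups() != lan[1].groups():
        findings.append("failover lan interface name/port differ between units")
    ips = [re.search(r"^failover interface ip .*$", c, re.M | re.I) for c in both]
    if not all(ips) or ips[0].group(0).lower() != ips[1].group(0).lower():
        findings.append("failover interface ip line must be identical on both units")
    for label, cfg in zip(("primary", "secondary"), both):
        if not re.search(r"^failover$", cfg, re.M):
            findings.append(f"{label}: failover is not enabled")
        if not lan[0]:
            continue
        sub = _iface_block(cfg, lan[0].group(2))
        # The failover port must carry nothing except being brought up.
        extra = [s for s in sub if s.split()[0] in ("nameif", "ip", "security-level")]
        if extra:
            findings.append(f"{label}: failover port carries extra config {extra}")
        if not any(s.startswith("no shut") for s in sub):
            findings.append(f"{label}: failover port is not brought up")
    return findings
```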

I hope this article was helpful, and my explanation was clear.


https://www.security-architecture.com

Saturday, May 14, 2011

OSPF Authentication

When we think about OSPF authentication, we have to think about the negotiation between 2 routers:
  • The authentication method: it can be either clear text (type 1) or MD5 (type 2). If the authentication method differs between the 2 routers, the neighbour relationship cannot be formed, even if the authentication method was set without setting any keys. The same applies if one router has an authentication method enabled while the other does not.
  • The authentication key. Each key has an identifier and a value (alphanumeric). The router negotiates all of its keys: the same key number on both routers must have the same value. Once there is one match, the authentication is successful.
Note that authentication method type 0 means no authentication is configured, as in this debug output:
*May 14 10:38:57.843: OSPF: Rcv pkt from 192.168.253.5, FastEthernet1/0 : Mismatch Authentication type. Input packet specified type 2, we use type 0
The OSPF authentication method can be configured under interface configuration mode or under router configuration mode. In both cases, the authentication process occurs per interface.
For example, if I enter the commands:
router ospf 1
area 0 authentication message-digest
the router enables MD5 authentication on all interfaces that are in area 0.

Here is an example. The network is very simple: 3 routers connected to the same Ethernet network, with the network ID 192.168.253.0.

Case 1:
We will configure the authentication method on R3 to be type 1, and on R5 and R2 to be type 2.

Router R5:
router ospf 1
log-adjacency-changes
network 192.168.253.5 0.0.0.0 area 0
interface FastEthernet0
ip address 192.168.253.5 255.255.255.0
ip ospf authentication message-digest
speed auto
end

Router R2:
router ospf 1
log-adjacency-changes
area 0 authentication message-digest
network 192.168.253.2 0.0.0.0 area 0
interface FastEthernet1/0
ip address 192.168.253.2 255.255.255.0
duplex auto
speed auto
end

Router R3:
router ospf 1
log-adjacency-changes
network 192.168.253.3 0.0.0.0 area 0
interface FastEthernet0
ip address 192.168.253.3 255.255.255.0
ip ospf authentication
speed auto

As you can see, on R2 I configured the authentication method under the router configuration mode:
 area 0 authentication message-digest  ; enables authentication type 2 on all interfaces that are in area 0
While on R3 and R5 we configured the authentication method under the interface configuration mode:
ip ospf authentication ; enables authentication type 1 on interface f0 (R3)
ip ospf authentication message-digest  ; enables authentication type 2 on interface f0 (R5)

If we try to see the neighbour relationship on R3, none is shown:
Router R3:
R3#show ip ospf neigh
R3#

This is the debug output on Router R5:
00:25:01: OSPF: Rcv pkt from 192.168.253.3, FastEthernet0 : Mismatch Authentication type. Input packet specified type 1, we use type 2
00:25:05: OSPF: Send with youngest Key 0
00:25:11: OSPF: Rcv pkt from 192.168.253.3, FastEthernet0 : Mismatch Authentication type. Input packet specified type 1, we use type 2

Now if we change the authentication method on R3, the neighbour relationship is formed:
R3:
int f0
ip ospf authentication message-digest

R3#show ip ospf neigh
Neighbor ID Pri State Dead Time Address Interface
192.168.253.5 1 FULL/DR 00:00:38 192.168.253.5 FastEthernet0
172.18.20.20 1 FULL/BDR 00:00:31 192.168.253.2 FastEthernet0
R3#
You can see the authentication type by using the command show ip ospf int:
R2#show ip ospf int f1/0
FastEthernet1/0 is up, line protocol is up
Internet Address 192.168.253.2/24, Area 0
Process ID 1, Router ID 172.18.20.20, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 192.168.253.5, Interface address 192.168.253.5
Backup Designated router (ID) 172.18.20.20, Interface address 192.168.253.2
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:05
Supports Link-local Signaling (LLS)
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 192.168.253.5 (Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
No key configured, using default key id 0

If you see that no key is configured, the router uses the default key id 0, which by default has no value.

Case 2:
Now that the authentication method negotiation was successful, let us configure the keys.
For clear text authentication (method type 1), you can configure only 1 key:
int f0
ip ospf authentication-key blogkey
where blogkey is the alphanumeric key. This negotiation is simple: there is only 1 key, and its alphanumeric value must match on both routers.

For MD5 authentication (method type 2), you can configure as many keys as you want. Each pair of routers checks their key-ids, and when a key-id matches they negotiate the alphanumeric key:
int f0
ip ospf message-digest-key 30 md5 blogmd5key

If no key-id with the same alphanumeric value is found on both routers, the negotiation fails and the neighbour relationship is not established.
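To make the two checks above concrete (the type mismatch of Case 1 and the key-id and key value matching of Case 2), here is an added example that is not from the article or from Cisco IOS. It builds OSPFv2 packets authenticated with AuType 0, 1 or 2 as described in RFC 2328 Appendix D and performs the receiver-side checks; the Router ID, keys and key-id 30 are taken from the page, the checksum is left zero, and the crypto sequence-number replay check is omitted.

```python
import hashlib
import struct

# OSPFv2 header AuType values (RFC 2328, Appendix D).
AU_NULL, AU_SIMPLE, AU_CRYPTO = 0, 1, 2

def _header(au_type, auth8, body):
    # Version 2, type 1 (Hello), length, Router ID 192.168.253.5 (from the page),
    # Area 0, checksum (left 0; not what this example is about), AuType, auth field.
    return struct.pack("!BBH4s4sHH8s", 2, 1, 24 + len(body),
                       bytes([192, 168, 253, 5]), bytes(4), 0, au_type, auth8) + body

def build(au_type, body, key=b"", key_id=0, seq=1):
    """Build a packet the way a sending interface configured for `au_type` would."""
    if au_type == AU_NULL:
        return _header(AU_NULL, bytes(8), body)
    if au_type == AU_SIMPLE:
        # Type 1: the clear-text key (max 8 bytes) travels in the Authentication field.
        return _header(AU_SIMPLE, key.ljust(8, b"\0"), body)
    # Type 2: Authentication field = 0, Key ID, digest length (16), sequence number.
    # MD5(packet || key zero-padded to 16 bytes) is appended after the packet and
    # is not counted in the header length field.
    pkt = _header(AU_CRYPTO, struct.pack("!HBBI", 0, key_id, 16, seq), body)
    return pkt + hashlib.md5(pkt + key.ljust(16, b"\0")).digest()

def verify(pkt, au_type, keys):
    """Receiver-side check. `au_type` is the receiving interface's configured type;
    `keys` maps key-id -> key bytes (type 1 uses key-id 0). Returns "OK" or a reason:
    the type-mismatch text mirrors the IOS debug line on the page, the rest is
    constructed wording."""
    length = struct.unpack("!H", pkt[2:4])[0]
    rx_type, auth8 = struct.unpack("!H8s", pkt[14:24])
    if rx_type != au_type:
        return (f"Mismatch Authentication type. Input packet specified type {rx_type}, "
                f"we use type {au_type}")
    if au_type == AU_NULL:
        return "OK"
    if au_type == AU_SIMPLE:
        return "OK" if auth8 == keys.get(0, b"").ljust(8, b"\0") else "Bad authentication key"
    _, key_id, dlen, _seq = struct.unpack("!HBBI", auth8)
    if key_id not in keys:
        return f"No message digest key {key_id} on interface"
    expect = hashlib.md5(pkt[:length] + keys[key_id].ljust(16, b"\0")).digest()
    return "OK" if pkt[length:length + dlen] == expect else f"Bad message digest for key {key_id}"
```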

I hope this was helpful for OSPF authentication. Please don't hesitate to write your comments or questions.
You can follow our FTP services and solutions blog on http://www.ftp.services
