OSPF Authentication tips

Authentication in OSPF isn’t all that mysterious.  But there are a few points that can trip people up.  Here are 3 different things to be aware of.  All of these tips are on the IP Expert BLS videos.

Authenticating with an unspecified password

Regardless of if you use plain text authentication or an MD5 hash, you can actually enable authentication, not specify a password, and have the neighbors stay up.  For instance, setup OSPF and get your neighbors up.  Go to one of your interfaces and enter the “ip ospf authentication” command.  Eventually, the neighbor on the other side of the link will go away.  Configure the same command on the other side of the link, and the neighbor will come back up.  Even though you didn’t specify a password.

Now this can get you into trouble if the lab says to use a specific password.  You might forget, but everything will continue to work.  So you think you got the points where you didn’t.

Another pitfall that falls in this category is if the lab asks you to use md5 authentication with a password of Cisco.  So you configure “ip ospf authentication message-digest” and “ip ospf authentication-key cisco”.  Everything comes up, and you think you got the points.  Well, you didn’t because the ip ospf authentication-key specifies a clear-text password.  To configure the md5 password, you need to use “ip ospf message-digest-key” command.  So on the lab, be careful that you are entering the correct commands and properly verifying using the “show ip ospf interface” command.

MD5 key number mismatch

Another tip that you might not know is that the MD5 key numbers need to match in addition to the password.  So if the interface on one side of the link uses key 1, and the interface on the other side used key 2, the routers will not become neighbors.  If you do a debug, you’ll see the following message.

*Mar  1 00:19:44.943: OSPF: Rcv pkt from 10.10.20.1, Serial0/0 : Mismatch Authentication Key – No message digest key 2 on interface

Area 0 authentication and virtual links

One last tip comes when area 0 is setup for authentication and you use virtual links.  If you run into this scenario, you need to configure authentication on the virtual link.  If you don’t, you’ll configure the virtual link, but nothing will come up.  Debugs will show the message below on the far end router.

*Mar  1 00:34:36.771: OSPF: Rcv pkt from 10.10.20.1, OSPF_VL0 : Mismatch Authentication type. Input packet specified type 1, we use type 0

The configuration needs to be entered on the virtual link using “area x virtual-link x.x.x.x authentication” commands.

Why I like the new Cisco 360 program

It pretty much comes down to 1 word.  Competition.  It’ll be interesting to the what sort of success the program enjoys.  But we can see how it has affected the CCIE training industry already.  The other vendors are definitely stepping their games to compete.

Not a lot of companies could step into the CCIE training market and cause this big of a stir.  I think most people would agree that Cisco will grab a appreciable share of the corporate paid training dollars.  Authorized training will probably be the top choice from a company purchasing training for their employees.  Most likely, the 3rd party training market will see reduced revenues overall.  So it becomes important for them to step up their offerings in order to grab as many customers as they can.

So what have we seen so far?  Well, IP Expert has made a number of additions to their company.  The CCIE Blog site launched, which has seen some good traffic.  They also announced the IP Exert University.  Although in terms of real benefit to the CCIE candidates, these changes aren’t overly beneficial.  They did update a number of their workbook labs.  I haven’t had time to check those out yet.  But their biggest offering probably was the Blended Learning Solution (BLS) that came out a number of months back.  But that was after they were aware of Cisco’s impending offering. So far the BLS has had great success and good reviews.  I have been using it in my studies so far and have been very happy with it.

Internetwork Expert has probably announced the most impressive changes lately.  With their new program (dubbed the CCIE 2.0), they will be offering a more interactive approach to training.  I believe this is in direct response to the Cisco 360 program, which also features an interactive learning approach.  Not all of the details are out yet, but the high-level overview showed a program that adapts to your progress.  Sounds great in theory.  We’ll just have to see how well it gets implemented.  But if that turns out to be a success, I could see it being a considerable advantage over the other vendors.

In the end, whether people enroll in the 360 program or not, I think we all benefit from it.

Internetwork Expert’s CCIE 2.0 Program

OK, I have to admit that I wish they had chosen something different than CCIE 2.0 to call their product.  It just brings to mind the web 2.0 buzzword that didn’t really mean much and nobody could tell you what it meant.  That being said, I am pretty excited about this program.  I was unfortunately unable to attend the live broadcast of the announcement, but I caught the recording later that day.

This appears to be the evolution (and possibly replacement to) their end-to-end program.  The main theme of the program is instructor/student interaction throughout the entire lab preparation process, and adaptive training materials.   I’m pretty sure this is to compete with some of the similar concepts in the new Cisco 360 program.

The details of the program will be released in a webcast on Wednesday, November 12.  You can sign up for it here.  But the high-level overview showed some interesting features.  The program kicks off with an assessment test to see where you are at.  Based on that, a curriculum will be designed for you that focuses your studies in the areas where you need it.  Throughout the program, there will be subsequent assessments to track your progress.

This isn’t anything earth-shattering.  Most people do this on their own to one extent or another.  But I do think that it will help streamline your studies.  I equate it to having a personal trainer or financial adviser.  Yeah, you can do the planning and logistical work yourself.  But why not let someone with much more experience than you lead you along the path?  The biggest benefit that I see from this should be increasing your odds of passing the lab on your first try.

Another big item announced was that IE would be taking the path of continual incremental updates to their products as opposed to full updates with long periods of time in between.  I’m not so sure how I like this.  It’s a good idea, but I think I may have a problem with it personally.  For some reason, I see myself going over videos/labs on a certain topic, moving on to others things, and then seeing that those old topic materials were updated.  Then I’ll be thinking, do I go back and look at the updated materials?  Maybe there is some new stuff that’ll help me on the lab.  Of course, that could greatly extend the time of my studies.  It could be a detriment to those personalities would are prone to overpreparing.  But as long as they are working with their training advisers, it should be all good.

One of the last big items was the announcement of polymorphic labs.  So rather than have static labs for people to go through, the poly labs will adapt to your strengths and weaknesses.  So you won’t have to focus on the subjects that you already have mastered.  This should get you more benefit out of the labs.

So these are some great changes that I think will really transform CCIE studying.  The real question will be if the execution of the program will match the marketing.  I sure hope that it does.  If so, I think it’ll be a definite step forward in CCIE training.  I have a month or 2 before I start my lab preparation (still working on the written test).  So I’ve got some time to see how the program goes before making a decision.  But I have my fingers crossed.