Routing Protocol Authentication (EIGRP )
A router authenticates the source of each routing update packet that it receives. Many routing protocols support authentication like OSPF, EIGRP, ISIS, BGP, and RIPv2.
Cisco routers support of different approaches to authentication route advertisements received from a neighboring router:
- Plan text authentication
- Hashing authentication (using MD5)
Simple password authentication:
Router sends packets and key (if a routing protocol doesn’t support multiple keys, the key number associated with a routing update is 0). Neighboring router check whether key matches its key. The outing update is rejected if the keys do not match. The only routing protocols the plan text authentication are RIPv2, OSPF, and ISIS.
(for simple password authentication of OSPF and RIPv2 click here)
MD5 authentication
Configure a key (password) and key ID, router generate a message digest or hash of the key, key ID and message. Message digest is send with packet key is not sent. The neighboring router receives the update and run a hashing algorithm on the routing update with local key, the results in a hash digest. If hash digit matches, the router accept the packet, if it not the update is rejected. This process is more secure than a plain text authentication. IS-IS, OSPF, RIPv2 and EIGRP use MD5.
Before we start EIGRP configuration check out some important of EIGRP CCIE exam topics.
Here is the lists of all EIGRP labs and theories CCNA to CCIE
let see the configuration:-
Topology:
Goal:
- configure the topology as per the diagram
- configure EIGRP 65001 and advertise connected interfaces
- configure router 1 and router 2 to form a neighbours and exchange routing information only after the successful authentication process .
R1#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.1.1.1 YES manual up up
Serial3/0 1.1.1.1 YES manual up up
R2#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 20.1.1.1 YES manual up up
Serial3/0 1.1.1.2 YES manual up up
R1(config)#router eigrp 65001
R1(config-router)#network 10.0.0.0
R1(config-router)#network 1.0.0.0
R1(config-router)#end
R2(config)#router eigrp 65001
R2(config-router)#network 20.0.0.0
R2(config-router)#network 1.0.0.0
R2(config-router)#end
R1(config)#key chain internetworks
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string ccie
R1(config-keychain-key)#exit
R1(config-keychain)#exit
R1(config)#interface serial 3/0
R1(config-if)#ip authentication mode eigrp 65001 md5
*Mar 18 14:26:40.951: %DUAL-5-NBRCHANGE: EIGRP-IPv4 65001: Neighbor 1.1.1.2 (Serial3/0) is down: authentication mode changed
R1(config-if)#ip authentication key-chain eigrp 65001 internetworks
R1(config-if)#end
R2#
*Mar 18 14:26:40.903: %DUAL-5-NBRCHANGE: EIGRP-IPv4 65001: Neighbor 1.1.1.1 (Serial3/0) is down: Interface PEER-TERMINATION received
R2#
*Mar 18 14:26:45.239: %DUAL-5-NBRCHANGE: EIGRP-IPv4 65001: Neighbor 1.1.1.1 (Serial3/0) is up: new adjacency
R2#
*Mar 18 14:27:26.999: %DUAL-5-NBRCHANGE: EIGRP-IPv4 65001: Neighbor 1.1.1.1 (Serial3/0) is down: Auth failure
R2(config)#key chain internetworks
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string ccie
R2(config-keychain-key)#exit
R2(config-keychain)#exit
R2(config)#interface serial 3/0
R2(config-if)#ip authentication mode eigrp 65001 md5
R2(config-if)#ip authentication key-chain eigrp 65001 internetworks
*Mar 18 14:30:54.267: %DUAL-5-NBRCHANGE: EIGRP-IPv4 65001: Neighbor 1.1.1.1 (Serial3/0) is up: new adjacency
R2(config-if)#end
R1#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(65001)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 1.1.1.2 Se3/0 14 00:01:59 70 420 0 7
R2#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(65001)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 1.1.1.1 Se3/0 10 00:02:27 1296 5000 0 6
No comments:
Post a Comment