Network Bulls
www.networkbulls.com
You can configure EIGRP neighbor authentication, also known as neighbor router authentication
or route authentication, such that routers can participate in routing based on predefined passwords.
By default, no authentication is used for EIGRP packets. EIGRP can be configured to use Message
Digest Algorithm 5 (MD5) authentication.
When you configure neighbor authentication on a router, the router authenticates the source of
each routing update packet that it receives. For EIGRP MD5 authentication, you must configure
an authenticating key and a key ID on both the sending and the receiving router. The key is
sometimes referred to as a password.
The MD5 keyed digest in each EIGRP packet prevents the introduction of unauthorized or false
routing messages from unapproved sources.
Each key has its own key ID, which the router stores locally. The combination of the key ID and
the interface that is associated with the message uniquely identifies the MD5 authentication key
in use.
Implementing EIGRP 185
EIGRP enables you to manage keys by using key chains. Each key definition within the key chain
can specify a time interval for which that key is activated (its lifetime). Then, during the lifetime
of a given key, routing update packets are sent with this activated key. Only one authentication
packet is sent, regardless of how many valid keys exist. The software examines the key numbers
in order from lowest to highest, and it uses the first valid key that it encounters.
Keys cannot be used during time periods for which they are not activated. Therefore, it is
recommended that for a given key chain, key activation times overlap to avoid any period of time
for which no key is activated. If a time exists during which no key is activated, neighbor
authentication cannot occur, and therefore, routing updates fail.
Creating a Key Chain
Perform the following steps to create a key chain:
Step 1 Enter the key chain command to enter the configuration mode for the key
chain. The value provided for the name-of-chain parameter for the key
chain command indicates the name of the authentication key chain from
which a key is to be obtained.
Step 2 Use the key command to identify a key ID to use, and enter configuration
mode for that key. The value provided for the key-id parameter of the key
command indicates the ID number of an authentication key on a key chain.
The range of keys is from 0 to 2147483647. The key ID numbers need not
be consecutive.
Step 3 Use the key-string command to identify the key string (password) for this
key. The value provided for the text parameter of the key-string command
indicates the authentication string that is to be used to authenticate sent and
received EIGRP packets. The string can contain from 1 to 80 uppercase and
lowercase alphanumeric characters. The first character cannot be a number,
and the string is case sensitive.
Step 4 Optionally, use accept-lifetime to specify the time during which this key is
accepted for use on received packets. If you do not enter an accept-lifetime
command, the time is infinite. Table 5-7 describes the accept-lifetime
command parameters.
NOTE The routers must know the correct time to rotate through keys in synchronization with
the other participating routers. This ensures that all the routers are using the same key at the
same moment.
Step 5 Optionally, specify the time during which this key can be used for sending
packets using the send-lifetime command. If you do not enter a send-lifetime
command, the time is infinite. Table 5-8 describes the send-lifetime
command parameters.
Table 5-7 accept-lifetime Parameters

Parameter   Description

start-time  Beginning time that the key specified by the key command is valid for use on
            received packets. The syntax can be either of the following:
                hh:mm:ss month date year
                hh:mm:ss date month year
            where hh is hours, mm is minutes, ss is seconds, month is the first three
            letters of the name of the month, date is the day of the month (1-31), and
            year is the four-digit year. The default start time, and the earliest
            acceptable date, is January 1, 1993.

infinite    The key is valid for use on received packets from the start-time value on,
            with no end time.

end-time    The key is valid for use on received packets from the start-time value until
            the end-time value. The syntax is the same as that for the start-time value.
            The end-time value must be after the start-time value. The default end time
            is infinite.

seconds     Length of time (in seconds) that the key is valid for use on received
            packets. The range is from 1 to 2147483646.
Table 5-8 send-lifetime Parameters

Parameter   Description

start-time  Beginning time that the key specified by the key command is valid to be used
            for sending packets. The syntax can be either of the following:
                hh:mm:ss month date year
                hh:mm:ss date month year
            where hh is hours, mm is minutes, ss is seconds, month is the first three
            letters of the name of the month, date is the day of the month (1-31), and
            year is the four-digit year. The default start time, and the earliest
            acceptable date, is January 1, 1993.

infinite    The key is valid to be used for sending packets from the start-time value on,
            with no end time.

end-time    The key is valid to be used for sending packets from the start-time value
            until the end-time value. The syntax is the same as that for the start-time
            value. The end-time value must be after the start-time value. The default
            end time is infinite.

seconds     Length of time (in seconds) that the key is valid to be used for sending
            packets. The range is from 1 to 2147483646.
NOTE If the service password-encryption command is not used when you are implementing
EIGRP authentication, the key string is stored as plain text in the router configuration. If you
configure the service password-encryption command, the key string is stored and displayed in
an encrypted form; when it is displayed, an encryption type of 7 is specified before the encrypted
key string.
Configuring MD5 Authentication for EIGRP
To configure MD5 authentication for EIGRP, complete the following steps:
Step 1 Enter configuration mode for the interface on which you want to enable
authentication.
Step 2 Use the ip authentication mode eigrp autonomous-system md5 command
to specify that MD5 authentication is to be used for EIGRP packets. The
value provided for the autonomous-system parameter of the ip
authentication mode eigrp md5 command indicates the EIGRP AS
number in which authentication is to be used.
Step 3 Use the ip authentication key-chain eigrp autonomous-system name-of-chain
command to specify which key chain to use for the authentication of
EIGRP packets. Table 5-9 describes the parameters for this command.
Example: MD5 Authentication Configuration
Figure 5-7 shows an example network used for the configuration of EIGRP MD5 authentication
for Router X in Example 5-6.
Figure 5-7 Network Topology for EIGRP MD5 Configuration Example
Table 5-9 ip authentication key-chain eigrp Parameters
Parameter Description
autonomous-system The EIGRP AS number in which authentication is to be used
name-of-chain The name of the authentication key chain from which a key is to be obtained
Example 5-6 Configuring EIGRP MD5 Authentication on Router X

RouterX
<output omitted>
key chain RouterXchain
 key 1
  key-string firstkey
  accept-lifetime 04:00:00 Jan 1 2006 infinite
  send-lifetime 04:00:00 Jan 1 2006 04:01:00 Jan 1 2006
 key 2
  key-string secondkey
  accept-lifetime 04:00:00 Jan 1 2006 infinite
(Example 5-6 continues below.)

[Figure 5-7 is not reproduced here. It shows Router X (Fa0/0 172.16.1.1) and Router Y
(Fa0/0 172.17.2.2) connected over their Serial 0/0/1 interfaces; Router X S0/0/1 is
192.168.1.101.]
MD5 authentication is configured on the Serial 0/0/1 interface with the ip authentication mode
eigrp 100 md5 command. The ip authentication key-chain eigrp 100 RouterXchain command
specifies that the key chain RouterXchain is to be used for EIGRP AS 100.
The key chain RouterXchain command enters configuration mode for the RouterXchain key
chain. Two keys are defined. Key 1 is set to the string firstkey with the key-string firstkey command. This
key is acceptable for use on packets that are received by Router X from 4:00 a.m. (0400) on
January 1, 2006, onward, as specified in the accept-lifetime 04:00:00 Jan 1 2006 infinite
command. However, the send-lifetime 04:00:00 Jan 1 2006 04:01:00 Jan 1 2006 command
specifies that this key is valid for use only when packets are sent for one minute on January 1,
2006; afterward, it is no longer valid for use in sending packets.
Key 2 is set to the string secondkey with the key-string secondkey command. This key is acceptable for
use on packets that are received by Router X from 4:00 a.m. (0400) on January 1, 2006, onward,
as specified in the accept-lifetime 04:00:00 Jan 1 2006 infinite command. This key can also be
used when packets are sent from 4:00 a.m. (0400) on January 1, 2006, onward, as specified in the
send-lifetime 04:00:00 Jan 1 2006 infinite command.
Therefore, Router X accepts and attempts to verify the MD5 digest of any EIGRP packets with a
key ID equal to 1. Router X will also accept a packet with a key ID equal to 2. All other MD5
packets are dropped. Router X sends all EIGRP packets using key 2 because key 1 is no longer
valid for use in sending packets.
Example 5-6 Configuring EIGRP MD5 Authentication on Router X (Continued)

  send-lifetime 04:00:00 Jan 1 2006 infinite
<output omitted>
!
interface Serial0/0/1
 bandwidth 64
 ip address 192.168.1.101 255.255.255.224
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 RouterXchain

Example 5-7 shows the configuration of EIGRP MD5 authentication for Router Y in Figure 5-7.

Example 5-7 Configuring EIGRP MD5 Authentication on Router Y

RouterY
<output omitted>
key chain RouterYchain
 key 1
  key-string firstkey
  accept-lifetime 04:00:00 Jan 1 2006 infinite
  send-lifetime 04:00:00 Jan 1 2006 infinite
(Example 5-7 continues below.)
MD5 authentication is configured on the Serial 0/0/1 interface with the ip authentication mode
eigrp 100 md5 command. The ip authentication key-chain eigrp 100 RouterYchain command
specifies that the key chain RouterYchain is to be used for EIGRP AS 100.
The key chain RouterYchain command enters configuration mode for the RouterYchain key
chain. Two keys are defined. Key 1 is set to the string firstkey with the key-string firstkey command. This
key is acceptable for use on packets that are received by Router Y from 4:00 a.m. (0400) on
January 1, 2006, onward, as specified in the accept-lifetime 04:00:00 Jan 1 2006 infinite
command. This key can also be used when packets are sent from 4:00 a.m. (0400) on January 1,
2006, onward, as specified in the send-lifetime 04:00:00 Jan 1 2006 infinite command.
Key 2 is set to the string secondkey with the key-string secondkey command. This key is acceptable for
use on packets that are received by Router Y from 4:00 a.m. (0400) on January 1, 2006, onward,
as specified in the accept-lifetime 04:00:00 Jan 1 2006 infinite command. This key can also be
used when packets are sent from 4:00 a.m. (0400) on January 1, 2006, onward, as specified in the
send-lifetime 04:00:00 Jan 1 2006 infinite command.
Therefore, Router Y accepts and attempts to verify the MD5 digest of any EIGRP packets with a
key ID equal to 1 or 2. Router Y uses key 1 to send all EIGRP packets because it is the first valid
key in the key chain.
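As an added example (not from the book or from Cisco), the following Python model applies the key selection rules described for Router X and Router Y above to the RouterXchain stanza from Example 5-6, embedded as sample input: a key is usable only inside its lifetime, packets are sent with the lowest-numbered key whose send-lifetime is active, and a received packet is accepted with any key whose accept-lifetime is active. The send_gaps check audits a chain for sampled moments with no active send key, the condition the text says makes routing updates fail; the function names, the duration-form handling and the 1-minute sampling step are this example's own choices.

```python
from datetime import datetime, timedelta
INFINITE = datetime.max  # sentinel for the "infinite" keyword
FMT = "%H:%M:%S %b %d %Y"  # hh:mm:ss month date year, as in the lifetime commands
# Sample input: the RouterXchain stanza from Example 5-6 (Router X).
ROUTER_X_CHAIN = """
key chain RouterXchain
 key 1
  key-string firstkey
  accept-lifetime 04:00:00 Jan 1 2006 infinite
  send-lifetime 04:00:00 Jan 1 2006 04:01:00 Jan 1 2006
 key 2
  key-string secondkey
  accept-lifetime 04:00:00 Jan 1 2006 infinite
  send-lifetime 04:00:00 Jan 1 2006 infinite
"""
def at(text):  # "04:00:30 Jan 1 2006" -> datetime
    return datetime.strptime(text, FMT)

def parse_lifetime(tok):
    """tok = start-time tokens followed by 'infinite', an end-time, or a duration in seconds."""
    start, rest = at(" ".join(tok[:4])), tok[4:]
    if rest[0] == "infinite":
        return start, INFINITE
    if len(rest) == 1:  # duration form: number of seconds after start-time
        return start, start + timedelta(seconds=int(rest[0]))
    return start, at(" ".join(rest[:4]))

def parse_key_chain(config):
    """Return {key_id: {'accept': (start, end), 'send': (start, end)}}; key-string lines are ignored."""
    keys, cur = {}, None
    for tok in (line.split() for line in config.splitlines() if line.strip()):
        if tok[0] == "key" and tok[1] != "chain":  # "key <id>" opens a new key
            cur = int(tok[1])  # both lifetimes default to infinite until configured
            keys[cur] = {"accept": (datetime.min, INFINITE), "send": (datetime.min, INFINITE)}
        elif tok[0] in ("accept-lifetime", "send-lifetime"):
            keys[cur][tok[0].split("-")[0]] = parse_lifetime(tok[1:])
    return keys

def accepted_key_ids(keys, now):  # key IDs whose digest is verified on received packets
    return sorted(k for k, v in keys.items() if v["accept"][0] <= now <= v["accept"][1])

def send_key_id(keys, now):  # lowest-numbered key with an active send-lifetime, else None
    for k in sorted(keys):
        if keys[k]["send"][0] <= now <= keys[k]["send"][1]:
            return k
    return None

def send_gaps(keys, start, end, step=timedelta(minutes=1)):  # sampled moments with no send key
    n = int((end - start) / step) + 1
    return [start + i * step for i in range(n) if send_key_id(keys, start + i * step) is None]
```

Run against RouterXchain, send_key_id returns 1 during the one-minute window on January 1, 2006 and 2 afterwards, matching the text's conclusion that Router X sends with key 2 once key 1 is no longer valid for sending.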
Example 5-7 Configuring EIGRP MD5 Authentication on Router Y (Continued)

 key 2
  key-string secondkey
  accept-lifetime 04:00:00 Jan 1 2006 infinite
  send-lifetime 04:00:00 Jan 1 2006 infinite
<output omitted>
!
interface Serial0/0/1
 bandwidth 64
 ip address 192.168.1.102 255.255.255.224
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 RouterYchain

Verifying MD5 Authentication
Example 5-8 shows the output of the show ip eigrp neighbors and show ip route commands on
Router X.
The fact that the neighbor table shows the IP address of Router Y indicates that the two routers
have successfully formed an EIGRP adjacency. The routing table verifies that the 172.17.0.0
network has been learned through EIGRP over the serial connection. Therefore, the MD5
authentication for EIGRP must have been successful between Router X and Router Y.
The results of a ping to the Router Y FastEthernet interface address are also displayed to illustrate
that the link is working.
Summary of Implementing EIGRP
The following summarizes the key points that were discussed in the previous sections:
■ EIGRP is a classless, advanced distance vector routing protocol that runs the DUAL
algorithm.
■ EIGRP requires you to configure an autonomous system number that must match on all
routers to exchange routes.
■ EIGRP is capable of load balancing across unequal-cost paths.
■ EIGRP supports MD5 authentication to protect against unauthorized, rogue routers entering
your network.