
Cisco Network Security Little Black Book

interface FastEthernet0/0
 ip address 10.10.13.1 255.255.255.0
!
interface Serial0/0
 ip address 192.168.10.2 255.255.255.252
 ip rip authentication mode md5
 ip rip authentication key-chain cisco
!
router rip
 version 2
 network 10.0.0.0
 network 192.168.10.0
 no auto-summary
The configuration in Listing 1.1 displays Router A's MD5 configuration. Router A is configured with a key chain value of systems, a key value of 1, and a key-string value of router. Listing 1.2 displays Router B's MD5 configuration. Router B is configured with a key chain value of cisco, a key value of 1, and a key-string value of router.
Note Notice that the key chain <name> command of each router can have a different value; however, the key-string <string> command must match for each key <number> that is configured on each neighbor.
You can use the command debug ip rip to examine how RIP receives the encrypted routing updates. Entering this command on Router A and Router B displays the output shown in Listing 1.3 and Listing 1.4, respectively.
Listing 1.3: The output of the command debug ip rip displays how Router A receives RIP routing updates from Router B.
Router-A#debug ip rip
RIP protocol debugging is on
Router-A#
RIP: received packet with MD5 authentication
RIP: received v2 update from 192.168.10.2 on Serial0/0
     10.10.12.0/24 -> 0.0.0.0 in 1 hops
     10.10.13.0/24 -> 0.0.0.0 in 1 hops
Listing 1.4: The output of the command debug ip rip displays how Router B receives RIP routing updates from Router A.
Router-B#debug ip rip
RIP protocol debugging is on
Router-B#
RIP: received packet with MD5 authentication
RIP: received v2 update from 192.168.10.1 on Serial0/0
     10.10.10.0/24 via 0.0.0.0 in 1 hops
     10.10.11.0/24 via 0.0.0.0 in 1 hops
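The note above states that the key chain name may differ between neighbors while the key number and key-string must match. The following added example (not code from the book) models why, using the keyed-MD5 packet layout RFC 2082 defines for RIPv2: it builds Router B's authenticated update and verifies it against a receiving key chain given only as key numbers and key-strings. It is an illustrative model, not a byte-exact copy of Cisco's implementation; the route list is constructed from Listing 1.3.

```python
import hashlib
import hmac
import socket
import struct

# Layout per RFC 2082: a 20-byte authentication entry (AFI 0xFFFF, type 3) precedes the
# route entries and a trailer entry (AFI 0xFFFF, type 1) carries the 16-byte keyed digest.
# This is an illustrative model, not a byte-exact copy of any vendor's implementation.
AUTH_AFI, AUTH_TYPE_MD5, AUTH_TYPE_TRAILER = 0xFFFF, 0x0003, 0x0001
RIP_HDR = struct.pack("!BBH", 2, 2, 0)  # command 2 = response, version 2, unused

def _padded_key(key_string: str) -> bytes:
    # The key-string is zero-padded to the 16-byte digest size before hashing.
    return key_string.encode()[:16].ljust(16, b"\x00")

def build_rip_md5(routes, key_id: int, key_string: str, seq: int) -> bytes:
    """Build a RIPv2 response carrying routes given as (prefix, mask, next hop, metric)."""
    entries = b"".join(
        struct.pack("!HH4s4s4sI", 2, 0, socket.inet_aton(p), socket.inet_aton(m),
                    socket.inet_aton(nh), metric)
        for p, m, nh, metric in routes)
    pkt_len = len(RIP_HDR) + 20 + len(entries)  # offset of the trailer entry
    auth_hdr = struct.pack("!HHHBBI8s", AUTH_AFI, AUTH_TYPE_MD5, pkt_len,
                           key_id, 16, seq, b"\x00" * 8)
    body = RIP_HDR + auth_hdr + entries + struct.pack("!HH", AUTH_AFI, AUTH_TYPE_TRAILER)
    # The padded key stands in for the digest while hashing and is then overwritten by it,
    # so the key-string never leaves the router; only the key number travels in Key ID.
    return body + hashlib.md5(body + _padded_key(key_string)).digest()

def verify_rip_md5(pkt: bytes, key_chain: dict) -> bool:
    """Check pkt against the receiver's chain given as {key number: key-string}.
    The chain *name* never appears on the wire, so only number and string must agree."""
    if len(pkt) < len(RIP_HDR) + 20 + 4 + 16:
        return False
    afi, atype, pkt_len, key_id, auth_len, _seq = struct.unpack("!HHHBBI", pkt[4:16])
    if afi != AUTH_AFI or atype != AUTH_TYPE_MD5 or auth_len != 16:
        return False
    key_string = key_chain.get(key_id)
    if key_string is None or len(pkt) != pkt_len + 4 + 16:
        return False  # no such key number in our chain, or inconsistent length
    body, received = pkt[:pkt_len + 4], pkt[pkt_len + 4:]
    expected = hashlib.md5(body + _padded_key(key_string)).digest()
    return hmac.compare_digest(expected, received)  # constant-time comparison

# Constructed sample: the two routes Router B advertises to Router A in Listing 1.3.
ROUTER_B_ROUTES = [("10.10.12.0", "255.255.255.0", "0.0.0.0", 1),
                   ("10.10.13.0", "255.255.255.0", "0.0.0.0", 1)]
```

A receiver whose chain is named systems and a sender whose chain is named cisco accept each other as long as key 1 carries the same key-string; a different string under key 1, or no key 1 at all, rejects the update.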
Configuring EIGRP Authentication
EIGRP authentication of packets has been supported since IOS version 11.3. EIGRP route authentication is similar to RIP version 2, but EIGRP authentication supports only the MD5 version of packet encryption.
EIGRP's authentication support may at first seem limited, but plain text authentication should be configured only when neighboring routers do not support MD5. Because EIGRP is a proprietary routing protocol developed by Cisco, it can be spoken only between two Cisco devices, so the issue of another neighboring router not supporting the MD5 cryptographic checksum of packets should never arise.
The steps for configuring authentication of EIGRP updates are similar to the steps for configuring RIP version 2 authentication:
1. Define the key chain using the command key chain <name> in global configuration mode. This command transfers you to key chain configuration mode.
2. Specify the key number with the key <number> command in key chain configuration mode. You can configure multiple keys.
3. For each key, identify the key string with the key-string <string> command.
4. Optionally, you can configure the period for which the key can be sent and received. Use the following commands:
accept-lifetime <start-time> {infinite | <end-time> | duration <seconds>}
send-lifetime <start-time> {infinite | <end-time> | duration <seconds>}
5. Exit key chain configuration mode with the exit command.
6. Under interface configuration mode, enable the authentication of EIGRP updates with this command:
ip authentication key-chain eigrp <autonomous system> <key chain name>
7. Enable MD5 authentication of EIGRP updates using the following command:
ip authentication mode eigrp <autonomous system> md5
Listing 1.5 shows how Router A should be configured to authenticate updates from Router B using EIGRP MD5 authentication, and Listing 1.6 shows the configuration for Router B.
Listing 1.5: Router A's configuration with MD5 authentication.
key chain router-a
 key 1
  key-string eigrp
!
interface Loopback0
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
 ip address 10.10.11.1 255.255.255.0
!
interface Serial0/0
 ip address 192.168.10.1 255.255.255.252
 ip authentication mode eigrp 2 md5
 ip authentication key-chain eigrp 2 router-a
 clockrate 64000
!
router eigrp 2
 network 10.0.0.0
 network 192.168.10.0
 no auto-summary
 eigrp log-neighbor-changes
Listing 1.6: Router B's configuration with MD5 authentication.
key chain router-b
 key 1
  key-string eigrp
!
interface Loopback0
 ip address 10.10.12.1 255.255.255.0
!
interface Ethernet0/0
 ip address 10.10.13.1 255.255.255.0
!
interface Serial0/0
 ip address 192.168.10.2 255.255.255.252
 ip authentication mode eigrp 2 md5
 ip authentication key-chain eigrp 2 router-b
 clockrate 64000
!
router eigrp 2
 network 10.0.0.0
 network 192.168.10.0
 no auto-summary
 eigrp log-neighbor-changes
Listing 1.5 configures Router A with a key chain value of router-a, a key value of 1, and a key-string value of eigrp. Listing 1.6 configures Router B with a key chain value of router-b, a key value of 1, and a key-string value of eigrp. Notice again that the key chain need not match between routers; however, the key number and the key string associated with the key value must match between routers configured to use that key value.
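As an added example (not the book's own code), the following Python checks two IOS configuration excerpts, constructed here from Listings 1.5 and 1.6, against the rules in steps 1 through 7 and the note above: MD5 mode and a key chain applied on both interfaces, the same autonomous system number, and at least one key number whose key-string matches on both routers, with the chain names allowed to differ. The config parser is deliberately limited to the commands these listings use.

```python
import re

# Constructed excerpts of Listings 1.5 and 1.6: the key chain and the Serial0/0 interface.
ROUTER_A = """key chain router-a
 key 1
  key-string eigrp
!
interface Serial0/0
 ip address 192.168.10.1 255.255.255.252
 ip authentication mode eigrp 2 md5
 ip authentication key-chain eigrp 2 router-a
"""
ROUTER_B = ROUTER_A.replace("router-a", "router-b").replace("192.168.10.1", "192.168.10.2")

def parse_config(config: str) -> dict:
    """Pull out {chain: {key number: key-string}} and each interface's EIGRP auth settings."""
    chains, ifaces, chain, key, iface = {}, {}, None, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"key chain (\S+)", line):
            chain, key, iface = chains.setdefault(m[1], {}), None, None
        elif m := re.fullmatch(r"interface (\S+)", line):
            iface, chain = ifaces.setdefault(m[1], {}), None
        elif chain is not None and (m := re.fullmatch(r"key (\d+)", line)):
            key = int(m[1])
        elif chain is not None and key is not None and (m := re.fullmatch(r"key-string (.+)", line)):
            chain[key] = m[1]
        elif iface is not None and (
                m := re.fullmatch(r"ip authentication (mode|key-chain) eigrp (\d+) (\S+)", line)):
            iface["as"] = int(m[2])
            iface[m[1]] = m[3]  # iface["mode"] = "md5" or iface["key-chain"] = chain name
    return {"chains": chains, "interfaces": ifaces}

def auth_problems(cfg_a: dict, if_a: str, cfg_b: dict, if_b: str) -> list:
    """List reasons the two interfaces would not form an authenticated EIGRP adjacency."""
    problems = []
    ia, ib = cfg_a["interfaces"].get(if_a, {}), cfg_b["interfaces"].get(if_b, {})
    for name, i in (("A", ia), ("B", ib)):
        if i.get("mode") != "md5":
            problems.append(f"{name}: ip authentication mode ... md5 not configured")
        if "key-chain" not in i:
            problems.append(f"{name}: no key chain applied to the interface")
    if ia.get("as") != ib.get("as"):
        problems.append("autonomous system numbers differ")
    ka = cfg_a["chains"].get(ia.get("key-chain"), {})
    kb = cfg_b["chains"].get(ib.get("key-chain"), {})
    # Chain names may differ; some key number must exist on both with the same key-string.
    if not any(n in kb and ka[n] == kb[n] for n in ka):
        problems.append("no key number has a matching key-string on both routers")
    return problems
```

Changing Router A's key-string under key 1 to ospf, as the text does further on, is reported as the single problem while the two routers still agree on everything else.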
Although debugging of encrypted EIGRP packets is somewhat limited, a few commands can be used to verify that packet encryption is taking place correctly. Two of those commands are debug eigrp packet and show ip route. The debug eigrp packet command informs you if the router has received a packet with the correct key value and key string. The output of issuing this command can be seen here:
Router-A#debug eigrp packet
EIGRP Packets debugging is on
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK)
Router-A#
EIGRP: received packet with MD5 authentication
EIGRP: received packet with MD5 authentication
Router A is receiving MD5-authenticated packets from its neighbor, Router B. However, we cannot fully determine whether or not the authentication is taking place correctly without issuing the show ip route command on Router A. This allows us to look at the route table and determine that packet authentication is taking place correctly, because the routes that Router B has sent to Router A are installed into the route table. Listing 1.7 displays the output of the show ip route command.
Listing 1.7: Route table of Router A with correct authentication configured.
Router-A#sh ip route
...
C    192.168.10.0/24 is directly connected, Ethernet0/0
C    10.10.10.0 is directly connected, Loopback0
C    10.10.11.0 is directly connected, Ethernet0/0
D    10.10.12.0 [90/409600] via 192.168.10.2, 00:18:36, Serial0/0
D    10.10.13.0 [90/409600] via 192.168.10.2, 00:18:36, Serial0/0
Router-A#
You can change Router A's key-string value for key 1 to see what kind of an effect this will have. The following lines will change the key-string value for key 1 on Router A to ospf:
Router-A#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router-A(config)#key chain router-a
Router-A(config-keychain)#key 1
Router-A(config-keychain-key)#key-string ospf
Router-A(config-keychain-key)#end
Router-A#
Now that Router A has a different key string associated with key 1, you would assume that packet authentication is not taking place correctly. By issuing the debug eigrp packet command, you can see that there is indeed a problem with authentication:
Router-A#debug eigrp packet
EIGRP Packets debugging is on
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK)
Router-A#
EIGRP: received packet with MD5 authentication
EIGRP: ignored packet from 192.168.10.2 opcode = 5 (invalid authentication)
Taking a quick look at the route table confirms that the authentication is incorrectly configured. Now that the key strings are different, no routes from Router B are installed into the route table of Router A. Listing 1.8 displays the routing table of Router A.
Listing 1.8: Route table of Router A with incorrect authentication configured.
Router-A#sh ip route
...
C    192.168.10.0/24 is directly connected, Ethernet0/0
     10.0.0.0/24 is subnetted, 2 subnets
C    10.10.10.0 is directly connected, Loopback0
C    10.10.11.0 is directly connected, Loopback1
Router-A#
Tip You can also issue the show ip eigrp neighbor command to determine if authentication is configured correctly. If authentication is correctly configured, the neighboring router will be displayed in the output of the command. If authentication is incorrectly configured, the neighbor will not be displayed in the output.