- •Chapter 8 Lab 8-2, Routing Protocol Authentication
- •Step 2: Configure named eigrp routing.
- •192.168.1.1
- •Step 3: Secure the named eigrp routing process.
- •192.168.1.1
- •Step 4: Configure ospf routing.
- •192.168.1.1
- •Step 5: Secure the ospf routing protocol.
- •192.168.1.1
- •Device Configurations (Instructor version)
Step 5: Secure the ospf routing protocol.
OSPF will use the OSPFv2 Cryptographic Authentication.
On R1, create the key chain to be used for OSPF authentication.
R1(config)# key chain SHA-CHAIN
R1(config-keychain)# key 1
R1(config-keychain-key)# key-string secret-1
R1(config-keychain-key)# cryptographic-algorithm hmac-sha-256
R1(config-keychain-key)# exit
R1(config-keychain)# exit
R1(config)#
Next, enable authentication on the serial 0/0/0 interface of R1.
R1(config)# interface s0/0/0
R1(config-if)# ip ospf authentication key-chain SHA-CHAIN
R1(config-if)#
Jan 10 11:08:34.075: %OSPF-5-ADJCHG: Process 1, Nbr 10.2.2.1 on Serial0/0/0 from FULL to DOWN, Neighbor Down: Dead timer expired
Notice how the adjacency with R2 has changed to down. This is because R1 no longer accepts the updates from R2 because they are not authenticated.
On R2, create the key chain to be used for authentication.
R2(config)# key chain SHA-CHAIN
R2(config-keychain)# key 1
R2(config-keychain-key)# key-string secret-1
R2(config-keychain-key)# cryptographic-algorithm hmac-sha-256
R2(config-keychain-key)# exit
R2(config-keychain)# exit
R2(config)#
Next, enable authentication on the serial 0/0/0 and serial 0/0/1 interfaces of R2.
R2(config)# interface s0/0/0
R2(config-if)# ip ospf authentication key-chain SHA-CHAIN
R2(config-if)# exit
R2(config)#
R2(config)# interface s0/0/1
R2(config-if)# ip ospf authentication key-chain SHA-CHAIN
R2(config-if)#
Jan 10 11:08:42.523: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.1.1 on Serial0/0/0 from LOADING to FULL, Loading Done
R2(config-if)#
Jan 10 11:09:14.487: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.3.1 on Serial0/0/1 from FULL to DOWN, Neighbor Down: Dead timer expired
Notice how the first informational message is saying that the adjacency with R1 has been restored because they are now authenticating each other’s routing updates.
However, the second information message is saying that the adjacency with R3 has changed to down. This is because R2 no longer accepts the updates from R3 because they are not authenticated.
On R3, create the key chain to be used for authentication.
R3(config-router)# key chain SHA-CHAIN
R3(config-keychain)# key 1
R3(config-keychain-key)# key-string secret-1
R3(config-keychain-key)# cryptographic-algorithm hmac-sha-256
R3(config-keychain-key)# exit
R3(config-keychain)# exit
R3(config)#
Next, enable authentication on the serial 0/0/1 interface of R3.
R3(config)#interface s0/0/1
R3(config-if)#ip ospf authentication key-chain SHA-CHAIN
R3(config-if)#
Jan 10 11:09:20.223: %OSPF-5-ADJCHG: Process 1, Nbr 10.2.2.1 on Serial0/0/1 from LOADING to FULL, Loading Done
R3#
Verify the routing table of R1.
R1# show ip route ospf | begin Gateway
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
O 10.2.2.0/30 [110/128] via 10.1.1.2, 00:05:23, Serial0/0/0
192.168.3.0/32 is subnetted, 1 subnets
O 192.168.3.1 [110/129] via 10.1.1.2, 00:04:23, Serial0/0/0
R1#
Verify the routing table of R1.
R1# show ip ospf interface s0/0/0 | section Crypto
Cryptographic authentication enabled
Sending SA: Key 1, Algorithm HMAC-SHA-256 - key chain SHA-CHAIN
R1#
From the R1 router, run the following Tcl script to verify connectivity.
foreach address {