2.4 Configuring and Verifying EIGRP Authentication


Chapter 2
© 2007-2010, Cisco Systems, Inc. All rights reserved. Cisco Public

Configuring and Verifying EIGRP Authentication
Router Authentication
Many routing protocols support authentication such that a
router authenticates the source of each routing update
packet that it receives.
Simple password authentication is supported by:
IS-IS
OSPF
RIPv2
MD5 authentication is supported by:
OSPF
RIPv2
BGP
EIGRP
Simple Password vs. MD5 Authentication
Simple password authentication:
Router sends packet and key.
Neighbor checks if received key matches its key.
Is not secure.
MD5 authentication:
Configure a key (password) and key-id; the router generates a message
digest, or hash, of the key, key-id and message.
Message digest is sent with packet; key is not sent.
Is secure.
EIGRP MD5 Authentication
EIGRP supports MD5 authentication.
The router generates an MD5 digest for every EIGRP packet it sends and checks the digest on every EIGRP packet it receives, so it authenticates the source of each routing update packet.
Configure a key (password) and key-id; each participating neighbor must have the same key configured.
MD5 Authentication
EIGRP MD5 authentication:
Router generates a message digest, or hash, of the key, key-id, and
message.
EIGRP allows keys to be managed using key chains.
Each key is specified by a key-id (number), a key string, and a lifetime.
First valid activated key, in order of key numbers, is used.
Planning for EIGRP
The following key parameters must be defined in enough
detail before configuring EIGRP authentication:
The EIGRP AS number
The authentication mode (MD5)
The definition of one or more keys to authenticate EIGRP packets,
according to the network security plan.
The keys' lifetimes, if multiple keys are defined.
Once defined, the following steps may be implemented:
1. Configure the authentication mode for EIGRP.
2. Configure the key chain.
3. Optionally configure the keys' lifetime parameters.
4. Enable authentication to use the key(s) in the key chain.
Configure the Authentication Mode for EIGRP
Specify MD5 authentication for EIGRP packets.
Router(config-if)#
ip authentication mode eigrp autonomous-system md5
Enable EIGRP packet authentication using a key in the key chain.
Router(config-if)#
ip authentication key-chain eigrp autonomous-system name-of-chain
Configure the Key Chain
Define the key chain in key chain configuration mode.
Router(config)#
key chain name-of-chain
Identify the key and enter key-id configuration mode.
Router(config-keychain)#
key key-id
Identify the key string (password).
Router(config-keychain-key)#
key-string text
Configure Key Lifetime Parameters (Optional)
Specify when the key will be accepted for received packets.
Router(config-keychain-key)#
accept-lifetime start-time {infinite | end-time | duration seconds}
Specify when the key can be used for sending EIGRP packets.
Router(config-keychain-key)#
send-lifetime start-time {infinite | end-time | duration seconds}
Enable Authentication to Use the Key Chain
Enable EIGRP packet authentication using a key in the key chain.
Router(config-if)#
ip authentication key-chain eigrp autonomous-system name-of-chain
Configuring EIGRP MD5 Authentication
Figure: R1 and R2 in EIGRP AS 100. R1 Fa0/0 is on 172.16.1.0/24 and R2 Fa0/0 on 172.17.2.0/24; the routers connect S0/0/0 to S0/0/0 over a 64 kbps serial link on 192.168.1.96/27 (R1 = .101, R2 = .102).
R1# show running-config
!
<output omitted>
!
key chain R1chain
 key 1
  key-string FIRST-KEY
  accept-lifetime 04:00:00 Jan 1 2009 infinite
  send-lifetime 04:00:00 Jan 1 2009 04:00:00 Jan 31 2009
 key 2
  key-string SECOND-KEY
  accept-lifetime 04:00:00 Jan 25 2009 infinite
  send-lifetime 04:00:00 Jan 25 2009 infinite
!
<output omitted>
!
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
!
interface Serial0/0/0
 bandwidth 64
 ip address 192.168.1.101 255.255.255.224
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 R1chain
!
router eigrp 100
 network 172.16.1.0 0.0.0.255
 network 192.168.1.0
 auto-summary
Configuring EIGRP MD5 Authentication
Figure: same topology (R1 and R2 in EIGRP AS 100, S0/0/0 link on 192.168.1.96/27, R1 = .101, R2 = .102, R2 Fa0/0 on 172.17.2.0/24).
R2# show running-config
!
<output omitted>
!
key chain R2chain
 key 1
  key-string FIRST-KEY
  accept-lifetime 04:00:00 Jan 1 2009 infinite
  send-lifetime 04:00:00 Jan 1 2009 infinite
 key 2
  key-string SECOND-KEY
  accept-lifetime 04:00:00 Jan 25 2009 infinite
  send-lifetime 04:00:00 Jan 25 2009 infinite
!
<output omitted>
!
interface FastEthernet0/0
 ip address 172.17.2.2 255.255.255.0
!
interface Serial0/0/0
 bandwidth 64
 ip address 192.168.1.102 255.255.255.224
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 R2chain
!
router eigrp 100
 network 172.17.2.0 0.0.0.255
 network 192.168.1.0
 auto-summary
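The two key chains above differ in one detail that decides which key-id each router puts on the wire: R1 stops sending key 1 at 04:00 Jan 31 2009 while R2 keeps both keys sendable and acceptable indefinitely. The Python below models that behaviour: the "first valid key in key-id order" send rule, the receiver's accept-lifetime check, and the digest comparison. It is an added example, not Cisco's code or part of the original slides. The digest is simplified to MD5 over the packet bytes followed by the key-string (the IOS computation covers the EIGRP packet and an authentication TLV, which is not reproduced here), and the HELLO payload, the `exchange` helper and the three timestamps are constructed for the demonstration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

INFINITE = datetime.max  # stands in for the IOS "infinite" keyword


@dataclass
class Key:
    """One 'key <key-id>' entry: key-string plus accept and send lifetimes."""
    key_id: int
    key_string: str
    accept_start: datetime
    send_start: datetime
    accept_end: datetime = INFINITE
    send_end: datetime = INFINITE

    def accepts(self, now: datetime) -> bool:
        return self.accept_start <= now < self.accept_end

    def sends(self, now: datetime) -> bool:
        return self.send_start <= now < self.send_end


@dataclass
class KeyChain:
    name: str
    keys: List[Key]

    def send_key(self, now: datetime) -> Optional[Key]:
        """First key, in key-id order, whose send-lifetime is active (the slide's rule)."""
        for key in sorted(self.keys, key=lambda k: k.key_id):
            if key.sends(now):
                return key
        return None

    def key_by_id(self, key_id: int) -> Optional[Key]:
        return next((k for k in self.keys if k.key_id == key_id), None)


def md5_digest(key_string: str, payload: bytes) -> str:
    # Simplified keyed digest (assumption): MD5 over packet bytes followed by the
    # secret. IOS hashes the packet together with an authentication TLV instead.
    return hashlib.md5(payload + key_string.encode()).hexdigest()


def build_packet(chain: KeyChain, payload: bytes, now: datetime) -> Dict[str, object]:
    """Sender: choose the send key, attach key-id and digest; the key itself never leaves."""
    key = chain.send_key(now)
    if key is None:
        raise RuntimeError(f"{chain.name}: no key with an active send-lifetime")
    return {"key_id": key.key_id, "digest": md5_digest(key.key_string, payload), "payload": payload}


def verify_packet(chain: KeyChain, packet: Dict[str, object], now: datetime) -> str:
    """Receiver: look up the claimed key-id, check its accept-lifetime, compare digests."""
    key = chain.key_by_id(packet["key_id"])
    if key is None or not key.accepts(now):
        return f"pkt key id = {packet['key_id']}, no acceptable key"
    expected = md5_digest(key.key_string, packet["payload"])
    if not hmac.compare_digest(expected, packet["digest"]):
        return f"pkt key id = {packet['key_id']}, authentication mismatch"
    return f"received packet with MD5 authentication, key id = {packet['key_id']}"


def r1_chain(key2_string: str = "SECOND-KEY") -> KeyChain:
    """R1chain from the slide: key 1 is sent only until 04:00 Jan 31 2009."""
    return KeyChain("R1chain", [
        Key(1, "FIRST-KEY", accept_start=datetime(2009, 1, 1, 4),
            send_start=datetime(2009, 1, 1, 4), send_end=datetime(2009, 1, 31, 4)),
        Key(2, key2_string, accept_start=datetime(2009, 1, 25, 4), send_start=datetime(2009, 1, 25, 4)),
    ])


def r2_chain() -> KeyChain:
    """R2chain from the slide: both keys accepted and sendable indefinitely."""
    return KeyChain("R2chain", [
        Key(1, "FIRST-KEY", accept_start=datetime(2009, 1, 1, 4), send_start=datetime(2009, 1, 1, 4)),
        Key(2, "SECOND-KEY", accept_start=datetime(2009, 1, 25, 4), send_start=datetime(2009, 1, 25, 4)),
    ])


HELLO = b"EIGRP HELLO AS 100"  # constructed stand-in for a hello packet body
BEFORE_ROLLOVER = datetime(2009, 1, 20, 12)   # only key 1 exists on the wire
DURING_OVERLAP = datetime(2009, 1, 27, 12)    # both keys valid; lowest key-id still wins
AFTER_ROLLOVER = datetime(2009, 2, 1, 12)     # R1 key 1 send-lifetime has expired


def exchange(now: datetime, r1_key2_string: str = "SECOND-KEY") -> Dict[str, object]:
    """One hello in each direction at time `now`; report what each router decides."""
    r1, r2 = r1_chain(r1_key2_string), r2_chain()
    r1_to_r2 = build_packet(r1, HELLO, now)
    r2_to_r1 = build_packet(r2, HELLO, now)
    return {
        "R1 sends key id": r1_to_r2["key_id"],
        "R2 sends key id": r2_to_r1["key_id"],
        "R1 result": verify_packet(r1, r2_to_r1, now),
        "R2 result": verify_packet(r2, r1_to_r2, now),
    }


if __name__ == "__main__":
    for label, when in [("before", BEFORE_ROLLOVER), ("overlap", DURING_OVERLAP), ("after", AFTER_ROLLOVER)]:
        print(label, exchange(when))
    print("after, R1 key 2 = wrongkey", exchange(AFTER_ROLLOVER, "wrongkey"))
```

Running it shows both routers sending key 1 before Jan 25 and also during the overlap, because the first valid key in key-id order wins; after Jan 31 R1 switches to key 2 while R2 still sends key 1, and both directions verify because each side's accept-lifetime covers the key the other side chose. Setting R1's key 2 string to wrongkey reproduces the "authentication mismatch" that the troubleshooting slide shows on R2. Every decision here depends on `now`, so the routers' clocks have to agree for the lifetimes to line up.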
Verifying MD5 Authentication
R1#
*Apr 21 16:23:30.517: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.102 (Serial0/0/0) is up: new adjacency
R1#
R1# show ip eigrp neighbors
IP-EIGRP neighbors for process 100
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   192.168.1.102           Se0/0/0           12 00:03:10   17  2280  0  14
R1#
R1# show ip route
<output omitted>
Gateway of last resort is not set
D    172.17.0.0/16 [90/40514560] via 192.168.1.102, 00:02:22, Serial0/0/0
     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
D       172.16.0.0/16 is a summary, 00:31:31, Null0
C       172.16.1.0/24 is directly connected, FastEthernet0/0
     192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.1.96/27 is directly connected, Serial0/0/0
D       192.168.1.0/24 is a summary, 00:31:31, Null0
R1#
R1# ping 172.17.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/16 ms
Verifying MD5 Authentication
R1# show key chain
Key-chain R1chain:
    key 1 -- text "FIRST-KEY"
        accept lifetime (04:00:00 Jan 1 2009) - (always valid) [valid now]
        send lifetime (04:00:00 Jan 1 2009) - (04:00:00 Jan 31 2009)
    key 2 -- text "SECOND-KEY"
        accept lifetime (04:00:00 Jan 25 2009) - (always valid) [valid now]
        send lifetime (04:00:00 Jan 25 2009) - (always valid) [valid now]
Troubleshooting MD5 Authentication
R1# debug eigrp packets
EIGRP Packets debugging is on
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
*Jan 21 16:38:51.745: EIGRP: received packet with MD5 authentication, key id = 1
*Jan 21 16:38:51.745: EIGRP: Received HELLO on Serial0/0/0 nbr 192.168.1.102
*Jan 21 16:38:51.745:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
R2# debug eigrp packets
EIGRP Packets debugging is on
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
R2#
*Jan 21 16:38:38.321: EIGRP: received packet with MD5 authentication, key id = 2
*Jan 21 16:38:38.321: EIGRP: Received HELLO on Serial0/0/0 nbr 192.168.1.101
*Jan 21 16:38:38.321:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
Configuring EIGRP MD5 Authentication
Figure: same topology (R1 and R2 in EIGRP AS 100, S0/0/0 link on 192.168.1.96/27, R1 = .101, R2 = .102).
R1(config-if)# key chain R1chain
R1(config-keychain)# key 2
R1(config-keychain-key)# key-string wrongkey
R1(config-keychain-key)#
R2# debug eigrp packets
EIGRP Packets debugging is on
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
*Jan 21 16:50:18.749: EIGRP: pkt key id = 2, authentication mismatch
*Jan 21 16:50:18.749: EIGRP: Serial0/0/0: ignored packet from 192.168.1.101, opcode = 5 (invalid authentication)
*Jan 21 16:50:18.749: EIGRP: Dropping peer, invalid authentication
*Jan 21 16:50:18.749: EIGRP: Sending HELLO on Serial0/0/0
*Jan 21 16:50:18.749:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Jan 21 16:50:18.753: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.101 (Serial0/0/0) is down: Auth failure
R2#
R2# show ip eigrp neighbors
IP-EIGRP neighbors for process 100
R2#
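The debug and syslog lines in this troubleshooting scenario are also what a monitoring pipeline would key on: a "pkt key id = N, authentication mismatch" debug line, an "ignored packet ... (invalid authentication)" line naming the peer, and the %DUAL-5-NBRCHANGE message whose reason is "Auth failure" rather than a hold-timer expiry. The Python below is an added example, not part of the original slides or of any Cisco tool; the regular expressions, event names and field names are my own, and the sample log is constructed from the lines shown on the slides, re-joined onto one line each.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample: R2's lines from the wrong-key scenario plus one healthy
# adjacency line from R1, each re-joined onto a single line.
SAMPLE_LOG = """\
*Apr 21 16:23:30.517: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.102 (Serial0/0/0) is up: new adjacency
*Jan 21 16:50:18.749: EIGRP: pkt key id = 2, authentication mismatch
*Jan 21 16:50:18.749: EIGRP: Serial0/0/0: ignored packet from 192.168.1.101, opcode = 5 (invalid authentication)
*Jan 21 16:50:18.749: EIGRP: Dropping peer, invalid authentication
*Jan 21 16:50:18.753: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.101 (Serial0/0/0) is down: Auth failure
"""

# Patterns written against the line shapes visible on the slides (hypothetical, not Cisco-supplied).
TIMESTAMP = re.compile(r"^\*(?P<ts>[A-Za-z]{3} +\d+ \d\d:\d\d:\d\d\.\d+): ")
NBRCHANGE = re.compile(
    r"%DUAL-5-NBRCHANGE: IP-EIGRP\(\d+\) (?P<asn>\d+): Neighbor (?P<nbr>\S+) "
    r"\((?P<intf>\S+)\) is (?P<state>up|down): (?P<reason>.*)$")
MISMATCH = re.compile(r"EIGRP: pkt key id = (?P<key_id>\d+), authentication mismatch$")
IGNORED = re.compile(
    r"EIGRP: (?P<intf>\S+): ignored packet from (?P<nbr>\S+), opcode = (?P<opcode>\d+) "
    r"\(invalid authentication\)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Turn one log line into a structured event, or None if it is not one we track."""
    ts_match = TIMESTAMP.match(line)
    ts = ts_match.group("ts") if ts_match else ""
    m = NBRCHANGE.search(line)
    if m:
        # Adjacency loss with reason "Auth failure" is the authentication signal;
        # any other reason (hold timer, interface down, ...) is a plain state change.
        event = "auth_failure" if m["reason"].startswith("Auth failure") else f"adjacency_{m['state']}"
        return {"ts": ts, "event": event, "neighbor": m["nbr"], "interface": m["intf"],
                "as": m["asn"], "detail": m["reason"]}
    m = MISMATCH.search(line)
    if m:
        # The receiver has a key with the claimed id but the digest did not verify,
        # i.e. the key-string differs on the two sides.
        return {"ts": ts, "event": "auth_mismatch", "neighbor": "", "interface": "",
                "as": "", "detail": f"key id {m['key_id']}"}
    m = IGNORED.search(line)
    if m:
        return {"ts": ts, "event": "auth_ignored", "neighbor": m["nbr"], "interface": m["intf"],
                "as": "", "detail": f"opcode {m['opcode']}"}
    return None


def parse_log(text: str) -> List[Dict[str, str]]:
    return [event for event in (parse_line(line) for line in text.splitlines()) if event]


def auth_failures_by_neighbor(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Count authentication-related events per neighbor address (for alert thresholds)."""
    return dict(Counter(e["neighbor"] for e in events
                        if e["event"] in ("auth_failure", "auth_ignored") and e["neighbor"]))


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for event in parsed:
        print(event["ts"], event["event"], event["neighbor"], event["detail"])
    print("auth failures per neighbor:", auth_failures_by_neighbor(parsed))
```

The per-neighbor count is what distinguishes a one-off adjacency flap from a key that is wrong on one side: a genuine key mismatch produces a steady stream of ignored packets from the same address for as long as the peer keeps sending hellos. The %DUAL-5-NBRCHANGE line is ordinary syslog and is worth collecting permanently; the "pkt key id" and "ignored packet" lines only appear while debug eigrp packets is enabled.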
Optimizing EIGRP Implementations
Factors That Influence EIGRP Scalability
Quantity of routing information exchanged between peers:
without proper route summarization, this can be excessive.
Number of routers that must be involved when a topology
change occurs.
Depth of topology: the number of hops that information must
travel to reach all routers.
Number of alternate paths through the network.
EIGRP Query Process
Queries are sent when a route is lost and no feasible
successor is available.
The lost route is now in the active state.
Queries are sent to all neighboring routers on all interfaces
except the interface to the successor.
If the neighbors do not have their lost-route information,
queries are sent to their neighbors.
If a router has an alternate route, it answers the query; this
stops the query from spreading in that branch of the
network.
Overwhelming EIGRP Query Process
In a large internetwork, EIGRP queries can consume considerable resources.
Several solutions exist to optimize the query propagation process
and to limit the amount of unnecessary EIGRP load on the links,
including:
Summarization
EIGRP stub routing feature.
Stuck-in-Active
If a router does not receive a reply to all the outstanding queries within the default 3 minutes (180 seconds), the route goes into the Stuck-in-Active (SIA) state.
Common SIA reasons:
A router is too busy to answer the query.
A router cannot allocate the memory to process the query.
The circuit between the two routers is not reliable.
The router has unidirectional links.
SIA solutions:
Redesign the network to limit the query range by route summarization
and the ip summary-address eigrp command.
Configure the remote routers as stub EIGRP routers.
SIA Solution: Summarization
Poorly designed networks can make summarization difficult.
Manually summarize the routes whenever possible to support a hierarchical
network design.
The more networks EIGRP summarizes, the lower the number of queries
being sent out.
Ultimately reduces the occurrence of SIA errors.
SIA Solution: Summarization
This network design is better because subnet addresses from individual
major networks are localized within each cloud, allowing summary routes
configured using the ip summary-address eigrp command to be
injected into the core.
As an added benefit, the summary routes act as a boundary for the queries
generated by a topology change.
SIA Solution: Stub Networks
The EIGRP Stub Routing feature:
Improves network stability
Reduces resource utilization
Simplifies remote router (spoke) configuration
EIGRP Stub Routing
Stub routing is commonly used in hub-and-spoke topology.
Stub router sends a special peer information packet to all
neighboring routers to report its status as a stub router.
Any neighbor that receives a packet informing it of the stub status
does not query the stub router for any routes.
Stub routers are not queried; instead, the hub routers connected to the stub router answer the query on its behalf.
Only the remote routers are configured as stubs.
EIGRP Stub
Configure a router as a stub router.
Router(config-router)#
eigrp stub [receive-only | connected | static | summary | redistributed]

Parameter: Description
receive-only: Restricts the router from sharing any of its routes with any other router within an EIGRP AS. This keyword cannot be combined with any other keyword.
connected: Permits the EIGRP stub routing feature to send connected routes. This option is enabled by default and is the most widely practical stub option.
static: Permits the EIGRP stub routing feature to send static routes. Redistributing static routes with the redistribute static command is still necessary.
summary: Permits the EIGRP stub routing feature to send automatically summarized and/or manually summarized routes. This option is enabled by default.
redistributed: Permits the EIGRP stub routing feature to send redistributed routes. Redistributing routes with the redistribute command is still necessary.
Example: EIGRP Stub Parameters
If stub connected is configured:
B will advertise 10.1.2.0/24 to A.
B will not advertise 10.1.2.0/23, 10.1.3.0/23, or 10.1.4.0/24.
If stub summary is configured:
B will advertise 10.1.2.0/23 to A.
B will not advertise 10.1.2.0/24, 10.1.3.0/24, or 10.1.4.0/24.
Example: EIGRP Stub Parameters (Cont.)
If stub static is configured:
B will advertise 10.1.4.0/24 to A.
B will not advertise 10.1.2.0/24, 10.1.2.0/23, or 10.1.3.0/24.
If stub receive-only is configured:
B won't advertise anything to A, so A needs a static route to the networks behind B to reach them.
Graceful Shutdown
Graceful shutdown, implemented with the goodbye message
feature, is designed to improve EIGRP network convergence.
In the figure, router A is using router B as the successor for a
number of routes; router C is the feasible successor for the same routes. Router B normally
would not tell router A if the EIGRP process on router B was going down, for example, if router
B was being reconfigured. Router A would have to wait for its hold timer to expire before it
would discover the change and react to it. Packets sent during this time would be lost.
With graceful shutdown, the goodbye message is broadcast when an EIGRP routing process is
shut down to inform adjacent peers about the impending topology change. This feature allows
supporting EIGRP peers to synchronize and recalculate neighbor relationships more efficiently
than would occur if the peers discovered the topology change after the hold timer expired.
The goodbye message is supported in Cisco IOS Software Release 12.3(2), 12.3(3)B, and
12.3(2)T and later. Goodbye messages are sent in hello packets. EIGRP sends an interface
goodbye message with all K values set to 255 when taking down all peers on an interface.
router eigrp 100
eigrp nsf
....
Chapter 2 Summary
The chapter focused on the following topics:
Features of EIGRP, including fast convergence, use of partial updates, multiple network layer support, use of multicast and unicast, VLSM support, seamless connectivity across all data link layer protocols and topologies, and a sophisticated metric.
EIGRP's underlying processes and technologies: the neighbor discovery/recovery mechanism, RTP, the DUAL finite state machine, and protocol-dependent modules.
EIGRP's tables: neighbor table, topology table, and routing table.
EIGRP terminology:
Advertised distance (the metric for an EIGRP neighbor router to reach the destination; the metric between the next-hop router and the destination)
Feasible distance (the sum of the AD from the next-hop neighbor and the cost between the local router and the next-hop router)
Successor (a neighboring router that has a least-cost loop-free path to a destination, the lowest FD)
Feasible successor (a neighboring router that has a loop-free backup path to a destination)
Passive routes, those not undergoing recomputation; active routes, those undergoing recomputation
The five EIGRP packet types: hello, update, query, reply, and acknowledgment.
Updates, queries, and replies are sent reliably.
Chapter 2 Summary
EIGRP initial route discovery process, started by a router sending hello packets.
Neighboring routers reply with update packets, which populate the router's
topology table. The router chooses the successor routes and offers them to the
routing table.
The DUAL process including selecting FSs. To qualify as an FS, a next-hop router
must have an AD less than the FD of the current successor route for the particular
network, to ensure a loop-free network.
The EIGRP metric calculation, which defaults to bandwidth (the slowest bandwidth between the source and destination) + delay (the cumulative interface delay along the path).
Planning EIGRP implementations, including:
IP addressing
Network topology
EIGRP traffic engineering.
The list of tasks for each router in the network include:
Enabling the EIGRP routing protocol (with the correct AS number)
Configuring the proper network statements
Optionally configuring the metric to appropriate interfaces.
Chapter 2 Summary (continued)
Basic EIGRP configuration commands.
Commands for verifying EIGRP operation.
Configuring a passive-interface.
Propagating a default route.
EIGRP summarization.
EIGRP over Frame Relay.
EIGRP over MPLS.
EIGRP load-balancing
EIGRP operation in WAN environments:
Configuring, verifying, and troubleshooting EIGRP MD5 authentication.
EIGRP scalability factors, including the amount of information exchanged, the number
of routers, the depth of the topology, and the number of alternative paths through the
network.
The SIA state and how to limit the query range to help reduce SIAs.
Configuring the remote routers as stub EIGRP routers.
Graceful shutdown, which broadcasts a goodbye message (in a hello packet, with all K
values set to 255) when an EIGRP routing process is shut down, to inform neighbors
Resources
http://www.cisco.com/go/eigrp
http://www.cisco.com/en/US/customer/docs/ios/iproute_eigrp/command/reference/ire_book.html