EIGRP Authentication
Authentication data is carried in every EIGRP packet type (hello, update, query, reply, ack), not only in hellos.
EIGRP has two authentication types: MD5 (type 2) and HMAC-SHA-256 (type 3). Type zero (0) means no authentication.
- In classic mode we only have MD5.
- In named mode we have MD5 and HMAC-SHA-256.
To demonstrate authentication, R1 and R4 will use named mode, and R2 and R3 will use classic mode.
For MD5 authentication, first create the key chain on all routers. Be careful not to add a space before or after the key string: a trailing space becomes part of the key and the neighbours will fail to authenticate while the configs look identical.
Key chain names do not have to match between neighbours, but the key IDs and key strings must match.
MD5 Authentication
1 - Create the Key Chain.
R1#conf t
R1(config)#key chain cisco
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string cisco*123
Verification with show key chain. The line "cryptographic-algorithm: Unknown Crypto" only means that no cryptographic-algorithm was set under the key; for EIGRP the algorithm is chosen on the interface (classic mode) or under af-interface (named mode), not in the key chain.
R1#sho key chain
Key-chain cisco:
key 1 -- text "cisco*123"
cryptographic-algorithm: Unknown Crypto
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
2 - Configure the authentication on the interface.
2.1 - Classic mode
- EIGRPv4
R2(config-router)#int rang g1-2
R2(config-if-range)#ip authentication mode eigrp 1 md5
R2(config-if-range)#ip authentication key-chain eigrp 1 cisco
- EIGRPv6
R2(config-router)#int rang g1-2
R2(config-if-range)#ipv6 authentication mode eigrp 1 md5
R2(config-if-range)#ipv6 authentication key-chain eigrp 1 cisco
2.2 - Named mode
Authentication can be applied to a single interface with af-interface <name>, or to all interfaces at once with af-interface default.
router eigrp CORE
!
address-family ipv4 unicast autonomous-system 1
!
af-interface default
authentication mode md5
authentication key-chain cisco
exit-af-interface
!
address-family ipv6 unicast autonomous-system 1
!
af-interface g1
authentication mode md5
authentication key-chain cisco
exit-af-interface
!
HMAC-SHA-256
It is supported only in named mode. To demonstrate the configuration, R2 will be moved back to named mode.
The password is given at the end of the authentication mode command; no key chain is needed. The password is stored in the running configuration, so protect configuration backups accordingly. The configuration below was applied to R1, R2 and R4.
router eigrp CORE
!
address-family ipv4 unicast autonomous-system 1
!
af-interface GigabitEthernet1
authentication mode hmac-sha-256 cisco
!
address-family ipv6 unicast autonomous-system 1
!
af-interface default
authentication mode hmac-sha-256 cisco
Verification (from another lab)
R1#show ip eigrp interfaces detail g1
EIGRP-IPv4 VR(MULTI-AF) Address-Family Interfaces for AS(100)
Xmit Queue PeerQ Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable Un/Reliable SRTT Un/Reliable Flow Timer Routes
Gi1 1 0/0 0/0 1 0/0 50 0
Hello-interval is 5, Hold-time is 15
Split-horizon is enabled
Next xmit serial <none>
Packetized sent/expedited: 122/6
Hello's sent/expedited: 1671/9
Un/reliable mcasts: 0/101 Un/reliable ucasts: 148/51
Mcast exceptions: 1 CR packets: 1 ACKs suppressed: 3
Retransmissions sent: 15 Out-of-sequence rcvd: 3
Topology-ids on interface - 0
Authentication mode is md5, key-chain is "MD5_KEYS"
Topologies advertised on this interface: base
Topologies not advertised on this interface:
Key rotation.
A key chain can hold more than one key ID. On send, EIGRP always uses the lowest key ID whose send-lifetime is currently valid; on receive, any key whose accept-lifetime is valid is tried.
We will create 3 keys under the already created key chain cisco to test the key rotation, and apply the same keys on all 3 routers. Lifetimes are evaluated against each router's own clock, so the routers must be time-synchronised (NTP) or the rotation windows will not line up.
key chain cisco
key 1
key-string cisco*123
accept-lifetime 20:30:00 Jul 7 2025 20:32:00 Jul 7 2025
send-lifetime 20:30:00 Jul 7 2025 20:32:00 Jul 7 2025
key 2
key-string cisco2
accept-lifetime 20:31:00 Jul 7 2025 20:33:00 Jul 7 2025
send-lifetime 20:31:00 Jul 7 2025 20:33:00 Jul 7 2025
key 3
key-string cisco3
accept-lifetime 20:32:00 Jul 7 2025 infinite
send-lifetime 20:32:00 Jul 7 2025 infinite
As the lifetimes above show, consecutive keys overlap by one minute: a key must not expire before the next one is already valid on both sides, otherwise there is a moment with no usable key and the neighbourship goes down. The last key is left at infinite so the chain never runs dry; when it is rotated later, add the new key with a start time inside key 3's lifetime before retiring key 3.
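To see the rule "lowest valid key ID sends, any valid key accepts" at work, here is a small simulation of the key chain above. It is an added example, not code from the original post or from IOS: it reproduces the page's key chain cisco (keys 1 to 3 with the lifetimes shown), adds a constructed chain with a one-minute hole between keys, and checks what a receiver whose clock is three minutes slow does. The boundary handling (a key is valid from its start time up to, but not including, its end time) and the clock-skew model are assumptions for the illustration.

```python
"""EIGRP key-chain rotation simulated in Python (added example, not IOS code).

Reproduces the page's key chain 'cisco' and shows which key signs at each
instant, what a gap between lifetimes does, and why clocks must agree.
Boundary handling (valid from start up to, not including, end) and the
skew model are assumptions made for the illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

INFINITE = datetime.max  # stands in for the IOS keyword 'infinite'


def ios_time(text: str) -> datetime:
    """Parse the IOS lifetime format used on the page, e.g. '20:30:00 Jul 7 2025'."""
    return datetime.strptime(text, "%H:%M:%S %b %d %Y")


@dataclass(frozen=True)
class Key:
    key_id: int
    key_string: str
    accept_start: datetime
    accept_end: datetime
    send_start: datetime
    send_end: datetime

    def can_send(self, now: datetime) -> bool:
        return self.send_start <= now < self.send_end

    def can_accept(self, now: datetime) -> bool:
        return self.accept_start <= now < self.accept_end


def send_key(chain: List[Key], now: datetime) -> Optional[Key]:
    """EIGRP signs with the lowest key ID whose send-lifetime is valid now."""
    valid = [k for k in chain if k.can_send(now)]
    return min(valid, key=lambda k: k.key_id) if valid else None


def accept_keys(chain: List[Key], now: datetime) -> List[Key]:
    """Every key the receiver is willing to check an incoming packet against."""
    return [k for k in chain if k.can_accept(now)]


def exchange(sender: List[Key], receiver: List[Key], now: datetime,
             receiver_skew_s: int = 0) -> bool:
    """Can a hello sent at 'now' be authenticated by the receiver?

    The receiver evaluates lifetimes against its own clock, which may be off
    by receiver_skew_s seconds. Key ID and key string must both match; the
    key chain name plays no part.
    """
    k = send_key(sender, now)
    if k is None:
        return False  # nothing to sign with: the sender's hellos stop
    rx_now = now + timedelta(seconds=receiver_skew_s)
    return any(r.key_id == k.key_id and r.key_string == k.key_string
               for r in accept_keys(receiver, rx_now))


def key(key_id: int, secret: str, start: str, end: str) -> Key:
    """Key whose accept- and send-lifetime are identical, as on the page."""
    s = ios_time(start)
    e = INFINITE if end == "infinite" else ios_time(end)
    return Key(key_id, secret, s, e, s, e)


# The page's key chain 'cisco': each key overlaps the next by one minute.
PAGE_CHAIN = [
    key(1, "cisco*123", "20:30:00 Jul 7 2025", "20:32:00 Jul 7 2025"),
    key(2, "cisco2",    "20:31:00 Jul 7 2025", "20:33:00 Jul 7 2025"),
    key(3, "cisco3",    "20:32:00 Jul 7 2025", "infinite"),
]

# Constructed counter-example: a one-minute hole between key 1 and key 2.
GAP_CHAIN = [
    key(1, "cisco*123", "20:30:00 Jul 7 2025", "20:32:00 Jul 7 2025"),
    key(2, "cisco2",    "20:33:00 Jul 7 2025", "infinite"),
]

PROBES = ["20:30:30 Jul 7 2025", "20:31:30 Jul 7 2025",
          "20:32:30 Jul 7 2025", "20:33:30 Jul 7 2025"]


def timeline(chain: List[Key], times: List[str]) -> List[Optional[int]]:
    """Key ID used to send at each instant (None = no valid key, adjacency drops)."""
    out = []
    for t in times:
        k = send_key(chain, ios_time(t))
        out.append(k.key_id if k else None)
    return out


if __name__ == "__main__":
    print("page chain sends with key:", timeline(PAGE_CHAIN, PROBES))
    print("gap chain sends with key: ", timeline(GAP_CHAIN, PROBES))
    t = ios_time("20:32:30 Jul 7 2025")
    print("clocks in sync:         ", exchange(PAGE_CHAIN, PAGE_CHAIN, t))
    print("receiver 3 minutes slow:", exchange(PAGE_CHAIN, PAGE_CHAIN, t, -180))
```

With the page's chain the send key moves 1, 1, 2, 3 across the four probe times and every hello is accepted; the gap chain has no send key at 20:32:30, which is exactly the moment the adjacency would drop, and a receiver three minutes slow rejects a correctly signed hello because none of its accept windows has opened yet.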
OSPF Authentication
- OSPF authentication is not a field of the hello packet. The AuType and Authentication fields live in the common OSPF packet header, so every OSPF packet type (hello, DBD, LSR, LSU, LSAck) is authenticated.
- OSPF has 3 types of authentication:
- None (Type 0)
- Simple password authentication (Type 1): the password travels in clear text in every packet, so it only protects against accidental adjacencies, not against an attacker on the segment.
- Cryptographic authentication (Type 2): MD5 or HMAC-SHA. The header carries a key ID and a cryptographic sequence number (replay protection) and the digest is appended after the packet.
Authentication can be enabled per interface or for a whole area under the OSPF process; the key itself is configured on the interface (virtual links aside, see the end of this page).
- Type 1 authentication example.
Below is an example of Type 1 authentication. R1 enables it for the area and R2 enables it on the interface.
- Configuration
R1
router ospf 1
area 0 authentication
interface Ethernet0/0
ip ospf authentication-key cisco
R2
interface Ethernet0/0
ip ospf authentication
ip ospf authentication-key cisco
Verification
R1
R1#sho ip ospf interface e0/0
Ethernet0/0 is up, line protocol is up
Internet Address 155.1.12.1/24, Area 0, Attached via Interface Enable
Process ID 1, Router ID 150.1.1.1, Network Type POINT_TO_POINT, Cost: 10
Topology-MTID Cost Disabled Shutdown Topology Name
0 10 no no Base
Enabled by interface config, including secondary ip addresses
Transmit Delay is 1 sec, State POINT_TO_POINT
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:04
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 1/2/2, flood queue length 0
Next 0x0(0)/0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 2
Last flood scan time is 0 msec, maximum is 1 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 150.1.2.2
Suppress hello for 0 neighbor(s)
Simple password authentication enabled
R2
R2#sho ip ospf int e0/0
Ethernet0/0 is up, line protocol is up
Internet Address 155.1.12.2/24, Area 0, Attached via Interface Enable
Process ID 1, Router ID 150.1.2.2, Network Type POINT_TO_POINT, Cost: 10
Topology-MTID Cost Disabled Shutdown Topology Name
0 10 no no Base
Enabled by interface config, including secondary ip addresses
Transmit Delay is 1 sec, State POINT_TO_POINT
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:04
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 1/2/2, flood queue length 0
Next 0x0(0)/0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 2
Last flood scan time is 0 msec, maximum is 1 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 150.1.1.1
Suppress hello for 0 neighbor(s)
Simple password authentication enabled
- Type 2 authentication.
- It uses MD5 or HMAC-SHA (hmac-sha-1, -256, -384 or -512 via the key chain's cryptographic-algorithm).
- MD5 can be configured directly on the interface or within a key chain.
- HMAC-SHA is only available through a key chain with a cryptographic-algorithm set.
- Both ends of a link must use the same key ID, key string and algorithm.
Below is an example of Type 2 authentication.
1 - MD5 interface configuration.
R3 enables it for the area and R4 on the interface.
R3
router ospf 1
area 0 authentication message-digest
interface Ethernet0/0
ip ospf message-digest-key 1 md5 cisco*123
R4
interface Ethernet0/0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco*123
- Verification
R3#sho ip ospf int e0/0 | sec auth
Cryptographic authentication enabled
Youngest key id is 1
R4#sho ip ospf int e0/0 | sec auth
Cryptographic authentication enabled
Youngest key id is 1
2 - MD5 with a key chain.
R3 and R8 also use MD5 authentication, but the key comes from a key chain. With ip ospf authentication key-chain no separate ip ospf authentication message-digest command is needed on the interface.
R3 and R8
key chain MYMD5
key 1
key-string MYMD5
cryptographic-algorithm md5
R3
interface GigabitEthernet3
ip ospf authentication key-chain MYMD5
R8
interface GigabitEthernet1
ip ospf authentication key-chain MYMD5
Verification
R3
R3#sho ip ospf int g3 | se auth
Cryptographic authentication enabled
Sending SA: Key 1, Algorithm MD5 - key chain MYMD5
R8
R8#sho ip ospf int g1 | sec auth
Cryptographic authentication enabled
Sending SA: Key 1, Algorithm MD5 - key chain MYMD5
3 - HMAC-SHA authentication. This is the same key chain configuration as the MD5 example above, only the cryptographic algorithm changes.
We will use the link between R3 and R8 with a different cryptographic-algorithm in the key chain (the chain keeps its name MYMD5 from the previous example; the name has no effect on the algorithm used). Change both ends, otherwise the digest lengths differ and the adjacency drops.
R3 and R8
key chain MYMD5
key 1
key-string MYMD5
cryptographic-algorithm hmac-sha-256
- Verification
R3
R3#sho ip ospf int g3 | se auth
Cryptographic authentication enabled
Sending SA: Key 1, Algorithm HMAC-SHA-256 - key chain MYMD5
R8
R8#sho ip ospf int g1 | sec auth
Cryptographic authentication enabled
Sending SA: Key 1, Algorithm HMAC-SHA-256 - key chain MYMD5
A second capture, R2 and R4 on Ethernet0/1, again with HMAC-SHA-256 through a key chain named cisco. The first section filter also matches the Type 1 authentication-key line of e0/0 because it contains "key".
R2#sho run | sec key|e0/1
key chain cisco
key 1
key-string cisco*123
cryptographic-algorithm hmac-sha-256
ip ospf authentication-key cisco
ip ospf authentication key-chain cisco
R2#sho run int e0/1
Building configuration...
Current configuration : 169 bytes
!
interface Ethernet0/1
ip address 155.1.24.2 255.255.255.0
ip ospf authentication key-chain cisco
ip ospf network point-to-point
ip ospf 1 area 0
duplex auto
end
R2#sho ip ospf int e0/1
Ethernet0/1 is up, line protocol is up
Internet Address 155.1.24.2/24, Area 0, Attached via Interface Enable
Process ID 1, Router ID 150.1.2.2, Network Type POINT_TO_POINT, Cost: 10
Topology-MTID Cost Disabled Shutdown Topology Name
0 10 no no Base
Enabled by interface config, including secondary ip addresses
Transmit Delay is 1 sec, State POINT_TO_POINT
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:03
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 1/3/3, flood queue length 0
Next 0x0(0)/0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 4
Last flood scan time is 0 msec, maximum is 1 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 150.1.4.4
Suppress hello for 0 neighbor(s)
Cryptographic authentication enabled
Sending SA: Key 1, Algorithm HMAC-SHA-256 - key chain cisco
R4#sho run | sec key cha
key chain cisco
key 1
key-string cisco*123
cryptographic-algorithm hmac-sha-256
R4#sho run int e0/1
Building configuration...
Current configuration : 169 bytes
!
interface Ethernet0/1
ip address 155.1.24.4 255.255.255.0
ip ospf authentication key-chain cisco
ip ospf network point-to-point
ip ospf 1 area 0
duplex auto
end
R4#sho ip osp int e0/1
Ethernet0/1 is up, line protocol is up
Internet Address 155.1.24.4/24, Area 0, Attached via Interface Enable
Process ID 1, Router ID 150.1.4.4, Network Type POINT_TO_POINT, Cost: 10
Topology-MTID Cost Disabled Shutdown Topology Name
0 10 no no Base
Enabled by interface config, including secondary ip addresses
Transmit Delay is 1 sec, State POINT_TO_POINT
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:09
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 1/3/3, flood queue length 0
Next 0x0(0)/0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 2
Last flood scan time is 0 msec, maximum is 1 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 150.1.2.2
Suppress hello for 0 neighbor(s)
Cryptographic authentication enabled
Sending SA: Key 1, Algorithm HMAC-SHA-256 - key chain cisco
R4#
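What the "Cryptographic authentication enabled" line actually buys you is easier to see on the wire. The following is an added example in Python, not code from the original post or from IOS: it builds an OSPFv2 header with AuType 2, computes the authentication trailer as keyed MD5 (RFC 2328 Appendix D) and as HMAC-SHA-256 following the RFC 5709 construction (Apad filling the trailer slot), and then verifies packets the way a receiver does, including the key-ID lookup and the replay check on the cryptographic sequence number. The router IDs, hello body, sequence numbers and the "guess" key are constructed; MYMD5 is the key string from the page. The HMAC-SHA-256 variant has not been checked bit-for-bit against an IOS capture here, so treat it as a reference model of the RFC rather than a decoder for real traffic.

```python
"""OSPF Type 2 (cryptographic) authentication worked in Python (added example).

Keyed MD5 per RFC 2328 Appendix D and HMAC-SHA-256 per RFC 5709, plus the
receiver-side checks: key-ID lookup, length check, constant-time compare and
the non-decreasing cryptographic sequence number. All packet data below is
constructed; only the key string MYMD5 comes from the page.
"""
import hashlib
import hmac
import struct

OSPF_HDR = "!BBH4s4sHHHBBI"  # ver,type,len,rid,area,csum,autype,resv,keyid,dlen,seq
AUTYPE_CRYPTO = 2
DIGEST_LEN = {"md5": 16, "hmac-sha-256": 32}
APAD = bytes.fromhex("878FE1F3") * 8  # RFC 5709 Apad: 0x878FE1F3 repeated L/4 times, L=32


def ospf_header(ptype, length, router_id, area_id, key_id, seq, digest_len):
    """24-byte header. With AuType 2 the checksum is zero and the 64-bit
    Authentication field becomes (reserved, key ID, auth data length, seq)."""
    return struct.pack(OSPF_HDR, 2, ptype, length, router_id, area_id,
                       0, AUTYPE_CRYPTO, 0, key_id, digest_len, seq)


def auth_trailer(packet: bytes, key: bytes, alg: str) -> bytes:
    """Digest over the packet (header + body); the trailer itself is excluded."""
    if alg == "md5":
        # RFC 2328 D.4.3: append the 16-byte key (zero padded) and MD5 the
        # whole thing. Plain keyed MD5, not HMAC.
        return hashlib.md5(packet + key.ljust(16, b"\0")[:16]).digest()
    if alg == "hmac-sha-256":
        # RFC 5709: Ko = K zero-padded to L, or H(K) if longer than L; the
        # trailer is HMAC(Ko, packet || Apad), Apad filling the digest's slot.
        ko = hashlib.sha256(key).digest() if len(key) > 32 else key.ljust(32, b"\0")
        return hmac.new(ko, packet + APAD, hashlib.sha256).digest()
    raise ValueError(alg)


def sign(ptype, body, router_id, area_id, key_id, key, seq, alg):
    """Packet as sent: header + body + trailer (the length field excludes the trailer)."""
    length = 24 + len(body)
    pkt = ospf_header(ptype, length, router_id, area_id, key_id, seq, DIGEST_LEN[alg]) + body
    return pkt + auth_trailer(pkt, key, alg)


class Receiver:
    """Receiving side: key table (key_id -> (key, alg)) and last seq per neighbour."""

    def __init__(self, keys):
        self.keys = keys
        self.last_seq = {}

    def verify(self, wire: bytes) -> str:
        (_ver, _ptype, length, rid, _area, _csum, autype,
         _resv, key_id, dlen, seq) = struct.unpack(OSPF_HDR, wire[:24])
        if autype != AUTYPE_CRYPTO or key_id not in self.keys:
            return "reject: unknown key id or wrong AuType"
        key, alg = self.keys[key_id]
        if dlen != DIGEST_LEN[alg] or len(wire) != length + dlen:
            return "reject: bad auth data length"
        pkt, trailer = wire[:length], wire[length:]
        if not hmac.compare_digest(auth_trailer(pkt, key, alg), trailer):
            return "reject: digest mismatch"
        # RFC 2328 D.4.3: seq must be non-decreasing per neighbour (equal is allowed)
        if seq < self.last_seq.get(rid, 0):
            return "reject: replayed sequence number"
        self.last_seq[rid] = seq
        return "accept"


R3, R8 = bytes([150, 1, 3, 3]), bytes([150, 1, 8, 8])  # constructed router IDs
AREA0 = bytes(4)
# Constructed hello body: mask /24, hello 10, options 0x12, prio 1, dead 40, DR/BDR 0
HELLO = bytes.fromhex("ffffff00 000a 12 01 00000028 00000000 00000000")
KEY = b"MYMD5"


def demo():
    """R8 receives hellos from R3 over the key-chain link; returns each verdict."""
    r8 = Receiver({1: (KEY, "hmac-sha-256")})

    def hello(seq, key=KEY, alg="hmac-sha-256"):
        return sign(1, HELLO, R3, AREA0, 1, key, seq, alg)

    first, later = hello(1000), hello(1001)
    return [
        r8.verify(first),                      # accept
        r8.verify(first),                      # accept: an equal seq is allowed by the RFC
        r8.verify(later),                      # accept
        r8.verify(first),                      # reject: replayed sequence number
        r8.verify(hello(2000, key=b"guess")),  # reject: digest mismatch
        r8.verify(hello(2000, alg="md5")),     # reject: bad auth data length (peer still on md5)
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Two things worth noticing: the sequence number check only rejects packets older than the last one seen, so an identical packet replayed before the sender increments its sequence number is still accepted (the RFC allows equal values); and a peer left on MD5 while the other side moved to HMAC-SHA-256 fails on the auth data length before any digest is computed, which is what you see in the lab when only one end's key chain is changed.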
====
Virtual link authentication.
A virtual link is an interface in area 0, so its authentication mode is enabled either with area 0 authentication [message-digest] or with the authentication [message-digest] keyword on the virtual-link command itself, and the key is given on the virtual-link command inside the OSPF process. The area ID on that command is the transit area the virtual link crosses (a non-backbone area; area 1 is assumed below), not area 0. Below is the example for simple password and MD5 authentication.
Type 1
router ospf 1
area 1 virtual-link 1.1.1.1 authentication authentication-key cisco
Type 2
router ospf 1
area 1 virtual-link 1.1.1.1 authentication message-digest message-digest-key 1 md5 cisco*123
To verify that authentication is enabled, use show ip ospf virtual-links.