Configuration Guide: EIGRP Authentication

From: EIGRP HMAC-SHA-256 Authentication and EIGRP MD5 Authentication


  • EIGRP route authentication provides MD5 authentication of routing updates from the EIGRP routing protocol. 
  • The MD5 keyed digest in each EIGRP packet prevents the introduction of unauthorized or false routing messages from unapproved sources.
  • You can configure multiple keys with specific lifetimes. 
  • Only one authentication packet is sent, regardless of how many valid keys exist. 
  • The software examines the key numbers in the order from lowest to highest, and uses the first valid key that it encounters.


Defining an Autonomous System for EIGRP MD5 Authentication


! Identifies a key chain and enters key chain configuration mode.
Device(config)# key chain KEYCHAIN1
! Identifies the key number and enters key chain key configuration mode.
Device(config-keychain)# key 1
! Identifies the key string.
Device(config-keychain-key)# key-string 0987654321
! Specifies the time period during which the key can be received.
Device(config-keychain-key)# accept-lifetime 04:00:00 Jan 4 2007 infinite
! Specifies the time period during which the key can be sent.
Device(config-keychain-key)# send-lifetime 04:00:00 Dec 4 2006 infinite

Device(config)# interface GigabitEthernet1/0
! Enables MD5 authentication in EIGRP packets.
Device(config-if)# ip authentication mode eigrp 1 md5
! Enables authentication of EIGRP packets.
Device(config-if)# ip authentication key-chain eigrp 1 KEYCHAIN1
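The key-selection rule from the overview (key numbers examined lowest to highest, first valid key used) can be checked against a key chain's lifetimes before deployment. The Python below is an added example, not Cisco code: it models only that rule, key 2 in the sample is hypothetical, and it assumes both neighbors hold the same key chain and have synchronized clocks.

```python
from datetime import datetime

# Constructed sample: key 1 uses this page's lifetimes; key 2 is hypothetical.
# Key strings are left out because only key numbers and lifetimes matter here.
SAMPLE = """\
key chain KEYCHAIN1
 key 1
  accept-lifetime 04:00:00 Jan 4 2007 infinite
  send-lifetime 04:00:00 Dec 4 2006 infinite
 key 2
  accept-lifetime 04:00:00 Jan 1 2008 infinite
  send-lifetime 04:00:00 Jan 1 2008 infinite
"""
FMT = "%H:%M:%S %b %d %Y"  # only the "hh:mm:ss Mon d yyyy" form used on this page

def parse_lifetime(words):
    """Return (start, end); end is None for 'infinite'."""
    start = datetime.strptime(" ".join(words[:4]), FMT)
    end = None if words[4] == "infinite" else datetime.strptime(" ".join(words[4:8]), FMT)
    return start, end

def parse_key_chain(text):
    """Return {key_number: {'accept': (start, end), 'send': (start, end)}}."""
    keys, current = {}, None
    for line in text.splitlines():
        words = line.split()
        if len(words) == 2 and words[0] == "key" and words[1].isdigit():
            current = keys.setdefault(int(words[1]), {})
        elif current is not None and words and words[0] in ("accept-lifetime", "send-lifetime"):
            current[words[0].split("-")[0]] = parse_lifetime(words[1:])
    return keys

def valid(window, now):
    # Assumption: a key with no configured lifetime is treated as always valid.
    if window is None:
        return True
    start, end = window
    return start <= now and (end is None or now < end)

def send_key(keys, now):
    """Lowest-numbered key whose send-lifetime covers `now`, or None."""
    return next((n for n in sorted(keys) if valid(keys[n].get("send"), now)), None)

def accepted_by_peer(keys, now):
    """True if a peer holding the same key chain would accept the key sent at `now`."""
    n = send_key(keys, now)
    return n is not None and valid(keys[n].get("accept"), now)
```

In this model, key 1 is sent but not yet accepted between Dec 4 2006 and Jan 4 2007, and key 2 is never chosen for sending because key 1's send-lifetime is infinite and has the lower number.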

Defining a Named Configuration for EIGRP Route Authentication


! Identifies a key chain and enters key chain configuration mode.
Device(config)# key chain KEYCHAIN1
! Identifies the key number and enters key chain key configuration mode.
Device(config-keychain)# key 1
! Identifies the key string.
Device(config-keychain-key)# key-string 0987654321
! Specifies the time period during which the key can be received.
Device(config-keychain-key)# accept-lifetime 04:00:00 Jan 4 2007 infinite
! Specifies the time period during which the key can be sent.
Device(config-keychain-key)# send-lifetime 04:00:00 Dec 4 2006 infinite

Device(config)# router eigrp VIRTUAL-NAME1
Device(config-router)# address-family ipv4 autonomous-system 45000
Device(config-router-af)# af-interface GigabitEthernet0/0
! Specifies an authentication key chain for EIGRP.
Device(config-router-af-interface)# authentication key-chain KEYCHAIN1
! Specifies the type of authentication used in an EIGRP address family for the EIGRP instance.
Device(config-router-af-interface)# authentication mode md5


Configuring HMAC-SHA-256 Authentication


  • Packets exchanged between neighbors must be authenticated to ensure that a device accepts packets only from devices that have the same preshared authentication key.
  • EIGRP authentication is configurable on a per-interface basis.
  • The HMAC algorithm takes as input the data to be authenticated (that is, the EIGRP packet) and a shared secret key that is known to both the sender and the receiver; the algorithm gives a 256-bit hash output that is used for authentication. If the hash value provided by the sender matches the hash value calculated by the receiver, the packet is accepted by the receiver; otherwise, the packet is discarded.
  • For successful authentication, all of the following must be true:
    • The sender and receiver must have the same shared secret.
    • The source address chosen by the sender must match the source address in the IP header that the receiver receives.
    • The EIGRP packet data that the sender transmits must match the EIGRP packet data that the receiver receives.
  • Authentication cannot succeed if any of the following is true:
    • The sender does not know the shared secret expected by the receiver.
    • The IP source address in the IP header is modified in transit.
    • Any of the EIGRP packet data is modified in transit.


Device(config)# router eigrp NAME1
Device(config-router)# address-family ipv4 autonomous-system 45000
Device(config-router-af)# af-interface GigabitEthernet0/0
! Specifies the type of authentication to be used in an EIGRP address family for the EIGRP instance.
! In this case, the HMAC-SHA-256 authentication method is used.
! Command syntax: authentication mode {hmac-sha-256 encryption-type password | md5}
Device(config-router-af-interface)# authentication mode hmac-sha-256 7 password1
