My Network Lab: Configuring Dynamic Routing Protocol Authentication

Cisco routers support a couple of different approaches to authenticating route advertisements received from a neighboring router:

* Plain text authentication

* Hashing authentication

Both of these approaches require routers to have matching passwords (also referred to as keys ); however, Cisco recommends the use of hashing authentication. Plain text authentication, as the name suggests, simply sends a password from one router to another in clear text. This leads to the security concern of having a malicious user capture authentication traffic containing a password and then injecting her own router, which could use the compromised password to authenticate with one of the network’s production routers.

Hashing authentication is preferred over plain text authentication, because it never sends the password over the network. Instead, a mathematical algorithm is run on the password, and the result of that algorithm (called a hash digest ) is sent from one router to its neighbor. That neighboring router also runs the hashing algorithm on its configured password, and if its hash digest matches the hash digest it receives from the first router, it can conclude that the passwords match. The two hashing algorithms that you can select from (depending on the routing protocol) include Message Digest 5 (MD5) and Secure Hash Algorithm (SHA) . SHA is generally considered to be somewhat more secure than MD5; however, either algorithm is vastly superior to using plain text authentication.

Hashing authentication using MD5 can be configured for the following protocols within Cisco IOS:

* RIPv2

* EIGRP

* OSPFv2

* OSPFv3

* IS-IS

* BGP

SHA authentication is supported by the following protocols:

* RIP next generation (RIPng)

* Named EIGRP

* OSPFv2

R1#conf t

Enter configuration commands, one per line. End with CNTL/Z.

R1(config)#interface loop 0

R1(config-if)#

*Jul 23 10:06:29.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up

R1(config-if)#ip address 192.168.1.1 255.255.255.0

R1(config-if)#interface serial 2/0

R1(config-if)#ip address 10.1.1.1 255.255.255.252

R1(config-if)#no shut

R1(config-if)#

*Jul 23 10:06:54.739: %LINK-3-UPDOWN: Interface Serial2/0, changed state to up

R1(config-if)#

*Jul 23 10:06:55.747: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up

R1(config-if)#end

R1#

*Jul 23 10:06:58.731: %SYS-5-CONFIG_I: Configured from console by console

R2#conf t

Enter configuration commands, one per line. End with CNTL/Z.

R2(config)#interface serial 2/0

R2(config-if)#ip address 10.1.1.2 255.255.255.252

R2(config-if)#no shut

R2(config-if)#

*Jul 23 10:05:23.347: %LINK-3-UPDOWN: Interface Serial2/0, changed state to up

R2(config-if)#

*Jul 23 10:05:24.355: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up

R2(config-if)#do ping 10.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/28/40 ms

R2(config-if)#

R2(config-if)#interface serial 2/1

R2(config-if)#ip address 10.2.2.1 255.255.255.252

R2(config-if)#no shut

R2(config-if)#

*Jul 23 10:06:14.075: %LINK-3-UPDOWN: Interface Serial2/1, changed state to up

R2(config-if)#

*Jul 23 10:06:15.083: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/1, changed state to up

R2(config-if)#end

R2#

R3#conf t

Enter configuration commands, one per line. End with CNTL/Z.

R3(config)#interface loop 0

R3(config-if)#

*Jul 23 10:06:53.103: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up

R3(config-if)#ip address 192.168.3.1 255.255.255.0

R3(config-if)#

R3(config-if)#interface serial 2/1

R3(config-if)#ip address 10.2.2.2 255.255.255.252

R3(config-if)#no shut

R3(config-if)#

*Jul 23 10:07:18.539: %LINK-3-UPDOWN: Interface Serial2/1, changed state to up

R3(config-if)#

*Jul 23 10:07:19.547: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/1, changed state to up

R3(config-if)#do ping 10.2.2.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/28 ms

R3(config-if)#end

R3#

R1#conf t

Enter configuration commands, one per line. End with CNTL/Z.

R1(config)#router eigrp ?

<1-65535> Autonomous System

WORD EIGRP Virtual-Instance Name

R1(config)#router eigrp ROUTE // CONFIGURE NAMED EIGRP

R1(config-router)#?

Router configuration commands:

address-family Enter Address Family command mode

default Set a command to its defaults

exit Exit from routing protocol configuration mode

no Negate a command or set its defaults

service-family Enter Service Family command mode

shutdown Shutdown this instance of EIGRP

R1(config-router)#address-family ?

ipv4 Address family IPv4

ipv6 Address family IPv6

R1(config-router)#address-family ipv4 ?

autonomous-system Specify Address-Family Autonomous System Number

multicast Address Family Multicast

unicast Address Family Unicast

vrf Specify a specific virtual routing/forwarding instance

R1(config-router)#address-family ipv4 autonomous-system ?

<1-65535> Autonomous System

R1(config-router)#address-family ipv4 autonomous-system 1

R1(config-router-af)#network 10.1.1.0 0.0.0.3

R1(config-router-af)#network 192.168.1.0 0.0.0.255

R1(config-router-af)#end

R1#

*Jul 23 10:14:08.843: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.1.1.2 (Serial2/0) is up: new adjacency

R2#conf t

Enter configuration commands, one per line. End with CNTL/Z.

R2(config)#router eigrp ROUTE

R2(config-router)#address-family ipv4 autonomous-system 1

R2(config-router-af)#network 10.1.1.0 0.0.0.3

R2(config-router-af)#

*Jul 23 10:11:08.475: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.1.1.1 (Serial2/0) is up: new adjacency

R2(config-router-af)#network 10.2.2.0 0.0.0.3

R2(config-router-af)#end

R2#

*Jul 23 10:12:02.783: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.2.2.2 (Serial2/1) is up: new adjacency

R3#conf t

Enter configuration commands, one per line. End with CNTL/Z.

R3(config)#router eigrp ROUTE

R3(config-router)#address-family ipv4 autonomous-system 1

R3(config-router-af)#network 10.2.2.2 0.0.0.3

R3(config-router-af)#

*Jul 23 10:12:12.347: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.2.2.1 (Serial2/1) is up: new adjacency

R3(config-router-af)#network 192.168.3.0 0.0.0.255

R3(config-router-af)#end

R3#

R1#show ip route eigrp // VERIFY EIGRP ROUTES

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP

+ - replicated route, % - next hop override

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks

D 10.2.2.0/30 [90/23796062] via 10.1.1.2, 00:02:22, Serial2/0

D 192.168.3.0/24 [90/23796702] via 10.1.1.2, 00:01:28, Serial2/0

R1#

R1#tclsh // VERIFY CONNECTIVTY

R1(tcl)#foreach address {

+>(tcl)#192.168.1.1

+>(tcl)#10.1.1.1

+>(tcl)#10.1.1.2

+>(tcl)#10.2.2.1

+>(tcl)#10.2.2.2

+>(tcl)#192.168.3.1

+>(tcl)#} { ping $address }

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/8 ms

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 36/40/44 ms

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 12/18/24 ms

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/16/20 ms

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/34/44 ms

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/34/72 ms

R1#conf t

Enter configuration commands, one per line. End with CNTL/Z.

R1(config)#router eigrp ROUTE // SECURE NAMED EIGRP PROCESS

R1(config-router)#address-family ipv4 autonomous-system 1

R1(config-router-af)#?

Address Family configuration commands:

af-interface Enter Address Family interface configuration

default Set a command to its defaults

eigrp EIGRP Address Family specific commands

exit-address-family Exit Address Family configuration mode

help Description of the interactive help system

maximum-prefix Maximum number of prefixes acceptable in aggregate

metric Modify metrics and parameters for address advertisement

neighbor Specify an IPv4 neighbor router

network Enable routing on an IP network

no Negate a command or set its defaults

shutdown Shutdown address family

timers Adjust peering based timers

topology Topology configuration mode

R1(config-router-af)#af-interface ?

Async Async interface

Auto-Template Auto-Template interface

BVI Bridge-Group Virtual Interface

CDMA-Ix CDMA Ix interface

CTunnel CTunnel interface

Dialer Dialer interface

FastEthernet FastEthernet IEEE 802.3

GMPLS MPLS interface

Group-Async Async Group interface

LISP Locator/ID Separation Protocol Virtual Interface

LongReachEthernet Long-Reach Ethernet interface

Loopback Loopback interface

MFR Multilink Frame Relay bundle interface

Multilink Multilink-group interface

Port-channel Ethernet Channel of interfaces

Serial Serial

Tunnel Tunnel interface

Vif PGM Multicast Host interface

Virtual-PPP Virtual PPP interface

Virtual-Template Virtual Template interface

Virtual-TokenRing Virtual TokenRing

default Address-family default interface configuration

vmi Virtual Multipoint Interface

R1(config-router-af)#af-interface serial 2/0

R1(config-router-af-interface)#?

Address Family Interfaces configuration commands:

authentication authentication subcommands

bandwidth-percent Set percentage of bandwidth percentage limit

bfd Enable Bidirectional Forwarding Detection

dampening-change Percent interface metric must change to cause update

dampening-interval Time in seconds to check interface metrics

default Set a command to its defaults

exit-af-interface Exit from Address Family Interface configuration mode

hello-interval Configures hello interval

hold-time Configures hold time

next-hop-self Configures EIGRP next-hop-self

no Negate a command or set its defaults

passive-interface Suppress address updates on an interface

shutdown Disable Address-Family on interface

split-horizon Perform split horizon

summary-address Perform address summarization

R1(config-router-af-interface)#authentication ?

key-chain key-chain

mode authentication mode

R1(config-router-af-interface)#authentication mode ?

hmac-sha-256 HMAC-SHA-256 Authentication

md5 Keyed message digest

R1(config-router-af-interface)#authentication mode hmac-sha-256 ?

<0-7> Encryption type (0 to disable encryption, 7 for proprietary)

LINE password

R1(config-router-af-interface)#authentication mode hmac-sha-256 cisco123 // ENABLE SHA 256

R1(config-router-af-interface)#

*Jul 23 10:19:57.471: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.1.1.2 (Serial2/0) is down: authentication HMAC-SHA-256 configured

R1(config-router-af-interface)#end

R1#

*Jul 23 10:25:41.283: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.1.1.2 (Serial2/0) is up: new adjacency

*Jul 23 10:16:57.079: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.1.1.1 (Serial2/0) is down: Auth failure

R2#

R2#conf t

Enter configuration commands, one per line. End with CNTL/Z.

R2(config)#router eigrp ROUTE

R2(config-router)#address-family ipv4 autonomous-system 1

R2(config-router-af)#af-interface serial 2/0

R2(config-router-af-interface)#authentication mode hmac-sha-256 cisco123

R2(config-router-af-interface)#

*Jul 23 10:22:40.859: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.1.1.1 (Serial2/0) is up: new adjacency

R2(config-router-af-interface)#exit

R2(config-router-af)#af-interface serial 2/1

R2(config-router-af-interface)#authentication mode hmac-sha-256 cisco456

R2(config-router-af-interface)#

*Jul 23 10:23:57.835: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.2.2.2 (Serial2/1) is down: authentication HMAC-SHA-256 configured

R2(config-router-af-interface)#end

R2#

*Jul 23 10:26:31.195: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.2.2.2 (Serial2/1) is up: new adjacency

R3#conf t

Enter configuration commands, one per line. End with CNTL/Z.

R3(config)#router eigrp ROUTE

R3(config-router)#address-family ipv4 autonomous-system 1

R3(config-router-af)#af-interface serial 2/1

R3(config-router-af-interface)#authentication mode hmac-sha-256 cisco456

R3(config-router-af-interface)#

*Jul 23 10:26:40.727: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.2.2.1 (Serial2/1) is up: new adjacency

R3(config-router-af-interface)#end

R3#

R1#show ip route eigrp

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP

+ - replicated route, % - next hop override

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks

D 10.2.2.0/30 [90/23796062] via 10.1.1.2, 00:05:35, Serial2/0

D 192.168.3.0/24 [90/23796702] via 10.1.1.2, 00:01:43, Serial2/0

R1#

R1#tclsh

R1(tcl)#foreach address {

+>(tcl)#192.168.1.1

+>(tcl)#10.1.1.1

+>(tcl)#10.1.1.2

+>(tcl)#10.2.2.1

+>(tcl)#10.2.2.2

+>(tcl)#192.168.3.1

+>(tcl)#} { ping $address }

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/22/32 ms

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/10/20 ms

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/12/20 ms

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/26/32 ms

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 12/18/24 ms

R1#conf t

Enter configuration commands, one per line. End with CNTL/Z.

R1(config)#no router eigrp ROUTE

R1(config)#

R1(config)#router ospf 1

R1(config-router)#network 192.168.1.0 0.0.0.255 area 0

R1(config-router)#network 10.1.1.0 0.0.0.3 area 0

R1(config-router)#end

R1#

*Jul 23 10:39:23.735: %OSPF-5-ADJCHG: Process 1, Nbr 10.2.2.1 on Serial2/0 from LOADING to FULL, Loading Done

*Jul 23 10:29:31.807: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.1.1.1 (Serial2/0) is down: Interface PEER-TERMINATION received

R2#

R2#conf t

Enter configuration commands, one per line. End with CNTL/Z.

R2(config)#no router eigrp ROUTE // REMOVE EIGRP ROUTING PROTOCOL

R2(config)#

R2(config)#router ospf 1 // CONFIGURE OSPF ROUTING PROTOCOL

R2(config-router)#network 10.1.1.0 0.0.0.3 area 0

R2(config-router)#

*Jul 23 10:36:23.351: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.1.1 on Serial2/0 from LOADING to FULL, Loading Done

R2(config-router)#network 10.2.2.0 0.0.0.3 area 0

R2(config-router)#end

R2#

*Jul 23 10:37:56.143: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.3.1 on Serial2/1 from LOADING to FULL, Loading Done

*Jul 23 10:29:56.123: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.2.2.1 (Serial2/1) is down: Interface PEER-TERMINATION received

R3#

R3#conf t

Enter configuration commands, one per line. End with CNTL/Z.

R3(config)#no router eigrp ROUTE

R3(config)#

R3(config)#router ospf 1

R3(config-router)#network 192.168.3.0 0.0.0.255 area 0

R3(config-router)#network 10.2.2.0 0.0.0.3 area 0

R3(config-router)#

*Jul 23 10:38:05.703: %OSPF-5-ADJCHG: Process 1, Nbr 10.2.2.1 on Serial2/1 from LOADING to FULL, Loading Done

R3(config-router)#end

R3#

R1#tclsh

R1(tcl)#foreach address {

+>(tcl)#192.168.1.1

+>(tcl)#10.1.1.1

+>(tcl)#10.1.1.2

+>(tcl)#10.2.2.1

+>(tcl)#10.2.2.2

+>(tcl)#192.168.3.1

+>(tcl)#} { ping $address }

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/8 ms

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 36/42/48 ms

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/20/24 ms

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 12/18/24 ms

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/40/72 ms

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/36/64 ms

R1#conf t

R1(config)#interface serial 2/0

R1(config-if)#ip ospf ?

<1-65535> Process ID

authentication Enable authentication

authentication-key Authentication password (key)

bfd Enable BFD on this interface

cost Interface cost

database-filter Filter OSPF LSA during synchronization and flooding

dead-interval Interval after which a neighbor is declared dead

demand-circuit OSPF Demand Circuit

flood-reduction OSPF Flood Reduction

hello-interval Time between HELLO packets

lls Link-local Signaling (LLS) support

message-digest-key Message digest authentication password (key)

mtu-ignore Ignores the MTU in DBD packets

network Network type

prefix-suppression OSPF prefix suppression

priority Router priority

resync-timeout Interval after which adjacency is reset if oob-resync is

not started

retransmit-interval Time between retransmitting lost link state

My Network Lab

Saturday, August 3, 2019

Configuring Dynamic Routing Protocol Authentication

No comments:

Post a Comment