THE SCHOOL OF CISCO NETWORKING (SCN): CISCO - HOW TO CONFIGURE EIGRP MESSAGE DIGEST 5 (MD 5) AUTHENTICATION:

CISCO - HOW TO CONFIGURE EIGRP MESSAGE DIGEST 5 (MD 5) AUTHENTICATION:

FIRST UNDERSTAND WHAT EIGRP IS:

EIGRP (Enhanced Interior Gateway Routing Protocol) is a network protocol that lets routers exchange information more efficiently than earlier network protocols. EIGRP evolved from IGRP (Interior Gateway Routing Protocol), and routers using either EIGRP or IGRP can interoperate because the metric (the criteria used for selecting a route) of one protocol can be translated into the metric of the other. EIGRP can be used not only for Internet Protocol (IP) networks but also for AppleTalk and Novell NetWare networks.

EIGRP is an interior gateway protocol suited to many different topologies and media. In a well-designed network, EIGRP scales well and provides extremely quick convergence times with minimal network traffic.

EIGRP THEORY OF OPERATION:

Some of the many advantages of EIGRP are:

·        Very low usage of network resources during normal operation; only hello packets are transmitted on a stable network.
·        When a change occurs, only routing table changes are propagated, not the entire routing table; this reduces the load the routing protocol itself places on the network.
·        Rapid convergence times for changes in the network topology (in some situations convergence can be almost instantaneous).

EIGRP is an enhanced distance vector protocol, relying on the Diffused Update Algorithm (DUAL) to calculate the shortest path to a destination within a network.

MAJOR REVISIONS OF THE PROTOCOL:


There are two major revisions of EIGRP, versions 0 and 1. Cisco IOS versions earlier than 10.3(11), 11.0(8), and 11.1(3) run the earlier version of EIGRP; some explanations in this paper may not apply to that earlier version. We highly recommend using the later version of EIGRP, as it includes many performance and stability enhancements.

SHORT NOTES FOR EIGRP:

Cisco Proprietary Protocol

  • Advanced distance vector
  • Automatic summarization at classful boundary (can be disabled/turned off)
    • supports VLSM/CIDR
    • manually summarized routes have AD of 5, point to NULL0
    • more specific routes within summarized range must exist in routing table, or summarized route disappears
  • multicast address 224.0.0.10
    • Unicast and multicast are used for updates
  • IP/IPX/Appletalk routed protocol support
  • no special configuration required for various layer 2 technologies
  • Unequal cost load balancing
  • Successor - Best path to a destination
  • Feasible successor - second best path to a destination
    • Advertised Distance - cost from next hop to final destination
    • Feasible Distance - cost from local router to final destination
    • For Feasible successor to be used, AD must be less than the FD through successor
  • Hello Packets are sent every 5 seconds on links greater than T1
    • sent every 60 seconds for T1 and slower
    • hold time interval defaults to 3 times the hello interval
    • changing default hello interval does NOT automatically update the hold time
    • ip hello-interval eigrp {as} {seconds} interface command
    • ip hold-time eigrp {as} {seconds} interface command
  • Un-acknowledged multicast updates are unicast to the host that did not ack. This avoids holding up further updates to the rest of the network.
  • EIGRP metric is based on load, bandwidth, delay, and reliability. 
    • Cisco recommends leaving k values at default
  • Configuration of EIGRP
    • router eigrp {as}
    • network {address | wildcard mask} (wildcard is optional)
    • no auto-summary (turns off summarization at classful boundary)
    • redistribute static (redistributes any static routes into the protocol)
    • variance {#} (modifies which routes will be considered for unequal cost load balancing)
    • max-paths {#} (number of paths to be used for load balancing. default is 4, max is 16)
    • ip summary-address eigrp {as} {address | mask} (interface configuration command to summarize routes at a non classful boundary.)
    • eigrp stub receive-only ( this creates a stub in eigrp.  The “receive-only option” tells the stub router to not send ANY routes)

For more info, see IP Routing: Introduction to EIGRP -> http://www.cisco.com/en/US/docs/ios/12_0/np1/configuration/guide/1ceigrp.html


EIGRP AUTHENTICATION:

By Router Authentication
  • By default, no authentication is required for routing protocol packets.
  • Authentication can be applied between neighbor routers to limit which routers can participate in routing, based on predefined passwords.
  • When you configure neighbor router authentication on a router, the router authenticates the source of each routing update packet that it receives.
  • This is accomplished by the exchange of an authentication key (password) known to both of the routers involved.

EIGRP supports MD5 Authentication:

NOTE:

Simple Password (or Plain-text authentication) – these are not secure and totally vulnerable to attacks. The passwords are sent in plain text over the wire and anyone who knows how to use a simple protocol analyzer can easily capture the data.
     Correction: There is no option for configuring simple password/plain-text authentication with EIGRP.

MD5 Authentication – this form of authentication is more secure because it doesn't actually send the key or password over the wire. Instead, it sends a hashed key, or message digest, in place of the authenticating key itself.
  • MD5 authentication is a cryptographic authentication. To set it up, a router needs a key (password) and a key ID configured.
  • An algorithm is run on the routing protocol packet using the key and the key ID to generate a message digest (called a hash). The message digest is sent on the wire instead of the key. When the packet is received on the other side, the same algorithm is run and the result is compared to the received message digest. If it's a match, the packet is authenticated.

EIGRP MESSAGE DIGEST 5 (MD5) AUTHENTICATION CONFIGURATION:

EIGRP route authentication provides MD5 AUTHENTICATION of routing updates from the EIGRP routing protocol. The MD5 keyed digest in each EIGRP packet prevents the introduction of unauthorized or false routing messages from unapproved sources.

EIGRP supports message digest 5 (MD5) authentication to prevent malicious and incorrect routing information from being introduced into the routing table of a Cisco router.
To configure EIGRP authentication, the keys used in the authentication process have to be configured and attached to an interface, along with MD5 as the mode of authentication.

HOW TO CONFIGURE MD5 AUTHENTICATION:

To configure EIGRP MD5 authentication, you must configure an authenticating key and a key ID on both the sending and receiving routers.
  • Each key has its own key ID stored locally on the router.
  • Key chains allow you to manage several keys, but only one key is used at a time (whichever is active at the time).
    • If a key is not active, it cannot be used.
    • If there is a point in time when no key is active, neighbor authentication cannot occur and routing updates will fail.
    • The software examines the key numbers from lowest to highest and uses the first valid key it sees.
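The key-chain behaviour described above (first valid key by lowest key ID, separate accept and send lifetimes, the receiver recomputing the digest with its own copy of the key so the key string never crosses the wire) as an added Python model; this is not code from the original article or from Cisco IOS. The packet bytes, key strings and the MD5(packet || key) layout are constructed assumptions for illustration, not the real EIGRP authentication TLV format.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Key:
    """One entry of a key chain: key ID, key string, optional accept/send lifetimes (epoch seconds)."""
    key_id: int
    key_string: bytes
    accept_start: int = 0
    accept_end: Optional[int] = None   # None models the IOS "infinite" keyword
    send_start: int = 0
    send_end: Optional[int] = None

    def can_accept(self, now: int) -> bool:
        return self.accept_start <= now and (self.accept_end is None or now <= self.accept_end)

    def can_send(self, now: int) -> bool:
        return self.send_start <= now and (self.send_end is None or now <= self.send_end)

class KeyChain:
    """A named key chain; keys are examined from the lowest key ID upward, as IOS does."""

    def __init__(self, name: str, keys: List[Key]):
        self.name = name  # the chain name is local; it need not match the neighbor's
        self.keys = sorted(keys, key=lambda k: k.key_id)

    def send_key(self, now: int) -> Optional[Key]:
        return next((k for k in self.keys if k.can_send(now)), None)

    def accept_key(self, key_id: int, now: int) -> Optional[Key]:
        return next((k for k in self.keys if k.key_id == key_id and k.can_accept(now)), None)

def keyed_digest(packet: bytes, key_string: bytes) -> bytes:
    # Simplified model (assumption): MD5 over the packet bytes with the key string appended.
    # The exact bytes Cisco hashes in the EIGRP authentication TLV are not modelled here.
    return hashlib.md5(packet + key_string).digest()

def sign_packet(chain: KeyChain, packet: bytes, now: int) -> Optional[Tuple[int, bytes]]:
    """Sender: attach (key ID, digest) using the first key inside its send-lifetime; None if none is active."""
    key = chain.send_key(now)
    if key is None:
        return None
    return key.key_id, keyed_digest(packet, key.key_string)

def verify_packet(chain: KeyChain, packet: bytes, key_id: int, digest: bytes, now: int) -> bool:
    """Receiver: recompute the digest with the local key of that ID and compare in constant time."""
    key = chain.accept_key(key_id, now)
    if key is None:  # unknown key ID, or key outside its accept-lifetime (e.g. clock skew)
        return False
    return hmac.compare_digest(digest, keyed_digest(packet, key.key_string))

if __name__ == "__main__":
    hello = b"constructed EIGRP hello"  # sample packet bytes, constructed for this example
    a = KeyChain("cisco", [Key(1, b"pREM")])
    b = KeyChain("cisco", [Key(1, b"pREM")])
    key_id, digest = sign_packet(a, hello, now=1000)
    print("B accepts A's hello:", verify_packet(b, hello, key_id, digest, now=1000))
```

Running the overlap case (key 1 expiring while key 2 is already valid) shows why the article recommends NTP: a neighbor whose clock has not yet reached key 2's accept-lifetime rejects packets signed with it.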


WHEN AUTHENTICATION IS CONFIGURED, AN MD5 KEYED DIGEST IS ADDED TO EACH EIGRP PACKET IN THE SPECIFIED AUTONOMOUS SYSTEM.

CONFIGURING EIGRP MD5 AUTHENTICATION STEPS ARE BELOW:

Task / Command

Step 1: Enable MD5 authentication in IP Enhanced IGRP packets.
    ip authentication mode eigrp autonomous-system md5
Step 2: Enable authentication of IP Enhanced IGRP packets.
    ip authentication key-chain eigrp autonomous-system key-chain
Step 3: Exit to global configuration mode.
    exit
Step 4: Identify a key chain. (Match the name configured in Step 2.)
    key chain name-of-chain
Step 5: In key chain configuration mode, identify the key number. This is the key ID.
    key key-id
Step 6: In key chain key configuration mode, identify the key string (password).
    key-string text
Step 7: Optionally specify the time period during which the key can be received.
    accept-lifetime start-time {infinite | end-time | duration seconds}
Step 8: Optionally specify the time period during which the key can be sent.
    send-lifetime start-time {infinite | end-time | duration seconds}

  • The autonomous-system is the EIGRP autonomous system number in which authentication is to be used.
  • The key-chain is the name of the authentication key chain from which a key is to be obtained for that interface.
  • The key key-id command configures the key ID number of an authentication key on a key chain. You can use any number from 0 to 2147483647, and the keys do not have to be configured in order.
  • The key-string command configures the alphanumeric password used to authenticate sent and received EIGRP packets. The key string can contain from 1 to 80 uppercase and lowercase alphanumeric characters, except that the first character cannot be a number.


STEP 1: CREATE AN (AUTHENTICATION) KEY CHAIN:

a. Create the chain and give it a name with the key chain name global command (this also puts the user into key chain config mode).

b. Create one or more key numbers using the key number command in the key chain configuration mode.

c. Define the authentication key’s value using the key-string value command in key configuration mode.

d. (Optional) Define the lifetime (time period) for both sending and accepting this particular key.

STEP 2: ENABLE EIGRP MD5 AUTHENTICATION ON AN INTERFACE:

Enable it for a particular EIGRP ASN using the ip authentication mode eigrp asn md5 interface subcommand.

STEP 3: REFER TO THE CORRECT KEY CHAIN TO BE USED ON AN INTERFACE:

Use the ip authentication key-chain eigrp asn name-of-chain interface subcommand.

IOS configures the key values separately, then requires an interface subcommand to refer to the key values. To support the ability to have multiple keys, and even multiple sets of keys, the configuration includes the concept of a key chain and multiple keys on each key chain.

IOS lets you configure multiple key chains so that different key chains can be used on different interfaces. Each key chain can include multiple keys. Having multiple keys in one key chain allows neighbors to still be up and working while the keys are being changed. Changing keys enhances security.

The lifetime of an EIGRP authentication key can be configured as well. If this isn't configured, the key is valid forever. However, if it is configured, the router uses the key only during the listed times.

To support the useful lifetime concept, a router must know the time and date. Routers can set the time and date with the clock set EXEC command. Routers can also use Network Time Protocol (NTP), a protocol that allows routers to synchronize their time-of-day clocks.

For authentication to work, neighboring routers must both have EIGRP MD5 authentication enabled, and the key strings they currently use must match. Note that the key chain name does not need to match. The most common problems relate to when the useful lifetime settings do not match, or one of the router’s clocks has the wrong time. NTP should be enabled and used before restricting keys to a particular time frame.

EXAMPLE: CONFIGURE EIGRP ROUTE AUTHENTICATION. THE STEPS FOR SETTING UP EIGRP ROUTE AUTHENTICATION ARE:

1. IDENTIFY A KEY-CHAIN TO BE USED IN THE AUTHENTICATION,

Router(config)#key chain NAME

WHERE NAME IS THE NAME OF THE KEY-CHAIN THAT WILL BE CREATED

2. IDENTIFY THE KEY NUMBER,

Router(config-keychain)#key NO

WHERE NO IS THE NUMBER OF THE KEY

3. IDENTIFY THE KEY STRING,


Router(config-keychain-key)#key-string STRNG

WHERE STRNG IS THE KEY STRING

4. YOU CAN STOP HERE OR SETUP A PERIOD IN WHICH THE KEY WILL BE EFFECTIVE,

Router(config-keychain-key)#accept-lifetime START-TIME {INFINITE | END-TIME | DURATION SECONDS}

Router(config-keychain-key)#send-lifetime START-TIME {INFINITE | END-TIME | DURATION SECONDS}
Note:

You can set a start time and either end time, or duration in seconds, or you can leave the operation infinite.

EXAMPLE FOR KEY LIFETIME WITH MD5:

(config)# key chain <name>
(config-keychain)# key <#>
(config-keychain-key)# key-string <password>
(config-keychain-key)# accept-lifetime <hh:mm:ss month day year> {infinite | <end-time> | duration <seconds>}
(config-keychain-key)# send-lifetime <hh:mm:ss month day year> {infinite | <end-time> | duration <seconds>}

(config)# interface <int>
(config-if)# ip authentication mode eigrp <AS#> md5
(config-if)# ip authentication key-chain eigrp <AS#> <name>


MD5 VERIFICATION:

Helpful commands for verifying MD5 authentication:
  • show ip eigrp neighbors
    • make sure that the neighbor table shows that the two routers have successfully formed an EIGRP adjacency
  • show ip route
    • verify that the network on the neighboring router has been learned via EIGRP over the right serial connection.

TROUBLESHOOTING MD5 AUTHENTICATION:
  • To watch the authentication of each packet succeed or fail, use the debug eigrp packets command:
           # debug eigrp packets


TO VERIFY THAT THE AUTHENTICATION WORKED:

Use the show ip eigrp neighbors command. If authentication fails, the neighbor relationship will not form. You can see more details about the authentication process using the debug eigrp packets command.
# show ip eigrp neighbors

SIMPLE LAB EXAMPLE FOR MD5:

CONFIGURATION TO ENABLE EIGRP ON

ROUTER A:

Router A (config)# router eigrp 100
(Enable the EIGRP protocol; 100 is the autonomous system number.)
Router A (config-router)# network 30.0.0.0
(Advertise Router A's serial network 30.0.0.0.)
Router A (config-router)# network 10.0.0.0
(Advertise Router A's Ethernet network 10.0.0.0.)

NEXT, THE CONFIGURATION TO ENABLE EIGRP ON

ROUTER B:

IN GLOBAL CONFIGURATION MODE:

Router B (config)# router eigrp 100
(Enable the EIGRP protocol; 100 is the autonomous system number. It must match Router A's, or the two routers will never form an adjacency.)
Router B (config-router)# network 30.0.0.0
(Advertise Router B's serial network 30.0.0.0.)
Router B (config-router)# network 15.0.0.0
(Advertise Router B's Ethernet network 15.0.0.0.)



NOW CONFIGURE EIGRP AUTHENTICATION

ON ROUTER A
IN GLOBAL CONFIGURATION MODE:

FIRST CREATE THE KEY CHAIN WITH THE NAME CISCO USED IN THIS EXAMPLE.

A (config) # key chain cisco
Now set the key number 1 used in this example.
A (config-keychain) # key 1
Now set the key string pREM used in this example.
A (config-keychain-key) # key-string pREM
A (config-keychain-key) # end

Now specify the interface on which you want to configure EIGRP message authentication. The AS number given here (100) must be the same one used in the router eigrp command.

A (config) # interface serial 0
A (config-if) # ip authentication key-chain eigrp 100 cisco
A (config-if) # ip authentication mode eigrp 100 md5
A (config-if) # end

Now configure eigrp authentication on router b

On global configuration mode:

FIRST CREATE THE KEY CHAIN WITH THE NAME CISCO USED IN THIS EXAMPLE.

B (config) # key chain cisco

Now set the key number 1 used in this example.

B (config-keychain) # key 1

NOW SET THE KEY STRING pREM USED IN THIS EXAMPLE. IT MUST MATCH THE KEY STRING ON ROUTER A.

B (config-keychain-key) # key-string pREM
B (config-keychain-key) # end

NOW SPECIFY THE INTERFACE ON WHICH YOU WANT TO CONFIGURE EIGRP MESSAGE AUTHENTICATION.

B (config) # interface serial 0
B (config-if) # ip authentication key-chain eigrp 100 cisco
B (config-if) # ip authentication mode eigrp 100 md5
B (config-if) # end

EIGRP MD5 ARTICLE SUMMARY:

EIGRP Authentication
    • EIGRP supports MD5 authentication only (there is no plain-text option, as noted above). It looks like we're only concerned with MD5 for the exams (for obvious security reasons)
    • ip authentication mode eigrp {as} md5 (interface config mode)
    • ip authentication key-chain eigrp {as} {name of keychain}
    • key chain {name of keychain} (global config mode)
      • key {key-id} (this can be between 0-2147483647)
      • key-string {key}
  • As of IOS 12.3, EIGRP sends a graceful goodbye message when bringing the process down.  Goodbye messages are sent inside of Hello packets
  • Helpful Commands
    • show ip eigrp neighbors
    • show ip route
    • show ip route eigrp
    • show ip protocols – shows active routing protocol info (displays k values)
    • show ip eigrp interfaces
    • show ip eigrp topology – successor/feasible successor
    • show ip eigrp traffic
    • debug eigrp packets
  • Key technologies
    • DUAL Finite State
    • RTP
    • Neighbor discovery/recovery
    • Protocol dependent modules (ip, ipx, appletalk)


This Article Was Written By: Premakumar Thevathasan.
CCNA, CCNP, CCIP, MCSA, MCSE, MCSA - MSG, CIW Security Analyst, CompTIA Certified A+.

1 comment:

Anonymous said...

This is a very excellent way of teaching; everyone can easily understand this article.