
CCIE Security V4 Technology Labs Section 1: System Hardening and Availability

Routing Protocol Authentication with EIGRP

Last updated: May 10, 2013

Task
Remove OSPF from all devices in the network.
Add EIGRP to R1, R2, and R3.
Ensure that all loopbacks are seen in the routing tables of all routers.
Configure EIGRP authentication between all routers in the topology.
Ensure that there are two key chains so that when the first key chain expires in 30 days, the second
key chain will be used.
Use cisco123key for the first key and cisco321key for the second key.

Explanation and Verification


Begin by removing OSPF from each router and SW1.

Removing OSPF from R1


R1>
R1>en
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#no router ospf 1
R1(config)#do sh run int g0/0
Jan 8 23:22:42.715: %OSPF-5-ADJCHG: Process 1, Nbr 136.1.23.3 on GigabitEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
Building configuration...

Current configuration : 159 bytes


!
interface GigabitEthernet0/0
ip address 136.1.13.1 255.255.255.0
ip ospf authentication
ip ospf authentication-key cisco123
duplex auto
speed auto
end

R1(config)#int g0/0
R1(config-if)#no ip ospf authentication-key cisco123
R1(config-if)#

Removing OSPF from R2


R2>en
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#no router ospf 1
R2(config)#
Jan 8 23:54:53.311: %OSPF-5-ADJCHG: Process 1, Nbr 136.1.23.3 on GigabitEthernet
0/0 from FULL to DOWN, Neighbor Down: Interface down or detached

R2(config)#int g0/0
R2(config-if)#do sh run int g0/0
Building configuration...

Current configuration : 189 bytes


!
interface GigabitEthernet0/0
ip address 136.1.23.2 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco123strong
duplex auto
speed auto
!
end

R2(config-if)#no ip ospf authentication message-digest


R2(config-if)#no ip ospf message-digest-key 1 md5 cisco123strong
R2(config-if)#end
R2#
Jan 8 23:55:19.419: %SYS-5-CONFIG_I: Configured from console by console

Removing OSPF from R3


R3>
R3>en
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#no router ospf 1
R3(config)#do sh run int f0/0.13
*Jan 8 22:52:32.583: %OSPF-5-ADJCHG: Process 1, Nbr 136.1.23.20 on FastEthernet0/0.23 from FULL to DOWN, Neighbor Down: Interface down or detached
Building configuration...

Current configuration : 158 bytes


!
interface FastEthernet0/0.13
encapsulation dot1Q 13
ip address 136.1.13.3 255.255.255.0
ip ospf authentication
ip ospf authentication-key cisco123
end

R3(config)#do sh run int f0/0.23


Building configuration...

Current configuration : 234 bytes


!
interface FastEthernet0/0.23
encapsulation dot1Q 23
ip address 136.1.23.3 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco123strong
ip ospf message-digest-key 2 md5 cisco321strong
end

R3(config)#interface FastEthernet0/0.13
R3(config-subif)#no ip ospf authentication
R3(config-subif)#no ip ospf authentication-key cisco123
R3(config-subif)#interface FastEthernet0/0.23
R3(config-subif)#no ip ospf message-digest-key 1 md5 cisco123strong
R3(config-subif)#no ip ospf message-digest-key 2 md5 cisco321strong
R3(config-subif)#
R3(config-subif)#
R3(config-subif)#

Removing OSPF from SW1


SW1>en
SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#no router ospf 1
SW1(config)#do sh run int vlan 23
Building configuration...

Current configuration : 150 bytes


!
interface Vlan23
ip address 136.1.23.20 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 2 md5 cisco321strong
end

SW1(config)#interface Vlan23
SW1(config-if)#no ip ospf authentication message-digest
SW1(config-if)#no ip ospf message-digest-key 2 md5 cisco321strong
SW1(config-if)#

Configuring Basic EIGRP on R1

R1(config-if)#
R1(config-if)#
R1(config-if)#router eigrp 100
R1(config-router)#net 136.1.13.0
R1(config-router)#net 150.1.1.0
R1(config-router)#no auto
R1(config-router)#end
R1#

Configuring Basic EIGRP on R2

R2#
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#router eigrp 100
R2(config-router)#net 136.1.23.0
R2(config-router)#net 150.1.2.0
R2(config-router)#no auto
R2(config-router)#

Configuring Basic EIGRP on R3

R3(config)#router eigrp 100
R3(config-router)#net 136.1.13.0
R3(config-router)#net 136.1.23.0
R3(config-router)#net 10.0.0.0
R3(config-router)#net 10.1.0.0
R3(config-router)#no auto

Verification of Basic EIGRP on R1

R1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is not set

10.0.0.0/24 is subnetted, 2 subnets
D 10.0.0.0 [90/30720] via 136.1.13.3, 00:02:33, GigabitEthernet0/0
D 10.1.0.0 [90/30720] via 136.1.13.3, 00:02:33, GigabitEthernet0/0
136.1.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 136.1.13.0/24 is directly connected, GigabitEthernet0/0
L 136.1.13.1/32 is directly connected, GigabitEthernet0/0
D 136.1.23.0/24 [90/30720] via 136.1.13.3, 00:05:52, GigabitEthernet0/0
150.1.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 150.1.1.0/24 is directly connected, Loopback0
L 150.1.1.1/32 is directly connected, Loopback0
D 150.1.2.0/24 [90/158720] via 136.1.13.3, 00:04:52, GigabitEthernet0/0
R1#

Verification of Basic EIGRP on R2


R2#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

10.0.0.0/24 is subnetted, 2 subnets
D 10.0.0.0 [90/30720] via 136.1.23.3, 00:02:59, GigabitEthernet0/0
D 10.1.0.0 [90/30720] via 136.1.23.3, 00:02:59, GigabitEthernet0/0
136.1.0.0/16 is variably subnetted, 3 subnets, 2 masks
D 136.1.13.0/24 [90/30720] via 136.1.23.3, 00:06:18, GigabitEthernet0/0
C 136.1.23.0/24 is directly connected, GigabitEthernet0/0
L 136.1.23.2/32 is directly connected, GigabitEthernet0/0
150.1.0.0/16 is variably subnetted, 3 subnets, 2 masks
D 150.1.1.0/24 [90/158720] via 136.1.23.3, 00:05:38, GigabitEthernet0/0
C 150.1.2.0/24 is directly connected, Loopback0
L 150.1.2.2/32 is directly connected, Loopback0
R2#

Verification of Basic EIGRP on R3


R3#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.0.0.0/24 is directly connected, FastEthernet0/0.10
L 10.0.0.3/32 is directly connected, FastEthernet0/0.10
C 10.1.0.0/24 is directly connected, FastEthernet0/0.11
L 10.1.0.3/32 is directly connected, FastEthernet0/0.11
136.1.0.0/16 is variably subnetted, 4 subnets, 2 masks
C 136.1.13.0/24 is directly connected, FastEthernet0/0.13
L 136.1.13.3/32 is directly connected, FastEthernet0/0.13
C 136.1.23.0/24 is directly connected, FastEthernet0/0.23
L 136.1.23.3/32 is directly connected, FastEthernet0/0.23
150.1.0.0/24 is subnetted, 2 subnets
D 150.1.1.0 [90/156160] via 136.1.13.1, 00:04:03, FastEthernet0/0.13
D 150.1.2.0 [90/156160] via 136.1.23.2, 00:03:43, FastEthernet0/0.23
R3#

Because each router is receiving routes, we can now move on to adding authentication. It is
important to verify routing before enabling authentication: doing so separates problems in the
routing process configuration from problems in the authentication configuration.

Configuring EIGRP Authentication on R1


R1#
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#key chain EIGRP
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string cisco123key
R1(config-keychain-key)#send-lifetime 12:00:00 1 Feb 2013 12:00:00 1 Mar 2013
R1(config-keychain-key)#accept-lifetime 12:00:00 1 Feb 2013 12:00:00 1 Mar 2013
R1(config-keychain-key)#exit
R1(config-keychain)#key 2
R1(config-keychain-key)#key-string cisco321key
R1(config-keychain-key)#send-lifetime 11:45:00 30 Jan 2013 infinite
R1(config-keychain-key)#accept-lifetime 11:45:00 30 Jan 2013 infinite
R1(config-keychain-key)#exit
R1(config-keychain)#int g0/0
R1(config-if)#ip authentication mode eigrp 100 md5
Jan 8 23:49:16.235: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 136.1.13.3 (GigabitEthernet0/0) is down: authentication mode changed
R1(config-if)#ip authentication key-chain eigrp 100 EIGRP


R1(config-if)#end
R1#

Above, you can see the neighbor drop when authentication is applied to the interface. This is to be
expected, of course. The neighbor should come back when R3 is configured.

Configuring EIGRP Authentication on R2


You can copy and paste the config from R1 onto R2 because they match.
key chain EIGRP
key 1
key-string cisco123key
accept-lifetime 12:00:00 Feb 1 2013 12:00:00 Mar 1 2013
send-lifetime 12:00:00 Feb 1 2013 12:00:00 Mar 1 2013
key 2
key-string cisco321key
accept-lifetime 11:45:00 Jan 30 2013 infinite
send-lifetime 11:45:00 Jan 30 2013 infinite

interface GigabitEthernet0/0
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 EIGRP
end

When you copy and paste, be sure to watch the interface names. In this case, both R1 and R2 use
G0/0. Also make sure there are no trailing spaces after the key string. In general, copying and
pasting passwords is not recommended, but in this case it is OK to do so.

Configuring EIGRP Authentication on R3


Tie the configurations together with R3 and bring the neighbors back up.

You can copy and paste the key chain because it's the same.

key chain EIGRP
key 1
key-string cisco123key
accept-lifetime 12:00:00 Feb 1 2013 12:00:00 Mar 1 2013
send-lifetime 12:00:00 Feb 1 2013 12:00:00 Mar 1 2013
key 2
key-string cisco321key
accept-lifetime 11:45:00 Jan 30 2013 infinite
send-lifetime 11:45:00 Jan 30 2013 infinite

You must also configure each subinterface for authentication.


R3(config-keychain-key)#int f0/0.13
R3(config-subif)# ip authentication mode eigrp 100 md5
R3(config-subif)# ip authentication key-chain eigrp 100 EIGRP
R3(config-subif)#
R3(config-subif)#int f0/0.23
R3(config-subif)# ip authentication mode eigrp 100 md5
R3(config-subif)# ip authentication key-chain eigrp 100 EIGRP
R3(config-subif)#end
R3#
R3#
*Jan 8 23:23:32.495: %SYS-5-CONFIG_I: Configured from console by console
R3#

As you can see in the output of the CLI, the neighbors have come back. Now verify routes in each
router's routing table.

At this point, the neighbors will most likely still be down, because the keys were configured to
become active at a future date and the routers' clocks still read January 2013 in the log timestamps
above. Change the clock on each router to a time at which key 1 is active.
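The key chain above and the clock dependence just described, as an added Python model that is not part of the lab: it applies the IOS rules that the lowest-numbered key with a valid send-lifetime signs outgoing packets and that an incoming packet's key id must fall within a key's accept-lifetime, using the lab's own lifetimes. Treating "no valid key" as "cannot authenticate" is an assumption of the model, chosen to match what the lab saw with the clock at Jan 8.

```python
from datetime import datetime, timedelta

INFINITE = datetime.max  # stands in for the IOS "infinite" keyword

# Key chain EIGRP from the lab: {key id: (key-string, accept window, send window)}.
# Constructed from the config above, with the IOS dates rewritten as datetimes.
KEY_CHAIN = {
    1: ("cisco123key",
        (datetime(2013, 2, 1, 12, 0), datetime(2013, 3, 1, 12, 0)),
        (datetime(2013, 2, 1, 12, 0), datetime(2013, 3, 1, 12, 0))),
    2: ("cisco321key",
        (datetime(2013, 1, 30, 11, 45), INFINITE),
        (datetime(2013, 1, 30, 11, 45), INFINITE)),
}

def _in_window(now, window):
    start, end = window
    return start <= now <= end

def send_key_id(chain, now):
    """Key id that signs outgoing packets: the lowest-numbered key whose send-lifetime
    covers `now`. None = no valid key, modelled as 'cannot authenticate' (assumption)."""
    valid = [k for k, (_, _, send) in sorted(chain.items()) if _in_window(now, send)]
    return valid[0] if valid else None

def accepted_key_ids(chain, now):
    """Key ids a router accepts on incoming packets at `now` (accept-lifetime)."""
    return [k for k, (_, acc, _) in sorted(chain.items()) if _in_window(now, acc)]

def peers_can_authenticate(chain, local_now, peer_now):
    """Both routers run the same chain; the key id we sign with must be one the peer
    currently accepts. Unsynchronised clocks break this across a rollover."""
    kid = send_key_id(chain, local_now)
    return kid is not None and kid in accepted_key_ids(chain, peer_now)

def rollover_schedule(chain):
    """(time, sending key id) at each moment the sending key changes; checked on every
    lifetime boundary and one second after it, because the end time is inclusive."""
    boundaries = sorted({t for _, acc, send in chain.values()
                         for t in (*acc, *send) if t != INFINITE})
    events, current = [], None
    for b in boundaries:
        for t in (b, b + timedelta(seconds=1)):
            kid = send_key_id(chain, t)
            if kid != current:
                events.append((t, kid))
                current = kid
    return events
```

With the clock at Jan 8 2013 no key is valid on either side, and at 12:30 on Feb 1 both keys are valid and key 1 is chosen, the key id the debug on R1 later reports. After 12:00 on Mar 1 only key 2 remains, so a router whose clock is still before Mar 1 keeps signing with key 1, which a peer already past Mar 1 no longer accepts.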

R1#
R1#clock set 12:30:00 Feb 1 2013
R1#

R2(config)#end
R2#clock set 12:30:00 Feb 1 2013
R2#

R3#clock set 12:30:00 Feb 1 2013
R3#

Now each router's neighbor should come back.


R1#
Feb 1 12:30:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 00:00:17 UTC Wed Jan 9 2013 to 12:30:00 UTC Fri Feb 1 2013, configured from console by console.
Feb 1 12:30:00.535: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 136.1.13.3 (GigabitEthernet0/0) is up: new adjacency

R2#
Jan 9 00:29:35.803: %SYS-5-CONFIG_I: Configured from console by console
Feb 1 12:30:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 00:29:36 UTC Wed Jan 9 2013 to 12:30:00 UTC Fri Feb 1 2013, configured from console by console.
R2#
Feb 1 12:34:00.687: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 136.1.23.3 (GigabitEthernet0/0) is up: new adjacency
R2#

R3#
*Feb 1 12:30:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 23:25:59 UTC Tue Jan 8 2013 to 12:30:00 UTC Fri Feb 1 2013, configured from console by console.
Feb 1 12:30:10.503: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 136.1.13.1 (FastEthernet0/0.13) is up: new adjacency

Verifying Authentication on Each Router


The following is performed only on R1. However, in your lab you would certainly want to perform this
on each router. First we look to see if our neighbor is there.

R1#sh ip eigrp neigh
EIGRP-IPv4 Neighbors for AS(100)
H   Address         Interface  Hold  Uptime    SRTT  RTO   Q    Seq
                               (sec)           (ms)        Cnt  Num
0   136.1.13.3      Gi0/0      11    00:05:06  3     100   0    24

Verify that we have EIGRP routes.


R1#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is not set

10.0.0.0/24 is subnetted, 2 subnets
D 10.0.0.0 [90/30720] via 136.1.13.3, 00:05:11, GigabitEthernet0/0
D 10.1.0.0 [90/30720] via 136.1.13.3, 00:05:11, GigabitEthernet0/0
136.1.0.0/16 is variably subnetted, 3 subnets, 2 masks
D 136.1.23.0/24 [90/30720] via 136.1.13.3, 00:05:11, GigabitEthernet0/0
150.1.0.0/16 is variably subnetted, 3 subnets, 2 masks
D 150.1.2.0/24 [90/158720] via 136.1.13.3, 00:01:05, GigabitEthernet0/0

Finally, we enable our debug to verify that each packet contains authentication.

R1#debug eigrp packet
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
EIGRP Packet debugging is on
R1#
Feb 1 12:35:20.583: EIGRP: Sending HELLO on Gi0/0 - paklen 60
Feb 1 12:35:20.583: AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
Feb 1 12:35:20.583: {type = 2, length = 40}
Feb 1 12:35:20.583: {vector = {
Feb 1 12:35:20.583: {00020010 00000001 00000000 00000000 00000000 E9DDCD9F F0D68CAF 5A4CEBD4}
Feb 1 12:35:20.583: {12C14427}
Feb 1 12:35:20.583: }
Feb 1 12:35:20.583: {type = 1, length = 12}
Feb 1 12:35:20.583: {vector = {
Feb 1 12:35:20.583: {01000100 0000000F}
Feb 1 12:35:20.583: }
Feb 1 12:35:20.583: {type = 4, length = 8}
Feb 1 12:35:20.583: {vector = {
Feb 1 12:35:20.583: {08000200}
Feb 1 12:35:20.583: }
Feb 1 12:35:21.535: EIGRP: received packet with MD5 authentication, key id = 1
Feb 1 12:35:21.535: EIGRP: Received HELLO on Gi0/0 - paklen 60 nbr 136.1.13.3
Feb 1 12:35:21.535: AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
Feb 1 12:35:21.535: {type = 2, length = 40}
Feb 1 12:35:21.535: {vector = {
Feb 1 12:35:21.535: {00020010 00000001 00000000 00000000 00000000 63697363 6F313233 6B657900}
Feb 1 12:35:21.535: {00000000}
Feb 1 12:35:21.535: }
Feb 1 12:35:21.535: {type = 1, length = 12}
Feb 1 12:35:21.535: {vector = {
Feb 1 12:35:21.535: {01000100 0000000F}
Feb 1 12:35:21.539: }
Feb 1 12:35:21.539: {type = 4, length = 8}
Feb 1 12:35:21.539: {vector = {
Feb 1 12:35:21.539: {05020300}
Feb 1 12:35:21.539: }
Feb 1 12:35:24.947: EIGRP: Sending HELLO on Gi0/0 - paklen 60
Feb 1 12:35:24.947: AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
Feb 1 12:35:24.947: {type = 2, length = 40}
Feb 1 12:35:24.947: {vector = {
Feb 1 12:35:24.947: {00020010 00000001 00000000 00000000 00000000 E9DDCD9F F0D68CAF 5A4CEBD4}
Feb 1 12:35:24.947: {12C14427}
Feb 1 12:35:24.947: }
Feb 1 12:35:24.947: {type = 1, length = 12}
Feb 1 12:35:24.947: {vector = {
Feb 1 12:35:24.947: {01000100 0000000F}
Feb 1 12:35:24.947: }
Feb 1 12:35:24.947: {type = 4, length = 8}
Feb 1 12:35:24.947: {vector = {
Feb 1 12:35:24.947: {08000200}
Feb 1 12:35:24.947: }
R1#un all
All possible debugging has been turned off
R1#
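As an added example that is not part of the lab, the following Python script parses the kinds of console lines shown above (the %DUAL-5-NBRCHANGE adjacency messages and the "received packet with MD5 authentication, key id = N" debug line) and reports, per neighbor, authentication-related drops and any change in the key id in use, which is what bonus question 1 asks you to watch for by eye. The sample lines are constructed from the lab output; the two Mar 1 lines are invented to show a neighbor that has rolled over to key id 2.

```python
import re

# Constructed sample console output in the format of the lab's syslog and debug lines.
# The two Mar 1 lines are invented to show a neighbor that has rolled over to key id 2.
SAMPLE_LOG = """\
Jan 8 23:49:16.235: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 136.1.13.3 (GigabitEthernet0/0) is down: authentication mode changed
Feb 1 12:30:00.535: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 136.1.13.3 (GigabitEthernet0/0) is up: new adjacency
Feb 1 12:35:21.535: EIGRP: received packet with MD5 authentication, key id = 1
Feb 1 12:35:21.535: EIGRP: Received HELLO on Gi0/0 - paklen 60 nbr 136.1.13.3
Mar 1 12:05:03.101: EIGRP: received packet with MD5 authentication, key id = 2
Mar 1 12:05:03.101: EIGRP: Received HELLO on Gi0/0 - paklen 60 nbr 136.1.13.3
"""

TS = r"^\*?(?P<ts>\w{3} +\d+ [\d:.]+): "  # a leading '*' means the clock is not authoritative
NBRCHANGE = re.compile(TS + r"%DUAL-5-NBRCHANGE: EIGRP-IPv4 \d+: Neighbor (?P<nbr>[\d.]+) "
                       r"\([^)]+\) is (?P<state>up|down): (?P<reason>.*)$")
AUTH = re.compile(TS + r"EIGRP: received packet with MD5 authentication, key id = (?P<kid>\d+)$")
RECV = re.compile(TS + r"EIGRP: Received \w+ on \S+ - paklen \d+ nbr (?P<nbr>[\d.]+)$")

def parse_eigrp_log(text):
    """Return ('adjacency', ts, nbr, state, reason) and ('auth', ts, nbr, key_id) events.
    The MD5 line precedes the 'Received <type> ... nbr <ip>' line for the same packet."""
    events, pending_kid = [], None
    for line in text.splitlines():
        if m := NBRCHANGE.match(line):
            events.append(("adjacency", m["ts"], m["nbr"], m["state"], m["reason"]))
        elif m := AUTH.match(line):
            pending_kid = int(m["kid"])  # attach to the next received-packet line
        elif (m := RECV.match(line)) and pending_kid is not None:
            events.append(("auth", m["ts"], m["nbr"], pending_kid))
            pending_kid = None
    return events

def audit(events):
    """Per neighbor: last state, key ids seen in order, key-id changes, auth-related drops."""
    report = {}
    for ev in events:
        nbr = report.setdefault(ev[2], {"state": None, "key_ids": [],
                                        "rollovers": [], "auth_drops": []})
        if ev[0] == "adjacency":
            _, ts, _, state, reason = ev
            nbr["state"] = state
            if state == "down" and "authentication" in reason:
                nbr["auth_drops"].append((ts, reason))
        else:
            _, ts, _, kid = ev
            if nbr["key_ids"] and nbr["key_ids"][-1] != kid:
                nbr["rollovers"].append((ts, nbr["key_ids"][-1], kid))
            nbr["key_ids"].append(kid)
    return report
```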

Bonus:

1. Change the clock on R1 so that the key rolls over to #2. What do the debugs show you on R1 and
R3?
2. On R2, change the Key 1 key-string to baddkey. What do the debugs show you?
3. On R1, remove authentication from the interface. What do the debugs show you?