ashirkar
Introduction:

 

In this document you will learn how to configure EIGRP authentication under the "EIGRP named mode" configuration.

 

Advantages of the EIGRP named-mode configuration for authentication:

 

1) This mode allows you to use a hash-based Message Authentication Code (HMAC) built on the SHA-2 family, specifically HMAC-SHA-256.

 

2) Adding HMAC-SHA-256 authentication to EIGRP packets ensures that routers accept routing updates only from other routers that hold the same pre-shared key. This prevents someone from purposely or accidentally adding another router to the network and disrupting it. Note that anyone who obtains the pre-shared key can still inject routes, so the key needs the same protection as any other infrastructure secret.

 

3) The SHA-2 key is a concatenation of the user-configured shared secret and the IPv4/IPv6 address from which the packet is sent. Binding the source address into the key prevents Hello packet DoS/replay attacks that use a spoofed source address.

 

4) A simpler configuration mode that uses a single common password.

 

5) Key-chain support when additional security (for example, key rotation) is needed.
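
As an added example (not part of the original article or any Cisco code), the following Python models the mechanism in point 3 above: the HMAC-SHA-256 key is the shared secret concatenated with the sender's IPv4 or IPv6 address, so a captured Hello replayed from a spoofed source fails verification, as does a wrong key or a modified payload. The packet bytes, addresses and secret are constructed, and the concatenation (secret followed by the address in packed network byte order) is an assumption that illustrates the principle, not Cisco's exact on-wire encoding, which this page does not specify.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample data (not a real EIGRP packet capture).
SECRET = b"cisco"                     # the key from "authentication mode hmac-sha-256 cisco"
HELLO = b"EIGRP-HELLO AS=1 hold=15"   # stand-in for the Hello bytes with the auth field zeroed


def auth_key(secret: bytes, src_addr: str) -> bytes:
    """Per-sender key: shared secret || packed source address.

    The page says the SHA-2 key is the secret concatenated with the sending
    IPv4/IPv6 address; the byte encoding used here (address packed in
    network byte order, appended to the secret) is an assumption.
    """
    return secret + ipaddress.ip_address(src_addr).packed


def sign_packet(secret: bytes, src_addr: str, packet: bytes) -> bytes:
    """Sender side: the tag attached to the outgoing packet."""
    return hmac.new(auth_key(secret, src_addr), packet, hashlib.sha256).digest()


def verify_packet(secret: bytes, ip_header_src: str, packet: bytes, tag: bytes) -> bool:
    """Receiver side: recompute with the source address seen in the IP header,
    compare in constant time so the check does not leak via timing."""
    expected = sign_packet(secret, ip_header_src, packet)
    return hmac.compare_digest(expected, tag)


def demo(secret: bytes = SECRET, sender: str = "10.1.1.2") -> dict:
    """Run the legitimate case and the attacker cases; returns name -> accepted."""
    tag = sign_packet(secret, sender, HELLO)
    return {
        # R2 sends a Hello; R1 recomputes the tag from the IP header source and the shared key.
        "genuine": verify_packet(secret, sender, HELLO, tag),
        # An attacker without the key cannot produce a valid tag.
        "wrong_secret": verify_packet(b"not-the-key", sender, HELLO, tag),
        # A captured Hello replayed from a different (spoofed) address: the address is part of the key.
        "replay_spoofed_source": verify_packet(secret, "10.1.1.99", HELLO, tag),
        # Any change to the packet body invalidates the tag.
        "tampered_payload": verify_packet(secret, sender, HELLO + b" hold=1", tag),
        # Caveat: the same packet replayed unchanged from the real address still verifies.
        # HMAC binds origin and content; it is not a freshness check.
        "replay_same_source": verify_packet(secret, sender, HELLO, tag),
    }


if __name__ == "__main__":
    print(demo())                                    # IPv4 neighbor
    print(demo(sender="FE80::C800:21FF:FE90:38"))   # IPv6 link-local neighbor, same logic
```

The last case is included deliberately: the protection described in point 3 is against replay with a spoofed source address, not against a verbatim replay from the legitimate neighbor, which the HMAC alone cannot distinguish from the original.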

 

In the traditional (classic) configuration, EIGRP authentication is configured under interface mode and supports only Message Digest 5 (MD5) authentication, as shown below:

 

Router(config)#interface fa0/0

Router(config-if)#ip authentication mode eigrp 1 md5

Router(config-if)#ip authentication key-chain eigrp 1 mykey

 

For more information on classic EIGRP authentication, refer to "Configuring EIGRP Authentication".

 

In the "EIGRP named" configuration you can configure authentication in two ways:

 

1) A simple configuration using only one password

2) Additional security with key chains

 

Configuration Examples:

 

A) Simple configuration using only one password:

 

 

In the following example there are two routers, R1 and R2, running EIGRP. We will configure a single password under "EIGRP named" mode.

 

[Figure 1: topology, R1 Fa1/0 (10.1.1.1/30) connected to R2 Fa1/0 (10.1.1.2/30)]

 

Configuring R1:

 

R1#conf t

Enter configuration commands, one per line. End with CNTL/Z.

R1(config)#int fa1/0

R1(config-if)#ip add 10.1.1.1 255.255.255.252

R1(config-if)#no sh

R1(config-if)#exit

 

R1(config)#router eigrp CISCO

R1(config-router)#address-family ipv4 unicast autonomous-system 1

R1(config-router-af)#network 10.1.1.0 0.0.0.3

R1(config-router-af)#af-interface fa1/0

R1(config-router-af-interface)#authentication ?

  key-chain  key-chain

  mode       authentication mode

R1(config-router-af-interface)#authentication mode ?

  hmac-sha-256  HMAC-SHA-256 Authentication

  md5           Keyed message digest

R1(config-router-af-interface)#authentication mode hmac-sha-256 cisco

R1(config-router-af-interface)#exit-af-interface

R1(config-router-af)#exit-address-family

R1(config-router)#end

R1#

 

Configuring R2:

 

R2#conf t

Enter configuration commands, one per line. End with CNTL/Z.

R2(config)#int fa1/0

R2(config-if)#ip add 10.1.1.2 255.255.255.252

R2(config-if)#no sh

R2(config-if)#exit

R2(config)#router eigrp CISCO

R2(config-router)#address-family ipv4 unicast autonomous-system 1

R2(config-router-af)#net 10.1.1.0 0.0.0.3

R2(config-router-af)#af-interface fa1/0

R2(config-router-af-interface)#authentication mode hmac-sha-256 cisco

R2(config-router-af-interface)#exit-af-interface

R2(config-router-af)#exit-address-family

R2(config-router)#end

R2#

 

Verification:

 

R1#sh ip eigrp 1 neighbors

EIGRP-IPv4 VR(CISCO) Address-Family Neighbors for AS(1)

H   Address                 Interface             Hold Uptime   SRTT   RTO Q Seq

                                                   (sec)         (ms)       Cnt Num

0   10.1.1.2               Fa1/0                   13 00:06:00 352 3168 0 2

R1#

If the passwords do not match, the adjacency simply never forms; this output gives no explicit mismatch message. Use "show ip eigrp interfaces detail" to confirm the authentication mode configured on each interface, and "debug eigrp packets" to see whether incoming Hellos are being rejected.

 

B) Additional security with key-chains:

 

The following example shows how to configure advanced SHA authentication with the password cisco together with a key chain of key strings. The key-chain concept is the same as in classic mode; only the syntax differs.

 

R1#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

R1(config)#key chain CHAIN

R1(config-keychain)#key 1

R1(config-keychain-key)#key-string secure_traffic

R1(config-keychain-key)#!

R1(config-keychain-key)#router eigrp CISCO

R1(config-router)#address-family ipv4 auto 1

R1(config-router-af)#af-interface fa1/0

R1(config-router-af-interface)#authentication mode hmac-sha-256 cisco

R1(config-router-af-interface)#authentication key-chain CHAIN

R1(config-router-af-interface)#exit-af-interface

R1(config-router-af)#end

R1#

*Sep 20 02:20:11.427: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.1.1.2 (FastEthernet1/0) is down: keychain changed

 

You can see that the neighbor relationship went down because R2 is not yet configured with the key chain.

Now let's configure the key chain on R2:

 

R2#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

R2(config)#key chain CHAIN

R2(config-keychain)#key 1

R2(config-keychain-key)#key-string secure_traffic

R2(config-keychain-key)#!

R2(config-keychain-key)#router eigrp CISCO

R2(config-router)#address-family ipv4 auto 1

R2(config-router-af)#af-interface fa1/0

R2(config-router-af-interface)#authentication mode hmac-sha-256 cisco

R2(config-router-af-interface)#authentication key-chain CHAIN

R2(config-router-af-interface)#exit-af-interface

R2(config-router-af)#end

R2#

*Sep 20 02:21:48.831: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.1.1.1 (FastEthernet1/0) is up: new adjacency

 

 

From the above output you can see that after the key chain is configured on R2, it authenticates with R1 and the neighbor relationship between them comes up.

 

 

C) Applying the same password to all interfaces with a single command:

 

In this example R1 is connected to R2, R4 and R5 as shown below. R1 is running EIGRP and authenticates each neighbor with a single authentication command: it uses "af-interface default" instead of specifying the password under each interface.

 

[Figure 2: topology, R1 connected to R2 via Fa1/0 (10.1.1.0/30), to R4 via Fa2/0 (10.1.1.4/30) and to R5 via Fa2/1 (10.1.1.8/30)]

 

 

R2#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

R2(config)#int fa1/0

R2(config-if)#ip add 10.1.1.2 255.255.255.252

R2(config-if)#no sh

R2(config-if)#exit

 

R2(config)#router eigrp CISCO

R2(config-router)#address-family ipv4 unicast autonomous-system 1

R2(config-router-af)#net 10.1.1.0 0.0.0.3

R2(config-router-af)#af-interface default

R2(config-router-af-interface)#authentication mode hmac-sha-256 cisco

R2(config-router-af-interface)#exit

R2(config-router-af)#exit

R2(config-router)#end

R2#

R4#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

R4(config)#int fa1/0

R4(config-if)#ip add 10.1.1.6 255.255.255.252

R4(config-if)#no sh

R4(config-if)#exit

 

R4(config)#router eigrp CISCO

R4(config-router)#address-family ipv4 unicast autonomous-system 1

R4(config-router-af)#net 10.1.1.4 0.0.0.3

R4(config-router-af)#af-interface default

R4(config-router-af-interface)#authentication mode hmac-sha-256 cisco

R4(config-router-af-interface)#exit

R4(config-router-af)#exit

R4(config-router)#end

R4#

R5#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

R5(config)#int fa1/0

R5(config-if)#ip add 10.1.1.10 255.255.255.252

R5(config-if)#no sh

R5(config-if)#exit

 

R5(config)#router eigrp CISCO

R5(config-router)#address-family ipv4 unicast autonomous-system 1

R5(config-router-af)#net 10.1.1.8 0.0.0.3

R5(config-router-af)#af-interface default

R5(config-router-af-interface)#authentication mode hmac-sha-256 cisco

R5(config-router-af-interface)#exit-af-interface

R5(config-router-af)#exit-address-family

R5(config-router)#end

R5#

 

R1 configuration:

 

R1#conf t

Enter configuration commands, one per line. End with CNTL/Z.

R1(config)#int fa1/0

R1(config-if)#ip add 10.1.1.1 255.255.255.252

R1(config-if)#no sh

 

R1(config-if)#int fa2/0

R1(config-if)#ip add 10.1.1.5 255.255.255.252

R1(config-if)#no sh

 

R1(config-if)#int fa2/1

R1(config-if)#ip add 10.1.1.9 255.255.255.252

R1(config-if)#no sh

R1(config-if)#exit

R1(config)#

 

R1(config)#router eigrp CISCO

R1(config-router)#address-family ipv4 unicast auto 1

R1(config-router-af)#net 10.1.1.0 0.0.0.3

R1(config-router-af)#net 10.1.1.4 0.0.0.3

R1(config-router-af)#net 10.1.1.8 0.0.0.3

R1(config-router-af)#af-interface default

R1(config-router-af-interface)#authentication mode hmac-sha-256 cisco

R1(config-router-af-interface)#exit-af-interface

R1(config-router-af)#exit-address-family

R1(config-router)#end

R1#

 

 

Verification on R1:

 

The logs below show all three neighbors authenticating and their adjacencies coming up.

 

 

 

R1#

*Sep 20 02:40:29.043: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.1.1.6 (FastEthernet2/0) is up: new adjacency

 

*Sep 20 02:40:30.623: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.1.1.10 (FastEthernet2/1) is up: new adjacency

 

*Sep 20 02:41:28.671: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.1.1.2 (FastEthernet1/0) is up: new adjacency

R1#

 

R1#sh ip eigrp neighbors

EIGRP-IPv4 VR(CISCO) Address-Family Neighbors for AS(1)

H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq

                                                   (sec)         (ms)       Cnt Num

2   10.1.1.2                Fa1/0                    12 00:02:59   64   576  0  3

1   10.1.1.10               Fa2/1                    11 00:03:57   92   552  0  3

0   10.1.1.6                Fa2/0                    13 00:03:59    1  5000  0  3

R1#
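
Sections B and C above show two settings an auditor wants to verify across a fleet: whether each af-interface (directly or through "af-interface default") uses HMAC-SHA-256 rather than MD5 or nothing, and whether a key chain with lifetimes backs the password so it can be rotated. The following Python is an added example (not from the original article or any Cisco tool) that reads a running-config and reports those findings. Both configs embedded in it are constructed: WEAK_CONFIG combines a classic-mode interface, a static single password under af-interface default and a key chain with no lifetimes; HARDENED_CONFIG is the corrected form. The WEAK_SECRETS list and the inheritance rule (settings missing under a specific af-interface come from af-interface default) are assumptions stated in the code.

```python
import re

# Constructed sample configs (not from the page). WEAK_CONFIG has a classic-mode interface,
# a named-mode AF whose af-interface default carries one static password, and a key chain
# without lifetimes. HARDENED_CONFIG uses HMAC-SHA-256 everywhere plus a rotatable key chain.
WEAK_CONFIG = """\
key chain CHAIN
 key 1
  key-string secure_traffic
!
interface FastEthernet0/0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 mykey
!
router eigrp CISCO
 address-family ipv4 unicast autonomous-system 1
  af-interface default
   authentication mode hmac-sha-256 cisco
  exit-af-interface
  af-interface FastEthernet2/0
   authentication mode md5
   authentication key-chain CHAIN
  exit-af-interface
 exit-address-family
"""
HARDENED_CONFIG = """\
key chain ROTATE
 key 1
  key-string Xq7vB2mPq9
  accept-lifetime 00:00:00 Jan 1 2025 infinite
  send-lifetime 00:00:00 Jan 1 2025 infinite
!
router eigrp CISCO
 address-family ipv4 unicast autonomous-system 1
  af-interface default
   authentication mode hmac-sha-256 Xq7vB2mPq9
   authentication key-chain ROTATE
  exit-af-interface
 exit-address-family
"""
WEAK_SECRETS = {"cisco", "password", "eigrp"}  # illustrative list of example passwords (assumption)


def parse_eigrp_auth(config: str):
    # One pass over the config, tracking which block we are inside.
    af_ifaces, key_chains, classic_ifaces = {}, {}, {}
    ctx = None  # ("af", name) | ("chain", name, key_id) | ("intf", name)
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!" or line.startswith("exit-"):
            ctx = None
            continue
        if m := re.match(r"af-interface (\S+)$", line):
            ctx = ("af", m.group(1))
            af_ifaces[m.group(1)] = {"mode": None, "secret": None, "keychain": None}
        elif m := re.match(r"key chain (\S+)$", line):
            ctx = ("chain", m.group(1), None)
            key_chains[m.group(1)] = {}
        elif m := re.match(r"interface (\S+)$", line):
            ctx = ("intf", m.group(1))
        elif ctx is None:
            continue
        elif ctx[0] == "af":
            entry = af_ifaces[ctx[1]]
            if m := re.match(r"authentication mode (\S+)(?: (?:[07] )?(\S+))?$", line):
                entry["mode"], entry["secret"] = m.group(1), m.group(2)
            elif m := re.match(r"authentication key-chain (\S+)$", line):
                entry["keychain"] = m.group(1)
        elif ctx[0] == "chain":
            chain, key_id = ctx[1], ctx[2]
            if m := re.match(r"key (\d+)$", line):
                ctx = ("chain", chain, m.group(1))
                key_chains[chain][m.group(1)] = set()   # lifetime statements seen for this key
            elif key_id and line.split()[0] in ("accept-lifetime", "send-lifetime"):
                key_chains[chain][key_id].add(line.split()[0])
        elif ctx[0] == "intf":
            if m := re.match(r"ip authentication mode eigrp \d+ (\S+)$", line):
                classic_ifaces[ctx[1]] = m.group(1)
    return af_ifaces, key_chains, classic_ifaces


def audit_eigrp_auth(config: str) -> list:
    """Return human-readable findings; an empty list means nothing to report."""
    af_ifaces, key_chains, classic_ifaces = parse_eigrp_auth(config)
    findings, default = [], af_ifaces.get("default", {})
    for name, entry in sorted(af_ifaces.items()):
        # Settings missing under a specific af-interface are inherited from af-interface default.
        mode = entry["mode"] or default.get("mode")
        secret = entry["secret"] if entry["mode"] else default.get("secret")
        chain = entry["keychain"] or default.get("keychain")
        if mode is None:
            findings.append(f"af-interface {name}: no authentication configured")
        elif mode == "md5":
            findings.append(f"af-interface {name}: MD5 in use, prefer hmac-sha-256")
        elif chain is None:
            findings.append(f"af-interface {name}: single static password, no key chain for rotation")
        if secret in WEAK_SECRETS:
            findings.append(f"af-interface {name}: weak or example password '{secret}'")
    for chain, keys in sorted(key_chains.items()):
        for key_id, lifetimes in sorted(keys.items()):
            if {"accept-lifetime", "send-lifetime"} - lifetimes:
                findings.append(f"key chain {chain} key {key_id}: no lifetimes, key never rotates")
    for name, mode in sorted(classic_ifaces.items()):
        findings.append(f"interface {name}: classic-mode {mode} authentication (MD5 only), migrate to named mode")
    return findings


if __name__ == "__main__":
    for finding in audit_eigrp_auth(WEAK_CONFIG):
        print("WEAK:", finding)
    print("HARDENED:", audit_eigrp_auth(HARDENED_CONFIG) or "no findings")
```

Feed it the output of "show running-config" collected from each router; a passive af-interface or a platform that encrypts the password on display will need the regexes extended, which is why the parser is kept separate from the policy checks.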

 

 

D) IPv6 authentication using the "EIGRP named" configuration:

 

To configure EIGRP authentication for IPv6, apply the same authentication command under the IPv6 address family, as shown below:

 

 

 

R1#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

R1(config)#ipv6 unicast-routing

R1(config)#int fa2/0

R1(config-if)#ipv6 enable

R1(config-if)#exit

R1(config)#router eigrp CISCO

R1(config-router)#address-family ipv6 unicast autonomous-system 1

R1(config-router-af)#af-interface fa2/0

R1(config-router-af-interface)#authentication mode hmac-sha-256 cisco

R1(config-router-af-interface)#end

R1#

 

 

R4#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

R4(config)#ipv6 unicast-routing

R4(config)#int fa1/0

R4(config-if)#ipv6 enable

R4(config-if)#exit

R4(config)#router eigrp CISCO

R4(config-router)# address-family ipv6 unicast autonomous-system 1

R4(config-router-af)#af-interface FastEthernet1/0

R4(config-router-af-interface)#authentication mode hmac-sha-256 cisco

R4(config-router-af-interface)#end

R4#

 

Verification:

 

R4#sh ipv6 eigrp neighbors

EIGRP-IPv6 VR(CISCO) Address-Family Neighbors for AS(1)

H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq

                                                   (sec)         (ms)       Cnt Num

0   Link-local address:     Fa1/0                    14 00:04:00  190  1140  0  4

    FE80::C800:21FF:FE90:38

 

The EIGRP neighbor is identified by its link-local address; the IPv6 neighbor cache maps that address to the link-layer address of R1's interface:

R4#sh ipv6 neighbors

IPv6 Address                              Age Link-layer Addr State Interface

FE80::C800:21FF:FE90:38                     4 ca00.2190.0038  STALE Fa1/0
