03-08-2016 12:32 PM - last edited on 03-25-2019 04:37 PM by ciscomoderator
I have to respond to an audit issue about BGP/EIGRP authentication. In my network we use multiple VLANs and distribute routes to the rest of my sites via BGP. The auditors want me to add authentication to BGP to prevent someone from connecting a router to one of my switches and inserting false routes. I only set up my router-to-switch connections for trunking; all other switch connections are set up as access. Won't this keep a malicious router from connecting to my network?
03-08-2016 12:43 PM
It is not uncommon for security teams/auditors to ask you to add authentication to your routing protocols. In this case you can simply add authentication between your BGP peers.
HTH
03-09-2016 11:33 AM
Reza, if I set up authentication on my router, which is part of the cloud backbone supplied by our Telco vendor, wouldn't the vendor also have to configure authentication on their end with a shared key I would provide? Sorry for the newbie question, I am still learning.
03-08-2016 12:43 PM
Hi Dennis,
You have to keep in mind that a malicious router can connect to an access port and still talk to anyone else within the access VLAN of that port. An access port is not a prevention against malicious routers.
That being said, I find the auditor's request about "BGP authentication" to be misleading. Wasn't that meant to be EIGRP authentication instead? In BGP, you can only set up authentication for neighbors you have already configured. You cannot configure authentication in BGP for those neighbors you have not configured statically. In addition, not configuring a particular address as a BGP neighbor is in itself sufficient to prevent that IP address from talking BGP to your router and injecting false routes.
Best regards,
Peter
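For readers following the thread: the configuration below is an added example, not posted by Dennis, Reza or Peter. It shows both halves of what was discussed, BGP MD5 on the Telco peering (the key must be identical on both ends, which answers the question about the vendor) and EIGRP authentication on the VLAN subinterfaces behind the trunk, which is where a rogue router on an access port could actually form an adjacency. Addresses, AS numbers, interface names and key names are constructed placeholders.

```cisco
! Added example, not from any post in this thread. All addresses, AS
! numbers, interface names and key strings are placeholders.

! --- Your router: BGP MD5 towards the Telco peer ---
router bgp 65001
 neighbor 203.0.113.2 remote-as 65002
 neighbor 203.0.113.2 description Telco-cloud-peer
 neighbor 203.0.113.2 password REPLACE-WITH-SHARED-SECRET
! A peer with no key or a wrong key never reaches Established; IOS logs
! (constructed sample of the real message format):
! %TCP-6-BADAUTH: Invalid MD5 digest from 203.0.113.2(179) to 203.0.113.1(port)

! --- Telco side must mirror the same key (shown for completeness) ---
router bgp 65002
 neighbor 203.0.113.1 remote-as 65001
 neighbor 203.0.113.1 password REPLACE-WITH-SHARED-SECRET

! --- EIGRP on the VLANs behind the trunk: this is what stops a rogue
! --- router on an access port from injecting routes into your IGP.
key chain EIGRP-KEYS
 key 1
  key-string REPLACE-WITH-EIGRP-SECRET
!
router eigrp 100
 network 10.10.0.0 0.0.255.255
 ! Send hellos only where an adjacency is really needed; every other
 ! interface (e.g. user VLANs) stays passive and will not peer at all.
 passive-interface default
 no passive-interface GigabitEthernet0/1.10
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS

! --- Verify ---
! show ip bgp summary        -> 203.0.113.2 should show a prefix count, not Active/Idle
! show ip eigrp neighbors    -> only the expected routers on Gi0/1.10
! show key chain             -> confirms the key chain is present and valid
```

Apply the EIGRP change to every router that shares VLAN 10 at the same time, since an authenticated router drops hellos from an unauthenticated one and the adjacency will not form until both sides carry the key.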