Key chain in EIGRP Named mode with HMAC-SHA

Muhammad Rafi
Level 1

Hi All,

Is it OK to use a key chain with EIGRP named mode HMAC, or is HMAC-SHA itself strong enough to prevent replay attacks without a key chain?

Accepted Solutions

Bilal Nawaz
VIP Alumni

Yes, this is correct. You do not need the extra key chain. Just use HMAC under EIGRP named mode >> under interface >> enable HMAC with key.

e.g.

Router-A(config)# router eigrp CISCO
Router-A(config-router)# address-family ipv4 autonomous-system 1
Router-A(config-router-af)# af-interface ethernet 0/0
Router-A(config-router-af-interface)# authentication mode hmac-sha-256 password
Router-A(config-router-af-interface)# end

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_eigrp/configuration/15-sy/ire-15-sy-book/ire-sha-256.html

hth.

Bilal

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Thanks Bilal, why did you use 0? Doesn't that mean disable encryption? I want to encrypt my password as well rather than have it in clear text.

I specified 0 because I am entering the password as I know it; that does not disable the authentication, maybe encryption. If I was to enter 7 then I think the passwords are encrypted.

hth

Bilal

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Router-A(config-router-af-interface)#authentication mode hmac-sha-256 ?
  <0-7>  Encryption type (0 to disable encryption, 7 for proprietary)
  LINE   password

Can you explain this, please?

Sorry Bilal, we have had confusion here. I asked about the encryption and you mentioned authentication and I thought you said encryption lol, but it's all clear now.

Besides, is it good practice to use authentication on loopback interfaces?

Hello Muhammad, I have not seen this being implemented on loopback interfaces; more often we are trying to protect the adjacency, not a loopback that we are trying to advertise out. Unless our control plane got compromised somehow, then we have more worries than just the loopback :) So the summary is no, it is not really necessary on loopback.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
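
An added example (not part of the thread, and not Cisco code): a small Python check that reads a named-mode EIGRP configuration and reports, for each af-interface, whether hmac-sha-256 authentication is set and which password type (0 or 7, as in the CLI help quoted above) is used. Loopbacks are reported separately, following the last reply. The sample config, placeholder passwords and function names are constructed for illustration.

```python
import re

# Constructed sample config (not from the thread); passwords are placeholders.
SAMPLE_CONFIG = """\
router eigrp CISCO
 address-family ipv4 unicast autonomous-system 1
  af-interface Ethernet0/0
   authentication mode hmac-sha-256 0 EXAMPLE-PLACEHOLDER
  exit-af-interface
  af-interface Ethernet0/1
   authentication mode hmac-sha-256 7 0000PLACEHOLDER
  exit-af-interface
  af-interface Ethernet0/2
  exit-af-interface
  af-interface Loopback0
   passive-interface
  exit-af-interface
"""

# Syntax per the CLI help quoted in the thread: optional <0-7> type, then LINE.
AUTH_RE = re.compile(r"authentication mode hmac-sha-256(?:\s+([0-7]))?\s+(.+)")

NO_AUTH = "no hmac-sha-256 authentication"
LOOPBACK = "loopback, no adjacency to protect"
CLEAR = "hmac-sha-256, type 0 (password unencrypted in config)"
TYPE7 = "hmac-sha-256, type 7 (proprietary)"

def audit_eigrp_auth(config_text):
    """Map each af-interface in a named-mode EIGRP config to a finding."""
    findings, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("af-interface "):
            current = line.split(None, 1)[1]
            is_loop = current.lower().startswith("loopback")
            findings[current] = LOOPBACK if is_loop else NO_AUTH
        elif line == "exit-af-interface":
            current = None
        elif current is not None:
            m = AUTH_RE.fullmatch(line)
            if m:
                # Assumption: a line with no type digit is treated like type 0.
                enc = m.group(1) or "0"
                findings[current] = {"0": CLEAR, "7": TYPE7}.get(
                    enc, f"hmac-sha-256, type {enc}")
    return findings

def needs_attention(findings):
    """Interfaces to review: no authentication, or an unencrypted password."""
    return sorted(n for n, f in findings.items() if f in (NO_AUTH, CLEAR))
```

Calling `needs_attention(audit_eigrp_auth(text))` on a saved configuration gives the short list of interfaces to look at first.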