12-23-2014 04:06 AM - edited 03-07-2019 09:59 PM
Hi All,
Is it OK to use a key chain with EIGRP named mode HMAC, or is HMAC-SHA itself strong enough to prevent replay attacks without a key chain?
12-23-2014 04:40 AM
Yes, this is correct. You do not need the extra key chain. Just use HMAC under eigrp named mode >> under interface >> enable hmac with key.
e.g.
Router-A(config)# router eigrp CISCO
Router-A(config-router)# address-family ipv4 autonomous-system 1
Router-A(config-router-af)# af-interface ethernet 0/0
Router-A(config-router-af-interface)# authentication mode hmac-sha-256 password
Router-A(config-router-af-interface)# end
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_eigrp/configuration/15-sy/ire-15-sy-book/ire-sha-256.html
hth.
Bilal
12-23-2014 04:40 AM
Thanks Bilal, why did you use 0? Doesn't that mean disable encryption? What I want is to encrypt my password as well, rather than leave it in clear text.
12-23-2014 06:30 AM
I specified 0 because I am entering the password as I know it; that does not disable the authentication, maybe encryption. If I was to enter 7 then I think the passwords are encrypted.
hth
Bilal
12-23-2014 06:30 AM
Router-A(config-router-af-interface)#authentication mode hmac-sha-256 ?
<0-7> Encryption type (0 to disable encryption, 7 for proprietary)
LINE password
Can you explain this please?
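Added example, not part of any post in this thread: a small Python audit that reads an EIGRP named-mode configuration and reports, per af-interface, whether hmac-sha-256 is enabled and whether the secret is stored as type 7 or in clear text. The sample config is constructed, and the script assumes the saved line has the form `authentication mode hmac-sha-256 [type] secret`, following the CLI help quoted above.

```python
# SAMPLE_CONFIG is constructed for illustration; interface names and secrets are made up.
SAMPLE_CONFIG = """\
router eigrp CISCO
 address-family ipv4 unicast autonomous-system 1
  af-interface Ethernet0/0
   authentication mode hmac-sha-256 S3cretKey
  exit-af-interface
  af-interface Ethernet0/1
   authentication mode hmac-sha-256 7 TYPE7PLACEHOLDER
  exit-af-interface
  af-interface Ethernet0/2
   authentication mode md5
   authentication key-chain EIGRP-KEYS
  exit-af-interface
  af-interface Ethernet0/3
   hello-interval 5
  exit-af-interface
  af-interface Loopback0
   passive-interface
  exit-af-interface
 exit-address-family
"""


def audit_eigrp_auth(config):
    """Map each af-interface to a finding about its authentication settings."""
    findings, current = {}, None
    for raw in config.splitlines():
        tokens = raw.split()
        if tokens[:1] == ["af-interface"] and len(tokens) > 1:
            current = tokens[1]
            findings[current] = "no authentication configured"
        elif tokens == ["exit-af-interface"]:
            current = None
        elif current and tokens == ["passive-interface"]:
            findings[current] = "passive, no adjacency to protect"
        elif current and tokens[:2] == ["authentication", "mode"] and len(tokens) > 2:
            mode = tokens[2]
            # An encryption-type digit is only present when a secret follows it.
            enc = tokens[3] if len(tokens) > 4 and tokens[3].isdigit() else "0"
            if mode != "hmac-sha-256":
                findings[current] = f"mode {mode}, not hmac-sha-256"
            elif enc == "7":
                # Type 7 is Cisco's reversible encoding, not strong protection.
                findings[current] = "hmac-sha-256, secret stored as type 7"
            else:
                findings[current] = "hmac-sha-256, secret stored in clear text"
    return findings
```

Call `audit_eigrp_auth()` on the text of a saved configuration to get one finding per af-interface.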
12-23-2014 09:08 AM
Sorry Bilal, we have had confusion here. I asked about the encryption and you mentioned authentication and I thought you said encryption lol, but it's all clear now.
Besides, is it good practice to use authentication on loopback interfaces?
12-24-2014 12:59 AM
Hello Muhammad, I have not seen this being implemented on loopback interfaces, more often we are trying to protect the adjacency, not a loopback that we are trying to advertise out. Unless our control plane got compromised somehow, then we have more worries than just the loopback :) So summary is no, it is not really necessary on loopback.