Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2413
Views
8
Helpful
6
Replies

Key chain in EIGRP Named mode with HMAC-SHA

Go to solution
Muhammad Rafi
Level 1
Level 1

‎12-23-2014 04:06 AM - edited ‎03-07-2019 09:59 PM

Hi All, 

 

is it ok to use key chain with eigrp named mode hmac or hmac-sha itself is strong enough to prevent replay attacks without key chain? 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Bilal Nawaz
VIP Alumni
VIP Alumni

‎12-23-2014 04:40 AM

Yes, this is correct. You do not need the extra key chain. Just use HMAC under eigrp named mode >> under interface >> enable hmac with key.

e.g.

Router-A(config)# router eigrp CISCO
Router-A(config-router)# address-family ipv4 autonomous-system 1
Router-A(config-router-af)# af-interface ethernet 0/0
Router-A(config-router-af-interface)# authentication mode hmac-sha-256 password
Router-A(config-router-af-interface)# end

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_eigrp/configuration/15-sy/ire-15-sy-book/ire-sha-256.html

hth.

Bilal

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Bilal Nawaz
VIP Alumni
VIP Alumni

‎12-23-2014 04:40 AM

Yes, this is correct. You do not need the extra key chain. Just use HMAC under eigrp named mode >> under interface >> enable hmac with key.

e.g.

Router-A(config)# router eigrp CISCO
Router-A(config-router)# address-family ipv4 autonomous-system 1
Router-A(config-router-af)# af-interface ethernet 0/0
Router-A(config-router-af-interface)# authentication mode hmac-sha-256 password
Router-A(config-router-af-interface)# end

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_eigrp/configuration/15-sy/ire-15-sy-book/ire-sha-256.html

hth.

Bilal

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
0 Helpful

Go to solution
Muhammad Rafi
Level 1
Level 1
In response to Bilal Nawaz

‎12-23-2014 04:40 AM

Thanks Bilal, why did you use 0 ? doesn't that mean disable encryption ? what I want to encrypt my password as well rather than in clear text 

0 Helpful

Go to solution
Bilal Nawaz
VIP Alumni
VIP Alumni
In response to Muhammad Rafi

‎12-23-2014 06:30 AM

I specified 0 because i am entering the password as I know it, that does not disable the authentication, maybe encryption. If i was to enter 7 then i think the passwords are encrypted.

hth

Bilal

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Go to solution
Muhammad Rafi
Level 1
Level 1
In response to Bilal Nawaz

‎12-23-2014 06:30 AM

Router-A(config-router-af-interface)#authentication mode hmac-sha-256 ?
  <0-7>  Encryption type (0 to disable encryption, 7 for proprietary)
  LINE   password

 

can you explain this please ?

 

0 Helpful

Go to solution
Muhammad Rafi
Level 1
Level 1
In response to Muhammad Rafi

‎12-23-2014 09:08 AM

Sorry Bilal, we have had confusion here, I asked about the encryption and you  mentioned authentication and I thought you said encryption lol, but its all clear now. 

 

Beside, is it good practice to use authentication on loopback interfaces ? 

0 Helpful

Go to solution
Bilal Nawaz
VIP Alumni
VIP Alumni
In response to Muhammad Rafi

‎12-24-2014 12:59 AM

Hello Muhammad, I have not seen this being implemented on loopback interfaces, more often we are trying to protect the adjacency, not a loopback that we are trying to advertise out. Unless our control plane got compromised somehow, then we have more worries than just the loopback :) So summary is no, it is not really necessary on loopback.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card