cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2455
Views
8
Helpful
6
Replies

Key chain in EIGRP Named mode with HMAC-SHA

Muhammad Rafi
Level 1
Level 1

Hi All, 

 

is it ok to use key chain with eigrp named mode hmac or hmac-sha itself is strong enough to prevent replay attacks without key chain? 

1 Accepted Solution

Accepted Solutions

Bilal Nawaz
VIP Alumni
VIP Alumni

Yes, this is correct. You do not need the extra key chain. Just use HMAC under eigrp named mode >> under interface >> enable hmac with key.

e.g.

Router-A(config)# router eigrp CISCO
Router-A(config-router)# address-family ipv4 autonomous-system 1
Router-A(config-router-af)# af-interface ethernet 0/0
Router-A(config-router-af-interface)# authentication mode hmac-sha-256 password
Router-A(config-router-af-interface)# end

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_eigrp/configuration/15-sy/ire-15-sy-book/ire-sha-256.html

hth.

Bilal

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

View solution in original post

6 Replies 6

Bilal Nawaz
VIP Alumni
VIP Alumni

Yes, this is correct. You do not need the extra key chain. Just use HMAC under eigrp named mode >> under interface >> enable hmac with key.

e.g.

Router-A(config)# router eigrp CISCO
Router-A(config-router)# address-family ipv4 autonomous-system 1
Router-A(config-router-af)# af-interface ethernet 0/0
Router-A(config-router-af-interface)# authentication mode hmac-sha-256 password
Router-A(config-router-af-interface)# end

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_eigrp/configuration/15-sy/ire-15-sy-book/ire-sha-256.html

hth.

Bilal

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Thanks Bilal, why did you use 0 ? doesn't that mean disable encryption ? what I want to encrypt my password as well rather than in clear text 

I specified 0 because i am entering the password as I know it, that does not disable the authentication, maybe encryption. If i was to enter 7 then i think the passwords are encrypted.

hth

Bilal

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Router-A(config-router-af-interface)#authentication mode hmac-sha-256 ?
  <0-7>  Encryption type (0 to disable encryption, 7 for proprietary)
  LINE   password

 

can you explain this please ?

 

Sorry Bilal, we have had confusion here, I asked about the encryption and you  mentioned authentication and I thought you said encryption lol, but its all clear now. 

 

Beside, is it good practice to use authentication on loopback interfaces ? 

Hello Muhammad, I have not seen this being implemented on loopback interfaces, more often we are trying to protect the adjacency, not a loopback that we are trying to advertise out. Unless our control plane got compromised somehow, then we have more worries than just the loopback :) So summary is no, it is not really necessary on loopback.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
Review Cisco Networking for a $25 gift card