Routing Protocol Authentication – RIP, OSPF, EIGRP and BGP (CCIE Notes)


RIPv2:

  • Define a key chain > key > key-string. For MD5 the key ID and key-string must match on both neighbors; for plain text only the key-string matters.
  • Reference the key-chain under the interface configuration and pick the mode. If no mode is set the default is text, which puts the key in the clear in every RIP update.

Configuration:

key chain RIPkey
 key 0
 key-string cisco123
!
interface fa0/0
 ip rip authentication key-chain RIPkey
 ip rip authentication mode [md5 | text]   (default is text)

Verification:

show ip route rip
debug ip rip

Cisco Doc Link: Technology > IP > IP Routing > Routing Information Protocol (RIP) > Sample Configuration for Authentication in RIPv2 > Configurations

OSPF:

  • Key chains aren’t used in OSPF authentication; the keys are configured directly on the interface.
  • Interface level configuration – you have more control as to which neighbor needs to be authenticated and by which type of authentication.
  • Router level configuration – every interface in the area will require authentication of the specified type.
  • ip ospf authentication-key – truncates the key to 8 characters, because the 64-bit authentication field in the OSPF header carries the key itself, in the clear.
  • ip ospf message-digest-key – key ID and key must both match the neighbor. The 16-byte MD5 digest is computed over the packet plus the key and appended after the packet, and the authentication field carries a cryptographic sequence number that the receiver checks against replay.
  • If neighbors on the same subnet use different MD5 keys, the router that has adjacencies to all of them configures each key under a different key ID; IOS then sends a copy of every packet authenticated with each configured key (the same mechanism it uses for key rollover), so the key IDs must differ.
  • Interface-level authentication type is preferred over router-level authentication type, if both are specified; ip ospf authentication null switches it off on one interface of an otherwise authenticated area.
  • The authentication type shows up in debug ip ospf packet output as aut:N

aut:0 – no authentication
aut:1 – plain-text
aut:2 – md5

Configuration:

interface fa0/0
 ip ospf authentication [message-digest | null]   (no keyword = plain text, null = none)
 ip ospf authentication-key cisco123   (plain text, max 8 characters)
 ip ospf message-digest-key 1 md5 cisco123strong   (use for md5 auth)

OR

router ospf 1
 area 0 authentication [message-digest]
!
interface fa0/0
 ip ospf authentication-key cisco123   (plain text, max 8 characters)
 ip ospf message-digest-key 1 md5 cisco123strong   (use for md5 auth)

Verification:

show ip route ospf
debug ip ospf packet

Cisco Doc Link: Technology > IP > IP Routing > Sample Configuration for Authentication in OSPF > Configure
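
To make the aut:1 / aut:2 distinction and the 8-character limit concrete, here is an added example (not code from the original notes or from Cisco) that builds a minimal OSPF Hello, applies either plain-text or RFC 2328 Appendix D MD5 authentication, and verifies it the way a receiving router would. The router ID, area, network, key ID, sequence number and key strings are constructed for the example.

```python
"""OSPF plain-text (aut:1) and MD5 (aut:2) authentication on raw packets.

Added example for these notes, not code from the original post or from Cisco.
All addresses, key IDs, sequence numbers and key strings are constructed.
"""
import hashlib
import hmac
import socket
import struct

# version, type, length, router ID, area ID, checksum, auth type; the 8-byte
# authentication field follows and its meaning depends on the auth type.
OSPF_HDR = struct.Struct("!BBH4s4sHH")
AUTH_FIELD_LEN = 8
AUTH_NULL, AUTH_PLAIN, AUTH_MD5 = 0, 1, 2      # aut:0 / aut:1 / aut:2 in debug output
HELLO = 1


def _inet_checksum(data: bytes) -> int:
    """Standard one's-complement checksum; returns 0 when run over data that
    already contains a correct checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _key16(key: str) -> bytes:
    # RFC 2328 D.4.3: the key is zero-padded (or cut) to 16 bytes before hashing.
    return key.encode()[:16].ljust(16, b"\x00")


def build_hello(router_id: str, area_id: str, netmask: str, autype: int,
                key: str = "", key_id: int = 1, seq: int = 1) -> bytes:
    """Minimal Hello (hello 10s, dead 40s, no DR/BDR) with the chosen auth type."""
    body = struct.pack("!4sHBBI4s4s", socket.inet_aton(netmask), 10, 0x02, 1, 40,
                       bytes(4), bytes(4))
    length = OSPF_HDR.size + AUTH_FIELD_LEN + len(body)      # digest is NOT counted
    fixed = OSPF_HDR.pack(2, HELLO, length, socket.inet_aton(router_id),
                          socket.inet_aton(area_id), 0, autype)
    if autype == AUTH_MD5:
        # Checksum stays 0; the field carries key ID, digest length and sequence number.
        auth = struct.pack("!HBBI", 0, key_id, 16, seq)
        pkt = fixed + auth + body
        return pkt + hashlib.md5(pkt + _key16(key)).digest()  # digest trails the packet
    # Null / plain text: the field carries the key itself (hence 8 characters) and the
    # checksum covers the whole packet except those 8 bytes.
    auth = key.encode()[:8].ljust(8, b"\x00") if autype == AUTH_PLAIN else bytes(8)
    pkt = bytearray(fixed + auth + body)
    struct.pack_into("!H", pkt, 12, _inet_checksum(bytes(pkt[:16] + pkt[24:])))
    return bytes(pkt)


def recover_plain_key(pkt: bytes) -> bytes:
    """What anyone sniffing the segment gets from an aut:1 Hello: the key, in the clear."""
    if struct.unpack_from("!H", pkt, 14)[0] != AUTH_PLAIN:
        return b""
    return pkt[16:24].rstrip(b"\x00")


def verify_plain(pkt: bytes, key: str) -> bool:
    """aut:1 check: checksum verifies and the 8 cleartext bytes match the (truncated) key."""
    _, _, length, _, _, _, autype = OSPF_HDR.unpack_from(pkt)
    if autype != AUTH_PLAIN or len(pkt) != length:
        return False
    if _inet_checksum(pkt[:16] + pkt[24:]) != 0:
        return False
    return hmac.compare_digest(pkt[16:24], key.encode()[:8].ljust(8, b"\x00"))


def verify_md5(pkt: bytes, keys: dict, last_seq: int = -1) -> bool:
    """aut:2 check: key ID must be configured, the digest must match, and the
    sequence number must be newer than the last one seen from this neighbor."""
    _, _, length, _, _, _, autype = OSPF_HDR.unpack_from(pkt)
    if autype != AUTH_MD5 or len(pkt) != length + 16:
        return False
    _, key_id, digest_len, seq = struct.unpack_from("!HBBI", pkt, OSPF_HDR.size)
    key = keys.get(key_id)
    if key is None or digest_len != 16 or seq <= last_seq:
        return False
    expected = hashlib.md5(pkt[:length] + _key16(key)).digest()
    return hmac.compare_digest(expected, pkt[length:])
```

The plain-text check accepts any key that agrees in its first 8 characters, which is exactly the truncation the notes warn about; the MD5 check fails on a wrong key, a wrong key ID with the right key, a modified byte, or a replayed sequence number.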

EIGRP:

  • EIGRP uses key chains; key ID and key-string must match on both neighbors, as must the AS number in the interface commands.
  • Interface level configuration only (classic mode).
  • Within one key chain you can configure several keys with different accept/send lifetimes so that when one expires the next one takes over; only one key chain can be applied per interface, and IOS sends with the first (lowest-numbered) key whose send-lifetime is current.
  • Make sure the time is synchronized between the neighbors (NTP). Lifetimes are checked against each router’s own clock, so give the accept-lifetime a wider window than the send-lifetime to absorb skew.

Configuration:

key chain KEY1
 key 1
 key-string cisco123key
 accept-lifetime 18:00:00 Jan 1 2014 18:00:00 Jan 30 2014
 send-lifetime 18:00:00 Jan 1 2014 18:00:00 Jan 30 2014
 key 2
 key-string cisco321key
 accept-lifetime 17:00:00 Jan 30 2014 infinite
 send-lifetime 17:00:00 Jan 30 2014 infinite
!
interface FastEthernet0/0
 ip address 136.1.13.3 255.255.255.0
 ip authentication mode eigrp 10 md5
 ip authentication key-chain eigrp 10 KEY1

Verification:

show ip eigrp neighbors
debug eigrp packets   (reports authentication mismatches)

Cisco Doc Link: Technology > IP > IP Routing > Enhanced Interior Gateway Routing Protocol (EIGRP) > EIGRP Message Authentication Configuration Example > Configure EIGRP Message Authentication
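
The lifetime rules above are easy to get wrong, so here is an added example (not code from the original notes or from Cisco) that models the KEY1 chain from the configuration above and answers, for a given clock, the two questions IOS answers for every packet: which key do I send with, and which keys do I accept. It then measures how much clock skew between two neighbors the chain tolerates at a given moment. The key IDs and key-strings are the notes' own; the neighbor clocks are constructed, and IOS's behaviour once every key is outside its send-lifetime is deliberately not modelled (the model simply refuses to sign).

```python
"""Key-chain lifetime model for EIGRP/RIPv2 MD5 authentication.

Added example for these notes, not code from the original post or from Cisco.
Timestamps are "YYYY-MM-DD HH:MM" strings; None stands for 'infinite'.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Optional, Tuple
import hmac


def _t(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


@dataclass(frozen=True)
class Key:
    key_id: int
    key_string: str
    accept_start: datetime
    accept_end: Optional[datetime]
    send_start: datetime
    send_end: Optional[datetime]

    @staticmethod
    def _within(start: datetime, end: Optional[datetime], now: datetime) -> bool:
        return start <= now and (end is None or now < end)

    def accepts_at(self, now: datetime) -> bool:
        return self._within(self.accept_start, self.accept_end, now)

    def sends_at(self, now: datetime) -> bool:
        return self._within(self.send_start, self.send_end, now)


class KeyChain:
    def __init__(self, name: str, keys: List[Key]):
        self.name = name
        self.keys = sorted(keys, key=lambda k: k.key_id)

    def send_key(self, now: datetime) -> Optional[Key]:
        """Lowest-numbered key whose send-lifetime is current, or None."""
        return next((k for k in self.keys if k.sends_at(now)), None)

    def accept_keys(self, now: datetime) -> List[Key]:
        return [k for k in self.keys if k.accepts_at(now)]


def key1_chain() -> KeyChain:
    """The KEY1 chain from the configuration above: key 1 until 18:00 Jan 30
    2014, key 2 from 17:00 Jan 30 2014 onwards, a one-hour overlap."""
    return KeyChain("KEY1", [
        Key(1, "cisco123key", _t("2014-01-01 18:00"), _t("2014-01-30 18:00"),
            _t("2014-01-01 18:00"), _t("2014-01-30 18:00")),
        Key(2, "cisco321key", _t("2014-01-30 17:00"), None,
            _t("2014-01-30 17:00"), None),
    ])


def send_key_id(chain: KeyChain, ts: str) -> Optional[int]:
    k = chain.send_key(_t(ts))
    return k.key_id if k else None


def accept_key_ids(chain: KeyChain, ts: str) -> List[int]:
    return [k.key_id for k in chain.accept_keys(_t(ts))]


def _authenticated_at(sender: KeyChain, sender_clock: datetime,
                      receiver: KeyChain, receiver_clock: datetime) -> bool:
    # EIGRP's auth TLV carries the key ID, so the receiver looks that ID up
    # among its currently accepted keys and the key-string must match too.
    k = sender.send_key(sender_clock)
    if k is None:
        return False
    return any(r.key_id == k.key_id
               and hmac.compare_digest(r.key_string.encode(), k.key_string.encode())
               for r in receiver.accept_keys(receiver_clock))


def authenticated(sender: KeyChain, sender_ts: str, receiver: KeyChain, receiver_ts: str) -> bool:
    """Would a packet the sender signs at sender_ts pass the receiver's check at receiver_ts?"""
    return _authenticated_at(sender, _t(sender_ts), receiver, _t(receiver_ts))


def skew_tolerance_minutes(chain_factory: Callable[[], KeyChain], ts: str,
                           step: int = 5, limit: int = 24 * 60) -> Tuple[int, int]:
    """Minutes the receiver's clock may run ahead of / behind the sender's at
    this instant before the sender's packets are rejected. Probes in `step`
    minute increments; a result equal to `limit` means 'at least that much'."""
    now = _t(ts)

    def ok(offset: int) -> bool:
        return _authenticated_at(chain_factory(), now, chain_factory(), now + timedelta(minutes=offset))

    ahead = behind = 0
    while ahead < limit and ok(ahead + step):
        ahead += step
    while behind < limit and ok(-(behind + step)):
        behind += step
    return ahead, behind
```

Run against the notes' own chain this shows the trap: at 17:30 on Jan 30 both keys are valid, but the sender still uses key 1 (lowest ID), so a neighbor whose clock is only 30 minutes ahead has already stopped accepting key 1 and drops the packet. The one-hour overlap only buys tolerance in one direction; the fix is an accept-lifetime that ends later than the send-lifetime.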

BGPv4:

  • Only a password needs to be set for the ‘neighbor’ (under router bgp), and it must be identical on both peers. There is no key chain or key ID: the password keys an MD5 digest (RFC 2385, TCP option 19) over every TCP segment of the session, so a mismatch keeps the session from ever establishing and is logged as %TCP-6-BADAUTH.

Configuration:

 neighbor 150.1.1.1 password ciscoBGPpass

Cisco Doc Link:

Technology > IP > IP Routing > Border Gateway Protocol (BGP) > MD5 Authentication Between BGP Peers Configuration Example > Configurations
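
Since the notes only show the one-line configuration, here is an added example (not code from the original post or from Cisco) of what that password actually does on the wire: it builds a TCP segment to port 179 carrying the RFC 2385 MD5 Signature Option and checks it the way the peer's TCP stack would. Addresses, ports, sequence numbers, the payload and the password are constructed, and the TCP checksum is left at zero (a real stack fills it in after signing and zeroes it again before verifying).

```python
"""RFC 2385 TCP MD5 signature option, the mechanism behind 'neighbor ... password'.

Added example for these notes, not code from the original post or from Cisco.
Everything about the segment (addresses, ports, payload, password) is constructed.
"""
import hashlib
import hmac
import socket
import struct
from typing import Optional

TCP_MD5_OPT = 19        # option kind
TCP_MD5_OPT_LEN = 18    # kind + length + 16-byte digest
OPTS_LEN = 20           # the option plus two NOPs, padded to a 32-bit boundary
BGP_PORT = 179


def _pseudo_header(src: str, dst: str, seg_len: int) -> bytes:
    # RFC 2385 section 2.0: source, destination, zero, protocol, TCP segment length
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len)


def _signature(src: str, dst: str, seg_len: int, header: bytes, data: bytes, password: str) -> bytes:
    """MD5 over the pseudo-header, the 20-byte TCP header with the checksum
    zeroed (options are NOT covered), the segment data, and the password."""
    header = header[:16] + b"\x00\x00" + header[18:]
    return hashlib.md5(_pseudo_header(src, dst, seg_len) + header + data + password.encode()).digest()


def build_segment(src: str, dst: str, sport: int, dport: int, seq: int, ack: int,
                  flags: int, data: bytes, password: Optional[str]) -> bytes:
    """Signed segment when a password is given; plain 20-byte-header segment otherwise."""
    opts_len = OPTS_LEN if password is not None else 0
    doff = (20 + opts_len) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, doff << 4, flags, 65535, 0, 0)
    if password is None:
        return header + data
    sig = _signature(src, dst, 20 + opts_len + len(data), header, data, password)
    options = bytes([TCP_MD5_OPT, TCP_MD5_OPT_LEN]) + sig + b"\x01\x01"   # NOP, NOP padding
    return header + options + data


def find_signature(options: bytes) -> Optional[bytes]:
    """Walk the TCP option list and return the 16-byte digest from option 19, if present."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                                   # EOL
            return None
        if kind == 1:                                   # NOP
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            return None                                 # malformed option
        length = options[i + 1]
        if kind == TCP_MD5_OPT and length == TCP_MD5_OPT_LEN:
            return options[i + 2:i + length]
        i += length
    return None


def verify_segment(src: str, dst: str, segment: bytes, password: str) -> bool:
    """Receiver-side check. With a password configured, an unsigned or wrongly
    signed segment is dropped, which is why a mismatch never gets past the
    TCP handshake and the BGP session stays down."""
    if len(segment) < 20:
        return False
    doff = (segment[12] >> 4) * 4
    if doff < 20 or doff > len(segment):
        return False
    header, options, data = segment[:20], segment[20:doff], segment[doff:]
    sig = find_signature(options)
    if sig is None:
        return False
    return hmac.compare_digest(sig, _signature(src, dst, len(segment), header, data, password))
```

Because the IP addresses are part of the hashed pseudo-header, anything that rewrites them in transit (NAT between the peers) breaks the session just as surely as a wrong password does; because options are excluded from the hash, the signature says nothing about MSS or other option contents.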

 Bookmark to follow my CCIE Security v4 journey -> https://networkology.net/ccie-security/
