Lessons Learned:
- Supports MD5 authentication only
- Uses key chains like RIPv2
- Whitespace counts as a character
- Supports automatic key rotation
- Applied at interface level:
  - ip authentication mode eigrp (as) md5
  - ip authentication key-chain eigrp (as) (key-chain)
-------------------------------------------------------------
Use authentication to secure the control plane. This is similar to RIPv2 with key-chain authentication. EIGRP does not support clear-text authentication. Also, the key number must match on both sides because it is exchanged in the Hello packet. EIGRP also supports automatic rotation of keys based on the time of day and the accept-lifetime and send-lifetime values.
The advantage of EIGRP authentication over OSPF authentication: with OSPF authentication you need to manually add a new key on all devices, then wait for everyone to start using the new key before you remove the old one. With EIGRP we can set up several passwords, so for a month we can use password one, then next month start using password two, etc.
You need to make sure the routers' clocks are in sync; otherwise the authentication could fail. The routers need to be syncing with NTP.
Basic Auth Config:
R3 --- R2
First we need to define the key-chain:
key chain EIGRP
 key 10
  key-string cisco
Then enable auth at the link level:
R3(config-if)#ip authentication mode eigrp 10 md5
Then call out the specific key-chain on the interface:
R3(config-if)#ip authentication key-chain eigrp 10 EIGRP
The resulting interface configuration:
interface FastEthernet0/0
 ip address 192.168.23.3 255.255.255.0
 ip authentication mode eigrp 10 md5
 ip authentication key-chain eigrp 10 EIGRP
 speed 100
 full-duplex
end
Note: make sure the key chains are correct. White space does count; use show key chain to verify:
Key-chain test:
    key 1 -- text "cisco"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
R3#
Note: if you have multiple key-chains defined, for example:
key chain test
 key 1
key chain test2
 key 2
the router will prefer the lowest key number first: it will send key 1 first.
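The following is an added example (not part of the original notes) that models the key-chain behaviour described above: the sender picks the lowest key number whose send-lifetime is currently valid, the receiver only accepts a Hello whose key number exists locally and is inside its accept-lifetime by the receiver's own clock, and the key-string must match byte for byte (so a trailing space breaks it). The dates, key-strings and Hello payload are constructed, and the digest is a simplified MD5 over payload plus key-string rather than the real EIGRP authentication TLV layout, which is Cisco-specific.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

# "Infinite" lifetime, the default when no accept-/send-lifetime is configured.
ALWAYS: Tuple[datetime, datetime] = (datetime.min, datetime.max)


@dataclass
class Key:
    key_id: int
    key_string: str  # whitespace is significant, exactly as on the router
    send_lifetime: Tuple[datetime, datetime] = ALWAYS
    accept_lifetime: Tuple[datetime, datetime] = ALWAYS

    def can_send(self, now: datetime) -> bool:
        start, end = self.send_lifetime
        return start <= now < end

    def can_accept(self, now: datetime) -> bool:
        start, end = self.accept_lifetime
        return start <= now < end


class KeyChain:
    def __init__(self, name: str, keys):
        self.name = name
        self.keys = sorted(keys, key=lambda k: k.key_id)

    def send_key(self, now: datetime) -> Optional[Key]:
        # Lowest key number whose send-lifetime is valid right now wins.
        for k in self.keys:
            if k.can_send(now):
                return k
        return None

    def accept_key(self, key_id: int, now: datetime) -> Optional[Key]:
        # The key number carried in the Hello must exist locally and be inside
        # its accept-lifetime according to the receiver's own clock.
        for k in self.keys:
            if k.key_id == key_id and k.can_accept(now):
                return k
        return None


def digest(payload: bytes, key_string: str) -> str:
    # Simplified stand-in (assumption): MD5 over payload + key-string.
    return hashlib.md5(payload + key_string.encode()).hexdigest()


def build_hello(chain: KeyChain, payload: bytes, now: datetime) -> dict:
    k = chain.send_key(now)
    if k is None:
        raise ValueError("no key in chain %s is valid for sending" % chain.name)
    return {"key_id": k.key_id, "payload": payload,
            "digest": digest(payload, k.key_string)}


def verify_hello(chain: KeyChain, hello: dict, now: datetime) -> bool:
    k = chain.accept_key(hello["key_id"], now)
    if k is None:
        return False
    return hmac.compare_digest(digest(hello["payload"], k.key_string),
                               hello["digest"])


def rotation_scenarios() -> dict:
    """Constructed scenario: R3 and R2 share chain EIGRP. Key 10 stops being
    sent on 1 Feb, key 20 takes over, and key 10 stays acceptable one extra
    week so neighbours with slightly late clocks are not dropped."""
    feb_1 = datetime(2024, 2, 1)
    feb_8 = datetime(2024, 2, 8)
    shared = [
        Key(10, "cisco", send_lifetime=(datetime.min, feb_1),
            accept_lifetime=(datetime.min, feb_8)),
        Key(20, "cisco2", send_lifetime=(feb_1, datetime.max),
            accept_lifetime=(feb_1, datetime.max)),
    ]
    r3 = KeyChain("EIGRP", shared)
    r2 = KeyChain("EIGRP", shared)
    payload = b"EIGRP HELLO AS 10"  # constructed placeholder for the Hello bytes
    results = {}

    jan = datetime(2024, 1, 15)
    hello = build_hello(r3, payload, jan)
    results["jan_key"] = hello["key_id"]  # lowest valid key: 10
    results["jan_ok"] = verify_hello(r2, hello, jan)

    feb = datetime(2024, 2, 3)
    hello = build_hello(r3, payload, feb)
    results["feb_key"] = hello["key_id"]  # key 10 no longer sendable: 20
    results["feb_ok"] = verify_hello(r2, hello, feb)

    # R2's clock five days slow: key 20's accept-lifetime has not started there.
    results["skew_ok"] = verify_hello(r2, hello, feb - timedelta(days=5))

    # Trailing space in R2's key-string: different key, digest mismatch.
    r2_typo = KeyChain("EIGRP", [Key(10, "cisco ")])
    hello = build_hello(r3, payload, jan)
    results["whitespace_ok"] = verify_hello(r2_typo, hello, jan)
    return results
```

The overlap between key 10's send-lifetime ending and its accept-lifetime ending is the point of the rotation: it is the window that lets a neighbour still on the old key be accepted, but only if both clocks agree on where they are in that window, which is why the notes insist on NTP.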