2. EIGRP authentication

The document discusses EIGRP (Enhanced Interior Gateway Routing Protocol) packet authentication, focusing on MD5 authentication methods. It outlines the configuration steps for setting up MD5 authentication on routers, including defining key chains and keys, and troubleshooting common issues. Additionally, it emphasizes the importance of verifying connectivity between routers before configuring authentication.

Uploaded by dj65crs

EIGRP and packet authentication

CCNA2 – Routing Protocols and Concepts

BSCI 2 - 4 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 1
Contents
• 1. Router authentication - general overview
• 2. Ways of authenticating EIGRP packets
• 3. Configuring EIGRP MD5 authentication
• 4. Troubleshooting EIGRP authentication

Router authentication - general overview
Most routing protocols support packet authentication so that routers can verify the source of the messages they receive.
• Clear-text authentication (simple password authentication) is supported by:
IS-IS
OSPF
RIPv2

• MD5 authentication is supported by:
OSPF
RIPv2
BGP
EIGRP

Simple Password vs. MD5 Authentication
• Clear-text authentication (simple password authentication):
The router sends the packet together with the password (key).
The neighbouring router checks whether the password received in the packet is correct.
The password (key) is transmitted in clear text.

• MD5 authentication
A key (password) and a key-id are configured on the routers; the router generates a hash (message digest) per packet, computed over the key, the key-id and the message (packet). (HMAC)
Each packet is sent with its own hash, but without the key!
Secure method!

EIGRP authentication
• EIGRP supports MD5 authentication.
• Each router generates a hash for every packet it sends and verifies every packet it receives.
• A key (password) and a key-id are configured on all routers; every router must have the same key configured.
• If received EIGRP packets cannot be validated, the router does not add the neighbour to its neighbor table and will not process the information received.

EIGRP MD5 authentication
• EIGRP uses key chains for key management.
• Several passwords can be defined within a key chain, each identified by a key-id.
• The first valid, active key, in ascending key-id order, is the one used.

Configuration
• Define a key chain and enter the key-chain submode
Router(config)#
key chain NAME

• Define a key-id and enter the key-id submode
Router(config-keychain)#
key <0-2147483647>

Configuration
• Configure the key (password)
Router(config-keychain-key)#
key-string password

• Optionally, specify the time interval during which the key is used for received/sent packets
Router(config-keychain-key)#
accept-lifetime start-time {infinite | end-time | duration seconds}
send-lifetime start-time {infinite | end-time | duration seconds}
Configuration
• Enable authentication on the interface.
Router(config-if)#
ip authentication mode eigrp AS-NUMBER md5

• Specify the key chain to be used.
Router(config-if)#
ip authentication key-chain eigrp AS-NUMBER key-chain-name

Example

Configuration on R1
<output omitted>
key chain chainR1
key 1
key-string primacheie
accept-lifetime 18:00:00 Mar 22 2011 infinite
send-lifetime 18:00:00 Mar 22 2011 18:01:00 Mar 22 2011
key 2
key-string adouacheie
accept-lifetime 18:00:00 Mar 22 2011 infinite
send-lifetime 18:00:00 Mar 22 2011 infinite
<output omitted>
interface FastEthernet0/0
ip address 172.16.1.1 255.255.255.0
!
interface Serial0/0/1
bandwidth 64
ip address 192.168.1.101 255.255.255.224
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 chainR1
!
router eigrp 100
network 172.16.1.0 0.0.0.255
network 192.168.1.0
auto-summary

Configuration on R2
<output omitted>
key chain chainR2
key 1
key-string primacheie
accept-lifetime 18:00:00 Mar 22 2011 infinite
send-lifetime 18:00:00 Mar 22 2011 infinite
key 2
key-string adouacheie
accept-lifetime 18:00:00 Mar 22 2011 infinite
send-lifetime 18:00:00 Mar 22 2011 infinite
<output omitted>
interface FastEthernet0/0
ip address 172.17.2.2 255.255.255.0
!
interface Serial0/0/1
bandwidth 64
ip address 192.168.1.102 255.255.255.224
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 chainR2
!
router eigrp 100
network 172.17.2.0 0.0.0.255
network 192.168.1.0
auto-summary

Connectivity check
R1#
*Jan 21 16:23:30.517: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor
192.168.1.102 (Serial0/0/1) is up: new adjacency

R1#show ip eigrp neighbors
IP-EIGRP neighbors for process 100
H Address Interface Hold Uptime SRTT RTO Q Seq
0 192.168.1.102 Se0/0/1 12 00:03:10 17 2280 0 14

R1#show ip route
<output omitted>
Gateway of last resort is not set
D 172.17.0.0/16 [90/40514560] via 192.168.1.102, 00:02:22, Serial0/0/1
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
D 172.16.0.0/16 is a summary, 00:31:31, Null0
C 172.16.1.0/24 is directly connected, FastEthernet0/0
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.96/27 is directly connected, Serial0/0/1
D 192.168.1.0/24 is a summary, 00:31:31, Null0
R1#ping 172.17.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/16 ms

Troubleshooting
R1#debug eigrp packets
EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY,
SIAREPLY)
*Mar 22 18:18:51.745: EIGRP: received packet with MD5 authentication, key id = 1
*Mar 22 18:18:51.745: EIGRP: Received HELLO on Serial0/0/1 nbr 192.168.1.102
*Mar 22 18:18:51.745: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 pe
erQ un/rely 0/0

R2#debug eigrp packets
EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY,
SIAREPLY)
R2#
*Mar 22 18:18:38.321: EIGRP: received packet with MD5 authentication, key id = 2
*Mar 22 18:18:38.321: EIGRP: Received HELLO on Serial0/0/1 nbr 192.168.1.101
*Mar 22 18:18:38.321: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 pe
erQ un/rely 0/0

Troubleshooting
MD5 authentication works between R1 and R2 until the moment key 2 on R1 is changed.
R1(config-if)#key chain chainR1
R1(config-keychain)#key 2
R1(config-keychain-key)#key-string altacheie

R2#debug eigrp packets
EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY,
SIAREPLY)
R2#
*Mar 22 18:20:18.749: EIGRP: pkt key id = 2, authentication mismatch
*Mar 22 18:20:18.749: EIGRP: Serial0/0/1: ignored packet from 192.168.1.101, opc
ode = 5 (invalid authentication)
*Mar 22 18:20:18.749: EIGRP: Dropping peer, invalid authentication
*Mar 22 18:20:18.749: EIGRP: Sending HELLO on Serial0/0/1
*Mar 22 18:20:18.749: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Mar 22 18:20:18.753: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.101
(Serial0/0/1) is down: Auth failure

R2#show ip eigrp neighbors
IP-EIGRP neighbors for process 100
R2#
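The key-chain selection rule (first valid, active key in ascending key-id order) and the authentication mismatch shown in the debug output above, modelled as an added Python example that is not part of the slides: chainR1 and chainR2 are built as configured on R1 and R2, R1's key 1 send-lifetime has expired so R1 signs with key id 2 while R2 still signs with key id 1, and changing R1's key 2 to altacheie makes R2 reject R1's packets. The digest is an illustrative HMAC-MD5 over key-id and packet, not Cisco's exact wire-format computation; the hello payload and the timestamps are constructed sample values.

```python
import hashlib
import hmac
from datetime import datetime

def key(key_string, accept_start, send_start, send_end=None):
    # One key-chain entry; end=None models the 'infinite' keyword (every accept-lifetime on the slides is infinite)
    return {"string": key_string.encode(), "accept": (accept_start, None), "send": (send_start, send_end)}

def active(entry, which, now):
    start, end = entry[which]
    return start <= now and (end is None or now <= end)

def send_key(chain, now):
    # EIGRP uses the first valid, active key in ascending key-id order
    for key_id in sorted(chain):
        if active(chain[key_id], "send", now):
            return key_id, chain[key_id]["string"]
    raise LookupError("no active send key")

def digest(key_string, key_id, packet):
    # Keyed hash over key-id and packet; the key itself never goes on the wire
    return hmac.new(key_string, key_id.to_bytes(4, "big") + packet, hashlib.md5).digest()

def send(chain, packet, now):
    key_id, key_string = send_key(chain, now)
    return {"key_id": key_id, "digest": digest(key_string, key_id, packet), "packet": packet}

def receive(chain, frame, now):
    entry = chain.get(frame["key_id"])
    if entry is None or not active(entry, "accept", now):
        return "ignored: no accept key for key id %d" % frame["key_id"]
    if not hmac.compare_digest(digest(entry["string"], frame["key_id"], frame["packet"]), frame["digest"]):
        return "pkt key id = %d, authentication mismatch" % frame["key_id"]
    return "ok"

def scenario():
    # Key chains chainR1/chainR2 as on the slides; all lifetimes start 18:00:00 Mar 22 2011
    t0 = datetime(2011, 3, 22, 18, 0, 0)
    r1 = {1: key("primacheie", t0, t0, datetime(2011, 3, 22, 18, 1, 0)),  # send-lifetime ends 18:01
          2: key("adouacheie", t0, t0)}
    r2 = {1: key("primacheie", t0, t0), 2: key("adouacheie", t0, t0)}
    hello, now = b"EIGRP HELLO AS100", datetime(2011, 3, 22, 18, 18, 38)  # constructed sample
    r2_to_r1, r1_to_r2 = send(r2, hello, now), send(r1, hello, now)
    before = (r2_to_r1["key_id"], receive(r1, r2_to_r1, now),
              r1_to_r2["key_id"], receive(r2, r1_to_r2, now))
    r1[2]["string"] = b"altacheie"  # 'key-string altacheie' applied to key 2 on R1 only
    after = receive(r2, send(r1, hello, now), now)
    return before, after
```

scenario() returns ((1, "ok", 2, "ok"), "pkt key id = 2, authentication mismatch"): R2 still sends key id 1, R1 sends key id 2, and after the change R2 drops R1's packets exactly as the debug output shows.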
Lab

• Always verify connectivity between the routers before configuring EIGRP MD5 authentication!

Resources
• http://www.cisco.com/en/US/tech/tk365/technologies_tech_no
• http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/pro
• http://www.cisco.com/en/US/tech/tk365/technologies_tech_no

Questions?
