《Configuring EIGRP Authentication》由会员分享,可在线阅读,更多相关《Configuring EIGRP Authentication(32页珍藏版)》请在金锄头文库上搜索。
1、Configuring EIGRP,Configuring EIGRP Authentication,Router Authentication,Many routing protocols support authentication such that a router authenticates the source of each routing update packet that it receives.Simple password authentication is supported by:IS-IS OSPF RIPv2 MD5 authentication is supp
2、orted by:OSPF RIPv2BGPEIGRP,Simple Password vs. MD5 Authentication,Simple password authentication:Router sends packet and key.Neighbor checks whether key matches its key.Process not secure.MD5 authentication: Configure a key (password) and key ID; router generates a message digest, or hash, of the k
3、ey, key ID and message.Message digest is sent with packet; key is not sent.Process OS secure.,EIGRP MD5 Authentication,EIGRP supports MD5 authentication.Router generates and checks every EIGRP packet. Router authenticates the source of each routing update packet that it receives.Configure a key (pas
4、sword) and key ID; each participating neighbor must have same key configured.,MD5 Authentication,EIGRP MD5 authentication: Router generates a message digest, or hash, of the key, key ID, and message.EIGRP allows keys to be managed using key chains.Specify key ID (number), key, and lifetime of key.Fi
5、rst valid activated key, in order of key numbers, is used.,Configuring EIGRP MD5 Authentication,ip authentication mode eigrp autonomous-system md5,Router(config-if)#,Specifies MD5 authentication for EIGRP packets,Router(config-if)#,ip authentication key-chain eigrp autonomous-system name-of-chain,En
6、ables authentication of EIGRP packets using key in the keychain,Configuring EIGRP MD5 Authentication (Cont.),key chain name-of-chain,Router(config)#,Enters configuration mode for the keychain,Router(config-keychain)#,key key-id,Identifies key and enters configuration mode for the keyid,Configuring E
7、IGRP MD5 Authentication (Cont.),Router(config-keychain-key)#,key-string text,Identifies key string (password),Router(config-keychain-key)#,accept-lifetime start-time infinite | end-time | duration seconds,Optional: Specifies when key will be accepted for received packets,Router(config-keychain-key)#
8、,send-lifetime start-time infinite | end-time | duration seconds,Optional: Specifies when key can be used for sending packets,Example MD5 Authentication Configuration,R1 Configuration for MD5 Authentication, key chain R1chain key 1 key-string firstkey accept-lifetime 04:00:00 Jan 1 2006 infinite sen
9、d-lifetime 04:00:00 Jan 1 2006 04:01:00 Jan 1 2006 key 2 key-string secondkey accept-lifetime 04:00:00 Jan 1 2006 infinite send-lifetime 04:00:00 Jan 1 2006 infinite interface FastEthernet0/0 ip address 172.16.1.1 255.255.255.0!interface Serial0/0/1 bandwidth 64 ip address 192.168.1.101 255.255.255.
10、224 ip authentication mode eigrp 100 md5 ip authentication key-chain eigrp 100 R1chain!router eigrp 100 network 172.16.1.0 0.0.0.255 network 192.168.1.0 auto-summary,R2 Configuration for MD5 Authentication, key chain R2chain key 1 key-string firstkey accept-lifetime 04:00:00 Jan 1 2006 infinite send
11、-lifetime 04:00:00 Jan 1 2006 infinite key 2 key-string secondkey accept-lifetime 04:00:00 Jan 1 2006 infinite send-lifetime 04:00:00 Jan 1 2006 infinite interface FastEthernet0/0 ip address 172.17.2.2 255.255.255.0 !interface Serial0/0/1 bandwidth 64 ip address 192.168.1.102 255.255.255.224 ip auth
12、entication mode eigrp 100 md5 ip authentication key-chain eigrp 100 R2chain!router eigrp 100 network 172.17.2.0 0.0.0.255 network 192.168.1.0 auto-summary,Verifying MD5 Authentication,R1#*Jan 21 16:23:30.517: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.102 (Serial0/0/1) is up: new adjacen
13、cyR1#show ip eigrp neighborsIP-EIGRP neighbors for process 100H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num0 192.168.1.102 Se0/0/1 12 00:03:10 17 2280 0 14R1#show ip routeGateway of last resort is not setD 172.17.0.0/16 90/40514560 via 192.168.1.102, 00:02:22, Serial0/0/1 172.16.
14、0.0/16 is variably subnetted, 2 subnets, 2 masksD 172.16.0.0/16 is a summary, 00:31:31, Null0C 172.16.1.0/24 is directly connected, FastEthernet0/0 192.168.1.0/24 is variably subnetted, 2 subnets, 2 masksC 192.168.1.96/27 is directly connected, Serial0/0/1D 192.168.1.0/24 is a summary, 00:31:31, Nul
15、l0R1#ping 172.17.2.2Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 172.17.2.2, timeout is 2 seconds:!Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/16 ms,Troubleshooting MD5 Authentication,R1#debug eigrp packetsEIGRP Packets debugging is on (UPDATE, REQUEST, QUERY
16、, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)*Jan 21 16:38:51.745: EIGRP: received packet with MD5 authentication, key id = 1*Jan 21 16:38:51.745: EIGRP: Received HELLO on Serial0/0/1 nbr 192.168.1.102*Jan 21 16:38:51.745: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ u
17、n/rely 0/0R2#debug eigrp packetsEIGRP Packets debugging is on (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)R2#*Jan 21 16:38:38.321: EIGRP: received packet with MD5 authentication, key id = 2*Jan 21 16:38:38.321: EIGRP: Received HELLO on Serial0/0/1 nbr 192.168.1.101*Jan 21 16:38:38.321: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0,
