Configuring EIGRPObjectivesPurpose of this LessonRouter AuthenticationSimple Password vs. MD5 AuthenticationEIGRP MD5 AuthenticationMD5 AuthenticationConfiguring EIGRP MD5 AuthenticationConfiguring EIGRP MD5 Authentication (cont.)Slide 10Example MD5 Authentication ConfigurationR1 Configuration for MD5 AuthenticationR2 Configuration for MD5 AuthenticationVerifying MD5 AuthenticationTroubleshooting MD5 AuthenticationTroubleshooting MD5 Authentication ProblemSummaryActivitySelf CheckResourcesQ and ASlide 22© 2006 Cisco Systems, Inc. All rights reserved. Cisco PublicBSCI 2 - 41Configuring EIGRPBSCI Module 2-4 – Configuring EIGRP Authentication© 2006 Cisco Systems, Inc. All rights reserved. Cisco PublicBSCI 2 - 42ObjectivesUpon completing this lesson, you will be able to implement authentication in an EIGRP network. This ability includes being able to meet these objectives: Describe router authentication Describe the MD5 authentication used in EIGRP Configure MD5 authentication Troubleshoot MD5 authentication© 2006 Cisco Systems, Inc. All rights reserved. Cisco PublicBSCI 2 - 43Purpose of this LessonCoverage of topics new to the “EIGRP” module of BSCI.What’s new in this module?EIGRP Message Digest 5 (MD5) authentication and how to configure and troubleshoot it.© 2006 Cisco Systems, Inc. All rights reserved. Cisco PublicBSCI 2 - 44Router AuthenticationMany routing protocols support authentication such that a router authenticates the source of each routing update packet that it receives. Simple password authentication is supported by:IS-IS OSPFRIPv2  MD5 authentication is supported by:OSPFRIPv2BGPEIGRP© 2006 Cisco Systems, Inc. All rights reserved. Cisco PublicBSCI 2 - 45Simple Password vs. MD5 AuthenticationSimple password authentication:Router sends packet and key.Neighbor checks if received key matches its key.Not secure.MD5 authenticationConfigure a “key” (password) and key-id; router generates a message digest, or hash, of the key, key-id and message.Message digest is sent with packet; key is not sent.Secure.© 2006 Cisco Systems, Inc. All rights reserved. Cisco PublicBSCI 2 - 46EIGRP MD5 AuthenticationEIGRP supports MD5 authentication.Router generates and checks every EIGRP packet. Router authenticates the source of each routing update packet that it receives.Configure a “key” (password) and key-id; each participating neighbor must have same key configured.© 2006 Cisco Systems, Inc. All rights reserved. Cisco PublicBSCI 2 - 47MD5 AuthenticationEIGRP MD5 authentication:Router generates a message digest, or hash, of the key, key-id, and message.EIGRP allows keys to be managed using key chains.Specify key-id (number, key, and lifetime of key).First valid activated key, in order of key numbers, is used.© 2006 Cisco Systems, Inc. All rights reserved. Cisco PublicBSCI 2 - 48Configuring EIGRP MD5 Authenticationip authentication mode eigrp autonomous-system md5Router(config-if)#Specifies MD5 authentication for EIGRP packetsRouter(config-if)#ip authentication key-chain eigrp autonomous-system name-of-chain Enables authentication of EIGRP packets using key in the key-chain© 2006 Cisco Systems, Inc. All rights reserved. Cisco PublicBSCI 2 - 49Configuring EIGRP MD5 Authentication (cont.)key chain name-of-chainRouter(config)#Enters configuration mode for the key-chainRouter(config-keychain)#key key-id Identifies key and enters configuration mode for the key-id© 2006 Cisco Systems, Inc. All rights reserved. Cisco PublicBSCI 2 - 410Configuring EIGRP MD5 Authentication (cont.)Router(config-keychain-key)#key-string textIdentifies key string (password)Router(config-keychain-key)#accept-lifetime start-time {infinite | end-time | duration seconds} Optional: specifies when key will be accepted for received packetsRouter(config-keychain-key)#send-lifetime start-time {infinite | end-time | duration seconds} Optional: specifies when key can be used for sending packets© 2006 Cisco Systems, Inc. All rights reserved. Cisco PublicBSCI 2 - 411Example MD5 Authentication Configuration© 2006 Cisco Systems, Inc. All rights reserved. Cisco PublicBSCI 2 - 412R1 Configuration for MD5 Authentication<output omitted> key chain R1chain key 1 key-string firstkey accept-lifetime 04:00:00 Jan 1 2006 infinite send-lifetime 04:00:00 Jan 1 2006 04:01:00 Jan 1 2006 key 2 key-string secondkey accept-lifetime 04:00:00 Jan 1 2006 infinite send-lifetime 04:00:00 Jan 1 2006 infinite<output omitted> interface FastEthernet0/0 ip address 172.16.1.1 255.255.255.0!interface Serial0/0/1 bandwidth 64 ip address 192.168.1.101 255.255.255.224 ip authentication mode eigrp 100 md5 ip authentication key-chain eigrp 100 R1chain!router eigrp 100 network 172.16.1.0 0.0.0.255 network 192.168.1.0 auto-summary© 2006 Cisco Systems, Inc. All rights reserved. Cisco PublicBSCI 2 - 413R2 Configuration for MD5 Authentication<output omitted> key chain R2chain key 1 key-string firstkey accept-lifetime 04:00:00 Jan 1 2006 infinite send-lifetime 04:00:00 Jan 1 2006 infinite key 2 key-string secondkey accept-lifetime 04:00:00 Jan 1 2006 infinite send-lifetime 04:00:00 Jan 1 2006 infinite <output omitted> interface FastEthernet0/0 ip address 172.17.2.2 255.255.255.0 !interface Serial0/0/1 bandwidth 64 ip address 192.168.1.102 255.255.255.224 ip authentication mode eigrp 100 md5 ip authentication key-chain eigrp 100 R2chain!router eigrp 100 network 172.17.2.0 0.0.0.255 network 192.168.1.0 auto-summary© 2006 Cisco Systems, Inc. All rights reserved. Cisco PublicBSCI 2 - 414Verifying MD5 AuthenticationR1#*Jan 21 16:23:30.517: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.102 (Serial0/0/1) is up: new adjacencyR1#show ip eigrp neighborsIP-EIGRP neighbors for process 100H Address Interface Hold Uptime SRTT RTO Q Seq0 192.168.1.102 Se0/0/1 12 00:03:10 17 2280 0 14R1#show ip route<output omitted>Gateway of last resort is not setD 172.17.0.0/16 [90/40514560] via 192.168.1.102, 00:02:22, Serial0/0/1 172.16.0.0/16 is variably subnetted, 2 subnets, 2 masksD 172.16.0.0/16 is a summary, 00:31:31, Null0C 172.16.1.0/24 is directly connected, FastEthernet0/0 192.168.1.0/24 is variably subnetted, 2 subnets, 2 masksC 192.168.1.96/27 is directly connected, Serial0/0/1D 192.168.1.0/24 is a summary, 00:31:31, Null0R1#ping 172.17.2.2Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to