When you earned your CCNA, you thought you learned everything there is to know about RIP. Close, but not quite! There are some additional details you need to know to pass the BSCI exam and get one step closer to the CCNP exam, and one of those involves RIP update packet authentication.
You're familiar with some advantages of using RIPv2 over RIPv1, support for VLSM chief among them. But one advantage that you're not introduced to in your CCNA studies is the ability to configure routing update packet authentication.
You have two options, clear text and MD5. Clear text is just that - a clear text password that is visible by anyone who can pick a packet off the wire. If you're going to go to the trouble of configuring update authentication, you should use MD5. The MD stands for "Message Digest", and this is the algorithm that produces the hash value for the password that will be contained in the update packets.
Not only must the routers agree on the password, they must agree on the authentication method. If one router sends an MD5-hashed password to another router that is configured for clear-text authentication, the update will not be accepted. debug ip rip is a great command for troubleshooting authenticated updates.
R1, R2, and R3 are running RIP over a frame relay cloud. Here is how RIP authentication would be configured on these three routers.
R1#conf t
R1(config)#key chain RIP
< The key chain can have any name. >
R1(config-keychain)#key 1
< Key chains can have multiple keys. Number them carefully when using multiples. >
R1(config-keychain-key)#key-string CISCO
< This is the text string the key will use for authentication. >
R1(config)#int s0
R1(config-if)#ip rip authentication mode text
< The interface will use clear-text mode. >
R1(config-if)#ip rip authentication key-chain RIP
< The interface is using key chain RIP, configured earlier. >
R2#conf t
R2(config)#key chain RIP
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string CISCO
R2(config)#int s0.123
R2(config-subif)#ip rip authentication mode text
R2(config-subif)#ip rip authentication key-chain RIP
R3#conf t
R3(config)#key chain RIP
R3(config-keychain)#key 1
R3(config-keychain-key)#key-string CISCO
R3(config)#int s0.31
R3(config-subif)#ip rip authentication mode text
R3(config-subif)#ip rip authentication key-chain RIP
To use MD5 authentication rather than clear-text, simply replace the word "text" in the ip rip authentication mode command with md5.
Here's what a successfully authentication RIPv2 packet looks like, courtesy of debug ip rip. Clear-text authentication is in effect and the password is "cisco".
3d04h: RIP: received packet with text authentication cisco
3d04h: RIP: received v2 update from 150.1.1.3 on Ethernet0
3d04h: 100.0.0.0/8 via 0.0.0.0 in 1 hops
3d04h: 150.1.2.0/24 via 0.0.0.0 in 1 hops
Here's what it looks like when the remote device is set for MD5 authentication and the local router is set for clear-text. You'll also see this message if the password itself is incorrect.
3d04h: RIP: ignored v2 packet from 150.1.1.3 (invalid authentication)
"Debug ip rip" may be a simple command as compared to the debugs for other protocols. but it's also a very powerful debug. Start using debugs as early as possible in your Cisco studies to learn how router commands really work!
Showing posts with label authentication. Show all posts
Showing posts with label authentication. Show all posts
Thursday, December 25, 2008
Cisco CCNP / BSCI Certification Exam: Five OSPF Details You Must Know
Preparing for your BSCI exam on your way to the Cisco CCNP certification, you can quickly get overwhelmed by the details! Here are five commonly overlooked points you should keep in mind when it comes to your OSPF studies.
The virtual link command includes the area number of the transit area, and if authentication is being used on Area 0, the virtual link command must include the authentication statement. Since the virtual link is a logical extension of Area 0, it stands to reason that it has to be configured with the authentication type and password configured on Area 0.
OSPF requires no seed metric when routes are being redistributed into an OSPF domain. The default cost for such routes is 20, but you do need to use the "subnets" option if you want to redistribute subnets into OSPF.
There are two kinds of external OSPF routes. The default, E2, reflects the cost of the path from the ASBR to the external destination. The other option, E1, has a cost reflecting the entire path from the local router to the external destination.
When configuring stub areas, each router in the area must agree that the area is stub. For a total stub area, only the ABR needs to be configured with the "no-summary" option, but all routers in the area still must agree that the area is stub.
Routers in a stub area will have a default route to use to reach external destinations; routers in total stub areas will have a default route to use in order to reach both external and inter-area networks.
The BSCI exam and CCNP certification require a great deal of dedication and hard work. Keep studying and paying attention to the details, and you will get there!
The virtual link command includes the area number of the transit area, and if authentication is being used on Area 0, the virtual link command must include the authentication statement. Since the virtual link is a logical extension of Area 0, it stands to reason that it has to be configured with the authentication type and password configured on Area 0.
OSPF requires no seed metric when routes are being redistributed into an OSPF domain. The default cost for such routes is 20, but you do need to use the "subnets" option if you want to redistribute subnets into OSPF.
There are two kinds of external OSPF routes. The default, E2, reflects the cost of the path from the ASBR to the external destination. The other option, E1, has a cost reflecting the entire path from the local router to the external destination.
When configuring stub areas, each router in the area must agree that the area is stub. For a total stub area, only the ABR needs to be configured with the "no-summary" option, but all routers in the area still must agree that the area is stub.
Routers in a stub area will have a default route to use to reach external destinations; routers in total stub areas will have a default route to use in order to reach both external and inter-area networks.
The BSCI exam and CCNP certification require a great deal of dedication and hard work. Keep studying and paying attention to the details, and you will get there!
Cisco CCNP / BCSI Exam Tutorial: Configuring EIGRP Packet
Configuring RIPv2 and EIGRP authentication with key chains can be tricky at first, and the syntax isn't exactly easy to remember. But for BSCI and CCNP exam success, we've got to be able to perform this task.
In a previous tutorial, we saw how to configure RIPv2 packet authentication, with both clear-text and MD5 authentication schemes. EIGRP authentication is much the same, and has the text and MD5 authentication options as well. But EIGRP being EIGRP, the command just has to be a little more detailed!
As with RIPv2, the authentication mode must be agreed upon by the EIGRP neighbors. If one router's interface is configured for MD5 authentication and the remote router's interface is configured for text authentication, the adjacency will fail even if the two interfaces in question are configured to use the same password.
We'll now configure link authentication on the adjacency over an Ethernet segment. Below, you'll see how to configure a key chain called EIGRP on both routers, use key number 1, and use the key-string BSCI. Run show key chain on a router to see all key chains.
R2(config)#key chain EIGRP
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string BSCI
R2#show key chain
Key-chain EIGRP:
key 1 -- text "BSCI"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
R3(config)#key chain EIGRP
R3(config-keychain)#key 1
R3(config-keychain-key)#key-string BSCI
R3#show key chain
Key-chain EIGRP:
key 1 -- text "BSCI"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
The EIGRP command to apply the key chain is a bit of a pain to remember, because the protocol and AS number is identified in the middle of the command, not the beginning. Also note that two commands are needed - one to name the key chain, another to define the authentication mode in use.
R2(config)#interface ethernet0
R2(config-if)#ip authentication key-chain eigrp 100 EIGRP
R2(config-if)#ip authentication mode eigrp 100 md5
5d07h: %DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 172.12.23.3 (Ethernet0) is down: keychain changed
R3(config)#interface ethernet0
R3(config-if)#ip authentication key-chain eigrp 100 EIGRP
R3(config-if)#ip authentication mode eigrp 100 md5
5d07h: %DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 172.12.23.2 (Ethernet0) is up:
As with RIPv2, the existing adjacency was torn down when one side was configured with authentication. If the key chain is correctly defined and applied on both sides, the adjacency will come back up. Always run show ip eigrp neighbor to make sure the adjacency is present. Learn the details of EIGRP key chains by configuring them on your home lab equipment, and you'll be more than ready for BSCI exam success!
In a previous tutorial, we saw how to configure RIPv2 packet authentication, with both clear-text and MD5 authentication schemes. EIGRP authentication is much the same, and has the text and MD5 authentication options as well. But EIGRP being EIGRP, the command just has to be a little more detailed!
As with RIPv2, the authentication mode must be agreed upon by the EIGRP neighbors. If one router's interface is configured for MD5 authentication and the remote router's interface is configured for text authentication, the adjacency will fail even if the two interfaces in question are configured to use the same password.
We'll now configure link authentication on the adjacency over an Ethernet segment. Below, you'll see how to configure a key chain called EIGRP on both routers, use key number 1, and use the key-string BSCI. Run show key chain on a router to see all key chains.
R2(config)#key chain EIGRP
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string BSCI
R2#show key chain
Key-chain EIGRP:
key 1 -- text "BSCI"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
R3(config)#key chain EIGRP
R3(config-keychain)#key 1
R3(config-keychain-key)#key-string BSCI
R3#show key chain
Key-chain EIGRP:
key 1 -- text "BSCI"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
The EIGRP command to apply the key chain is a bit of a pain to remember, because the protocol and AS number is identified in the middle of the command, not the beginning. Also note that two commands are needed - one to name the key chain, another to define the authentication mode in use.
R2(config)#interface ethernet0
R2(config-if)#ip authentication key-chain eigrp 100 EIGRP
R2(config-if)#ip authentication mode eigrp 100 md5
5d07h: %DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 172.12.23.3 (Ethernet0) is down: keychain changed
R3(config)#interface ethernet0
R3(config-if)#ip authentication key-chain eigrp 100 EIGRP
R3(config-if)#ip authentication mode eigrp 100 md5
5d07h: %DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 172.12.23.2 (Ethernet0) is up:
As with RIPv2, the existing adjacency was torn down when one side was configured with authentication. If the key chain is correctly defined and applied on both sides, the adjacency will come back up. Always run show ip eigrp neighbor to make sure the adjacency is present. Learn the details of EIGRP key chains by configuring them on your home lab equipment, and you'll be more than ready for BSCI exam success!
Wednesday, December 24, 2008
Cisco CCNA Certification Exam Tutorial: Port-Based Authentication
To pass your CCNA exam and earn this coveted certification, you must understand the details of port-based authentication. This knowledge has a great deal of value in production networks as well, since this authentication scheme is regularly implemented. Let's take a look at this particular CCNA skill.
Consider a situation where you have a server that will be connected to your switch, and you want the port to shut down if a device with a different MAC address that that of the switch attempts to connect to that port. You could also have a situation where you have someone who has a connection to a switch port in his office, and he wants to make sure that only his laptop can use that port.
Both of these examples are real-world situations, and there are two solutions for each. First, we could create a static MAC entry for that particular switch port. I don't recommend this, mainly because both you and I have better things to do than manage static MAC entries. The better solution is to configure port-based authentication on the switch.
The Cisco switch uses MAC addresses to enforce port security. With port security, only devices with certain MAC addresses can connect to the port successfully. This is another reason source MACs are looked at before the destination MAC is examined. If the source MAC is non-secure and port-based authentication is in effect, the destination does not matter, as the frame will not be forwarded. In essence, the source MAC address serves as the password.
MAC addresses that are allowed to successfully communicate with the switch port are secure MAC addresses. The default number of secure MAC addresses is 1, but a maximum of 132 secure MACs can be configured.
When a non-secure MAC address attempts to communicate with the switch port, one of three actions will occur, depending on the port security mode. In Protect mode, frames with non-secure MAC addresses are dropped. There is no notification that a violation has occurred. The port will continue to switch frames for the secure MAC address.
In Restrict mode, the same action is taken, but a syslog message is logged via SNMP, which is a messaging protocol used by Cisco routers.
In Shutdown mode, the interface goes into error-disabled state, the port LED will go out, and a syslog message is logged. The port has to be manually reopened. Shutdown mode is the default port-security mode.
Port-based authentication is just one of the many switching skills you'll have to demonstrate to earn your CCNA certification. Make sure you know the basics shown here, including the action of each particular mode, and you're on your way to CCNA exam success!
Consider a situation where you have a server that will be connected to your switch, and you want the port to shut down if a device with a different MAC address that that of the switch attempts to connect to that port. You could also have a situation where you have someone who has a connection to a switch port in his office, and he wants to make sure that only his laptop can use that port.
Both of these examples are real-world situations, and there are two solutions for each. First, we could create a static MAC entry for that particular switch port. I don't recommend this, mainly because both you and I have better things to do than manage static MAC entries. The better solution is to configure port-based authentication on the switch.
The Cisco switch uses MAC addresses to enforce port security. With port security, only devices with certain MAC addresses can connect to the port successfully. This is another reason source MACs are looked at before the destination MAC is examined. If the source MAC is non-secure and port-based authentication is in effect, the destination does not matter, as the frame will not be forwarded. In essence, the source MAC address serves as the password.
MAC addresses that are allowed to successfully communicate with the switch port are secure MAC addresses. The default number of secure MAC addresses is 1, but a maximum of 132 secure MACs can be configured.
When a non-secure MAC address attempts to communicate with the switch port, one of three actions will occur, depending on the port security mode. In Protect mode, frames with non-secure MAC addresses are dropped. There is no notification that a violation has occurred. The port will continue to switch frames for the secure MAC address.
In Restrict mode, the same action is taken, but a syslog message is logged via SNMP, which is a messaging protocol used by Cisco routers.
In Shutdown mode, the interface goes into error-disabled state, the port LED will go out, and a syslog message is logged. The port has to be manually reopened. Shutdown mode is the default port-security mode.
Port-based authentication is just one of the many switching skills you'll have to demonstrate to earn your CCNA certification. Make sure you know the basics shown here, including the action of each particular mode, and you're on your way to CCNA exam success!
Subscribe to:
Posts (Atom)
