In this video, we're going to discuss EIGRP Authentication. We'll talk about what EIGRP Authentication is used for, the basics of how it works, some of the best practices, and we'll also move on to a lab where we'll actually set it up in a very simple topology. I've got two routers set up, and we'll set Authentication and see what happens when it's misconfigured and when the times are wrong and all kinds of neat stuff. And anyway, why would you want to use EIGRP Authentication? The same reason you'd use Authentication in any type of network environment, and that's security. It's so random routers can't associate with your network and pull route table information. You may be thinking, well big deal, so a router comes up and gets plugged in under someone's desk and they pull my entire routing table into their routing table and now they can see all of the routes on my network. Well big deal. Well it might be a big deal; you might not want your average end users knowing about some of those subnets. Say that some of those subnets are in a DMZ, or they're your enterprise data warehouse, or a development lab, or something that you just don't want your end users to know about. Well if you let just any router pull in the route table, then those little secret networks become visible for them to see. Also this router could pull what's called a man in the middle attack. It can inject a bogus route into your network and force all of the traffic to come through him so that he can then siphon it off and poke through it with a packet analyzer and pull out usernames and passwords if they're transmitted in plain text or something like that. Now of course this isn't a security course and I'll leave it up to the reader to figure out how to secure their own network, but suffice it to say, if you have a good secured network, then random routers just can't do things to your network.
They could bring down the entire network by injecting a default route that goes nowhere, and you know, that's propagated out through EIGRP and suddenly your entire WAN just stops working. That's kind of a bad thing; I found that out from experience. So how does EIGRP Authentication work? Well, EIGRP Authentication uses MD5 security. Each routing update is authenticated with the MD5 key; the key is basically stuck into the routing update packet. That authenticated packet is then sent out to the neighbors via Multicast or manual neighbor statements or however you've got it configured, and unless this MD5 key matches, the EIGRP adjacency will not establish. We'll see that in the lab when we've got one half of the network set up to send EIGRP authenticated updates. The second router will say, well, he's sending authenticated updates, I don't have the update key, so I can't form a neighbor adjacency with him. So let's talk a little bit about these MD5 keys. On the router, when you're setting up EIGRP Authentication, you set up an MD5 keyring. This keyring is defined and it can contain multiple keys or it can contain one key, but it's better to have multiple keys to switch out every so often. Obviously it's best practice to let this key expire, although you can set an individual key to say, I want you to use this key now and use it forever, going forward. Now you can probably draw a logical conclusion here and say, well, if the key can have a defined lifetime and is valid from November 1st to December 1st for example, then it's best to make sure that time is synchronized on all of your routers, via NTP or manual clock statements or however you've got it configured. NTP is the industry standard and it's probably the best. Now what happens if your time isn't synchronized on every router is that router one will say, well, here's my keyring; however, my time is set to the default time on Cisco Routers, which is May 1st, 2001, I think it is, at midnight.
Well, if you've got this key set to authenticate November 21st, 2011 through December 25th, 2011, well, it's not November 1st so I can't use this key yet. The other router has its time set properly and so it's expecting you to use the key in keyring one, and so when you send this unauthenticated update, it says, well, you're not using the right key so I'm ignoring your update. Now not only do these keys have to match in expiration date and time, and obviously the MD5 key in the keyring, but they also have to match in position. In other words, if you have an MD5 keyring that has five keys in it, then key one has to be the same on all the routers, key two has to be the same on all the routers, and so on and so forth. If you get your MD5 keys out of order, then it's just as if the key doesn't match, because the keyrings don't match. Now I think that's kind of a silly limitation; you should be able to put the keys in whatever order you want, but hey, I didn't write the Routing Protocol, Cisco did. So let's quickly talk about some of the best practices. Obviously the first and really only best practice was a line that was used by a very wise wizard: keep it secret, keep it safe. Obviously your MD5 security is not any good if a rogue attacker gets a hold of your MD5 key, because then they just configure that same keyring on their router and they're able to authenticate just as well as if there wasn't a key at all. You know, if you print it out and put it on a sticky note and stick it on the wall for everybody to see, well, what's the point? It's just like a password, which is essentially what this EIGRP Authentication is: it's a password for EIGRP. Obviously change the key out from time to time in case it does leak out, because obviously any secret can be taken away from you under the right circumstances. You have a rogue employee that gets fired and says, well, I know what the EIGRP keys are, I'm just going to, you know, post them out for everybody on the Internet to see.
Hey, who wants to see Bank of America's EIGRP Authentication information? Obviously there are legal ramifications to that and I really wouldn't recommend doing it, but it's happened. So really, keeping the key secret and safe and changing it out from time to time just to keep people on their toes are really the best practices. And that concludes our overview of EIGRP Authentication.
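The configuration the video describes (a key chain with dated lifetimes, applied to EIGRP on the link between two routers, with the clock synchronized by NTP) looks like this on Cisco IOS. This is an added example, not the course's lab configuration: the key chain name EIGRP-KEYS, autonomous system 100, interface Serial0/0, the link subnet, the NTP server address (192.0.2.10, from the documentation range) and the key strings are all assumed placeholders. R2 must carry the same key chain with the same key numbers, key strings and lifetimes, which is the "same position" requirement the video points out.

```cisco
! R1 -- constructed example configuration (not from the course).
! R2 gets an identical key chain: same key numbers, key-strings, lifetimes.
!
! Synchronize the clock first: key lifetimes are checked against the local
! clock, so a router still on its factory default time has no usable key.
ntp server 192.0.2.10
!
! Key chain name and key strings are assumed; replace the placeholders.
key chain EIGRP-KEYS
 key 1
  key-string PLACEHOLDER-KEY-1
  accept-lifetime 00:00:00 Nov 21 2011 00:00:00 Dec 31 2011
  send-lifetime 00:00:00 Nov 21 2011 00:00:00 Dec 25 2011
 key 2
  key-string PLACEHOLDER-KEY-2
  ! The accept window of key 2 overlaps the send window of key 1 (and key 1
  ! is still accepted until Dec 31) so that a few minutes of clock skew at
  ! rollover do not drop the adjacency.
  accept-lifetime 00:00:00 Dec 20 2011 infinite
  send-lifetime 00:00:00 Dec 25 2011 infinite
!
! Authentication is enabled per interface, for the EIGRP AS (100 assumed).
interface Serial0/0
 ip address 10.0.0.1 255.255.255.252
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
!
router eigrp 100
 network 10.0.0.0 0.0.0.3
```

To reproduce the failure modes from the video, check `show clock` on both routers, then `show key chain EIGRP-KEYS` to see which key is currently valid for sending and accepting on each side; if the lifetimes or key numbers disagree, `show ip eigrp neighbors` stays empty on the misconfigured link, and `debug eigrp packets` reports the ignored, unauthenticated updates. Keep the key strings out of printed configs and change them on a schedule, as the video recommends.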
| Course: | Implementing Cisco IP Routing (642-902 ROUTE) |
| Author: | Greg Dickinson |
| SKU: | 34291 |
| ISBN: | 978-1-61866-028-2 |
| Release Date: | 2011-12-28 |
| Duration: | 10 hrs / 105 lessons |
| Work Files: | Yes |
| Captions: | No |
| Compatibility: | Vista/XP/2000, OS X, Linux; QuickTime 7, Flash 8 |