CCIE Security V4 Technology Labs Section 1: System Hardening and Availability Routing Protocol Authentication with
Views 107 Downloads 2 File size 99KB
CCIE Security V4 Technology Labs Section 1: System Hardening and Availability
Routing Protocol Authentication with RIPv2 Last updated: May 3, 2013
Task RIPv2 is currently configured in your lab topology. Ensure that the routing protocol is authenticated using clear-text authentication between R1 and R3. Configure Strong Authentication for RIPv2 between R3 and R2.
Explanation and Verification To enable authentication for RIPv2 in Cisco IOS, you must first configure a key chain that defines the key for use. The key is applied on a per-interface basis in which the mode of authentication (clear text vs. MD5 authentication) is defined.
R1 Clear Text Authentication Configuration key chain RIPkey key 1 key-string cisco123 interface GigabitEthernet0/0 ip address 136.1.13.1 255.255.255.0 ip rip authentication key-chain RIPkey duplex auto speed aut
R3 Clear Text Authentication Configuration
key chain RIPkey key 1 key-string cisco123 ! interface FastEthernet0/0.13 encapsulation dot1Q 13 ip address 136.1.13.3 255.255.255.0 ip rip authentication key-chain RIPkey !
Verification To verify, use the debug ip rip command to see the updates being received with authentication applied. Use the show ip route command to verify that expected routes are appearing in the routing table.
R1 Cleartext Authentication Jan 8 18:09:44.984: RIP: received packet with text authentication cisco123 Jan 8 18:09:44.984: RIP: received v2 update from 136.1.13.3 on GigabitEthernet0/ 0 Jan 8 18:09:44.984:
10.0.0.0/24 via 0.0.0.0 in 1 hops
Jan 8 18:09:44.984:
10.1.0.0/24 via 0.0.0.0 in 1 hops
Jan 8 18:09:44.984:
136.1.23.0/24 via 0.0.0.0 in 1 hops
Jan 8 18:09:44.984:
150.1.2.0/24 via 0.0.0.0 in 2 hops
R2 MD5 Authentication Configuration R2# R2#conf t Enter configuration commands, one per line. End with CNTL/Z. R2(config)#key chain RIPkey R2(config-keychain)# key 1 R2(config-keychain-key)# key-string cisco123 R2(config-keychain-key)#int g0/0 R2(config-if)#ip rip authentication mode md5 R2(config-if)#ip rip authentication key-chain RIPkey R2(config-if)#end
R3 MD5 Authentication Configuration
Recall that the key chain was already configured for the clear-text authentication. It is recommended that you use a different key chain when configuring both authentication methods. In this case, we use the same key for the sake of simplicity. In the CCIE lab exam, you do exactly what you are told, whether or not is is the best practice.
R3#conf t Enter configuration commands, one per line. End with CNTL/Z. R3(config)#int f0/0.23 R3(config-subif)#ip rip authentication mode md5 R3(config-subif)#ip rip authentication key-chain RIPkey R3(config-subif)#end
R2 MD5 Authentication Verification
R2#debug ip rip RIP protocol debugging is on R2# Jan 8 18:54:31.388: RIP: received packet with MD5 authentication Jan 8 18:54:31.388: RIP: received v2 update from 136.1.23.3 on GigabitEthernet0/ 0 Jan 8 18:54:31.388:
10.0.0.0/24 via 0.0.0.0 in 1 hops
Jan 8 18:54:31.388:
10.1.0.0/24 via 0.0.0.0 in 1 hops
Jan 8 18:54:31.388:
136.1.13.0/24 via 0.0.0.0 in 1 hops
Jan 8 18:54:31.388:
150.1.1.0/24 via 0.0.0.0 in 2 hops
R2#sh ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, + - replicated route Gateway of last resort is not set 10.0.0.0/24 is subnetted, 2 subnets R
10.0.0.0 [120/1] via 136.1.23.3, 00:00:09, GigabitEthernet0/0
R
10.1.0.0 [120/1] via 136.1.23.3, 00:00:09, GigabitEthernet0/0 136.1.0.0/16 is variably subnetted, 3 subnets, 2 masks
R
136.1.13.0/24 [120/1] via 136.1.23.3, 00:00:09, GigabitEthernet0/0
C
136.1.23.0/24 is directly connected, GigabitEthernet0/0
L
136.1.23.2/32 is directly connected, GigabitEthernet0/0 150.1.0.0/16 is variably subnetted, 3 subnets, 2 masks
R
150.1.1.0/24 [120/2] via 136.1.23.3, 00:00:10, GigabitEthernet0/0
C
150.1.2.0/24 is directly connected, Loopback0
L
150.1.2.2/32 is directly connected, Loopback0
R2#