Professional Documents
Culture Documents
ROUTE v7 Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
Chapter 8 Objectives
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
Management access settings: Is Telnet access allowed for router management? Is the
HTTP or HTTPS server used for router management? Which version of SNMP is used
to manage the router? Is the SNMP process restricted to a certain range of IP
addresses only? How often is the SNMP community string changed?
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
Cisco Public
Increased flexibility and control of access configuration: AAA offers additional authorization flexibility
on a per-command or per-interface level.
Scalability: Local authentication is appropriate for a small network with few administrative users.
However, it does not scale well beyond that. AAA provides a very scalable solution that is required
when managing large networks.
Multiple backup systems: Multiple AAA servers can be identified for redundancy reasons. If a AAA
server fails, the next server on the list would provide AAA services.
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
10
Locally: Users are authenticated against the local device database, which is
created using the username secret command (sometimes referred to selfcontained AAA).
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
11
TACACS+: A Cisco proprietary protocol that separates all three AAA services
using the more reliable TCP port 49. TACACS+ encrypts the entire message
exchanged therefore communication between the device and the TACACS+
server is completely secure.
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
12
The client attempts to authenticate to R1. The router is called a network access server (NAS) or remoteaccess server (RAS). Steps 1 through 4 illustrate how the client is queried by the NAS for their credentials. In
Step 5, the NAS sends the clients login request in the form of an Access-Request packet, which contains the
username, encrypted password, NAS IP address, and NAS port number.
To ensure that the NAS is authorized to communicate with, the server compares the shared secret key sent in
the request packet with the value configured on the server. If the shared secrets do not match, the server
drops the packet. If shared secrets match, the credentials in the packet are compared to the username and
password in the AAA server database.
If a match is found, the RADIUS server returns an Access-Accept packet with list of attributes to be used with
this session. If a match is not found, the RADIUS server returns Access-Reject packet.
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
13
The client
attempts to
authenticate to
the NAS, R1. In
Step 1, the client
initiates a
connection to the
NAS, and the NAS
immediately establishes
a TCP connection with the AAA server.
In Steps 2 through 4, the NAS contacts the AAA server to obtain a username prompt, which is then
displayed to the client. In Steps 5 and 6, the username entered by the user is forwarded to the server,
In Steps 7 through 9, the NAS contacts the AAA server to obtain the password prompt, which is then
displayed to the client. Steps 10 and 11 forward the clients password to the AAA server to be validated
against the database.
If a match is found, the server will send an Accept message to the client, and authorization
phase may begin (if configured on the NAS). If a match is not found, however, the server will
respond with the Reject message, and any further access will be denied.
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
14
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
15
Cisco Public
16
Cisco Public
17
Multiprotocol access environments: RADIUS does not support older protocols such as
ARA, NBFCP, NASI, and X.25 PAD connections.
Networks using multiple services: RADIUS authentication can be used for character
mode service or PPP mode service. Character mode is authenticating the user for
administrative access to the device using Telnet service. PPP mode is used to
authenticate the user to provide access to network resources behind the NAS. RADIUS
can bind a user to a single service model only.
Therefore, RADIUS cannot bind a user simultaneously to character and PPP mode.
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
18
Cisco Public
19
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
20
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
21
All the traffic to the IP addresses of the network infrastructure devices is dropped and
logged. This rule prevents the network users from sending the routing protocol or the
management traffic to network devices. Include the destination addresses that encompass
all the device IP addresses as a condition. Note that this approach does not prevent users
from sending malicious transit traffic that would require processing in the CPU-intensive
slow data plane paths on the network devices. Such transit traffic may include packets with
IP options or packets that require processing that is not supported in the efficient fast data
plane path.
All the other traffic is permitted and allows all the transit traffic over the network.
The first rule may need to be relaxed to permit some network signaling exceptions, such as
BGP sessions from trusted external peers, internal routing protocol sessions, and ICMP,
SSH, and SNMP traffic from management stations.
An infrastructure ACL is constructed and applied to specify connections from hosts or
networks that need to be allowed to the network devices. Common examples of these types
of connections are EBGP, SSH, and SNMP. After the required connections have been
permitted, all the other traffic to the infrastructure is explicitly denied. All the transit traffic
that crosses the network and is not destined to the infrastructure devices is then explicitly
permitted.
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
22
Cisco Public
23
Strict mode: The packet must be received on the interface that the router would use to forward the return packet.
uRPF configured in strict mode may drop legitimate traffic that is received on an interface that was not the routers
choice for sending return traffic. Dropping this legitimate traffic could occur when asymmetric routing paths are
present in the network.
Loose mode: The source address must appear in the routing table. Administrators can change this behavior using
the allow-default option, which allows the use of the default route in the source verification process. In addition, a
packet that contains a source address for which the return route points to the Null 0 interface will be dropped. An
access list may also be specified that permits or denies certain source addresses in uRPF loose mode.
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
24
Cisco Public
25
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
26
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
27
Key ID: Configured using the key key-id key chain configuration mode command. Key IDs can range from 1 to 255. Entering this
command changes the prompt to key chain key configuration mode.
Key string (password): Configured using the key-string password key chain key configuration mode command.
Key lifetimes: (Optional) Configured using the send-lifetime and accept-lifetime key chain key configuration mode commands.
Key-based routing protocols store and use more than one key for a feature at the same time. The key used will vary
based on the send and accept lifetimes of a key. The device uses the lifetimes of keys to determine which keys in a key
chain are active.
Each key in a keychain has two lifetimes, as follows:
Accept lifetime: The time interval within which the device accepts the key during key exchange with another device
Send lifetime: The time interval within which the device sends the key during key exchange with another device
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
28
Cisco Public
29
EIGRP Authentication
The EIGRP MD5 authentication configuration steps are as follows:
Step 1. Configure the key chain:
The key chain global configuration command is used to define all the keys that are used
for EIGRP MD5 authentication. Once in key chain configuration mode, use the key
command to identify the key in the key chain. Each key is defined by the number, which
defines the key ID. When the key command is used, the configuration enters the key
chain key configuration mode, where the key-string authentication-key configuration
command must be used to specify the authentication string (or password). The key ID
and authentication string must be the same on all neighboring routers.
Step 2. Configure the authentication mode for EIGRP:
The only authentication type that is available in classic EIGRP configuration is MD5. The
newer named EIGRP configuration method also supports the more secure SHA hashing
algorithm.
Step 3. Enable authentication to use the key or keys in the key chain:
When an authentication type is selected and a key chain is configured, authentication of
EIGRP packets must be enabled on all interfaces that are participating in the EIGRP
domain as well. Authentication is enabled using the ip authentication key-chain eigrp
interface command.
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
30
EIGRP Authentication
The EIGRP MD5 authentication configuration steps are as
follows:
Step 1. Configure the key chain:
Step 3. Enable authentication to use the key or keys in the key chain:
R1(config-if)# ip authentication key-chain eigrp 100 EIGRP-KEYS
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
31
EIGRP Authentication
Configuring EIGRP for IPv6 Authentication
The only difference is ipv6 instead of ip & you can use SHA.
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
32
OSPF Authentication
OSPF Authentication
When OSPFv2 neighbor authentication is enabled on a router, the router
authenticates the source of each routing update packet that it receives. It
performs this authentication by embedding an authentication data field in
each OSPF packet. The authentication data is computed based on the
authentication key, sometimes referred to as a password, which is known
to both the sending and the receiving router.
By default, OSPF does not authenticate routing updates. This means that
routing exchanges over a network are not authenticated. OSPFv2 supports
Plain-text authentication:
Simple password authentication. Least secure and not recommended for production
environments.
MD5 authentication:
Secure and simple to configure using two commands. Should only be implemented if SHA
authentication is not supported.
SHA authentication:
Most secure solution using key chains. Referred to as the OSPFv2 cryptographic authentication
feature and only available since IOS 15.4(1)T.
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
33
OSPF Authentication
OSPF MD5 Authentication
There are two tasks to enable MD5 hashing authentication:
Step 1.
Configure a key ID and keyword (password) using the ip ospf messagedigest-key key-id md5 password interface configuration command. The
key ID and password are used to generate the hash value that is
appended to the OSPF update. The password maximum length is 16
characters. Cisco IOS Software will display a warning if a password
longer than 16 characters is entered.
Step 2.
Enable MD5 authentication using either the ip ospf authentication
message-digest interface configuration command or the area area-id
authentication message-digest OSPF router configuration command. The
first command only enables MD5 authentication on a specific interface,
and the second command enables authentication for all OSPFv2
interfaces.
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
34
OSPF Authentication
OSPF MD5 Authentication
R1(config)# interface ethernet 0/2
R1(config-if)# ip ospf authentication message-digest
R1(config-if)# ip ospf message-digest-key 1 md5 secret-1
OR in an area
R1(config)# interface ethernet 0/0
R1(config-if)# ip ospf message-digest-key 1 md5 secret-2
R1(config-if)# exit
R1(config)#
R1(config)# router ospf 1
R1(config-router)# area 0 authentication message-digest
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
35
OSPF Authentication
OSPFv2 Cryptographic Authentication
After IOS 15.4(1)T, OSPFv2 supports SHA hashing authentication using
key chains.
The feature prevents unauthorized or invalid routing updates in a network
by authenticating OSPFv2 protocol packets using HMAC-SHA algorithms.
A similar 2 step process allows the configuration.
Step 1.
Configure a key chain using the key chain key-name global configuration
command. The key chain contains the key ID and key string and enables the
cryptographic authentication feature using the cryptographic-algorithm authalgo key chain key configuration mode command.
Step 2.
Assign the key chain to the interface using the ip ospf authentication key-chain
key-name interface configuration mode command. This also enables the feature.
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
36
OSPF Authentication
OSPFv2 Cryptographic Authentication
R2(config)# key chain SHA-CHAIN
R2(config-keychain)# key 1
R2(config-keychain-key)# key-string secret-1
R2(config-keychain-key)# cryptographic-algorithm hmac-sha-256
R2(config-keychain-key)# exit
R2(config-keychain)# exit
R2(config)# interface s0/0/0
R2(config-if)# ip ospf authentication key-chain SHA-CHAIN
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
37
OSPF Authentication
OSPFv3 Authentication
OSPFv3 requires the use of IPsec to enable authentication.
Crypto s are required to use authentication because only crypto
s include the IPsec application programming interfaces (APIs)
needed for use with OSPFv3.
In OSPFv3, authentication fields have been removed from
OSPFv3 packet headers.
When OSPFv3 runs on IPv6, OSPFv3 requires the IPv6
Authentication Header (AH) or IPv6 Encapsulating Security
Payload (ESP) header to ensure integrity, authentication, and
confidentiality of routing exchanges.
IPv6 AH and ESP extension headers can be used to provide
authentication and confidentiality to OSPFv3.
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
38
OSPF Authentication
Configuring OSPFv3 Authentication
To deploy OSPFv3 authentication, first define the security policy
on each of the devices within the group. The security policy
consists of the combination of the key and the security
parameter index (SPI). The SPI is an identification tag added to
the IPsec header.
The authentication policy can be configured either on an
interface or in an area.
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
39
OSPF Authentication
Configuring OSPFv3 Authentication
R1(config)# interface Ethernet0/1
R1(config-if)# ipv6 ospf authentication ipsec spi 300 sha1
1234567890123456789012345678901234567890
OR
R1(config)# router ospfv3 1
R1(config-router)# area 0 authentication ipsec spi 500 sha1 123456789012345678901234
5678901234567890
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
40
BGP Authentication
Configuring BGP Authentication
As enterprises increase their web presence and reliance on the Internet for
revenue, the need for reliable and geographically diverse Internet
connectivity has become more common. These needs are often met
through multihome configurations that require BGP for connectivity to a
service providers BGP-speaking routers.
However, introducing BGP routing into organizations introduces additional
risks that are present due to threats to BGP. One such threat is the
advertisement of false BGP routing updates that are sent from unauthorized
BGP peers. To prevent receiving of false routing updates, you can enable
BGP authentication, which prevents establishment of BGP session with
unauthorized BGP peers.
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
41
BGP Authentication
BGP Authentication Configuration Checklist
BGP neighbor authentication can be configured on a router so that the
router authenticates the source of each routing update packet that it
receives.
This authentication is accomplished by the exchange of an authentication
key (password) that is shared between the source and destination routers.
Like EIGRP and OSPF, BGP also supports MD5 neighbor authentication.
To generate an MD5 hash value, BGP uses the shared secret key and
portions of the IP and TCP headers and the TCP payload. The MD5 hash is
then stored in TCP option 19, which is created specifically for this purpose
by RFC 2385.
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
42
BGP Authentication
BGP Authentication
To enable MD5 authentication on a TCP connection between two BGP peers,
use the neighbor password router configuration command with IP address to
specify individual BGP peer, or use the peer group name to specify entire
group of peers, followed by the shared password.
R1(config)# router bgp 65100
R1(config-router)# neighbor 172.16.12.2 remote-as 65000
R1(config-router)# neighbor 172.16.12.2 password secret-1
The same config is used for ipv6 except the neighbor addresses are different.
R1(config)# router bgp 65100
R1(config-router)# neighbor 2001:db8:0:10::2 remote-as 65000
R1(config-router)# neighbor 2001:db8:0:10::2 password secret-2
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
43
Implementing VRF-Lite
Virtual Routing and Forwarding (VRF) is a technology that allows
the device to have multiple but separate instances of routing
tables exist and work simultaneously.
A VRF instance is essentially a logical router and consists of an
IP routing table, a forwarding table, a set of interfaces that use
the forwarding table, and a set of rules and routing protocols that
determine what goes into the forwarding table.
A VRF increases:
Network functionality by allowing network paths to be completely
segmented without using multiple devices.
Network security because traffic is automatically segmented. VRF is
conceptually similar to creating Layer 2 VLANs but operates at Layer 3.
Cisco Public
44
Implementing VRF-Lite
VRF and VRF-Lite
VRF is usually associated with a service provider running Multiprotocol Label
Switching (MPLS) because the two work well together. In a provider network, MPLS
isolates each customers network traffic, and a VRF is maintained for each customer.
However, VRF can be used in other deployments without using MPLS.
VRF-lite is the deployment of VRF without MPLS. With the VRF-lite feature, the
Catalyst switch supports multiple VPN routing/forwarding instances in customeredge devices.
VRF-lite allows an SP to support two or more VPNs with overlapping IP addresses
using one interface. VRF-lite uses input interfaces to distinguish routes for different
VPNs and forms virtual packet-forwarding tables by associating one or more Layer 3
interfaces with each VRF.
Interfaces in a VRF can be either physical, such as Ethernet or serial ports, or
logical, such as VLAN SVIs. However, a Layer 3 interface cannot belong to more than
one VRF at any time.
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
45
Implementing VRF-Lite
Note:
The VRF instance must be configured on an interface first; otherwise, an
error message will appear
Central(config-vrf)# exit
Central(config-vrf)# exit
Central(config-if)# no shut
Central(config-if)# exit
Central(config)#
Central(config-if)# no shut
Central(config-if)# exit
Central(config)#
Central(config-if)# no shut
Central(config-if)# exit
Central(config)#
Central(config-if)# no shut
Central(config-if)# exit
Central(config)#
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
46
Implementing VRF-Lite
Central# show ip route | begin Gateway
Gateway of last resort is not set
Central#
Central# show ip route vrf VRF-A | begin Gateway
Gateway of last resort is not set
C
L
C
L
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
47
Implementing VRF-Lite
Now configure EIGRP to run on VRF-A
Central(config)# router eigrp 1
Central(config-router)# address-family ipv4 vrf VRF-A
Central(config-router-af)# network 10.10.1.0 0.0.0.3
Central(config-router-af)# network 10.20.2.0 0.0.0.3
Central(config-router-af)# autonomous-system 1
Central(config-router-af)# no auto-summary
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
48
For true path isolation, Cisco Easy Virtual Network (EVN) provides the simplicity of Layer 2
with the controls of Layer 3. EVN provides traffic separation and path isolation capabilities
on a shared network infrastructure.
EVN is an IP-based network virtualization solution that takes advantage of existing VRFlite technology to:
EVN reduces network virtualization configuration significantly across the entire network
infrastructure by creating a virtual network trunk. The traditional VRF-lite solution requires
creating one sub-interface per VRF on all switches and routers involved in the data path,
creating a lot of burden in configuration management.
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
49
EVN improves shared services support with route replication. Multiple EVN users may
require common sets of services such as Internet connectivity, e-mail, video, Dynamic
Host Configuration Protocol (DHCP), or Domain Name System (DNS). Traditionally,
sharing common services can be achieved through importing and exporting routes
between virtual networks using Border Gateway Protocol (BGP), which is complex.
EVNs route replication feature allows each virtual network to have direct access to the
Routing Information Base (RIB) in each VRF, allowing the ability to
Link routes from a Shared VRF to several segmented VRFs but still maintain
separation where it is required
Remove dependency on the BGP route target and route distinguisher, simplifying
both configuration and complexity of importing and exporting routes
Remove duplicate routing tables or routes, saving memory and CPU
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
50
Chapter 8 Summary
The chapter focused on the following topics:
Write and follow a security policy before securing a device.
Passwords are stored in the configuration and should be protected from
eavesdropping.
Use SSH instead of Telnet, especially when using it over an unsecure network.
Create router ALCs to protect the infrastructure by filtering traffic on the network
edge.
Secure SNMP if it is used on the network.
Periodically save the configuration in case it gets corrupted or changed.
Implement logging to an external destination to have insight into what is going
on in a network.
Disable unused services.
Unauthorized routers might launch a fictitious routing update to convince a
router to send traffic to an incorrect destination. Routers authenticate the source
of each routing update that is received when routing authentication is enabled.
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
51
Chapter 8 Summary
The chapter focused on the following topics:
There are two types of routing authentication: plain-text and hashing
authentication.
Avoid using plain-text authentication.
A key chain is a set of keys that can be used with routing protocol
authentications.
Different routing protocols support different authentication options.
When EIGRP authentication is configured, the router verifies every EIGRP
packet.
Classic EIGRP for IPv4 and IPv6 supports MD5 authentication, and named
EIGRP supports SHA authentication.
To configure classic MD5 authentication, define a key, enable EIGRP
authentication mode on the interface, and associate the configured key with the
interface.
To configure SHA authentication, you need to use EIGRP named configuration
mode.
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
52
Chapter 8 Summary
The chapter focused on the following topics:
Verify the EIGRP authentication by verifying neighborship.
When authentication is configured, the router generates and checks every
OSPF packet and authenticates the source of each update packet that it
receives.
In OSPFv2 simple password authentication the routers send the key that is
embedded in the OSPF packets.
In OSPFv2 MD5 authentication the routers generate a hash of the key, key ID,
and message. The message digest is sent with the packet.
OSPFv3 uses native functionality offered by IPv6. All that is required for
OSPFv3 authentication is IPsec AH. AH provides authentication and integrity
check. IPsec ESP provides encryption for payloads, which is not required for
authentication.
BGP authentication uses MD5 authentication.
Router generates and verifies MD5 digest of every segment sent over the BGP
connection.
Verify BGP authentication by verifying if BGP sessions are up.
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
53
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.
Cisco Public
54