Está en la página 1de 54

Chapter 8:

Routers and Routing


Protocol Hardening

CCNP ROUTE: Routers and Routing Protocol Hardening

ROUTE v7 Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

Chapter 8 Objectives

Securing the Management Plane on Cisco Routers


Describing Routing Protocol Authentication
Configuring Authentication for EIGRP
Configuring Authentication for OSPFv2 and OSPFv3
Configuring Authentication for BGP peers
Configuring VRF-lite

Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

Routers and Routing Protocol Hardening


A routers operational architecture can be categorized into three
planes:
Management plane: This plane is concerned with traffic that is sent to the
Cisco IOS device and is used for device management. Securing this
plane involves using strong passwords, user authentication,
implementing role-based command-line interface (CLI), using Secure
Shell (SSH), enable logging, using Network Time Protocol (NTP),
securing Simple Network Management Protocol (SNMP), and securing
system files.
Control plane: This plane is concerned with packet forwarding decisions
such as routing protocol operations. Securing this plane involves using
routing protocol authentication.
Data plane: This plane is also known as the forwarding plane because it
is concerned with the forwarding of data through a router. Securing this
plane usually involves using access control lists (ACLs).

Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

Securing the Management Plane on Cisco


Routers
Securing the network infrastructure is critical to overall
network security.
A compromised router can cause the network to be
compromised on a larger scale.
If an attacker gained access to a router, the security and management
of the entire network can be compromised, leaving servers and
endpoints at risk. For example, the attacker could cause a network
disruption by erasing the startup configuration and reloading the
router. When the router reboots, it will not have a startup configuration
and, therefore, will not boot properly.

Routers must be hardened so that any attempts to disable a


router, gain unauthorized access, or otherwise impair the
functionality of the router can be stopped.

Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

Securing the Management Plane on Cisco


Routers
Router Security Policy
The first step to protect a router is to create and maintain a router security
policy, which defines the security posture of routers.
The router security policy should help answer the following questions:

Password encryption and complexity settings: Do passwords appear in encrypted form


when viewed at the configuration file? According to policy, how often do router
passwords (Telnet, username, enable) have to be changed? Do the router passwords
meet the required complexity as defined by the policy?

Authentication settings: Is a message of the day (MOTD) banner defined? Is


authentication on the router done through locally configured usernames and
passwords, or through external AAA servers? Are login and logout tracking and
command accounting for the router administrators through the external AAA server
enabled?

Management access settings: Is Telnet access allowed for router management? Is the
HTTP or HTTPS server used for router management? Which version of SNMP is used
to manage the router? Is the SNMP process restricted to a certain range of IP
addresses only? How often is the SNMP community string changed?

Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

Securing the Management Plane on Cisco


Routers
Router Security Policy
The router security policy should help answer the following questions:
Securing management access using SSH: Is management access secure? Do we
still have to support Telnet? Are we using SSH for management access? If Telnet
support is required, how are we securing it?
Unneeded services settings: Are the unneeded services and interfaces disabled?
Which services are unneeded?
Ingress/egress filtering settings: Is filtering of RFC 1918 IP addresses enabled?
Are anti-spoofing ACLs in place? Is Unicast RPF filtering enabled?
Routing protocol security settings: Is routing protocol message authentication
enabled?
Configuration maintenance: How often are the router configurations backed up? Is
the backup moved to an offsite (disaster recovery) site? Is there a documented
procedure for the backup of router configurations? Is TFTP used to transfer the
configuration or the files to and from the router? On the system where the
configuration files are stored, is the local operating systems security mechanism
used for restricting the access to the files?

Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

Securing the Management Plane on Cisco


Routers
Router Security Policy
The router security policy should help answer the following questions:
Securing management access using SSH: Is management access secure? Do we
still have to support Telnet? Are we using SSH for management access? If Telnet
support is required, how are we securing it?
Unneeded services settings: Are the unneeded services and interfaces disabled?
Which services are unneeded?
Ingress/egress filtering settings: Is filtering of RFC 1918 IP addresses enabled?
Are anti-spoofing ACLs in place? Is Unicast RPF filtering enabled?
Routing protocol security settings: Is routing protocol message authentication
enabled?
Configuration maintenance: How often are the router configurations backed up? Is
the backup moved to an offsite (disaster recovery) site? Is there a documented
procedure for the backup of router configurations? Is TFTP used to transfer the
configuration or the files to and from the router? On the system where the
configuration files are stored, is the local operating systems security mechanism
used for restricting the access to the files?

Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

Securing the Management Plane on Cisco


Routers Encrypted Passwords
Use Strong Passwords
Administrators should ensure that strong
passwords are used across the network.
To protect assets, such as routers and
switches, follow these common guidelines for choosing strong passwords.
These guidelines are designed to make passwords more difficult to
discover through the use of intelligent guessing and password-cracking
tools:
Use a password length of ten or more characters. A longer password is a
better password.
Make passwords complex. Include a mix of uppercase and lowercase
letters, numbers, symbols, and spaces.

Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

Securing the Management Plane on Cisco


Routers Encrypted Passwords
Use Strong Passwords

Avoid passwords based on repetition, dictionary words, letter or


number sequences, usernames, relative or pet names, biographical
information, such as birthdates, ID numbers, ancestor names, or other
easily identifiable pieces of information.
Deliberately misspell a password (for example, Smith = Smyth =
5mYth or Security = 5ecur1ty).
Change passwords often. If a password is unknowingly compromised,
the window of opportunity for the attacker to use the password is
limited.
Do not write passwords down and leave them in obvious places, such
as on the desk or monitor.
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

Securing the Management Plane on Cisco Routers


- Authentication, Authorization, Accounting
Securing management access to the infrastructure network consists of
authenticating users before they access the network, identifying what they are
capable of doing and what restrictions apply to them, and logging the information
about user activities for accounting purposes.
Authentication, authorization, and accounting (AAA) is a standards-based framework
that can be implemented to control who is permitted to access a network
(authenticate), what they can do on that network (authorize), and to audit what they
did while accessing the network (accounting).
Implementation of the AAA model provides the following advantages:

Increased flexibility and control of access configuration: AAA offers additional authorization flexibility
on a per-command or per-interface level.

Scalability: Local authentication is appropriate for a small network with few administrative users.
However, it does not scale well beyond that. AAA provides a very scalable solution that is required
when managing large networks.

Multiple backup systems: Multiple AAA servers can be identified for redundancy reasons. If a AAA
server fails, the next server on the list would provide AAA services.

Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

10

Securing the Management Plane on Cisco Routers


- Authentication, Authorization, Accounting

Implementation of the AAA model provides the


following advantages contd:

Standardized authentication methods: AAA supports the RADIUS protocol open


standard to ensure interoperability and flexibility with other vendor devices.

Users must authenticate against an authentication database, which can be stored:

Locally: Users are authenticated against the local device database, which is
created using the username secret command (sometimes referred to selfcontained AAA).

Centrally: A client/server model where users are authenticated against AAA


servers. This provides improved scalability, manageability, and control.
Communication between the device and AAA servers is secured using either the
RADIUS or TACACS+ protocols.

Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

11

Securing the Management Plane on Cisco


Routers
RADIUS and TACACS+ Overview
When users attempt to authenticate to a device, the device
communicates with a AAA server using either the

RADIUS protocol: An open standard protocol described in RFCs 2865


(authentication and authorization) and 2866 (accounting). It combines
authentication and authorization into one service using UDP port 1812 (or UDP
1645), and the accounting service uses UDP port 1813 (or UDP 1646). RADIUS
does not encrypt the entire message exchanged between device and server. Only
the password portion of the RADIUS packet header is encrypted, thereby
identifying the AAA server as an authoritative source to authenticate against.

TACACS+: A Cisco proprietary protocol that separates all three AAA services
using the more reliable TCP port 49. TACACS+ encrypts the entire message
exchanged therefore communication between the device and the TACACS+
server is completely secure.

Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

12

Securing the Management Plane on Cisco


Routers

RADIUS and TACACS+ Overview

The client attempts to authenticate to R1. The router is called a network access server (NAS) or remoteaccess server (RAS). Steps 1 through 4 illustrate how the client is queried by the NAS for their credentials. In
Step 5, the NAS sends the clients login request in the form of an Access-Request packet, which contains the
username, encrypted password, NAS IP address, and NAS port number.
To ensure that the NAS is authorized to communicate with, the server compares the shared secret key sent in
the request packet with the value configured on the server. If the shared secrets do not match, the server
drops the packet. If shared secrets match, the credentials in the packet are compared to the username and
password in the AAA server database.
If a match is found, the RADIUS server returns an Access-Accept packet with list of attributes to be used with
this session. If a match is not found, the RADIUS server returns Access-Reject packet.

Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

13

Securing the Management Plane on Cisco


Routers
TACACS+

The client
attempts to
authenticate to
the NAS, R1. In
Step 1, the client
initiates a
connection to the
NAS, and the NAS
immediately establishes
a TCP connection with the AAA server.
In Steps 2 through 4, the NAS contacts the AAA server to obtain a username prompt, which is then
displayed to the client. In Steps 5 and 6, the username entered by the user is forwarded to the server,
In Steps 7 through 9, the NAS contacts the AAA server to obtain the password prompt, which is then
displayed to the client. Steps 10 and 11 forward the clients password to the AAA server to be validated
against the database.

If a match is found, the server will send an Accept message to the client, and authorization
phase may begin (if configured on the NAS). If a match is not found, however, the server will
respond with the Reject message, and any further access will be denied.

Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

14

Securing the Management Plane on Cisco


Routers - Enabling AAA and Local Authentication
The following are the configuration steps required to enable AAA local authentication:
Step 1. Create local user accounts using the username name secret password global
configuration command.
Step 2. Enable AAA by using the aaa new-model global configuration command. This command
is required to enable all other AAA-related commands. Until this command is enabled, all other
AAA commands are hidden. The command also immediately applies local authentication to all
lines and interfaces except the console line.
Step 3. Configure the security protocol parameters including the server IP address and secret
key. The actual commands will vary depending on whether RADIUS or TACACS+ is used and
whether multiple servers are being implemented.
Step 4. Define the authentication method lists using the aaa authentication login {default | listname} method1 [...[method4]]. The default method list applies to any interface, line, or service
unless a list-name method list is defined. The default keyword is typically used in smaller
environments with a single shared AAA infrastructure. Alternatively, a list-name method list must
be explicitly applied to an interface, line, or service. The list-name

Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

15

Securing the Management Plane on Cisco


Routers - Enabling AAA and Local Authentication
The following are the configuration steps required to enable AAA local authentication:
Multiple authentication methods can be defined for fault tolerance. The most
commonly used aaa authentication command methods include group radius, group
tacacs+, local, local-case. When multiple authentication methods are configured, the
additional methods of authentication are used only if the previous method returns an
error, not if it fails.
Step 5. If required, apply the method lists to the console, vty, or aux lines. If a default
authentication method was defined, the console, vty, and aux lines are automatically
configured for AAA authentication. If a list-name was configured, the lines require the
login list-name line configuration command.
Step 6. (Optional) Configure authorization using the aaa authorization global
configuration command.
Step 7. (Optional) Configure accounting using the aaa accounting global configuration
command.
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

16

Securing the Management Plane on Cisco


Routers - Enabling AAA and Local Authentication

Enabling AAA RADIUS Authentication with Local User for Backup


RADIUS is commonly implemented to provide AAA authentication. For fallback purposes, it is a
good idea to configure a few local accounts on each device to serve as a backup, should
external servers fail.

R1(config)# username JR-ADMIN secret Str0ngPa55w0rd


R1(config)# username ADMIN secret Str0ng5rPa55w0rd
R1(config)#
R1(config)# aaa new-model
R1(config)#
R1(config)# radius server RADIUS-1
R1(config-radius-server)# address ipv4 192.168.1.101
R1(config-radius-server)# key RADIUS-1-pa55w0rd
R1(config-radius-server)# exit
R1(config)#
A second AAA login authentication method is specified
R1(config)# radius server RADIUS-2
using a named method list called TELNET-LOGIN. This
R1(config-radius-server)# address ipv4 192.168.1.102
method authenticates like the default list, except that
R1(config-radius-server)# key RADIUS-2-pa55w0rd
R1(config-radius-server)# exit
the local-case keyword also makes the username case
R1(config)#
sensitive. The local keyword only makes the password
R1(config)# aaa group server radius RADIUS-GROUP
case sensitive.
R1(config-sg-radius)# server name RADIUS-1
R1(config-sg-radius)# server name RADIUS-2
R1(config-sg-radius)# exit
R1(config)#
R1(config)# aaa authentication login default group RADIUS-GROUP local
R1(config)# aaa authentication login TELNET-LOGIN group RADIUS-GROUP local-case
R1(config)# line vty 0 4
R1(config-line)# login authentication TELNET-LOGIN
R1(config-line)# exit
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

17

Securing the Management Plane on Cisco


Routers - AAA Servers Limitations
Limitations of TACACS+ and RADIUS
RADIUS is not suitable to be used in the following situations:

Multiprotocol access environments: RADIUS does not support older protocols such as
ARA, NBFCP, NASI, and X.25 PAD connections.

Device-to-device situations: RADIUS operates in a client/server mode, where


authentication can only be initiated by a client and where the server always
authenticates the client.
RADIUS does not offer two-way authentication. Therefore, if two devices need mutual
authentication, RADIUS is not an appropriate solution.

Networks using multiple services: RADIUS authentication can be used for character
mode service or PPP mode service. Character mode is authenticating the user for
administrative access to the device using Telnet service. PPP mode is used to
authenticate the user to provide access to network resources behind the NAS. RADIUS
can bind a user to a single service model only.
Therefore, RADIUS cannot bind a user simultaneously to character and PPP mode.

Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

18

Securing the Management Plane on Cisco


Routers - AAA Servers Limitations
Limitations of TACACS+ and RADIUS
TACACS+ is not suitable to be used in the following situations:
Multivendor environment: TACACS+ is a Cisco proprietary protocol.
Some vendors may not support it although Cisco has published
TACACS+ specification in a form of a draft RFC.
When speed of response from the AAA services is of concern:
TACACS+ is a little slower at responding than RADIUS.
The reason is because RADIUS uses the UDP transport protocol, which
is faster than TACACS+, which uses the TCP transport protocol. TCP is a
connection-oriented protocol, which means that a connection between
two endpoints has to be established before the data can start to flow. This
mechanism consumes precious time, and therefore TACACS+ might not
be the best option if a fast response from the AAA services is required.
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

19

Use SSH Instead of Telnet


When enabling remote administrative access, consider the security implications of
sending information across the network.
Traditionally, remote access on routers was configured using Telnet on TCP port 23.
However, Telnet was developed in the days when security was not an issue;
therefore, all Telnet traffic is forwarded in plain text.
An attacker could capture Telnet frames originating from an administrators computer
using a protocol analyzer such as Wireshark to discover administrative password or
device configuration.
Secure Shell (SSH) provides an encrypted mechanism for accessing a router. It has
replaced Telnet as the recommended practice for providing remote router
administration with connections that support confidentiality and session integrity. It
provides functionality that is similar to an outbound Telnet connection, except that the
connection is encrypted and operates on port 22. With authentication and encryption,
SSH allows for secure communication over a non-secure network. Therefore, it is
advisable to set up SSH access on a router and then disable Telnet access to it.

Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

20

Use SSH Instead of Telnet


Complete the following steps to enable the SSH access instead of Telnet:
Step 1. Enable the use of SSH protocol: Ensure that the target routers are running a Cisco
IOS release that supports SSH.
Step 2. Enable local authentication for SSH access: This is because SSH access requires
login using username and password.
Step 3. Allows SSH from authorized hosts: Optionally allow SSH access only from
authorized hosts by specifying an ACL.

Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

21

Securing Access to the Infrastructure Using


Router ACLs
Infrastructure ACLs are typically applied in the input direction on the interface that
connects to the network users or external networks with the following policies:

All the traffic to the IP addresses of the network infrastructure devices is dropped and
logged. This rule prevents the network users from sending the routing protocol or the
management traffic to network devices. Include the destination addresses that encompass
all the device IP addresses as a condition. Note that this approach does not prevent users
from sending malicious transit traffic that would require processing in the CPU-intensive
slow data plane paths on the network devices. Such transit traffic may include packets with
IP options or packets that require processing that is not supported in the efficient fast data
plane path.

All the other traffic is permitted and allows all the transit traffic over the network.

The first rule may need to be relaxed to permit some network signaling exceptions, such as
BGP sessions from trusted external peers, internal routing protocol sessions, and ICMP,
SSH, and SNMP traffic from management stations.
An infrastructure ACL is constructed and applied to specify connections from hosts or
networks that need to be allowed to the network devices. Common examples of these types
of connections are EBGP, SSH, and SNMP. After the required connections have been
permitted, all the other traffic to the infrastructure is explicitly denied. All the transit traffic
that crosses the network and is not destined to the infrastructure devices is then explicitly
permitted.
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

22

Securing Access to the Infrastructure Using


Router ACLs - example

R1(config)# ip access-list extended ACL-INFRASTRUCTURE-IN


R1(config-ext-nacl)# remark Deny IP fragments
R1(config-ext-nacl)# deny tcp any any fragments
R1(config-ext-nacl)# deny udp any any fragments
R1(config-ext-nacl)# deny icmp any any fragments
R1(config-ext-nacl)# deny ip any any fragments
R1(config-ext-nacl)# remark permit required connections for management traffic
R1(config-ext-nacl)# permit tcp host 10.10.12.2 host 10.10.12.1 eq 179
R1(config-ext-nacl)# permit tcp host 10.10.12.2 eq 179 host 10.10.12.1
R1(config-ext-nacl)# permit tcp host 10.0.0.10 any eq 22
R1(config-ext-nacl)# remark Permit ICMP Echo from management station
R1(config-ext-nacl)# permit icmp host 10.0.0.10 any echo
R1(config-ext-nacl)# remark Deny all other IP traffic to any network device
R1(config-ext-nacl)# deny ip any 10.0.0.0 0.0.0.255
R1(config-ext-nacl)# remark permit transit traffic
R1(config-ext-nacl)# permit ip any any
R1(config-ext-nacl)# exit
R1(config)# interface ethernet 0/0
R1(config-if)# ip access-group ACL-INFRASTRUCTURE-IN in
R1(config-if)#^Z
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

23

Implement Unicast Reverse Path Forwarding


Network administrators can use Unicast Reverse Path Forwarding (uRPF) to help limit the malicious traffic on
an enterprise network. This security feature works with Cisco Express Forwarding (CEF) by enabling the router
to verify that the source of any IP packets received is in the CEF table and reachable via the routing table. If the
source IP address is not valid, the packet is discarded.
The uRPF feature is commonly used to prevent common spoofing attacks and follows RFC 2827 for ingress
filtering to defeat denial-of-service (DoS) attacks, which employ IP source address spoofing. RFC 2827
recommends that service providers filter their customers traffic and drop any traffic entering their networks that
is coming from an illegitimate source address.
The uRPF feature works in one of two modes:

Strict mode: The packet must be received on the interface that the router would use to forward the return packet.
uRPF configured in strict mode may drop legitimate traffic that is received on an interface that was not the routers
choice for sending return traffic. Dropping this legitimate traffic could occur when asymmetric routing paths are
present in the network.

Loose mode: The source address must appear in the routing table. Administrators can change this behavior using
the allow-default option, which allows the use of the default route in the source verification process. In addition, a
packet that contains a source address for which the return route points to the Null 0 interface will be dropped. An
access list may also be specified that permits or denies certain source addresses in uRPF loose mode.

Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

24

Routing Protocol Authentication Options


The routing protocol is also susceptible to an attack. For example, a
router could be receiving false route updates from an attacker to
nefarious destinations. The solution is to enable routing protocol
authentication.
The Purpose of Routing Protocol Authentication
The falsification of routing information is a more subtle class of attack
that targets the information carried within the routing protocol. The
consequences of falsifying routing information are as follows:
Redirect traffic to create routing loops
Redirect traffic to monitor on an insecure line
Redirect traffic to discard it
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

25

Routing Protocol Authentication Options


Two types of neighbor authentication can be used:
Plain-text authentication (also referred to as simple password
authentication)
Hashing authentication

Each method requires the use of a key to be used in the


authentication process.
Routing protocols that support plain-text authentication include
RIPv2, OSPFv2, and IS-IS.

Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

26

Routing Protocol Authentication Options


Hashing Authentication
With hashing authentication, the routing protocol update does not contain
the plain-text key. Instead, it contains a hash value that is used by the
receiving router to validate the authenticity of the routing update. The hash
value is often referred to as a signature.

Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

27

Routing Protocol Authentication Options


Time-Based Key Chains
The security of routing protocol authentication can be increased by changing the secret keys often. However, routing
between neighbors can be interrupted during the key rollover process. For instance, when a router is reconfigured with
a new key, it will lose its neighbor adjacency until the other neighbors are configured with the same new key.
Some routing protocols support a time-based key chain management feature that provides a secure mechanism to
maintain stable communications while handling this key rollover period. These routing protocols can use more than one
key at a time to authenticate the update. Transitioning between the keys using timed-based key chains provides a nondisruptive exchange of routing updates.
Key Chain Specifics
A key chain is created using the key chain key-name global configuration command. Entering this command changes
the prompt to key chain configuration mode. The key chain contains sets of keys (sometimes called shared secrets)
that include

Key ID: Configured using the key key-id key chain configuration mode command. Key IDs can range from 1 to 255. Entering this
command changes the prompt to key chain key configuration mode.
Key string (password): Configured using the key-string password key chain key configuration mode command.
Key lifetimes: (Optional) Configured using the send-lifetime and accept-lifetime key chain key configuration mode commands.

Key-based routing protocols store and use more than one key for a feature at the same time. The key used will vary
based on the send and accept lifetimes of a key. The device uses the lifetimes of keys to determine which keys in a key
chain are active.
Each key in a keychain has two lifetimes, as follows:

Accept lifetime: The time interval within which the device accepts the key during key exchange with another device
Send lifetime: The time interval within which the device sends the key during key exchange with another device

Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

28

Routing Protocol Authentication Options


Authentication Options with Different Routing Protocols
The table below summarizes the different routing protocol
authentication options.

Note : EIGRP SHA does not support key chains.


Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

29

EIGRP Authentication
The EIGRP MD5 authentication configuration steps are as follows:
Step 1. Configure the key chain:
The key chain global configuration command is used to define all the keys that are used
for EIGRP MD5 authentication. Once in key chain configuration mode, use the key
command to identify the key in the key chain. Each key is defined by the number, which
defines the key ID. When the key command is used, the configuration enters the key
chain key configuration mode, where the key-string authentication-key configuration
command must be used to specify the authentication string (or password). The key ID
and authentication string must be the same on all neighboring routers.
Step 2. Configure the authentication mode for EIGRP:
The only authentication type that is available in classic EIGRP configuration is MD5. The
newer named EIGRP configuration method also supports the more secure SHA hashing
algorithm.
Step 3. Enable authentication to use the key or keys in the key chain:
When an authentication type is selected and a key chain is configured, authentication of
EIGRP packets must be enabled on all interfaces that are participating in the EIGRP
domain as well. Authentication is enabled using the ip authentication key-chain eigrp
interface command.
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

30

EIGRP Authentication
The EIGRP MD5 authentication configuration steps are as
follows:
Step 1. Configure the key chain:

R1(config)# key chain EIGRP-KEYS


R1(config-keychain)# key 1
R1(config-keychain-key)# key-string secret-1
R1(config-keychain-key)# end

Step 2. Configure the authentication mode for EIGRP:


R1(config)# interface Ethernet 0/0
R1(config-if)# ip authentication mode eigrp 100 md5

Step 3. Enable authentication to use the key or keys in the key chain:
R1(config-if)# ip authentication key-chain eigrp 100 EIGRP-KEYS
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

31

EIGRP Authentication
Configuring EIGRP for IPv6 Authentication
The only difference is ipv6 instead of ip & you can use SHA.

Configuring Named EIGRP Authentication

R1(config)# key chain NAMED-R1-Chain


R1(config-keychain)# key 1
R1(config-keychain-key)# key-string secret-1
R1(config-keychain-key)# exit
R1(config-keychain)# exit
R1(config)# router eigrp ROUTE
R1(config-router)# address-family ipv4 autonomous-system 110
R1(config-router-af)# network 10.10.0.0 0.0.255.255
R1(config-router-af)# af-interface ethernet 0/0
R1(config-router-af-interface)# authentication key-chain NAMED-R1-Chain
R1(config-router-af-interface)# authentication mode md5
R1(config-router-af-interface)# end

Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

32

OSPF Authentication
OSPF Authentication
When OSPFv2 neighbor authentication is enabled on a router, the router
authenticates the source of each routing update packet that it receives. It
performs this authentication by embedding an authentication data field in
each OSPF packet. The authentication data is computed based on the
authentication key, sometimes referred to as a password, which is known
to both the sending and the receiving router.
By default, OSPF does not authenticate routing updates. This means that
routing exchanges over a network are not authenticated. OSPFv2 supports

Plain-text authentication:
Simple password authentication. Least secure and not recommended for production
environments.

MD5 authentication:
Secure and simple to configure using two commands. Should only be implemented if SHA
authentication is not supported.

SHA authentication:
Most secure solution using key chains. Referred to as the OSPFv2 cryptographic authentication
feature and only available since IOS 15.4(1)T.

Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

33

OSPF Authentication
OSPF MD5 Authentication
There are two tasks to enable MD5 hashing authentication:
Step 1.
Configure a key ID and keyword (password) using the ip ospf messagedigest-key key-id md5 password interface configuration command. The
key ID and password are used to generate the hash value that is
appended to the OSPF update. The password maximum length is 16
characters. Cisco IOS Software will display a warning if a password
longer than 16 characters is entered.
Step 2.
Enable MD5 authentication using either the ip ospf authentication
message-digest interface configuration command or the area area-id
authentication message-digest OSPF router configuration command. The
first command only enables MD5 authentication on a specific interface,
and the second command enables authentication for all OSPFv2
interfaces.
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

34

OSPF Authentication
OSPF MD5 Authentication
R1(config)# interface ethernet 0/2
R1(config-if)# ip ospf authentication message-digest
R1(config-if)# ip ospf message-digest-key 1 md5 secret-1

OR in an area
R1(config)# interface ethernet 0/0
R1(config-if)# ip ospf message-digest-key 1 md5 secret-2
R1(config-if)# exit
R1(config)#
R1(config)# router ospf 1
R1(config-router)# area 0 authentication message-digest

Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

35

OSPF Authentication
OSPFv2 Cryptographic Authentication
After IOS 15.4(1)T, OSPFv2 supports SHA hashing authentication using
key chains.
The feature prevents unauthorized or invalid routing updates in a network
by authenticating OSPFv2 protocol packets using HMAC-SHA algorithms.
A similar 2 step process allows the configuration.
Step 1.
Configure a key chain using the key chain key-name global configuration
command. The key chain contains the key ID and key string and enables the
cryptographic authentication feature using the cryptographic-algorithm authalgo key chain key configuration mode command.
Step 2.
Assign the key chain to the interface using the ip ospf authentication key-chain
key-name interface configuration mode command. This also enables the feature.
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

36

OSPF Authentication
OSPFv2 Cryptographic Authentication
R2(config)# key chain SHA-CHAIN
R2(config-keychain)# key 1
R2(config-keychain-key)# key-string secret-1
R2(config-keychain-key)# cryptographic-algorithm hmac-sha-256
R2(config-keychain-key)# exit
R2(config-keychain)# exit
R2(config)# interface s0/0/0
R2(config-if)# ip ospf authentication key-chain SHA-CHAIN

Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

37

OSPF Authentication
OSPFv3 Authentication
OSPFv3 requires the use of IPsec to enable authentication.
Crypto s are required to use authentication because only crypto
s include the IPsec application programming interfaces (APIs)
needed for use with OSPFv3.
In OSPFv3, authentication fields have been removed from
OSPFv3 packet headers.
When OSPFv3 runs on IPv6, OSPFv3 requires the IPv6
Authentication Header (AH) or IPv6 Encapsulating Security
Payload (ESP) header to ensure integrity, authentication, and
confidentiality of routing exchanges.
IPv6 AH and ESP extension headers can be used to provide
authentication and confidentiality to OSPFv3.
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

38

OSPF Authentication
Configuring OSPFv3 Authentication
To deploy OSPFv3 authentication, first define the security policy
on each of the devices within the group. The security policy
consists of the combination of the key and the security
parameter index (SPI). The SPI is an identification tag added to
the IPsec header.
The authentication policy can be configured either on an
interface or in an area.

Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

39

OSPF Authentication
Configuring OSPFv3 Authentication
R1(config)# interface Ethernet0/1
R1(config-if)# ipv6 ospf authentication ipsec spi 300 sha1
1234567890123456789012345678901234567890

OR
R1(config)# router ospfv3 1
R1(config-router)# area 0 authentication ipsec spi 500 sha1 123456789012345678901234
5678901234567890

Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

40

BGP Authentication
Configuring BGP Authentication
As enterprises increase their web presence and reliance on the Internet for
revenue, the need for reliable and geographically diverse Internet
connectivity has become more common. These needs are often met
through multihome configurations that require BGP for connectivity to a
service providers BGP-speaking routers.
However, introducing BGP routing into organizations introduces additional
risks that are present due to threats to BGP. One such threat is the
advertisement of false BGP routing updates that are sent from unauthorized
BGP peers. To prevent receiving of false routing updates, you can enable
BGP authentication, which prevents establishment of BGP session with
unauthorized BGP peers.

Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

41

BGP Authentication
BGP Authentication Configuration Checklist
BGP neighbor authentication can be configured on a router so that the
router authenticates the source of each routing update packet that it
receives.
This authentication is accomplished by the exchange of an authentication
key (password) that is shared between the source and destination routers.
Like EIGRP and OSPF, BGP also supports MD5 neighbor authentication.
To generate an MD5 hash value, BGP uses the shared secret key and
portions of the IP and TCP headers and the TCP payload. The MD5 hash is
then stored in TCP option 19, which is created specifically for this purpose
by RFC 2385.

Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

42

BGP Authentication

BGP Authentication
To enable MD5 authentication on a TCP connection between two BGP peers,
use the neighbor password router configuration command with IP address to
specify individual BGP peer, or use the peer group name to specify entire
group of peers, followed by the shared password.
R1(config)# router bgp 65100
R1(config-router)# neighbor 172.16.12.2 remote-as 65000
R1(config-router)# neighbor 172.16.12.2 password secret-1

The same config is used for ipv6 except the neighbor addresses are different.
R1(config)# router bgp 65100
R1(config-router)# neighbor 2001:db8:0:10::2 remote-as 65000
R1(config-router)# neighbor 2001:db8:0:10::2 password secret-2
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

43

Implementing VRF-Lite
Virtual Routing and Forwarding (VRF) is a technology that allows
the device to have multiple but separate instances of routing
tables exist and work simultaneously.
A VRF instance is essentially a logical router and consists of an
IP routing table, a forwarding table, a set of interfaces that use
the forwarding table, and a set of rules and routing protocols that
determine what goes into the forwarding table.
A VRF increases:
Network functionality by allowing network paths to be completely
segmented without using multiple devices.
Network security because traffic is automatically segmented. VRF is
conceptually similar to creating Layer 2 VLANs but operates at Layer 3.

Service providers (SPs) often take advantage of VRF to create


separate virtual private networks (VPNs) for customers.
Therefore, VRF is often referred to as VPN routing and
forwarding.
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

44

Implementing VRF-Lite
VRF and VRF-Lite
VRF is usually associated with a service provider running Multiprotocol Label
Switching (MPLS) because the two work well together. In a provider network, MPLS
isolates each customers network traffic, and a VRF is maintained for each customer.
However, VRF can be used in other deployments without using MPLS.
VRF-lite is the deployment of VRF without MPLS. With the VRF-lite feature, the
Catalyst switch supports multiple VPN routing/forwarding instances in customeredge devices.
VRF-lite allows an SP to support two or more VPNs with overlapping IP addresses
using one interface. VRF-lite uses input interfaces to distinguish routes for different
VPNs and forms virtual packet-forwarding tables by associating one or more Layer 3
interfaces with each VRF.
Interfaces in a VRF can be either physical, such as Ethernet or serial ports, or
logical, such as VLAN SVIs. However, a Layer 3 interface cannot belong to more than
one VRF at any time.
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

45

Implementing VRF-Lite
Note:
The VRF instance must be configured on an interface first; otherwise, an
error message will appear

Central(config)# ip vrf VRF-A

Central(config-vrf)# exit

Central(config)# ip vrf VRF-B

Central(config-vrf)# exit

Central(config)# interface Serial0/0/0

Central(config-if)# ip vrf forwarding VRF-A

Central(config-if)# ip address 10.10.1.1 255.255.255.252

Central(config-if)# clock rate 2000000

Central(config-if)# no shut

Central(config-if)# exit

Central(config)#

Central(config-if)# interface Serial0/0/1

Central(config-if)# ip vrf forwarding VRF-A

Central(config-if)# ip address 10.20.2.1 255.255.255.252

Central(config-if)# no shut

Central(config-if)# exit

Central(config)#

Central(config-if)# interface Serial0/1/0

Central(config-if)# ip vrf forwarding VRF-B

Central(config-if)# ip address 10.30.3.1 255.255.255.252

Central(config-if)# clock rate 2000000

Central(config-if)# no shut

Central(config-if)# exit

Central(config)#

Central(config-if)# interface Serial0/1/1

Central(config-if)# ip vrf forwarding VRF-B

Central(config-if)# ip address 10.40.4.1 255.255.255.252

Central(config-if)# no shut

Central(config-if)# exit

Central(config)#

Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

46

Implementing VRF-Lite
Central# show ip route | begin Gateway
Gateway of last resort is not set
Central#
Central# show ip route vrf VRF-A | begin Gateway
Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks


C
10.10.1.0/30 is directly connected, Serial0/0/0
L
10.10.1.1/32 is directly connected, Serial0/0/0
C
10.20.2.0/30 is directly connected, Serial0/0/1
L
10.20.2.1/32 is directly connected, Serial0/0/1
Central#
Central# show ip route vrf VRF-B | begin Gateway
Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks


10.30.3.0/30 is directly connected, Serial0/1/0
10.30.3.1/32 is directly connected, Serial0/1/0
10.40.4.0/30 is directly connected, Serial0/1/1
10.40.4.1/32 is directly connected, Serial0/1/1

C
L
C
L

Notice how the first IP routing table is empty.


Thats because the directly connected
interfaces now belong to the respective VRFs.
The next two routing tables displayed in the
example verify the content of each VRF.

Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

47

Implementing VRF-Lite
Now configure EIGRP to run on VRF-A
Central(config)# router eigrp 1
Central(config-router)# address-family ipv4 vrf VRF-A
Central(config-router-af)# network 10.10.1.0 0.0.0.3
Central(config-router-af)# network 10.20.2.0 0.0.0.3
Central(config-router-af)# autonomous-system 1
Central(config-router-af)# no auto-summary

Now configure OSPF to run on VRF-B


Central(config)# router ospf 1 vrf VRF-B
Central(config-router)# router-id 5.5.5.5
Central(config-router)# network 10.30.3.0 0.0.0.3 area 0
Central(config-router)# network 10.40.4.0 0.0.0.3 area 0

Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

48

Easy Virtual Network

For true path isolation, Cisco Easy Virtual Network (EVN) provides the simplicity of Layer 2
with the controls of Layer 3. EVN provides traffic separation and path isolation capabilities
on a shared network infrastructure.

EVN is an IP-based network virtualization solution that takes advantage of existing VRFlite technology to:

Simplify Layer 3 network virtualization

Improve support for shared services

Enhance management and troubleshooting

EVN reduces network virtualization configuration significantly across the entire network
infrastructure by creating a virtual network trunk. The traditional VRF-lite solution requires
creating one sub-interface per VRF on all switches and routers involved in the data path,
creating a lot of burden in configuration management.

Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

49

Easy Virtual Network

EVN improves shared services support with route replication. Multiple EVN users may
require common sets of services such as Internet connectivity, e-mail, video, Dynamic
Host Configuration Protocol (DHCP), or Domain Name System (DNS). Traditionally,
sharing common services can be achieved through importing and exporting routes
between virtual networks using Border Gateway Protocol (BGP), which is complex.

EVNs route replication feature allows each virtual network to have direct access to the
Routing Information Base (RIB) in each VRF, allowing the ability to

Link routes from a Shared VRF to several segmented VRFs but still maintain
separation where it is required
Remove dependency on the BGP route target and route distinguisher, simplifying
both configuration and complexity of importing and exporting routes
Remove duplicate routing tables or routes, saving memory and CPU

Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

50

Chapter 8 Summary
The chapter focused on the following topics:
Write and follow a security policy before securing a device.
Passwords are stored in the configuration and should be protected from
eavesdropping.
Use SSH instead of Telnet, especially when using it over an unsecure network.
Create router ALCs to protect the infrastructure by filtering traffic on the network
edge.
Secure SNMP if it is used on the network.
Periodically save the configuration in case it gets corrupted or changed.
Implement logging to an external destination to have insight into what is going
on in a network.
Disable unused services.
Unauthorized routers might launch a fictitious routing update to convince a
router to send traffic to an incorrect destination. Routers authenticate the source
of each routing update that is received when routing authentication is enabled.

Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

51

Chapter 8 Summary
The chapter focused on the following topics:
There are two types of routing authentication: plain-text and hashing
authentication.
Avoid using plain-text authentication.
A key chain is a set of keys that can be used with routing protocol
authentications.
Different routing protocols support different authentication options.
When EIGRP authentication is configured, the router verifies every EIGRP
packet.
Classic EIGRP for IPv4 and IPv6 supports MD5 authentication, and named
EIGRP supports SHA authentication.
To configure classic MD5 authentication, define a key, enable EIGRP
authentication mode on the interface, and associate the configured key with the
interface.
To configure SHA authentication, you need to use EIGRP named configuration
mode.
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

52

Chapter 8 Summary
The chapter focused on the following topics:
Verify the EIGRP authentication by verifying neighborship.
When authentication is configured, the router generates and checks every
OSPF packet and authenticates the source of each update packet that it
receives.
In OSPFv2 simple password authentication the routers send the key that is
embedded in the OSPF packets.
In OSPFv2 MD5 authentication the routers generate a hash of the key, key ID,
and message. The message digest is sent with the packet.
OSPFv3 uses native functionality offered by IPv6. All that is required for
OSPFv3 authentication is IPsec AH. AH provides authentication and integrity
check. IPsec ESP provides encryption for payloads, which is not required for
authentication.
BGP authentication uses MD5 authentication.
Router generates and verifies MD5 digest of every segment sent over the BGP
connection.
Verify BGP authentication by verifying if BGP sessions are up.
Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

53

Chapter 8
2007 2010, Cisco Systems, Inc. All rights reserved.

Cisco Public

54