
Table of Contents

IP Enhanced IGRP Route Authentication

Description

Platforms

Prerequisites

Configuration Tasks

Configuration Example

Command Reference

IP Enhanced IGRP Route Authentication

Description

This feature provides MD5 authentication of routing updates from the IP Enhanced IGRP routing protocol. The MD5 keyed digest in each IP Enhanced IGRP packet prevents the introduction of unauthorized or false routing messages from unapproved sources.

Platforms

This feature is supported on these platforms:

Prerequisites

Before you can enable Enhanced IGRP route authentication, you must enable IP Enhanced IGRP.

Configuration Tasks

To enable authentication of IP Enhanced IGRP packets, perform the following tasks beginning in interface configuration mode:

Step    Task / Command

Step 1  Enable MD5 authentication in IP Enhanced IGRP packets.
        ip authentication mode eigrp autonomous-system md5

Step 2  Enable authentication of IP Enhanced IGRP packets.
        ip authentication key-chain eigrp autonomous-system key-chain

Step 3  Exit to global configuration mode.
        exit

Step 4  Identify a key chain. (Match the name configured in Step 1.)
        key chain name-of-chain

Step 5  In key chain configuration mode, identify the key number.
        key number

Step 6  In key chain key configuration mode, identify the key string.
        key-string text

Step 7  Optionally specify the time period during which the key can be received.
        accept-lifetime start-time {infinite | end-time | duration seconds}

Step 8  Optionally specify the time period during which the key can be sent.
        send-lifetime start-time {infinite | end-time | duration seconds}

Each key has its own key identifier (specified with the key number command), which is stored locally. The combination of the key identifier and the interface associated with the message uniquely identifies the authentication algorithm and MD5 authentication key in use.

You can configure multiple keys with lifetimes. Only one authentication packet is sent, regardless of how many valid keys exist. The software examines the key numbers in order from lowest to highest, and uses the first valid key it encounters. Note that the router needs to know the time. Refer to the NTP and calendar commands in the "Managing the System" chapter of the Cisco IOS Release 11.2 Configuration Fundamentals Configuration Guide.

Configuration Example

The following example enables MD5 authentication on IP Enhanced IGRP packets in autonomous system 1. Figure 11 shows the scenario.


Figure 11: Enhanced IGRP Route Authentication Scenario



Router A:

 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 holly
key chain holly
 key 1
  key-string 0987654321
  accept-lifetime infinite
  send-lifetime 04:00:00 Dec 4 1996 04:48:00 Dec 4 1996
 exit
 key 2
  key-string 1234567890
  accept-lifetime infinite
  send-lifetime 04:45:00 Dec 4 1996 infinite

Router B:

 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 mikel
key chain mikel
 key 1
  key-string 0987654321
  accept-lifetime infinite
  send-lifetime 04:00:00 Dec 4 1996 infinite
 exit
 key 2
  key-string 1234567890
  accept-lifetime infinite
  send-lifetime 04:45:00 Dec 4 1996 infinite

Router A will accept and attempt to verify the MD5 digest of any Enhanced IGRP packet with a key equal to 1. It will also accept a packet with a key equal to 2. All other MD5 packets will be dropped. Router A will send all Enhanced IGRP packets with key 2.

Router B will accept key 1 or key 2, and will send key 1. In this scenario, MD5 will authenticate.
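The key selection rule from the Configuration Tasks section (lowest-numbered valid key is sent), applied to the Router A and Router B key chains above. This is an added example, a Python model written for this page and not Cisco code; the function names, the treatment of "accept-lifetime infinite" as always valid, and the exclusive end of a lifetime are assumptions.

```python
from datetime import datetime

ALWAYS = (datetime.min, datetime.max)   # assumption: models "infinite" with no start time

def ts(text):
    """Parse the timestamp form used in the example, e.g. '04:45:00 Dec 4 1996'."""
    return datetime.strptime(text, "%H:%M:%S %b %d %Y")

def key(string, accept, send):
    return {"string": string, "accept": accept, "send": send}

# Key chains transcribed from the Router A / Router B example on this page.
ROUTER_A = {
    1: key("0987654321", ALWAYS, (ts("04:00:00 Dec 4 1996"), ts("04:48:00 Dec 4 1996"))),
    2: key("1234567890", ALWAYS, (ts("04:45:00 Dec 4 1996"), datetime.max)),
}
ROUTER_B = {
    1: key("0987654321", ALWAYS, (ts("04:00:00 Dec 4 1996"), datetime.max)),
    2: key("1234567890", ALWAYS, (ts("04:45:00 Dec 4 1996"), datetime.max)),
}

def in_window(window, now):
    start, end = window
    return start <= now < end            # assumption: end of a lifetime is exclusive

def send_key(chain, now):
    """Lowest-numbered key whose send-lifetime covers `now`, else None."""
    for key_id in sorted(chain):
        if in_window(chain[key_id]["send"], now):
            return key_id
    return None

def accepts(chain, key_id, string, now):
    """Receiver side: key id is known, inside accept-lifetime, same key string."""
    k = chain.get(key_id)
    return k is not None and in_window(k["accept"], now) and k["string"] == string

def exchange(sender, receiver, now):
    """Return (key id the sender uses, whether the receiver would accept it)."""
    key_id = send_key(sender, now)
    if key_id is None:                   # clock outside every send-lifetime
        return None, False
    return key_id, accepts(receiver, key_id, sender[key_id]["string"], now)

if __name__ == "__main__":
    for label in ("03:00:00", "04:30:00", "04:46:00", "05:00:00"):
        now = ts(label + " Dec 4 1996")
        print(label, "A->B", exchange(ROUTER_A, ROUTER_B, now),
              "B->A", exchange(ROUTER_B, ROUTER_A, now))
```

In this model Router A still sends key 1 during the 04:45:00 to 04:48:00 overlap and sends key 2 only after key 1's send-lifetime ends. A clock set before 04:00:00 leaves neither router with an eligible send key, which is why the router needs to know the time.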

Command Reference

The commands used in the "Configuration Tasks" section that do not appear in this section were previously documented in the Cisco IOS Release 11.2 Network Protocols Command Reference, Part 1, in the "IP Routing Protocols Commands" chapter.

This section documents the following new commands:

ip authentication key-chain eigrp

To enable authentication of IP Enhanced IGRP packets, use the ip authentication key-chain eigrp interface configuration command. To disable such authentication, use the no form of this command.

ip authentication key-chain eigrp autonomous-system key-chain
no ip authentication key-chain eigrp autonomous-system key-chain

Syntax Description

autonomous-system    Autonomous system to which the authentication applies.
key-chain            Name of the authentication key chain.

Default

No authentication is provided for Enhanced IGRP packets.

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2 F.

Example

The following example applies authentication to autonomous system 2 and identifies a key chain named sports:

ip authentication key-chain eigrp 2 sports

Related Commands

accept-lifetime
ip authentication mode eigrp
key
key chain
key-string
send-lifetime

ip authentication mode eigrp

To specify the type of authentication used in IP Enhanced IGRP packets, use the ip authentication mode eigrp interface configuration command. To disable that type of authentication, use the no form of this command.

ip authentication mode eigrp autonomous-system md5
no ip authentication mode eigrp autonomous-system md5

Syntax Description

autonomous-system    Autonomous system number.
md5                  Keyed MD5 authentication.

Default

No authentication is provided for IP Enhanced IGRP packets.

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2 F.

Configure authentication to prevent unapproved sources from introducing unauthorized or false routing messages. When authentication is configured, an MD5 keyed digest is added to each Enhanced IGRP packet in the specified autonomous system.

Example

The following example configures the interface to use MD5 authentication in Enhanced IGRP packets in autonomous system 10:

ip authentication mode eigrp 10 md5

Related Commands

accept-lifetime
ip authentication key-chain eigrp
key
key chain
key-string
send-lifetime

Copyright 1989-1997 © Cisco Systems Inc.