Beruflich Dokumente
Kultur Dokumente
Topology.
Objectives
Secure EIGRP routing protocol using SHA authentication.
Secure OSPF routing protocol using SHA authentication.
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 28
CCNPv7 ROUTE Lab 8-2, Routing Protocol Authentication
Background
The
In this lab, you build a multi-router network and secure the routing protocols used between R1, R2, and R3.
Note: This lab uses Cisco 1941 routers with Cisco IOS Release 15.2 with IP Base. Depending on the router
or switch model and Cisco IOS Software version, the commands available and output produced might vary
from what is shown in this lab.
Required Resources
3 routers (Cisco IOS Release 15.2 or comparable)
Serial and Ethernet cables
De acuerdo con la solicitud de recursos del ejercicio, lo primero que se hara es actualizar el
IOS de los equipos a 15.5:
IOS ACTUAL:
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 2 of 28
CCNPv7 ROUTE Lab 8-2, Routing Protocol Authentication
Se configura router para realizar boot con el nuevo IOS y se reinicia, se comprueba que
arranque con la nueva versión de IOS:
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 3 of 28
CCNPv7 ROUTE Lab 8-2, Routing Protocol Authentication
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 4 of 28
CCNPv7 ROUTE Lab 8-2, Routing Protocol Authentication
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 5 of 28
CCNPv7 ROUTE Lab 8-2, Routing Protocol Authentication
Note: Depending on the router model, interfaces might be numbered differently than those listed. You
might need to alter the designations accordingly.
R1
hostname R1
interface Loopback 0
description R1 LAN
ip address 192.168.1.1 255.255.255.0
exit
!
interface Serial0/0/0
description R1 --> R2
ip address 10.1.1.1 255.255.255.252
clock rate 128000
no shutdown
exit
!
end
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 6 of 28
CCNPv7 ROUTE Lab 8-2, Routing Protocol Authentication
R2
hostname R2
!
interface Serial0/0/0
description R2 --> R1
ip address 10.1.1.2 255.255.255.252
no shutdown
exit
interface Serial0/0/1
description R2 --> R3
ip address 10.2.2.1 255.255.255.252
clock rate 128000
no shutdown
exit
!
end
R3
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 7 of 28
CCNPv7 ROUTE Lab 8-2, Routing Protocol Authentication
hostname R3
!
interface Loopback0
description R3 LAN
ip address 192.168.3.1 255.255.255.0
exit
interface Serial0/0/1
description R3 --> R2
ip address 10.2.2.2 255.255.255.252
no shutdown
exit
!
end
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 8 of 28
CCNPv7 ROUTE Lab 8-2, Routing Protocol Authentication
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 9 of 28
CCNPv7 ROUTE Lab 8-2, Routing Protocol Authentication
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 10 of 28
CCNPv7 ROUTE Lab 8-2, Routing Protocol Authentication
e. From the R1 router, run the following Tcl script to verify connectivity.
foreach address {
192.168.1.1
10.1.1.1
10.1.1.2
10.2.2.1
10.2.2.2
192.168.3.1
} { ping $address }
R1(tcl)#foreach address {
+>(tcl)#192.168.1.1
+>(tcl)#10.1.1.1
+>(tcl)#10.1.1.2
+>(tcl)#10.2.2.1
+>(tcl)#10.2.2.2
+>(tcl)#192.168.3.1
+>(tcl)#} { ping $address }
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/14/16 ms
Type escape sequence to abort.
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 11 of 28
CCNPv7 ROUTE Lab 8-2, Routing Protocol Authentication
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 12 of 28
CCNPv7 ROUTE Lab 8-2, Routing Protocol Authentication
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 13 of 28
CCNPv7 ROUTE Lab 8-2, Routing Protocol Authentication
Como se puede ver en este punto ya no es posible asociar la autenticación creada al EIGRP
sobre la interface indicada, tal y como se hace la referencia en el paso 2, la autenticación SHA
de EIGRP solamente se puede configurar utilizando el método de nombrado en el protocolo,
como el simulador no soporta estos comandos NO se puede continuar con el resto del
ejercicio de cifrado en EIGRP.
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 14 of 28
CCNPv7 ROUTE Lab 8-2, Routing Protocol Authentication
d. Next, enable authentication on the serial 0/0/0 and serial 0/0/1 interfaces of R2.
R2(config)# router eigrp ROUTE
R2(config-router)# address-family ipv4 autonomous-system 1
R2(config-router-af)# af-interface S0/0/0
R2(config-router-af-interface)# authentication key-chain NAMED-R2-Chain
R2(config-router-af-interface)# authentication mode hmac-sha-256 secret-2
R2(config-router-af-interface)# exit
R2(config-router-af)# af-interface S0/0/1
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 15 of 28
CCNPv7 ROUTE Lab 8-2, Routing Protocol Authentication
Notice how the first informational message is saying that the adjacency with R3 has changed to down.
This is because R2 no longer accepts the updates from R3 because they are not authenticated.
However, the second information message is saying that the adjacency with R1 has been restored
because they are now authenticating each other’s routing updates.
g. From the R1 router, run the following Tcl script to verify connectivity.
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 16 of 28
CCNPv7 ROUTE Lab 8-2, Routing Protocol Authentication
foreach address {
192.168.1.1
10.1.1.1
10.1.1.2
10.2.2.1
10.2.2.2
192.168.3.1
} { ping $address }
R1(tcl)#foreach address {
+>(tcl)#192.168.1.1
+>(tcl)#10.1.1.1
+>(tcl)#10.1.1.2
+>(tcl)#10.2.2.1
+>(tcl)#10.2.2.2
+>(tcl)#192.168.3.1
+>(tcl)#} { ping $address }
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/14/16 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/14/16 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
R1(tcl)#
Are the pings now successful?
_______________________________________________________________________________
_______________________________________________________________________________
h. Next we will configure OSPF routing protocol authentication. Therefore, remove EIGRP from R1, R2, and
R3 using the no router eigrp ROUTE command on all three routers.
R1(config)# no router eigrp ROUTE
R1(config)
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 17 of 28
CCNPv7 ROUTE Lab 8-2, Routing Protocol Authentication
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 18 of 28
CCNPv7 ROUTE Lab 8-2, Routing Protocol Authentication
d. From the R1 router, run the following Tcl script to verify connectivity.
foreach address {
192.168.1.1
10.1.1.1
10.1.1.2
10.2.2.1
10.2.2.2
192.168.3.1
} { ping $address }
R1(tcl)#foreach address {
+>(tcl)#192.168.1.1
+>(tcl)#10.1.1.1
+>(tcl)#10.1.1.2
+>(tcl)#10.2.2.1
+>(tcl)#10.2.2.2
+>(tcl)#192.168.3.1
+>(tcl)#} { ping $address }
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/27/28 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/14/16 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 19 of 28
CCNPv7 ROUTE Lab 8-2, Routing Protocol Authentication
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/14/16 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
R1(tcl)#
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 20 of 28
CCNPv7 ROUTE Lab 8-2, Routing Protocol Authentication
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 21 of 28
CCNPv7 ROUTE Lab 8-2, Routing Protocol Authentication
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 22 of 28
CCNPv7 ROUTE Lab 8-2, Routing Protocol Authentication
d. Next, enable authentication on the serial 0/0/0 and serial 0/0/1 interfaces of R2.
R2(config)# interface s0/0/0
R2(config-if)# ip ospf authentication key-chain SHA-CHAIN
R2(config-if)# exit
R2(config)#
R2(config)# interface s0/0/1
R2(config-if)# ip ospf authentication key-chain SHA-CHAIN
R2(config-if)#
Jan 10 11:08:42.523: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.1.1 on Serial0/0/0
from LOADING to FULL, Loading Done
R2(config-if)#
Jan 10 11:09:14.487: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.3.1 on Serial0/0/1
from FULL to DOWN, Neighbor Down: Dead timer expired
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 23 of 28
CCNPv7 ROUTE Lab 8-2, Routing Protocol Authentication
Notice how the first informational message is saying that the adjacency with R1 has been restored
because they are now authenticating each other’s routing updates.
However, the second information message is saying that the adjacency with R3 has changed to down.
This is because R2 no longer accepts the updates from R3 because they are not authenticated.
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 24 of 28
CCNPv7 ROUTE Lab 8-2, Routing Protocol Authentication
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 25 of 28
CCNPv7 ROUTE Lab 8-2, Routing Protocol Authentication
g. From the R1 router, run the following Tcl script to verify connectivity.
foreach address {
192.168.1.1
10.1.1.1
10.1.1.2
10.2.2.1
10.2.2.2
192.168.3.1
} { ping $address }
R1(tcl)#foreach address {
+>(tcl)#192.168.1.1
+>(tcl)#10.1.1.1
+>(tcl)#10.1.1.2
+>(tcl)#10.2.2.1
+>(tcl)#10.2.2.2
+>(tcl)#192.168.3.1
+>(tcl)#} { ping $address }
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 26 of 28
CCNPv7 ROUTE Lab 8-2, Routing Protocol Authentication
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 27 of 28
CCNPv7 ROUTE Lab 8-2, Routing Protocol Authentication
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 28 of 28