Table Of Contents
GLBP MD5 Authentication
Contents
Information About GLBP MD5 Authentication
How GLBP MD5 Authentication Works
Benefits of GLBP MD5 Authentication
How to Configure GLBP MD5 Authentication
Configuring GLBP MD5 Authentication Using a Key String
Configuring GLBP MD5 Authentication Using a Key Chain
Configuration Examples for GLBP MD5 Authentication
GLBP MD5 Authentication Using Key Strings: Example
GLBP MD5 Authentication Using Key Chains Example
Additional References
Related Documents
Standards
MIBs
RFCs
Technical Assistance
Command Reference
glbp authentication
show glbp
Glossary
GLBP MD5 Authentication
Prior to the introduction of the GLBP MD5 Authentication feature, the Gateway Load Balancing Protocol (GLBP) authenticated protocol packets with a simple plain text string. The GLBP MD5 Authentication feature is an enhancement to generate a Message Digest 5 (MD5) digest for the GLBP portion of the multicast GLBP protocol packet. This feature provides added security and protects against the threat from GLBP-spoofing software.
History for the GLBP MD5 Authentication Feature
Release
|
Modification
|
12.3(2)T
|
This feature was introduced.
|
12.2(18)S
|
This feature was integrated into Cisco IOS Release 12.2(18)S.
|
12.2(27)SBC
|
This feature was integrated into Cisco IOS Release 12.2(27)SBC.
|
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
•
Information About GLBP MD5 Authentication
•How to Configure GLBP MD5 Authentication
•Configuration Examples for GLBP MD5 Authentication
•Additional References
•Command Reference
•Glossary
Information About GLBP MD5 Authentication
Before you configure GLBP MD5 authentication, you should understand the following concepts:
•How GLBP MD5 Authentication Works
•Benefits of GLBP MD5 Authentication
How GLBP MD5 Authentication Works
MD5 authentication provides greater security than the alternative plain text authentication scheme. MD5 authentication allows each GLBP group member to use a secret key to generate a keyed MD5 hash of the packet that is part of the outgoing packet. A keyed hash of an incoming packet is generated and if the generated hash does not match the hash within the incoming packet, the packet is ignored.
The key for the MD5 hash can either be given directly in the configuration using a key string or supplied indirectly through a key chain.
A router will ignore incoming GLBP packets from other routers that do not have the same authentication configuration for a GLBP group. GLBP has three authentication schemes:
•No authentication
•Plain text authentication
•MD5 authentication
GLBP packets will be rejected in any of the following cases:
•The authentication schemes differ on the router and in the incoming packet.
•MD5 digests differ on the router and in the incoming packet.
•Text authentication strings differ on the router and in the incoming packet.
Benefits of GLBP MD5 Authentication
•Protects against spoofing software.
•Uses the industry-standard MD5 algorithm for improved reliability and security.
How to Configure GLBP MD5 Authentication
The following sections describe configuration tasks for GLBP MD5 authentication. The task you perform depends on whether you want to use a simple MD5 key string or MD5 key chains for authentication.
•Configuring GLBP MD5 Authentication Using a Key String
•Configuring GLBP MD5 Authentication Using a Key Chain
Configuring GLBP MD5 Authentication Using a Key String
This task describes how to configure GLBP MD5 authentication using a key string.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip address ip-address mask [secondary]
5. glbp group-number ip [ip-address [secondary]]
6. glbp group-number authentication md5 key-string [0 | 7] key
7. Repeat Steps 1 through 6 on each router that will communicate.
8. end
9. show glbp
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables higher privilege levels, such as privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
interface type number
Example:
Router(config)# interface Ethernet0/1
|
Configures an interface type and enters interface configuration mode.
|
Step 4
|
ip address ip-address mask [secondary]
Example:
Router(config-if)# ip address 10.0.0.1 255.255.255.0
|
Specifies a primary or secondary IP address for an interface.
|
Step 5
|
glbp group-number ip [ip-address [secondary]]
Example:
Router(config-if)# glbp 1 ip 10.0.0.10
|
Enables GLBP on an interface and identifies the primary IP address of the virtual gateway.
|
Step 6
|
glbp group-number authentication md5 key-string [0 | 7]
key
Example:
Router(config-if)# glbp 1 authentication md5
key-string d00b4r987654321a
|
Configures an authentication key for GLBP MD5 authentication.
•The number of characters in the command plus the key string must not exceed 255 characters.
•No prefix to the key argument or specifying 0 means the key is unencrypted.
•Specifying 7 means the key is encrypted. The key-string authentication key will automatically be encrypted if the service password-encryption global configuration command is enabled.
|
Step 7
|
Repeat Steps 1 through 6 on each router that will communicate.
|
—
|
Step 8
|
end
Example:
Router(config-if)# end
|
Returns to privileged EXEC mode.
|
Step 9
|
show glbp
Example:
Router# show glbp
|
(Optional) Displays GLBP information.
•Use this command to verify your configuration. The key string and authentication type will be displayed if configured.
|
Configuring GLBP MD5 Authentication Using a Key Chain
This task describes how to configure GLBP MD5 authentication using a key chain. Key chains allow a different key string to be used at different times according to the key chain configuration. GLBP will query the appropriate key chain to obtain the current live key and key ID for the specified key chain.
SUMMARY STEPS
1. enable
2. configure terminal
3. key chain name-of-chain
4. key key-id
5. key-string string
6. exit
7. interface type number
8. ip address ip-address mask [secondary]
9. glbp group-number ip [ip-address [secondary]]
10. glbp group-number authentication md5 key-chain name-of-chain
11. Repeat Steps 1 through 10 on each router that will communicate.
12. end
13. show glbp
14. show key chain
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables higher privilege levels, such as privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
key chain name-of-chain
Example:
Router(config)# key chain glbp2
|
Enables authentication for routing protocols and identifies a group of authentication keys.
|
Step 4
|
key key-id
Example:
Router(config-keychain)# key 100
|
Identifies an authentication key on a key chain.
•The key-id must be a number.
|
Step 5
|
key-string string
Example:
Router(config-keychain-key)# key-string xmen382
|
Specifies the authentication string for a key.
•The string can be 1 to 80 uppercase or lowercase alphanumeric characters; the first character cannot be a numeral.
|
Step 6
|
exit
Example:
Router(config-keychain-key)# exit
|
Returns to global configuration mode.
|
Step 7
|
interface type number
Example:
Router(config)# interface Ethernet0/1
|
Configures an interface type and enters interface configuration mode.
|
Step 8
|
ip address ip-address mask [secondary]
Example:
Router(config-if)# ip address 10.21.0.1 255.255.255.0
|
Specifies a primary or secondary IP address for an interface.
|
Step 9
|
glbp group-number ip [ip-address [secondary]]
Example:
Router(config-if)# glbp 1 ip 10.21.0.12
|
Enables GLBP on an interface and identifies the primary IP address of the virtual gateway.
|
Step 10
|
glbp group-number authentication md5 key-chain
name-of-chain
Example:
Router(config-if)# glbp 1 authentication md5 key-chain
glbp2
|
Configures an authentication MD5 key chain for GLBP MD5 authentication.
•The key chain name must match the name specified in Step 3.
|
Step 11
|
Repeat Steps 1 through 10 on each router that will communicate.
|
—
|
Step 12
|
end
Example:
Router(config-if)# end
|
Returns to privileged EXEC mode.
|
Step 13
|
show glbp
Example:
Router# show glbp
|
(Optional) Displays GLBP information.
•Use this command to verify your configuration. The key chain and authentication type will be displayed if configured.
|
Step 14
|
show key chain
Example:
Router# show key chain
|
(Optional) Displays authentication key information.
|
Configuration Examples for GLBP MD5 Authentication
This section provides the following configuration examples:
•GLBP MD5 Authentication Using Key Strings: Example
•GLBP MD5 Authentication Using Key Chains Example
GLBP MD5 Authentication Using Key Strings: Example
The following example configures GLBP MD5 authentication using a key string:
ip address 10.0.0.1 10.255.255.0
glbp 2 authentication md5 key-string ThisStringIsTheSecretKey
GLBP MD5 Authentication Using Key Chains Example
In the following example, GLBP queries the key chain "AuthenticateGLBP" to obtain the current live key and key ID for the specified key chain:
key chain AuthenticateGLBP
key-string ThisIsASecretKey
ip address 10.0.0.1 10.255.255.0
glbp 2 authentication md5 key-chain AuthenticateGLBP
Additional References
The following section provides information related to GLBP MD5 authentication.
Related Documents
Related Topic
|
Document Title
|
GLBP: complete command syntax, command mode, defaults, usage guidelines, and examples
|
Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services, Release 12.3
|
Key chains and key management: complete command syntax, command mode, defaults, usage guidelines, and examples
|
Cisco IOS IP Command Reference, Volume 2 of 4: Routing Protocols, Release 12.3
|
GLBP configuration tasks
|
Gateway Load Balancing Protocol feature document, Release 12.2(15)T
|
Key chain and key management configuration tasks
|
Cisco IOS IP Configuration Guide
|
Standards
Standards
|
Title
|
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
|
—
|
MIBs
MIBs
|
MIBs Link
|
No new MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.
|
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
http://www.cisco.com/go/mibs
|
RFCs
RFCs
|
Title
|
RFC 1828
|
IP Authentication Using Keyed MD5
|
Technical Assistance
Description
|
Link
|
The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.
|
http://www.cisco.com/techsupport
|
Command Reference
This section documents modified commands only.
•glbp authentication
•show glbp
glbp authentication
To configure an authentication string for the Gateway Load Balancing Protocol (GLBP), use the glbp authentication command in interface configuration mode. To disable authentication, use the no form of this command.
glbp group-number authentication {text string | md5 {key-string [0 | 7] key | key-chain
name-of-chain}}
no glbp group-number authentication {text string | md5 {key-string [0 | 7] key | key-chain
name-of-chain}}
Syntax Description
group-number
|
GLBP group number in the range from 0 to 1023.
|
text string
|
Specifies an authentication string. The number of characters in the command plus the text string must not exceed 255 characters.
|
md5
|
Message Digest 5 (MD5) authentication.
|
key-string key
|
Specifies the secret key for MD5 authentication. The number of characters in the command plus the key string must not exceed 255 characters. We recommend using at least 16 characters.
|
0
|
(Optional) Unencrypted key. If no prefix is specified, the key is unencrypted.
|
7
|
(Optional) Encrypted key.
|
key-chain name-of-chain
|
Identifies a group of authentication keys.
|
Defaults
No authentication of GLBP messages occurs.
Command Modes
Interface configuration
Command History
Release
|
Modification
|
12.2(14)S
|
This command was introduced.
|
12.2(15)T
|
This command was integrated into Cisco IOS Release 12.2(15)T.
|
12.3(2)T
|
The md5 keyword and associated parameters were added.
|
12.2(27)SBC
|
This command was integrated into Cisco IOS Release 12.2(27)SBC.
|
Usage Guidelines
The same authentication method must be configured on all the routers that are configured to be members of the same GLBP group, to ensure interoperation. A router will ignore all GLBP messages that contain the wrong authentication information.
If password encryption is configured with the service password-encryption command, the software saves the key string in the configuration as encrypted text.
Examples
The following example configures stringxyz as the authentication string required to allow GLBP routers in group 10 to interoperate:
interface fastethernet 0/0
glbp 10 authentication text stringxyz
In the following example, GLBP queries the key chain "AuthenticateGLBP" to obtain the current live key and key ID for the specified key chain:
key chain AuthenticateGLBP
key-string ThisIsASecretKey
ip address 10.0.0.1 255.255.255.0
glbp 2 authentication md5 key-chain AuthenticateGLBP
Related Commands
Command
|
Description
|
glbp ip
|
Enables GLBP.
|
service password-encryption
|
Encrypts passwords.
|
show glbp
To display Gateway Load Balancing Protocol (GLBP) information, use the show glbp command in privileged EXEC mode.
show glbp [interface-type interface-number] [group-number] [state] [brief]
Syntax Description
interface-type interface-number
|
(Optional) Interface type and number for which output is displayed.
|
group-number
|
(Optional) GLBP group number in the range from 0 to 1023.
|
state
|
(Optional) State of the GLBP router, one of the following: active, disabled, init, listen, speak, and standby.
|
brief
|
(Optional) Summarizes each virtual gateway or virtual forwarder with a single line of output.
|
Command Modes
Privileged EXEC
Command History
Release
|
Modification
|
12.2(14)S
|
This command was introduced.
|
12.2(15)T
|
This command was integrated into Cisco IOS Release 12.2(15)T.
|
12.3(2)T
|
The output was enhanced to display information about Message Digest 5 (MD5) authentication.
|
12.3(7)T
|
The output was enhanced to display information about assigned redundancy names to specified groups.
|
12.2(27)SBC
|
This command was integrated into Cisco IOS Release 12.2(27)SBC.
|
Usage Guidelines
Use the show glbp command to display information about GLBP groups on a router. The brief keyword displays a single line of information about each virtual gateway or virtual forwarder.
Examples
The following is sample output from the show glbp command:
FastEthernet0/0 - Group 10
2 state changes, last state change 23:50:33
Virtual IP address is 10.21.8.10
Hello time 5 sec, hold time 18 sec
Next hello sent in 4.300 secs
Redirect time 600 sec, forwarder time-out 7200 sec
Authentication MD5, key "ThisStringIsTheSecretKey"
Preemption enabled, min delay 60 sec
Priority 254 (configured)
Weighting 105 (configured 110), thresholds: lower 95, upper 105
Track object 2 state Down decrement 5
Load balancing: host-dependent
There is 1 forwarder (1 active)
1 state change, last state change 23:50:15
MAC address is 0007.b400.0101 (default)
Owner ID is 0005.0050.6c08
Preemption enabled, min delay 60 sec
Active is local, weighting 105
The following is sample output from the show glbp command with the brief keyword specified:
Interface Grp Fwd Pri State Address Active router Standby router
Fa0/0 10 - 254 Active 10.21.8.10 local unknown
Fa0/0 10 1 7 Active 0007.b400.0101 local -
The following is sample output from the show glbp command that displays GLBP group 10:
FastEthernet0/0 - Group 10
2 state changes, last state change 23:50:33
Virtual IP address is 10.21.8.10
Hello time 5 sec, hold time 18 sec
Next hello sent in 4.300 secs
Redirect time 600 sec, forwarder time-out 7200 sec
Authentication MD5, key "ThisStringIsTheSecretKey"
Preemption enabled, min delay 60 sec
Priority 254 (configured)
Weighting 105 (configured 110), thresholds: lower 95, upper 105
Track object 2 state Down decrement 5
Load balancing: host-dependent
There is 1 forwarder (1 active)
1 state change, last state change 23:50:15
MAC address is 0007.b400.0101 (default)
Owner ID is 0005.0050.6c08
Preemption enabled, min delay 60 sec
Active is local, weighting 105
The following output shows that the redundancy name has been assigned to the "glbp1" group:
Router# show glbp ethernet0/1 1
Ethernet0/1 - Group 1
State is Listen
64 state changes, last state change 00:00:54
Virtual IP address is 10.1.0.7
Hello time 50 msec, hold time 200 msec
Next hello sent in 0.030 secs
Redirect time 600 sec, forwarder time-out 14400 sec
Authentication text "authword"
Preemption enabled, min delay 0 sec
Active is 10.1.0.2, priority 105 (expires in 0.184 sec)
Standby is 10.1.0.3, priority 100 (expires in 0.176 sec)
Priority 96 (configured)
Weighting 100 (configured 100), thresholds: lower 95, upper 100
Track object 1 state Up decrement 10
Load balancing: round-robin
IP redundancy name is "glbp1"
Group members:
0004.4d83.4801 (10.0.0.0)
0010.7b5a.fa41 (10.0.0.1)
00d0.bbd3.bc21 (10.0.0.2) local
Table 1 describes the significant fields shown in the displays.
Table 1 show glbp Field Descriptions
Field
|
Description
|
FastEthernet0/0 - Group
|
Interface type and number and GLBP group number for the interface.
|
State is
|
State of the virtual gateway or virtual forwarder. For a virtual gateway, the state can be one of the following:
•Active—The gateway is the active virtual gateway (AVG) and is responsible for responding to Address Resolution Protocol (ARP) requests for the virtual IP address.
•Disabled—The virtual IP address has not been configured or learned yet, but another GLBP configuration exists.
•Initial—The virtual IP address has been configured or learned, but virtual gateway configuration is not complete. An interface must be up and configured to route IP, and an interface IP address must be configured.
•Listen—The virtual gateway is receiving hello packets and is ready to change to the "speak" state if the active or standby virtual gateway becomes unavailable.
•Speak—The virtual gateway is attempting to become the active or standby virtual gateway.
•Standby—The gateway is next in line to be the AVG.
|
| |
For a virtual forwarder, the state can be one of the following:
•Active—The gateway is the active virtual forwarder (AVF) and is responsible for forwarding packets sent to the virtual forwarder MAC address.
•Disabled—The virtual MAC address has not been assigned or learned. This is a transitory state because a virtual forwarder changing to a disabled state is deleted.
•Initial—The virtual MAC address is known, but virtual forwarder configuration is not complete. An interface must be up and configured to route IP, an interface IP address must be configured, and the virtual IP address must be known.
•Listen—The virtual forwarder is receiving hello packets and is ready to change to the "active" state if the AVF becomes unavailable.
|
Virtual IP address is
|
The virtual IP address of the GLBP group. All secondary virtual IP addresses are listed on separate lines. If one of the virtual IP addresses is a duplicate of an address configured for another device, it will be marked as "duplicate." A duplicate address indicates that the router has failed to defend its ARP cache entry.
|
Hello time, hold time
|
The hello time is the time between hello packets (in seconds or milliseconds). The hold time is the time (in seconds or milliseconds) before other routers declare the active router to be down. All routers in a GLBP group use the hello- and hold-time values of the current AVG. If the locally configured values are different, the configured values appear in parentheses after the hello- and hold-time values.
|
Next hello sent in
|
The time until GLBP will send the next hello packet (in seconds or milliseconds).
|
Preemption
|
Whether GLBP gateway preemption is enabled. If enabled, the minimum delay is the time (in seconds) for which a higher-priority nonactive router will wait before preempting the lower-priority active router.
This field is also displayed under the forwarder section where it indicates GLBP forwarder preemption.
|
Active is
|
The active state of the virtual gateway. The value can be "local," "unknown," or an IP address. The address (and the expiration date of the address) is the address of the current AVG.
This field is also displayed under the forwarder section where it indicates the address of the current AVF.
|
Standby is
|
The standby state of the virtual gateway. The value can be "local," "unknown," or an IP address. The address (and the expiration date of the address) is the address of the standby gateway (the gateway that is next in line to be the AVG).
|
Weighting
|
The initial weighting value with lower and upper threshold values.
|
Track object
|
The list of objects that are being tracked and their corresponding states.
|
IP redundancy name is
|
The name of the GLBP group.
|
Related Commands
Command
|
Description
|
glbp ip
|
Enables GLBP.
|
glbp timers
|
Configures the time between hello messages and the time before other routers declare the active GLBP router to be down.
|
glbp weighting track
|
Specifies an object to be tracked that affects the weighting of a GLBP gateway.
|
Glossary
encryption—Encryption is the translation of data into a secret code. Encryption is a way to achieve data security. Encryption prevents the password or key from being easily readable in the configuration file.
MD5—Message Digest 5. An algorithm that is used to create digital signatures. MD5 is a one-way hash function, meaning that it takes a message and converts it into a fixed string of digits, also called a message digest. When using a one-way hash function, you can compare a calculated message digest against the received message digest to verify that the message hasn't been tampered with. This comparison is called a hashcheck.
Note Refer to Internetworking Terms and Acronyms for terms not included in this glossary.
© 2003, 2005 Cisco Systems, Inc. All rights reserved.
