Leaflet

24
OL-11615-01
For more information on the spanning-tree guard root command on the Catalyst 4500, refer to the
following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_2_31s/cmdref/snmp_vtp.htm#wp1031770
Routing Protocol Security
Routing is one of the most important parts of an infrastructure to keep a network running and, as such,
it is absolutely critical to take the necessary measures to secure it. There are different ways routing can
be compromised, from the injection of illegitimate updates to DoS attacks that are specifically designed
to disrupt routing.
Fortunately, Catalyst 6500 and 4500 Series switches support a set of features for BGP, IS-IS, OSPF,
EIGRP, and RIPv2 that help secure the routing infrastructure. The following are the recommended best
practices:
Neighbor Authentication, page 24
Route Filtering, page 25
TTL Security Check, page 26
Note Cisco IOS software provides other routing security features that are not directly related to infrastructure
protection, but that help secure the network. To learn more about these other security features, refer to
the Cisco IOS IP Protocols Configuration Guide at the following URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_book09186a0080087fa9.html
Neighbor Authentication
Neighbor authentication is a feature that is available on most routing protocols, and which ensures that
a router receives only reliable routing information from trusted neighbors. That is achieved by certifying
the authenticity of each neighbor and the integrity of its routing updates. Technically, each router is
initially configured with a shared secret key that is used to validate each routing update. Before sending
a routing update, each router is required to sign it with the predefined secret key and include the resulting
signature as part of the update message. Finally, the update is verified by the receiving neighbor to prove
its authenticity and integrity.
Most routing protocols support two types of neighbor authentication, plain text and Message Digest
Algorithm Version 5 (MD5) authentication. Plain text authentication consists of sending the secret key
in the clear inside each routing update message, which does not provide much security because keys can
be intercepted while in transit. MD5 authentication works by processing each routing update with an
MD5 hash function and by including the resulting signature (digest) as part of the routing update
message. MD5 authentication is more secure because the actual shared secret key is never sent over the
network.
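The keyed-MD5 scheme described above, as an added illustration that is not part of this guide or of Cisco IOS: it follows the OSPF cryptographic authentication procedure (RFC 2328, Appendix D), where the shared key padded to 16 bytes is appended to the update and MD5 is run over the concatenation. The routing update and key are constructed sample values; the key ID and cryptographic sequence number that OSPF also carries are omitted.

```python
import hashlib
import hmac

# Constructed example of keyed-MD5 neighbor authentication (OSPF style).
# The 16-byte digest, not the key, is what travels on the wire.
DIGEST_LEN = 16
KEY_LEN = 16


def _pad_key(key: bytes) -> bytes:
    """Zero-pad the shared secret to 16 bytes (longer keys are truncated)."""
    return key[:KEY_LEN].ljust(KEY_LEN, b"\x00")


def sign_update(update: bytes, key: bytes) -> bytes:
    """Sender side: append MD5(update || padded_key) to the update."""
    digest = hashlib.md5(update + _pad_key(key)).digest()
    return update + digest


def verify_update(message: bytes, key: bytes) -> bool:
    """Receiver side: recompute the digest over the body and compare."""
    if len(message) <= DIGEST_LEN:
        return False
    body, received = message[:-DIGEST_LEN], message[-DIGEST_LEN:]
    expected = hashlib.md5(body + _pad_key(key)).digest()
    return hmac.compare_digest(expected, received)


def plaintext_update(update: bytes, key: bytes) -> bytes:
    """Plain-text authentication: the key itself is carried in the message."""
    return _pad_key(key) + update


def demo() -> dict:
    key = b"ospf-area0-key"                      # constructed shared secret
    update = b"LSU seq=7 prefix=10.1.0.0/16 metric=10"   # constructed update
    signed = sign_update(update, key)
    # An in-transit modification of the metric (10 -> 99) with the old digest.
    tampered = signed[:len(update) - 2] + b"99" + signed[len(update):]
    return {
        "valid": verify_update(signed, key),                 # True
        "tampered": verify_update(tampered, key),            # False
        "wrong_key": verify_update(signed, b"other-key"),    # False
        "key_on_wire_md5": key in signed,                    # False
        "key_on_wire_plaintext": key in plaintext_update(update, key),  # True
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```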
MD5 neighbor authentication is available for the following routing protocols:
Border Gateway Protocol (BGP)
IP Enhanced Interior Gateway Routing Protocol (EIGRP)
Intermediate System-to-Intermediate System (IS-IS)