Protocol Authentication

This chapter contains the following sections:

COOP

Overview

Council of Oracle Protocol (COOP) is used to communicate the mapping information (location and identity) to the spine proxy. A leaf switch forwards endpoint address information to the spine switch 'Oracle' using Zero Message Queue (ZMQ). COOP running on the spine nodes will ensure all spine nodes maintain a consistent copy of endpoint address and location information and additionally maintain the distributed hash table (DHT) repository of endpoint identity to location mapping database.

COOP data path communication provides high priority to transport using secured connections. COOP is enhanced to leverage the MD5 option to protect COOP messages from malicious traffic injection. The APIC controller and switches support COOP protocol authentication.

COOP protocol is enhanced to support two ZMQ authentication modes: strict and compatible.

  • Strict mode: COOP allows MD5 authenticated ZMQ connections only.

  • Compatible mode: COOP accepts both MD5 authenticated and non-authenticated ZMQ connections for message transportation.

Using COOP with Cisco APIC

To support COOP Zero Message Queue (ZMQ) authentication support across the Cisco Application Centric Infrastructure (ACI) fabric, the Application Policy Infrastructure Controller (APIC) supports the MD5 password and also supports the COOP secure mode.

COOP ZMQ Authentication Type Configuration—A new managed object, coop:AuthP, is added to the Data Management Engine (DME)/COOP database (coop/inst/auth). The default value for the attribute type is "compatible", and users have the option to configure the type to be "strict".

COOP ZMQ Authentication MD5 password—The APIC provides a managed object (fabric:SecurityToken), that includes an attribute to be used for the MD5 password. An attribute in this managed object, called "token", is a string that changes every hour. COOP obtains the notification from the DME to update the password for ZMQ authentication. The attribute token value is not displayed.

Guidelines and Limitations

Follow these guidelines and limitations:

  • During an ACI fabric upgrade, the COOP strict mode is disallowed until all switches are upgraded. This protection prevents the unexpected rejection of a COOP connection that could be triggered by prematurely enabling the strict mode.

Configuring COOP Authentication Using the APIC GUI

Procedure

Step 1

On the menu bar, choose System > System Settings.

Step 2

In the Navigation pane, click on COOP Group.

Step 3

In the Work pane, under the Policy Property area in the Type field, choose the desired type from the Compatible Type and Strict Type options.

Step 4

Click Submit.

This completes the COOP authentication policy configuration.

Configuring COOP Authentication Using the Cisco NX-OS-Style CLI

Procedure

Configure the COOP authentication policy using the strict mode option.

Example:

apic1# configure
apic1(config)# coop-fabric
apic1(config-coop-fabric)# authentication type ?
compatible  Compatible type
strict      Strict type
apic101-apic1(config-coop-fabric)# authentication type strict

Configuring COOP Authentication Using the REST API

Procedure

Configure a COOP authentication policy.

In the example, the strict mode is chosen.

Example:

https://172.23.53.xx/api/node/mo/uni/fabric/pol-default.xml
 
<coopPol type="strict">
</coopPol>

EIGRP

Overview

EIGRP combines the benefits of distance vector protocols with the features of link-state protocols. EIGRP sends out periodic Hello messages for neighbor discovery. Once EIGRP learns a new neighbor, it sends a one-time update of all the local EIGRP routes and route metrics. The receiving EIGRP router calculates the route distance based on the received metrics and the locally assigned cost of the link to that neighbor. After this initial full route table update, EIGRP sends incremental updates to only those neighbors affected by the route change. This process speeds convergence and minimizes the bandwidth used by EIGRP.

For Cisco APIC, EIGRP Authentication uses Route-map's keychain infrastructure for MD5 Authentication. It takes two parameters to configure Authentication between two EIGRP peers. The parameters are:

  • Mode

  • Keychain

Guidelines and Limitations

Follow these guidelines and limitations:

  • Only MD5 Authentication is supported. Keychain is the Keychain name configured under RPM.

  • When there is authentication mismatch between two EIGRP peers, then neighborship flaps. The reason for the flap can be verified in show eigrp internal event-history syslog.

Configuring EIGRP Authentication Using the APIC GUI

Procedure

Step 1

On the menu bar, choose Tenanttenant-name.

Step 2

In the Navigation pane, expand Policies > Protocol > EIGRP.

Step 3

Expand EIGRP and right-click EIGRP KeyChains to open Create Keychain Policy and perform the following actions:

  1. In the Name field, enter a name for the policy.

  2. In the KeyID field, enter a key ID number.

  3. In the Preshared key field, enter the preshared key information.

  4. Optional. In the Start Time and End Time fields, enter a time.

Step 4

In the Navigation pane, right-click on EIGRP Interface and perform the following actions:

  1. In the Authentication field, click the box to enable.

  2. In the Key Chain Policy field, select the policy just created from the drop-down and click Submit.

Configuring EIGRP Authentication Using the NX-OS CLI

Procedure

Step 1

Configure keychain-policy and key-policy under Tenant.

Example:

tenant T1 
keychain-policy KeyChainPol
key-policy 2

Step 2

Optional. Configure Start time.

Example:

startime 2018-11-01T08:39:27.000+00:00
exit

Step 3

Enter the leaf configuration from APIC. Enable authentication in the interface and configure the key-chain policy.

Example:

IFC1(config-leaf)# show run 
# Command: show running-config leaf 104
# Time: Thu Nov 8 12:05:45 2018
leaf 104 
interface ethernet 1/2.45
vrf member tenant T1 vrf V1 l3out L3Out
ip router eigrp authentication keychain-policy KeyChainPol
ip router eigrp authentication enable
!
ipv6 router eigrp authentication keychain-policy KeyChainPol
ipv6 router eigrp authentication enable
exit

Step 4

To verfiy EIGRP configuration:

Example:

fav-blr4-ls-leaf4# show ip eigrp interfaces eth1/2.17
EIGRP interfaces for process 1 VRF T1:V1
Xmit Queue Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable SRTT Un/Reliable Flow Timer Routes
eth1/2.17 0 0/0 0 0/0 50 0
Hello interval is 5 sec
Holdtime interval is 15 sec
Next xmit serial: 0
Un/reliable mcasts: 0/3 Un/reliable ucasts: 6/4
Mcast exceptions: 0 CR packets: 0 ACKs suppressed: 1
Retransmissions sent: 0 Out-of-sequence rcvd: 0
Classic/wide metric peers: 0/0
Authentication mode is md5, key-chain is T1:KeyChainPol
ifav-blr4-ls-leaf4#

Step 5

For troubleshooting it on a switch, following CLIs can be used. And EIGRP Auth is supported on both IPv4 and IPv6 address families.

Example:

(none)# show ip eigrp interface vrf all
EIGRP interfaces for process 100 VRF pepsi
Xmit Queue Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable SRTT Un/Reliable Flow Timer Routes 
eth1/1 1 0/0 207 0/0 828 0 
Hello interval is 10 sec 
Holdtime interval is 15 sec 
Next xmit serial: 0 
Un/reliable mcasts: 0/7 Un/reliable ucasts: 21/18 
Mcast exceptions: 0 CR packets: 0 ACKs suppressed: 0 
Retransmissions sent: 4 Out-of-sequence rcvd: 2 
Classic/wide metric peers: 0/1 
Authentication mode is md5, key-chain is eigrp-auth

(none)# show ipv6 eigrp interface vrf pepsi 
IPv6-EIGRP interfaces for process 100 VRF pepsi 
Xmit Queue Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable SRTT Un/Reliable Flow Timer Routes 
eth1/1 0 0/0 0 0/0 0 0 
Hello interval is 10 sec 
Holdtime interval is 15 sec 
Next xmit serial: 0 
Un/reliable mcasts: 0/0 Un/reliable ucasts: 0/0 
Mcast exceptions: 0 CR packets: 0 ACKs suppressed: 0 
Retransmissions sent: 0 Out-of-sequence rcvd: 0 
Classic/wide metric peers: 0/0 
Authentication mode is md5, key-chain is eigrp-auth