09-05-2008 02:46 PM - edited 03-03-2019 11:26 PM
Hi,
I have many routers configured with EIGRP, and I now want to add message authentication to the EIGRP.
As you know, when I enable the message auth on an interface, the router will lose EIGRP to its neighbor and therefore the network will be down.
Is there any technique, for example, that delays implementing the message auth for some time until I have made the config on all routers?
Thanks in advance
Abd Alqader
09-05-2008 04:45 PM
Abd
I have not tried this but one thing springs to mind. When you enable authentication for EIGRP you specify the AS under the interface configuration, e.g.
int s0/0
ip authentication mode eigrp 10 md5
What you may be able to do is configure a second eigrp process on your router and then ensure that neighborships and routes are being exchanged for this AS as well as your original one. Then you can configure authentication for the original AS while the new AS maintains the routes in your routing table.
Once authentication has been configured and verified on all routers you can then remove the second AS.
Alternatively you could configure a second routing protocol on your routers such as OSPF/RIP although you would need to change the administrative distance because EIGRP is better than both OSPF and RIP.
Both possible solutions would need testing, especially the second EIGRP AS, and there will obviously be a temporary additional overhead on your routers.
If you decide to try it let me know how you get on.
Jon
09-05-2008 11:01 PM
Hello Abd,
You can take advantage of the key chain concept, which allows you to define a time window for key validity and usage.
The requirement is that all routers have NTP configured and are in sync.
see
interface ethernet 1
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 holly
key chain holly
key 1
key-string 0987654321
accept-lifetime 04:00:00 Dec 4 2006 infinite
send-lifetime 04:00:00 Dec 4 2006 04:48:00 Dec 4 1996
exit
key 2
key-string 1234567890
accept-lifetime 04:00:00 Jan 4 2007 infinite
send-lifetime 04:45:00 Jan 4 2007 infinite
You can set the usage of the key for some time in the future, 1 or 2 days, so you have time to configure all the routers in your network.
You can use this also in the future to deploy a key change.
Hope to help
Giuseppe
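As an added example (not from Giuseppe's post or from Cisco), a small Python checker that parses an IOS key chain in the format above and audits the lifetimes before the chain is pushed to every router: each lifetime must end after it starts, each send window must sit inside its accept window with a margin for clock drift between NTP clients, the first send must start at least a lead time after "now" so there is time to configure all routers, and consecutive send windows must not leave a gap. The lead time, drift margin and the `now` argument are this example's own assumptions.

```python
from datetime import datetime, timedelta

INF = datetime.max  # stands for an "infinite" lifetime end

def parse_time(tokens):
    # IOS lifetime syntax: hh:mm:ss then "Dec 4 2006" or "4 Dec 2006" (both orders appear on the page)
    hms, a, b, year = tokens
    day, mon = (a, b) if a.isdigit() else (b, a)
    return datetime.strptime(f"{hms} {day} {mon} {year}", "%H:%M:%S %d %b %Y")

def parse_key_chain(text):
    """Parse an IOS key chain block into [{'id', 'accept': (start, end), 'send': (start, end)}]."""
    keys = []
    for line in text.splitlines():
        t = line.split()
        if len(t) == 2 and t[0] == "key" and t[1].isdigit():
            keys.append({"id": int(t[1])})
        elif t and t[0] in ("accept-lifetime", "send-lifetime"):
            end = INF if t[5] == "infinite" else parse_time(t[5:9])
            keys[-1][t[0].split("-")[0]] = (parse_time(t[1:5]), end)
    return keys

def check_key_chain(keys, now, lead_time=timedelta(days=1), skew=timedelta(minutes=5)):
    """Return the problems found; an empty list means the chain is safe to push everywhere.
    'now' is given in the same IOS time syntax; lead_time and skew are assumed values:
    time to configure every router, and tolerated clock drift between NTP-synced routers."""
    now, problems = parse_time(now.split()), []
    for k in keys:
        for kind in ("accept", "send"):
            s, e = k[kind]
            if e <= s:
                problems.append(f"key {k['id']}: {kind}-lifetime ends before it starts")
        (as_, ae), (ss, se) = k["accept"], k["send"]
        if ss - skew < as_ or (ae != INF and (se == INF or se + skew > ae)):
            problems.append(f"key {k['id']}: send window not inside accept window (margin {skew})")
    sends = sorted(k["send"] for k in keys)
    if sends and sends[0][0] < now + lead_time:
        problems.append("first send-lifetime starts too soon to configure all routers")
    for (_, prev_end), (next_start, _) in zip(sends, sends[1:]):
        if next_start > prev_end:
            problems.append(f"no key is sent between {prev_end} and {next_start}")
    return problems

# Keys of the chain "holly" posted above (key-strings omitted); note key 1's send-lifetime ends in 1996
POSTED_CHAIN = """ key 1
  accept-lifetime 04:00:00 Dec 4 2006 infinite
  send-lifetime 04:00:00 Dec 4 2006 04:48:00 Dec 4 1996
 key 2
  accept-lifetime 04:00:00 Jan 4 2007 infinite
  send-lifetime 04:45:00 Jan 4 2007 infinite"""
```

Run against the posted chain with `now` set to 1 Dec 2006, it reports three problems (key 1 ends before it starts, key 1's send starts at the very edge of its accept window, and nothing is sent between the two keys); a chain whose key 1 send window ends exactly when key 2's begins, with accept windows a few minutes wider on each side, returns an empty list.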
09-06-2008 05:44 AM
Hello Giuseppe,
I configured 4 routers as NTP clients and they request the time from the NTP server (router 5).
All are in the same time sync.
And also I created a key chain in all five routers as follows:
!
key chain test-CHAIN
key 11
key-string test_traffic
accept-lifetime 15:45:00 6 sep 2008 infinite
send-lifetime 15:45:00 6 sep 2008 infinite
!
I entered the interface mode and I applied ip authentication key-chain eigrp 1 test-CHAIN
and everything works fine and we still have EIGRP neighborship with the peers.
But once I applied
ip authentication mode eigrp 1 md5
the peer went down and I lost the connectivity.
By the way the time was "15:33:00.137 GMT Sat Sep 6 2008".
Please advise!
Dear Jon Marshall,
I will try it by adding a second EIGRP AS and I will let you know, but after I have tried the time issue with the key chain.
Thanks
Abd Alqader
09-07-2008 11:42 PM
Hello Abd and Jon,
luckily Abd tried this on a lab environment.
From the results we can say that an EIGRP process, once configured for MD5 on the interface, even without a valid key (it will be valid in the future), doesn't fall back to unauthenticated mode.
I had done extensive functional and performance tests, but on OSPF authentication, some years ago.
The suggestion by Jon will work because EIGRP includes the AS number in each protocol message, so you can easily duplicate the EIGRP config in each router and have both running. Then you modify the config for process eigrp 1 to enable authentication and later remove the second process on all routers after adjacencies are restored. I would use the key-chain in order to be able to change the key in the future.
As a test it could be interesting to see what happens with a valid key: if this time the key in the key-chain is already valid, to see if the routers are able, when inserting the command ip authentication mode eigrp 1 md5, to at least recover the neighborship quickly.
Here we are looking at the EIGRP neighbor state machine, which is simpler than that of OSPF: in OSPF adding authentication causes a restart of the neighbor state machine.
Best Regards
Giuseppe
09-08-2008 08:33 AM
Giuseppe
"luckily Abd tried this on a lab environment" - yes, very lucky !
"The suggestion by Jon will work because EIGRP"
Do you know for a fact if this will work? Ordinarily I would try it out myself but I don't have access to a lab. Just wanted to know for future reference.
Jon
09-08-2008 09:39 AM
It does work, else you would've heard from me :)
09-08-2008 11:15 AM
Good to know you are keeping me honest :)
Thanks Edison.
09-08-2008 12:42 PM
Hello Jon,
I don't have access to a lab these days either.
I apologize for my first proposal, which was a real denial of service.
With the precedent of the first post, the question is very correct!
However, I trust the theory that leads to saying that two EIGRP processes on the same set of interfaces/subnets can work.
Here, there is no space for implementation choices: if all packets contain the EIGRP AS number they can be sent and received without causing confusion.
Best Regards
Jon
09-08-2008 01:14 PM
Rack1R2#sh run | sec eigrp
router eigrp 1
network 150.1.2.2 0.0.0.0
network 192.168.12.2 0.0.0.0
no auto-summary
router eigrp 2
network 150.1.2.2 0.0.0.0
network 192.168.12.2 0.0.0.0
no auto-summary
_______________
Rack1R1#sh run | sec eigrp
router eigrp 1
network 192.168.12.1 0.0.0.0
no auto-summary
router eigrp 2
network 192.168.12.1 0.0.0.0
no auto-summary
_____________
Rack1R1#sh ip eigrp topo
IP-EIGRP Topology Table for AS(1)/ID(192.168.12.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 192.168.12.0/30, 1 successors, FD is 2169856
via Connected, Serial1/0
P 150.1.2.2/32, 1 successors, FD is 2297856
via 192.168.12.2 (2297856/128256), Serial1/0
IP-EIGRP Topology Table for AS(2)/ID(192.168.12.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 192.168.12.0/30, 1 successors, FD is 2169856
via Connected, Serial1/0
P 150.1.2.2/32, 0 successors, FD is Inaccessible
via 192.168.12.2 (2297856/128256), Serial1/0
Rack1R2#sh ip eigrp topology
IP-EIGRP Topology Table for AS(1)/ID(192.168.12.2)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 192.168.12.0/30, 1 successors, FD is 2169856
via Connected, Serial1/0
P 150.1.2.2/32, 1 successors, FD is 128256
via Connected, Loopback0
IP-EIGRP Topology Table for AS(2)/ID(150.1.2.2)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 192.168.12.0/30, 1 successors, FD is 2169856
via Connected, Serial1/0
P 150.1.2.2/32, 1 successors, FD is 128256
via Connected, Loopback0
_____________
While configuring R1 for authentication and using AS 2.
Rack1R1(config-if)#ip authentication mode eigrp 2 md5
!
!
*Mar 1 00:08:00.023: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 2: Neighbor 192.168.12.2 (Serial1/0) is down: authentication mode changed
R1 keeps reachability to 150.1.2.2 via AS1
Rack1R1#sh ip eigrp to
IP-EIGRP Topology Table for AS(1)/ID(192.168.12.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 192.168.12.0/30, 1 successors, FD is 2169856
via Connected, Serial1/0
P 150.1.2.2/32, 1 successors, FD is 2297856
via 192.168.12.2 (2297856/128256), Serial1/0
IP-EIGRP Topology Table for AS(2)/ID(192.168.12.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 192.168.12.0/30, 1 successors, FD is 2169856
via Connected, Serial1/0
_____________
After configuring authentication in R2:
Rack1R1#
*Mar 1 00:10:27.391: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 2: Neighbor 192.168.12.2 (Serial1/0) is up: new adjacency
Rack1R1#sh ip eigrp to
IP-EIGRP Topology Table for AS(1)/ID(192.168.12.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 192.168.12.0/30, 1 successors, FD is 2169856
via Connected, Serial1/0
P 150.1.2.2/32, 1 successors, FD is 2297856
via 192.168.12.2 (2297856/128256), Serial1/0
IP-EIGRP Topology Table for AS(2)/ID(192.168.12.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 192.168.12.0/30, 1 successors, FD is 2169856
via Connected, Serial1/0
P 150.1.2.2/32, 0 successors, FD is Inaccessible
via 192.168.12.2 (2297856/128256), Serial1/0
___
HTH,
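An added example (not Edison's code) that automates the check his lab output makes by eye: it parses `show ip eigrp topology` output in the format above into a per-AS table and lists the prefixes that have a successor only in the AS about to be changed. Enabling MD5 drops that AS's neighbors (see the `authentication mode changed` log line above), so any prefix on the list would be black-holed until the adjacency re-forms, while an empty list means the other AS still carries everything. Connected prefixes are ignored, since they do not depend on the neighbor; the sample input is constructed from Rack1R1's output before authentication was touched.

```python
import re

AS_RE = re.compile(r"Topology Table for AS\((\d+)\)")
ROUTE_RE = re.compile(r"^P (\S+), (\d+) successors?, FD is (\S+)")

def parse_topology(text):
    """Return {as_number: {prefix: successor_count}} from 'show ip eigrp topology' output.
    Connected prefixes are dropped: they stay reachable whatever happens to the neighbor."""
    topo, current_as, last_prefix = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = AS_RE.search(line)
        if m:
            current_as = int(m.group(1))
            topo.setdefault(current_as, {})
            continue
        m = ROUTE_RE.match(line)
        if m and current_as is not None:
            last_prefix = m.group(1)
            topo[current_as][last_prefix] = int(m.group(2))
        elif line.startswith("via Connected") and last_prefix is not None:
            topo[current_as].pop(last_prefix, None)
    return topo

def prefixes_at_risk(topo, as_to_change):
    """Prefixes whose only successor lives in as_to_change. Enabling MD5 there drops its
    neighbors, so these would be black-holed until the adjacency re-forms; an empty
    list means every prefix is still covered by another AS."""
    others = [a for a in topo if a != as_to_change]
    at_risk = []
    for prefix, succ in topo.get(as_to_change, {}).items():
        if succ > 0 and not any(topo[a].get(prefix, 0) > 0 for a in others):
            at_risk.append(prefix)
    return sorted(at_risk)

# Constructed from Rack1R1's output above, before authentication was touched (Codes lines omitted)
R1_BEFORE = """IP-EIGRP Topology Table for AS(1)/ID(192.168.12.1)
P 192.168.12.0/30, 1 successors, FD is 2169856
        via Connected, Serial1/0
P 150.1.2.2/32, 1 successors, FD is 2297856
        via 192.168.12.2 (2297856/128256), Serial1/0
IP-EIGRP Topology Table for AS(2)/ID(192.168.12.1)
P 192.168.12.0/30, 1 successors, FD is 2169856
        via Connected, Serial1/0
P 150.1.2.2/32, 0 successors, FD is Inaccessible
        via 192.168.12.2 (2297856/128256), Serial1/0"""
```

On this input, changing AS 2 first is safe (nothing is at risk), whereas touching AS 1 first would expose 150.1.2.2/32, which matches the order Edison used.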
09-06-2008 05:52 AM
Giuseppe
This is a much better solution than my options but one question.
I thought the option of setting lifetimes on keys was to allow a smooth transition between keys rather than initial setup. Because with initial setup as soon as you specify authentication it's going to need a key to use.
Have you used your solution to go from unauthenticated to authenticated?
Jon
09-06-2008 07:06 AM
Jon is right.
I'm wondering what the Hellos and Holdtime are set for. In a converged network, EIGRP shouldn't send anything but Hellos every configured time interval, 5 and 30 by default on T1 speeds and above, and 60 and 180 on speeds below T1.
I wonder what would happen if he set the EIGRP hellos to a high interval and then QUICKLY configured the EIGRP neighbor before that Hello time expires....?
[EDIT] Scratch that. It's a stupid idea. I just tried it in a lab and it failed. I think that the router must send a Hello as soon as any configuration is done to the neighborship process. And once it does, the neighbor is down. And, since you've changed the timers to be so slow, you will have to wait a long time for the neighborship to come up. [EDIT]
Thanks
Victor
09-06-2008 11:46 AM
Giuseppe,
The key chain delay is useful when moving from one password to another in an already authenticated EIGRP infrastructure. Once you enable the MD5 hash, the remote router must have MD5 enabled else the connection is lost.
HTH,
__
Edison.
09-06-2008 12:34 PM
Thanks to all.
Yes, I think the key chain option is valid if we change the password, not for going from an un-authenticated to an authenticated environment.
I will try the second option by creating a new EIGRP AS in my lab tomorrow and I will let you know.
By the way, I think the last option is to keep the current AS and start applying the auth from the spoke routers toward the hub, interface by interface.
Thanks again
Abd Alqader