md5 authentication in eigrp

Answered Question
Mar 23rd, 2009

Hi everybody!

I have a question about MD5 authentication in EIGRP.

Will the following configuration work?


r1s0-------------------------s0r2

Both are running eigrp:

r1:

key chain zee
 key 1
  key-string america

r2:

key chain sarah
 key 2
  key-string america

=================

r1:

int s0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 zee

====================

r2:

int s0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 sarah

=================================

Will r1 and r2 be able to authenticate each other?


Thanks a lot!


Mohamed Sobair Tue, 03/24/2009 - 00:27


Hello Sarah,


R1 and R2 will be able to authenticate each other because the "key-string" matches on both.




HTH

Mohamed

Correct Answer
davy.timmermans Tue, 03/24/2009 - 00:45

Cisco recommends the keys to be the same


http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a00807f5a63.shtml


But I thought the key number must be the same. Otherwise you could create the max number of keys, hoping that 1 key fits :)


I thought that the router drops authentication packets with other keys than configured.


So it will not work


Key chain names can be different

Giuseppe Larosa Tue, 03/24/2009 - 01:24

Hello Davy,

In most common examples the key number is the same on both ends, but I think they can be different, as can the key chain names.


see


http://www.cisco.com/en/US/docs/ios/iproute/command/reference/irp_pi1.html#wp1013148


Only one authentication packet is sent, regardless of the number of valid keys. The software starts looking at the lowest key identifier number and uses the first valid key.


So in this case the two routers should be able to become neighbors


Hope to help

Giuseppe


Correct Answer
davy.timmermans Tue, 03/24/2009 - 01:46

Hi Guislar,


The text says:

Identification number of an authentication key on a key chain. The range of keys is from 0 to 2147483647. The key identification numbers need not be consecutive.



I tested in DynamIP and apparently they must match




R1

interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.252
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 test
!
router eigrp 1
 network 10.0.0.0 0.0.0.3
 no auto-summary
!
key chain test
 key 1
  key-string cisco

R2

interface FastEthernet0/0
 ! address corrected to 10.0.0.2 (the post listed 10.0.0.1 on both routers of the /30)
 ip address 10.0.0.2 255.255.255.252
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 test
!
router eigrp 1
 network 10.0.0.0 0.0.0.3
 no auto-summary
!
key chain test
 key 2
  key-string cisco

debug output

de = 5 (invalid authentication)
*Mar 1 00:10:56.923: EIGRP: Sending HELLO on FastEthernet0/0
*Mar 1 00:10:56.923: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Mar 1 00:10:57.643: EIGRP: pkt authentication key id = 1, key not defined or not live
*Mar 1 00:10:57.647: EIGRP: FastEthernet0/0: ignored packet from 10.0.0.1, opcode = 5 (invalid authentication)
*Mar 1 00:11:01.199: EIGRP: Sending HELLO on FastEthernet0/0
*Mar 1 00:11:01.199: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Mar 1 00:11:02.567: EIGRP: pkt authentication key id = 1, key not defined or not live
*Mar 1 00:11:02.567: EIGRP: FastEthernet0/0: ignored packet from 10.0.0.1, opcode = 5 (invalid authentication)
*Mar 1 00:11:05.931: EIGRP: Sending HELLO on FastEthernet0/0
*Mar 1 00:11:05.931: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Mar 1 00:11:06.903: EIGRP: pkt authentication key id = 1, key not defined or n

When I adjusted the key, a neighborship has been formed
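To make the behaviour in Davy's test concrete, here is an added Python model (not code from the thread or from Cisco) of how a receiver processes an authenticated hello: it looks up the key id carried in the packet in its own key chain first, and only then checks the digest, so a matching key-string under a different key id is never even tried. The digest construction is a simplified keyed MD5 and the chain names, key strings and packet body are constructed assumptions; the real EIGRP authentication TLV layout is not reproduced.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Key:
    key_id: int
    key_string: bytes
    live: bool = True          # inside accept/send lifetime (simplified to a flag)


@dataclass
class KeyChain:
    name: str                  # local handle only; the name is never sent on the wire
    keys: dict = field(default_factory=dict)

    def add(self, key: Key) -> None:
        self.keys[key.key_id] = key

    def send_key(self) -> Key:
        # Per the Cisco text quoted in the thread: start at the lowest key id, use the first valid key
        for kid in sorted(self.keys):
            if self.keys[kid].live:
                return self.keys[kid]
        raise ValueError("no live key in chain %s" % self.name)


def md5_digest(packet: bytes, key_string: bytes) -> bytes:
    # Simplified keyed MD5 (assumption): packet body followed by the key padded to 16 bytes.
    return hashlib.md5(packet + key_string.ljust(16, b"\0")).digest()


def send_hello(chain: KeyChain, packet: bytes):
    k = chain.send_key()
    # Only the key id and the digest travel with the packet; the key string never does.
    return k.key_id, md5_digest(packet, k.key_string)


def receive_hello(chain: KeyChain, packet: bytes, key_id: int, digest: bytes) -> str:
    k = chain.keys.get(key_id)
    if k is None or not k.live:
        return "key not defined or not live"       # the message seen in the debug output
    if digest != md5_digest(packet, k.key_string):
        return "invalid authentication"            # right id, wrong key string
    return "ok"


def thread_scenario():
    hello = b"EIGRP opcode=5 AS=1 hello"            # constructed sample packet body
    r1 = KeyChain("zee");   r1.add(Key(1, b"america"))
    r2 = KeyChain("sarah"); r2.add(Key(2, b"america"))     # same string, different id
    kid, dg = send_hello(r1, hello)
    mismatched_id = receive_hello(r2, hello, kid, dg)
    r2_fixed = KeyChain("sarah"); r2_fixed.add(Key(1, b"america"))   # id matches, chain name differs
    fixed = receive_hello(r2_fixed, hello, kid, dg)
    r2_wrong = KeyChain("sarah"); r2_wrong.add(Key(1, b"europe"))    # id matches, string differs
    wrong_string = receive_hello(r2_wrong, hello, kid, dg)
    return mismatched_id, fixed, wrong_string
```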



Giuseppe Larosa Tue, 03/24/2009 - 01:53

Hello Davy,

good feedback


thanks


Giuseppe


sarahr202 Tue, 03/24/2009 - 11:10

Hi everybody!

If you guys don't mind, I have one more question.


Does the router send the cumulative delay and least bandwidth along the path in the update, or does it also send the metric that it calculated to reach a certain subnet?


thanks a lot!

Correct Answer
Giuseppe Larosa Tue, 03/24/2009 - 13:23

Hello Sarah,

there are two TLVs, one for internal routes and one for external routes;

actually there are separate fields for:

 cumulative delay
 lowest bandwidth
 min MTU on path
 reliability
 load
 router hop count

so the receiving router can easily calculate:

 the advertised distance (received metric)

 the distance (metric) for the local node, by considering the parameters of the interface on which the advertisement is heard and so adjusting the cumulative delay and so on


Hope to help

Giuseppe
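As an added example (not part of the thread), the metric vector Giuseppe lists carried through the classic composite-metric formula with default K values: the receiver first computes the advertised distance from the received vector as-is, then adjusts delay, bandwidth and the other fields for the inbound interface to get its own metric. The FastEthernet prefix and T1 serial inbound interface are assumed sample inputs.

```python
from dataclasses import dataclass

# Default K values: K1 = K3 = 1, K2 = K4 = K5 = 0 (classic EIGRP metric)
K1, K2, K3, K4, K5 = 1, 0, 1, 0, 0


@dataclass(frozen=True)
class MetricVector:          # the fields carried in the internal/external route TLV
    delay: int               # cumulative delay, units of 10 microseconds
    bandwidth: int           # lowest bandwidth on the path, kbps
    mtu: int                 # minimum MTU on the path
    reliability: int         # 1..255, 255 = fully reliable
    load: int                # 1..255, 1 = idle
    hops: int                # router hop count


@dataclass(frozen=True)
class Interface:             # the receiving router's inbound interface parameters
    bandwidth: int           # kbps
    delay: int               # units of 10 microseconds
    mtu: int = 1500
    reliability: int = 255
    load: int = 1


def composite_metric(v: MetricVector) -> int:
    # metric = 256 * (K1*BW + K2*BW/(256-load) + K3*delay) * (K5/(reliability+K4)),
    # where BW = 10^7 / lowest bandwidth in kbps; the K5 term is skipped when K5 = 0.
    bw = 10_000_000 // v.bandwidth
    metric = K1 * bw + (K2 * bw) // (256 - v.load) + K3 * v.delay
    if K5:
        metric = metric * K5 // (v.reliability + K4)
    return metric * 256


def apply_inbound_interface(v: MetricVector, iface: Interface) -> MetricVector:
    # What the receiving router does with the advertised vector before computing its own distance.
    return MetricVector(delay=v.delay + iface.delay,
                        bandwidth=min(v.bandwidth, iface.bandwidth),
                        mtu=min(v.mtu, iface.mtu),
                        reliability=min(v.reliability, iface.reliability),
                        load=max(v.load, iface.load),
                        hops=v.hops + 1)


def example():
    # Constructed: neighbour advertises a directly connected FastEthernet LAN (100 Mbps, 100 us)
    received = MetricVector(delay=10, bandwidth=100_000, mtu=1500, reliability=255, load=1, hops=0)
    serial = Interface(bandwidth=1544, delay=2000)     # T1 defaults: 1544 kbps, 20000 us
    advertised_distance = composite_metric(received)
    local_distance = composite_metric(apply_inbound_interface(received, serial))
    return advertised_distance, local_distance
```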


