question about EIGRP for BSCI Certification Exam

Unanswered Question
Jun 20th, 2009

Hi !


I'm currently studying for my CCNP BSCI certification exam; I use the Cisco Press certification guide and also other web documentation.


I would like to have some explanation about MD5 EIGRP authentication.


I understood that we can define more than one key to authenticate, to prevent someone from being able to guess the encryption key. In the "accept-lifetime" and "send-lifetime" commands we can define the start time and end time of use... but the duration parameter, how can one use this parameter... and make sure the other router has the same time synchronisation... Example: if I set send-lifetime 20 June 2009 at 0:00:00 to 30 June 2009 at 0:00:00 and a duration of 3600 seconds, and on the other router I set accept-lifetime 20 June 2009 at 0:00:00 to 30 June 2009 at 1:00:00 and a duration of 3720 seconds, how are those routers able to synchronise their usage of the MD5 key.... for example after a reload or power reset of one of them?


In the "debug eigrp packets" command, when it shows a received packet with MD5 authentication key id = 1, is the key ID specified here the key id 1 of the local or of the remote device? I understood that the local and remote devices do not have to use the same key ID, but they have to use the same key in the same order. Example: R1 could use key id 1 to 10 and R2 key ID 11 to 20, but key ID 1 should have the same key string as key id 11, key ID 2 should have the same key string as key id 12, and so on...


In the following explanation:

"Although EIGRP is a classless routing protocol, it has classful behavior by default, such as having automatic summarization on by default. When you configure the hub router to send a default route to the remote router, ensure that the ip classless command is issued on the remote router. By default, the ip classless command is enabled in all Cisco IOS images that support the EIGRP stub routing feature."

What is the usage of the ip classless command?


Thanks for your help !

thotsaphon Sat, 06/20/2009 - 11:27

Hi Xine,

The first part of your concern is about time for EIGRP authentication. Yes, you're right. If the router gets reloaded/reset then the time's gone. You can solve this issue by using the NTP protocol to synchronize with another clock source.

"when it shows a received packet with MD5 authentication key id = 1, is the key ID specified here the key id 1 of the local or of the remote device?"

Well, it's the remote device's key. That's why EIGRP has to be configured with the same key number and the same key-string on both sides. It checks the authentication in 2 ways.


- EIGRP sends the lowest key number for authentication if its sending-lifetime is still valid. If not, it uses the next higher key number in sequence (if its sending-lifetime is still valid), and so on.

- The other side will check the key number, the key-string and the accept-lifetime for that key.


Note: it happens on both sides.


You can set up a mini-lab to test it out. You will see that if the key number/key-string is not the same, EIGRP won't come up.


For ip classless, please check out these links:

http://www.cisco.com/en/US/docs/ios/11_3/np1/configuration/guide/1cipadr.html#wp1404

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094823.shtml



Hope I helped you some. (grin)

Toshi

But my question about the synchronisation problem is:

I start my 2 devices at the same time and they are time-synchronized using the NTP protocol. We have 2 keys and they are used in sequence, and each sequence cannot be more than 4 hours, for example...


When the two routers use the same key at the same time, based on lifetime and on the duration timer, and after 2 days one of those routers reloads after a power failure or something else, no matter... this router restarts its sequence by maybe using key 1, but the other router only accepts key 2 at this time and starts to accept key 1 only in 1 hour....


How can I resynchronise my key usage??


If I use EIGRP as a routing protocol, and use the "no auto-summary" command because I have a discontiguous network, do I also have to use the "ip classless" command for my routing network to work properly?

thotsaphon Wed, 06/24/2009 - 12:59

Xine,

Please post the configuration of both routers regarding your question. Well, you are using NTP. After that you have to define sending-lifetime and accept-lifetime on both devices. Yes, it starts using the lowest key number. However, if the sending-lifetime has expired, it should use key 2 in your case. As I mentioned, you need to define the same key-number/key-string and a valid sending-lifetime/accept-lifetime (if used) on both ends.


"If I use EIGRP as a routing protocol, and use the "no auto-summary" command because I have a discontiguous network, do I also have to use the "ip classless" command for my routing network to work properly?"


It should work properly. "no auto-summary" decides how routing updates are sent out of the interfaces in EIGRP. "ip classless" decides how packets are forwarded out of the interface after looking in the RIB.


HTH,

Toshi
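The two rules Toshi describes (the sender picks the lowest key number whose send-lifetime is currently valid; the receiver looks up the key id carried in the packet in its own key chain and checks key-string and accept-lifetime), as an added Python model that is not part of this thread and not Cisco's code. It assumes the IOS key-chain syntax in which `duration seconds` is an alternative way of giving the end of a lifetime rather than an extra round-robin timer, models the digest as a simplified keyed MD5 rather than the exact EIGRP TLV layout, and uses a constructed two-key chain whose accept windows overlap the send windows by one hour. The constructed scenarios show why a router that reloads and gets its clock back from NTP picks the same key as its neighbour (selection is driven by the clock, not by uptime), and how much clock skew the accept-lifetime overlap tolerates.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

Window = Tuple[datetime, datetime]  # half-open [start, end)


@dataclass(frozen=True)
class Key:
    key_id: int
    key_string: str
    send: Window    # send-lifetime
    accept: Window  # accept-lifetime


def lifetime(start: datetime, end: Optional[datetime] = None,
             duration: Optional[int] = None) -> Window:
    """Mirror the IOS form '<send|accept>-lifetime start {end-time | duration seconds}':
    duration is an alternative to end-time, not a timer on top of it (assumption of this model)."""
    if (end is None) == (duration is None):
        raise ValueError("give exactly one of end or duration")
    return (start, end if end is not None else start + timedelta(seconds=duration))


def digest(payload: bytes, key_string: str) -> str:
    # Simplified keyed MD5 over payload + secret; the real EIGRP layout is not reproduced.
    return hashlib.md5(payload + key_string.encode()).hexdigest()


def choose_send_key(chain: List[Key], now: datetime) -> Optional[Key]:
    """Sender rule: lowest key id whose send-lifetime contains 'now'."""
    for k in sorted(chain, key=lambda k: k.key_id):
        if k.send[0] <= now < k.send[1]:
            return k
    return None


def send(chain: List[Key], now: datetime, payload: bytes) -> Optional[Tuple[int, str]]:
    """Build the authentication data carried with a packet: (key id, digest).
    Only the key id travels on the wire, never the key string."""
    k = choose_send_key(chain, now)
    if k is None:
        return None  # no valid key in this model; IOS behaviour outside all windows is not modelled
    return (k.key_id, digest(payload, k.key_string))


def receive(chain: List[Key], now: datetime, payload: bytes,
            key_id: int, received_digest: str) -> bool:
    """Receiver rule: the key id from the packet is looked up in the receiver's OWN chain;
    the key-string must reproduce the digest and the accept-lifetime must contain 'now'."""
    for k in chain:
        if k.key_id == key_id:
            return (k.accept[0] <= now < k.accept[1]
                    and received_digest == digest(payload, k.key_string))
    return False


def build_chain() -> List[Key]:
    """Constructed sample chain, identical on both routers: key 1 for 20-22 June 2009,
    key 2 from 22 June for eight days; accept windows extend one hour past the send windows."""
    d = datetime
    return [
        Key(1, "s3cr3t-one",
            send=lifetime(d(2009, 6, 20), end=d(2009, 6, 22)),
            accept=lifetime(d(2009, 6, 20), end=d(2009, 6, 22, 1))),
        Key(2, "s3cr3t-two",
            send=lifetime(d(2009, 6, 22), duration=8 * 24 * 3600),
            accept=lifetime(d(2009, 6, 21, 23), end=d(2009, 6, 30, 1))),
    ]


def simulate() -> dict:
    chain = build_chain()            # same key chain on R1 and R2
    hello = b"EIGRP HELLO AS100"     # constructed payload
    out = {}

    # 1. R2 reloads at 10:00 on 22 June and gets its clock from NTP: it chooses key 2
    #    straight away, because key 1's send-lifetime has ended. Uptime plays no part.
    now = datetime(2009, 6, 22, 10)
    kid, dg = send(chain, now, hello)
    out["after_reload_key"] = kid
    out["after_reload_accepted"] = receive(chain, now, hello, kid, dg)

    # 2. R1's clock lags ten minutes at the rollover: it still sends key 1 when the true
    #    time is 00:05; R2 accepts because its accept-lifetime for key 1 runs until 01:00.
    true_now = datetime(2009, 6, 22, 0, 5)
    kid, dg = send(chain, true_now - timedelta(minutes=10), hello)
    out["small_skew_key"] = kid
    out["small_skew_accepted"] = receive(chain, true_now, hello, kid, dg)

    # 3. A lag larger than the overlap (R1 reads 23:55 while it is really 01:30) is rejected.
    kid, dg = send(chain, datetime(2009, 6, 21, 23, 55), hello)
    out["large_skew_accepted"] = receive(chain, datetime(2009, 6, 22, 1, 30), hello, kid, dg)

    # 4. Same key id but a different key-string on the receiver: the digest does not match.
    other = [Key(2, "wrong-string", chain[1].send, chain[1].accept)]
    kid, dg = send(chain, now, hello)
    out["wrong_string_accepted"] = receive(other, now, hello, kid, dg)
    return out


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

Scenario 1 is the answer to the reload question: with both routers reading the same clock, "which key is valid right now" is a pure function of time and of the shared chain, so the reloaded router does not restart from key 1. Scenarios 2 and 3 show what the overlap between send-lifetime and accept-lifetime actually buys: tolerance for a bounded amount of skew, not for an unsynchronised clock.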

xine xine Wed, 06/24/2009 - 16:32

Hi !


Sorry, I have no lab setup to illustrate my question (my devices' IOS is too old to support MD5 authentication for EIGRP).


Never mind the "sending-lifetime and accept-lifetime on both devices"; what is important for my understanding in my question is only the duration parameter....


If I use 2 keys with a 2-hour duration time in round-robin fashion, example: on both routers, for the first 2 hours they will use key 1, for the next 2 hours they will use key 2, for the next 2 hours they will use key 1 again, and so on... Both routers use the same clock to change from key 1 to key 2 or from key 2 to key 1. This works well because each of them was started at the same time and started to use the first key on both sides, and they also use the same clock device to make sure each router has the same idea of 2 hours for key replacement. But what happens when one of those devices reloads after a power failure... They still have the same idea of what 2 hours is, but when the router is back again the other one may be using key 2 at this time, while the device that has just been reloaded starts to use its first valid key, key 1, for the next 2 hours.... Now those devices will use the same clock to count 2 hours, but they will not change their key at the same time....


Excuse my English, I'm French!!


Thanks a lot!
