EIGRP Authentication

Jul 5th, 2014

Hi All,

As per the EIGRP Authentication steps:

Key chain configuration steps:
A) First, we need to configure the key chain in global configuration mode.
B) Under the key chain, we need to configure a key number. The key number must match on the routers on both sides and should be active. If multiple key numbers are configured on a router, the router selects the lowest number for authentication.
C) Once you configure the key number, you need to issue the authentication string.

Suppose a key chain has two key identifiers on R1 and on R2, like below. Will it work?

R1 - Key chain one

key 1
key-string cisco
key 2
key-string admin

and in R2 - Key chain two

key 10
key-string cisco
key 15
key-string admin

Also, what is the use of / need for more than one key identifier in a key chain? How will EIGRP process this?

 

Regards,

Gan

syed kazim abbas Sat, 07/05/2014 - 05:27

Hi,

Key chain name as well as key numbers do not have to match on the neighboring routers.

The key chain configuration concept allows the engineer to migrate from one key value to another over time. Just like a real key chain that has multiple keys, the IOS key chain concept allows the configuration of multiple keys—each identified with a number. If no lifetime has been configured for a key, it is considered to be valid during all time frames. However, when a key has been defined with a lifetime, the key is valid only during the valid lifetime.

Sending EIGRP messages: Use the lowest key number among all currently valid keys.
Receiving EIGRP message: Check the MD5 digest using ALL currently valid keys for match.

HTH

kazim

Ganesan Palaniappan Sat, 07/05/2014 - 06:07

Hi kazim,

Just so I understand: if I am not configuring any lifetime value for a key string, then the key string of the lowest-value key identifier is considered the key string for authentication.

R1

key chain one
key 1
key-string cisco  (this key value will be considered by the EIGRP packets for authentication) -- Sending EIGRP messages: Use the lowest key number among all currently valid keys.
key 2
key-string admin

Suppose on R2 I configured as below:

key chain two
key 10
key-string admin
key 15
key-string cisco

So in the above case, the received EIGRP packets can be checked with all the key identifiers / it will only check the least-value key identifier alone. - Receiving EIGRP message: Check the MD5 digest using ALL currently valid keys for match.

Regards,

Gan

 

syed kazim abbas Sun, 07/06/2014 - 04:07

Hi Ganalagu,

I tested it; it will not work. The statement I posted above is according to my bookish knowledge. Thanks, you gave me a chance to review my understanding.

So finally, Cisco recommended:

Note: It is recommended that the key number be the same on all routers involved in the configuration

For reference see this link:

http://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-r...

HTH
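The send and receive key selection discussed in this thread, modelled as an added example that is not part of the original posts and is not Cisco code. It assumes the receiver looks up the key number carried in the packet (consistent with the test result and the Cisco note reported above), uses a simplified MD5 over key string plus payload instead of the real EIGRP digest, and all names in it are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Key:
    key_id: int
    key_string: str
    start: float = float("-inf")  # no lifetime configured: valid at all times
    end: float = float("inf")

    def valid_at(self, now):
        return self.start <= now <= self.end

def _digest(key_string, payload):
    # Simplified stand-in, NOT the on-wire EIGRP digest computation.
    return hashlib.md5(key_string.encode() + payload).digest()

def send(chain, payload, now=0.0):
    """Sender rule from the thread: lowest key number among currently valid keys."""
    valid = [k for k in chain if k.valid_at(now)]
    if not valid:
        return None  # no valid key, so nothing can be authenticated
    key = min(valid, key=lambda k: k.key_id)
    return key.key_id, _digest(key.key_string, payload)

def accept(chain, packet, payload, now=0.0):
    """Receiver (assumed model): find the packet's key number, then compare digests."""
    if packet is None:
        return False
    key_id, digest = packet
    for k in chain:
        if k.key_id == key_id and k.valid_at(now):
            return hmac.compare_digest(digest, _digest(k.key_string, payload))
    return False  # key number unknown or outside its lifetime

def adjacency(a, b, now=0.0, payload=b"hello"):
    """Both directions must authenticate for the neighbors to come up."""
    return (accept(b, send(a, payload, now), payload, now)
            and accept(a, send(b, payload, now), payload, now))

# Constructed key chains: the thread's R1 and R2, then an R2 with matching numbers.
R1 = [Key(1, "cisco"), Key(2, "admin")]
R2_THREAD = [Key(10, "cisco"), Key(15, "admin")]
R2_MATCHED = [Key(1, "cisco"), Key(2, "admin")]
# Constructed rollover: key 1 expires at t=100, key 2 becomes valid at t=90.
ROLL = [Key(1, "cisco", end=100), Key(2, "admin", start=90)]

if __name__ == "__main__":
    print("thread config :", adjacency(R1, R2_THREAD))
    print("matched keys  :", adjacency(R1, R2_MATCHED))
    print("after rollover:", adjacency(ROLL, ROLL, now=150))
```

The overlap between t=90 and t=100 in `ROLL` is what lets both routers keep authenticating while the sender moves from key 1 to key 2.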
