
EIGRP Password String on Live Network

Patrick McHenry
Level 3

Hi,

 

I want to use an EIGRP password between routers and layer 3 switches in our environment. Is it possible to implement an EIGRP string on a live environment without any downtime?

 

Thank you

8 Replies 8

Reza Sharifi
Hall of Fame

Hi Pat,

I would not do that in a live network without having a maintenance window.

See below:

Caution: When EIGRP message authentication is added to the Dallas interfaces, it stops receiving routing messages from its peers until they are also configured for message authentication. This does interrupt routing communications on your network.

 

Link:

http://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/82110-eigrp-authentication.html

HTH

I would certainly do it during a maintenance window. Just wondering if it is possible to do on a live network without any downtime.

 

For instance, apply the pass string but don't let it become valid until a certain time.

 

Although NTP better be working...

 

Thanks

You can probably use the accept-lifetime and send-lifetime to set a time frame, but if there is any time issue and things don't happen the way they are supposed to, you will have people and management screaming at you.

HTH

Oh well

 

I'm hoping for an elegant solution though

 

     -Thanks

Hello

You can certainly create the key chain. However, whether you apply an authentication mode will determine how much outage to the adjacency is incurred.

I have found that applying just the authentication key chain to the first interface drops the adjacency for no more than 3 seconds; applying it to the other side of the peer then has no effect.

However, when also applying the authentication mode, the adjacency will drop until the other side of the peering is also configured with the same authentication mode.

See results:

R1 / R2
Key-chain TST:
    key 1 -- text "TEST"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]

R2(config)#int fa0/0
R2(config-if)#ip authentication key-chain eigrp 1 TST
R2(config-if)#
*Mar  1 00:05:00.031: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.12.1 (FastEthernet0/0) is down: keychain changed
R2(config-if)#
*Mar  1 00:05:03.139: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.12.1 (FastEthernet0/0) is up: new adjacency

 

 


R2(config-if)#ip authentication mode eigrp 1 md5

*Mar  1 00:15:22.347: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.12.1 (FastEthernet0/0) is down: authentication mode changed

 

R1
*Mar  1 00:15:23.851: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.12.2 (FastEthernet0/0) is down: Auth failure............

 

 

res

Paul

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
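
Added example, not part of the thread: a Python script that pairs the %DUAL-5-NBRCHANGE down/up messages quoted in the post above to measure how long each adjacency was down during an authentication change and which neighbors never came back. The sample log is constructed from the lines in the post (wrapped interface names rejoined), and the year is an assumption because the timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample: the syslog lines quoted in the post, R2's then R1's,
# with the wrapped interface names rejoined.
SAMPLE = """\
*Mar  1 00:05:00.031: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.12.1 (FastEthernet0/0) is down: keychain changed
*Mar  1 00:05:03.139: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.12.1 (FastEthernet0/0) is up: new adjacency
*Mar  1 00:15:22.347: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.12.1 (FastEthernet0/0) is down: authentication mode changed
*Mar  1 00:15:23.851: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.12.2 (FastEthernet0/0) is down: Auth failure............
"""

ASSUMED_YEAR = 2000  # assumption: these timestamps carry no year
AUTH_REASONS = {"keychain changed", "authentication mode changed", "auth failure"}
LINE = re.compile(
    r"^[*.]?(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d\.\d+): %DUAL-5-NBRCHANGE: .*?"
    r"Neighbor (?P<nbr>\S+) \((?P<intf>[^)]+)\) is (?P<state>up|down): "
    r"(?P<reason>.*?)\.*$"
)

def outages(text):
    """Pair each 'down' with the next 'up' per neighbor/interface.

    'seconds' is None when the neighbor never came back in the capture."""
    pending, result = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an EIGRP neighbor-change message
        key = (m["nbr"], m["intf"])
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
        if m["state"] == "down":
            pending.setdefault(key, (ts, m["reason"]))  # keep the first down
        elif key in pending:
            start, reason = pending.pop(key)
            result.append(_row(key, reason, (ts - start).total_seconds()))
    result += [_row(k, reason, None) for k, (_, reason) in pending.items()]
    return result

def _row(key, reason, seconds):
    return {"neighbor": key[0], "interface": key[1], "reason": reason,
            "auth_related": reason.lower() in AUTH_REASONS, "seconds": seconds}

if __name__ == "__main__":
    for row in outages(SAMPLE):
        state = "still down" if row["seconds"] is None else f"{row['seconds']:.3f}s"
        print(f"{row['neighbor']:<10} {row['interface']:<16} {row['reason']:<28} {state}")
```

Run against syslog collected during the maintenance window, any row with `seconds` set to None is a peering that still needs the matching authentication configuration on the other side.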

Thanks Paul -

 

How about if I were to configure a send time that was sooner than the accept time. That way, both routers would be sending when the accept time arrived...assuming NTP was working

or,

does the configuration of EIGRP authentication on a router interface require the other router to send a pass string regardless of the accept time?

 

Thanks

Hello

It doesn't seem to matter, as soon as you apply authentication to the first interface in the peering, the adjacency is interrupted.

 

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

This is kind of what I'm referring to. Set the routers with an accept and send time but have no end time.

key chain <name_of_keychain>
 key <#>
  key-string <string_used_for_PSK>
  !Optional - set lifetime
  accept-lifetime <start_date> <end_date>
  send-lifetime <start_date> <end_date>

 

Copied this from

 

http://gregandthenetwork.blogspot.com/2011/05/eigrp-authentication.html  
