I want to use an EIGRP password between routers and layer 3 switches in our environment. Is it possible to implement an EIGRP string on a live environment without any downtime?
I would not do that in a live network without having a maintenance window:
Caution: When EIGRP message authentication is added to the Dallas interfaces, it stops receiving routing messages from its peers until they are also configured for message authentication. This does interrupt routing communications on your network.
I would certainly do it during a maintenance window. Just wondering if it is possible to do on a live network without any downtime.
For instance, apply the pass string but don't let it become valid until a certain time.
Although NTP better be working...
You can probably use the accept-lifetime and send-lifetime to set a time frame, but if there is any time issue and things don't happen the way they are supposed to, you will have people and management screaming at you.
You can certainly create the key chain. However, whether you apply an authentication mode will determine how much outage to the adjacency will be incurred.
I have found applying just the authentication key chain to the first interface drops the adjacency for no more than 3 seconds, then applying it to the other side of the peer has no effect.
However, when also applying the authentication mode, the adjacency will drop until the other side of the peering is also configured with the same authentication mode.
R1 / R2
key 1 -- text "TEST"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
R2(config-if)#ip authentication key-chain eigrp 1 TST
*Mar 1 00:05:00.031: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.12.1 (FastEthernet0/0) is down: keychain changed
*Mar 1 00:05:03.139: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.12.1 (FastEthernet0/0) is up: new adjacency
R2(config-if)#ip authentication mode eigrp 1 md5
*Mar 1 00:15:22.347: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.12.1 (FastEthernet0/0) is down: authentication mode changed
*Mar 1 00:15:23.851: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.12.2 (FastEthernet0/0) is down: Auth failure............
Thanks Paul -
How about if I were to configure a send time that was sooner than the accept time? That way, both routers would be sending when the accept time arrived... assuming NTP was working.
Does the configuration of EIGRP authentication on a router interface require the other router to send a pass string regardless of the accept time?
It doesn't seem to matter, as soon as you apply authentication to the first interface in the peering, the adjacency is interrupted.
This is kind of what I'm referring to. Set the routers with an accept and send time, but have no end time.
key chain <name_of_keychain>
 key <key_id>
  key-string <password>
  !Optional - set lifetime
  accept-lifetime <start_date> <end_date>
  send-lifetime <start_date> <end_date>
Copied this from