03-23-2009 11:57 PM - edited 03-06-2019 04:46 AM
Hi everybody!
I have a question about MD5 authentication in EIGRP.
Will the following configuration work?
r1s0-------------------------s0r2
Both are running eigrp:
r1
key chain zee
key 1
key-string america
r2:
key chain sarah
key 2
key-string america
=================
r1:
int s0
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 zee
====================
r2:
int s0
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 sarah
=================================
Will r1 and r2 be able to authenticate each other?
Thanks a lot!
03-24-2009 12:27 AM
Hello Sarah,
R1 and R2 will be able to authenticate each other because the "key-string" matches on both.
HTH
Mohamed
03-24-2009 12:45 AM
Cisco recommends the keys to be the same
http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a00807f5a63.shtml
But I thought the key number must be the same. Otherwise you could create the max number of keys, hoping that 1 key fits :)
I thought that the router drops authentication packets with other keys than configured.
So it will not work
Key chain names can be different
03-24-2009 01:24 AM
Hello Davy,
in most common examples the key number is the same on both ends, but I think they can be different, like the key chain names
see
http://www.cisco.com/en/US/docs/ios/iproute/command/reference/irp_pi1.html#wp1013148
Only one authentication packet is sent, regardless of the number of valid keys. The software starts looking at the lowest key identifier number and uses the first valid key.
So in this case the two routers should be able to become neighbors
Hope to help
Giuseppe
03-24-2009 01:46 AM
Hi Guislar,
The text says:
Identification number of an authentication key on a key chain. The range of keys is from 0 to 2147483647. The key identification numbers need not be consecutive.
I tested in Dynamips and apparently they must match
R1
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.252
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 test
router eigrp 1
network 10.0.0.0 0.0.0.3
no auto-summary
key chain test
key 1
key-string cisco
R2
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.252
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 test
router eigrp 1
network 10.0.0.0 0.0.0.3
no auto-summary
key chain test
key 2
key-string cisco
debug output
de = 5 (invalid authentication)
*Mar 1 00:10:56.923: EIGRP: Sending HELLO on FastEthernet0/0
*Mar 1 00:10:56.923: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Mar 1 00:10:57.643: EIGRP: pkt authentication key id = 1, key not defined or not live
*Mar 1 00:10:57.647: EIGRP: FastEthernet0/0: ignored packet from 10.0.0.1, opcode = 5 (invalid authentication)
*Mar 1 00:11:01.199: EIGRP: Sending HELLO on FastEthernet0/0
*Mar 1 00:11:01.199: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Mar 1 00:11:02.567: EIGRP: pkt authentication key id = 1, key not defined or not live
*Mar 1 00:11:02.567: EIGRP: FastEthernet0/0: ignored packet from 10.0.0.1, opcode = 5 (invalid authentication)
*Mar 1 00:11:05.931: EIGRP: Sending HELLO on FastEthernet0/0
*Mar 1 00:11:05.931: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Mar 1 00:11:06.903: EIGRP: pkt authentication key id = 1, key not defined or n
When I adjusted the key, a neighborship has been formed
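A small Python model of the key-chain lookup that Giuseppe's quote describes and Davy's test confirms, added here as an illustration; it is not code from the thread or from Cisco IOS. The chain contents come from the original question, while the packet payload, the "live" flag and the digest construction are assumptions made to show the order of the checks.

```python
import hashlib
import hmac
from dataclasses import dataclass
# Constructed model of EIGRP key-chain MD5 authentication, not Cisco's code.
# The receiver looks the key up BY ID carried in the packet, so key numbers
# must match on both ends while the key chain names are purely local.

@dataclass
class Key:
    key_id: int
    key_string: bytes
    live: bool = True  # send/accept lifetimes collapsed into one flag

def first_valid_key(chain):
    """Sender: lowest live key identifier, as the IOS reference describes."""
    for k in sorted(chain, key=lambda k: k.key_id):
        if k.live:
            return k
    return None

def digest(payload, key_string):
    # Keyed MD5 over packet plus key; simplified from the real TLV layout.
    return hashlib.md5(payload + key_string).digest()

def send_hello(chain, payload=b"HELLO AS 1"):
    k = first_valid_key(chain)
    if k is None:
        raise RuntimeError("no live key in chain")
    return {"key_id": k.key_id, "payload": payload,
            "digest": digest(payload, k.key_string)}

def receive_hello(chain, pkt):
    """Receiver: find a live key with the packet's ID, then verify the digest."""
    match = [k for k in chain if k.key_id == pkt["key_id"] and k.live]
    if not match:
        return "key id = %d, key not defined or not live" % pkt["key_id"]
    expected = digest(pkt["payload"], match[0].key_string)
    if not hmac.compare_digest(expected, pkt["digest"]):
        return "invalid authentication"
    return "ok"

# The chains from the original question; the chain name plays no part.
ZEE = [Key(1, b"america")]       # r1: key chain zee, key 1
SARAH = [Key(2, b"america")]     # r2: key chain sarah, key 2
FIXED_R2 = [Key(1, b"america")]  # r2 after aligning the key ID with r1

def scenario():
    return {"mismatched_ids": receive_hello(SARAH, send_hello(ZEE)),
            "matched_ids": receive_hello(FIXED_R2, send_hello(ZEE)),
            "wrong_string": receive_hello([Key(1, b"cisco")], send_hello(ZEE))}
```

The first result is the same "key not defined or not live" condition Davy saw in the debug; the third shows that a matching ID with a different key-string fails one step later, at the digest check.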
03-24-2009 01:53 AM
Hello Davy,
good feedback
thanks
Giuseppe
03-24-2009 11:10 AM
Hi everybody!
If you guys don't mind, I have one more question.
Does the router send the cumulative delay and least bandwidth along the path in the update, or does it also send the metric that it calculated to reach a certain subnet?
thanks a lot!
03-24-2009 01:23 PM
Hello Sarah,
there are two TLVs one for internal routes and one for external routes:
actually there are separate fields for:
cumulative delay
lowest Bandwidth
min MTU on path
reliability
load
router hop count
so the receiving router can easily calculate:
the advertised distance (received metric)
the distance (metric) for the local node by considering the parameters of the interface on which the advertisement is heard and so adjusting the cumulative delay and so on
Hope to help
Giuseppe
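To show what Giuseppe means, here is an added Python sketch (not code from the thread or from Cisco) that carries the metric vector through a receiving router: the update holds the raw fields, and each router recomputes both the advertised distance and its own metric. The interface bandwidth and delay values are assumed textbook defaults for FastEthernet and a T1 serial link.

```python
# Constructed illustration of the metric vector Giuseppe describes, not Cisco
# code: the update carries the raw vector and each router recomputes the metric
# after folding in the interface the update arrived on.
K1, K3 = 1, 1  # default K values; K2, K4, K5 are 0, so reliability/load drop out

# Assumed interface parameters in IOS units: bandwidth in kbit/s, delay in
# microseconds (as "show interface" reports them), MTU in bytes.
FASTETHERNET = {"bandwidth": 100000, "delay": 100, "mtu": 1500}
SERIAL_T1 = {"bandwidth": 1544, "delay": 20000, "mtu": 1500}

def classic_metric(vector):
    """Classic composite metric with K2=K4=K5=0, truncating like IOS does."""
    bw = 10_000_000 // vector["bandwidth"]  # scaled inverse of lowest bandwidth
    delay = vector["delay"] // 10           # cumulative delay in tens of usec
    return 256 * (K1 * bw + K3 * delay)

def originate(interface):
    """Vector a router advertises for a network it is directly connected to."""
    return {"bandwidth": interface["bandwidth"], "delay": interface["delay"],
            "mtu": interface["mtu"], "hop_count": 0}

def receive(vector, inbound):
    """Adjust a received vector for the interface the update was heard on."""
    return {"bandwidth": min(vector["bandwidth"], inbound["bandwidth"]),
            "delay": vector["delay"] + inbound["delay"],
            "mtu": min(vector["mtu"], inbound["mtu"]),
            "hop_count": vector["hop_count"] + 1}

def distances(advertised, inbound):
    """Advertised distance (neighbour's metric) and this router's own metric."""
    return classic_metric(advertised), classic_metric(receive(advertised, inbound))
```

For a FastEthernet network heard over a T1 serial link, distances() returns 28160 as the advertised distance and 2172416 as the local metric, the familiar values from classic EIGRP examples.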