835 Views · 5 Helpful · 7 Replies

md5 authentication in eigrp

sarahr202 (Level 5)

Hi everybody!

I have a question about md5 authentication in eigrp.

Will the following configuration work?

r1 s0-------------------------s0 r2

Both are running eigrp:

r1:
key chain zee
 key 1
  key-string america

r2:
key chain sarah
 key 2
  key-string america

=================

r1:
int s0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 zee

====================

r2:
int s0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 sarah

=================================

Will r1 and r2 be able to authenticate each other?

Thanks a lot!

3 Accepted Solutions (the reply on matching key numbers, the DynamIP test, and Giuseppe's reply on the EIGRP TLVs; all three appear in the thread below)

7 Replies 7

Mohamed Sobair (Level 7)

Hello Sarah,

R1 and R2 will be able to authenticate each other because the "key-string" matches on both.

HTH

Mohamed

Cisco recommends the keys to be the same

http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a00807f5a63.shtml

But I thought the key number must be the same. Otherwise you could create the max number of keys, hoping that 1 key fits :)

I thought that the router drops authentication packets with other keys than configured.

So it will not work

Key chain names can be different

Hello Davy,

in most common examples the key number is the same on both ends, but I think they can be different, like the key chain names

see

http://www.cisco.com/en/US/docs/ios/iproute/command/reference/irp_pi1.html#wp1013148

Only one authentication packet is sent, regardless of the number of valid keys. The software starts looking at the lowest key identifier number and uses the first valid key.

So in this case the two routers should be able to become neighbors

Hope to help

Giuseppe

Hi Guislar,

The text says:

Identification number of an authentication key on a key chain. The range of keys is from 0 to 2147483647. The key identification numbers need not be consecutive.

I tested in DynamIP and apparently they must match

R1
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.252
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 test
router eigrp 1
 network 10.0.0.0 0.0.0.3
 no auto-summary
key chain test
 key 1
  key-string cisco

R2
interface FastEthernet0/0
 ! 10.0.0.2 assumed here; the post as published showed 10.0.0.1 on both routers
 ip address 10.0.0.2 255.255.255.252
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 test
router eigrp 1
 network 10.0.0.0 0.0.0.3
 no auto-summary
key chain test
 key 2
  key-string cisco

debug output

*Mar 1 00:10:56.923: EIGRP: Sending HELLO on FastEthernet0/0
*Mar 1 00:10:56.923: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Mar 1 00:10:57.643: EIGRP: pkt authentication key id = 1, key not defined or not live
*Mar 1 00:10:57.647: EIGRP: FastEthernet0/0: ignored packet from 10.0.0.1, opcode = 5 (invalid authentication)
*Mar 1 00:11:01.199: EIGRP: Sending HELLO on FastEthernet0/0
*Mar 1 00:11:01.199: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Mar 1 00:11:02.567: EIGRP: pkt authentication key id = 1, key not defined or not live
*Mar 1 00:11:02.567: EIGRP: FastEthernet0/0: ignored packet from 10.0.0.1, opcode = 5 (invalid authentication)
*Mar 1 00:11:05.931: EIGRP: Sending HELLO on FastEthernet0/0
*Mar 1 00:11:05.931: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Mar 1 00:11:06.903: EIGRP: pkt authentication key id = 1, key not defined or n

When I adjusted the key, a neighborship was formed
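The debug above shows the receiver looking up the sender's key id in its own key chain before it checks the digest. The following Python model is an added example, not code from the thread or from Cisco IOS; it assumes a simplified keyed MD5 (the real IOS TLV layout and padding are not reproduced), treats every key as live (no send/accept lifetimes), and uses Sarah's two chains as constructed input.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class KeyChain:
    """Simplified IOS key chain: {key id: key-string}.
    The chain name is local to the router and never goes on the wire."""
    name: str
    keys: dict


def auth_digest(payload: bytes, key_string: str) -> bytes:
    # Simplified keyed MD5 over the packet bytes plus the key-string.
    # Assumption: not the exact IOS construction, only its lookup behaviour.
    return hashlib.md5(payload + key_string.encode()).digest()


def send_hello(chain: KeyChain, payload: bytes) -> dict:
    # IOS starts at the lowest key id and uses the first valid key; the
    # packet carries that key id and the digest, not the chain name.
    key_id = min(chain.keys)
    return {"key_id": key_id, "payload": payload,
            "digest": auth_digest(payload, chain.keys[key_id])}


def receive_hello(chain: KeyChain, pkt: dict) -> str:
    # The receiver looks the advertised key id up in its OWN chain first.
    key_string = chain.keys.get(pkt["key_id"])
    if key_string is None:
        return f"pkt authentication key id = {pkt['key_id']}, key not defined or not live"
    if auth_digest(pkt["payload"], key_string) != pkt["digest"]:
        return "ignored packet, opcode = 5 (invalid authentication)"
    return "authenticated"


def exchange(sender: KeyChain, receiver: KeyChain) -> str:
    hello = b"EIGRP HELLO AS 1"  # constructed stand-in for the packet bytes
    return receive_hello(receiver, send_hello(sender, hello))


if __name__ == "__main__":
    r1 = KeyChain("zee", {1: "america"})    # Sarah's r1
    r2 = KeyChain("sarah", {2: "america"})  # Sarah's r2
    print(exchange(r1, r2))  # key id 1 is not defined on r2, same as Davy's debug
    print(exchange(KeyChain("a", {1: "cisco"}), KeyChain("b", {1: "cisco"})))
```

Different chain names with the same key id and key-string authenticate; a sender with keys 1 and 2 still advertises key 1, so a receiver holding only key 2 rejects it.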

Hello Davy,

good feedback

thanks

Giuseppe

Hi everybody!

If you guys don't mind, I have one more question.

Does a router send the cumulative delay and least bandwidth along the path in its updates, or does it also send the metric it calculated to reach a certain subnet?

thanks a lot!

Hello Sarah,

there are two TLVs, one for internal routes and one for external routes:

actually there are separate fields for:
- cumulative delay
- lowest bandwidth
- min MTU on path
- reliability
- load
- router hop count

so the receiving router can easily calculate:
- the advertised distance (received metric)
- the distance (metric) for the local node, by considering the parameters of the interface on which the advertisement is heard and so adjusting the cumulative delay and so on

Hope to help

Giuseppe
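Giuseppe's answer, carried through in code: the TLV carries the vector fields he lists, and the receiver derives both distances from them. This is an added Python example, not code from the thread or from Cisco; it assumes the classic EIGRP composite formula with default K-values and uses constructed interface values (a T1 path heard on FastEthernet).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VectorMetric:
    """Fields carried in the EIGRP internal/external route TLV."""
    delay: int        # cumulative delay, in units of 10 microseconds
    bandwidth: int    # lowest bandwidth on the path, in kbps
    mtu: int          # minimum MTU on the path
    reliability: int  # 1..255 (255 = 100 %)
    load: int         # 1..255
    hop_count: int


@dataclass(frozen=True)
class Interface:
    """Parameters of the local interface the advertisement arrived on."""
    delay: int
    bandwidth: int
    mtu: int
    reliability: int = 255
    load: int = 1


def composite_metric(v: VectorMetric, k1=1, k2=0, k3=1, k4=0, k5=0) -> int:
    # Classic composite metric; with K1=K3=1 and K2=K4=K5=0 it reduces to
    # 256 * (10^7 / lowest_bandwidth + cumulative_delay).
    bw = 10_000_000 // v.bandwidth
    metric = k1 * bw + (k2 * bw) // (256 - v.load) + k3 * v.delay
    if k5:
        metric = metric * k5 // (v.reliability + k4)
    return metric * 256


def advertised_distance(received: VectorMetric) -> int:
    # The neighbour's own metric, recomputed from the vector it sent.
    return composite_metric(received)


def local_vector(received: VectorMetric, ingress: Interface) -> VectorMetric:
    # Adjust each vector field for the inbound interface, as Giuseppe describes.
    return VectorMetric(delay=received.delay + ingress.delay,
                        bandwidth=min(received.bandwidth, ingress.bandwidth),
                        mtu=min(received.mtu, ingress.mtu),
                        reliability=min(received.reliability, ingress.reliability),
                        load=max(received.load, ingress.load),
                        hop_count=received.hop_count + 1)


def local_distance(received: VectorMetric, ingress: Interface) -> int:
    return composite_metric(local_vector(received, ingress))
```

With a received vector of delay 2000 (20 000 us), bandwidth 1544 kbps, MTU 1500, reliability 255, load 1, one hop, and FastEthernet ingress (delay 10, 100000 kbps, MTU 1500), `advertised_distance` gives 2169856 and `local_distance` 2172416: the bandwidth term is unchanged because the T1 stays the bottleneck, only the delay grows.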
