
MD5 authentication in EIGRP

Hi everybody!

I have a question about MD5 authentication in EIGRP.

Will the following configuration work?

r1 s0 ------------------------- s0 r2

Both are running EIGRP:

r1:

key chain zee
 key 1
  key-string america

r2:

key chain sarah
 key 2
  key-string america

=================

r1:

int s0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 zee

====================

r2:

int s0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 sarah

=================================

Will r1 and r2 be able to authenticate each other?

Thanks a lot!


7 REPLIES

Re: MD5 authentication in EIGRP

Hello Sarah,

R1 and R2 will be able to authenticate each other because the "Key-string" matches on both.

HTH

Mohamed

Re: MD5 authentication in EIGRP

Cisco recommends the keys to be the same:

http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a00807f5a63.shtml

But I thought the key number must be the same. Otherwise you could create the max number of keys, hoping that 1 key fits :)

I thought that the router drops authentication packets with other keys than configured.

So it will not work.

Key chain names can be different.


Re: MD5 authentication in EIGRP

Hello Davy,

In most common examples the key number is the same on both ends, but I think they can be different, like the key chain names.

See

http://www.cisco.com/en/US/docs/ios/iproute/command/reference/irp_pi1.html#wp1013148

Only one authentication packet is sent, regardless of the number of valid keys. The software starts looking at the lowest key identifier number and uses the first valid key.

So in this case the two routers should be able to become neighbors.

Hope to help

Giuseppe

Re: MD5 authentication in EIGRP

Hi Guislar,

The text says:

Identification number of an authentication key on a key chain. The range of keys is from 0 to 2147483647. The key identification numbers need not be consecutive.

I tested in Dynamips and apparently they must match.

R1

interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.252
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 test

router eigrp 1
 network 10.0.0.0 0.0.0.3
 no auto-summary

key chain test
 key 1
  key-string cisco

R2

interface FastEthernet0/0
 ! R2 takes the other host address in the /30
 ip address 10.0.0.2 255.255.255.252
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 test

router eigrp 1
 network 10.0.0.0 0.0.0.3
 no auto-summary

key chain test
 key 2
  key-string cisco

debug output

de = 5 (invalid authentication)
*Mar 1 00:10:56.923: EIGRP: Sending HELLO on FastEthernet0/0
*Mar 1 00:10:56.923: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Mar 1 00:10:57.643: EIGRP: pkt authentication key id = 1, key not defined or not live
*Mar 1 00:10:57.647: EIGRP: FastEthernet0/0: ignored packet from 10.0.0.1, opcode = 5 (invalid authentication)
*Mar 1 00:11:01.199: EIGRP: Sending HELLO on FastEthernet0/0
*Mar 1 00:11:01.199: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Mar 1 00:11:02.567: EIGRP: pkt authentication key id = 1, key not defined or not live
*Mar 1 00:11:02.567: EIGRP: FastEthernet0/0: ignored packet from 10.0.0.1, opcode = 5 (invalid authentication)
*Mar 1 00:11:05.931: EIGRP: Sending HELLO on FastEthernet0/0
*Mar 1 00:11:05.931: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Mar 1 00:11:06.903: EIGRP: pkt authentication key id = 1, key not defined or n

When I adjusted the key, a neighborship was formed.
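
A pre-deployment check for the mismatch shown in the debug output above, as an added example that is not part of the original thread: it parses two IOS-style configs and reports, per direction, whether the key ID the sender would use exists on the receiver with the same key-string. The sample configs are constructed from the R1/R2 test, and the function names are hypothetical; it assumes plaintext key-strings and no key lifetimes, so every key counts as valid.

```python
import re

# Constructed sample configs modelled on the R1/R2 test above (not a device dump).
R1_CFG = """\
key chain test
 key 1
  key-string cisco
interface FastEthernet0/0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 test
"""
R2_CFG = R1_CFG.replace(" key 1\n", " key 2\n")  # same string, different key ID

def parse_key_chains(cfg):
    """Return {chain_name: {key_id: key_string}} from IOS-style config text."""
    chains, chain, key_id = {}, None, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"key chain (\S+)", line):
            chain, key_id = chains.setdefault(m.group(1), {}), None
        elif chain is not None and (m := re.fullmatch(r"key (\d+)", line)):
            key_id = int(m.group(1))
        elif key_id is not None and (m := re.fullmatch(r"key-string (.+)", line)):
            chain[key_id] = m.group(1)
        elif line and not raw.startswith(" "):
            chain = key_id = None  # left the key-chain stanza
    return chains

def bound_chain(cfg, asn):
    """Key chain name bound to EIGRP AS `asn` on an interface, or None."""
    m = re.search(rf"ip authentication key-chain eigrp {asn} (\S+)", cfg)
    return m.group(1) if m else None

def can_authenticate(sender_cfg, receiver_cfg, asn=1):
    """One direction only: the sender signs with its lowest-numbered key, and
    the receiver must hold a key with the same ID and the same key-string."""
    tx = parse_key_chains(sender_cfg).get(bound_chain(sender_cfg, asn), {})
    rx = parse_key_chains(receiver_cfg).get(bound_chain(receiver_cfg, asn), {})
    if not tx:
        return False, "sender has no key"
    key_id = min(tx)
    if key_id not in rx:
        return False, f"key id {key_id} not defined on receiver"
    if rx[key_id] != tx[key_id]:
        return False, f"key id {key_id} key-string mismatch"
    return True, f"key id {key_id} accepted"

if __name__ == "__main__":
    print("R1 -> R2:", can_authenticate(R1_CFG, R2_CFG))
    print("R2 -> R1:", can_authenticate(R2_CFG, R1_CFG))
```

Run the check in both directions, since each router signs with its own lowest-numbered key.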


Re: MD5 authentication in EIGRP

Hello Davy,

Good feedback

thanks

Giuseppe


Re: MD5 authentication in EIGRP

Hi everybody!

If you guys don't mind, I have one more question.

Does the router send the cumulative delay and least bandwidth along the path in the update, or does it also send the metric that it calculated to reach a certain subnet?

thanks a lot!


Re: MD5 authentication in EIGRP

Hello Sarah,

There are two TLVs, one for internal routes and one for external routes.

Actually there are separate fields for:

cumulative delay

lowest Bandwidth

min MTU on path

reliability

load

router hop count

So the receiving router can easily calculate:

the advertised distance (received metric)

the distance (metric) for the local node by considering the parameters of the interface on which the advertisement is heard and so adjusting the cumulative delay and so on

Hope to help

Giuseppe
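
The receiver-side calculation described in the reply above, as an added example that is not part of the original thread: the received fields give the advertised distance directly, and folding in the receiving interface's values gives the local distance. The classic composite formula with default K values is an assumption not stated in the thread, the class and function names are hypothetical, and the input values are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vector:
    """Per-route values carried in an update (subset of the fields listed above)."""
    min_bw_kbps: int   # lowest bandwidth on the path
    delay_usec: int    # cumulative delay
    min_mtu: int       # smallest MTU on the path

def composite(v):
    """Classic EIGRP metric with default K values (K1 = K3 = 1, rest 0).
    Assumption: this formula is not given in the thread."""
    return 256 * (10**7 // v.min_bw_kbps + v.delay_usec // 10)

def receive_update(adv, if_bw_kbps, if_delay_usec, if_mtu):
    """Return (advertised distance, local distance, vector to re-advertise)."""
    local = Vector(
        min(adv.min_bw_kbps, if_bw_kbps),   # keep the lowest bandwidth seen
        adv.delay_usec + if_delay_usec,     # add the receiving interface's delay
        min(adv.min_mtu, if_mtu),           # keep the smallest MTU seen
    )
    return composite(adv), composite(local), local

# Constructed input: a neighbor advertises its connected FastEthernet network,
# and the update is heard on a T1 serial interface.
ADVERTISED = Vector(min_bw_kbps=100_000, delay_usec=100, min_mtu=1500)
SERIAL = dict(if_bw_kbps=1544, if_delay_usec=20_000, if_mtu=1500)

if __name__ == "__main__":
    ad, fd, vec = receive_update(ADVERTISED, **SERIAL)
    print("advertised distance:", ad)
    print("local distance:", fd)
    print("vector to re-advertise:", vec)
```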
