10-24-2007 12:24 PM - edited 03-03-2019 07:19 PM
Hi,
I'm trying to find something out. I want to know if you need to have the same key ID with EIGRP between two interfaces that are authenticating with each other.
E.g. - you use MD5 authentication to secure EIGRP. You then choose an MD5 pre-shared key and this is associated with a key ID that you have to choose, i.e. 1. It is not clear within Cisco documentation as to whether this key ID has to be the same at both ends.
With OSPF, the key ID definitely has to be the same at both ends - http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.0/routing/configuration/guide/rc3ospf.html -
"message-digest-key key-id md5 [encryption-type] key
Example:
RP/0/RP0/CPU0:router(config-router)#
message-digest-key 4 md5 0 yourkey
Specifies the MD5 authentication key for the OSPF process.
• Your neighbor router must have the same key identifier."
I'd appreciate confirmation, preferably with a source to confirm this for me.
Thanks.
10-24-2007 12:43 PM
EIGRP employs key-chain instead of key-id as OSPF.
Here is a sample config for EIGRP MD5
First, you create the key-chain
_____________
key chain EIGRP
key 1
key-string CISCO
_______________
Second, you apply the key-chain to the interface
________________
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 EIGRP
________________
The '1' on the example above is not the key-id but the EIGRP AS number.
HTH,
10-24-2007 01:47 PM
Edsion,
I just tested and I receive an error if the key IDs are not the same.
Also, I doubt that the key ID references the EIGRP AS.
This is what I tested:
R1
key chain test1
key 2
key-string cisco
interface Serial2/0
ip address 10.10.10.1 255.255.255.0
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 test1
On R2
key chain test
key 1
key-string cisco
interface Serial2/0
ip address 10.10.10.2 255.255.255.0
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 test
See the debug output. Now if I change the key ID to 1 on R1, the adjacency comes up (the number used is not the EIGRP AS).
*Mar 1 00:05:38.111: EIGRP: Sending HELLO on Serial2/0
*Mar 1 00:05:38.111: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Mar 1 00:05:39.451: EIGRP: pkt authentication key id = 2, key not defined or not live
*Mar 1 00:05:39.451: EIGRP: Serial2/0: ignored packet from 10.10.10.1, opcode = 5 (invalid authentication)
*Mar 1 00:05:42.775: EIGRP: Sending HELLO on Serial2/0
*Mar 1 00:05:42.775: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Mar 1 00:05:44.215: EIGRP: pkt authentication key id = 2, key not defined or n
R1(config)#key chain test1
R1(config-keychain)#key
R1(config-keychain)#key 1
R1(config-keychain-key)#key
R1(config-keychain-key)#key-string cisco
R1(config-keychain-key)#^Z
R1#
R1#
R1#
*Mar 1 00:13:00.703: %SYS-5-CONFIG_I: Configured from console by console
*Mar 1 00:13:01.379: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.10.10.2 (Serial2/0) is up: new adjacency
R1#
Am I missing something?
Narayan
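An added example, not part of any post in this thread: a small Python check over two constructed configs modelled on the R1/R2 test above, reporting when the key ID one side sends is not defined on the peer, while ignoring the key chain names, which are local to each router. The function names are hypothetical, key lifetimes are not modelled, and each sender is assumed to use its lowest-numbered key.

```python
# Constructed sample configs modelled on the R1/R2 test in the post above.
R1 = """key chain test1
 key 2
  key-string cisco
interface Serial2/0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 test1
"""
R2 = """key chain test
 key 1
  key-string cisco
interface Serial2/0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 test
"""

def parse(config):
    """Return ({chain: {key_id: key_string}}, {(interface, asn): chain})."""
    chains, bindings, chain, key_id, intf = {}, {}, None, None, None
    for words in (l.split() for l in config.splitlines() if l.strip()):
        if words[:2] == ["key", "chain"] and len(words) == 3:
            chain, key_id, intf = words[2], None, None
            chains[chain] = {}
        elif words[0] == "interface" and len(words) == 2:
            intf, chain = words[1], None
        elif chain and words[0] == "key" and len(words) == 2 and words[1].isdigit():
            key_id = int(words[1])
        elif chain and words[0] == "key-string" and key_id is not None:
            chains[chain][key_id] = words[-1]
        elif intf and words[:4] == ["ip", "authentication", "key-chain", "eigrp"]:
            bindings[(intf, int(words[4]))] = words[5]
    return chains, bindings

def audit(cfg_a, cfg_b, intf_a, intf_b, asn):
    """List reasons the two ends would reject each other's EIGRP packets."""
    ends, problems = [], []
    for name, cfg, intf in (("A", cfg_a, intf_a), ("B", cfg_b, intf_b)):
        chains, bindings = parse(cfg)
        ends.append((name, chains.get(bindings.get((intf, asn)), {})))
    for (tx, tx_keys), (rx, rx_keys) in (ends, ends[::-1]):
        # Assumption: key lifetimes are not modelled, so the sender uses its
        # lowest-numbered key and the receiver looks that key ID up locally.
        kid = min(tx_keys, default=None)
        if kid is None:
            problems.append(f"{tx}: no key chain with keys bound for AS {asn}")
        elif kid not in rx_keys:
            problems.append(f"{rx} has no key {kid}, which {tx} sends")
        elif rx_keys[kid] != tx_keys[kid]:
            problems.append(f"key {kid}: key-string differs between {tx} and {rx}")
    return problems
```

Calling `audit(R1, R2, "Serial2/0", "Serial2/0", 100)` on the configs as first tested reports a missing key in each direction; adding key 1 to chain test1, as in the console session above, clears both findings.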
10-24-2007 02:06 PM
Narayan,
You are correct. I was referring to how OSPF implements key-id vs EIGRP's.
EIGRP uses 'key chain' for routing authentication and OSPF uses the key-id right on the interface.
10-25-2007 02:09 AM
Thanks for your help in clearing this up for me.