Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

Bronze

EIGRP auth

Hi,

I have many routers configured with EIGRP, and i want now to add message authentication to the EIGRP.

As you know, when i enable the message auth on an interface, the router will lost eigrp to its neighbor and therfore the network will be down.

Is there is any technique for example that delays implementing the message auth for sometime untill i made the config to all routers?

Thanks in advance

Abd Alqader

13 REPLIES
Hall of Fame Super Blue

Re: EIGRP auth

Abd

I have not tried this but one thing springs to mind. When you enable authentication for EIGRP you specify the AS under the interface configuration eg.

int s0/0

ip authentication mode eigrp 10 md5

What you may be able to do is configure a second eigrp process on your router and then ensure that neighborships and routes are being exchanged for this AS as well as your original one. Then you can configure authentication for the original AS while the new AS maintains the routes in your routing table.

Once authentication has been configured and verified on all routers you can then remove the second AS.

Alternatively you could configure a second routing protocol on your routers such as OSPF/RIP although you would need to change the administrative distance because EIGRP is better than both OSPF and RIP.

Both possible solutions would need testing, especially the second EIGRP AS and there will obviously be a temporary additional overhead on your routers.

If you decide to try it let me know how you get on.

Jon

Hall of Fame Super Silver

Re: EIGRP auth

Hello Abd,

you can take advantage of the key chain concept that allows to define a time window for key validity and usage.

The requirement is that all routers have NTP configured and are in sync.

see

interface ethernet 1

ip authentication mode eigrp 1 md5

ip authentication key-chain eigrp 1 holly

key chain holly

key 1

key-string 0987654321

accept-lifetime 04:00:00 Dec 4 2006 infinite

send-lifetime 04:00:00 Dec 4 2006 04:48:00 Dec 4 1996

exit

key 2

key-string 1234567890

accept-lifetime 04:00:00 Jan 4 2007 infinite

send-lifetime 04:45:00 Jan 4 2007 infinite

see

http://www.cisco.com/en/US/docs/ios/iproute/configuration/guide/irp_cfg_eigrp_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1055004

you can set the usage of the key for some time in the future 1 or 2 days so you have time to configure all the routers in your network.

You can use this also in the future to deploy a key change.

Hope to help

Giuseppe

Bronze

Re: EIGRP auth

Hello Giuseppe,

I configured 4 routers with NTP client and they request the time from NTP server (router 5).

All in the same time sync.

And also i created a key chain in all the five routers as follows:

!

key chain test-CHAIN

key 11

key-string test_traffic

accept-lifetime 15:45:00 6 sep 2008 infinite

send-lifetime 15:45:00 6 sep 2008 infinite

!

I entered the interface mode and i applied ip authentication key-chain eigrp 1 test-CHAIN

and everything works fine and we still have EIGRP neighborship with the peers.

But once i applied

ip authentication mode eigrp 1 md5

the peer is down and i lost the connectivity.

By the way the time was "15:33:00.137 GMT Sat Sep 6 2008".

Please advise!

Dear Joy Marshall,

I will try it by addinf a second EIGRP AS and i will let you know, but after i tried the time issue with the key chain.

Thanks

Abd Alqader

Hall of Fame Super Silver

Re: EIGRP auth

Hello Abd and Jon,

luckily Abd tried this on a lab environment.

From the results we can say that an EIGRP process once configured for MD5 on the interface even without a valid key (it will be valid in the future) doesn't fall back to unauthenticated mode.

I had done extensive functional and performance tests but on OSPF authentication some years ago.

The suggestion by Jon will work because EIGRP include the AS number in each protocol message so you can easily duplicate the EIGRP config in each router have both running. Then you modify the config for process eigrp 1 to enable authentication and later remove the second process on all routers after adjacencies are restored. I would use the key-chain in order to be able to change the key in the future.

As a test could be interesting to see what happens with a valid key: if this time the key in the key-chain is already valid to see if the routers are able when inserting the command ip authentication mode eigrp 1 md5 to at least recover the neighborship quickly.

Here we are looking for EIGRP neighbor state machine that is simpler than that of OSPF: in OSPF adding authentication causes a restart of the neighbor state machine.

Best Regards

Giuseppe

Hall of Fame Super Blue

Re: EIGRP auth

Guiseppe

"luckily Abd tried this on a lab environment" - yes, very lucky !

"The suggestion by Jon will work because EIGRP"

do you know for a fact if this will work. Ordinarily i would try it out myself but i don't have access to a lab. Just wanted to know for future reference.

Jon

Hall of Fame Super Bronze

Re: EIGRP auth

It does work, else you would've heard from me :)

Hall of Fame Super Blue

Re: EIGRP auth

Good to know you are keeping me honest :)

Thanks Edison.

Hall of Fame Super Silver

Re: EIGRP auth

Hello Jon,

I haven't access to a lab in these days, too.

I apologize for my first proposal that was a real denial of service.

With the precedent of the first post the question is very correct !

However, I trust theory that leads to say that two EIGRP processes on the same set of interfaces/subnets can work.

here, there is no space for implementation choices: if all packets contain the eigrp AS number they can be sent and received without causing confusion.

Best Regards

Jon

Hall of Fame Super Bronze

Re: EIGRP auth

Rack1R2#sh run | sec eigrp

router eigrp 1

network 150.1.2.2 0.0.0.0

network 192.168.12.2 0.0.0.0

no auto-summary

router eigrp 2

network 150.1.2.2 0.0.0.0

network 192.168.12.2 0.0.0.0

no auto-summary

_______________

Rack1R1#sh run | sec eigrp

router eigrp 1

network 192.168.12.1 0.0.0.0

no auto-summary

router eigrp 2

network 192.168.12.1 0.0.0.0

no auto-summary

_____________

Rack1R1#sh ip eigrp topo

IP-EIGRP Topology Table for AS(1)/ID(192.168.12.1)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,

r - reply Status, s - sia Status

P 192.168.12.0/30, 1 successors, FD is 2169856

via Connected, Serial1/0

P 150.1.2.2/32, 1 successors, FD is 2297856

via 192.168.12.2 (2297856/128256), Serial1/0

IP-EIGRP Topology Table for AS(2)/ID(192.168.12.1)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,

r - reply Status, s - sia Status

P 192.168.12.0/30, 1 successors, FD is 2169856

via Connected, Serial1/0

P 150.1.2.2/32, 0 successors, FD is Inaccessible

via 192.168.12.2 (2297856/128256), Serial1/0

Rack1R2#sh ip eigrp topology

IP-EIGRP Topology Table for AS(1)/ID(192.168.12.2)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,

r - reply Status, s - sia Status

P 192.168.12.0/30, 1 successors, FD is 2169856

via Connected, Serial1/0

P 150.1.2.2/32, 1 successors, FD is 128256

via Connected, Loopback0

IP-EIGRP Topology Table for AS(2)/ID(150.1.2.2)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,

r - reply Status, s - sia Status

P 192.168.12.0/30, 1 successors, FD is 2169856

via Connected, Serial1/0

P 150.1.2.2/32, 1 successors, FD is 128256

via Connected, Loopback0

_____________

While configuring R1 for authentication and using AS 2.

Rack1R1(config-if)#ip authentication mode eigrp 2 md5

!

!

*Mar 1 00:08:00.023: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 2: Neighbor 192.168.12.2 (Serial1/0) is down: authentication mode changed

R1 keeps reachability to 150.1.2.2 via AS1

Rack1R1#sh ip eigrp to

IP-EIGRP Topology Table for AS(1)/ID(192.168.12.1)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,

r - reply Status, s - sia Status

P 192.168.12.0/30, 1 successors, FD is 2169856

via Connected, Serial1/0

P 150.1.2.2/32, 1 successors, FD is 2297856

via 192.168.12.2 (2297856/128256), Serial1/0

IP-EIGRP Topology Table for AS(2)/ID(192.168.12.1)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,

r - reply Status, s - sia Status

P 192.168.12.0/30, 1 successors, FD is 2169856

via Connected, Serial1/0

_____________

After configuring authentication in R2:

Rack1R1#

*Mar 1 00:10:27.391: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 2: Neighbor 192.168.12.2 (Serial1/0) is up: new adjacency

Rack1R1#sh ip eigrp to

IP-EIGRP Topology Table for AS(1)/ID(192.168.12.1)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,

r - reply Status, s - sia Status

P 192.168.12.0/30, 1 successors, FD is 2169856

via Connected, Serial1/0

P 150.1.2.2/32, 1 successors, FD is 2297856

via 192.168.12.2 (2297856/128256), Serial1/0

IP-EIGRP Topology Table for AS(2)/ID(192.168.12.1)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,

r - reply Status, s - sia Status

P 192.168.12.0/30, 1 successors, FD is 2169856

via Connected, Serial1/0

P 150.1.2.2/32, 0 successors, FD is Inaccessible

via 192.168.12.2 (2297856/128256), Serial1/0

___

HTH,

Hall of Fame Super Blue

Re: EIGRP auth

Giuseppe

This is a much better solution than my options but one question.

I thought the option of setting lifetimes on keys was to allow a smooth transition between keys rather than initial setup. Because with initial setup as soon as you specify authentication it's going to need a key to use.

Have you used your solution to go from unauthenticated to authenticated ?

Jon

Blue

Re: EIGRP auth

Jon is right.

I'm wondering what the Hellos and Holdtime are set for. In a converged network, EIGRP shouldn;t send anything but Hellos every configured time inetrval, 5 30 by default on T1 speeds and above, and 60 180 on speeds below T1.

I wonder what would happen if he set the EIGRP hellos to a high interval and then QUICKLY configure the EIGRP neighbor before that HEllo time expires....?

[EDIT] Scratch that. it's a stupid idea. I just tried it in a lab and it failed. I think that the router must send a HEllo as soon as any configuration is done to the neighborship process. And once it does, the neighbor is down. And, since youve changed the timers to be so slow, you will have to wait a long time for the neighborship to come up. [EDIT]

Thnaks

Victor

Hall of Fame Super Bronze

Re: EIGRP auth

Giuseppe,

The key chain delay is useful when moving from one password to another in an already authenticated EIGRP infrastructure. Once you enable the MD5 hash, the remote router must have MD5 enabled else the connection is lost.

HTH,

__

Edison.

Bronze

Re: EIGRP auth

Thanks to all.

Yes, i think the key chain option is valid if we change the password not from un-authenticated to authenticated environment.

I will try the second option by creating a new EIGRP AS in my lab tomorrow and i will let you know.

by the way, i think the last option is to keep the current AS and start applying the auth from spoke routers toward the hub interface by interface.

Thanks again

Abd Alqader

237
Views
0
Helpful
13
Replies