
adding EIGRP authentication on existing EIGRP config without interrupt

rabbyx7xafc
Level 1

Hey fellow netheads,

So here is the scenario. We have over 50 Cisco branches connected to the ASR in our DC in an mGRE/DMVPN configuration with EIGRP running.

We need to add MD5 authentication to the EIGRP. Now, as I understand it, as soon as I configure the authentication on the core, all those 50 branches will break their EIGRP neighborship with the ASR until I configure the same on the branches.

What would be the best way to approach this without impacting all the remote sites at the same time?

Can I configure a new instance of EIGRP (the current one is router eigrp 1), and add them one by one to the new one while removing them from the old one?

Any advice would be highly appreciated.

Accepted Solutions

Hello
TBH I'm not sure this is applicable without incurring an outage, especially in a DMVPN environment, as the DMVPN NHS (hub) is servicing all NHCs (spokes) and EIGRP authentication is applied on a per-interface basis, so as soon as you apply authentication on either the NHS or NHC tunnels the EIGRP adjacency will drop.
Adding an additional EIGRP stanza won't make any difference either.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

6 Replies

Hi, I tried your 2nd option in GNS3 and it worked. Creating another EIGRP instance and using the same networks with new neighbor connectivity worked for me.

 

rate this and mark as answer if you solved your concern from this

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Hello,

 

I think you can define an accept lifetime on the key chain. If you set this to a future date, you can add the keys without them actually being active until that date. I'll lab this up to check if this works...

Hello @Georg Pauwen 

The key chain lifetimes are for the keys' expiration, nothing more; if you don’t specify a lifetime the keys just won’t expire. As such I'm quite sure even specifying a future lifetime would not work, but it’s worth testing?



Kind Regards
Paul

@paul driver You are absolutely right, I just tested this and indeed as soon as the authentication is added to the interface, the neighbor goes down. Probably an EEM script that runs at midnight would be a solution...

Cheers @Georg Pauwen for the validation, much appreciated.



Kind Regards
Paul
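
Added example, not part of any post in this thread and not tested by its participants: a sketch of the midnight EEM approach mentioned above, staging the key chain ahead of time and applying the per-interface MD5 commands on hub and spokes at the same scheduled minute. The adjacency still resets when the commands land, as the thread found. Assumptions: classic-mode `router eigrp 1` (from the question), tunnel interface `Tunnel0`, key chain name `EIGRP-KEYS`, a placeholder key string, and NTP-synchronized clocks on all routers.

```ios
! Constructed example. Tunnel0, EIGRP-KEYS, the applet name and the key
! string are placeholders (assumptions), not values from the thread.
!
! Step 1: define the key chain on the hub and on every spoke.
! An unreferenced key chain has no effect on existing adjacencies.
key chain EIGRP-KEYS
 key 1
  key-string <shared-secret-placeholder>
!
! Step 2: stage the same applet on the hub and on every spoke.
! Nothing changes until the cron time (00:00 here) is reached.
event manager applet EIGRP-AUTH-CUTOVER
 event timer cron cron-entry "0 0 * * *"
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface Tunnel0"
 action 4.0 cli command "ip authentication mode eigrp 1 md5"
 action 5.0 cli command "ip authentication key-chain eigrp 1 EIGRP-KEYS"
 action 6.0 cli command "exit"
 ! Remove the applet so it does not run again the following night.
 action 7.0 cli command "no event manager applet EIGRP-AUTH-CUTOVER"
 action 8.0 cli command "end"
 action 9.0 syslog msg "EIGRP MD5 authentication applied on Tunnel0"
!
! Step 3: after the window, verify on the hub and on a sample of spokes:
!  show key chain
!  show ip eigrp interfaces detail Tunnel0
!  show ip eigrp neighbors
```

A spoke that missed the staging step stays down after the cutover, so confirm the key chain and applet are present on every router (`show key chain`, `show event manager policy registered`) before the scheduled time.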
