10-03-2021 08:14 PM
Hey fellow netheads,
So here is the scenario. We have over 50 Cisco branches connected to the ASR in our DC in an mGRE/DMVPN configuration with EIGRP running.
We need to add MD5 authentication to the EIGRP. Now as I understand, as soon as I configure the authentication on the core, all those 50 branches will break their EIGRP neighbourship with the ASR until I configure the same on the branches.
What would be the best way to approach this without impacting all the remote sites at the same time?
Can I configure a new instance of EIGRP (the current one is router eigrp 1), and add them one by one to the new one while removing them from the old one?
Any advice would be highly appreciated.
10-04-2021 01:10 AM
Hello
TBH I'm not sure this is achievable without incurring an outage, especially in a DMVPN environment, as the DMVPN NHS (hub) is servicing all NHCs (spokes) and EIGRP authentication is applied on a per-interface basis, so as soon as you apply authentication on either the NHS or NHC tunnels, the EIGRP adjacency will drop.
Adding an additional EIGRP stanza won't make any difference either.
10-03-2021 09:15 PM
Hi, I tried your 2nd option in GNS3 and it worked. Creating another EIGRP instance and using the same networks with new neighbor connectivity worked for me.
Rate this and mark it as the answer if it solved your concern.
10-03-2021 11:07 PM
Hello,
I think you can define an accept lifetime on the key chain. If you set this to a future date, you can add the keys without them actually being active until that date. I'll lab this up to check if this works...
10-04-2021 01:28 AM
Hello @Georg Pauwen
The key chain lifetimes are for the keys' expiration, nothing more. If you don’t specify a lifetime, the keys just won’t expire. As such, I'm quite sure even specifying a future lifetime would not work, but it’s worth testing?
10-04-2021 01:51 AM
@paul driver You are absolutely right, I just tested this and indeed, as soon as the authentication is added to the interface, the neighbor goes down. Probably an EEM script that runs at midnight would be a solution...
10-04-2021 02:07 AM
Cheers @Georg Pauwen for the validation, much appreciated.