Hello Deepak,

Thank you for your question!

If you are using MD5 or SHA-256 authentication, both the key number and the key string must match between the routers. If any documents state otherwise, they are likely incorrect - can you link them here? I would like to have a look.

As you know, a key chain can hold multiple keys, each having a unique key number. This means that an outgoing EIGRP packet can be signed using multiple keys, and an incoming EIGRP packet can be verified against multiple keys - but there has to be a way to uniquely select a particular key to sign a packet, and verify it. So, this is what happens:

When sending packets, EIGRP will pick the first valid key (a key with the lowest key number whose send-lifetime has not expired yet) and authenticate the packet contents. The key number will also be included in the packet. The receiving router will use this key number to select the proper key in the key chain to verify the signature of the packet. Clearly, if the key numbers do not match between routers, the receiving router will be unable to find the correct key to verify the received packet, or will use a different key than intended.

Please feel welcome to ask further!

Best regards,
Peter

Hi,

This the example:

https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13719-50.html

key chain kal
!--- Name a key chain. A key chain may contain more than one key for added security. !--- It need not be identical on the remote router.
key 1
!--- This is the Identification number of an authentication key on a key chain. !--- It need not be identical on the remote router. 
key-string 234
!--- The actual password or key-string. !--- It needs to be identical to the key-string on the remote router. 
!

Regards,

Deepak Kumar

Hi @Peter Paluch 

Sorry, This was my misunderstanding about this document. I missed the word "Plain Text Authentication" in the article. Now I went through this link (this is my 5th time, Bad luck) and found missing line. Above statement is only valid with Plain text authentication. 

I am really sorry for this miss understanding.

Regards,

Deepak Kumar

Hi Deepak,

No apologies needed whatsoever!

Yes, indeed - for plaintext authentication, protocols typically don't include the key number in the authenticated packets. This is, however, entirely up to how the authentication mechanism has been implemented for the protocol, and different protocols may differ in their behavior.

For EIGRP, this does not really apply since EIGRP does not support plaintext authentication. For EIGRP, key numbers must always match as well as key strings.

Thank you for joining, and please keep the questions coming! ;)

Best regards,
Peter

Hello Peter, I will try to expand this further.

The main idea behind taking the values only when the route is advertised and not take them dynamically is the stability, as already mentioned. But why? If EIGRP would read dynamically those values, the changes in the topology would be too constant and would make it unstable.

Lets take load as an example: The load on a link is a variable value that changes according to the usage.

Please, consider the topology in the image attached. Assume EIGRP would be reading the values dynamically for this example

Router A has 2 paths to D. The A-B link and the A-C link, both having 10Mb of bandwidth. If the primary path to D is the link between A and C and it would bear a high load (assume a high usage of the bandwidth), then it would be advertised and EIGRP would switch it to the link between A and B. But what would happen if now the A-B link also gets loaded?

Then it would switch again to A-C, because A-C link is not loaded. And then it would switch back quickly to A-B again for the same reason, and this pendulum would be moving back and forth as utilization in the links changes over time. 

It would depend on the traffic volume and how fast the traffic would be bouncing between those links.

The churn in the values and their consequences, which in this case would be instability, are reason to not read these values dynamically.

------------------------------------------------------

EDIT: Came back to complement the answer:

The route is not being advertised when those 2 metric components are changed over time (not causing triggered update, when changed). How they can cause the network unstability then?

No, they would not cause instability if only taken as snapshots. They are for the most part, useless in that regard. Those metrics were kept as a backwards compatibility mechanism for redistribution to work between IGRP and EIGRP.

------------------------------------------------------

Hope that helps. Please don't hesitate to ask of anything else can be clarified.

Thanks!

Hello David.

Thank you for the explanation, it makes sense now :)

Peter F.

Hello Peter

Fantastic! I'm glad it was helpful :)

Please, don't hesitate on posting more questions, keep 'em coming! :D 

Thanks!

Hi Alan,

Thank you for joining us!

The H stands for Handle. A handle is an internal ID referring to a particular EIGRP neighbor in a protocol-independent way - instead of the software code referring to a neighbor by its address (which would be different for IPv4, IPv6, IPX, or AppleTalk EIGRP used to support), EIGRP instead assigns the particular neighbor a simple, address-family-independent number, and refers to the neighbor through this number. The handle is a value entirely local to the router, and is not advertised in any EIGRP packets.

For all practical purposes, the H column simply enumerates the neighbors in the ascending order in which they have been discovered, starting from 0 upwards.

Please feel welcome to ask further!

Best regards,
Peter

Thank you. When i was doing my CCNA course work many, many moons ago, this was one of the few unexplained and perhaps undocumented details about EIGRP, and one for which my trainer Jeremy challenged us to find an answer. Better late than never I guess.