
EIGRP Authentication

Hi All,

 

As per the EIGRP Authentication steps:

 

Key chain configuration steps:
A) First we need to configure the key chain in global configuration mode.
B) Under the key chain we need to configure the key number. The key number must match on both routers and should be active. If multiple key numbers are configured on a router, then the router selects the lowest number for authentication.
C) Once you configure the key number you need to issue the authentication string.

Suppose I have a key chain with two key identifiers on R1 and on R2 like below. Will it work?

 

R1 - Key chain one
Key 1
key-string cisco
key 2
key-string admin

and in R2 - Key chain two
key 10
key-string cisco
key 15
key-string admin

 

Also, what is the use / need for more than one key identifier in a key chain? How will EIGRP process this?

 

Regards,

Gan

3 Replies 3

 Hi,

Key chain name as well as key numbers do not have to match on the neighboring routers.

The key chain configuration concept allows the engineer to migrate from one key value to another over time. Just like a real key chain that has multiple keys, the IOS key chain concept allows the configuration of multiple keys—each identified with a number. If no lifetime has been configured for a key, it is considered to be valid during all time frames. However, when a key has been defined with a lifetime, the key is valid only during the valid lifetime.

Sending EIGRP messages: Use the lowest key number among all currently valid keys.
Receiving EIGRP message: Check the MD5 digest using ALL currently valid keys for match.

HTH

kazim

Hi kazim,

Just so I understand: if I am not configuring any lifetime value for a key string, then the string of the lowest-value key identifier is considered the key string for authentication.

 

R1

Key chain one
Key 1
Key-string cisco (this key value will be considered by the EIGRP packets for authentication) -- Sending EIGRP messages: Use the lowest key number among all currently valid keys.
Key 2
Key-string admin

Suppose in R2 I configured as below:

Key chain two
Key 10
Key-string admin
Key 15
Key-string cisco

So in the above case, can the received EIGRP packets be checked with all the key identifiers, or will only the lowest-value key identifier be checked? - Receiving EIGRP message: Check the MD5 digest using ALL currently valid keys for match.

Regards,

Gan

 

Hi Ganalagu,

I tested it and it will not work; the statement I posted above is according to my bookish knowledge. Thanks, you gave me a chance to review my understanding.

So finally, Cisco recommended:

Note: It is recommended that the key number be the same on all routers involved in the configuration

For reference see this link:

http://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/82110-eigrp-authentication.html

HTH
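
The outcome reported in this thread, as an added example that is not part of any post above: a simplified Python model in which the sender signs with its lowest-numbered valid key and the receiver looks up the key number carried in the packet. The model assumes the packet carries the sender's key number, which is consistent with the test result in the last reply; the digest function, the packet layout and the `R2_SAME_IDS`, `ROLL` and `OLD` chains are constructed for illustration and are not the EIGRP wire format.

```python
import hashlib
import hmac
from dataclasses import dataclass

INF = float("inf")

@dataclass
class Key:
    key_id: int
    secret: str
    send: tuple = (0, INF)    # send-lifetime window; default = always valid
    accept: tuple = (0, INF)  # accept-lifetime window; default = always valid

def digest(secret, payload):
    # Stand-in for the keyed MD5 digest (assumption, not the EIGRP wire format).
    return hashlib.md5(secret.encode() + payload).hexdigest()

def send(chain, payload, now):
    """Sign with the lowest-numbered key whose send window covers `now`."""
    valid = [k for k in chain if k.send[0] <= now <= k.send[1]]
    if not valid:
        return None  # no usable key: nothing authenticated can be sent
    key = min(valid, key=lambda k: k.key_id)
    return {"key_id": key.key_id, "payload": payload,
            "digest": digest(key.secret, payload)}

def accept(chain, packet, now):
    """Look up the key number carried in the packet, then compare digests."""
    if packet is None:
        return False
    for k in chain:
        if k.key_id == packet["key_id"] and k.accept[0] <= now <= k.accept[1]:
            return hmac.compare_digest(digest(k.secret, packet["payload"]),
                                       packet["digest"])
    return False  # receiver has no valid key with that number

def adjacency(a, b, now=0):
    """Both directions must authenticate before neighbours can form."""
    hello = b"constructed-hello"
    return (accept(b, send(a, hello, now), now)
            and accept(a, send(b, hello, now), now))

# Key chains from the thread: same strings, different key numbers.
R1 = [Key(1, "cisco"), Key(2, "admin")]
R2 = [Key(10, "cisco"), Key(15, "admin")]
R2_SAME_IDS = [Key(1, "cisco"), Key(2, "admin")]  # numbers match R1
# Constructed rollover: key 1 sent until t=99, key 2 sent from t=100.
ROLL = [Key(1, "cisco", send=(0, 99), accept=(0, 150)),
        Key(2, "admin", send=(100, INF), accept=(50, INF))]
OLD = [Key(1, "cisco")]  # constructed: a router never given key 2
```

In this model `adjacency(R1, R2)` is false while `adjacency(R1, R2_SAME_IDS)` is true, and `adjacency(ROLL, OLD, now=120)` shows a rollover failing once the sender moves to a key number the neighbour was never given.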
