As per the EIGRP Authentication steps:
Key chain configuration steps:
A) First we need to configure a key chain in global configuration mode.
B) Under the key chain we need to configure a key number. The key number must match on both routers and should be active. If multiple key numbers are configured on a router, then the router selects the lowest number for authentication.
C) Once you configure the key number you need to issue the authentication string.
Suppose a key chain has two key identifiers on R1 and on R2 like below. Will it work?
R1 - Key chain one
and in R2 - Key chain two
Also, what is the use of / need for more than one key identifier in a key chain? How will EIGRP process this?
Key chain name as well as key numbers do not have to match on the neighboring routers.
The key chain configuration concept allows the engineer to migrate from one key value to another over time. Just like a real key chain that has multiple keys, the IOS key chain concept allows the configuration of multiple keys—each identified with a number. If no lifetime has been configured for a key, it is considered to be valid during all time frames. However, when a key has been defined with a lifetime, the key is valid only during the valid lifetime.
Sending EIGRP messages: Use the lowest key number among all currently valid keys.
Receiving EIGRP message: Check the MD5 digest using ALL currently valid keys for match.
Just so I understand: if I am not configuring any lifetime value for a key string, then the key string of the lowest-value key identifier is considered as the key string for authentication.
Key chain one
Key-string cisco (this is the key value that will be considered by the EIGRP packets for authentication) -- Sending EIGRP messages: Use the lowest key number among all currently valid keys.
Suppose in R2 I configured as below:
Key chain two
So in the above case, can the received EIGRP packets be checked against all the key identifiers, or will they be checked only against the lowest-value key identifier? - Receiving EIGRP message: Check the MD5 digest using ALL currently valid keys for match.
I tested it; it will not work. The statement I posted above is according to my bookish knowledge. Thanks, you gave me a chance to review my understanding.
So finally, Cisco recommended:
Note: It is recommended that the key number be the same on all routers involved in the configuration
For reference see this link:
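
The setup the thread converges on, as an added configuration example that is not part of the original posts: different key chain names (`one`, `two`) but the same key numbers and strings on both routers, with lifetimes used to roll from key 1 to key 2. The AS number 100, the interface name, the second key string and all dates are constructed assumptions.

```cisco
! Constructed example: AS 100, GigabitEthernet0/0, key strings and dates are assumptions.
! Key lifetimes depend on the router clock, so both routers need synchronized time.
!
! ----- R1 -----
key chain one
 key 1
  key-string cisco
  ! Stop sending with key 1 on Feb 1, keep accepting it until Mar 1
  accept-lifetime 00:00:00 Jan 1 2025 00:00:00 Mar 1 2025
  send-lifetime 00:00:00 Jan 1 2025 00:00:00 Feb 1 2025
 key 2
  key-string cisco-new
  ! Valid from Jan 25; while key 1 is still valid for sending,
  ! key 1 is used because it is the lowest valid key number
  accept-lifetime 00:00:00 Jan 25 2025 infinite
  send-lifetime 00:00:00 Jan 25 2025 infinite
!
interface GigabitEthernet0/0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 one
!
! ----- R2 -----
! The chain name differs from R1; key numbers and key strings are identical
key chain two
 key 1
  key-string cisco
  accept-lifetime 00:00:00 Jan 1 2025 00:00:00 Mar 1 2025
  send-lifetime 00:00:00 Jan 1 2025 00:00:00 Feb 1 2025
 key 2
  key-string cisco-new
  accept-lifetime 00:00:00 Jan 25 2025 infinite
  send-lifetime 00:00:00 Jan 25 2025 infinite
!
interface GigabitEthernet0/0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 two
```

`show key chain` on each router lists which keys are currently valid for sending and accepting, which is the first thing to compare when the adjacency does not form.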