07-05-2014 12:59 AM - edited 03-04-2019 11:17 PM
Hi All,
As per the EIGRP Authentication steps:
Key chain configuration steps:
A) First we need to configure a key chain in global configuration mode.
B) Under the key chain we need to configure a key number. The key number must match on both routers and should be active. If multiple key numbers are configured on a router, the router selects the lowest number for authentication.
C) Once you configure the key number, you need to issue the authentication string.
Suppose I have a key chain with two key identifiers on R1 and on R2, like below. Will it work?
R1 - Key chain one
Key 1
key-string cisco
key 2
key-string admin
and in R2 - Key chain two
key 10
key-string cisco
key 15
key-string admin
Also, what is the use of / need for more than one key identifier in a key chain? How will EIGRP process this?
Regards,
Gan
07-05-2014 05:27 AM
Hi,
Key chain name as well as key numbers do not have to match on the neighboring routers.
The key chain configuration concept allows the engineer to migrate from one key value to another over time. Just like a real key chain that has multiple keys, the IOS key chain concept allows the configuration of multiple keys—each identified with a number. If no lifetime has been configured for a key, it is considered to be valid during all time frames. However, when a key has been defined with a lifetime, the key is valid only during the valid lifetime.
Sending EIGRP messages: Use the lowest key number among all currently valid keys.
Receiving EIGRP message: Check the MD5 digest using ALL currently valid keys for match.
HTH
kazim
07-05-2014 06:07 AM
Hi kazim,
Just so I understand: if I am not configuring any lifetime value for a key string, then the key string of the lowest-value key identifier is considered the key string for authentication.
R1
Key chain one
Key 1
Key-string cisco (this key value will be considered by the EIGRP packets for authentication) -- Sending EIGRP messages: Use the lowest key number among all currently valid keys.
Key 2
Key-string admin
Suppose in R2 ....
I configured as below
Key chain two
Key 10
Key-string admin
Key 15
Key-string cisco
So in the above case, can the received EIGRP packets be checked with all the key identifiers, or will only the lowest-value key identifier be checked? - Receiving EIGRP message: Check the MD5 digest using ALL currently valid keys for match.
Regards,
Gan
07-06-2014 04:07 AM
Hi Ganalagu,
I tested it; it will not work. The statement I posted above is according to my bookish knowledge. Thanks, you gave me a chance to review my understanding.
So finally, Cisco recommended:
Note: It is recommended that the key number be the same on all routers involved in the configuration
For reference see this link:
http://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/82110-eigrp-authentication.html
HTH
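Added example (not part of any post above, and not Cisco code): a small Python model of the key selection discussed in this thread, run against the R1/R2 key chains from the question and a constructed key-rollover chain. It assumes the receiver looks up the key by the key ID carried in the packet, which is consistent with the test result reported above; the digest function and the numeric lifetimes are simplified stand-ins, and all function names are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass

INF = float("inf")

@dataclass(frozen=True)
class Key:
    key_id: int
    key_string: str
    send_life: tuple = (0, INF)     # send-lifetime window; no lifetime = always valid
    accept_life: tuple = (0, INF)   # accept-lifetime window

def valid(window, now):
    return window[0] <= now < window[1]

def digest(key_string, payload):
    # Simplified stand-in for the EIGRP MD5 digest, not the real packet format.
    return hashlib.md5(key_string.encode() + payload).hexdigest()

def send(chain, payload, now=0):
    """Sender: use the lowest-numbered key whose send-lifetime is valid now."""
    usable = [k for k in chain if valid(k.send_life, now)]
    if not usable:
        return None
    key = min(usable, key=lambda k: k.key_id)
    return key.key_id, payload, digest(key.key_string, payload)

def accept(chain, packet, now=0):
    """Receiver (assumed): find the key ID named in the packet, then check the digest."""
    if packet is None:
        return False
    key_id, payload, mac = packet
    for k in chain:
        if k.key_id == key_id and valid(k.accept_life, now):
            return hmac.compare_digest(mac, digest(k.key_string, payload))
    return False

def adjacency(a, b, now=0, payload=b"HELLO"):
    """True only if each router accepts what the other sends."""
    return accept(b, send(a, payload, now), now) and accept(a, send(b, payload, now), now)

# Constructed key chains taken from the thread's examples.
R1_ONE = [Key(1, "cisco"), Key(2, "admin")]
R2_TWO = [Key(10, "cisco"), Key(15, "admin")]     # same strings, different key IDs
R2_MATCHED = [Key(1, "cisco"), Key(2, "admin")]   # key numbers aligned with R1
# Constructed rollover: key 2 is accepted from t=90 and sent from t=100.
ROLLOVER = [Key(1, "cisco", (0, 100), (0, 110)), Key(2, "admin", (100, INF), (90, INF))]
```

In this model adjacency(R1_ONE, R2_TWO) fails while adjacency(R1_ONE, R2_MATCHED) succeeds, and the ROLLOVER chain shows what the second key is for: both routers keep authenticating while the sending key changes from 1 to 2.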