EIGRP MD5

jeff.cook
Level 1

When our EIGRP routing was first set up, the installers didn't secure it. We now have 25 routers, and it is way past time to secure it. I have read and understand how to enable it, and have done so on other networks with OSPF, but not once the network is using it.

How can I set this up without taking the network down?

Any thoughts?

Thank You

1 Accepted Solution

Jon Marshall
Hall of Fame

Jeff

Once MD5 auth is enabled on all interfaces then changing the key can be done without any downtime.

But as Jerry notes this won't work when you actually configure it for the first time.

If no downtime is acceptable then one way around this is to configure a second EIGRP AS on each router. Because authentication uses the AS number a second AS would allow you to break the original AS while adding MD5 auth and the router will still have all the routes in the second temporary AS.

Once MD5 is enabled and working in the original AS then you can delete the second temporary AS.

Jon

Jerry Ye
Cisco Employee

Hi Jeff,

EIGRP authentication is a per-interface configuration. It will affect the directly connected interfaces. When you enable authentication on two (2) adjacent interfaces (remote first, then local), since EIGRP converges really fast, the neighbor adjacency will flap (depending on how fast you enter the commands on that interface).

HTH,

jerry

That might not work very well on a network with 5 routers on it. Not sure I can type that fast.

It may work for the point to point links however.

Oh, but I could add a second VLAN and set up the MD5 key on that one.

Great idea Jon.

Thanks Jerry.

I thought I read somewhere Cisco only supports one EIGRP AS per device.

Not EIGRP, you can have multiple processes.

Single process for BGP.

HTH,

jerry

Cool. That sounds like a great plan. I will give it a shot. I'm assuming I need to redistribute EIGRP 1 into EIGRP 2 and vice versa to make this work.

Thank you very much.

Jeff

No you don't need to redistribute between the 2. You just configure a second AS on each router with the same configuration as the first.

Jon
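
The migration Jon describes, sketched as IOS configuration. This is an added example, not part of the original thread: AS numbers 1 and 2 follow Jeff's post, while the interface, network statement, key-chain name and key string are placeholders.

```ios
! Constructed example. AS 1 = original (unauthenticated) AS,
! AS 2 = temporary AS. Interface, network, key-chain name and
! key string are placeholders, not values from the thread.

! Step 1 - on EVERY router, add the temporary AS with the same
! network statements as AS 1. No redistribution between the two.
router eigrp 2
 network 10.0.0.0
!
! Check from exec mode that each neighbor now appears under both
! processes before touching AS 1:
!   show ip eigrp neighbors
!   show ip route eigrp

! Step 2 - on every router, define the shared key.
key chain EIGRP-KEYS
 key 1
  key-string <REPLACE-WITH-SHARED-SECRET>
!

! Step 3 - enable MD5 for AS 1 only, one link at a time.
! The AS 1 adjacency on that link drops until both ends are
! configured; AS 2 keeps the routes in the table meanwhile.
interface GigabitEthernet0/0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 EIGRP-KEYS
!
! Confirm the AS 1 neighbor has re-formed on that link:
!   show ip eigrp neighbors
!   show key chain

! Step 4 - only after every AS 1 adjacency is back up with
! authentication, remove the temporary AS on every router.
no router eigrp 2
```

The temporary AS runs without authentication, so keep the window between steps 1 and 4 short and confirm that `router eigrp 2` is gone from every router afterwards.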
