key chain EIGRP

Steve Coady
Level 1

Hello

 

What kind of problems could arise by using the key chain EIGRP config?

How would this correctly be implemented?

 

I recently migrated to a new ASA and DMZ architecture.

 

The old architecture looked like:

Traffic coming into the network would hit the DMZ_1 switch, then go to the ASA, back to the DMZ switch and then across a TRUNK to the CORE.

- All the ASA interfaces connected to this one DMZ switch.
- DMZ_1 switch has EIGRP and uses "key chain EIGRP" commands.

 

The new architecture looks like:

Traffic coming into the network would hit the DMZ_1 switch, then go to the ASA. The Inside interface and DMZ interfaces now connect to a new switch, DMZ_2, which then has (2) Trunks to the Core. The DMZ_1 switch no longer has a Trunk to the Core.

1) for Inside traffic
2) for DMZ traffic

 

My ASA uses EIGRP and advertises the Inside interface ip address as the default gateway.

The ASA does not have the "key chain EIGRP" commands.

 

DMZ_2 switch config was pretty much copied from DMZ_1 with changes based on new Trunk links.

This switch does not appear to have received the default gateway from the ASA.

 

Both the ASA and the DMZ_2 see each other in the EIGRP neighbor table.

 

sMc
1 Accepted Solution

Accepted Solutions

Jon Marshall
Hall of Fame

Steve

The key chain commands in EIGRP are used for authentication.

The confusing part of your post is that you say original switch DMZ_1 has the key chain commands but the ASA doesn't and yet it was working.

Does this mean you didn't need the default route from the ASA on the DMZ_1 switch before?

Jon
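As an added example (mine, not from the thread or from Cisco) of the authentication pairing Jon describes, here is a matching "key chain EIGRP" configuration for the two ends Steve names, a DMZ switch running IOS and the ASA Inside interface. The AS number 100, interface names, key id and key string are placeholders, not values from the thread.

```cisco-ios
! ---- DMZ_2 switch (Cisco IOS) ----
! Defining the key chain globally does nothing on its own; it only takes
! effect once it is applied to an interface under "ip authentication".
key chain EIGRP
 key 1
  key-string <PLACEHOLDER-SHARED-SECRET>
!
! AS number 100 and the interface name are assumptions, not from the thread.
interface Vlan10
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP
!
! ---- ASA, Inside interface ----
! The ASA has no key-chain object; the key goes directly on the interface
! and must match the switch's key-string and key id.
interface GigabitEthernet0/1
 nameif inside
 authentication mode eigrp 100 md5
 authentication key eigrp 100 <PLACEHOLDER-SHARED-SECRET> key-id 1
!
! Checks: if MD5 is enabled on one side only, no adjacency forms at all.
! An adjacency that forms but carries no default route therefore points
! away from authentication and toward the topology table Jon mentions:
!   switch# show ip eigrp neighbors
!   switch# show ip eigrp topology all-links
!   asa# show eigrp neighbors
```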

3 Replies


Jon

 

Thank you for the response.

 

From what little I have read and see, I thought the key statement on only the DMZ switch was peculiar especially since it is working.

 

No, the current DMZ_1 switch receives the default gateway via EIGRP from the current ASA.

 

In DMZ_2, I see the ASA Inside interface in the EIGRP neighbor table.

 

What would prevent the DMZ_2 switch from obtaining the default gateway dynamically from the ASA?

sMc

Steve

Have you looked at the full topology table on the new switch, i.e.

"sh ip eigrp topology all-links"

Jon