
Configuring EIGRP Authentication

Unlike OSPF, EIGRP supports only one type of authentication: MD5.

To configure MD5 authentication, first define a key chain containing one or more numbered keys, each with a key-string. Then enable MD5 authentication on the interface and reference that key chain.

To prepare the topology, we have this basic configuration, with other parameters left at their defaults:

R1
hostname R1
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Serial0/0
 ip address 10.1.1.1 255.255.255.0
 clock rate 2000000
!
router eigrp 99
 network 1.0.0.0
 network 10.0.0.0
 no auto-summary

R2
hostname R2
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface Serial0/0
 ip address 10.1.1.2 255.255.255.0
 clock rate 2000000
!
router eigrp 99
 network 2.0.0.0
 network 10.0.0.0
 no auto-summary


With this configuration and the interfaces in the up/up state, the two routers establish a neighbor relationship without any problems.

Now to define the key chain:
R1(config)#key chain EIGRP_KEY_R1
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string cisco

R2(config)#key chain EIGRP_KEY_R2
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string cisco


At this point, we are still not using authentication because MD5 has not been enabled on either interface yet.

Let's enable it on R2 first and see what will happen:
R2(config)#int s0/0
R2(config-if)#ip authentication mode eigrp 99 md5
R2(config-if)#ip authentication key-chain eigrp 99 EIGRP_KEY_R2

I got the following output from R1's console:
*Mar  1 00:06:52.363: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 99: Neighbor 10.1.1.2 (Serial0/0) is down: Interface Goodbye received
*Mar  1 00:06:57.011: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 99: Neighbor 10.1.1.2 (Serial0/0) is up: new adjacency
*Mar  1 00:07:35.795: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 99: Neighbor 10.1.1.2 (Serial0/0) is down: Auth failure

Remember that when using EIGRP one of the conditions for routers to become neighbors is that they must pass authentication (if configured). In this case, R1 and R2 must use the same authentication type (no authentication versus MD5 authentication). From the output above, we can see that authentication has failed between the two routers.

R1(config)#int s0/0
R1(config-if)#ip authentication mode eigrp 99 md5
R1(config-if)#ip authentication key-chain eigrp 99 EIGRP_KEY_R1


As soon as MD5 is enabled on R1's s0/0 interface, I got the following output from R1's console:
*Mar  1 00:12:53.695: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 99: Neighbor 10.1.1.2 (Serial0/0) is up: new adjacency

Note that the key chain name does not need to match between the two routers. But the key number (1) and key-string (cisco) must match.
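
An offline audit of the matching rule described above, as an added example that is not from the original post: it parses two IOS configuration fragments and reports why MD5 authentication on the link would fail. The function names and the sample configs are constructed for illustration, and key-strings are assumed to be stored in plain text.

```python
import re

def parse(cfg):
    """Return (key chains, per-interface EIGRP auth settings) from IOS config text."""
    chains, ifaces = {}, {}
    chain = key = iface = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # an unindented line opens a new section
            chain = key = iface = None
        if m := re.match(r"key chain (\S+)$", line):
            chain = chains.setdefault(m[1], {})
        elif m := re.match(r"interface (\S+)$", line):
            iface = ifaces.setdefault(m[1], {})
        elif chain is not None and (m := re.match(r"key (\d+)$", line)):
            key = int(m[1])
        elif key is not None and (m := re.match(r"key-string (.+)$", line)):
            chain[key] = m[1]
        elif iface is not None and (m := re.match(r"ip authentication mode eigrp (\d+) md5$", line)):
            iface.setdefault(int(m[1]), {})["md5"] = True
        elif iface is not None and (m := re.match(r"ip authentication key-chain eigrp (\d+) (\S+)$", line)):
            iface.setdefault(int(m[1]), {})["chain"] = m[2]
    return chains, ifaces

def audit_link(cfg_a, if_a, cfg_b, if_b, asn):
    """Compare EIGRP authentication on both ends of a link; return a finding or None."""
    ends = []
    for cfg, ifname in ((cfg_a, if_a), (cfg_b, if_b)):
        chains, ifaces = parse(cfg)
        auth = ifaces.get(ifname, {}).get(asn, {})
        ends.append((auth.get("md5", False), chains.get(auth.get("chain"), {})))
    (md5_a, keys_a), (md5_b, keys_b) = ends
    if md5_a != md5_b:
        return "MD5 enabled on one end only"
    if not md5_a:
        return "no authentication on either end"
    shared = any(keys_b.get(k) == v for k, v in keys_a.items())
    return None if shared else "no key with the same number and key-string on both ends"

# Constructed configs modelled on the commands above (plain-text key-strings assumed)
R1 = """\
key chain EIGRP_KEY_R1
 key 1
  key-string cisco
interface Serial0/0
 ip authentication mode eigrp 99 md5
 ip authentication key-chain eigrp 99 EIGRP_KEY_R1
"""
R2 = R1.replace("EIGRP_KEY_R1", "EIGRP_KEY_R2")  # different chain name, same key
```

`audit_link(R1, "Serial0/0", R2, "Serial0/0", 99)` returns `None` for these two fragments because only the key number and key-string are compared, not the chain name.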

To check that routes are still being learned:
R1#sh ip route EIGRP
     2.0.0.0/24 is subnetted, 1 subnets
D       2.2.2.0 [90/2297856] via 10.1.1.2, 01:15:45, Serial0/0

R2#sh ip ro EIGRP
     1.0.0.0/24 is subnetted, 1 subnets
D       1.1.1.0 [90/2297856] via 10.1.1.1, 01:16:29, Serial0/0



Comments

  1. Correction: I read in the Cisco Press CCNP Route Official Certification Guide that the key number doesn't need to match.

