EIGRP Authentication

Posted: October 16, 2013 in Uncategorized

When the basic config is entered, the existing routing (OSPFv3 here) is gone (go figure); the log below shows the OSPFv3 adjacencies dropping…

Router3#
OSPFv3: Interface FastEthernet0/1 going Down
OSPFv3: Neighbor change Event on interface FastEthernet0/1
OSPFv3: DR/BDR election on FastEthernet0/1
OSPFv3: Elect BDR 0.0.0.0
OSPFv3: Elect DR 0.0.0.0
OSPFv3: Elect BDR 0.0.0.0
OSPFv3: Elect DR 0.0.0.0
DR: none    BDR: none
OSPFv3: Flush network LSA immediately
OSPFv3: Remember old DR 150.1.3.3 (id)
OSPFv3: Interface Loopback0 going Down
OSPFv3: Interface FastEthernet0/0 going Down
OSPFv3: Neighbor change Event on interface FastEthernet0/0
OSPFv3: DR/BDR election on FastEthernet0/0
OSPFv3: Elect BDR 0.0.0.0
OSPFv3: Elect DR 0.0.0.0
OSPFv3: Elect BDR 0.0.0.0
OSPFv3: Elect DR 0.0.0.0
DR: none    BDR: none
OSPFv3: Flush network LSA immediately
OSPFv3: Remember old DR 150.1.3.3 (id)
OSPFv3: 150.1.2.2 address FE80::21B:53FF:FEE5:9478 on FastEthernet0/0 is dead, state DOWN
OSPFv3: Neighbor change Event on interface FastEthernet0/0
OSPFv3: DR/BDR election on FastEthernet0/0
OSPFv3: Elect BDR 0.0.0.0

Router3#OSPFv3: Elect DR 0.0.0.0
DR: none    BDR: none

!-- New EIGRP config being entered.

Router3(config)#key chain MD5CHAIN
Router3(config-keychain)#key 1
Router3(config-keychain-key)#key-string MD5STRING
Router3(config)#int f0/0
Router3(config-if)#ip authentication mode eigrp 1 md5
Router3(config-if)#ip authentication key-chain eigrp 1 MD5CHAIN

Router3(config)#key chain ROLLOVER
Router3(config-keychain)#key 1
Router3(config-keychain-key)#accept-lifetime 00:00:00 Jan 1 2013 01:00:00 Jan 1 2014
Router3(config-keychain-key)#send-lifetime 00:00:00 Jan 1 2013 01:00:00 Jan 1 2014
Router3(config-keychain)#key 2
Router3(config-keychain-key)#accept-lifetime 23:00:00 Dec 31 2013 01:00:00 Jan  1 2015
Router3(config-keychain-key)#send-lifetime 23:00:00 Dec 31 2013 01:00:00 Jan 1 2015

Router3(config)#int f0/1
Router3(config-if)#ip authentication mode eigrp 1 md5
Router3(config-if)#ip authentication key-chain eigrp 1 ROLLOVER
Router3(config)#router eigrp 1
Router3(config-router)#network 150.1.0.0
Router3(config-router)#network 136.1.0.0

!-- show run output related to EIGRP:

key chain MD5CHAIN
key 1
key-string MD5STRING
key chain ROLLOVER
key 1
key-string KEY1
accept-lifetime 00:00:00 Jan 1 2013 01:00:00 Jan 1 2014
send-lifetime 00:00:00 Jan 1 2013 00:00:00 Jan 1 2014
key 2
accept-lifetime 23:00:00 Dec 31 2013 01:00:00 Jan 1 2015
send-lifetime 00:00:00 Jan 1 2014 00:00:00 Jan 1 2015
!
interface FastEthernet0/0
ip address 136.1.23.3 255.255.255.0
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 ROLLOVER
duplex auto
speed auto
ipv6 address 2001:136:1:23::3/64

!
interface FastEthernet0/1
mac-address 0005.0006.0007
ip address 136.1.13.3 255.255.255.0
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 MD5CHAIN
duplex auto
speed auto
ipv6 address 2001:136:1:13::3/64
!

router eigrp 1
network 136.1.0.0
network 150.1.0.0
!

%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 136.1.23.2 (FastEthernet0/0) is up: new adjacency
Router3#
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 136.1.23.2 (FastEthernet0/0) is down: Interface PEER-TERMINATION received
Router3#
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 136.1.23.2 (FastEthernet0/0) is up: new adjacency
Router3#
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 136.1.23.2 (FastEthernet0/0) is down: Auth failure

!-- Verification. To verify whether EIGRP-enabled interfaces have authentication configured and which key chain is being used, use the commands below:
Router3# sh ip eigrp interfaces detail f0/0
EIGRP-IPv4 Interfaces for AS(1)
Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Fa0/0              1        0/0         3       0/1           50           0
Hello-interval is 5, Hold-time is 15
Split-horizon is enabled
Next xmit serial <none>
Un/reliable mcasts: 0/4  Un/reliable ucasts: 6/8
Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 0
Retransmissions sent: 5  Out-of-sequence rcvd: 1
Topology-ids on interface - 0
Authentication mode is md5,  key-chain is "ROLLOVER"
Router3#

Router3# sh ip eigrp interfaces detail f0/1
EIGRP-IPv4 Interfaces for AS(1)
Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Fa0/1              1        0/0         1       0/1           50           0
Hello-interval is 5, Hold-time is 15
Split-horizon is enabled
Next xmit serial <none>
Un/reliable mcasts: 0/5  Un/reliable ucasts: 5/1
Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 0
Retransmissions sent: 0  Out-of-sequence rcvd: 1
Topology-ids on interface - 0
Authentication mode is md5,  key-chain is "MD5CHAIN"

Router3#sh key chain
Key-chain MD5CHAIN:
key 1 -- text "MD5STRING"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
Key-chain ROLLOVER:
key 1 -- text "KEY1"
accept lifetime (00:00:00 UTC Jan 1 2013) - (01:00:00 UTC Jan 1 2014) [valid now]
send lifetime (00:00:00 UTC Jan 1 2013) - (00:00:00 UTC Jan 1 2014) [valid now]
* key 2 -- text "(unset)"
accept lifetime (23:00:00 UTC Dec 31 2013) - (01:00:00 UTC Jan 1 2015)
send lifetime (00:00:00 UTC Jan 1 2014) - (00:00:00 UTC Jan 1 2015)

Router3#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
(sec)         (ms)       Cnt Num
1   136.1.23.2              Fa0/0             12 00:04:12    3   200  0  7
0   136.1.13.1              Fa0/1             10 00:23:51    1   200  0  6


##### Theory #####

EIGRP authentication is key-chain based. EIGRP supports only MD5 authentication, not clear-text. This example uses a single authentication key between R1 and R3, and automatic key rotation (a key chain with accept/send lifetimes) between R2 and R3.

The potential problem with accept-lifetime and send-lifetime configuration is that if the routers' clocks are not NTP synchronized, key rollover can happen at different times on each router, which can cause a loss of the EIGRP adjacency. To prevent this, configure multiple authentication keys whose accept lifetimes overlap.
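To make the overlap requirement concrete, here is an added Python model of the ROLLOVER key chain above (it is example code, not part of the original post and not a Cisco tool). It takes the lifetimes from the "show run" output, assumes the IOS behaviour that the sender signs with the lowest-numbered key whose send lifetime is current and that the receiver looks up the key ID carried in the packet and checks that key's accept lifetime, and then scans the Jan 1 2014 rollover with the two routers' clocks skewed against each other to find the minutes during which hellos would fail authentication. Key 2 has no key-string on the page, so the string "KEY2" is a placeholder.

```python
"""Model of EIGRP key-chain rollover under clock skew (added example)."""
from datetime import datetime, timedelta

# Constructed from the page's ROLLOVER key chain ("show run" values, naive UTC).
# Key 2's key-string is unset on the page; "KEY2" is a placeholder so it is usable.
ROLLOVER = [
    {"id": 1, "string": "KEY1",
     "accept": (datetime(2013, 1, 1, 0, 0), datetime(2014, 1, 1, 1, 0)),
     "send":   (datetime(2013, 1, 1, 0, 0), datetime(2014, 1, 1, 0, 0))},
    {"id": 2, "string": "KEY2",
     "accept": (datetime(2013, 12, 31, 23, 0), datetime(2015, 1, 1, 1, 0)),
     "send":   (datetime(2014, 1, 1, 0, 0), datetime(2015, 1, 1, 0, 0))},
]


def in_window(window, clock):
    start, end = window
    return start <= clock < end


def send_key(chain, clock):
    """Key used to sign outgoing packets: the lowest-numbered key whose send
    lifetime contains the router's clock (assumed IOS selection rule)."""
    for key in sorted(chain, key=lambda k: k["id"]):
        if in_window(key["send"], clock):
            return key
    return None  # nothing sendable: packets go out unauthenticated/are dropped


def accepts(chain, clock, key_id, key_string):
    """Receiver check: the key ID carried in the packet must name a key whose
    accept lifetime contains the receiver's clock and whose string matches."""
    for key in chain:
        if key["id"] == key_id and in_window(key["accept"], clock):
            return key["string"] == key_string
    return False


def hello_accepted(chain, sender_clock, receiver_clock):
    """Both routers run the same chain; only their clocks differ."""
    key = send_key(chain, sender_clock)
    return key is not None and accepts(chain, receiver_clock, key["id"], key["string"])


def auth_gaps(chain, skew, start, end, step=timedelta(minutes=1)):
    """Scan [start, end) by the first router's clock with the second router's
    clock `skew` ahead. A bidirectional adjacency needs hellos accepted in both
    directions, so a minute counts as a gap if either direction fails.
    Returns merged (gap_start, gap_end) intervals."""
    gaps, gap_start, t = [], None, start
    while t < end:
        ok = hello_accepted(chain, t, t + skew) and hello_accepted(chain, t + skew, t)
        if not ok and gap_start is None:
            gap_start = t
        elif ok and gap_start is not None:
            gaps.append((gap_start, t))
            gap_start = None
        t += step
    if gap_start is not None:
        gaps.append((gap_start, end))
    return gaps


def rollover_gaps(chain, skew_minutes):
    """Gaps, as ISO strings, across the 8 hours around the Jan 1 2014 rollover."""
    start, end = datetime(2013, 12, 31, 20, 0), datetime(2014, 1, 1, 4, 0)
    return [(a.isoformat(), b.isoformat())
            for a, b in auth_gaps(chain, timedelta(minutes=skew_minutes), start, end)]


def send_key_id_at(chain, iso_clock):
    """Convenience: which key ID a router would send with at the given time."""
    key = send_key(chain, datetime.fromisoformat(iso_clock))
    return None if key is None else key["id"]


if __name__ == "__main__":
    for skew in (30, 60, 120):
        print(f"clock skew {skew:>3} min -> auth gaps: {rollover_gaps(ROLLOVER, skew)}")
```

With this chain the accept lifetimes overlap by one hour on each side of the send switch, so a skew of up to 60 minutes produces no gap, while a two-hour skew produces a two-hour window (22:00 to 00:00 by the slower router's clock) in which every hello fails and the adjacency would drop with the same "Auth failure" seen in the log above. Widening the accept-lifetime overlap, or simply syncing clocks with NTP, is what closes that window.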

###########################################################################################################
