Optionally, specify the time period during which this key is accepted for use on received packets using the accept-lifetime command, as shown in Figure . Figure displays the parameters for this command.
Step 8 Optionally, specify the time period during which this key can be used for sending packets using the send-lifetime command, as shown in Figure . Figure displays the parameters for this command.
Note
If the service password-encryption command is not used when implementing EIGRP authentication, the key string is stored as plain text in the router configuration. If you configure the service password-encryption command, the key string is stored and displayed in an encrypted form. When it is displayed, an encryption type of 7 is specified before the encrypted key string.
2.5 Configuring EIGRP Authentication
2.5.4 MD5 Authentication Example
Figure displays the network used to illustrate the configuration, verification, and troubleshooting of MD5 authentication.
Router R1 Configuration
Figure shows the configuration for the R1 router. MD5 authentication is configured on the serial 0/0/1 interface with the ip authentication mode eigrp 100 md5 command. The ip authentication key-chain eigrp 100 R1chain command specifies that the key chain R1chain is to be used. The key chain R1chain command enters configuration mode for the R1chain key chain. Two keys are defined.
Key 1 is set to “first key” with the key-string firstkey command. This key is acceptable for use on packets received by R1 from January 1, 2006 onward, as specified in the accept-lifetime 04:00:00 Jan 1 2006 infinite command. However, the send-lifetime 04:00:00 Jan 1 2006 04:01:00 Jan 1 2006 command specifies that this key is valid for use only when sending packets for one minute on January 1, 2006; it is no longer valid for use in sending packets.
Key 2 is set to “second key” with the key-string secondkey command. This key is acceptable for use on packets received by R1 from January 1, 2006 onward, as specified in the accept-lifetime 04:00:00 Jan 1 2006 infinite command. This key can also be used when sending packets from January 1, 2006 onward, as specified in the send-lifetime 04:00:00 Jan 1 2006 infinite command.
R1 will accept and attempt to verify the MD5 digest of any EIGRP packets with a key ID equal to 1. R1 will also accept a packet with a key ID equal to 2. All other MD5 packets will be dropped. R1 will send all EIGRP packets using key 2, because key 1 is no longer valid for use when sending packets.
Router R2 Configuration
Figure shows the configuration for the R2 router. MD5 authentication is configured on the serial 0/0/1 interface with the ip authentication mode eigrp 100 md5 command. The ip authentication key-chain eigrp 100 R2chain command specifies that the key chain R2chain is to be used. The key chain R2chain command enters configuration mode for the R2chain key chain. Two keys are defined.
Key 1 is set to “first key” with the key-string firstkey command. This key is acceptable for use on packets received by R2 from January 1, 2006 onward, as specified in the accept-lifetime 04:00:00 Jan 1 2006 infinite command. This key can also be used when sending packets from January 1, 2006 onward, as specified in the send-lifetime 04:00:00 Jan 1 2006 infinite command.
Key 2 is set to “second key” with the key-string secondkey command. This key is acceptable for use on packets received by R2 from January 1, 2006 onward, as specified in the accept-lifetime 04:00:00 Jan 1 2006 infinite command. This key can also be used when sending packets from January 1, 2006 onward, as specified in the send-lifetime 04:00:00 Jan 1 2006 infinite command.
R2 will accept and attempt to verify the MD5 digest of any EIGRP packets with a key ID equal to 1 or 2. R2 will send all EIGRP packets using key 1, because it is the first valid key in the key chain.
2.5.5 Verifying MD5 Authentication
Figure displays the output of the show ip eigrp neighbors and show ip route commands on the R1 router. The neighbor table indicates that the two routers have successfully formed an EIGRP adjacency. The routing table verifies that the 172.17.0.0 network has been learned via EIGRP over the serial connection. The results of a ping to the R2 Fast Ethernet interface address are also displayed to illustrate that the link is working.
2.5.6 Troubleshooting MD5 Authentication
You can use the debug eigrp packets command for troubleshooting MD5 authentication. However, to identify potential problems using this command, the output of a correctly configured MD5 authentication should be recognized and understood first.
Figure displays the successful exchange of MD5 authentication. The output of the debug eigrp packets command on R1 displays that R1 is receiving EIGRP packets with MD5 authentication, with a key ID equal to 1, from R2. Similarly, the output of the debug eigrp packets command on R2 illustrates that it is receiving EIGRP packets with MD5 authentication, with a key ID equal to 2, from R1.
Figure displays a sample problem affecting the exchange of MD5 packets between routers R1 and R2. The key string for key 2 of router R1, the one that it uses when sending EIGRP packets, has been changed to be different from the key string that router R2 is expecting. The output of the debug eigrp packets command on R2 illustrates that R2 is receiving EIGRP packets with MD5 authentication, with a key ID equal to 2, from R1, but that there is an authentication mismatch. The EIGRP packets from R1 are ignored, and the neighbor relationship is declared to be down. The output of the show ip eigrp neighbors command confirms that R2 does not have any EIGRP neighbors.
The two routers will keep trying to re-establish their neighbor relationship. Because of the different keys used by each router in this scenario, R1 will authenticate hello messages sent by R2 using key 1. However, when R1 sends a hello message back to R2 using key 2, there will be an authentication mismatch. From the perspective of R1, the relationship appears to be up for a while, but then it times out, as illustrated by the messages received on R1 in Figure . The output of the show ip eigrp neighbors command on R1 also illustrates that R1 does have R2 in its neighbor table for a short time.
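The key-selection rules from sections 2.5.4 and 2.5.6 can be checked offline before touching a router. The following is an added example, not part of the course material: the two key chains are constructed from the prose description of R1 and R2 above, the function names are hypothetical, and the "first valid key" is taken to be the lowest key ID whose send-lifetime covers the current time.

```python
from datetime import datetime
# Constructed configs, written out from the page's description of R1 and R2.
R1_CFG = """key chain R1chain
 key 1
  key-string firstkey
  accept-lifetime 04:00:00 Jan 1 2006 infinite
  send-lifetime 04:00:00 Jan 1 2006 04:01:00 Jan 1 2006
 key 2
  key-string secondkey
  accept-lifetime 04:00:00 Jan 1 2006 infinite
  send-lifetime 04:00:00 Jan 1 2006 infinite
"""
# R2 differs only in the chain name and in key 1's send-lifetime (infinite).
R2_CFG = R1_CFG.replace("R1chain", "R2chain").replace("04:01:00 Jan 1 2006", "infinite")
ALWAYS = (datetime.min, None)  # no lifetime configured: key is always valid

def parse_lifetime(text):
    """'HH:MM:SS Mon D YYYY <end|infinite>' -> (start, end); end None = infinite."""
    tok = text.split()
    stamp = lambda t: datetime.strptime(" ".join(t), "%H:%M:%S %b %d %Y")
    return stamp(tok[:4]), None if tok[4:] == ["infinite"] else stamp(tok[4:])

def parse_chain(cfg):
    """Map key ID -> {'string', 'accept', 'send'} for one key chain."""
    keys, cur = {}, None
    for line in cfg.splitlines():
        word, _, rest = line.strip().partition(" ")
        if word == "key" and rest.isdigit():
            cur = keys.setdefault(int(rest), {"accept": ALWAYS, "send": ALWAYS})
        elif cur is not None and word == "key-string":
            cur["string"] = rest
        elif cur is not None and word in ("accept-lifetime", "send-lifetime"):
            cur[word.split("-")[0]] = parse_lifetime(rest)
    return keys

def valid(window, now):
    return window[0] <= now and (window[1] is None or now <= window[1])
def send_key(keys, now):
    """Lowest key ID whose send-lifetime covers `now` (assumed 'first valid key')."""
    return next((k for k in sorted(keys) if valid(keys[k]["send"], now)), None)

def peer_accepts(sender, receiver, now):
    """Would `receiver` authenticate what `sender` transmits at `now`?"""
    tx, rx = sender.get(send_key(sender, now)), receiver.get(send_key(sender, now))
    return bool(tx and rx and valid(rx["accept"], now) and rx["string"] == tx["string"])

if __name__ == "__main__":
    r1, r2, now = parse_chain(R1_CFG), parse_chain(R2_CFG), datetime(2006, 1, 2)
    r1[2]["string"] = "changedkey"  # the mismatch case from the troubleshooting text
    print(send_key(r1, now), peer_accepts(r1, r2, now), peer_accepts(r2, r1, now))
```

With R1's key 2 string changed, the check fails only in the R1-to-R2 direction, which matches the one-sided behaviour described above: R1 still authenticates R2's hellos while R2 ignores R1's.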
2.6 Using EIGRP in the Enterprise
2.6.1 EIGRP Scalability in a Large Network
EIGRP is a scalable routing protocol that ensures that as a network grows larger, it operates efficiently and adjusts rapidly to changes. Network administrators benefit from understanding practical EIGRP-specific design and configuration techniques to implement an effective scalable network. For example, you can implement EIGRP stub routers to limit the EIGRP query range, making EIGRP more scalable with fewer complications. Some of the factors that affect network scalability are as follows: