Optionally, specify the time period during which this key is accepted for use on received packets using the accept-lifetime command, as shown in the figure. The figure displays the parameters for this command.
Step 8
Optionally, specify the time period during which this key can be used for sending packets using the send-lifetime command, as shown in the figure. The figure displays the parameters for this command.
Note
If the service password-encryption command is not used when implementing EIGRP authentication, the key string is stored as plain text in the router configuration. If you configure the service password-encryption command, the key string is stored and displayed in an encrypted form. When it is displayed, an encryption type of 7 is specified before the encrypted key string. Type 7 encoding is a reversible obfuscation rather than strong encryption, so it protects the key string only against casual viewing of the configuration, not against anyone who obtains a copy of the configuration file.
Content 2.5 Configuring EIGRP Authentication
2.5.4 MD5 Authentication Example
The figure displays the network used to illustrate the configuration, verification, and troubleshooting of MD5 authentication.
Router R1 Configuration
The figure shows the configuration for the R1 router. MD5 authentication is configured on the serial 0/0/1 interface with the ip authentication mode eigrp 100 md5 command. The ip authentication key-chain eigrp 100 R1chain command specifies that the key chain R1chain is to be used. The key chain R1chain command enters configuration mode for the R1chain key chain. Two keys are defined. Key 1 is set to “first key” with the key-string firstkey command. This key is acceptable for use on packets received by R1 from January 1, 2006 onward, as specified in the accept-lifetime 04:00:00 Jan 1 2006 infinite command. However, the send-lifetime 04:00:00 Jan 1 2006 04:01:00 Jan 1 2006 command specifies that this key is valid for use only when sending packets for one minute on January 1, 2006; it is no longer valid for use in sending packets. Key 2 is set to “second key” with the key-string secondkey command. This key is acceptable for use on packets received by R1 from January 1, 2006 onward, as specified in the accept-lifetime 04:00:00 Jan 1 2006 infinite command. This key can also be used when sending packets from January 1, 2006 onward, as specified in the send-lifetime 04:00:00 Jan 1 2006 infinite command. R1 will accept and attempt to verify the MD5 digest of any EIGRP packets with a key ID equal to 1. R1 will also accept a packet with a key ID equal to 2. All other MD5 packets will be dropped. R1 will send all EIGRP packets using key 2, because key 1 is no longer valid for use when sending packets.
Router R2 Configuration
The figure shows the configuration for the R2 router. MD5 authentication is configured on the serial 0/0/1 interface with the ip authentication mode eigrp 100 md5 command. The ip authentication key-chain eigrp 100 R2chain command specifies that the key chain R2chain is to be used. The key chain R2chain command enters configuration mode for the R2chain key chain. Two keys are defined. Key 1 is set to “first key” with the key-string firstkey command. This key is acceptable for use on packets received by R2 from January 1, 2006 onward, as specified in the accept-lifetime 04:00:00 Jan 1 2006 infinite command. This key can also be used when sending packets from January 1, 2006 onward, as specified in the send-lifetime 04:00:00 Jan 1 2006 infinite command. Key 2 is set to “second key” with the key-string secondkey command. This key is acceptable for use on packets received by R2 from January 1, 2006 onward, as specified in the accept-lifetime 04:00:00 Jan 1 2006 infinite command. This key can also be used when sending packets from January 1, 2006 onward, as specified in the send-lifetime 04:00:00 Jan 1 2006 infinite command. R2 will accept and attempt to verify the MD5 digest of any EIGRP packets with a key ID equal to 1 or 2. R2 will send all EIGRP packets using key 1, because it is the first valid key in the key chain.
Content 2.5 Configuring EIGRP Authentication
2.5.5 Verifying MD5 Authentication
The figure displays the output of the show ip eigrp neighbors and show ip route commands on the R1 router. The neighbor table indicates that the two routers have successfully formed an EIGRP adjacency. The routing table verifies that the 172.17.0.0 network has been learned via EIGRP over the serial connection. The results of a ping to the R2 Fast Ethernet interface address are also displayed to illustrate that the link is working.
Content 2.5 Configuring EIGRP Authentication
2.5.6 Troubleshooting MD5 Authentication
You can use the debug eigrp packets command for troubleshooting MD5 authentication. However, to identify potential problems using this command, you should first recognize and understand the output of a correctly configured MD5 authentication.
The figure displays the successful exchange of MD5 authentication. The output of the debug eigrp packets command on R1 displays that R1 is receiving EIGRP packets with MD5 authentication, with a key ID equal to 1, from R2. Similarly, the output of the debug eigrp packets command on R2 illustrates that it is receiving EIGRP packets with MD5 authentication, with a key ID equal to 2, from R1.
The figure displays a sample problem affecting the exchange of MD5 packets between routers R1 and R2. The key string for key 2 of router R1, the one that it uses when sending EIGRP packets, has been changed to be different from the key string that router R2 is expecting. The output of the debug eigrp packets command on R2 illustrates that R2 is receiving EIGRP packets with MD5 authentication, with a key ID equal to 2, from R1, but that there is an authentication mismatch. The EIGRP packets from R1 are ignored, and the neighbor relationship is declared to be down. The output of the show ip eigrp neighbors command confirms that R2 does not have any EIGRP neighbors. The two routers will keep trying to re-establish their neighbor relationship. Because of the different keys used by each router in this scenario, R1 will authenticate hello messages sent by R2 using key 1. However, when R1 sends a hello message back to R2 using key 2, there will be an authentication mismatch. From the perspective of R1, the relationship appears to be up for a while, but then it times out, as illustrated by the messages received on R1 in the figure. The output of the show ip eigrp neighbors command on R1 also illustrates that R1 does have R2 in its neighbor table for a short time.
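The key-chain behaviour described for R1chain and R2chain in 2.5.4 and the one-directional mismatch in 2.5.6, as an added Python model that is not part of the course material: it assumes the digest is MD5 over the packet bytes followed by the key string (the real EIGRP authentication TLV layout is not reproduced), and the current time NOW and the packet contents are constructed.

```python
# Added example, not from the course: a simplified model of the R1chain/R2chain
# behaviour in 2.5.4 and 2.5.6. ASSUMPTION: digest = MD5(packet || key string).
import hashlib
import hmac
from datetime import datetime

INFINITE = datetime.max
T0 = datetime(2006, 1, 1, 4, 0, 0)      # 04:00:00 Jan 1 2006, from the text
NOW = datetime(2006, 1, 2, 12, 0, 0)    # constructed "current time" for the run

# key ID -> (key-string, accept-lifetime, send-lifetime), as the text describes them
R1CHAIN = {1: ("firstkey", (T0, INFINITE), (T0, datetime(2006, 1, 1, 4, 1, 0))),
           2: ("secondkey", (T0, INFINITE), (T0, INFINITE))}
R2CHAIN = {1: ("firstkey", (T0, INFINITE), (T0, INFINITE)),
           2: ("secondkey", (T0, INFINITE), (T0, INFINITE))}

def in_lifetime(window, now):
    start, end = window
    return start <= now < end

def send_key(chain, now):
    """Lowest key ID whose send-lifetime covers `now`: the first valid key is used."""
    return next((k for k in sorted(chain) if in_lifetime(chain[k][2], now)), None)

def digest(packet, key_string):
    return hashlib.md5(packet + key_string.encode()).hexdigest()

def send(chain, packet, now):
    key_id = send_key(chain, now)
    return key_id, digest(packet, chain[key_id][0])

def receive(chain, packet, key_id, received, now):
    """'dropped': key ID not accepted now; 'mismatch': key string differs; else 'ok'."""
    if key_id not in chain or not in_lifetime(chain[key_id][1], now):
        return "dropped"
    ok = hmac.compare_digest(digest(packet, chain[key_id][0]), received)
    return "ok" if ok else "mismatch"

def exchange(r1chain, r2chain, now=NOW, packet=b"EIGRP HELLO"):
    """One hello in each direction; returns (key ID used, verification result)."""
    k, d = send(r1chain, packet, now)
    r1_to_r2 = (k, receive(r2chain, packet, k, d, now))
    k, d = send(r2chain, packet, now)
    r2_to_r1 = (k, receive(r1chain, packet, k, d, now))
    return {"R1->R2": r1_to_r2, "R2->R1": r2_to_r1}

def mismatch_scenario():
    """2.5.6: R1's key 2 string is changed, so R1->R2 fails while R2->R1 still verifies."""
    broken_r1 = {**R1CHAIN, 2: ("wrongkey", R1CHAIN[2][1], R1CHAIN[2][2])}  # constructed
    return exchange(broken_r1, R2CHAIN)
```

With the correct chains, exchange(R1CHAIN, R2CHAIN) verifies in both directions using key 2 from R1 and key 1 from R2; mismatch_scenario() returns "mismatch" for R1->R2 only, reproducing the asymmetry seen in the debug output, where R1 briefly keeps R2 as a neighbor while R2 never does.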
Content 2.6 Using EIGRP in the Enterprise
2.6.1 EIGRP Scalability in a Large Network
EIGRP is a scalable routing protocol that ensures that as a network grows larger, it operates efficiently and adjusts rapidly to changes. Network administrators benefit from understanding practical EIGRP-specific design and configuration techniques to implement an effective scalable network. For example, you can implement EIGRP stub routers to limit the EIGRP query range, making EIGRP more scalable with fewer complications. Some of the factors that affect network scalability are as follows:
- Amount of information exchanged between neighbors: If more information than necessary for routing to function correctly is exchanged between EIGRP neighbors, the routers have to work harder at neighbor startup and to react to changes in the network.
- Number of routers: When a topology change occurs in the network, EIGRP resource consumption directly relates to the number of routers that must be involved in the change.
- Depth of the topology: The topology depth can affect the convergence time. Depth refers to the number of hops that information must travel to reach all routers. A multinational network without route summarization is an example of a network with large depth and therefore increasing convergence time. A three-tiered network design (as described in Module 1) is