Chapter 2133© 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Configuring and Verifying EIGRP Authentication
Router Authentication
Many routing protocols support authentication such that a router authenticates the source of each routing update packet that it receives.

Simple password authentication is supported by:
• IS-IS
• OSPF
• RIPv2

MD5 authentication is supported by:
• OSPF
• RIPv2
• BGP
• EIGRP
Simple Password vs. MD5 Authentication
Simple password authentication:
• Router sends the packet and the key (password) in cleartext.
• Neighbor checks whether the received key matches its own key.
• Is not secure: anyone who can capture the packet can read the key and replay or forge updates.

MD5 authentication:
• Configure a "key" (password) and key-id; the router generates a message digest, or hash, of the key, key-id and message.
• The message digest is sent with the packet; the key is not sent.
• Is secure in the sense that a peer without the key cannot produce a digest the receiver will accept, and a packet modified in transit fails the check. The digest provides origin authentication and integrity only; it does not encrypt the routing update.
EIGRP MD5 Authentication
EIGRP supports MD5 authentication.
• The router generates and checks a digest for every EIGRP packet.
• The router authenticates the source of each routing update packet that it receives.
• Configure a "key" (password) and key-id; each participating neighbor must have the same key configured.
MD5 Authentication
EIGRP MD5 authentication:
• Router generates a message digest, or hash, of the key, key-id, and message.
• EIGRP allows keys to be managed using key chains.
• Specify key-id (number, key, and lifetime of key).
• The first valid activated key, in ascending order of key numbers, is used for sending; any key whose accept-lifetime is current may be used to validate received packets.
Planning for EIGRP
The following key parameters must be defined in enough detail before configuring EIGRP authentication:
• The EIGRP AS number
• The authentication mode (MD5)
• The definition of one or more keys to authenticate EIGRP packets, according to the network security plan
• The keys' lifetime, if multiple keys are defined

Once defined, the following steps may be implemented:
1. Configure the authentication mode for EIGRP.
2. Configure the key chain.
3. Optionally configure the keys' lifetime parameters.
4. Enable authentication to use the key(s) in the key chain.
Configure the Authentication Mode for EIGRP
Specify MD5 authentication for EIGRP packets.

Router(config-if)# ip authentication mode eigrp autonomous-system md5

Enable EIGRP packet authentication using a key in the key chain.

Router(config-if)# ip authentication key-chain eigrp autonomous-system name-of-chain
Configure the Key Chain
Define the key chain in key chain configuration mode.

Router(config)# key chain name-of-chain

Identify the key and enter key-id configuration mode.

Router(config-keychain)# key key-id

Identify the key string (password).

Router(config-keychain-key)# key-string text
Configure Keys Lifetime Parameters (Optional)
Specify when the key will be accepted for received packets.

Router(config-keychain-key)# accept-lifetime start-time {infinite | end-time | duration seconds}

Specify when the key can be used for sending EIGRP packets.

Router(config-keychain-key)# send-lifetime start-time {infinite | end-time | duration seconds}

Lifetimes are evaluated against each router's own clock, so keep the clocks of all participating routers synchronized (for example with NTP) before relying on timed key rollover. Overlapping accept-lifetimes on the old and new key give neighbors a window in which either key is honoured, which is what allows the send-lifetimes to be switched without dropping the adjacency.
Enable Authentication to Use the Key Chain
Enable EIGRP packet authentication using a key in the key chain.

Router(config-if)# ip authentication key-chain eigrp autonomous-system name-of-chain
Configuring EIGRP MD5 Authentication
Topology (figure): R1 Fa0/0 172.16.1.1/24 on network 172.16.1.0/24; R1 S0/0/0 192.168.1.101 and R2 S0/0/0 192.168.1.102 on the 64 kbps serial link 192.168.1.96/27; R2 Fa0/0 172.17.2.2/24 on network 172.17.2.0/24; both routers in EIGRP AS 100.

R1# show running-config
<output omitted>
!
key chain R1chain
 key 1
  key-string FIRST-KEY
  accept-lifetime 04:00:00 Jan 1 2009 infinite
  send-lifetime 04:00:00 Jan 1 2009 04:00:00 Jan 31 2009
 key 2
  key-string SECOND-KEY
  accept-lifetime 04:00:00 Jan 25 2009 infinite
  send-lifetime 04:00:00 Jan 25 2009 infinite
!
<output omitted>
!
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
!
interface Serial0/0/0
 bandwidth 64
 ip address 192.168.1.101 255.255.255.224
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 R1chain
!
router eigrp 100
 network 172.16.1.0 0.0.0.255
 network 192.168.1.0
 auto-summary
Configuring EIGRP MD5 Authentication
Topology (figure): as on the previous slide, R1 and R2 connected by the 64 kbps serial link 192.168.1.96/27 (R1 .101, R2 .102), with 172.16.1.0/24 behind R1 and 172.17.2.0/24 behind R2, EIGRP AS 100.

R2# show running-config
<output omitted>
!
key chain R2chain
 key 1
  key-string FIRST-KEY
  accept-lifetime 04:00:00 Jan 1 2009 infinite
  send-lifetime 04:00:00 Jan 1 2009 infinite
 key 2
  key-string SECOND-KEY
  accept-lifetime 04:00:00 Jan 25 2009 infinite
  send-lifetime 04:00:00 Jan 25 2009 infinite
!
<output omitted>
!
interface FastEthernet0/0
 ip address 172.17.2.2 255.255.255.0
!
interface Serial0/0/0
 bandwidth 64
 ip address 192.168.1.102 255.255.255.224
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 R2chain
!
router eigrp 100
 network 172.17.2.0 0.0.0.255
 network 192.168.1.0
 auto-summary
Verifying MD5 Authentication

R1#
*Apr 21 16:23:30.517: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.102 (Serial0/0/0) is up: new adjacency
R1#
R1# show ip eigrp neighbors
IP-EIGRP neighbors for process 100
H   Address         Interface   Hold  Uptime    SRTT  RTO   Q    Seq
                                (sec)           (ms)        Cnt  Num
0   192.168.1.102   Se0/0/0     12    00:03:10  17    2280  0    14
R1#
R1# show ip route
<output omitted>
Gateway of last resort is not set

D    172.17.0.0/16 [90/40514560] via 192.168.1.102, 00:02:22, Serial0/0/0
     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
D       172.16.0.0/16 is a summary, 00:31:31, Null0
C       172.16.1.0/24 is directly connected, FastEthernet0/0
     192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.1.96/27 is directly connected, Serial0/0/0
D       192.168.1.0/24 is a summary, 00:31:31, Null0
R1#
R1# ping 172.17.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/16 ms
Verifying MD5 Authentication
R1# show key chain
Key-chain R1chain:
    key 1 -- text "FIRST-KEY"
        accept lifetime (04:00:00 Jan 1 2009) - (always valid) [valid now]
        send lifetime (04:00:00 Jan 1 2009) - (04:00:00 Jan 31 2009)
    key 2 -- text "SECOND-KEY"
        accept lifetime (04:00:00 Jan 25 2009) - (always valid) [valid now]
        send lifetime (04:00:00 Jan 25 2009) - (always valid) [valid now]

Note that the key-strings are displayed in cleartext here and in the running configuration, so configuration backups and captured show output must be handled as secrets.
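The rollover that R1chain and R2chain encode (key 1 is sent until Jan 31 2009 but accepted indefinitely, key 2 is sent from Jan 25 2009 on) and the receive-side check are modelled below in Python. This is an added example, not IOS code or Cisco's implementation: the digest construction (MD5 over packet, key-id and key-string) is a simplified stand-in for the real EIGRP authentication TLV layout, lifetime end-times are treated as inclusive, and the packet bytes and timestamps are constructed. It also shows what happens when one side's key 2 is set to a different key-string while key 1 has already aged out of sending.

```python
"""Key-chain lifetime selection and digest verification, modelled on the
R1chain/R2chain configuration from the slides (added example, not IOS code)."""
import hashlib
import hmac
from datetime import datetime

INFINITE = datetime.max  # stand-in for the "infinite" end-time keyword


class Key:
    """One 'key <id>' entry of a key chain: key-string plus accept/send lifetimes."""
    def __init__(self, key_id, key_string, accept, send):
        self.key_id, self.key_string = key_id, key_string
        self.accept_start, self.accept_end = accept
        self.send_start, self.send_end = send

    def accept_valid(self, now):
        return self.accept_start <= now <= self.accept_end

    def send_valid(self, now):
        return self.send_start <= now <= self.send_end


def send_key(chain, now):
    """The key used for sending: the first key, in key-id order, whose
    send-lifetime covers 'now'. None if no key is currently sendable."""
    for key in sorted(chain, key=lambda k: k.key_id):
        if key.send_valid(now):
            return key
    return None


def digest(packet, key_id, key_string):
    # Simplified stand-in for the EIGRP MD5 authentication TLV (an assumption,
    # not the exact IOS wire format): hash packet + key-id + secret. Only the
    # digest and the key-id are transmitted; the key-string never is.
    return hashlib.md5(packet + bytes([key_id]) + key_string.encode()).digest()


def sign(chain, packet, now):
    key = send_key(chain, now)
    if key is None:
        raise ValueError("no key in the chain has a valid send-lifetime")
    return key.key_id, digest(packet, key.key_id, key.key_string)


def verify(chain, packet, key_id, received, now):
    """Receiver side: look up the advertised key-id, check its accept-lifetime,
    recompute the digest and compare in constant time. The failure strings
    mirror what 'debug eigrp packets' prints."""
    for key in chain:
        if key.key_id != key_id:
            continue
        if not key.accept_valid(now):
            return False, "key id = %d outside accept-lifetime" % key_id
        if hmac.compare_digest(digest(packet, key_id, key.key_string), received):
            return True, "ok"
        return False, "pkt key id = %d, authentication mismatch" % key_id
    return False, "key id = %d not in chain" % key_id


def r1chain(second_key="SECOND-KEY"):
    """R1chain from the slide: key 1 stops being sent on Jan 31 2009 but is
    accepted forever; key 2 is sent from Jan 25 2009 on."""
    t = datetime
    return [
        Key(1, "FIRST-KEY", accept=(t(2009, 1, 1, 4), INFINITE),
            send=(t(2009, 1, 1, 4), t(2009, 1, 31, 4))),
        Key(2, second_key, accept=(t(2009, 1, 25, 4), INFINITE),
            send=(t(2009, 1, 25, 4), INFINITE)),
    ]


def r2chain():
    """R2chain from the slide: both keys accepted and sent indefinitely."""
    t = datetime
    return [
        Key(1, "FIRST-KEY", accept=(t(2009, 1, 1, 4), INFINITE),
            send=(t(2009, 1, 1, 4), INFINITE)),
        Key(2, "SECOND-KEY", accept=(t(2009, 1, 25, 4), INFINITE),
            send=(t(2009, 1, 25, 4), INFINITE)),
    ]


def exchange(sender, receiver, when, packet=b"EIGRP HELLO AS 100"):
    """One authenticated hello from sender to receiver at ISO time 'when'
    (constructed packet bytes). Returns (key-id used, accepted?, reason)."""
    now = datetime.fromisoformat(when)
    key_id, d = sign(sender, packet, now)
    ok, reason = verify(receiver, packet, key_id, d, now)
    return key_id, ok, reason


if __name__ == "__main__":
    for when in ("2009-01-10T12:00", "2009-01-27T12:00", "2010-01-21T16:38"):
        print(when, "R1->R2", exchange(r1chain(), r2chain(), when),
              "R2->R1", exchange(r2chain(), r1chain(), when))
    # R1's key 2 misconfigured as 'wrongkey' after key 1 has aged out of sending
    print(exchange(r1chain("wrongkey"), r2chain(), "2010-01-21T16:50"))
```

Between Jan 25 and Jan 31 2009 both keys are sendable on R1, and the lower key-id wins, so R1 keeps signing with key 1; only after Jan 31 does it move to key 2, while R2 signs with key 1 indefinitely. Both directions still authenticate because each chain accepts both keys, and the adjacency never drops during the changeover.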
Troubleshooting MD5 Authentication
R1# debug eigrp packets
EIGRP Packets debugging is on
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
*Jan 21 16:38:51.745: EIGRP: received packet with MD5 authentication, key id = 1
*Jan 21 16:38:51.745: EIGRP: Received HELLO on Serial0/0/0 nbr 192.168.1.102
*Jan 21 16:38:51.745:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

R2# debug eigrp packets
EIGRP Packets debugging is on
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
R2#
*Jan 21 16:38:38.321: EIGRP: received packet with MD5 authentication, key id = 2
*Jan 21 16:38:38.321: EIGRP: Received HELLO on Serial0/0/0 nbr 192.168.1.101
*Jan 21 16:38:38.321:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

Note the asymmetry: R1 receives R2's packets signed with key id 1, while R2 receives R1's packets signed with key id 2. R1's key 1 send-lifetime has expired, so R1 uses its first key with a valid send-lifetime, key 2; R2's key 1 is sendable indefinitely, so it stays on key 1. Both directions are accepted because both chains accept both keys.
Configuring EIGRP MD5 Authentication
Topology (figure): as before, R1 S0/0/0 192.168.1.101 and R2 S0/0/0 192.168.1.102 on the 64 kbps link 192.168.1.96/27, EIGRP AS 100.

On R1, key 2 is changed to a key-string that R2 does not have:

R1(config-if)# key chain R1chain
R1(config-keychain)# key 2
R1(config-keychain-key)# key-string wrongkey
R1(config-keychain-key)#

R2# debug eigrp packets
EIGRP Packets debugging is on
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
*Jan 21 16:50:18.749: EIGRP: pkt key id = 2, authentication mismatch
*Jan 21 16:50:18.749: EIGRP: Serial0/0/0: ignored packet from 192.168.1.101, opcode = 5 (invalid authentication)
*Jan 21 16:50:18.749: EIGRP: Dropping peer, invalid authentication
*Jan 21 16:50:18.749: EIGRP: Sending HELLO on Serial0/0/0
*Jan 21 16:50:18.749:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Jan 21 16:50:18.753: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.101 (Serial0/0/0) is down: Auth failure
R2#
R2# show ip eigrp neighbors
IP-EIGRP neighbors for process 100
R2#
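The "Auth failure" neighbor-down message and the "invalid authentication" debug line are the signals an operations team should alert on. The Python below is an added example, not from the slides or from Cisco: it parses those two message formats from a constructed log sample (the lines shown above plus one made-up line from 192.168.1.120, an address that is not a configured neighbor) and rates each source. A known neighbor failing authentication usually means a key-chain or lifetime mismatch after a change; an unknown source means something else is sending EIGRP packets at the router. The "ignored packet" line is only visible with debug eigrp packets enabled, and a peer that never authenticates never forms an adjacency and so never produces a %DUAL-5-NBRCHANGE syslog message, which is why the example consumes both formats. The regular expressions and severity labels are this example's own assumptions.

```python
"""Detection logic for EIGRP authentication failures in IOS syslog/debug output
(added example; SAMPLE_LOG is constructed from the slides plus one made-up line)."""
import re
from collections import defaultdict

# Message formats as printed on the slides; the patterns are this example's assumption.
NBRCHANGE = re.compile(
    r"%DUAL-5-NBRCHANGE: IP-EIGRP\(\d+\) (?P<asn>\d+): Neighbor (?P<nbr>[0-9.]+)\s*"
    r"\((?P<intf>[^)]+)\) is (?P<state>up|down): (?P<reason>.+)$")
IGNORED = re.compile(
    r"EIGRP: (?P<intf>\S+): ignored packet from (?P<src>[0-9.]+), opcode = (?P<op>\d+) "
    r"\((?P<reason>[^)]+)\)$")

SAMPLE_LOG = [
    # three lines as printed on the slides
    "*Apr 21 16:23:30.517: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.102 (Serial0/0/0) is up: new adjacency",
    "*Jan 21 16:50:18.749: EIGRP: Serial0/0/0: ignored packet from 192.168.1.101, opcode = 5 (invalid authentication)",
    "*Jan 21 16:50:18.753: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.101(Serial0/0/0) is down: Auth failure",
    # constructed: hellos from an address that is not a configured neighbor
    "*Jan 21 16:52:03.101: EIGRP: Serial0/0/0: ignored packet from 192.168.1.120, opcode = 5 (invalid authentication)",
]


def parse(line):
    """Return a dict for the two message formats of interest, else None."""
    m = NBRCHANGE.search(line)
    if m:
        return dict(m.groupdict(), kind="nbrchange")
    m = IGNORED.search(line)
    if m:
        return dict(m.groupdict(), kind="ignored")
    return None


def analyze(lines, expected_neighbors):
    """Count authentication failures per source address and rate them:
    a configured neighbor failing auth points at a key-chain/lifetime mismatch
    (medium); an address that is not a neighbor at all is someone else
    injecting EIGRP packets toward this router (high)."""
    stats = defaultdict(lambda: {"ignored_packets": 0, "adjacency_drops": 0})
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["kind"] == "ignored" and ev["reason"] == "invalid authentication":
            stats[ev["src"]]["ignored_packets"] += 1
        elif ev["kind"] == "nbrchange" and ev["state"] == "down" and ev["reason"] == "Auth failure":
            stats[ev["nbr"]]["adjacency_drops"] += 1
    findings = []
    for src in sorted(stats):
        known = src in expected_neighbors
        findings.append({
            "source": src, **stats[src],
            "severity": "medium" if known else "high",
            "note": ("known neighbor: compare key chains and lifetimes on both ends"
                     if known else "unexpected source sending EIGRP toward this router"),
        })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG, {"192.168.1.101", "192.168.1.102"}):
        print(finding)
```

In production the expected-neighbor set comes from the configured topology (or from a baseline of past "is up: new adjacency" messages), and the "high" finding is the one worth paging on: an unknown address sending EIGRP hellos at a router is either a misplaced device or an attempt to inject routes, and without authentication it would have formed an adjacency silently.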
Optimizing EIGRP Implementations
Factors That Influence EIGRP Scalability
• Quantity of routing information exchanged between peers: without proper route summarization, this can be excessive.
• Number of routers that must be involved when a topology change occurs.
• Depth of topology: the number of hops that information must travel to reach all routers.
• Number of alternate paths through the network.
EIGRP Query Process
• Queries are sent when a route is lost and no feasible successor is available. The lost route is now in "active" state.
• Queries are sent to all neighboring routers on all interfaces except the interface to the successor.
• If the neighbors do not have the lost-route information, queries are sent to their neighbors.
• If a router has an alternate route, it answers the query; this stops the query from spreading in that branch of the network.
Overwhelming EIGRP Query Process

In a large internetwork, EIGRP queries can consume a great deal of router and link resources, and the lost route stays active until every outstanding query has been answered.

Several solutions exist to optimize the query propagation process and to limit the amount of unnecessary EIGRP load on the links, including:
• Summarization
• The EIGRP stub routing feature
Stuck-in-Active
If a router does not receive a reply to all outstanding queries within the active timer, by default 3 minutes (180 seconds), the route goes into the Stuck-in-Active (SIA) state. Common SIA reasons:
• A router is too busy to answer the query.
• A router cannot allocate the memory to process the query.
• The circuit between the two routers is not reliable.
• The router has unidirectional links.

SIA solutions:
• Redesign the network to limit the query range by route summarization and the ip summary-address eigrp command.
• Configure the remote routers as stub EIGRP routers.
SIA Solution: Summarization
• Poorly designed networks can make summarization difficult.
• Manually summarize the routes whenever possible to support a hierarchical network design.
• The more networks EIGRP summarizes, the lower the number of queries being sent out, which ultimately reduces the occurrence of SIA errors.
SIA Solution: Summarization
This network design is better because subnet addresses from individual major networks are localized within each cloud, allowing summary routes configured using the ip summary-address eigrp command to be injected into the core.
As an added benefit, the summary routes act as a boundary for the queries generated by a topology change.
SIA Solution: Stub Networks
The EIGRP Stub Routing feature:
• Improves network stability
• Reduces resource utilization
• Simplifies remote router (spoke) configuration
EIGRP Stub Routing
• Stub routing is commonly used in hub-and-spoke topologies.
• A stub router sends a special peer information packet to all neighboring routers to report its status as a stub router.
• Any neighbor that receives a packet informing it of the stub status does not query the stub router for any routes.
• Stub routers are not queried; instead, hub routers connected to the stub router answer the query on behalf of the stub router.
• Only the remote routers are configured as stubs.
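To make the query bounding concrete, the Python below (an added example, not Cisco code) simulates the query process described in the preceding slides on a small constructed topology. A router that receives a query replies immediately if it holds an alternate route or does not carry the specific prefix at all (it sits behind a summary boundary); stub neighbors are never queried; and the query is not sent back toward the successor. Running it with and without stubs and summarization shows how many routers must go active, and therefore reply, before the origin can converge for one lost prefix. The router names, links and the "knows the specific route" flags are all assumptions for the example.

```python
"""Simulation of EIGRP query propagation and the effect of stubs and
summarization on query scope (added example; constructed topology)."""
from collections import deque


class Router:
    def __init__(self, name, stub=False, has_alternate=False, knows_specific=True):
        self.name = name
        self.neighbors = []                   # filled in by build()
        self.stub = stub                      # 'eigrp stub' configured: never queried
        self.has_alternate = has_alternate    # holds a feasible successor: replies at once
        self.knows_specific = knows_specific  # False behind a summary: replies "no route" at once


def query_scope(topology, origin):
    """The route is lost at 'origin' with no feasible successor, so origin goes
    ACTIVE and queries its neighbors. Returns (routers that went ACTIVE,
    routers that received a query)."""
    active, queried = {origin}, set()
    queue = deque([(origin, None)])  # (router that just went active, its successor for the route)
    while queue:
        name, successor = queue.popleft()
        for nbr in topology[name].neighbors:
            if nbr == successor or topology[nbr].stub:
                continue  # no query toward the successor's interface; stubs are not queried
            queried.add(nbr)
            if nbr in active:
                continue  # already active: it answers once its own queries are answered
            n = topology[nbr]
            if n.has_alternate or not n.knows_specific:
                continue  # answers immediately, so the query stops on this branch
            active.add(nbr)             # no alternate: the route goes active here too
            queue.append((nbr, name))   # and the query spreads one hop further
    return active, queried


# Constructed hierarchy: core R1-R2, distribution D1/D2, access S1..S3.
LINKS = [("R1", "R2"), ("R1", "D1"), ("R2", "D2"), ("D1", "S1"), ("D1", "S2"), ("D2", "S3")]


def build(stubs=False, summarize=False, alternate_at=()):
    """stubs: access routers S1..S3 configured 'eigrp stub'.
    summarize: R2 advertises only a summary toward D2, so D2 and S3 never hold
    the specific prefix. alternate_at: routers holding a feasible successor."""
    topo = {n: Router(n) for n in ("R1", "R2", "D1", "D2", "S1", "S2", "S3")}
    for a, b in LINKS:
        topo[a].neighbors.append(b)
        topo[b].neighbors.append(a)
    for s in ("S1", "S2", "S3"):
        topo[s].stub = stubs
    for r in ("D2", "S3"):
        topo[r].knows_specific = not summarize
    for r in alternate_at:
        topo[r].has_alternate = True
    return topo


def active_count(stubs=False, summarize=False, alternate_at=()):
    """Number of routers that go active for a prefix lost at R1."""
    active, _ = query_scope(build(stubs, summarize, alternate_at), "R1")
    return len(active)


if __name__ == "__main__":
    for label, kw in (("no optimization", {}), ("stubs", {"stubs": True}),
                      ("stubs + summary", {"stubs": True, "summarize": True}),
                      ("R2 has a feasible successor", {"alternate_at": ("R2",)})):
        print("%-28s routers active: %d" % (label, active_count(**kw)))
```

With neither optimization every router in the constructed network goes active for a single lost prefix; marking the access routers as stubs removes them from the query range, and summarizing at R2 stops the query at D2 as well. Scale the same behaviour to hundreds of spokes and the difference is between a reply arriving in milliseconds and a route sitting in SIA for 3 minutes.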
EIGRP Stub
Configure a router as a stub router.

Router(config-router)# eigrp stub [receive-only | connected | static | summary | redistributed]

Parameters:
• receive-only: Restricts the router from sharing any of its routes with any other router within an EIGRP AS. This keyword cannot be combined with any other keyword.
• connected: Permits the EIGRP stub routing feature to send connected routes. This option is enabled by default and is the most widely used stub option.
• static: Permits the EIGRP stub routing feature to send static routes. Redistributing static routes with the redistribute static command is still necessary.
• summary: Permits the EIGRP stub routing feature to send automatically summarized and/or manually summarized routes. This option is enabled by default.
• redistributed: Permits the EIGRP stub routing feature to send redistributed routes. Redistributing routes with the redistribute command is still necessary.

Entered with no keyword, eigrp stub is equivalent to eigrp stub connected summary.
Example: EIGRP Stub Parameters
If stub connected is configured:
• B will advertise 10.1.2.0/24 to A.
• B will not advertise 10.1.2.0/23, 10.1.3.0/24, or 10.1.4.0/24.

If stub summary is configured:
• B will advertise 10.1.2.0/23 to A.
• B will not advertise 10.1.2.0/24, 10.1.3.0/24, or 10.1.4.0/24.
Example: EIGRP Stub Parameters (Cont.)
If stub static is configured:
• B will advertise 10.1.4.0/24 to A.
• B will not advertise 10.1.2.0/24, 10.1.2.0/23, or 10.1.3.0/24.

If stub receive-only is configured:
• B won't advertise anything to A, so A needs a static route to the networks behind B to reach them.
Graceful Shutdown
Graceful shutdown, implemented with the goodbye message feature, is designed to improve EIGRP network convergence.
In the figure, router A is using router B as the successor for a number of routes; router C is the feasible successor for the same routes. Router B normally would not tell router A if the EIGRP process on router B was going down, for example, if router B was being reconfigured. Router A would have to wait for its hold timer to expire before it would discover the change and react to it. Packets sent during this time would be lost.
With graceful shutdown, the goodbye message is broadcast when an EIGRP routing process is shut down to inform adjacent peers about the impending topology change. This feature allows supporting EIGRP peers to synchronize and recalculate neighbor relationships more efficiently than would occur if the peers discovered the topology change after the hold timer expired.
The goodbye message is supported in Cisco IOS Software Release 12.3(2), 12.3(3)B, and 12.3(2)T and later. Goodbye messages are sent in hello packets. EIGRP sends an interface goodbye message with all K values set to 255 when taking down all peers on an interface.
router eigrp 100
 eigrp nsf
 ....
Chapter 2 Summary

The chapter focused on the following topics:
• Features of EIGRP, including fast convergence, use of partial updates, multiple network layer support, use of multicast and unicast, VLSM support, seamless connectivity across all data link layer protocols and topologies, and a sophisticated metric.
• EIGRP's underlying processes and technologies: the neighbor discovery/recovery mechanism, RTP, the DUAL finite state machine, and protocol-dependent modules.
• EIGRP's tables: neighbor table, topology table, and routing table.
• EIGRP terminology:
  • Advertised distance (AD): the metric for an EIGRP neighbor router to reach the destination; the metric between the next-hop router and the destination.
  • Feasible distance (FD): the sum of the AD from the next-hop neighbor and the cost between the local router and the next-hop router.
  • Successor: a neighboring router that has a least-cost loop-free path to a destination (the lowest FD).
  • Feasible successor: a neighboring router that has a loop-free backup path to a destination.
  • Passive routes: those not undergoing recomputation; active routes: those undergoing recomputation.
• The five EIGRP packet types: hello, update, query, reply, and acknowledgment.
  • Updates, queries, and replies are sent reliably.
Chapter 2 Summary
• EIGRP initial route discovery process, started by a router sending hello packets. Neighboring routers reply with update packets, which populate the router's topology table. The router chooses the successor routes and offers them to the routing table.
• The DUAL process, including selecting FSs. To qualify as an FS, a next-hop router must have an AD less than the FD of the current successor route for the particular network, to ensure a loop-free network.
• The EIGRP metric calculation, which defaults to bandwidth (the slowest bandwidth between the source and destination) + delay (the cumulative interface delay along the path).
• Planning EIGRP implementations, including:
  • IP addressing
  • Network topology
  • EIGRP traffic engineering
• The list of tasks for each router in the network includes:
  • Enabling the EIGRP routing protocol (with the correct AS number)
  • Configuring the proper network statements
  • Optionally configuring the metric on appropriate interfaces
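The 40514560 metric shown earlier for 172.17.0.0/16 on R1 follows directly from the metric and FS rules just summarized: the slowest bandwidth on the path is the 64 kbps Serial0/0/0, giving 10^7/64 = 156250; the cumulative delay is 20000 usec (the IOS default for a serial interface) plus 100 usec (FastEthernet), giving 2010; and (156250 + 2010) * 256 = 40514560. The Python below, an added example rather than Cisco's code, computes the classic composite metric with integer arithmetic and applies the successor / feasible-successor rule to a candidate table. The second neighbor R3 and its T1 links are hypothetical, included only to show a feasible successor being selected; the default delays are the standard IOS values.

```python
"""Classic EIGRP composite metric and the successor / feasible-successor rule
(added example, not Cisco code). Each hop is (bandwidth_kbps, delay_usec)."""

SERIAL_64K = (64, 20000)      # 'bandwidth 64' from the slides; IOS default serial delay 20000 usec
FASTETHERNET = (100000, 100)  # 100 Mbps, IOS default delay 100 usec
T1 = (1544, 20000)            # hypothetical link, not on the slides


def eigrp_metric(path, k1=1, k2=0, k3=1, k4=0, k5=0, load=1, reliability=255):
    """Composite metric for a path (list of hops): bandwidth term from the
    slowest hop, delay cumulative, integer arithmetic as IOS does it. With the
    default K values this is 256 * (10^7 / min_bw_kbps + sum_delay_usec / 10)."""
    bw = 10_000_000 // min(b for b, _ in path)
    delay = sum(d for _, d in path) // 10
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5:
        metric = metric * k5 // (reliability + k4)
    return metric * 256


def dual_select(candidates):
    """candidates: {neighbor: (link to that neighbor, neighbor's own path to the destination)}.
    AD = the neighbor's metric to the destination; FD = metric of the full path
    through that neighbor. Successor = lowest FD. A feasible successor is any
    other neighbor whose AD is lower than the successor's FD (loop-free guarantee)."""
    table = {nbr: (eigrp_metric([link] + npath), eigrp_metric(npath))
             for nbr, (link, npath) in candidates.items()}
    successor = min(table, key=lambda n: table[n][0])
    fd = table[successor][0]
    feasible = sorted(n for n, (_, ad) in table.items() if n != successor and ad < fd)
    return successor, fd, feasible


def r1_to_172_17_2_0():
    """R1's view of 172.17.2.0/24: via R2 as on the slides (64 kbps serial, then
    R2's FastEthernet0/0), plus a hypothetical R3 reached over a T1 whose own
    path to the destination is one more T1 hop and a FastEthernet."""
    return dual_select({
        "R2": (SERIAL_64K, [FASTETHERNET]),
        "R3": (T1, [T1, FASTETHERNET]),
    })


if __name__ == "__main__":
    print(eigrp_metric([SERIAL_64K, FASTETHERNET]))  # the [90/40514560] seen in 'show ip route' on R1
    print(r1_to_172_17_2_0())
```

With the hypothetical R3 present, R3 becomes the successor (FD 2684416) and R2 still qualifies as a feasible successor: its AD of 28160 (R2's own FastEthernet hop) is well below R3's FD, even though the full path through R2's 64 kbps serial link is far more expensive. That is the FS condition from the slides at work: it is the neighbor's advertised distance, not the path cost through it, that decides loop-freedom.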
Chapter 2 Summary (continued)
• Basic EIGRP configuration commands.
• Commands for verifying EIGRP operation.
• Configuring a passive interface.
• Propagating a default route.
• EIGRP summarization.
• EIGRP over Frame Relay.
• EIGRP over MPLS.
• EIGRP load balancing.
• EIGRP operation in WAN environments.
• Configuring, verifying, and troubleshooting EIGRP MD5 authentication.
• EIGRP scalability factors, including the amount of information exchanged, the number of routers, the depth of the topology, and the number of alternative paths through the network.
• The SIA state and how to limit the query range to help reduce SIAs.
• Configuring the remote routers as stub EIGRP routers.
• Graceful shutdown, which broadcasts a goodbye message (in a hello packet, with all K values set to 255) when an EIGRP routing process is shut down, to inform neighbors
Resources
http://www.cisco.com/go/eigrp
http://www.cisco.com/en/US/customer/docs/ios/iproute_eigrp/command/reference/ire_book.html