For two routers to become EIGRP neighbors, the following parameters must match:
- IP addresses in the same subnet
- same AS number
- same K-values
- same PSK (to pass router authentication)
- EIGRP authentication causes routers to authenticate every EIGRP message.
- To do so, the routers must use the same preshared key (PSK), generating an MD5 digest for each EIGRP message based on that shared PSK.
- The key chain configuration concept allows the engineer to migrate from one key value to another over time.
- Just like a real key chain that has multiple keys, the IOS key chain concept allows the configuration of multiple keys, each identified with a number.
- If no lifetime has been configured for a key, it is considered valid at all times.
- However, when a key has been defined with a lifetime, the key is valid only during that lifetime.
- The existence of multiple keys in a key chain, each with its own valid lifetime, can cause some confusion about when the keys are used.
- The rules can be summarized as follows:
■ Sending EIGRP messages: use the lowest key number among all currently valid keys.
■ Receiving EIGRP messages: check the MD5 digest using ALL currently valid keys.
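The two selection rules, and the lifetime behaviour they depend on, are easier to reason about when run against the exact key chains configured later in this post (R6R7 with keys 1 and 2, R7R6 with keys 3 and 4, same lifetimes). The following is an added example, not code from the original post or from Cisco: it models only the selection logic (a key without a lifetime is always valid; send with the lowest-numbered currently valid key; verify a received digest against ALL currently valid keys). The digest is a simplified stand-in (assumption: MD5 over the packet bytes followed by the PSK), the packet body is a constructed byte string, and the real EIGRP authentication TLV layout is not reproduced. Beyond what the post shows, it also runs the exchange with the two routers' clocks skewed across the 20:00 hand-over so the effect of lifetimes that only touch at a single instant is visible.

```python
"""Key-chain selection rules for EIGRP MD5 authentication, modelled in Python.

Added example (not from the original post). Only the selection logic described
in the post is modelled; the digest is a simplified stand-in (assumption: MD5
over payload bytes followed by the PSK).
"""
import hashlib
from datetime import datetime

INFINITE = datetime.max  # stands in for the IOS "infinite" lifetime end


def T(text):
    """Parse a timestamp in the form the post uses, e.g. '11:55:55 7 July 2013'."""
    return datetime.strptime(text, "%H:%M:%S %d %B %Y")


class Key:
    def __init__(self, number, key_string, accept=None, send=None):
        # accept/send are (start, end) windows; None means "no lifetime
        # configured", which IOS treats as valid at all times.
        self.number = number
        self.key_string = key_string
        self.accept = accept
        self.send = send

    @staticmethod
    def _in_window(window, now):
        return window is None or window[0] <= now <= window[1]

    def can_send(self, now):
        return self._in_window(self.send, now)

    def can_accept(self, now):
        return self._in_window(self.accept, now)


def digest(payload, key_string):
    """Simplified keyed MD5 digest (assumption, see module docstring)."""
    return hashlib.md5(payload + key_string.encode()).digest()


class KeyChain:
    def __init__(self, name, keys):
        self.name = name
        self.keys = sorted(keys, key=lambda k: k.number)  # ascending key numbers

    def send_key(self, now):
        """Lowest-numbered key whose send-lifetime covers `now`, or None."""
        for k in self.keys:
            if k.can_send(now):
                return k
        return None

    def sign(self, payload, now):
        """(key number, digest) for an outgoing message, or None if no key can send."""
        k = self.send_key(now)
        return None if k is None else (k.number, digest(payload, k.key_string))

    def verify(self, payload, received_digest, now):
        """Try EVERY key whose accept-lifetime covers `now`; return the match or None."""
        for k in self.keys:
            if k.can_accept(now) and digest(payload, k.key_string) == received_digest:
                return k.number
        return None


# Lifetimes exactly as configured on R6 and R7 in the post.
KEY_A = (T("11:55:55 7 July 2013"), T("20:00:00 8 July 2013"))
KEY_B = (T("20:00:00 8 July 2013"), INFINITE)

R6R7 = KeyChain("R6R7", [Key(1, "test67", KEY_A, KEY_A), Key(2, "abcd1234", KEY_B, KEY_B)])
R7R6 = KeyChain("R7R6", [Key(3, "test67", KEY_A, KEY_A), Key(4, "abcd1234", KEY_B, KEY_B)])

HELLO = b"EIGRP HELLO AS 1 from 172.16.0.10"  # constructed stand-in for a packet body


def exchange(sender, receiver, now, receiver_now=None, strip_auth=False):
    """Sender signs HELLO at its local time; receiver verifies at its own local time.

    Returns (status, key number used to send, key number that matched), with the
    status wording mirroring the 'debug eigrp packets' output in the post.
    """
    receiver_now = now if receiver_now is None else receiver_now
    auth = sender.sign(HELLO, now)
    if auth is None:
        return ("no valid send key", None, None)
    if strip_auth:  # models 'no ip authentication mode eigrp' on the sender
        return ("missing authentication", None, None)
    matched = receiver.verify(HELLO, auth[1], receiver_now)
    if matched is None:
        return ("invalid authentication", auth[0], None)
    return ("ok", auth[0], matched)


if __name__ == "__main__":
    for when in ("12:00:00 7 July 2013", "20:00:00 8 July 2013", "21:00:00 8 July 2013"):
        print(when, exchange(R7R6, R6R7, T(when)))
    # Clock skew of ten seconds across the hand-over instant
    print("skewed", exchange(R7R6, R6R7, T("20:00:05 8 July 2013"),
                             receiver_now=T("19:59:55 8 July 2013")))
```

Two things the run makes concrete. First, R7 sends with key 3 and R6 matches it with key 1, which is the behaviour behind the note later in the post that only the key-string has to agree. Second, because the accept- and send-lifetimes of key 1/3 and key 2/4 meet only at 20:00:00 on 8 July, a router whose clock is a few seconds ahead starts sending with the new key while its peer still accepts only the old one, and the peer logs an invalid-authentication drop; giving the old key an accept-lifetime that extends past the new key's send-lifetime start is the usual way to absorb that skew.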
First, consider routers R6 and R7, which are currently neighbors:
R6#clock set 10:42:20 7 July 2013
R7#clock set 10:42:20 7 July 2013
R6#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
2 172.16.0.2 Se0/0 10 00:12:29 42 252 0 11
1 172.16.0.10 Se0/1 11 00:12:29 31 200 0 3
0 172.16.0.6 Fa0/1 10 00:12:29 797 4782 0 10
R6(config)#key chain R6R7
R6(config-keychain)#key 1
R6(config-keychain-key)#key-string test67
R6(config-keychain-key)#accept-lifetime 11:55:55 7 July 2013 20:00:00 8 July 2013
R6(config-keychain-key)#send-lifetime 11:55:55 7 July 2013 20:00:00 8 July 2013
R6(config-keychain-key)#exit
R6(config-keychain)#key 2
R6(config-keychain-key)#key-string abcd1234
R6(config-keychain-key)#accept-lifetime 20:00:00 8 July 2013 infinite
R6(config-keychain-key)#send-lifetime 20:00:00 8 July 2013 infinite
Note: the key chain name and key numbers do not have to match on the two routers; only the key-string MUST MATCH!
Now we apply the key chain to the interface connecting to R7, which brings the neighborship down until the same configuration is made on R7:
R6(config)#interface serial 0/1
R6(config-if)#ip authentication mode eigrp 1 md5
Jul 7 12:04:34.707: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.0.10 (Serial0/1) is down: authentication mode changed
R6(config-if)#ip authentication key-chain eigrp 9 R6R7
R7(config)#key chain R7R6
R7(config-keychain)#key 3
R7(config-keychain-key)#key
R7(config-keychain-key)#key-string test67
R7(config-keychain-key)#accept-lifetime 11:55:55 7 July 2013 20:00:00 8 July 2013
R7(config-keychain-key)#send-lifetime 11:55:55 7 July 2013 20:00:00 8 July 2013
R7(config-keychain-key)#exit
R7(config-keychain)#key 4
R7(config-keychain-key)#key-string abcd1234
R7(config-keychain-key)#accept-lifetime 20:00:00 8 July 2013 infinite
R7(config-keychain-key)#send-lifetime 20:00:00 8 July 2013 infinite
R7(config-keychain-key)#
Jul 7 12:10:17.235: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.0.9 (Serial0/0) is up: new adjacency
Apply the key chain to the interface connecting to R6:
R7(config)#interface serial 0/0
R7(config-if)#ip authentication mode eigrp 1 md5
R7(config-if)#
Jul 7 12:27:05.267: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.0.9 (Serial0/0) is down: authentication mode changed
Jul 7 12:27:08.539: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.0.9 (Serial0/0) is up: new adjacency
R7(config-if)#ip authentication key-chain eigrp 1 R7R6
R7(config-if)#
Jul 7 12:27:34.603: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.0.9 (Serial0/0) is down: keychain changed
Jul 7 12:27:35.823: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.0.9 (Serial0/0) is up: new adjacency
Now the neighborship is up again:
R7#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 172.16.0.9 Se0/0 10 00:03:53 51 306 0 26
If authentication is disabled on R7's Serial0/0 interface, the neighborship fails (missing authentication):
R7(config)#interface serial 0/0
R7(config-if)#no ip authentication mode eigrp 1 md5
R6#debug eigrp packets
EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
R6#
Jul 7 12:35:41.003: EIGRP: Serial0/1: ignored packet from 172.16.0.10, opcode = 5 (missing authentication)
Jul 7 12:35:41.007: EIGRP: Dropping peer, invalid authentication
Jul 7 12:35:41.011: EIGRP: Sending HELLO on Serial0/1
Jul 7 12:35:41.011: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
Jul 7 12:35:41.015: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.0.10 (Serial0/1) is down: Auth failure
If the key-string in the key chain configured on R7 is changed, the neighborship fails (invalid authentication):
R6#debug eigrp packets
EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
R6#
Jul 7 12:41:52.967: EIGRP: received packet with MD5 authentication, key id = 1
Jul 7 12:41:57.519: EIGRP: pkt key id = 1, authentication mismatch
Jul 7 12:41:57.523: EIGRP: Serial0/1: ignored packet from 172.16.0.10, opcode = 5 (invalid authentication)
Jul 7 12:41:57.523: EIGRP: Dropping peer, invalid authentication
Jul 7 12:41:57.527: EIGRP: Sending HELLO on Serial0/1
Jul 7 12:41:57.527: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
Jul 7 12:41:57.539: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.0.10 (Serial0/1) is down: Auth failure
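The debug output above shows two distinct drop reasons ("missing authentication" when the peer sends no authentication at all, "invalid authentication" when the digest does not match any valid key) and several `%DUAL-5-NBRCHANGE` transitions, some of which are expected while authentication is being enabled ("authentication mode changed", "keychain changed") and one of which indicates a real problem ("Auth failure"). The following is an added example, not code from the original post or from Cisco: it parses those two line shapes from syslog/debug text, counts the down reasons per neighbor, and separates neighbors that only flapped during the rollout from those with persisting authentication failures. The sample log is assembled from lines shown earlier in the post; the regular expressions assume the exact timestamp and message layout seen there.

```python
"""Triage of EIGRP authentication events from IOS debug/syslog output.

Added example (not from the original post). Recognises the '%DUAL-5-NBRCHANGE'
and 'EIGRP: <intf>: ignored packet ... (<reason>)' line shapes seen in the post.
"""
import re
from collections import Counter, defaultdict

TS = r"(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d\.\d+)"
NBRCHANGE = re.compile(
    TS + r": %DUAL-5-NBRCHANGE: IP-EIGRP\(\d+\) (?P<asn>\d+): "
    r"Neighbor (?P<nbr>[\d.]+) \((?P<ifc>[^)]+)\) is (?P<state>up|down): (?P<reason>.+)$"
)
IGNORED = re.compile(
    TS + r": EIGRP: (?P<ifc>[^:]+): ignored packet from (?P<nbr>[\d.]+), "
    r"opcode = (?P<opcode>\d+) \((?P<reason>[^)]+)\)$"
)

# Reasons seen in the post: the first two are expected once per side while the
# operator enables authentication; "Auth failure" after that needs attention.
ROLLOUT_REASONS = {"authentication mode changed", "keychain changed"}
AUTH_DROP_REASONS = {"missing authentication", "invalid authentication"}

# Sample log assembled from lines shown in the post (R6 and R7 consoles).
SAMPLE_LOG = """\
Jul 7 12:04:34.707: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.0.10 (Serial0/1) is down: authentication mode changed
Jul 7 12:27:34.603: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.0.9 (Serial0/0) is down: keychain changed
Jul 7 12:27:35.823: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.0.9 (Serial0/0) is up: new adjacency
Jul 7 12:35:41.003: EIGRP: Serial0/1: ignored packet from 172.16.0.10, opcode = 5 (missing authentication)
Jul 7 12:35:41.007: EIGRP: Dropping peer, invalid authentication
Jul 7 12:35:41.015: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.0.10 (Serial0/1) is down: Auth failure
Jul 7 12:41:52.967: EIGRP: received packet with MD5 authentication, key id = 1
Jul 7 12:41:57.519: EIGRP: pkt key id = 1, authentication mismatch
Jul 7 12:41:57.523: EIGRP: Serial0/1: ignored packet from 172.16.0.10, opcode = 5 (invalid authentication)
Jul 7 12:41:57.539: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.0.10 (Serial0/1) is down: Auth failure
"""


def parse_line(line):
    """Return a dict for a recognised line, else None."""
    m = NBRCHANGE.match(line)
    if m:
        return {"kind": "nbrchange", **m.groupdict()}
    m = IGNORED.match(line)
    if m:
        return {"kind": "ignored", **m.groupdict()}
    return None


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def auth_failures(text):
    """Packet drops and adjacency losses attributable to authentication."""
    out = []
    for e in parse_log(text):
        if e["kind"] == "ignored" and e["reason"] in AUTH_DROP_REASONS:
            out.append(e)
        elif e["kind"] == "nbrchange" and e["state"] == "down" and e["reason"] == "Auth failure":
            out.append(e)
    return out


def down_reasons(text):
    """Per (interface, neighbor): how often each 'down' reason occurred."""
    table = defaultdict(Counter)
    for e in parse_log(text):
        if e["kind"] == "nbrchange" and e["state"] == "down":
            table[(e["ifc"], e["nbr"])][e["reason"]] += 1
    return table


def triage(text):
    """Split neighbors into those that only flapped during rollout and those needing attention."""
    needs_attention, rollout_only = [], []
    for peer, reasons in down_reasons(text).items():
        if any(r not in ROLLOUT_REASONS for r in reasons):
            needs_attention.append(peer)
        else:
            rollout_only.append(peer)
    return {"needs_attention": sorted(needs_attention), "rollout_only": sorted(rollout_only)}


if __name__ == "__main__":
    for e in auth_failures(SAMPLE_LOG):
        print(e["ts"], e["kind"], e["ifc"], e["nbr"], e["reason"])
    print(triage(SAMPLE_LOG))
```

Run against the sample, the triage puts Serial0/0 towards 172.16.0.9 in the rollout-only bucket (its single down was "keychain changed", immediately followed by a new adjacency) and flags Serial0/1 towards 172.16.0.10, which lost the adjacency twice with "Auth failure". The "ignored packet" reason attached to each failure tells the operator which of the two conditions in the post applies: "missing authentication" points at a peer with no `ip authentication mode eigrp` on the interface, "invalid authentication" at a key-string that no currently valid key on the receiver can reproduce.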