EIGRP Authentication

May 16, 2011 6:18 AM

Aninda 302 posts since
Jun 19, 2010

Hi guys,

 

Below is the lab I'm working on (from CBT Nuggets Route).

 

I thought I'd just try fooling around a bit, just to see what does what. Mess up things and see what happens you know.

 

authentication.png

Now from what I know, we enable authentication after setting up key chains in EIGRP. And since it only supports MD5 and no clear text, that is the only real option we've got.

I went and set up the key chains as follows:

 

On BB:

 

BB(config-keychain-key)#do sho key chain

Key-chain EIGRP_KEYS:

    key 1 -- text "cisco1"

        accept lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

        send lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

 

On R2:

 

R2(config-keychain-key)#do sh key chain

Key-chain EIGRP_KEYS:

    key 2 -- text "cisco2"

        accept lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

        send lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

 

On R3:

 

R3(config-keychain-key)#do sho key chain

Key-chain EIGRP_KEYS:

    key 1 -- text "cisco1"

        accept lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

        send lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]

 

 

I then enabled md5 authentication on ONLY BB Router (on s0/0):

 

BB(config)#int s0/0

BB(config-if)#ip authentication mode eigrp 35 md5

 

Now, I understand due to a mismatch in authentication type (one side uses md5 - the other no authentication enabled at all), the neighbor relationship would go down.

 

But for some reason, it keeps bouncing between neighbor up and down. I don't get it.

 

R2(config)#
*Mar  1 00:38:24.687: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Serial0/0) is down: retry limit exceeded
R2(config)#
*Mar  1 00:38:29.095: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Serial0/0) is up: new adjacency
R2(config)#
*Mar  1 00:39:48.619: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Serial0/0) is down: retry limit exceeded
R2(config)#
*Mar  1 00:39:52.283: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Serial0/0) is up: new adjacency
R2(config)#
*Mar  1 00:41:11.799: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Serial0/0) is down: retry limit exceeded
R2(config)#
*Mar  1 00:41:14.947: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Serial0/0) is up: new adjacency
R2(config)#
*Mar  1 00:42:34.463: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Serial0/0) is down: retry limit exceeded
R2(config)#
*Mar  1 00:42:37.931: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Serial0/0) is up: new adjacency
R2(config)#
*Mar  1 00:43:57.447: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Serial0/0) is down: retry limit exceeded
R2(config)#
*Mar  1 00:43:59.659: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Serial0/0) is up: new adjacency
R2(config)#
*Mar  1 00:45:19.179: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Serial0/0) is down: retry limit exceeded
R2(config)#
*Mar  1 00:45:22.663: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Serial0/0) is up: new adjacency
R2(config)#
*Mar  1 00:46:42.179: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Serial0/0) is down: retry limit exceeded
R2(config)#
*Mar  1 00:46:46.575: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Serial0/0) is up: new adjacency
R2(config)#
*Mar  1 00:48:06.091: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Serial0/0) is down: retry limit exceeded
R2(config)#
*Mar  1 00:48:09.579: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 35: Neighbor 10.1.24.1 (Serial0/0) is up: new adjacency

 

 

What is happening here, can someone please explain this?

  • Eddie 225 posts since
    Feb 4, 2011
    3. May 16, 2011 6:52 AM (in response to Aninda)
    Re: EIGRP Authentication

    Hello Aninda,

    I have this bug too!

    After I added key 2, all was good))

    Key chain must match on both routers!!!

    R3#sh key chain
    Key-chain cisco:
        key 1 -- text "www"
            accept lifetime (06:00:00 UTC May 1 2011) - (06:00:00 UTC Jun 1 2011) [valid now]
            send lifetime (06:00:00 UTC May 1 2011) - (06:00:00 UTC Jun 1 2011) [valid now]
        key 2 -- text "test"
            accept lifetime (06:00:00 UTC Jun 1 2011) - (06:00:00 UTC Jul 1 2011)
            send lifetime (06:00:00 UTC Jun 1 2011) - (06:00:00 UTC Jul 1 2011)
        key 3 -- text "infiniti_key"
            accept lifetime (06:00:00 UTC Jul 1 2011) - (infinite)
            send lifetime (06:00:00 UTC Jul 1 2011) - (infinite)
    R3#sh run int f0/0
    Building configuration...

    Current configuration : 263 bytes
    !
    interface FastEthernet0/0
    ip address 172.16.2.2 255.255.255.0
    ip bandwidth-percent eigrp 1 999999
    ip hello-interval eigrp 1 2
    ip hold-time eigrp 1 6
    ip authentication mode eigrp 1 md5
    ip authentication key-chain eigrp 1 cisco
    duplex auto
    speed auto
    end

    R3#

     

     

    R3#debug eigrp packets

    EIGRP Packets debugging is on

        (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)

    R3#

    May 16 17:51:05.688: EIGRP: received packet with MD5 authentication, key id = 1

    May 16 17:51:05.696: EIGRP: Received HELLO on FastEthernet0/0 nbr 172.16.2.1

    May 16 17:51:05.700:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

    May 16 17:51:05.796: EIGRP: Sending HELLO on FastEthernet0/0

    May 16 17:51:05.800:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0

    May 16 17:51:05.816: EIGRP: received packet with MD5 authentication, key id = 1

    May 16 17:51:05.816: EIGRP: Received HELLO on FastEthernet0/1 nbr 172.16.1.1

    May 16 17:51:05.820:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

    R3#

    May 16 17:51:06.008: EIGRP: Sending HELLO on FastEthernet0/1

    May 16 17:51:06.012:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0

    R3#

    May 16 17:51:07.512: EIGRP: received packet with MD5 authentication, key id = 1

    May 16 17:51:07.516: EIGRP: Received HELLO on FastEthernet0/0 nbr 172.16.2.1

    May 16 17:51:07.520:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

    May 16 17:51:07.572: EIGRP: received packet with MD5 authentication, key id = 1

    May 16 17:51:07.572: EIGRP: Received HELLO on FastEthernet0/1 nbr 172.16.1.1

    May 16 17:51:07.576:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

    May 16 17:51:07.720: EIGRP: Sending HELLO on FastEthernet0/0

    May 16 17:51:07.720:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0

    R3#

    May 16 17:51:08.004: EIGRP: Sending HELLO on FastEthernet0/1

    May 16 17:51:08.004:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0

    R3#

    May 16 17:51:09.372: EIGRP: received packet with MD5 authentication, key id = 1

    May 16 17:51:09.372: EIGRP: Received HELLO on FastEthernet0/0 nbr 172.16.2.1

    May 16 17:51:09.376:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

    May 16 17:51:09.460: EIGRP: received packet with MD5 authentication, key id = 1

    May 16 17:51:09.460: EIGRP: Received HELLO on FastEthernet0/1 nbr 172.16.1.1

    May 16 17:51:09.464:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

    May 16 17:51:09.476: EIGRP: Sending HELLO on FastEthernet0/0

    May 16 17:51:09.476:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0

    R3#un

    May 16 17:51:09.944: EIGRP: Sending HELLO on FastEthernet0/1

    May 16 17:51:09.944:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0

    R3#un all

    All possible debugging has been turned off

    R3#

    May 16 17:51:11.216: EIGRP: received packet with MD5 authentication, key id = 1

    May 16 17:51:11.220: EIGRP: Received HELLO on FastEthernet0/0 nbr 172.16.2.1

    May 16 17:51:11.220:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

    May 16 17:51:11.304: EIGRP: Sending HELLO on FastEthernet0/0

    May 16 17:51:11.308:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0

    May 16 17:51:11.380: EIGRP: received packet with MD5 authentication, key id = 1

    May 16 17:51:11.380: EIGRP: Received HELLO on FastEthernet0/1 nbr 172.16.1.1

    May 16 17:51:11.380:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

    R3#

    May 16 17:51:11.768: EIGRP: Sending HELLO on FastEthernet0/1

    May 16 17:51:11.772:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0

    R3#

  • Ahmed 114 posts since
    Nov 14, 2010
    4. May 16, 2011 7:02 AM (in response to Eddie)
    Re: EIGRP Authentication

    In order to run authentication between the routers, the clocks on all routers must be synchronised.

    Try setting one of the routers as NTP master and the others as NTP clients.

  • Ahmed 114 posts since
    Nov 14, 2010
    5. May 16, 2011 7:06 AM (in response to Eddie)
    Re: EIGRP Authentication

    If you remember, in the same video Jeremy speaks about NTP while doing the authentication, but the NTP configuration is not shown. Go to Routergods.com for the NTP video; it is a three-command setup. You can do it easily.

  • Eddie 225 posts since
    Feb 4, 2011
    6. May 16, 2011 7:16 AM (in response to Ahmed)
    Re: EIGRP Authentication

    Ahmed, you are right!!!

    R3 is client

    R3#sh run | inc
    R3#sh run | include ntp
    ntp clock-period 17179688
    ntp server 172.16.1.1
    R3#sh ntp associations

          address         ref clock     st  when  poll reach  delay  offset    disp
    *~172.16.1.1       127.127.7.1       3   135   512  377     8.0   36.67    11.4
    * master (synced), # master (unsynced), + selected, - candidate, ~ configured
    R3#sh clock
    18:13:11.169 UTC Mon May 16 2011
    R3#

     

    R1 is master

    R1#sh run | inc ntp
    ntp master 3
    R1#sh ntp ***
    R1#sh ntp associations

          address         ref clock     st  when  poll reach  delay  offset    disp
    *~127.127.7.1      127.127.7.1       2    16    64  377     0.0    0.00     0.0
    * master (synced), # master (unsynced), + selected, - candidate, ~ configured
    R1#sh clo
    R1#sh clock
    18:15:01.986 UTC Mon May 16 2011
    R1#

  • Ahmed 114 posts since
    Nov 14, 2010
    7. May 16, 2011 7:19 AM (in response to Eddie)
    Re: EIGRP Authentication

    Does it solve your problem?

  • Daz_UK 136 posts since
    Sep 4, 2009
    8. May 16, 2011 10:13 AM (in response to Aninda)
    Re: EIGRP Authentication

    Aninda

    Have you added the IP AUTHENTICATION KEY-CHAIN EIGRP 1 EIGRP-KEY  under the s 0/0 interface ?

  • Adam - CCNP 47 posts since
    Dec 23, 2010
    9. May 16, 2011 2:54 PM (in response to Aninda)
    Re: EIGRP Authentication

    Hi,

     

    You need to configure the key chains on each router, and then tell the interface to use MD5 authentication but then you need to tell the interface what key chain to use.

     

    So e.g.

     

    BB(config)#int s0/0

    BB(config-if)#ip authentication mode eigrp 35 md5

    BB(config-if)#ip authentication key-chain eigrp 35 EIGRP_KEY

     

    Remember that as well as the key-strings, the key numbers also have to match. You can call the key chains whatever you want.

     

    Cheers
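
Added example, not part of the original thread: a Python check of the rule in the post above (key number and key-string must both match), run over `show key chain` output copied from this thread, with each router's send/accept lifetimes evaluated against its own clock, which is where clock skew matters at key rollover. The function names and the timestamps passed in are assumptions for illustration, as is the rule that the sender uses its lowest-numbered key with a valid send lifetime.

```python
import re
from datetime import datetime
KEY_RE = re.compile(r'key (\d+) -- text "([^"]*)"')
LIFE_RE = re.compile(r'(accept|send) lifetime \(([^)]*)\) - \(([^)]*)\)')
FMT = "%H:%M:%S UTC %b %d %Y"

# Sample input: `show key chain` output as posted in this thread; R2 differs from BB
# only in key number and key-string. ROLL_OUT is the first two keys of Eddie's chain.
BB_OUT = '''Key-chain EIGRP_KEYS:
    key 1 -- text "cisco1"
        accept lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]
        send lifetime (00:00:00 UTC Mar 1 2002) - (infinite) [valid now]'''
R2_OUT = BB_OUT.replace("key 1", "key 2").replace("cisco1", "cisco2")
ROLL_OUT = '''Key-chain cisco:
    key 1 -- text "www"
        accept lifetime (06:00:00 UTC May 1 2011) - (06:00:00 UTC Jun 1 2011)
        send lifetime (06:00:00 UTC May 1 2011) - (06:00:00 UTC Jun 1 2011)
    key 2 -- text "test"
        accept lifetime (06:00:00 UTC Jun 1 2011) - (06:00:00 UTC Jul 1 2011)
        send lifetime (06:00:00 UTC Jun 1 2011) - (06:00:00 UTC Jul 1 2011)'''

def _ts(text, default):
    return default if text == "infinite" else datetime.strptime(text, FMT)

def parse_key_chain(output):
    """Return {key_id: {"text": str, "accept": (start, end), "send": (start, end)}}."""
    keys, current = {}, None
    for line in output.splitlines():
        if m := KEY_RE.search(line):
            current = keys.setdefault(int(m.group(1)), {"text": m.group(2)})
        elif (m := LIFE_RE.search(line)) and current is not None:
            current[m.group(1)] = (_ts(m.group(2), datetime.min), _ts(m.group(3), datetime.max))
    return keys

def check_direction(sender, s_now, receiver, r_now):
    """Return 'ok', or why the receiver would reject packets from the sender."""
    valid = lambda window, now: window[0] <= now < window[1]
    usable = [k for k in sorted(sender) if valid(sender[k]["send"], s_now)]
    if not usable:
        return "sender has no key with a valid send lifetime"
    kid = usable[0]  # assumption: lowest-numbered valid key is the one sent
    peer = receiver.get(kid)
    if peer is None:
        return f"key id {kid} not configured on receiver"
    if not valid(peer["accept"], r_now):
        return f"key id {kid} outside receiver's accept lifetime"
    if peer["text"] != sender[kid]["text"]:
        return f"key id {kid} key-string mismatch"
    return "ok"
```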

  • Ahmed 114 posts since
    Nov 14, 2010
    11. May 16, 2011 7:17 PM (in response to Aninda)
    Re: EIGRP Authentication

    debug eigrp packets

    and paste the result

  • Ahmed 114 posts since
    Nov 14, 2010
    12. May 16, 2011 7:19 PM (in response to Aninda)
    Re: EIGRP Authentication

    It is very difficult to synchronize the clock manually; for sure there will be a difference in min. or sec.,

    and a difference of min. or sec. makes a big difference for security and logging.

  • smsnaqvi 534 posts since
    Feb 6, 2010
    14. May 16, 2011 10:52 PM (in response to Aninda)
    Re: EIGRP Authentication

    Hi Aninda

     

    On the BB router, in the global config mode, type in

     

    config # ntp server  66.27.60.10

     

    the above ip is an ntp server

     

    then on R2 and R3, in the global config mode, type in

     

    ntp server 10.1.24.1 and 10.1.34.1 respectively. Your BB is the primary point of contact with the public NTP server, R2 and R3 will consider the BB router as their servers to synchronize the time. You wanna read about NTP, here you go.

     

    http://oreilly.com/catalog/hardcisco/chapter/ch10.html
