EIGRP Authentication

With EIGRP authentication enabled, routers send and receive authenticated packets before an adjacency is formed.

Configuration of R1 :

R1(config)#interface e0/0
R1(config-if)#ip address 100.100.100.1 255.255.255.252
R1(config-if)#no shut

R1(config)#interface loopback 0
R1(config-if)#ip address 1.1.1.1 255.255.255.255
R1(config-if)#no shut

R1(config)#router eigrp 10
R1(config-router)#network 100.100.100.1 0.0.0.0
R1(config-router)#network 1.1.1.1 0.0.0.0
R1(config-router)#no auto-summary

R1(config)#key chain cisco
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string eigrp

R1(config)#interface e0/0
R1(config-if)#ip authentication key-chain eigrp 10 cisco
R1(config-if)#ip authentication mode eigrp 10 md5

Configuration of R2 :

R2(config)#interface e0/0
R2(config-if)#ip address 100.100.100.2 255.255.255.252
R2(config-if)#no shut

R2(config)#interface loopback 0
R2(config-if)#ip address 2.2.2.2 255.255.255.255
R2(config-if)#no shut

R2(config)#interface loopback 1
R2(config-if)#ip address 22.22.22.22 255.255.255.255
R2(config-if)#no shut

R2(config)#router eigrp 10
R2(config-router)#network 100.100.100.2 0.0.0.0
R2(config-router)#network 2.2.2.2 0.0.0.0
R2(config-router)#network 22.22.22.22 0.0.0.0
R2(config-router)#no auto-summary

R2(config)#key chain cisco
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string eigrp

R2(config)#interface e0/0
R2(config-if)#ip authentication key-chain eigrp 10 cisco
R2(config-if)#ip authentication mode eigrp 10 md5

Let’s verify from R1 :

R1#debug eigrp packets
(UPDATE, REQUEST, QUERY, REPLY, HELLO, UNKNOWN, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
EIGRP Packet debugging is on
R1#
*Jan 13 06:52:04.560: EIGRP: Sending HELLO on Et0/0 - paklen 60
*Jan 13 06:52:04.560: AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Jan 13 06:52:05.355: EIGRP: received packet with MD5 authentication, key id = 1
*Jan 13 06:52:05.355: EIGRP: Received HELLO on Et0/0 - paklen 60 nbr 100.100.100.2
*Jan 13 06:52:05.356: AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
--output omitted--

Showing neighbor adjacency  :

R1#sh ip route eigrp
--output omitted--
Gateway of last resort is not set

2.0.0.0/32 is subnetted, 1 subnets
D 2.2.2.2 [90/409600] via 100.100.100.2, 00:05:06, Ethernet0/0
22.0.0.0/32 is subnetted, 1 subnets
D 22.22.22.22 [90/409600] via 100.100.100.2, 00:05:06, Ethernet0/0

Now let’s change the authentication on one side, so that the two routers no longer match and authentication fails.

Change configuration on R2 :

R2(config)#interface e0/0
R2(config-if)#no ip authentication key-chain eigrp 10
R2(config-if)#ip authentication key-chain eigrp 10 eigrp

The key chain has been changed from cisco to eigrp. Now let’s take a look at R1:

R1#debug eigrp packets
(UPDATE, REQUEST, QUERY, REPLY, HELLO, UNKNOWN, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
EIGRP Packet debugging is on
R1#
*Jan 13 07:07:22.324: EIGRP: Et0/0: ignored packet from 100.100.100.2, opcode = 5 (missing authentication)
R1#
*Jan 13 07:07:23.973: EIGRP: Sending HELLO on Et0/0 - paklen 60
*Jan 13 07:07:23.973: AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
R1#
*Jan 13 07:07:26.604: EIGRP: Et0/0: ignored packet from 100.100.100.2, opcode = 5 (missing authentication)
R1#
*Jan 13 07:07:28.768: EIGRP: Sending HELLO on Et0/0 - paklen 60
*Jan 13 07:07:28.768: AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
R1#
*Jan 13 07:07:31.483: EIGRP: Et0/0: ignored packet from 100.100.100.2, opcode = 5 (missing authentication)
R1#u all
*Jan 13 07:07:33.382: EIGRP: Sending HELLO on Et0/0 - paklen 60
*Jan 13 07:07:33.382: AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0

R1#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(10)

R1#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Since authentication has failed, the adjacency is not formed.
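The change on R2 points the interface at a key chain named eigrp, which the configuration shown in this post never defines. As an added example (not part of the original post), the Python check below reads a saved configuration and flags an interface whose EIGRP key chain has no key-string defined, or whose md5 mode and key chain are not both set for the same AS. It assumes running-config style input; the sample text is constructed from R2's settings above, and `audit_eigrp_auth` is a hypothetical helper name.

```python
import re

# Constructed sample: R2's settings from this post after the change, rewritten
# in running-config form (an assumption; the post shows only config prompts).
R2_AFTER_CHANGE = """\
key chain cisco
 key 1
  key-string eigrp
!
interface Ethernet0/0
 ip address 100.100.100.2 255.255.255.252
 ip authentication mode eigrp 10 md5
 ip authentication key-chain eigrp 10 eigrp
"""

def audit_eigrp_auth(config):
    """Return a list of findings about per-interface EIGRP authentication."""
    chains = {}   # key chain name -> number of key-strings defined under it
    ifaces = {}   # interface name -> {"mode": {AS, ...}, "chain": {AS: name}}
    section = name = None
    for line in config.splitlines():
        if m := re.match(r"key chain (\S+)", line):
            section, name = "chain", m.group(1)
            chains.setdefault(name, 0)
        elif m := re.match(r"interface (\S+)", line):
            section, name = "iface", m.group(1)
            ifaces[name] = {"mode": set(), "chain": {}}
        elif not line.startswith(" "):
            section = None  # any other top-level line closes the section
        elif section == "chain" and re.match(r"\s+key-string \S+", line):
            chains[name] += 1
        elif section == "iface":
            if m := re.match(r"\s+ip authentication mode eigrp (\d+) md5", line):
                ifaces[name]["mode"].add(m.group(1))
            elif m := re.match(r"\s+ip authentication key-chain eigrp (\d+) (\S+)", line):
                ifaces[name]["chain"][m.group(1)] = m.group(2)
    findings = []
    for ifname, cfg in ifaces.items():
        for asn in sorted(cfg["mode"] | set(cfg["chain"])):
            chain = cfg["chain"].get(asn)
            if asn not in cfg["mode"]:
                findings.append(f"{ifname}: AS {asn} has a key chain but no md5 mode")
            if chain is None:
                findings.append(f"{ifname}: AS {asn} has md5 mode but no key chain")
            elif chains.get(chain, 0) == 0:
                findings.append(f"{ifname}: AS {asn} key chain '{chain}' has no key-string defined")
    return findings
```

Run against the constructed sample, it reports the undefined key chain on Ethernet0/0; with the interface pointing back at key chain cisco it reports nothing.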

Also read : RIP Authentication.
