2 EIGRP questions: static neighborship / authentication

aocferreira Member Posts: 50
Hello guys,

I started my CCNP journey a few days ago and 2 things are somehow confusing me:

1) Regarding EIGRP authentication:

Router R1:

key chain r1
key 1
key-string test
key 2
key-string test2
key 3
key-string test3

Router R2:
key chain r2
key 1
key-string test2

No lifetimes are configured on the keys. Is this supposed to be working or not?

2) It seems that when configuring static neighbors, we don't need to advertise subnets with the network command. Nevertheless, with only neighbor <IP> <local interface> (on both routers), the EIGRP adjacency doesn't come up... Is there anything else needed for this to work?

Thanks.

BR,
André

Comments

  • Danielh22185 Member Posts: 1,195
    To my knowledge, if there is no lifetime specified it will use the 1st listing. Are your keys configured exactly the same on both sides? Maybe a copy of your running configs will help us find an answer more easily. It's a guessing game at this point.
  • aocferreira Member Posts: 50
    Hello,

    The authentication is not working and I think it should not work.
    According to documentation, for sending EIGRP messages, router uses md5 digest of lowest valid key number, while for received messages it uses all valid keys... so, in this case, we would have a mismatch between test and test2.
    That is my interpretation, don't know if I'm correct or wrong. This is why it's not working?

    And regarding question number 2? Any thoughts?

    I did not save my testing scenarios, so I believe I can't upload my running configs.

    Thanks for help,
    André
  • elderkai Member Posts: 279
    In the book I was reading, it said you didn't need to advertise the network to the EIGRP and just needed the static neighbor statement. However, it never worked when I tried it, but advertising the network AND statically assigning worked and displayed that the neighborship was indeed "STATIC". I'm not sure if the book was wrong or missed something, but that's how I got it working.
  • elderkai Member Posts: 279
    aocferreira wrote: »
    Hello,

    The authentication is not working and I think it should not work.
    According to documentation, for sending EIGRP messages, router uses md5 digest of lowest valid key number, while for received messages it uses all valid keys... so, in this case, we would have a mismatch between test and test2.
    That is my interpretation, don't know if I'm correct or wrong. This is why it's not working?

    And regarding question number 2? Any thoughts?

    I did not save my testing scenarios, so I believe I can't upload my running configs.

    Thanks for help,
    André
    The authentication should work. EIGRP will use the lowest valid key number for sending, but will use all valid keys for receiving. Have you tried using debugs to see exactly what the problem is? My advice is to advertise the network to EIGRP and then see.

    EDIT: And when I say all valid keys, I mean keys that are in effect. There are different timers for both sending and receiving, but by default without doing that a key is gonna remain valid.
  • nerdydad Member Posts: 261
    elderkai wrote: »
    In the book I was reading, it said you didn't need to advertise the network to the EIGRP and just needed the static neighbor statement. However, it never worked when I tried it, but advertising the network AND statically assigning worked and displayed that the neighborship was indeed "STATIC". I'm not sure if the book was wrong or missed something, but that's how I got it working.

    I believe the book you were reading is wrong; the interfaces will not participate in EIGRP if they are not specified in a network command.
  • elderkai Member Posts: 279
    It's the OCG. I figured that, though.
  • phoeneous Go ping yourself... Member Posts: 2,333
    Is this supposed to be working or not?

    No, the key number AND the key string need to match on both ends. The key chain name can be different though. Also don't forget there are two authentication commands at the interface config level, not global.

    ip authentication mode eigrp <ASN> md5
    ip authentication key-chain eigrp <ASN> <unique_key_chain_name>
  • SteveO86 Member Posts: 1,423
    phoeneous wrote: »
    No, the key number AND the key string need to match on both ends. The key chain name can be different though. Also don't forget there are two authentication commands at the interface config level, not global.

    ip authentication mode eigrp <ASN> md5
    ip authentication key-chain eigrp <ASN> <unique_key_chain_name>

    This is completely correct. If you do not specify EIGRP with the authentication settings, it does not tie the authentication to EIGRP. If you forget to include the EIGRP keyword, you just configured routing authentication for RIP. If I remember correctly, EIGRP only supports MD5, not clear text authentication.

    Since this is the CCNP Forum, once you get this working here's a little extra credit. Configure lifetimes on the keys and set the keychains to switch at a certain time :)
  • elderkai Member Posts: 279
    The key string obviously needs to match, but neither the key number nor key chain have to match. You can try it out and verify. :)
  • aocferreira Member Posts: 50
    Hello guys,

    Thanks for the updates.

    1) Regarding the static neighbors:

    In the book I'm reading, it also says that we don't need to advertise the network... Anyway, the neighborship does not come up without the "network" command. The book is CCNP ROUTE 642-902 Official Certification Guide, by Wendell Odom.

    "Also, note that the EIGRP configuration does not have to include a network command that matches the interface; EIGRP will still advertise about the subnet connected to the interface."

    So, according to your comments, I believe this is wrong.

    2) Authentication:

    According to the same book stated above, only key strings need to match. Key chains and key numbers do not have to be the same in both routers. Confusing though.

    Thanks in advance.

    Br,
    André
  • phoeneous Go ping yourself... Member Posts: 2,333
    aocferreira wrote: »
    Hello guys,

    Thanks for the updates.

    1) Regarding the static neighbors:

    In the book I'm reading, it also says that we don't need to advertise the network... Anyway, the neighborship does not come up without the "network" command. The book is CCNP ROUTE 642-902 Official Certification Guide, by Wendell Odom.

    "Also, note that the EIGRP configuration does not have to include a network command that matches the interface; EIGRP will still advertise about the subnet connected to the interface."

    So, according to your comments, I believe this is wrong.

    2) Authentication:

    According to the same book stated above, only key strings need to match. Key chains and key numbers do not have to be the same in both routers. Confusing though.

    Thanks in advance.

    Br,
    André

    But that's just one sentence. What does the config look like? What else does it say on that page?
  • Jackace Member Posts: 335
    I have the same book and I saw the same information. There are definitely some inconsistencies and it makes it easy to get confused as well. In order to get around these issues I have made sure I lab everything and read from multiple sources. It still makes me nervous about all those multiple choice questions on the actual exam, because some information says one thing and other information says another. I'm always left wondering what the correct answer is according to the exam.
  • elderkai Member Posts: 279
    I thought I tested this before, but the OCG is also wrong in that you do have to have matching key numbers for the keys. Keychain still doesn't, though. Seems like an important thing to get right. ._.
  • aocferreira Member Posts: 50
    Hello,

    So, to summarize: regarding the authentication, key numbers and key strings do have to match. About the static neighbors, we still need to advertise the network. Correct?

    Thanks for help!

    Best regards,
    AF
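
The key selection rules argued over in this thread (send with the lowest valid key number, accept against any valid key, matched by key number) can be checked with a small model. This is an added example, not code from any poster or from Cisco: the `digest` function is a stand-in keyed MD5 rather than the real EIGRP packet computation, and the `R2_*` variants and the hello payload are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

FOREVER = float("inf")

@dataclass
class Key:
    key_id: int
    key_string: str
    send_until: float = FOREVER    # no send-lifetime configured: always valid
    accept_until: float = FOREVER  # no accept-lifetime configured: always valid

def digest(key_string: str, payload: bytes) -> str:
    # Stand-in keyed MD5 for illustration; not the exact EIGRP wire computation.
    return hashlib.md5(key_string.encode().ljust(16, b"\0") + payload).hexdigest()

def send(chain, payload, now=0):
    """Sender signs with the lowest-numbered key whose send lifetime is valid."""
    valid = [k for k in chain if now <= k.send_until]
    if not valid:
        return None
    key = min(valid, key=lambda k: k.key_id)
    return key.key_id, digest(key.key_string, payload)

def accept(chain, packet, payload, now=0):
    """Receiver looks up the key number carried in the packet among its valid keys."""
    if packet is None:
        return False
    key_id, mac = packet
    for k in chain:
        if k.key_id == key_id and now <= k.accept_until:
            return hmac.compare_digest(mac, digest(k.key_string, payload))
    return False  # no valid key with that number: the packet is dropped

def adjacency(a, b, payload=b"constructed-hello", now=0):
    """Both directions must authenticate for the neighborship to form."""
    return (accept(b, send(a, payload, now), payload, now)
            and accept(a, send(b, payload, now), payload, now))

# Key chains from the original question (no lifetimes configured).
R1 = [Key(1, "test"), Key(2, "test2"), Key(3, "test3")]
R2 = [Key(1, "test2")]
R2_SAME_ID_AND_STRING = [Key(1, "test")]  # constructed: matches R1's sending key
R2_STRING_ONLY = [Key(2, "test2")]        # constructed: string is on R1, but as key 2

if __name__ == "__main__":
    print(adjacency(R1, R2), adjacency(R1, R2_SAME_ID_AND_STRING),
          adjacency(R1, R2_STRING_ONLY))
```

With `R2_STRING_ONLY`, R1 accepts R2's packets (it holds key 2) but R2 drops R1's, because R1 signs with key 1; the adjacency only forms once R1's key 1 stops being valid for sending.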
  • llllvllll Member Posts: 58
    You need to advertise networks first if you want the "neighbor" command to work.
    Example:
    R1

    router eigrp 10
    network 10.0.0.0 0.0.0.255
    neighbor 10.0.0.3 Serial1/1
    end
    If you have not given the network command, you will receive a DDB error, which means that the interface is receiving hello packets but EIGRP is not configured on that interface.

    So first you need to enable the EIGRP process on that interface, then you can apply the "neighbor" command.
    It will work. :D