2 EIGRP questions: static neighborship / authentication
aocferreira
Member Posts: 50
in CCNP
Hello guys,
I started a few days ago my CCNP journey and 2 things are somehow confusing me:
1) Regarding EIGRP authentication:
Router R1:
key chain r1
 key 1
  key-string test
 key 2
  key-string test2
 key 3
  key-string test3
Router R2:
key chain r2
 key 1
  key-string test2
No lifetimes are configured on the keys. Is this supposed to be working or not?
2) It seems that when configuring static neighbors, we don't need to advertize sub-nets with the network command. Nevertheless, with only neighbor <IP> <local interface> (on both routers), the EIGRP adjacency doesn't come up... Is there anything else needed for this to work?
Thanks.
BR,
André
Comments
-
Danielh22185 Member Posts: 1,195
To my knowledge if there is not a lifetime specified it will use the 1st listing. Are your keys configured exactly the same on both sides? Maybe a copy of your running configs will help us find an answer easier. It's a guessing game at this point.
Currently Studying: IE Stuff...kinda...for now...
My ultimate career goal: To climb to the top of the computer network industry food chain.
"Winning means you're willing to go longer, work harder, and give more than anyone else." - Vince Lombardi -
aocferreira Member Posts: 50
Hello,
The authentication is not working and I think it should not work.
According to documentation, for sending EIGRP messages, router uses md5 digest of lowest valid key number, while for received messages it uses all valid keys... so, in this case, we would have a mismatch between test and test2.
That is my interpretation, don't know if I'm correct or wrong. This is why it's not working?
And regarding question number 2? Any thoughts?
I did not save my testing scenarios, so I believe I can't upload my running configs.
Thanks for help,
André
-
elderkai Member Posts: 279
In the book I was reading, it said you didn't need to advertise the network to the EIGRP and just needed the static neighbor statement. However, it never worked when I tried it, but advertising the network AND statically assigning worked and displayed that the neighborship was indeed "STATIC". I'm not sure if the book was wrong or missed something, but that's how I got it working.
-
elderkai Member Posts: 279
aocferreira wrote: »
Hello,
The authentication is not working and I think it should not work.
According to documentation, for sending EIGRP messages, router uses md5 digest of lowest valid key number, while for received messages it uses all valid keys... so, in this case, we would have a mismatch between test and test2.
That is my interpretation, don't know if I'm correct or wrong. This is why it's not working?
And regarding question number 2? Any thoughts?
I did not save my testing scenarios, so I believe I can't upload my running configs.
Thanks for help,
André
EDIT: And when I say all valid keys, I mean keys that are in effect. There are different timers for both sending and receiving, but by default without doing that a key is gonna remain valid.
-
nerdydad Member Posts: 261
In the book I was reading, it said you didn't need to advertise the network to the EIGRP and just needed the static neighbor statement. However, it never worked when I tried it, but advertising the network AND statically assigning worked and displayed that the neighborship was indeed "STATIC". I'm not sure if the book was wrong or missed something, but that's how I got it working.
I believe the book you were reading is wrong, the interfaces will not participate in EIGRP if they are not specified in a network command.
-
phoeneous Member Posts: 2,333
aocferreira wrote: »
Is this supposed to be working or not?
No, the key number AND the key string need to match on both ends. The key chain name can be different though. Also don't forget there are two authentication commands at the interface config level, not global.
ip authentication mode eigrp <ASN> md5
ip authentication key-chain eigrp <ASN> <unique_key_chain_name>
-
SteveO86 Member Posts: 1,423
No, the key number AND the key string need to match on both ends. The key chain name can be different though. Also don't forget there are two authentication commands at the interface config level, not global.
ip authentication mode eigrp <ASN> md5
ip authentication key-chain eigrp <ASN> <unique_key_chain_name>
This is completely correct, if you do not specify EIGRP with the authentication settings it does not tie the authentication to EIGRP. If you forget to include the EIGRP keyword you just configured routing authentication for RIP. If I remember correctly EIGRP only supports MD5, not clear text authentication.
Since this is the CCNP Forum, once you get this working here's a little extra credit. Configure lifetimes on the keys, set the keychains to switch at a certain time
My Networking blog
Latest blog post: Let's review EIGRP Named Mode
Currently Studying: CCNP: Wireless - IUWMS
-
elderkai Member Posts: 279
The key string obviously needs to match, but neither the key number nor key chain have to match. You can try it out and verify.
-
aocferreira Member Posts: 50
Hello guys,
Thanks for the updates.
1) Regarding the static neighbors:
In the book I'm reading, it also says that we don't need to advertize the network... Anyway, the neighborship does not come up without the "network" command. The book is CCNP ROUTE 642-902 Official Certification Guide, by Wendell Odom.
"Also, note that the EIGRP configuration does not have to include a network command that matches the interface; EIGRP will still advertise about the subnet connected to the interface."
So, according to your comments, I believe this is wrong.
2) Authentication:
According to same book stated above, only key strings need to match. Key chains and key numbers do not have to be the same in both routers. Confusing though.
Thanks in advance.
Br,
André
-
phoeneous Member Posts: 2,333
aocferreira wrote: »
Hello guys,
Thanks for the updates.
1) Regarding the static neighbors:
In the book I'm reading, it also says that we don't need to advertize the network... Anyway, the neighborship does not come up without the "network" command. The book is CCNP ROUTE 642-902 Official Certification Guide, by Wendell Odom.
"Also, note that the EIGRP configuration does not have to include a network command that matches the interface; EIGRP will still advertise about the subnet connected to the interface."
So, according to your comments, I believe this is wrong.
2) Authentication:
According to same book stated above, only key strings need to match. Key chains and key numbers do not have to be the same in both routers. Confusing though.
Thanks in advance.
Br,
André
But that's just one sentence. What does the config look like? What else does it say on that page?
-
Jackace Member Posts: 335
I have the same book and I saw the same information. There are definitely some inconsistencies and it makes it easy to get confused as well. In order to get around these issues I have made sure I lab everything and read from multiple sources. It still makes me nervous about all those multiple choice questions on the actual exam, because some information says one thing and other information says another. I'm always left wondering what the correct answer is according to the exam.
-
elderkai Member Posts: 279
I thought I tested this before, but the OCG is also wrong in that you do have to have matching key numbers for the keys. Keychain still doesn't, though. Seems like an important thing to get right. ._.
-
aocferreira Member Posts: 50
Hello,
So, to summarize: regarding the authentication, key numbers and key strings do have to match. About the static neighbors, we still need to advertize the network. Correct?
Thanks for help!
Best regards,
AF
-
llllvllll Member Posts: 58
You need to advertise networks first if you want the "neighbor" command to work.
Ex:
R1
router eigrp 10
 network 10.0.0.0 0.0.0.255
 neighbor 10.0.0.3 serial 1/1
end
If you have not given the network command you will receive a DDB error, which means that the interface is receiving hello packets but EIGRP is not configured on that interface.
So first you need to enable the EIGRP process on that interface, then you can apply the "NEIGHBOR" command.
It will work.
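
The conclusions reached in this thread, combined into one lab configuration for both routers; this is an added example, not a config posted by any participant. The AS number, interface, addresses, dates and key strings are constructed lab values, and the lifetimes show the key switch-over suggested as extra credit above.

```cisco
! Constructed lab values: AS 10, Serial1/1, 10.0.0.0/24, dates, key strings.
! ---- R1 ----
key chain r1
 key 1
  key-string test2
  accept-lifetime 00:00:00 Jan 1 2025 00:00:00 Feb 8 2025
  send-lifetime 00:00:00 Jan 1 2025 00:00:00 Feb 1 2025
 key 2
  key-string test3
  accept-lifetime 00:00:00 Jan 25 2025 infinite
  send-lifetime 00:00:00 Feb 1 2025 infinite
!
interface Serial1/1
 ip address 10.0.0.1 255.255.255.0
 ip authentication mode eigrp 10 md5
 ip authentication key-chain eigrp 10 r1
!
router eigrp 10
 network 10.0.0.0 0.0.0.255
 neighbor 10.0.0.3 Serial1/1
!
! ---- R2 ---- (chain name differs; key numbers, strings, lifetimes match)
key chain r2
 key 1
  key-string test2
  accept-lifetime 00:00:00 Jan 1 2025 00:00:00 Feb 8 2025
  send-lifetime 00:00:00 Jan 1 2025 00:00:00 Feb 1 2025
 key 2
  key-string test3
  accept-lifetime 00:00:00 Jan 25 2025 infinite
  send-lifetime 00:00:00 Feb 1 2025 infinite
!
interface Serial1/1
 ip address 10.0.0.3 255.255.255.0
 ip authentication mode eigrp 10 md5
 ip authentication key-chain eigrp 10 r2
!
router eigrp 10
 network 10.0.0.0 0.0.0.255
 neighbor 10.0.0.1 Serial1/1
!
! Check from exec mode on either router:
!   show key chain
!   show ip eigrp neighbors detail
```

Lifetimes are evaluated against each router's own clock, so both routers need synchronized time for the send and accept windows to line up; the overlapping accept windows above tolerate a small amount of skew around the switch-over.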