Home > Articles > Implementing EIGRP

Implementing EIGRP

Chapter Description

Enhanced Interior Gateway Routing Protocol (EIGRP) is a Cisco routing protocol that is designed to address the shortcomings of both distance vector and link-state routing protocols. This chapter expands on the underlying technologies within EIGRP, including the path selection process, changes in topology, load balancing, authentication, and troubleshooting common problems.

Implementing EIGRP

EIGRP is an advanced distance vector routing protocol developed by Cisco. EIGRP is suited for many different topologies and media. In a well-designed network, EIGRP scales well and provides extremely quick convergence times with minimal overhead. EIGRP is a popular choice for a routing protocol on Cisco devices.

Introducing EIGRP

EIGRP is a Cisco-proprietary routing protocol that combines the advantages of link-state and distance vector routing protocols. EIGRP is an advanced distance vector or hybrid routing protocol that includes the following features:

  • Rapid convergence: EIGRP uses the Diffusing Update Algorithm (DUAL) to achieve rapid convergence. A router that uses EIGRP stores all available backup routes for destinations so that it can quickly adapt to alternate routes. If no appropriate route or backup route exists in the local routing table, EIGRP queries its neighbors to discover an alternate route.
  • Reduced bandwidth usage: EIGRP does not make periodic updates. Instead, it sends partial updates when the path or the metric changes for that route. When path information changes, DUAL sends an update about only that link rather than about the entire table.
  • Multiple network layer support: EIGRP supports AppleTalk, IP version 4 (IPv4), IP version 6 (IPv6), and Novell Internetwork Packet Exchange (IPX), which use protocol-dependent modules (PDM). PDMs are responsible for protocol requirements that are specific to the network layer.
  • Classless routing: Because EIGRP is a classless routing protocol, it advertises a routing mask for each destination network. The routing mask feature enables EIGRP to support discontiguous subnetworks and variable-length subnet masks (VLSM).
  • Less overhead: EIGRP uses multicast and unicast rather than broadcast. As a result, end stations are unaffected by routing updates and requests for topology information.
  • Load balancing: EIGRP supports unequal metric load balancing, which allows administrators to better distribute traffic flow in their networks.
  • Easy summarization: EIGRP enables administrators to create summary routes anywhere within the network rather than rely on the traditional distance vector approach of performing classful route summarization only at major network boundaries.

Each EIGRP router maintains a neighbor table. This table includes a list of directly connected EIGRP routers that have an adjacency with this router.

Each EIGRP router maintains a topology table for each routed protocol configuration. The topology table includes route entries for every destination that the router learns. EIGRP chooses the best routes to a destination from the topology table and places these routes in the routing table, as illustrated in Figure 5-1.

Figure 5-1

Figure 5-1 EIGRP Tables

In EIGRP, the best route is called a successor route while a backup route is called the feasible successor. To determine the best route (successor) and the backup route (feasible successor) to a destination, EIGRP uses the following two parameters:

  • Advertised distance: The EIGRP metric for an EIGRP neighbor to reach a particular network
  • Feasible distance: The advertised distance for a particular network learned from an EIGRP neighbor plus the EIGRP metric to reach that neighbor

A router compares all feasible distances to reach a specific network and then selects the lowest feasible distance and places it in the routing table. The feasible distance for the chosen route becomes the EIGRP routing metric to reach that network in the routing table.

The EIGRP topology database contains all the routes that are known to each EIGRP neighbor. Routers A and B send their routing tables to Router C, whose table is displayed in Figure 5-2. Both Routers A and B have pathways to network 10.1.1.0/24, as well as to other networks that are not shown.

Figure 5-2

Figure 5-2 Router C EIGRP Tables

Router C has two entries to reach 10.1.1.0/24 in its topology table. The EIGRP metric for Router C to reach both Routers A and B is 1000. Add this cost (1000) to the respective advertised distance for each router, and the results represent the feasible distances that Router C must travel to reach network 10.1.1.0/24.

Router C chooses the least-cost feasible distance (2000) and installs it in the IP routing table as the best route to reach 10.1.1.0/24. The route with the least-cost feasible distance that is installed in the routing table is called the successor route.

Router C then chooses a backup route to the successor called a feasible successor route, if one exists. For a route to become a feasible successor, a next-hop router must have an advertised distance that is less than the feasible distance of the current successor route.

If the route through the successor becomes invalid, possibly because of a topology change, or if a neighbor changes the metric, DUAL checks for feasible successors to the destination route. If one is found, DUAL uses it, avoiding the need to recompute the route. If no feasible successor exists, a recomputation must occur to determine the new successor.

Configuring and Verifying EIGRP

Use the router eigrp and network commands to create an EIGRP routing process. Note that EIGRP requires an autonomous system (AS) number. The AS number does not have to be registered as is the case when routing on the Internet with the Border Gateway Protocol (BGP) routing protocol. However, all routers within an AS must use the same AS number to exchange routing information with each other. Figure 5-3 shows the EIGRP configuration of a simple network.

Figure 5-3

Figure 5-3 EIGRP Configuration

The network command defines a major network number to which the router is directly connected. The EIGRP routing process looks for interfaces that have an IP address that belongs to the networks that are specified with the network command and begins the EIGRP process on these interfaces.

Table 5-1 applies to the EIGRP configurations on Router A in the EIGRP configuration example.

Table 5-1. EIGRP Command Example

Command

Description

router eigrp 100

Enables the EIGRP routing process for AS 100

network 172.16.0.0

Associates network 172.16.0.0 with the EIGRP routing process

network 10.0.0.0

Associates network 10.0.0.0 with the EIGRP routing process

EIGRP sends updates out of the interfaces in networks 10.0.0.0 and 172.16.0.0. The updates include information about networks 10.0.0.0 and 172.16.0.0 and any other networks that EIGRP learns.

EIGRP automatically summarizes routes at the classful boundary. In some cases, you might not want automatic summarization to occur. For example, if you have discontiguous networks, you need to disable automatic summarization to minimize router confusion. Figure 5-4 shows an example of how this summarization can cause advertisements for the 172.16.0.0 network to be sent from both Router A and Router B to Router C.

Figure 5-4

Figure 5-4 Autosummarization Causing Discontinuous Subnets

To disable automatic summarization, use the no auto-summary command in the EIGRP router configuration mode. When this command is used, both Router A and Router B will advertise the route specific to the subnet of a given interface, as shown in Figure 5-5.

Figure 5-5

Figure 5-5 Disabling Autosummarization Corrects Problem

After you enable EIGRP, various commands can be used to display information about how the protocol is operating. The show ip route eigrp command displays the current EIGRP entries in the routing table.

The show ip protocols command displays the parameters and current state of the active routing protocol process. This command shows the EIGRP AS number. It also displays filtering and redistribution numbers and neighbor and distance information. This also shows the networks that are currently being advertised on the router by the protocol.

Use the show ip eigrp interfaces [type number] [as-number] command to determine on which interfaces EIGRP is active, and to learn information about EIGRP that relates to those interfaces. If you specify an interface by using the type number option, only that interface is displayed. Otherwise, all interfaces on which EIGRP is running are displayed. If you specify an AS using the as-number option, only the routing process for the specified AS is displayed. Otherwise, all EIGRP processes are displayed. Example 5-1 shows the output of the show ip eigrp interfaces command.

Example 5-1. Determining Router Interface EIGRP Status/Information

RouterX# show ip eigrp interfaces
IP EIGRP interfaces for process 109

                   Xmit Queue    Mean   Pacing Time   Multicast    Pending
Interface  Peers   Un/Reliable   SRTT   Un/Reliable   Flow Timer   Routes
Di0        0       0/0           0      11/434        0            0
Et0        1       0/0           337    0/10          0            0
SE0:1.16   1       0/0           10     1/63          103          0
Tu0        1       0/0           330    0/16          0            0

Table 5-2 describes the significant fields generated by the show ip eigrp interfaces output.

Table 5-2. show ip eigrp interfaces Output

Field

Description

Interface

Interface over which EIGRP is configured

Peers

Number of directly connected EIGRP neighbors on the interface

Xmit Queue Un/Reliable

Number of packets remaining in the Unreliable and Reliable queues

Mean SRTT

Average smoothed round-trip time (SRTT) interval (in milliseconds) for all neighbors on the interface

Pacing Time Un/Reliable

Number of milliseconds to wait after transmitting unreliable and reliable packets

Multicast Flow Timer

Number of milliseconds to wait for acknowledgment of a multicast packet by all neighbors before transmitting the next multicast packet

Pending Routes

Number of routes in the packets in the transmit queue waiting to be sent

Use the show ip eigrp neighbors command to display the neighbors that were discovered by EIGRP and to determine when neighbors become active and inactive, as demonstrated in Example 5-2. This command is also useful for debugging certain types of transport problems.

Example 5-2. Displaying Discovered Active/Inactive EIGRP Neighbors

RouterX# show ip eigrp neighbors
IP-EIGRP Neighbors for process 77
Address         Interface     Holdtime        Uptime    Q      Seq   SRTT     RTO
                              (secs)          (h:m:s)   Count  Num   (ms)     (ms)
172.16.81.28    Ethernet1     13              0:00:41   0      11     4       20
172.16.80.28    Ethernet0     14              0:02:01   0      10     12      24
172.16.80.31    Ethernet0     12              0:02:02   0      4      5       20

Table 5-3 describes the significant fields for the show ip eigrp neighbors command.

Table 5-3. show ip eigrp neighbors Output

Field

Description

process 77

AS number that is specified with the router command.

Address

IP address of the EIGRP peer.

Interface

Interface on which the router is receiving hello packets from the peer.

Holdtime

Length of time (in seconds) that Cisco IOS Software waits to hear from the peer before declaring it down. If the peer is using the default hold time, this number is less than 15. If the peer configures a nondefault hold time, the nondefault hold time is displayed. The hold time would be less than 180 on a sub-T1 multipoint interface.

Uptime

Elapsed time (in hours:minutes:seconds) since the local router first heard from this neighbor.

Q Count

Number of EIGRP packets (update, query, and reply) that the software is waiting to send.

Seq Num

Sequence number of the last update, query, or reply packet that was received from this neighbor.

SRTT

Smooth round-trip time (SRTT). The number of milliseconds that is required for an EIGRP packet to be sent to this neighbor and for the local router to receive an acknowledgment of that packet.

RTO

Retransmission timeout (RTO) (in milliseconds). This is the amount of time the software waits before resending a packet from the retransmission queue to a neighbor.

The show ip eigrp topology command displays the EIGRP topology table, the active or passive state of routes, the number of successors, and the feasible distance to the destination, as demonstrated in Example 5-3.

Example 5-3. Displaying EIGRP Topology Information

RouterX# show ip eigrp topology
IP-EIGRP Topology Table for process 77
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - Reply status
P 172.16.90.0 255.255.255.0, 2 successors, FD is 46251776
          via 172.16.80.28 (46251776/46226176), Ethernet0
          via 172.16.81.28 (46251776/46226176), Ethernet1
          via 172.16.80.31 (46277376/46251776), Serial0
P 172.16.81.0 255.255.255.0, 2 successors, FD is 307200
          via Connected, Ethernet1
          via 172.16.81.28 (307200/281600), Ethernet1
          via 172.16.80.28 (307200/281600), Ethernet0
          via 172.16.80.31 (332800/307200), Serial0

Table 5-4 describes the significant fields for the show ip eigrp topology command output.

Table 5-4. show ip eigrp topology Output

Field

Description

Codes

The state of this topology table entry. Passive and Active refer to the EIGRP state with respect to this destination; Update, Query, and Reply refer to the type of packet that is being sent.

P - Passive

Indicates that no EIGRP computations are being performed for this destination.

A - Active

Indicates that EIGRP computations are being performed for this destination.

U - Update

Indicates that an update packet was sent to this destination.

Q - Query

Indicates that a query packet was sent to this destination.

R - Reply

Indicates that a reply packet was sent to this destination.

r - Reply status

A flag that is set after the software has sent a query and is waiting for a reply.

172.16.90.0

Destination IP network number.

255.255.255.0

Destination subnet mask.

successors

Number of successors. This number corresponds to the number of next hops in the IP routing table. If "successors" is capitalized, the route or next hop is in a transition state.

FD

Feasible distance. The feasible distance is the best metric to reach the destination or the best metric that was known when the route went active. This value is used in the feasibility condition check. If the reported distance of the router (the metric after the slash) is less than the feasible distance, the feasibility condition is met and that path is a feasible successor. After the software determines it has a feasible successor, it does not need to send a query for that destination.

replies

The number of replies that are still outstanding (have not been received) with respect to this destination. This information appears only when the destination is in active state.

state

The exact EIGRP state that this destination is in. It can be the number 0, 1, 2, or 3. This information appears only when the destination is in the active state.

via

The IP address of the peer that told the software about this destination. The first n of these entries, where n is the number of successors, are the current successors. The remaining entries on the list are feasible successors.

(46251776/46226176)

The first number is the EIGRP metric that represents the cost to the destination. The second number is the EIGRP metric that this peer advertised.

Ethernet0

The interface from which this information was learned.

Serial0

The interface from which this information was learned.

The show ip eigrp traffic command displays the number of packets sent and received, as demonstrated in Example 5-4.

Example 5-4. Displaying the Number of EIGRP Sent/Received Packets

RouterX# show ip eigrp traffic
IP-EIGRP Traffic Statistics for process 77
  Hellos sent/received: 218/205
  Updates sent/received: 7/23
  Queries sent/received: 2/0
  Replies sent/received: 0/2
  Acks sent/received: 21/14

Table 5-5 describes the fields that might be shown in the display.

Table 5-5. show ip eigrp traffic Output

Field

Description

process 77

The AS number that is specified in the router command

Hellos sent/received

The number of hello packets that were sent and received

Updates sent/received

The number of update packets that were sent and received

Queries sent/received

The number of query packets that were sent and received

Replies sent/received

The number of reply packets that were sent and received

Acks sent/received

The number of acknowledgment packets that were sent and received

The debug ip eigrp privileged EXEC command helps you analyze the EIGRP packets that an interface sends and receives, as demonstrated in Example 5-5. Because the debug ip eigrp command generates a substantial amount of output, use it only when traffic on the network is light.

Example 5-5. Analyzing Sent/Received EIGRP Packets

RouterX# debug ip eigrp
IP-EIGRP: Processing incoming UPDATE packet
IP-EIGRP: Ext 192.168.3.0 255.255.255.0 M 386560 - 256000 130560 SM 360960 –
256000 104960
IP-EIGRP: Ext 192.168.0.0 255.255.255.0 M 386560 - 256000 130560 SM 360960 –
256000 104960
IP-EIGRP: Ext 192.168.3.0 255.255.255.0 M 386560 - 256000 130560 SM 360960 –
256000 104960
IP-EIGRP: 172.69.43.0 255.255.255.0, - do advertise out Ethernet0/1
IP-EIGRP: Ext 172.69.43.0 255.255.255.0 metric 371200 - 256000 115200
IP-EIGRP: 192.135.246.0 255.255.255.0, - do advertise out Ethernet0/1
IP-EIGRP: Ext 192.135.246.0 255.255.255.0 metric 46310656 - 45714176 596480
IP-EIGRP: 172.69.40.0 255.255.255.0, - do advertise out Ethernet0/1
IP-EIGRP: Ext 172.69.40.0 255.255.255.0 metric 2272256 - 1657856 614400
IP-EIGRP: 192.135.245.0 255.255.255.0, - do advertise out Ethernet0/1
IP-EIGRP: Ext 192.135.245.0 255.255.255.0 metric 40622080 - 40000000 622080
IP-EIGRP: 192.135.244.0 255.255.255.0, - do advertise out Ethernet0/1

Table 5-6 describes the fields in the sample output from the debug ip eigrp command.

Table 5-6. debug ip eigrp Output

Field

Description

IP-EIGRP

Indicates that this is an IP EIGRP packet.

Ext

Indicates that the following address is an external destination rather than an internal destination, which would be labeled as Int.

do not advertise out

Indicates interfaces out which EIGRP will not advertise the given route. This configuration prevents routing loops (split horizon).

M

Displays the computed metric, which includes the sent metric (SM) and the cost between this router and the neighbor. The first number is the composite metric. The next two numbers are the inverse bandwidth and the delay, respectively.

SM

Displays the metric as reported by the neighbor.

Load Balancing with EIGRP

Typically, networks are configured with multiple paths to a remote network. When these paths are equal or nearly equal, it makes sense to utilize all the available paths. Unlike Layer 2 forwarding, Layer 3 forwarding has the capability to load-balance between multiple paths. That is, the router can send frames out multiple interfaces to reduce the amount of traffic sent to a single network connection. The key to this feature is that the network paths must be of equal cost (or nearly equal for some protocols like EIGRP). EIGRP uses a metric to compute the costs to a given network.

EIGRP Metric

The EIGRP metric can be based on several criteria, but EIGRP uses only two of these criteria by default:

  • Bandwidth: The smallest bandwidth between source and destination
  • Delay: The cumulative interface delay in microseconds along the path

The following criteria can be used but are not recommended because they typically result in frequent recalculation of the topology table:

  • Reliability: This value represents the worst reliability between the source and destination, based on keepalives.
  • Load: This value represents the worst load on a link between the source and destination, computed based on the packet rate and the configured bandwidth of the interface.

Load Balancing Across Equal Paths

Equal-cost load balancing is the capability of a router to distribute traffic over all its network ports that are the same metric from the destination address. Load balancing increases the use of network segments and increases effective network bandwidth.

For IP, Cisco IOS Software applies load balancing across up to four equal-cost paths by default. With the maximum-paths maximum-path router configuration command, up to 16 equal-cost routes can be kept in the routing table. If you set the maximum-path to 1, you disable load balancing. When a packet is process switched, load balancing over equal-cost paths occurs on a per-packet basis. When packets are fast switched, load balancing over equal-cost paths occurs on a per-destination basis.

Configuring Load Balancing Across Unequal-Cost Paths

EIGRP can also balance traffic across multiple routes that have different metrics, which is called unequal-cost load balancing. The degree to which EIGRP performs load balancing is controlled with the variance command.

The multiplier parameter for the variance command is a value from 1 to 128, used for load balancing. The default is 1, which indicates that only equal-cost load balancing is being performed. The multiplier defines the range of metric values that are accepted for load balancing by the EIGRP process.

Example: Variance

In Figure 5-6, a variance of 2 is configured, and the range of the metric values, which are the feasible distances for Router E to get to network 172.16.0.0, is 20 to 45. This range of values determines the feasibility of a potential route.

Figure 5-6

Figure 5-6 Variance Example

A route is feasible if the next router in the path is closer to the destination than to the current router and if the metric of the alternate path is within the variance. Load balancing can use only feasible paths, and the routing table includes only these paths. The two feasibility conditions are as follows:

  • The local best metric, which is the current feasible distance, must be greater than the best metric (the advertised distance) that is learned from the next router. In other words, the next router in the path must be closer to the destination than to the current router; this criterion prevents routing loops.
  • The metric of the alternate path must be less than the variance multiplied by the local best metric (the current feasible distance).

If both of these conditions are met, the route is determined to be feasible and can be added to the routing table.

In Figure 5-6, three paths to network 172.16.0.0 exist with the following metrics:

  • Path 1: 30 (through B)
  • Path 2: 20 (through C)
  • Path 3: 45 (through D)

By default, the router places only path 2 (through C) in the routing table because it is the least-cost path. To load-balance over paths 1 and 2, use a variance of 2 because 20 * 2 = 40, which is greater than the metric through path 1.

In Figure 5-6, Router E uses Router C as the successor because it has the lowest feasible distance (20). With the variance 2 command applied to Router E, the path through Router B meets the criteria for load balancing. In this case, the feasible distance through Router B is less than twice the feasible distance for the successor (Router C).

Router D is not considered for load balancing with this variance because the feasible distance through Router D is greater than twice the feasible distance for the successor (Router C). In the example, however, Router D would never be a feasible successor no matter what the variance is. This decision is because the advertised distance of Router D is 25, which is greater than the Router E feasible distance of 20; therefore, to avoid a potential routing loop, Router D is not considered a feasible successor.

EIGRP Authentication

You can configure EIGRP neighbor authentication, also known as neighbor router authentication or route authentication, such that routers can participate in routing based on predefined passwords. By default, no authentication is used for EIGRP packets. EIGRP can be configured to use Message Digest Algorithm 5 (MD5) authentication.

When you configure neighbor authentication on a router, the router authenticates the source of each routing update packet that it receives. For EIGRP MD5 authentication, you must configure an authenticating key and a key ID on both the sending and the receiving router. The key is sometimes referred to as a password.

The MD5 keyed digest in each EIGRP packet prevents the introduction of unauthorized or false routing messages from unapproved sources.

Each key has its own key ID, which the router stores locally. The combination of the key ID and the interface that is associated with the message uniquely identifies the MD5 authentication key in use.

EIGRP enables you to manage keys by using key chains. Each key definition within the key chain can specify a time interval for which that key is activated (its lifetime). Then, during the lifetime of a given key, routing update packets are sent with this activated key. Only one authentication packet is sent, regardless of how many valid keys exist. The software examines the key numbers in order from lowest to highest, and it uses the first valid key that it encounters.

Keys cannot be used during time periods for which they are not activated. Therefore, it is recommended that for a given key chain, key activation times overlap to avoid any period of time for which no key is activated. If a time exists during which no key is activated, neighbor authentication cannot occur, and therefore, routing updates fail.

Creating a Key Chain

Perform the following steps to create a key chain:

  • Step 1 Enter the key chain command to enter the configuration mode for the key chain. The value provided for the name-of-chain parameter for the key chain command indicates the name of the authentication key chain from which a key is to be obtained.
  • Step 2 Use the key command to identify a key ID to use, and enter configuration mode for that key. The value provided for the key-id parameter of the key command indicates the ID number of an authentication key on a key chain. The range of keys is from 0 to 2147483647. The key ID numbers need not be consecutive.
  • Step 3 Use the key-string command to identify the key string (password) for this key. The value provided for the text parameter of the key-string command indicates the authentication string that is to be used to authenticate sent and received EIGRP packets. The string can contain from 1 to 80 uppercase and lowercase alphanumeric characters. The first character cannot be a number, and the string is case sensitive.
  • Step 4 Optionally, use accept-lifetime to specify the time during which this key is accepted for use on received packets. If you do not enter an accept-lifetime command, the time is infinite. Table 5-7 describes the accept-lifetime command parameters.

    Table 5-7. accept-lifetime Parameters

    Parameter

    Description

    start-time

    Beginning time that the key that is specified by the key command is valid for use on received packets. The syntax can be either of the following:

    hh:mm:ss month date year

    hh:mm:ss date month year

    where

    hh: Hours

    mm: Minutes

    ss: Seconds

    month: First three letters of the name of the month

    date: Date (1–31)

    year: Year (four digits)

    The default start time. The earliest acceptable date is January 1, 1993.

    infinite

    The key is valid for use on received packets from the start-time value on, with no end time.

    end-time

    The key is valid for use on received packets from the start-time value until the end-time value. The syntax is the same as that for the start-time value. The end-time value must be after the start-time value. The default end time is infinite.

    seconds

    Length of time (in seconds) that the key is valid for use on received packets. The range is from 1 to 2147483646.

  • Step 5 Optionally, specify the time during which this key can be used for sending packets using the send-lifetime command. If you do not enter a send-lifetime command, the time is infinite. Table 5-8 describes the send-lifetime command parameters.

Table 5-8. send-lifetime Parameters

Parameter

Description

start-time

Beginning time that the key specified by the key command is valid to be used for sending packets. The syntax can be either of the following:

hh:mm:ss month date year

hh:mm:ss date month year

where

hh: Hours

mm: Minutes

ss: Seconds

month: First three letters of the name of the month

date: Date (1–31)

year: Year (four digits)

The default start time and the earliest acceptable date is January 1, 1993.

infinite

The key is valid to be used for sending packets from the start-time value on.

end-time

The key is valid to be used for sending packets from the start-time value until the end-time value. The syntax is the same as that for the start-time value. The end-time value must be after the start-time value. The default end time is infinite.

seconds

Length of time (in seconds) that the key is valid to be used for sending packets. The range is from 1 to 2147483646.

Configuring MD5 Authentication for EIGRP

To configure MD5 authentication for EIGRP, complete the following steps:

  • Step 1 Enter configuration mode for the interface on which you want to enable authentication.
  • Step 2 Use the ip authentication mode eigrp autonomous-system md5 command to specify that MD5 authentication is to be used for EIGRP packets. The value provided for the autonomous-system parameter of the ip authentication mode eigrp md5 command indicates the EIGRP AS number in which authentication is to be used.
  • Step 3 Use the ip authentication key-chain eigrp autonomous-system name-of-chain command to specify which key chain to use for the authentication of EIGRP packets. Table 5-9 describes the parameters for this command.

Table 5-9. ip authentication key-chain eigrp Parameters

Parameter

Description

autonomous-system

The EIGRP AS number in which authentication is to be used

name-of-chain

The name of the authentication key chain from which a key is to be obtained

Example: MD5 Authentication Configuration

Figure 5-7 shows an example network used for the configuration of EIGRP MD5 authentication for Router X in Example 5-6.

Figure 5-7

Figure 5-7 Network Topology for EIGRP MD5 Configuration Example

Example 5-6. Configuring EIGRP MD5 Authentication on Router X

RouterX
<output omitted>
key chain RouterXchain
 key 1
  key-string firstkey
  accept-lifetime 04:00:00 Jan 1 2006 infinite
  send-lifetime 04:00:00 Jan 1 2006 04:01:00 Jan 1 2006
 key 2
  key-string secondkey
  accept-lifetime 04:00:00 Jan 1 2006 infinite
  send-lifetime 04:00:00 Jan 1 2006 infinite
<output omitted>
!
interface Serial0/0/1
 bandwidth 64
 ip address 192.168.1.101 255.255.255.224
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 RouterXchain

MD5 authentication is configured on the Serial 0/0/1 interface with the ip authentication mode eigrp 100 md5 command. The ip authentication key-chain eigrp 100 RouterXchain command specifies that the key chain RouterXchain is to be used for EIGRP AS 100.

The key chain RouterXchain command enters configuration mode for the RouterXchain key chain. Two keys are defined. Key 1 is set to "first key" with the key-string firstkey command. This key is acceptable for use on packets that are received by Router X from 4:00 a.m. (0400) on January 1, 2006, onward, as specified in the accept-lifetime 04:00:00 Jan 1 2006 infinite command. However, the send-lifetime 04:00:00 Jan 1 2006 04:01:00 Jan 1 2006 command specifies that this key is valid for use only when packets are sent for one minute on January 1, 2006; afterward, it is no longer valid for use in sending packets.

Key 2 is set to "second key" with the key-string secondkey command. This key is acceptable for use on packets that are received by Router X from 4:00 a.m. (0400) on January 1, 2006, onward, as specified in the accept-lifetime 04:00:00 Jan 1 2006 infinite command. This key can also be used when packets are sent from 4:00 a.m. (0400) on January 1, 2006, onward, as specified in the send-lifetime 04:00:00 Jan 1 2006 infinite command.

Therefore, Router X accepts and attempts to verify the MD5 digest of any EIGRP packets with a key ID equal to 1. Router X will also accept a packet with a key ID equal to 2. All other MD5 packets are dropped. Router X sends all EIGRP packets using key 2 because key 1 is no longer valid for use in sending packets.

Example 5-7 shows the configuration of EIGRP MD5 authentication for Router Y in Figure 5-7.

Example 5-7. Configuring EIGRP MD5 Authentication on Router Y

RouterY
<output omitted>
key chain RouterYchain
 key 1
  key-string firstkey
  accept-lifetime 04:00:00 Jan 1 2006 infinite
  send-lifetime 04:00:00 Jan 1 2006 infinite
 key 2
  key-string secondkey
  accept-lifetime 04:00:00 Jan 1 2006 infinite
  send-lifetime 04:00:00 Jan 1 2006 infinite
<output omitted>
!
interface Serial0/0/1
 bandwidth 64
 ip address 192.168.1.102 255.255.255.224
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 RouterYchain

MD5 authentication is configured on the Serial 0/0/1 interface with the ip authentication mode eigrp 100 md5 command. The ip authentication key-chain eigrp 100 RouterYchain command specifies that the key chain RouterYchain is to be used for EIGRP AS 100.

The key chain RouterYchain command enters configuration mode for the RouterYchain key chain. Two keys are defined. Key 1 is set to "first key" with the key-string firstkey command. This key is acceptable for use on packets that are received by Router Y from 4:00 a.m. (0400) on January 1, 2006, onward, as specified in the accept-lifetime 04:00:00 Jan 1 2006 infinite command. This key can also be used when packets are sent from 4:00 a.m. (0400) on January 1, 2006, onward, as specified in the send-lifetime 04:00:00 Jan 1 2006 infinite command.

Key 2 is set to "second key" with the key-string secondkey command. This key is acceptable for use on packets that are received by Router Y from 4:00 a.m. (0400) on January 1, 2006, onward, as specified in the accept-lifetime 04:00:00 Jan 1 2006 infinite command. This key can also be used when packets are sent from 4:00 a.m. (0400) on January 1, 2006, onward, as specified in the send-lifetime 04:00:00 Jan 1 2006 infinite command.

Therefore, Router Y accepts and attempts to verify the MD5 digest of any EIGRP packets with a key ID equal to 1 or 2. Router Y uses key 1 to send all EIGRP packets because it is the first valid key in the key chain.

Verifying MD5 Authentication

Example 5-8 shows the output of the show ip eigrp neighbors and show ip route commands on Router X.

Example 5-8. Verifying EIGRP MD5 Authentication on Router X

RouterX# show ip eigrp neighbors
IP-EIGRP neighbors for process 100
H   Address                 Interface       Hold Uptime   SRTT  RTO  Q  Seq
                                            (sec)         (ms)      Cnt Num
0   192.168.1.102           Se0/0/1           12 00:03:10   17 2280  0  14

RouterX# show ip route
<output omitted>
Gateway of last resort is not set
D    172.17.0.0/16 [90/40514560] via 192.168.1.102, 00:02:22, Serial0/0/1
     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
D       172.16.0.0/16 is a summary, 00:31:31, Null0
C       172.16.1.0/24 is directly connected, FastEthernet0/0
     192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.1.96/27 is directly connected, Serial0/0/1
D       192.168.1.0/24 is a summary, 00:31:31, Null0

RouterX# ping 172.17.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/16 ms

The fact that the neighbor table shows the IP address of Router Y indicates that the two routers have successfully formed an EIGRP adjacency. The routing table verifies that the 172.17.0.0 network has been learned through EIGRP over the serial connection. Therefore, the MD5 authentication for EIGRP must have been successful between Router X and Router Y.

The results of a ping to the Router Y FastEthernet interface address are also displayed to illustrate that the link is working.

Summary of Implementing EIGRP

The following summarizes the key points that were discussed in the previous sections:

  • EIGRP is a classless, advanced distance vector routing protocol that runs the DUAL algorithm.
  • EIGRP requires you to configure an autonomous system number that must match on all routers to exchange routes.
  • EIGRP is capable of load balancing across unequal-cost paths.
  • EIGRP supports MD5 authentication to protect against unauthorized, rogue routers entering your network.
3. Troubleshooting EIGRP | Next Section Previous Section

Cisco Press Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Cisco Press and its family of brands. I can unsubscribe at any time.

Overview

Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Cisco Press products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@ciscopress.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security

Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children

This site is not directed to children under the age of 13.

Marketing

Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out

Users can always make an informed choice as to whether they should proceed with certain services offered by Cisco Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.ciscopress.com/u.aspx.

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links

This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020