EIGRP configuration verification and authentication
 


router eigrp enables EIGRP and puts the user in EIGRP configuration mode, in which one or more network commands are configured.  For each interface matched by a network command, EIGRP tries to discover neighbors on that interface, and EIGRP advertises the subnet connected to the interface.

Main configuration tasks:

Step 1: Enter EIGRP configuration mode, and define the EIGRP ASN by using the router eigrp as-number global command.

Step 2: Configure one or more network ip-address [wildcard-mask] router subcommands.  This enables EIGRP on any matched interface and causes EIGRP to advertise the connected subnet.

Step 3: (Optional) Change the interface Hello and hold timers using the ip hello-interval eigrp asn time and ip hold-time eigrp asn time interface subcommands.

Step 4: (Optional) Impact metric calculations by tuning bandwidth and delay using the bandwidth value and delay value interface subcommands.

Step 5: (Optional) Configure EIGRP authentication.

Step 6: (Optional) Configure support for multiple equal-cost routes using the maximum-paths number and variance multiplier router subcommands.

Basic EIGRP Configuration

For EIGRP configuration, all three routers must use the same AS number in the router eigrp command.  The actual number used doesn’t matter so long as it is the same on all routers in the EIGRP group.  The numbers are 1-65,535.

show ip route/show ip route eigrp both list the EIGRP-learned routes with a “D” beside them.  “D” signifies EIGRP.  E was already being used for Exterior Gateway Protocol (EGP) when Cisco created EIGRP.

You can see information about EIGRP neighbors with the show ip eigrp neighbors command and information about the number of active neighbors/peers with the show ip eigrp interfaces command.  show ip eigrp neighbors shows a “Q Cnt” (Queue Count) column, listing either the number of packets waiting to be sent to a neighbor or packets that have been sent but for which no acknowledgement has been received.  show ip eigrp interfaces lists similar information in the “Xmit Queue Un/Reliable” column, which separates statistics for EIGRP messages that are sent with RTP (reliable) or without it (unreliable).

EIGRP allocates its RID just like OSPF – based on the configured value, or the highest IP address of an up/up loopback interface, or the highest IP address of a nonloopback interface, in that order.  The only difference compared to OSPF is that the EIGRP RID is configured with the eigrp router-id value router subcommand.

The EIGRP network command can be configured without a wildcard mask.  Without a wildcard mask, the network command use use a classful network as the lone parameter, and all interfaces in the classful network are matched.

EIGRP Metrics, Successors, and Feasible Successors

An EIGRP successor route is a route that has the best metric for reaching a subnet, and a Feasible Successor (FS) route is a route that could be used if the successor route failed.

Convergence Using the Feasible Successor Routes

To see EIGRP convergence in action, you could use debug eigrp fsm.

 

EIGRP Authentication

EIGRP supports only MD5 authentication.  Steps involved:

Step 1: Create an (authentication) key chain:

a. Create the chain and give it a name with the key chain name global command (this also puts the user into key chain config mode).

b. Create one or more key numbers using the key number command in the key chain configuration mode.

c. Define the authentication key’s value using the key-string value command in key configuration mode.

d. (Optional) Define the lifetime (time period) for both sending and accepting this particular key.

Step 2: Enable EIGRP MD5 authentication on an interface, for a particular EIGRP ASN, using the ip authentication mode eigrp asn md5 interface subcommand.

Step 3: Refer to the correct key chain to be used on an interface using the ip authentication key-chain eigrp asn name-of-chain interface subcommand.

IOS configures the key values separately, then requires an interface subcommand to refer to the key values.  To support the ability to have multiple keys, and even multiple sets of keys, the configuration includes the concept of a key chain and multiple keys on each key chain.

IOS lets you configure multiple key chains so that different key chains can be used on different interfaces.  Each key chain can include multiple keys.  Having multiple keys in one key chain allows neighbors to still be up and working while the keys are being changed.  Changing keys enhances security.

EIGRP authentication lifetime of a key can be configured as well.  If this isn’t configured, the key is valid forever.  However, if it is configured, the router uses the key only during the listed times.

To support the useful lifetime concept, a router must know the time and date.  Routers can set the time and date with the clock set EXEC command.  Routers can also use Network Time Protocol (NTP), a protocol that allows routers to synchronize their time-of-day clocks.

For authentication to work, neighboring routers must both have EIGRP MD5 authentication enabled, and the key strings they currently use must match.  Note that the key chain name does not need to match.  The most common problems relate to when the useful lifetime settings do not match, or one of the router’s clocks has the wrong time.  NTP should be enabled and used before restricting keys to a particular time frame.

To verify that the authentication worked, use the show ip eigrp neighbors command.  If the authentication fails, the neighbor relationship will not form.  You can see more details about the authentication process using the debug eigrp packets command.