As part of my ongoing studies I’ve been looking at running EIGRP over a hybrid Frame-Relay network. This is mainly an exercise in switching off split horizon – and a very long-winded way of getting there. Whilst doing the EIGRP authentication part an interesting point came up, whereby it became apparent that having two matching key-chains was not good enough. The key numbers also have to match! So to start with we need to set up the key chain:
key chain EIGRP_KEY
 key 1
  key-string sup3r_s3cr3t
Then I set up EIGRP on the router (nothing complicated):
router eigrp 20
 network 10.10.10.1 0.0.0.0
 network 10.11.0.1 0.0.0.0
 network 192.168.1.0
 no auto-summary
Now I add the two lines of config to the s1/0.2 interface: the first tells the interface to use MD5 with EIGRP, and the second specifies the key chain.
interface Serial1/0.2 multipoint
 ip address 10.10.10.1 255.255.255.0
 ip authentication mode eigrp 20 md5
 ip authentication key-chain eigrp 20 EIGRP_KEY
 no ip split-horizon eigrp 20
 snmp trap link-status
 frame-relay map ip 10.10.10.3 104 broadcast
 frame-relay map ip 10.10.10.4 105 broadcast
When I add the authentication configuration into the serial interface, the neighbourship is immediately trashed! Note the date on the GNS3 servers never got set – oops!
*Mar 1 02:01:51.175: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 20: Neighbor 10.10.10.3 (Serial1/0.2) is down: authentication mode changed
*Mar 1 02:01:51.175: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 20: Neighbor 10.10.10.4 (Serial1/0.2) is down: authentication mode changed
Now the interesting bit…(!)
On router 4 (10.10.10.4, which you can see from the logs above fell off the air when authentication went on) I check the neighbours:
R4#sh ip eigrp neighbors
IP-EIGRP neighbors for process 20
So no neighbours there. Now I add the config with a different key-chain name, but the same key-string and the same key number:
key chain MY_CHAIN
 key 1
  key-string sup3r_s3cr3t
interface Serial1/0
 ip address 10.10.10.4 255.255.255.0
 ip authentication mode eigrp 20 md5
 ip authentication key-chain eigrp 20 MY_CHAIN
 encapsulation frame-relay
 serial restart-delay 0
 frame-relay map ip 10.10.10.1 501 broadcast
 frame-relay map ip 10.10.10.3 501 broadcast
 no frame-relay inverse-arp
And up it comes:
*Mar 1 02:13:29.083: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 20: Neighbor 10.10.10.1 (Serial1/0) is up: new adjacency
Now I do R3, another neighbour router, using the same key-chain name and the same secret but a different key number:
key chain EIGRP_KEY
 key 2
  key-string sup3r_s3cr3t
interface Serial1/0
 ip address 10.10.10.3 255.255.255.0
 ip authentication mode eigrp 20 md5
 ip authentication key-chain eigrp 20 EIGRP_KEY
 encapsulation frame-relay
 serial restart-delay 0
 no arp frame-relay
 frame-relay map ip 10.10.10.1 401 broadcast
 frame-relay map ip 10.10.10.4 401 broadcast
 no frame-relay inverse-arp
Not a murmur! Now I’ll change the key number as follows:
key chain EIGRP_KEY
 key 1
  key-string sup3r_s3cr3t
It took a moment, but:
*Mar 1 02:21:40.975: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 20: Neighbor 10.10.10.1 (Serial1/0) is up: new adjacency
Just for completeness, here is R3 showing its EIGRP neighbours.
R3#sh ip eigrp neighbors
IP-EIGRP neighbors for process 20
H   Address         Interface   Hold Uptime    SRTT   RTO  Q   Seq
                                (sec)          (ms)        Cnt Num
0   10.10.10.1      Se1/0        139 00:03:23    12   200  0   39
So the lesson is: match the key number and the key-string, but don’t worry about the key-chain name.
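To make the behaviour above concrete, here is an added Python model (not IOS code, and not the real EIGRP TLV layout or padding) of why the key number matters: the sender tags each hello with the key id it signed with, and the receiver looks that id up in its own chain before recomputing the MD5. The chain names, hello bytes and digest construction are assumptions for the model; only the lookup-by-id behaviour is the point.

```python
import hashlib

# Simplified model (added example): a key chain is a mapping key-id -> key-string.
# The chain *name* never goes on the wire, only the key id and the digest do.

def eigrp_digest(hello: bytes, key_string: str) -> bytes:
    # Model only: MD5 over the hello body followed by the key-string.
    # The real TLV zeroes the digest field and pads the key; omitted here.
    return hashlib.md5(hello + key_string.encode()).digest()

def sign_hello(hello: bytes, chain: dict, key_id: int) -> dict:
    """Sender side: sign with the chosen key id from its local chain."""
    return {"key_id": key_id, "digest": eigrp_digest(hello, chain[key_id])}

def verify_hello(hello: bytes, auth: dict, chain: dict) -> str:
    """Receiver side: look up the sender's key id in OUR chain, then compare.
    Returns a reason string so the failure mode is visible, not just True/False."""
    key_string = chain.get(auth["key_id"])
    if key_string is None:
        return "no key with id %d in local chain" % auth["key_id"]
    if eigrp_digest(hello, key_string) != auth["digest"]:
        return "key %d present but key-string differs" % auth["key_id"]
    return "ok"

# Constructed chains mirroring the post's routers (names are for the reader only).
R1_EIGRP_KEY = {1: "sup3r_s3cr3t"}
R4_MY_CHAIN = {1: "sup3r_s3cr3t"}   # different chain name, same id and string
R3_KEY2 = {2: "sup3r_s3cr3t"}       # same chain name, same string, key 2
R3_FIXED = {1: "sup3r_s3cr3t"}      # after changing the key number to 1

HELLO = b"EIGRP hello AS20 (constructed sample payload)"

def check_neighbour(sender_chain: dict, sender_key_id: int, receiver_chain: dict) -> str:
    """Simulate one hello from sender to receiver and report the auth outcome."""
    auth = sign_hello(HELLO, sender_chain, sender_key_id)
    return verify_hello(HELLO, auth, receiver_chain)

if __name__ == "__main__":
    print("R4 -> R1:", check_neighbour(R4_MY_CHAIN, 1, R1_EIGRP_KEY))  # ok
    print("R3 -> R1:", check_neighbour(R3_KEY2, 2, R1_EIGRP_KEY))      # no key with id 2
    print("R3 fixed:", check_neighbour(R3_FIXED, 1, R1_EIGRP_KEY))     # ok
```

The same lookup is why a key-string typo under the right key id fails differently from a wrong key id: the first is a digest mismatch, the second is a key the receiver cannot even find.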