EIGRP Authentication on Frame Relay (just for recreation!)

As part of my ongoing studies I’ve been looking at running EIGRP over a hybrid Frame-Relay network. This is mainly an exercise in switching off split horizon – and a very long winded way of getting there. Whilst doing the EIGRP authentication part an interesting point came up up where by it became apparent that having 2 matching key-chains was not good enough. The key numbers also have to match! So to start with we need to set up the key chain:

key chain EIGRP_KEY
 key 1
   key-string sup3r_s3cr3t

Then I set up the EIGRP on the router (nothing complicated):

router eigrp 20
 network 10.10.10.1 0.0.0.0
 network 10.11.0.1 0.0.0.0
 network 192.168.1.0
 no auto-summary

Now I add the 2 lines of config to the s1/0.2 interface to first tell the interface to use MD5 with EIGRP and the second line to specify the key chain.

interface Serial1/0.2 multipoint
 ip address 10.10.10.1 255.255.255.0
 ip authentication mode eigrp 20 md5
 ip authentication key-chain eigrp 20 EIGRP_KEY
 no ip split-horizon eigrp 20
 snmp trap link-status
 frame-relay map ip 10.10.10.3 104 broadcast
 frame-relay map ip 10.10.10.4 105 broadcast

When I add the authentication configuration into the serial interface, the neighbourship is immediately trashed! Note the date on the GNS3 servers never got set – oops!

*Mar  1 02:01:51.175: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 20: Neighbor 10.10.10.3 (Serial1/0.2) is down: authentication mode changed
*Mar  1 02:01:51.175: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 20: Neighbor 10.10.10.4 (Serial1/0.2) is down: authentication mode changed

Now the interesting bit…(!)

On router 4 (which is in 10.10.10.4 which you can see from the logs above fell off the air when the authentication went on) I test to see the neighbours:

R4#sh ip eigrp neighbors 
IP-EIGRP neighbors for process 20

So no neighbours there. Now i add the config with a different keychain name, but the same key-string and same key number:

key chain MY_CHAIN
 key 1
   key-string sup3r_s3cr3t

interface Serial1/0
 ip address 10.10.10.4 255.255.255.0
 ip authentication mode eigrp 20 md5
 ip authentication key-chain eigrp 20 MY_CHAIN
 encapsulation frame-relay
 serial restart-delay 0
 frame-relay map ip 10.10.10.1 501 broadcast
 frame-relay map ip 10.10.10.3 501 broadcast
 no frame-relay inverse-arp

And up it comes:

*Mar  1 02:13:29.083: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 20: Neighbor 10.10.10.1 (Serial1/0) is up: new adjacency

Now I do R3 which is another neighbour router but use the same keychain name, same secret but a different key number:

key chain EIGRP_KEY
 key 2
   key-string sup3r_s3cr3t

interface Serial1/0
 ip address 10.10.10.3 255.255.255.0
 ip authentication mode eigrp 20 md5
 ip authentication key-chain eigrp 20 EIGRP_KEY
 encapsulation frame-relay
 serial restart-delay 0
 no arp frame-relay
 frame-relay map ip 10.10.10.1 401 broadcast
 frame-relay map ip 10.10.10.4 401 broadcast
 no frame-relay inverse-arp

Not a murmor! Now I’ll change the key number as follows:

key chain EIGRP_KEY
 key 1
   key-string sup3r_s3cr3t

It took a moment, but:

*Mar  1 02:21:40.975: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 20: Neighbor 10.10.10.1 (Serial1/0) is up: new adjacency

Just for completeness, here is R3 showing its EIGRP neighbours.

R3#sh ip eigrp neighbors 
IP-EIGRP neighbors for process 20
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   10.10.10.1              Se1/0            139 00:03:23   12   200  0  39

So the lesson is, match the key number and the key string but don’t worry about the key-chain name.

This entry was posted in Cisco and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *