EIGRP Classic vs Named Authentication


         I am writing this to check my logic and to ensure that I have everything straight in my mind. I have just wrote up a little review on EIGRP authentication. Please give me feedback so that I can fill any gaps in my knowledge.



EIGRP CLASSIC vs. NAMED (Authentication and Converting)


The Basic behavior of EIGRP

            EIGRP uses Diffusing Update Algorithm (DUAL) to calculate and provide “loop-free” paths throughout the network allowing multiple routes to sync at the same time. Before any route in EIGRP can be added to the routing table it must meet the feasibility condition. The feasibility condition basically demands that the reported distance of a route must be less than the feasible distance before it is considered a loop-free path. The best path to a destination is installed into the routing table and selected as the next hop is called the successor, while the next best route that meets the feasibility condition is then installed as a feasible successor. The feasible successor makes it possible for EIGRP to recover from losing the successor quicker and without having to converge.

            EIGRP is a distance vector routing protocol that just advertises what it is directly connected to, this is sometimes referred to as “routing by rumor”. The benefit of this is that the network topology can be more forgiving than that of the link state routing protocols, making it possible to summarize at desire of the administrator and not on an area border router as in OSPF.  


EIGRP Packets

  Hello/Ack-   Has to be sent by both routers to establish and keep a neighbor adjacent with each other. They are sent to multicast address in IPv4 and FF02::A in IPv6.

  Update- Once an adjacency has been created the routers send each other update packets. These are used to send the full table of known routes to the newly formed neighbor. These packets are also sent multicast.

Query-   This packet is used to ask routers for a path for a destination, it also triggers all routers to converge. The response does not have to contain the exact same response of the request. This is where summarization can come in handy to limit the range of the query domain; this is also referred to as query scoping. Query scoping will help to prevent stuck in active in EIGRP domains that have grown to large.


 Reply- Sent as a response to a query.

Metrics Classic and Wide

   While there is a complex formula for both metrics all that needs to be remembered in this is that the classic metric is 32 bits with a multiplier of 256 only using the bandwidth and the delay ( in milliseconds) by default. The wide metric has changed a few things from the classic first it has two scales that it uses as multipliers. When calculating the metric it multiplies by the wide scale which is 65536; this turns the metric into 64 bits. This large of a metric can make EIGRP more granular when picking the best routes. Once it has established the best route it will then divide it by the RIB-Scale before inserting it   into the RIB.


Authentication in Classic EIGRP

   Classic EIGRP only supports clear text and MD5 authentication using key chains that are applied to the interfaces. The configurations are bulky and counter intuitive. (Note: the key string does count blank spaces as charters)

Example –



Key Chain TEST

Key 1

 Key-string CISCO

 Accept-life   00:05:00 Jan 1 2015 00:15:00 Jan 2 2016

Send-life   00:05:00 Jan 1 2015 00:15:00 Jan 2 2016

Key 2

Key-string CCIE

 Accept-life   00:05:00 Jan 1 2016 infinite

Send-life   00:05:00 Jan 1 2015 infinite                       


Interface f0/0

IP authentication mode eigrp 100 MD5/TEXT

IP authentication key-chain eigrp 100 TEST


As you can see you need to have a little overlap time when you are configuring multiple keys to ensure that there is no re-convergence needed in the network. In addition to this it is a good idea to use network time protocol (NTP) to sync times on the neighbors.

 Authentication in Named EIGRP

          Named EIGRP can support MD5 clear text and SHA-256 authentication. MD5 and clear text are both use key chains, while SHA-256 is done completely inside of the EIGRP process.      

Example –



Key Chain TEST

Key 1

 Key-string CISCO

 Accept-life   00:05:00 Jan 1 2015 infinite  

Send-life   00:05:00 Jan 1 2015  infinite



address-family IPv4 unicast autonomous-system 100

af-interface f0/0

authentication mode MD5

authentication key-chain TEST


Af-interface default

Authentication mode hmac-sha-256 CCIE


 As you can see the configurations for authentication in EIGRP named mode are much simpler and more logical. What happened in this example is that we tide the key chain with MD5 to interface f0/0 while we set all of the other interfaces to use SHA by default. The MD5 is backwards compatible with classic EIGRP. (Note: in named mode you cannot apply the authentication through the interface its self.)


Classic to named Upgrade

   You can upgrade classic EIGRP to named mode without flapping neighbor adjacencies through the use of the “eigrp upgrade-cli” command. You have to implement this per autonomous system number.


Router eigrp 100


Eigrp upgrade-cli TEST



Sign In or Register to comment.