EIGRP Classic vs Named Authentication


I am writing this to check my logic and to ensure that I have everything straight in my mind. I have just written up a little review. Please give me feedback so that I can fill any gaps in my knowledge.




EIGRP CLASSIC vs. NAMED (Authentication and Converting) 


The Basic behavior of EIGRP 


EIGRP uses the Diffusing Update Algorithm (DUAL) to calculate and provide “loop-free” paths throughout the network, allowing multiple routes to sync at the same time. Before any route in EIGRP can be added to the routing table it must meet the feasibility condition. The feasibility condition basically demands that the reported distance of a route must be less than the feasible distance before it is considered a loop-free path. The best path to a destination, which is installed into the routing table and selected as the next hop, is called the successor, while the next best route that meets the feasibility condition is then installed as a feasible successor. The feasible successor makes it possible for EIGRP to recover from losing the successor more quickly and without having to converge.


EIGRP is a distance vector routing protocol that just advertises what it is directly connected to; this is sometimes referred to as “routing by rumor”. The benefit of this is that the network topology can be more forgiving than that of the link state routing protocols, making it possible to summarize at the desire of the administrator and not on an area border router as in




EIGRP Packets


Hello/Ack - Has to be sent by both routers to establish and keep a neighbor adjacent with each other. They are sent to multicast address in IPv4 and FF02::A in IPv6.

Update - Once an adjacency has been created the routers send each other update packets. These are used to send the full table of known routes to the newly formed neighbor. These packets are also sent multicast.

Query - This packet is used to ask routers for a path for a destination; it also triggers all routers to converge. The response does not have to contain the exact same response of the request. This is where summarization can come in handy to limit the range of the query domain; this is also referred to as query scoping. Query scoping will help to prevent stuck-in-active in EIGRP domains that have grown too large.

Reply - Sent as a response to a query.


Metrics Classic and Wide


While there is a complex formula for both metrics, all that needs to be remembered in this is that the classic metric is 32 bits with a multiplier of 256, only using the bandwidth and the delay (in milliseconds) by default. The wide metric has changed a few things from the classic: first, it has two scales that it uses as multipliers. When calculating the metric it multiplies by the wide scale, which is 65536; this turns the metric into 64 bits. This large of a metric can make EIGRP more granular when picking the best routes. Once it has established the best route it will then divide it by the RIB-Scale before inserting it into the RIB.


Authentication in Classic EIGRP


Classic EIGRP only supports clear text and MD5 authentication using key chains that are applied to the interfaces. The configurations are bulky and counterintuitive. (Note: the key string does count blank spaces as characters.)


Example –

key chain TEST
 key 1
  key-string CISCO
  accept-lifetime 00:05:00 Jan 1 2015 00:15:00 Jan 2 2016
  send-lifetime 00:05:00 Jan 1 2015 00:15:00 Jan 2 2016
 key 2
  key-string CCIE
  accept-lifetime 00:05:00 Jan 1 2016 infinite
  send-lifetime 00:05:00 Jan 1 2015 infinite

interface f0/0
 ip authentication mode eigrp 100 MD5/TEXT
 ip authentication key-chain eigrp 100 TEST




As you can see, you need to have a little overlap time when you are configuring multiple keys to ensure that there is no re-convergence needed in the network. In addition to this, it is a good idea to use Network Time Protocol (NTP) to sync times on the neighbors.


Authentication in Named EIGRP


Named EIGRP can support MD5, clear text and SHA-256 authentication. MD5 and clear text both use key chains, while SHA-256 is done completely inside of the EIGRP process.


Example –

key chain TEST
 key 1
  key-string CISCO
  accept-lifetime 00:05:00 Jan 1 2015 infinite
  send-lifetime 00:05:00 Jan 1 2015 infinite

address-family ipv4 unicast autonomous-system 100
 af-interface f0/0
  authentication mode md5
  authentication key-chain TEST
 af-interface default
  authentication mode hmac-sha-256 CCIE




As you can see, the configurations for authentication in EIGRP named mode are much simpler and more logical. What happened in this example is that we tied the key chain with MD5 to interface f0/0 while we set all of the other interfaces to use SHA by default. The MD5 is backwards compatible with classic EIGRP. (Note: in named mode you cannot apply the authentication through the interface itself.)


Classic to named Upgrade 


You can upgrade classic EIGRP to named mode without flapping neighbor adjacencies through the use of the “eigrp upgrade-cli” command. You have to implement this per autonomous system number.




router eigrp 100
 eigrp upgrade-cli TEST


  • SHA will be the stronger authentication, though neither will encrypt the payload, only the authentication information. Either way it is a security feature that will prevent injection of routes from an outside source.
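The point above about key overlap and NTP can be checked offline before a rollover. The following is an added example, not part of the original post: it parses a key chain (constructed sample mirroring the post's key chain TEST) and reports instants where the key one router sends is not accepted by a neighbor whose clock is skewed. The function names are hypothetical, and it assumes the sender uses the lowest-numbered key whose send-lifetime is active.

```python
import re
from datetime import datetime, timedelta
# Constructed sample: the post's key chain TEST, written with full IOS keywords.
CONFIG = """\
key chain TEST
 key 1
  key-string CISCO
  accept-lifetime 00:05:00 Jan 1 2015 00:15:00 Jan 2 2016
  send-lifetime 00:05:00 Jan 1 2015 00:15:00 Jan 2 2016
 key 2
  key-string CCIE
  accept-lifetime 00:05:00 Jan 1 2016 infinite
  send-lifetime 00:05:00 Jan 1 2015 infinite
"""
FMT, STAMP = "%H:%M:%S %b %d %Y", r"\S+ \S+ \d+ \d+"
LIFE = re.compile(rf"(accept|send)-lifetime ({STAMP}) (infinite|{STAMP})")

def parse_keys(text):
    """Return {key_id: {"accept": (start, end), "send": (start, end)}}."""
    keys, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"key (\d+)", line):
            cur = keys.setdefault(int(m.group(1)), {})
        elif cur is not None and (m := LIFE.fullmatch(line)):
            end = m.group(3)
            end = datetime.max if end == "infinite" else datetime.strptime(end, FMT)
            cur[m.group(1)] = (datetime.strptime(m.group(2), FMT), end)
    return keys

def active(keys, kind, when):
    """Sorted key ids whose accept/send lifetime covers `when`."""
    return sorted(k for k, v in keys.items() if kind in v and v[kind][0] <= when <= v[kind][1])

def rollover_gaps(local, peer, skew=timedelta(0)):
    """Instants where local's send key (lowest active id, an assumption) is
    not accepted by peer; skew = peer clock minus local clock."""
    edges = {t for chain in (local, peer) for v in chain.values()
             for span in v.values() for t in span if t != datetime.max}
    go_live = min(v["send"][0] for v in local.values() if "send" in v)
    probes = {e + d for edge in edges for e in (edge, edge - skew)
              for d in (timedelta(0), timedelta(seconds=1))}
    gaps = []
    for when in sorted(p for p in probes if p >= go_live):
        sent = next(iter(active(local, "send", when)), None)
        accepted = active(peer, "accept", when + skew)
        if sent not in accepted:
            gaps.append((when, sent, accepted))
    return gaps

if __name__ == "__main__":
    print(rollover_gaps(parse_keys(CONFIG), parse_keys(CONFIG), timedelta(minutes=10)))
```

With synchronized clocks the sample chain rolls over cleanly, but because key 1's accept-lifetime ends at the same instant as its send-lifetime, a neighbor whose clock runs ahead rejects key 1 while it is still being sent.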
