EIGRP Classic vs Named Authentication

HELLO ALL,

I am writing this to check my logic and to ensure that I have everything straight in my mind. I have just written up a little review. Please give me feedback so that I can fill any gaps in my knowledge.

Respectfully,

AntRal

EIGRP CLASSIC vs. NAMED (Authentication and Converting)

The Basic Behavior of EIGRP

EIGRP uses the Diffusing Update Algorithm (DUAL) to calculate and provide “loop-free” paths throughout the network, allowing multiple routes to sync at the same time. Before any route in EIGRP can be added to the routing table it must meet the feasibility condition. The feasibility condition basically demands that the reported distance of a route must be less than the feasible distance before it is considered a loop-free path. The best path to a destination, which is installed into the routing table and selected as the next hop, is called the successor, while the next best route that meets the feasibility condition is then installed as a feasible successor. The feasible successor makes it possible for EIGRP to recover from losing the successor more quickly and without having to converge.

EIGRP is a distance vector routing protocol that just advertises what it is directly connected to; this is sometimes referred to as “routing by rumor”. The benefit of this is that the network topology can be more forgiving than that of the link state routing protocols, making it possible to summarize at the desire of the administrator and not on an area border router as in OSPF.

EIGRP Packets

Hello/Ack - Has to be sent by both routers to establish and keep a neighbor adjacency with each other. They are sent to multicast address 224.0.0.10 in IPv4 and FF02::A in IPv6.

Update - Once an adjacency has been created the routers send each other update packets. These are used to send the full table of known routes to the newly formed neighbor. These packets are also sent multicast.

Query - This packet is used to ask routers for a path to a destination; it also triggers all routers to converge. The response does not have to contain the exact same response as the request. This is where summarization can come in handy to limit the range of the query domain; this is also referred to as query scoping. Query scoping will help to prevent stuck in active in EIGRP domains that have grown too large.

Reply - Sent as a response to a query.

Metrics Classic and Wide

While there is a complex formula for both metrics, all that needs to be remembered here is that the classic metric is 32 bits with a multiplier of 256, only using the bandwidth and the delay (in milliseconds) by default. The wide metric has changed a few things from the classic: first, it has two scales that it uses as multipliers. When calculating the metric it multiplies by the wide scale, which is 65536; this turns the metric into 64 bits. This large a metric can make EIGRP more granular when picking the best routes. Once it has established the best route it will then divide it by the RIB-scale before inserting it into the RIB.

Authentication in Classic EIGRP

Classic EIGRP only supports clear text and MD5 authentication using key chains that are applied to the interfaces. The configurations are bulky and counterintuitive. (Note: the key string does count blank spaces as characters.)

Example:

Router1
!
key chain TEST
 key 1
  key-string CISCO
  accept-lifetime 00:05:00 Jan 1 2015 00:15:00 Jan 2 2016
  send-lifetime 00:05:00 Jan 1 2015 00:15:00 Jan 2 2016
 key 2
  key-string CCIE
  accept-lifetime 00:05:00 Jan 1 2016 infinite
  send-lifetime 00:05:00 Jan 1 2015 infinite
!
interface FastEthernet0/0
 ! mode keyword as IOS takes it (the post wrote it as MD5/TEXT)
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 TEST
!

As you can see, you need to have a little overlap time when you are configuring multiple keys to ensure that there is no re-convergence needed in the network. In addition to this it is a good idea to use network time protocol (NTP) to sync times on the neighbors.

Authentication in Named EIGRP

Named EIGRP can support MD5, clear text and SHA-256 authentication. MD5 and clear text both use key chains, while SHA-256 is done completely inside of the EIGRP process.

Example:

Router2
!
key chain TEST
 key 1
  key-string CISCO
  accept-lifetime 00:05:00 Jan 1 2015 infinite
  send-lifetime 00:05:00 Jan 1 2015 infinite
!
router eigrp TEST
 address-family ipv4 unicast autonomous-system 100
  af-interface FastEthernet0/0
   authentication mode md5
   authentication key-chain TEST
  exit-af-interface
  af-interface default
   authentication mode hmac-sha-256 CCIE
  exit-af-interface
 exit-address-family
!

As you can see, the configurations for authentication in EIGRP named mode are much simpler and more logical. What happened in this example is that we tied the key chain with MD5 to interface f0/0 while we set all of the other interfaces to use SHA by default. The MD5 is backwards compatible with classic EIGRP. (Note: in named mode you cannot apply the authentication through the interface itself.)

Classic to Named Upgrade

You can upgrade classic EIGRP to named mode without flapping neighbor adjacencies through the use of the “eigrp upgrade-cli” command. You have to implement this per autonomous system number.

Example:

router eigrp 100
 network 210.1.1.0
 eigrp upgrade-cli TEST
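An added example (not part of AntRal's post) that applies the feasibility condition from the review to a constructed table of candidate paths; the neighbor names and costs are made up, and the feasible distance is simplified to the current best total rather than DUAL's historical minimum:

```python
# Constructed candidate paths from one router to a single prefix, one per
# neighbor: "rd" is the reported distance the neighbor advertises for the
# prefix, "link" the cost of the link to that neighbor. Values are made up.
CANDIDATES = {
    "R1": {"rd": 10, "link": 5},   # total 15 -> successor
    "R2": {"rd": 12, "link": 4},   # total 16, RD 12 < FD 15 -> feasible successor
    "R3": {"rd": 20, "link": 1},   # total 21, RD 20 >= FD 15 -> fails the condition
}


def dual_select(cands):
    """Return (successor, feasible distance, feasible successors) for one prefix.

    Feasibility condition: a backup's reported distance must be strictly less
    than the feasible distance (here: the successor's total) to be loop-free.
    """
    if not cands:
        return None, None, []
    totals = {name: c["rd"] + c["link"] for name, c in cands.items()}
    successor = min(totals, key=totals.get)
    fd = totals[successor]
    feasible = sorted(n for n in cands if n != successor and cands[n]["rd"] < fd)
    return successor, fd, feasible


def lose_neighbor(cands, lost):
    """Model losing a neighbor. If the successor goes and a feasible successor
    exists, DUAL promotes it locally; with no feasible successor the prefix goes
    active and the router has to query its neighbors. Returns the new selection
    and whether a query is needed."""
    successor, _, feasible = dual_select(cands)
    needs_query = lost == successor and not feasible
    remaining = {n: c for n, c in cands.items() if n != lost}
    return dual_select(remaining), needs_query


if __name__ == "__main__":
    print("initial:", dual_select(CANDIDATES))
    print("lose R1 with backup:", lose_neighbor(CANDIDATES, "R1"))
    no_backup = {n: c for n, c in CANDIDATES.items() if n != "R2"}
    print("lose R1 without backup:", lose_neighbor(no_backup, "R1"))
```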
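Another added example, not from the post: it transcribes the Router1 key chain above and walks the calendar to check that, at every instant, the key a router would sign with is one its peer will accept, which is the overlap the post says you need. The hourly step, the BROKEN_CHAIN variant and the rule that the lowest-numbered valid key is used for sending are assumptions of this example:

```python
from datetime import datetime, timedelta

# Key chain TEST from the Router1 example, transcribed into Python.
# The post's lifetimes are kept; "infinite" is modelled as datetime.max.
INFINITE = datetime.max
KEY_CHAIN_TEST = {
    1: {"accept": (datetime(2015, 1, 1, 0, 5), datetime(2016, 1, 2, 0, 15)),
        "send":   (datetime(2015, 1, 1, 0, 5), datetime(2016, 1, 2, 0, 15))},
    2: {"accept": (datetime(2016, 1, 1, 0, 5), INFINITE),
        "send":   (datetime(2015, 1, 1, 0, 5), INFINITE)},
}


def active_keys(chain, kind, at):
    """Key IDs whose lifetime of the given kind ('accept' or 'send') covers `at`."""
    return sorted(k for k, life in chain.items() if life[kind][0] <= at < life[kind][1])


def send_key(chain, at):
    """Assumed sender rule: sign with the lowest-numbered key whose send-lifetime is valid."""
    keys = active_keys(chain, "send", at)
    return keys[0] if keys else None


def rollover_gaps(local, remote, start, end, step=timedelta(hours=1)):
    """Walk [start, end) in `step` increments and collect the instants at which
    the key `local` would send with is not accepted by `remote`. Every instant
    returned is a moment the adjacency would drop and re-converge."""
    gaps, now = [], start
    while now < end:
        key = send_key(local, now)
        if key is None or key not in active_keys(remote, "accept", now):
            gaps.append(now)
        now += step
    return gaps


# Constructed misconfiguration: the peer starts accepting key 2 a day too late,
# so key 1 expires before the peer will take key 2 (no overlap).
BROKEN_CHAIN = {k: dict(v) for k, v in KEY_CHAIN_TEST.items()}
BROKEN_CHAIN[2]["accept"] = (datetime(2016, 1, 3, 0, 5), INFINITE)

if __name__ == "__main__":
    window = (datetime(2015, 1, 1, 0, 5), datetime(2016, 2, 1))
    print("post's chain on both ends, gaps:", rollover_gaps(KEY_CHAIN_TEST, KEY_CHAIN_TEST, *window))
    bad = rollover_gaps(KEY_CHAIN_TEST, BROKEN_CHAIN, *window)
    print("broken peer chain, first gap:", bad[0] if bad else None, "hours down:", len(bad))
```

The same walk is also a quick way to see why the post recommends NTP: shift one router's clock past the overlap and the check fails the same way.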

Comments

  • SHA will be the stronger authentication, though neither will encrypt the payload, only the authentication information. Either way it is a security feature that will prevent injection of routes from an outside source.
