Hi all,

Came across an interesting little tidbit of info today while playing
around with EIGRP authentication on a frame hub and spoke network. No doubt,
you'll remember the IPE lab where you have a frame hub and spoke, running OSPF,
and you have to use different authentication keys for each of the spokes?

Well, I tried doing the same with EIGRP authentication, using key chains. Hub
had keys 1 and 2; spoke 1 had key 1; spoke 2 had key 2. All were valid keys: I
had configured send and accept lifetimes on ALL keys that started 00:00:00 1
Jan 1993 and lasted an infinite lifetime. The "show key chain" command
confirmed that ALL keys were valid.

The behaviour I saw was that the neighbour relationship between hub and spoke 1
was solid. However, the neighbour relationship between hub and spoke 2
continually flapped. Hub would see it come up as a valid neighbour, 180 hold
time would expire, it would reset, come back in again etc. On spoke 2, you
never saw the hub as a neighbour.

Doing a bit of debug eigrp packet showed that the hub ONLY used key 1 and
not key 2. Hub would accept key 2 from spoke 2 but never send with it.
Doesn't this defeat the point of having overlapping send and receive lifetimes
on the keys for key switchover? The hub simply did not use the second key,
even although it was receiving and correctly authenticating received packets
with it!

Firstly, does anyone know if there is some sort of timeout here, when
the hub reverts to using both keys? I gave up waiting (I spent about 10
minutes troubleshooting until I decided to try another tack).

My workaround in the end was to configure two GRE tunnels, between each spoke
and the hub, and move EIGRP away from the physical interfaces and onto the
tunnels, and use different key chains on the hub. Worked a treat. Suppose I
could have used PPPoFR as well, but that would have incurred more typing!

Regards,
George.
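
An added example, not part of George's post: a small Python model of key-chain selection that reproduces the one-way authentication described above and shows why a per-neighbour chain (as on the GRE tunnels) fixes it. It assumes the rule from Cisco's key-chain documentation that a sender uses only the lowest-numbered key with a valid send lifetime; the key strings, the simplified digest and all names are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Key:
    key_id: int
    secret: bytes
    send_from: datetime    # lifetimes modelled as "start .. infinite", as in the post
    accept_from: datetime

def digest(secret, payload):
    # Simplified keyed MD5 (assumption); the real EIGRP digest covers specific packet fields.
    return hashlib.md5(secret + payload).digest()

def send(chain, payload, now):
    """Sign with the lowest-numbered key whose send lifetime is valid; only one key is used."""
    valid = [k for k in chain if k.send_from <= now]
    if not valid:
        return None
    key = min(valid, key=lambda k: k.key_id)
    return (key.key_id, payload, digest(key.secret, payload))

def accept(chain, packet, now):
    """Accept only if the packet's key ID exists locally, is valid, and the digest matches."""
    if packet is None:
        return False
    key_id, payload, mac = packet
    for k in chain:
        if k.key_id == key_id and k.accept_from <= now:
            return hmac.compare_digest(mac, digest(k.secret, payload))
    return False

def adjacency(a, b, now):
    """Return (b accepts a's hello, a accepts b's hello)."""
    return (accept(b, send(a, b"hello", now), now),
            accept(a, send(b, b"hello", now), now))

# Constructed sample chains matching the topology in the post.
START = datetime(1993, 1, 1)
K1 = Key(1, b"constructed-key-1", START, START)
K2 = Key(2, b"constructed-key-2", START, START)
HUB, SPOKE1, SPOKE2 = [K1, K2], [K1], [K2]
HUB_TUNNEL_TO_SPOKE2 = [K2]   # hypothetical per-tunnel chain on the hub
NOW = datetime(2024, 1, 1)    # constructed "current time"
```

`adjacency(HUB, SPOKE2, NOW)` returns `(False, True)`: the hub authenticates spoke 2's packets but spoke 2 never authenticates the hub's, while `adjacency(HUB_TUNNEL_TO_SPOKE2, SPOKE2, NOW)` succeeds in both directions.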