Summary of EIGRP PDF


Enhanced Interior Gateway Routing Protocol (EIGRP)

Ahmed Nabil
• EIGRP features:
1- Advanced distance-vector (D.V) protocol:
Classless, no periodic updates, multicast updates, manual summarization, triggered partial updates on change

2- Rapid convergence
Uses DUAL (Diffusing Update Algorithm), which keeps a backup route for each best route, if available

3- Loop-free topology
DUAL sets conditions for choosing its best routes and backup routes, which are called the feasibility conditions

4- Easy configuration
Its origin is D.V

5- Seamless connectivity across all data link layer protocols
Works with BMA, NBMA, point-to-point protocols with the operation

6- Reduces B.W waste
No periodic updates

7- Efficient updating
Incremental updates, triggered & partial updates

8- Supports multiple network layer protocols
IP, IPX & AppleTalk; EIGRP keeps a separate routing, neighbor & topology table for each protocol

9- Uses a composite metric and is compatible with IGRP
Composite metric depends on B.W, delay, load, reliability, MTU
EIGRP metric (32 bits) = 256 * IGRP metric (24 bits)

10- Load balancing
Across equal and unequal path costs

• EIGRP terminologies:
1- Neighbor table
(list of all neighbors)
#show ip eigrp neighbors
2- Topology table
(list of all routes to all destination networks; as a matter of fact, it is the routing tables of all neighbors)
#show ip eigrp topology [all-links]
3- Routing table
(best routes to all destination networks)
#show ip route [eigrp]

4- Successor 'S'
(the best route)
5- Feasible successor 'FS'
(the backup route)
6- Feasible distance 'FD'
(the metric from source to destination)
7- Advertised distance 'AD'
(the metric from my neighbor to destination)
• EIGRP packet types:

1- Hello packet:
- Used for neighbor discovery and to maintain the neighbor relationship
- Sent periodically on 224.0.0.10
- Period of Hello:
5 sec. on fast links (> 1.54 Mbps) & point-to-point links
60 sec. on slow links (<= 1.54 Mbps)
Dead interval = 3 * hello interval (15 sec for fast links, 180 sec for slow links)

2- Update packet:
- Contains the RTG table at startup (sent unicast).
- Contains a partial update in case of change (sent multicast on 224.0.0.10)

3- Query packet:
- Sent on multicast 224.0.0.10 if the S is lost and there is no FS in the topology table; it is used to declare the failure of a link & to request information about another path from the neighbor

4- Reply packet:
- The reply to the query, sent to a unicast address

5- Ack packet:
- Acknowledges all EIGRP packets except the Hello packet

• EIGRP components:

1- PDM (Protocol Dependent Module)
- Depends on the routed protocol (IP, IPX, AppleTalk).
- It allows EIGRP to adapt according to the routed protocol.
- Each protocol has its own EIGRP module and operates independently from any of the others that may be running. The IP-EIGRP module, for example, is responsible for sending and receiving EIGRP packets that are encapsulated in IP. IP-EIGRP is also responsible for parsing EIGRP packets and informing DUAL of the new information that has been received.

2- DUAL (Diffusing Update Algorithm)
- It is a finite state machine.
- Responsible for maintenance of the routing table and topology table using some conditions

3- RTP (Retransmission Transport Protocol)
- Provides reliability using ACKs (like TCP), but with a stop-and-wait mechanism.
- RTP uses 2 timers:
a) SRTT (smooth round trip time)
- Average time between sending a message and receiving back a reply
b) RTO (retransmission time out)
- RTO is the time spent waiting for an ACK before retransmitting the packet
NOTE:
- A neighbor is considered dead after:
a) 16 RTO.
b) Dead interval.

• Operation:
At startup:
- Every router discovers its neighbors (begins establishing adjacency) using the hello protocol.
- For EIGRP routers to be neighbors:
1- they must have the same AS no.
2- they must have the same K-values.
- The routers will form an adjacency even if the hello & dead intervals don't match.

The debug output below displays that action:

RouterA# debug eigrp packets

Mismatched adjacency values

01:39:13: EIGRP: Received HELLO on Serial0/0 nbr 10.1.1.2
01:39:13:AS 200, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
01:39:13: K-value mismatch

- Then the router exchanges its routing table with its neighbors.
- From the RTG tables of its neighbors, the router forms the topology table.
- Each router applies the DUAL algorithm to its topology table to form a routing table.

Configuring EIGRP metric K-values

The #debug eigrp packets command below displays that operation:
RouterA# debug eigrp packets

Normal Hello Processing

01:38:29: EIGRP: Sending HELLO on Serial0/0
01:38:29: AS 200, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
01:38:31: EIGRP: Received HELLO on Serial0/0 nbr 10.1.2.2
01:38:31: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

Received EIGRP Update

01:38:33: EIGRP: Received UPDATE on Serial0/0 nbr 10.1.2.2
01:38:33: AS 2100, Flags 0x0, Seq 23/37 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
01:38:33: EIGRP: Enqueueing ACK on Serial0/0 nbr 10.1.2.2
01:38:33: Ack seq 23 iidbQ un/rely 0/0 peerQ un/rely 1/0
01:38:33: EIGRP: Sending ACK on Serial0/0 nbr 10.1.2.2
01:38:33: AS 200, Flags 0x0, Seq 0/23 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 1/0
01:38:33: EIGRP: Enqueueing UPDATE on Serial0/0 iidbQ un/rely 0/1 serno 75-75
01:38:33: EIGRP: Sending UPDATE on Serial0/0 nbr 10.1.2.2
01:38:33: AS 200, Flags 0x0, Seq 38/23 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1 serno 75-75
01:38:33: EIGRP: Received ACK on Serial0/0 nbr 10.1.2.2
01:38:33: AS 200, Flags 0x0, Seq 0/38 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1

At convergence:
- no periodic updates, only hello packets
• Hellos sent periodically every 5 seconds on the following
links:
- Broadcast media: Ethernet
- Point-to-point serial links: (PPP), (HDLC)
- Point-to-point subinterface: Frame Relay, ATM
- Multipoint circuits with bandwidth greater than T1:
Frame Relay, ATM
• Hellos sent every 60 seconds on the following links:
- Multipoint circuits with bandwidth less than or equal
to T1: Frame Relay, ATM, and X.25
• Hold time by default is three times the hello time
At change:
1- If there is a FS:
• If the router has a FS in its topology table, it uses it when the S fails and sends an update to indicate that it is using a new route.
2- If there is no FS:
• The router sends a query packet to ask for another route to the destination network.
• The other routers reply to the query.

The debug command below shows that action:

RouterA# debug eigrp packets

Shut down of a neighbor's interface

01:38:11: EIGRP: Received QUERY on Serial0/0 nbr 10.1.2.2
01:38:11: AS 200, Flags 0x0, Seq 24/38 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
01:38:11: EIGRP: Enqueueing ACK on Serial0/0 nbr 10.1.2.2
01:38:11: Ack seq 24 iidbQ un/rely 0/0 peerQ un/rely 1/0
01:38:11: EIGRP: Sending ACK on Serial0/0 nbr 10.1.2.2
01:38:11: AS 200, Flags 0x0, Seq 0/24 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 1/0
01:38:11: EIGRP: Sending REPLY on Serial0/0 nbr 10.1.2.2
01:38:11: AS 200, Flags 0x0, Seq 39/24 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1 serno 76-76
01:38:11: EIGRP: Received ACK on Serial0/0 nbr 10.1.2.2
01:38:11: AS 200, Flags 0x0, Seq 0/39 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1

EIGRP operation summary

• Route selection:
- By applying DUAL on the topology table to get the RTG table.
- DUAL:
1- Tracks all routes advertised by neighbors.
2- Selects a loop-free path using a successor 'S' and 'FS'.
3- If the S is lost, the FS is used.
4- If no FS is available, it queries neighbors and recalculates the S.
5- It can hold up to 4 routes by default, and 16 or more as a maximum, for the same destination network in the RTG table.
6- It can differentiate between different types of paths:
- internal path (Admin. Dist. = 90 & symbol in RTG table is 'D').
- summary path (Admin. Dist. = 5 & symbol in RTG table is 'D', out of interface null 0).
- external path (Admin. Dist. = 170 & symbol in RTG table is 'DEX').
• How to choose S?
- S is the route that has the least metric.
Metric = 256 * [k1*BW + (k2*BW / (256 - load)) + k3*delay + (k5 / (reliability + k4))]
By default, k1=k3=1, k2=k4=k5=0
BW = 10^7 / BWi, BWi = bandwidth of interface in units of Kbps
Delay = delayi * 10, delayi = delay of interface in microseconds
These values can be observed from the #show interface command
• How to choose FS?
"This is called the feasibility condition"
A route that satisfies the inequality FD (S) > AD (FS) is eligible to be the FS

Example on EIGRP route calculation
Which path from A to D is better when using the EIGRP protocol?

(All delays are in units of tens of microseconds.)

• Delay is the sum of all the delays of the links along the path:
Delay = [delay in tens of microseconds] x 256
• BW is the lowest bandwidth of the links along the path:
BW = [10,000,000 / (bandwidth in kbps)] x 256
A → B → C → D: least bandwidth 64 kbps, total delay 6,000
Metric = [10^7 / 64 + 6000] x 256 = 41,536,000
A → X → Y → Z → D: least BW 256 kbps, total delay 8,000
Metric = [10^7 / 256 + 8000] x 256 = 12,048,000

Least metric is path A → X → Y → Z → D


Dual Example:

Stable Network

The link between B & D fails, so D loses its best path to network 10.1.1.0/24.

D sends a query to its existing neighbors (C & E), asking for a new path & announcing the link failure from its side.

C answers with a reply containing a worse, but valid, path, while E queries C.
D cannot take any decision until all queries are replied to.

C also replies to E, announcing the existence of the path to 10.1.1.0/24.

Replies return to D, so D can finally take a decision.

Again the network has re-converged through the DUAL effect.

Timers:
Hello & dead timers
(config-if)# ip hello-interval eigrp <AS> <sec>
(config-if)# ip hold-time eigrp <AS> <sec>

Stuck In Active timer
(config-router)# timers active-time {<no. in sec> / disable}

• EIGRP load sharing:
(config-router)# traffic-share balanced
To support unequal load balancing:
(config-router)# variance <multiplier>
Default multiplier = 1. There can be up to four entries in the routing table for the same destination.
(config-router)# maximum-paths maximum-path
Default 4, max 16 or more.

• Router E chooses router C to get to network Z because FD = 20
• With a variance of 2, router E also chooses router B to get to network Z: (20 + 10 = 30) < [2 x (FD) = 40].
• Router D is not used to get to network Z (45 > 40).
Note: If a path matches the variance multiplier, that does not by itself mean it can be used for load sharing, because the new route must also satisfy the feasibility condition (AD (FS) < FD (S)).
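
The route calculation, feasibility condition and variance rule above, worked through as an added example that is not part of the original slides. It covers only the default K-values (k1 = k3 = 1); the metrics 20/30/45 come from the variance example, while the AD values and neighbor X are assumptions made for illustration, and the 1544 Kbit / 20100 microsecond check uses the topology output shown later on this page.

```python
"""EIGRP default-K metric, feasibility condition and variance (added example)."""
from dataclasses import dataclass


def composite_metric(min_bw_kbps: int, total_delay_tens_usec: int) -> int:
    """Metric with default K-values (k1 = k3 = 1, k2 = k4 = k5 = 0).

    min_bw_kbps: lowest bandwidth along the path, in kbps.
    total_delay_tens_usec: sum of the link delays, in tens of microseconds.
    The bandwidth term is truncated to an integer before scaling by 256,
    which is what reproduces the FD in the page's topology output.
    """
    if min_bw_kbps <= 0 or total_delay_tens_usec < 0:
        raise ValueError("bandwidth must be > 0 and delay >= 0")
    return 256 * (10**7 // min_bw_kbps + total_delay_tens_usec)


@dataclass(frozen=True)
class Path:
    neighbor: str
    metric: int  # distance to the destination through this neighbor
    ad: int      # advertised distance: the neighbor's own metric


def select_paths(paths, variance=1):
    """Return (successors, feasible_successors, load_sharing_set).

    Feasibility condition: AD(candidate) < FD(successor).
    Variance rule: metric < variance * FD, and the path must also be feasible.
    """
    if not paths:
        raise ValueError("no paths to the destination")
    if variance < 1:
        raise ValueError("variance multiplier must be >= 1")
    fd = min(p.metric for p in paths)
    successors = [p for p in paths if p.metric == fd]
    feasible = [p for p in paths if p.metric > fd and p.ad < fd]
    sharing = successors + [p for p in feasible if p.metric < variance * fd]
    return successors, feasible, sharing


def names(paths):
    """Neighbor names of a list of paths, for compact printing."""
    return [p.neighbor for p in paths]


# The page's route-calculation example (delays already in tens of microseconds).
PATH_ABCD = composite_metric(64, 6000)
# With integer truncation this is 12,047,872; the slide keeps the fraction
# 39062.5 and shows 12,048,000. The comparison between the paths is unchanged.
PATH_AXYZD = composite_metric(256, 8000)

# FD from the page's "show ip eigrp topo" output: 1544 Kbit, 20100 microseconds.
TOPOLOGY_FD = composite_metric(1544, 20100 // 10)

# The page's variance example as seen from router E.
ROUTER_E = [
    Path("C", metric=20, ad=10),  # AD assumed
    Path("B", metric=30, ad=10),  # AD assumed from "20 + 10 = 30"
    Path("D", metric=45, ad=25),  # AD assumed
    Path("X", metric=35, ad=22),  # constructed: inside variance, not feasible
]

if __name__ == "__main__":
    print("A-B-C-D  :", PATH_ABCD)
    print("A-X-Y-Z-D:", PATH_AXYZD)
    print("topology FD:", TOPOLOGY_FD)
    for v in (1, 2):
        s, fs, share = select_paths(ROUTER_E, variance=v)
        print(f"variance {v}: S={names(s)} FS={names(fs)} used={names(share)}")
```

Neighbor X shows the case in the Note: its metric of 35 is below 2 x FD = 40, but its AD of 22 is not below the FD of 20, so it is never installed.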
Offset Lists

EIGRP Offset Lists, the final tool for manipulating the EIGRP metrics, allow an engineer to simply add a value (an offset, if you will) to the calculated integer metric for a given prefix. To do so, an engineer can create and enable an EIGRP Offset List that defines the value to add to the metric, plus some rules regarding which routes should be matched and therefore have the value added to their computed FD.
An Offset List can perform the following functions:
■ Match prefixes/prefix lengths using an IP ACL, so that the offset is applied only to routes matched by the ACL with a permit clause
■ Match the direction of the Update message, either sent (out) or received (in)
■ Match the interface on which the Update is sent or received
■ Set the integer metric added to the calculation for both the FD and RD calculations for the route
The configuration itself uses the following command in EIGRP configuration mode, in addition to any referenced IP ACLs:
(config-router)#offset-list {access-list-number | access-list-name} {in | out} offset [interface-type interface-number]

Example:
WAN1(config)#access-list 11 permit 10.11.1.0
WAN1(config)#router eigrp 1
WAN1(config-router)#offset-list 11 in 3 Serial0/0/0.1
WAN1(config-router)#end
Mar 2 11:34:36.667: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.1.2 (Serial0/0/0.1) is resync: peer graceful-restart
Before using the offset list:
WAN1#show ip eigrp topo 10.11.1.0/24
IP-EIGRP (AS 1): Topology entry for 10.11.1.0/24
State is Passive, Query origin flag is 1, 1 Successor(s), FD is 2172416
Routing Descriptor Blocks:
10.1.1.2 (Serial0/0/0.1), from 10.1.1.2, Send flag is 0x0
Composite metric is (2172416/28160), Route is Internal

After applying offset-list:

WAN1#show ip eigrp topo 10.11.1.0/24
IP-EIGRP (AS 1): Topology entry for 10.11.1.0/24
State is Passive, Query origin flag is 1, 1 Successor(s), FD is 2172416
Routing Descriptor Blocks:
10.1.1.2 (Serial0/0/0.1), from 10.1.1.2, Send flag is 0x0
Composite metric is (2172419/28163), Route is Internal
Vector metric:
Minimum bandwidth is 1544 Kbit
Total delay is 20100 microseconds
Reliability is 255/255
Load is 1/255
Minimum MTU is 1500
Hop count is 1
! output omitted for brevity

The offset-list 11 in 3 s0/0/0.1 command tells Router WAN1 to examine all EIGRP Updates received on S0/0/0.1, and if prefix 10.11.1.0 is found, add 3 to the computed FD and RD for that prefix.

• Convergence / Query problem:
- The router has to get all the replies from the neighbors with an outstanding query before it calculates the successor information.
- If any neighbor fails to reply to the query, the network will be Stuck in Active (SIA).
- Contrary to popular belief, queries are not bounded by AS boundaries. Queries from AS 1 are propagated to AS 2.
- Finally, the query problem can affect convergence (slower).

Solutions (avoiding slow convergence, and query limiting)

1- SIA timer (3 min.)
If the router is Stuck In Active because of a neighbor, it will wait 3 min., then:
a) Reset its neighbor relationship.
b) Re-establish the neighborship process.
This method is in some cases considered rude.
New EIGRP messages were introduced: SIA-Query & SIA-Reply.

Active Process Enhancement
Before: Router A resets its relationship to router B when the normal active timer expires. However, the problem is the link between router B and C.
After: Router A sends an SIA-Query at half of the normal active timer. Router B acknowledges the query, thereby keeping the relationship up.

The previous figure on the left illustrates what would happen before this feature was introduced. Router A sends a query for network 10.1.1.0/24 to router B. Router B has no entry for this network, so it queries router C. If problems exist between router B and C, the reply packet from router C to router B may be delayed or lost. Router A has no visibility of downstream progress and assumes that the lack of response indicates problems with router B. After the router A 3-minute active timer expires, the neighbor relationship with router B is reset, along with all known routes from router B.

By contrast, with the active process enhancement feature, router A queries downstream router B (with an SIA-Query) at the midway point of the active timer (1.5 minutes by default) about the status of the route. Router B responds (with an SIA-Reply) that it is searching for a replacement route. Upon receiving this SIA-Reply response packet, router A validates the status of router B and does not terminate the neighbor relationship.

Meanwhile router B sends up to three SIA-Queries to router C. If they go unanswered, router B terminates the neighbor relationship with router C. Router B then updates router A with an SIA-Reply indicating that the network 10.1.1.0/24 is unreachable. Routers A and B remove the active route from their topology tables. The neighbor relationship between routers A and B remains intact.
2- Using summarization
(config-if)# ip summary-address eigrp <AS> <address> <mask>

"You have just given me the summary, so I don't know the specific subnet 172.30.1.0/24"

3- Defining stub networks
If network 10.1.1.0/24 in a topology like the one shown below fails, all routers will be stuck in active, waiting for each other's replies.

Configure the routers as stub, so the queries will be sent to non-stub routers only.
(config-router)#eigrp stub [receive-only | connected | static | summary]
• receive-only: Prevents the stub from sending any type of route.
• connected: Permits the stub to send connected routes (may still need to redistribute).
• static: Permits the stub to send static routes (must still redistribute).
• summary: Permits the stub to send summary routes.
• Default is connected and summary.

Example: eigrp stub Parameters

If stub connected is configured:
• B will advertise 10.1.2.0/24 to A.
• B will not advertise 10.1.2.0/23, 10.1.3.0/23, or 10.1.4.0/24.

If stub summary is configured:
• B will advertise 10.1.2.0/23 to A.
• B will not advertise 10.1.2.0/24, 10.1.3.0/24, or 10.1.4.0/24.

If stub static is configured:
• B will advertise 10.1.4.0/24 to A.
• B will not advertise 10.1.2.0/24, 10.1.2.0/23, or 10.1.3.0/24.

If stub receive-only is configured:
• B will not advertise anything to A, so A needs to have a static route to the networks behind B to reach them.
• Configuration:
(config)# router eigrp <AS no.>
! Up to 32 processes (AS) can be configured on the same router !
(config-router)# network <ip> [<w.c.m>]

Example 1

Example 2

Named EIGRP
Configuring EIGRP for a simple topology that needs few if any parameters changed from their default settings is a fairly simple task. However, consider a router that needs one EIGRP instance to support IPv4 networks and another EIGRP instance to support IPv6 networks. Also, imagine that you want to adjust the default timers, configure the variance option, summarize addresses, and specify a router ID. Suddenly, EIGRP configuration becomes much more challenging, and you are required to jump back and forth between different configuration modes (that is, interface configuration mode, EIGRP for IPv4 configuration mode, and EIGRP for IPv6 configuration mode).
Fortunately, Named EIGRP consolidates all of these disparate commands under a single hierarchical structure. By having all EIGRP-related commands in one place, not only is configuration simplified, but troubleshooting is also more efficient.

The Named EIGRP Hierarchical Structure
Although Named EIGRP is configured very differently from traditional EIGRP, the configurations are compatible, meaning that an EIGRP-speaking router configured with the traditional approach can form a neighborship with an EIGRP-speaking router configured with the Named approach. Named EIGRP's hierarchical structure consists of three primary configuration modes. Table 6-4 identifies and describes these modes.
Normal Configuration
R1# conf term
R1(config)# router eigrp 1
R1(config-router)# network 0.0.0.0
!Router R2 Configuration
R2# conf term
R2(config)# router eigrp 1
R2(config-router)# network 0.0.0.0

Named Configuration
R1# conf term
R1(config)# router eigrp TE1
R1(config-router)# address-family ipv4 autonomous-system 1
R1(config-router-af)# network 0.0.0.0
!R2 Router Configuration
R2# conf term
R2(config)# router eigrp TE2
R2(config-router)# address-family ipv4 autonomous-system 1

Auto and Manual summary:
(config-router)# no auto-summary
(config-if)# ip summary-address eigrp <AS> <ip> <mask> [admin distance]

• Summarization is configurable on a per-interface basis in any router within a network.
• When summarization is configured on an interface, the router immediately creates a route pointing to null0.
– Loop-prevention mechanism
• When the last specific route of the summary goes away, the summary is deleted.
• The minimum metric of the specific routes is used as the metric of the summary route.
RouterC#show ip route
<output omitted>
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
D 172.16.0.0/16 is a summary, 00:00:04, Null0
D 172.16.1.0/24 [90/156160] via 10.1.1.2, 00:00:04, FastEthernet0/0
D 172.16.2.0/24 [90/20640000] via 10.2.2.2, 00:00:04, Serial0/0/1
C 192.168.4.0/24 is directly connected, Serial0/0/0
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 10.2.2.0/24 is directly connected, Serial0/0/1
C 10.1.1.0/24 is directly connected, FastEthernet0/0
D 10.0.0.0/8 is a summary, 00:00:05, Null0
By default EIGRP uses 50% of the link BW for its updates.
EIGRP supports different WAN links:

• Point-to-point links
Treats bandwidth as T1 by default, so it is better to
manually configure bandwidth as the real BW, using
(config-if)#bandwidth <BW in units of kbps>

• NBMA
- Point-to-point links
Treats bandwidth as T1 by default, so it is better to manually configure bandwidth as the CIR of the PVC
- Multipoint links (Frame Relay, ATM)
EIGRP uses the bandwidth on the main interface divided by the number of neighbors on that interface to get the bandwidth information per neighbor.
So for multipoint interfaces with non-uniform CIRs: convert to a point-to-point configuration, or manually configure bandwidth by multiplying the lowest CIR by the number of PVCs
NBMA point-to-point links: need to configure the BW of the PVC on each subinterface

NBMA multipoint links with non-uniform CIRs for the PVCs
So:
Configure the lowest-CIR VC as point-to-point, specify BW = CIR
Configure the higher-CIR VCs as multipoint, combine CIRs

To change the BW percentage to be used by updates:
(config-if)# ip bandwidth-percent eigrp <AS> <percentage>
Default percent = 50
Router Authentication
• Many routing protocols support authentication such that a
router authenticates the source of each routing update
packet that it receives.
• Simple password authentication is supported by:
– IS-IS
– OSPF
– RIPv2
• MD5 authentication is supported by:
– OSPF
– RIPv2
– BGP
– EIGRP
Simple Password vs. MD5 Authentication
• Simple password authentication:
– Router sends packet and key.
– Neighbor checks whether key matches its key.
– Process not secure.
• MD5 authentication:
– Configure a key (password) and key ID; router generates a
message digest, or hash, of the key, key ID and message.
– Message digest is sent with packet; key is not sent.
– Process is secure.
EIGRP MD5 authentication:
• Router generates a message digest, or hash, of the key,
key ID, and message.
• EIGRP allows keys to be managed using key chains.
• Specify key ID (number), key, and lifetime of key.
• First valid activated key, in order of key numbers, is used.

Configuring EIGRP MD5 Authentication
Router(config-if)# ip authentication mode eigrp autonomous-system md5
• Specifies MD5 authentication for EIGRP packets
Router(config-if)# ip authentication key-chain eigrp autonomous-system name-of-chain
• Enables authentication of EIGRP packets using a key in the keychain

Router(config)# key chain name-of-chain
• Enters configuration mode for the keychain
Router(config-keychain)# key key-id
• Identifies the key and enters configuration mode for the key ID
Router(config-keychain-key)# key-string text
• Identifies the key string (password)

Router(config-keychain-key)# accept-lifetime start-time {infinite | end-time | duration seconds}
• Optional: Specifies when the key will be accepted for received packets
Router(config-keychain-key)# send-lifetime start-time {infinite | end-time | duration seconds}
• Optional: Specifies when the key can be used for sending packets

Note: If the service password-encryption command is not used when implementing EIGRP authentication, the key string will be stored as plaintext in the router configuration. If you configure the service password-encryption command, the key string will be stored and displayed in an encrypted form; when it is displayed, there will be an encryption type of 7 specified before the encrypted key string. Type 7 is a reversible encoding rather than a hash, so a configuration that contains the key string should still be handled as sensitive.

EIGRP Authentication Configuration Checklist
The EIGRP authentication configuration process requires several
commands, which are summarized as follows:
Step 1. Create an (authentication) key chain:
Create the chain and give it a name with the key chain name global
command (also puts the user into key chain config mode). The name
does not have to match on the neighboring routers.
Create one or more key numbers using the key number command in
key chain configuration mode. The key numbers do not have to
match on the neighboring routers.
Define the authentication key's value using the key-string value
command in key configuration mode. The key strings must match on
the neighboring routers.
(Optional) Define the lifetime (time period) for both sending and
accepting each key string.
Step 2. Enable EIGRP MD5 authentication on an interface, for a
particular EIGRP ASN, using the ip authentication mode eigrp asn
md5 interface subcommand.
Step 3. Refer to the correct key chain to be used on an interface
using the ip authentication key-chain eigrp asn name-of-chain
interface subcommand.
The configuration at Step 1 is fairly detailed, but Steps 2 and 3 are
relatively simple. Essentially, IOS configures the key values
separately (Step 1) and then requires an interface subcommand
to refer to the key values. To support the ability to have multiple
keys, and even multiple sets of keys, the configuration includes the
concept of a key chain and multiple keys on each key chain.
Key Chain Time-Based Logic
The key chain configuration concept, as outlined in Step 1, allows the engineer to migrate from one key value to another over time. Just like a real key chain that has multiple keys, the IOS key chain concept allows the configuration of multiple keys—each identified with a number. If no lifetime has been configured for a key, it is considered to be valid during all time frames. However, when a key has been defined with a lifetime, the key is valid only during the valid lifetime.
The existence of multiple keys in a key chain, and the existence of valid lifetimes for each key, can cause some confusion about when the keys are used. The rules can be summarized as follows:
■ Sending EIGRP messages: Use the lowest key number among all currently valid keys.
■ Receiving EIGRP message: Check the MD5 digest using ALL currently valid keys.

For example, consider the case shown in the figure. The figure represents the logic in a single router, Router R1, both when receiving and sending EIGRP messages on the right.
The figure shows a key chain with four keys. All the keys have lifetimes configured. Key 1's lifetime has passed, making it invalid. Key 4's lifetime has yet to begin, making it invalid. However, keys 2 and 3 are both currently valid.

The figure shows that the EIGRP message sent by Router R1 uses key 2, and key 2 only. Keys 1 and 4 are ignored because they are currently invalid; R1 then simply chooses the lowest-numbered key among the two valid keys. The figure also shows that R1 processes the received EIGRP message using both key 2 and key 3, because both are currently valid.
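
The time-based key selection described above, as an added example that is not part of the original slides. The R1 and R2 chains mirror the example configuration on this page; the four-key chain's dates, the treatment of the end instant as still valid, and matching a received packet by key string (the checklist's rule) are assumptions of this sketch.

```python
"""Key chain time-based logic: which key sends, which keys accept (added example)."""
from dataclasses import dataclass, replace
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Lifetime:
    start: Optional[datetime] = None  # None: no lifetime configured
    end: Optional[datetime] = None    # None: infinite

    def valid_at(self, now: datetime) -> bool:
        if self.start is not None and now < self.start:
            return False
        # Assumption: the end instant itself still counts as valid.
        return self.end is None or now <= self.end


ALWAYS = Lifetime()


@dataclass(frozen=True)
class Key:
    key_id: int
    key_string: str
    send: Lifetime = ALWAYS
    accept: Lifetime = ALWAYS


def send_key(chain, now):
    """Lowest-numbered key whose send-lifetime is currently valid, or None."""
    valid = [k for k in chain if k.send.valid_at(now)]
    return min(valid, key=lambda k: k.key_id) if valid else None


def accept_keys(chain, now):
    """Every key whose accept-lifetime is currently valid, in key-number order."""
    valid = [k for k in chain if k.accept.valid_at(now)]
    return sorted(valid, key=lambda k: k.key_id)


def check_link(sender_chain, receiver_chain, now):
    """Classify what happens to a packet the sender emits at `now`."""
    key = send_key(sender_chain, now)
    if key is None:
        return "no-valid-send-key"
    for candidate in accept_keys(receiver_chain, now):
        if candidate.key_string == key.key_string:
            return "accepted"
    return "auth-mismatch"


# Chains from the page's example configuration.
T0 = datetime(2006, 1, 1, 4, 0, 0)
R1_CHAIN = [
    Key(1, "firstkey", send=Lifetime(T0, datetime(2006, 1, 1, 4, 1, 0)),
        accept=Lifetime(T0)),
    Key(2, "secondkey", send=Lifetime(T0), accept=Lifetime(T0)),
]
R2_CHAIN = [
    Key(1, "firstkey", send=Lifetime(T0), accept=Lifetime(T0)),
    Key(2, "secondkey", send=Lifetime(T0), accept=Lifetime(T0)),
]
# R1 after key 2 is changed to "wrongkey", as done later on this page.
R1_BROKEN = [R1_CHAIN[0], replace(R1_CHAIN[1], key_string="wrongkey")]

# Four-key chain like the figure's; all dates and key strings are constructed.
NOW = datetime(2006, 1, 21, 16, 38)
FIGURE_CHAIN = [
    Key(n, f"k{n}", send=Lifetime(s, e), accept=Lifetime(s, e))
    for n, s, e in [
        (1, datetime(2006, 1, 1), datetime(2006, 1, 10)),   # expired
        (2, datetime(2006, 1, 5), datetime(2006, 2, 1)),    # valid
        (3, datetime(2006, 1, 15), datetime(2006, 3, 1)),   # valid
        (4, datetime(2006, 2, 1), datetime(2006, 4, 1)),    # not yet valid
    ]
]

if __name__ == "__main__":
    print("R1 sends with key", send_key(R1_CHAIN, NOW).key_id)
    print("R2 sends with key", send_key(R2_CHAIN, NOW).key_id)
    print("R1 -> R2:", check_link(R1_CHAIN, R2_CHAIN, NOW))
    print("R1 (wrongkey) -> R2:", check_link(R1_BROKEN, R2_CHAIN, NOW))
    print("figure: send", send_key(FIGURE_CHAIN, NOW).key_id,
          "accept", [k.key_id for k in accept_keys(FIGURE_CHAIN, NOW)])
```

Running the same check across the planned rollover dates before changing a key shows any window in which a router has no valid send key or the peer would reject it.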
Example MD5 Authentication Configuration

R1
<output omitted>
key chain R1chain
 key 1
  key-string firstkey
  accept-lifetime 04:00:00 Jan 1 2006 infinite
  send-lifetime 04:00:00 Jan 1 2006 04:01:00 Jan 1 2006
 key 2
  key-string secondkey
  accept-lifetime 04:00:00 Jan 1 2006 infinite
  send-lifetime 04:00:00 Jan 1 2006 infinite
<output omitted>
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
!
interface Serial0/0/1
 bandwidth 64
 ip address 192.168.1.101 255.255.255.224
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 R1chain
!
router eigrp 100
 network 172.16.1.0 0.0.0.255
 network 192.168.1.0
 auto-summary

R2
<output omitted>
key chain R2chain
 key 1
  key-string firstkey
  accept-lifetime 04:00:00 Jan 1 2006 infinite
  send-lifetime 04:00:00 Jan 1 2006 infinite
 key 2
  key-string secondkey
  accept-lifetime 04:00:00 Jan 1 2006 infinite
  send-lifetime 04:00:00 Jan 1 2006 infinite
<output omitted>
interface FastEthernet0/0
 ip address 172.17.2.2 255.255.255.0
!
interface Serial0/0/1
 bandwidth 64
 ip address 192.168.1.102 255.255.255.224
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 R2chain
!
router eigrp 100
 network 172.17.2.0 0.0.0.255
 network 192.168.1.0
 auto-summary

Note: R1 key id 1 will expire after 1 minute for sent updates
R1#debug eigrp packets
EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
*Jan 21 16:38:51.745: EIGRP: received packet with MD5 authentication, key id = 1
*Jan 21 16:38:51.745: EIGRP: Received HELLO on Serial0/0/1 nbr 192.168.1.102
*Jan 21 16:38:51.745: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

R2#debug eigrp packets
EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
R2#
*Jan 21 16:38:38.321: EIGRP: received packet with MD5 authentication, key id = 2
*Jan 21 16:38:38.321: EIGRP: Received HELLO on Serial0/0/1 nbr 192.168.1.101
*Jan 21 16:38:38.321: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
Note: R1 key id 1 has expired for sent updates, so R1 uses key id 2; that is why R2 deals with key 2.
R1#
*Jan 21 16:23:30.517: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.102 (Serial0/0/1) is up: new adjacency

R1#show ip eigrp neighbors
IP-EIGRP neighbors for process 100
H   Address         Interface   Hold  Uptime    SRTT  RTO   Q    Seq
                                (sec)           (ms)        Cnt  Num
0   192.168.1.102   Se0/0/1     12    00:03:10  17    2280  0    14
R1#show ip route
<output omitted>
Gateway of last resort is not set
D 172.17.0.0/16 [90/40514560] via 192.168.1.102, 00:02:22, Serial0/0/1
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
D 172.16.0.0/16 is a summary, 00:31:31, Null0
C 172.16.1.0/24 is directly connected, FastEthernet0/0
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.96/27 is directly connected, Serial0/0/1
D 192.168.1.0/24 is a summary, 00:31:31, Null0
R1#ping 172.17.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/16 ms

R1(config-if)#key chain R1chain
R1(config-keychain)#key 2
R1(config-keychain-key)#key-string wrongkey

R2#debug eigrp packets
EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
R2#
*Jan 21 16:50:18.749: EIGRP: pkt key id = 2, authentication mismatch
*Jan 21 16:50:18.749: EIGRP: Serial0/0/1: ignored packet from 192.168.1.101, opcode = 5 (invalid authentication)
*Jan 21 16:50:18.749: EIGRP: Dropping peer, invalid authentication
*Jan 21 16:50:18.749: EIGRP: Sending HELLO on Serial0/0/1
*Jan 21 16:50:18.749: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Jan 21 16:50:18.753: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.101 (Serial0/0/1) is down: Auth failure

R2#show ip eigrp neighbors
IP-EIGRP neighbors for process 100
R2#
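
The adjacency failures shown in this page's debug output (K-value mismatch, authentication mismatch, neighbor down with "Auth failure") can be pulled out of a capture automatically. The following is an added example, not part of the original slides; the sample log is assembled from lines on this page with wrapped lines rejoined, and the `Finding` record and the kind labels are this sketch's own names.

```python
"""Triage `debug eigrp packets` output for adjacency-breaking events (added example)."""
import re
from collections import defaultdict
from typing import NamedTuple, Optional

# Sample assembled from the debug output on this page (wrapped lines rejoined).
SAMPLE_LOG = """\
01:39:13: EIGRP: Received HELLO on Serial0/0 nbr 10.1.1.2
01:39:13:AS 200, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
01:39:13: K-value mismatch
*Jan 21 16:38:38.321: EIGRP: received packet with MD5 authentication, key id = 2
*Jan 21 16:38:38.321: EIGRP: Received HELLO on Serial0/0/1 nbr 192.168.1.101
*Jan 21 16:50:18.749: EIGRP: pkt key id = 2, authentication mismatch
*Jan 21 16:50:18.749: EIGRP: Serial0/0/1: ignored packet from 192.168.1.101, opcode = 5 (invalid authentication)
*Jan 21 16:50:18.749: EIGRP: Dropping peer, invalid authentication
*Jan 21 16:50:18.753: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.101 (Serial0/0/1) is down: Auth failure
"""

# Timestamp prefix: optional "*", optional "Mon DD", then HH:MM:SS[.mmm] and ":".
TS = re.compile(r"^\*?(?:[A-Z][a-z]{2}\s+\d{1,2}\s+)?\d{2}:\d{2}:\d{2}(?:\.\d+)?:\s*")
RECEIVED = re.compile(r"EIGRP: Received (\w+) on (\S+) nbr (\S+)")
KEY_MISMATCH = re.compile(r"EIGRP: pkt key id = (\d+), authentication mismatch")
IGNORED = re.compile(
    r"EIGRP: (\S+): ignored packet from ([\d.]+),\s*opcode = (\d+) "
    r"\(invalid authentication\)"
)
NBRCHANGE = re.compile(
    r"%DUAL-5-NBRCHANGE: \S+ (\d+): Neighbor (\S+) \((\S+)\) is (up|down): (.+)"
)


class Finding(NamedTuple):
    kind: str
    neighbor: Optional[str]
    interface: Optional[str]
    detail: str


def triage(text: str):
    """Return findings in log order; context lines attribute each event to a peer."""
    findings = []
    last_nbr = last_if = None   # peer of the most recent "Received ..." line
    pending_key_id = None       # key id from the most recent mismatch line
    for raw in text.splitlines():
        line = TS.sub("", raw.strip())
        if not line:
            continue
        m = RECEIVED.search(line)
        if m:
            last_if, last_nbr = m.group(2), m.group(3)
            continue
        if "K-value mismatch" in line:
            findings.append(
                Finding("k-value-mismatch", last_nbr, last_if, "hello rejected"))
            continue
        m = KEY_MISMATCH.search(line)
        if m:
            pending_key_id = m.group(1)
            continue
        m = IGNORED.search(line)
        if m:
            detail = f"opcode {m.group(3)}, key id {pending_key_id or 'unknown'}"
            findings.append(Finding("auth-mismatch", m.group(2), m.group(1), detail))
            pending_key_id = None
            continue
        m = NBRCHANGE.search(line)
        if m and m.group(4) == "down":
            findings.append(
                Finding("neighbor-down", m.group(2), m.group(3), m.group(5).strip()))
    return findings


def by_neighbor(findings):
    """Group finding kinds per neighbor address, for a quick per-peer summary."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f.neighbor].append(f.kind)
    return dict(grouped)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:17} nbr={f.neighbor} if={f.interface} ({f.detail})")
```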

• Troubleshooting:
#show ip route

RouterA# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP,
D - EIGRP, EX - EIGRP external, O - OSPF,
(text omitted)
* - candidate default,
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 1 subnets
D 172.16.1.0 [90/10639872] via 10.1.2.2, 06:04:01, Serial0/0
10.0.0.0/24 is subnetted, 4 subnets
D 10.1.3.0 [90/10514432] via 10.1.2.2, 05:54:47, Serial0/0
D 10.3.1.0 [90/10639872] via 10.1.2.2, 06:19:41, Serial0/0
C 10.1.2.0 is directly connected, Serial0/0
C 10.1.1.0 is directly connected, Ethernet0/0

#show ip eigrp topology [all-links]

RouterA# show ip eigrp topology
IP-EIGRP Topology Table for AS(100)/ID(10.1.2.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 10.1.3.0/24, 1 successors, FD is 10514432
via 10.1.2.2 (10514432/28160), Serial0/0
P 10.3.1.0/24, 1 successors, FD is 10639872
via 10.1.2.2 (10639872/384000), Serial0/0
P 10.1.2.0/24, 1 successors, FD is 10511872
via Connected, Serial0/0
P 10.1.1.0/24, 1 successors, FD is 2190
via Connected, Ethernet0/0
P 172.16.1.0/24, 1 successors, FD is 10639872
via 10.1.2.2 (10639872/384000), Serial0/0

#show ip protocols
RouterA# show ip protocols
Routing Protocol is "eigrp 100"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Default networks flagged in outgoing updates
Default networks accepted from incoming updates
EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
EIGRP maximum hopcount 100
EIGRP maximum metric variance 1
Redistributing: eigrp 100
Automatic network summarization is not in effect
Maximum path: 4
Routing for Networks:
10.1.0.0/16
10.0.0.0
Routing Information Sources:
Gateway Distance Last Update
10.1.2.2 90 05:50:13
Distance: internal 90 external 170

#show ip eigrp neighbors
#show ip eigrp traffic
#debug eigrp packet [query / reply / update]
#debug ip eigrp
Verifying EIGRP Operations:
Stable Network

RouterA# debug ip eigrp
IP-EIGRP Route Events debugging is on
01:57:23: IP-EIGRP: Processing incoming UPDATE packet
01:57:23: IP-EIGRP: Int 172.16.1.0/24 M 10639872 - 9999872 640000 SM 384000 - 256000 128000

– Router A receives an update packet from router B that contains internal (int) network 172.16.1.0/24.
– Feasible distance = router A cost to get to 172.16.1.0/24.
  10639872 = 9999872 + 640000
– Advertised distance = the metric router B sent to router A to reach 172.16.1.0/24.
  SM (source metric) = 384000 = 256000 + 128000
– EIGRP metric (10639872) = bandwidth (9999872) + delay (640000).

Verifying EIGRP Operations:
Unstable Network
RouterA# debug ip eigrp
IP-EIGRP Route Events debugging is on

• Shut down an EIGRP neighbor interface for network 172.16.1.1/24.
• Router A receives a query from Router B looking for a lost pathway.

01:56:57: IP-EIGRP: Processing incoming QUERY packet
01:56:57: IP-EIGRP: Int 172.16.1.0/24 M 4294967295 - 0 4294967295 SM 4294967295 - 0 4294967295

• The metric of 4294967295 is the highest possible value for a metric. It signifies that router B is telling router A that network 172.16.1.0/24 is no longer reachable through router B, and checks if router A has an alternate pathway to that network.

01:56:57: IP-EIGRP: 172.16.1.0/24 routing table not updated
01:56:57: IP-EIGRP: 172.16.1.0/24 - not in IP routing table

• Router A realizes that if it cannot use B for 172.16.1.0/24, it does not have an entry in the routing table to get to that network.

01:56:57: IP-EIGRP: Int 172.16.1.0/24 metric 4294967295 - 0 4294967295

• Router A sends an update to router B saying it does not know how to reach that route either.
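The stable and unstable debug outputs above use the same line layout, so they can be checked mechanically. The following Python sketch is an added example, not part of the original slides: it parses the route-event lines, verifies that each metric equals its bandwidth and delay terms, and lists prefixes reported with the infinite metric. The function names are assumptions, and the sample lines are copied from the outputs above with wrapped lines joined.

```python
import re

EIGRP_INFINITY = 0xFFFFFFFF  # 4294967295, the "unreachable" metric in the output above

# Lines taken from the debug ip eigrp outputs above (wrapped lines joined).
SAMPLE_DEBUG = """\
01:57:23: IP-EIGRP: Int 172.16.1.0/24 M 10639872 - 9999872 640000 SM 384000 - 256000 128000
01:56:57: IP-EIGRP: Int 172.16.1.0/24 M 4294967295 - 0 4294967295 SM 4294967295 - 0 4294967295
01:56:57: IP-EIGRP: Int 172.16.1.0/24 metric 4294967295 - 0 4294967295
"""

LINE_RE = re.compile(
    r"IP-EIGRP: (?P<kind>Int|Ext) (?P<prefix>\S+) (?:M|metric) "
    r"(?P<m>\d+) - (?P<bw>\d+) (?P<dly>\d+)"
    r"(?: SM (?P<sm>\d+) - (?P<sbw>\d+) (?P<sdly>\d+))?")

def parse_route_events(text):
    """Parse route-event lines into dicts and sanity-check each metric."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        metric, bw, dly = int(m["m"]), int(m["bw"]), int(m["dly"])
        ev = {
            "prefix": m["prefix"],
            "internal": m["kind"] == "Int",
            "metric": metric,
            "unreachable": metric == EIGRP_INFINITY,
            # With K1=K3=1 and K2=K4=K5=0, metric = bandwidth term + delay term.
            "consistent": metric == bw + dly,
            "source_metric": int(m["sm"]) if m["sm"] else None,
        }
        if m["sm"]:
            ev["consistent"] &= int(m["sm"]) == int(m["sbw"]) + int(m["sdly"])
        events.append(ev)
    return events

def withdrawn_prefixes(events):
    """Prefixes that appear with the infinite (unreachable) metric."""
    return sorted({e["prefix"] for e in events if e["unreachable"]})
```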

EIGRP for IPv6
Cisco originally created EIGRP to advertise routes for IPv4, IPX, and
AppleTalk. This original EIGRP architecture easily allowed for yet
another Layer 3 protocol, IPv6, to be added. As a result, Cisco did
not have to change EIGRP significantly to support IPv6, so
many similarities exist between the IPv4 and IPv6 versions of EIGRP.

Note: Many documents, including this chapter, refer to the IPv6 version of EIGRP as EIGRP for IPv6. However, some documents at www.cisco.com also refer to this protocol as EIGRPv6, not because it is the sixth version of the protocol, but because it implies a relationship with IPv6.

As with the previous section "RIP Next Generation (RIPng)," this section begins with a discussion of the similarities and differences between the IPv4 and IPv6 versions of EIGRP. The remaining coverage of EIGRP focuses on the changes to EIGRP configuration and verification in support of IPv6.

EIGRP for IPv4 and IPv6–Theory and Comparisons

For the most part, EIGRP for IPv4 and for IPv6 have many similarities. The following list outlines some of the key differences:
■ EIGRP for IPv6 advertises IPv6 prefixes/lengths, rather than IPv4 subnet/mask information.
■ EIGRP for IPv6 uses the neighbor's link local address as the next-hop IP address.
■ EIGRP for IPv6 encapsulates its messages in IPv6 packets, rather than IPv4 packets.
■ Like RIPng and OSPFv3, EIGRP for IPv6 authentication relies on IPv6's built-in authentication and privacy features.
■ EIGRP for IPv6 has no concept of classful networks, so EIGRP for IPv6 cannot perform any automatic summarization.
■ EIGRP for IPv6 does not require neighbors to be in the same IPv6 subnet as a requirement to become neighbors.
Other than these differences, most of the details of EIGRP for IPv6 work like EIGRP for IPv4.
FF02::A

Configuring EIGRP for IPv6

EIGRP for IPv6 follows the same basic configuration style as for RIPng, plus a few additional steps, as follows:
Step 1. Enable IPv6 routing with the ipv6 unicast-routing global command.
Step 2. Enable EIGRP using the ipv6 router eigrp {1 – 65535} global configuration command.
Step 3. Enable IPv6 on the interface, typically with one of these two methods:
■ Configure an IPv6 unicast address on each interface, using the ipv6 address address/prefix-length [eui-64] interface command.
■ Configure the ipv6 enable command, which enables IPv6 and causes the router to derive its link local address.
Step 4. Enable EIGRP on the interface with the ipv6 eigrp asn interface subcommand (where asn matches the value used in the ipv6 router eigrp asn global configuration command).
Step 5. Enable EIGRP for IPv6 with a no shutdown command while in EIGRP configuration mode.
Step 6. If no EIGRP router ID has been automatically chosen, due to not having at least one working interface with an IPv4 address, configure an EIGRP router ID with the eigrp router-id rid command in EIGRP configuration mode.
R1# show running-config
! output is edited to remove lines not pertinent to this example
! Configuration step 1: enabling IPv6 routing
ipv6 unicast-routing
! Next, configuration steps 3 and 4, on 5 different interfaces
interface FastEthernet0/0.1
ipv6 address 2012::1/64
ipv6 eigrp 9
!
interface FastEthernet0/0.2
ipv6 address 2017::1/64
ipv6 eigrp 9
!
interface FastEthernet0/1.18
ipv6 address 2018::1/64
ipv6 eigrp 9
!
interface Serial0/0/0.3
ipv6 address 2013::1/64
ipv6 eigrp 9
!
interface Serial0/0/0.4
ipv6 address 2014::1/64
ipv6 eigrp 9
!
interface Serial0/0/0.5
ipv6 address 2015::1/64
ipv6 eigrp 9
!
! Configuration steps 2, 5, and 6
ipv6 router eigrp 9
no shutdown
eigrp router-id 10.10.34.3
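The six configuration steps can be checked against a running configuration before looking for neighbors. The following Python audit is an added example, not part of the original slides: the function names and finding texts are assumptions, and the sample is abridged from the R1 configuration above and re-indented the way IOS prints it.

```python
import re

# Abridged from the R1 configuration above, re-indented the way IOS prints it.
SAMPLE_CONFIG = """\
ipv6 unicast-routing
interface FastEthernet0/0.1
 ipv6 address 2012::1/64
 ipv6 eigrp 9
!
interface Serial0/0/0.3
 ipv6 address 2013::1/64
 ipv6 eigrp 9
!
ipv6 router eigrp 9
 no shutdown
 eigrp router-id 10.10.34.3
"""

def sections(config):
    """Map each top-level line to the list of indented lines under it."""
    out, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line[0] != " ":
            current = out.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return out

def audit_eigrp_ipv6(config):
    """Return de-duplicated findings for the six configuration steps above."""
    sec, findings = sections(config), []
    if "ipv6 unicast-routing" not in sec:
        findings.append("step 1: ipv6 unicast-routing missing")
    for name, body in sec.items():
        asns = [l.split()[2] for l in body if re.fullmatch(r"ipv6 eigrp \d+", l)]
        if not name.startswith("interface ") or not asns:
            continue
        if not any(l.startswith("ipv6 address ") or l == "ipv6 enable" for l in body):
            findings.append(f"step 3: {name} has no IPv6 address or ipv6 enable")
        proc = sec.get(f"ipv6 router eigrp {asns[0]}")
        if proc is None:
            findings.append(f"step 2/4: {name} uses ASN {asns[0]} with no matching process")
        elif "no shutdown" not in proc:
            findings.append(f"step 5: process {asns[0]} lacks no shutdown")
        elif not any(l.startswith("eigrp router-id ") for l in proc):
            findings.append(f"step 6: process {asns[0]} has no explicit router ID")
    return list(dict.fromkeys(findings))
```

The step 6 finding is informational: per the steps above, an explicit router ID is only required when no working interface has an IPv4 address.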

#show ipv6 route
D 2005::/64 [90/2684416]
via FE80::11FF:FE11:1111, Serial0/0/0.1
via FE80::22FF:FE22:2222, Serial0/0/0.2
D 2012::/64 [90/2172416]
via FE80::22FF:FE22:2222, Serial0/0/0.2
via FE80::11FF:FE11:1111, Serial0/0/0.1
D 2014::/64 [90/2681856]
via FE80::11FF:FE11:1111, Serial0/0/0.1
D 2015::/64 [90/2681856]
via FE80::11FF:FE11:1111, Serial0/0/0.1
! lines omitted for brevity...
D 2099::/64 [90/2174976]
via FE80::22FF:FE22:2222, Serial0/0/0.2
via FE80::11FF:FE11:1111, Serial0/0/0.1

! show ipv6 protocols displays less info than its IPv4 cousin.
R3# show ipv6 protocols
IPv6 Routing Protocol is "eigrp 9"
EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
EIGRP maximum hopcount 100
EIGRP maximum metric variance 1
Interfaces:
FastEthernet0/0
Serial0/0/0.1
Serial0/0/0.2
Redistribution:
None
Maximum path: 16
Distance: internal 90 external 170

R3# show ipv6 eigrp neighbors
IPv6-EIGRP neighbors for process 9
H   Address                 Interface   Hold  Uptime    SRTT  RTO  Q  Seq
1   Link-local address:     Se0/0/0.2   14    01:50:51  3     200  0  82
    FE80::22FF:FE22:2222
R3# show ipv6 eigrp topology
IPv6-EIGRP Topology Table for AS(9)/ID(10.10.34.3)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 2005::/64, 2 successors, FD is 2684416
via FE80::11FF:FE11:1111 (2684416/2172416), Serial0/0/0.1
via FE80::22FF:FE22:2222 (2684416/2172416), Serial0/0/0.2
P 2012::/64, 2 successors, FD is 2172416
via FE80::11FF:FE11:1111 (2172416/28160), Serial0/0/0.1
via FE80::22FF:FE22:2222 (2172416/28160), Serial0/0/0.2
P 2013::/64, 1 successors, FD is 2169856
via Connected, Serial0/0/0.1
! lines omitted for brevity
P 2099::/64, 2 successors, FD is 2174976
via FE80::11FF:FE11:1111 (2174976/30720), Serial0/0/0.1
via FE80::22FF:FE22:2222 (2174976/30720), Serial0/0/0.2
