I received a comment from Pushpasis Sarkar from Cisco on my previous post about the lack of EIGRP authentication on ASR9k. It made me wonder whether I had missed something during deployment. I remember we tested it hard in the lab, and the documentation stated clearly that it's not supported. I'm pretty sure, but not 100%, that we tested key chains both with and without a defined lifetime and cryptographic-algorithm, because we were also having some issues with IS-IS and key chains. And it never worked.
So I started new research by looking at the documentation. And surprise: now the documentation says that authentication is supported! But there is no information in the changelog that this feature was introduced, and no new release of the documentation. Nothing. And the documents for both the 3.9 and 4.0 IOS XR versions were changed. For 3.9 the routing chapter is still revision OL-20378-01 from December 2009, but the current document has 496 pages and the document I downloaded in August 2010 is 488 pages long. So something had indeed changed.
On page 138 of both documents there is a section “Restrictions for Implementing EIGRP”. This is how it reads now:
And this is how it looked a few months ago:
So one restriction has definitely been removed, and a whole new section, “Configuring an EIGRP Authentication Keychain”, has been introduced.
But is authentication really working? Surprisingly, yes. I implemented this simple configuration on the two ASR9000s I have now (release 4.0.1; I don't have 3.9 to test on right now, but my previous tests were performed on both 3.9 and 4.0.1):
!! IOS XR Configuration 4.0.1
key chain test
 key 1
  accept-lifetime 00:00:00 january 01 2010 infinite
  key-string password 00554155500E
  send-lifetime 00:00:00 january 01 2010 infinite
  cryptographic-algorithm MD5
 !
!
router eigrp 65000
 address-family ipv4
  interface GigabitEthernet0/3/0/0
   authentication keychain test
  !
 !
!
end
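One caveat worth stating about the key chain above: the `key-string password <hex>` form is the Cisco "type 7" scheme, which is a fixed-key XOR rather than encryption, so the EIGRP key can be recovered by anyone who can read the running config (backups, accounting logs, a `show run` pasted into a post). The following is an added example, not code from the original post or from Cisco: a decoder for that scheme plus a small scanner that pulls every key-string out of a key chain block. The key-string value is the one from the config above; the XOR key constant is the publicly known type 7 key; the config parsing only understands the indentation style shown on this page.

```python
"""Added example (not from the original post): recover the plaintext of the
key-string shown in the IOS XR key chain above.

IOS and IOS XR store `key-string password <hex>` with the Cisco "type 7"
scheme: a two-digit seed followed by hex pairs XORed with a fixed, public
key. It hides the password from a casual glance and nothing more, so an
EIGRP key chain must be handled as a secret even in "obfuscated" form.
"""

# Fixed XOR key used by the Cisco type 7 scheme (publicly known).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Decode a type 7 string: 2-digit decimal seed, then hex pairs XORed
    with TYPE7_KEY starting at the seed offset."""
    if len(encoded) < 4 or len(encoded) % 2 != 0 or not encoded.isalnum():
        raise ValueError("not a type 7 string")
    seed = int(encoded[:2], 10)
    if seed > 15:  # Cisco only uses seed offsets 0..15
        raise ValueError("seed out of range")
    body = bytes.fromhex(encoded[2:])
    return "".join(
        chr(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]) for i, b in enumerate(body)
    )


def type7_encode(plain: str, seed: int = 0) -> str:
    """Inverse of type7_decode, useful for round-trip checks."""
    out = [f"{seed:02d}"]
    for i, ch in enumerate(plain.encode()):
        out.append(f"{ch ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]:02X}")
    return "".join(out)


def keychain_secrets(config: str) -> dict:
    """Return {key id: plaintext} for every `key-string password <type7>`
    line in an IOS XR key chain block. Written for this example; it relies on
    `key <n>` lines preceding their key-string, as in the config above."""
    secrets = {}
    current_key = None
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["key"] and len(tok) == 2 and tok[1].isdigit():
            current_key = int(tok[1])
        elif tok[:2] == ["key-string", "password"] and current_key is not None:
            secrets[current_key] = type7_decode(tok[2])
    return secrets


# Constructed copy of the key chain from the config above.
CONFIG = """\
key chain test
 key 1
  accept-lifetime 00:00:00 january 01 2010 infinite
  key-string password 00554155500E
  send-lifetime 00:00:00 january 01 2010 infinite
  cryptographic-algorithm MD5
 !
!
"""

if __name__ == "__main__":
    for key_id, plain in keychain_secrets(CONFIG).items():
        print(f"key {key_id}: {plain!r}")
```

Run it against the block above and the lab key falls out immediately, which is the point: MD5 authentication on the wire is only as strong as the secrecy of the key chain, and the type 7 form does not provide that secrecy. Keep configs containing key chains out of world-readable backups and change the key if a config has been shared.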
And now we can see that the neighbor relationship is established properly and authentication is used:
RP/0/RSP0/CPU0:ASR-9010(config)#do sh eigrp interfaces gigabitEthernet 0/3/0/0
Sat Apr 23 10:49:57.433 UTC

IPv4-EIGRP interfaces for AS(65000)

                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Gi0/3/0/0          1        0/0       12       0/10           50           0
  Hello interval is 5 sec, hold time is 15 sec
  Next xmit serial
  Un/reliable mcasts: 0/3  Un/reliable ucasts: 4/3
  Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 2
  Retransmissions sent: 0  Out-of-sequence rcvd: 1
  Bandwidth percent is 50
  Total packets received: 713
  Authentication mode: MD5  Key chain: test
    Current active key id: 1
    Valid authenticated packets received: 391
    Packets dropped due to wrong keychain config: 0
    Packets dropped due to missing authentication: 245
    Packets dropped due to invalid authentication: 0
  Effective Metric:
    Bandwidth: 1000000, Delay: 1, Reliability: 255, Load: 1, MTU: 1500
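The authentication counters in that output are the part worth reading carefully: 245 packets dropped for missing authentication means the peer was sending unauthenticated hellos at some point (expected only while the other side is still being configured), while invalid-authentication drops would point at a key mismatch or a host spoofing EIGRP on the segment. The following is an added example, not code from the original post or from Cisco: a parser for the `show eigrp interfaces` layout above and a checker that turns those counters into findings. The column layout and counter names are taken from the output on this page; the SAMPLE text is a constructed copy of it plus a second, unauthenticated interface (Gi0/3/0/1) invented for the example, represented simply by the absence of an "Authentication mode" line.

```python
"""Added example, not code from the original post: parse the
`show eigrp interfaces <if>` output shown above and grade each interface's
authentication posture from the counters the router reports.

Assumptions: line layout and counter names are those of the output in the
post; SAMPLE is a constructed copy of it, with a second interface
(Gi0/3/0/1, invented here) that has no "Authentication mode" line.
"""

import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE = """\
IPv4-EIGRP interfaces for AS(65000)

                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Gi0/3/0/0          1        0/0       12       0/10           50           0
  Hello interval is 5 sec, hold time is 15 sec
  Total packets received: 713
  Authentication mode: MD5  Key chain: test
    Current active key id: 1
    Valid authenticated packets received: 391
    Packets dropped due to wrong keychain config: 0
    Packets dropped due to missing authentication: 245
    Packets dropped due to invalid authentication: 0
Gi0/3/0/1          1        0/0       10       0/10           50           0
  Hello interval is 5 sec, hold time is 15 sec
  Total packets received: 120
"""

# Interface summary row: name, peers, xmit queue, SRTT, pacing, flow timer, pending.
INTERFACE_RE = re.compile(r"^(\S+)\s+(\d+)\s+\d+/\d+\s+\d+\s+\d+/\d+\s+\d+\s+\d+\s*$")
AUTH_RE = re.compile(r"^\s+Authentication mode:\s+(\S+)\s+Key chain:\s+(\S+)")
# Any indented "<label>: <integer>" line (includes "Current active key id").
COUNTER_RE = re.compile(r"^\s+([A-Za-z][A-Za-z ]*?):\s+(\d+)\s*$")


@dataclass
class EigrpInterface:
    name: str
    peers: int
    auth_mode: Optional[str] = None
    key_chain: Optional[str] = None
    counters: Dict[str, int] = field(default_factory=dict)


def parse_show_eigrp_interfaces(text: str) -> List[EigrpInterface]:
    """Split the show output into one record per interface."""
    interfaces: List[EigrpInterface] = []
    cur: Optional[EigrpInterface] = None
    for line in text.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            cur = EigrpInterface(name=m.group(1), peers=int(m.group(2)))
            interfaces.append(cur)
            continue
        if cur is None:
            continue  # banner / header lines before the first interface
        m = AUTH_RE.match(line)
        if m:
            cur.auth_mode, cur.key_chain = m.group(1), m.group(2)
            continue
        m = COUNTER_RE.match(line)
        if m:
            cur.counters[m.group(1).lower()] = int(m.group(2))
    return interfaces


def auth_findings(iface: EigrpInterface) -> List[str]:
    """Turn the authentication counters into a list of problems (empty = clean)."""
    c = iface.counters
    if iface.auth_mode is None:
        return [f"{iface.name}: no authentication configured; any host on the "
                "segment can form an adjacency and inject routes"]
    findings = []
    n = c.get("packets dropped due to invalid authentication", 0)
    if n:
        findings.append(f"{iface.name}: {n} packets failed {iface.auth_mode} "
                        "verification (key mismatch or spoofed EIGRP traffic)")
    n = c.get("packets dropped due to missing authentication", 0)
    if n:
        findings.append(f"{iface.name}: {n} unauthenticated packets seen; fine "
                        "during rollout, otherwise a peer is running without auth")
    n = c.get("packets dropped due to wrong keychain config", 0)
    if n:
        findings.append(f"{iface.name}: {n} drops from local key chain config "
                        f"(check key lifetimes in '{iface.key_chain}')")
    if iface.peers and not c.get("valid authenticated packets received", 0):
        findings.append(f"{iface.name}: peers up but no authenticated packets counted")
    return findings


if __name__ == "__main__":
    for iface in parse_show_eigrp_interfaces(SAMPLE):
        for finding in auth_findings(iface) or [f"{iface.name}: ok"]:
            print(finding)
```

Once the key chain is active on both routers the missing-authentication counter should stop growing; a counter that keeps climbing after rollout, or any non-zero invalid-authentication count, is what to alert on.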
So there is a slight chance that I missed something during my tests. But the question is also why Cisco changes documentation without notice, and whether it also changes software without notice. I understand there might be mistakes in documents like that, but why hide the fact that something was changed? Not really nice :/