23 Apr

Secret changes in Cisco documentation (follow up on “No EIGRP neighbor authentication on ASR9K” post)

I received comment from Pushpasis Sarkar from Cisco on my previous post about lack of EIGRP authentication on ASR9k. It made me wonder if I missed something during deployment? I remember we were testing it hardly in lab and documentation stated clearly it’s not supported. I’m pretty sure, but 100%, that we were testing key chains both with and without defined lifetime and cryptographic-algorithm, because we were having some issues with IS-IS and key chains too. And it never worked.

So I started my new research looking at documentation. And surprise – now documentation says that authentication is supported! But no information in changelog that this feature was introduced, no new release of documentation. Nothing. And both 3.9 and 4.0 IOS XR versions documents were changed. For 3.9 routing chapter is still revision OL-20378-01 from December 2009, but current document have 496 pages and document downloaded on August 2010 is 488 long. So something had changed indeed.

On page 138 in both documents there is section “Restrictions for Implementing EIGRP”. This is how it is now:

And that’s how it looked like few months ago:

So definitely one restriction has been removed. And whole new section “Configuring an EIGRP Authentication Keychain” has been introduced.

But is authentication is really working? Surprisingly yes. I implemented this simple configuration on two ASR9000 I have now (it’s release 4.0.1, don’t have 3.9 to test on it right now, but my previous tests were performed on both 3.9 and 4.0.1 releases)

!! IOS XR Configuration 4.0.1
key chain test
 key 1
  accept-lifetime 00:00:00 january 01 2010 infinite
  key-string password 00554155500E
  send-lifetime 00:00:00 january 01 2010 infinite
  cryptographic-algorithm MD5
 !
!
router eigrp 65000
 address-family ipv4
  interface GigabitEthernet0/3/0/0
   authentication keychain test
  !
 !
!
end

And what we can see now neighborship relation is established properly and authentication is used

RP/0/RSP0/CPU0:ASR-9010(config)#do sh eigrp interfaces gigabitEthernet 0/3/0/0$
Sat Apr 23 10:49:57.433 UTC

IPv4-EIGRP interfaces for AS(65000)

                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Gi0/3/0/0          1        0/0        12       0/10          50           0
  Hello interval is 5 sec, hold time is 15 sec
  Next xmit serial 
  Un/reliable mcasts: 0/3  Un/reliable ucasts: 4/3
  Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 2
  Retransmissions sent: 0  Out-of-sequence rcvd: 1
  Bandwidth percent is 50
  Total packets received: 713
  Authentication mode: MD5  Key chain: test
  Current active key id: 1
  Valid authenticated packets received: 391
  Packets dropped due to wrong keychain config: 0
  Packets dropped due to missing authentication: 245
  Packets dropped due to invalid authentication: 0
  Effective Metric:
    Bandwidth: 1000000, Delay: 1, Reliability: 255, Load: 1, MTU: 1500

So there is slight chance that i missed something during my tests. But the question also is why Cisco is changing documentation without notice and is it also changing software without notice? I understand there might be mistakes in documents like that but why to hide fact that something was changed? Not really nice :/

Leave a Reply

%d bloggers like this: