EIGRP Authentication per Neighbor

Hi Hussein,

That’s right, the virtual template is like a template, it’s not a (virtual) interface so it’s possible.

I haven’t tried this with OSPF, it might work since the OSPF key is configured on the interface. Keep in mind this is just a crazy trick to get around a possible requirement that you could face on a CCIE lab :slight_smile:

Rene

1 Like

Hi Hussein,

That’s right, if your routers are on the same multi access segment then they will become neighbors if you use the same key. Routing protocols like RIP, OSPF or EIGRP don’t support any per-neighbor authentication (except for this crazy trick). BGP is one of the routing protocols that does support authentication per neighbor.

Rene

1 Like

Do you mean we can use this trick in an Ethernet network? If yes, how can we use the "frame-relay interface-dlci DLCINUMBER ppp Virtual-Template NUMBER" command on Fast Ethernet or Gigabit Ethernet interfaces, since frame-relay commands are used only on serial interfaces?

Hi Hussein,

Maybe if you would use sub-interfaces on an Ethernet interface and try to apply the virtual templates there but I think it won’t accept it.

Rene

1 Like

Hi Rene,

Thanks… Perfect explanation.

Adil

Hi Rene,

So virtual-template only applies to PPP links?

Rgds,

Shannon

Shannon,
I believe you are correct. The applications of Virtual Templates that I can think of are PPP related.

1 Like

Hi Andrew,

Thank you for confirming!

Rgds,

Shannon

Maybe this whole lesson needs to be taken down.
No more frame relay on exam and I can’t see why they would ask this for DMVPN.
Besides I can’t think of how to do this on DMVPN :slight_smile:

Hello Rene
Hello NetworkLessons Team
I also tried the same topic today with Ethernet interfaces, but I didn’t understand why R3 will not make any EIGRP neighborship.

-R1
key chain key1
 key 1
  key-string R1-R2

key chain key2
 key 1
  key-string R1-R3

interface Ethernet0/2
 ip address 192.168.123.1 255.255.255.0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 key1

router eigrp 1
 network 192.168.123.0

-R2
key chain key1
 key 1
  key-string R1-R2

interface Ethernet0/0
 ip address 192.168.123.2 255.255.255.0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 key1

router eigrp 1
 network 192.168.123.0

-R3
key chain key2
 key 1
  key-string R1-R3

interface Ethernet0/1
 ip address 192.168.123.3 255.255.255.0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 key2

router eigrp 1
 network 192.168.123.0

Thanks also for this fantastic learning platform!

Mauri

Hello Maurizio

In this lesson, we have a hub and spoke frame relay topology. Both R2 and R3 must become EIGRP neighbors with R1. These neighbor adjacencies will both be made via the S0/0 interface of R1. If there is no authentication, then we’re OK. But if there is authentication, then we have a problem, the problem you are facing.

Because the authentication key is assigned to the interface, you can only have one authentication key. So you have assigned key1 to the interface on R1. This means that only R2 will be able to authenticate. R3 is using key2 while you have only configured key1 on R1.

In order to get around this, and to be able to assign both key chains to the single interface, you must use what are known as virtual templates. A virtual template is an entity you can create that contains a set of predefined configurations for interfaces. You can then assign one or more virtual templates to an interface.

In this case, you can create two virtual interfaces, assign each one a particular keychain, bind the virtual template to a particular DLCI, and assign them to the Serial 0/0 interface (in your case the Ethernet 0/2 interface).

For more information, take a look at the specific configuration in the lesson.

I hope this has been helpful!

Laz

1 Like
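
An added example, not part of the original posts: a small Python audit of the three configurations posted above that reports which routers on the shared subnet cannot authenticate each other's EIGRP packets. It assumes the sender uses the lowest-numbered key in the bound chain and ignores key lifetimes; the function names and the `sample` helper are hypothetical.

```python
import ipaddress
from itertools import combinations, product

def sample(chain, secret, intf, host):
    """Constructed input: one router's config as posted above (one chain, one interface)."""
    return (f"key chain {chain}\n key 1\n  key-string {secret}\n"
            f"interface {intf}\n ip address 192.168.123.{host} 255.255.255.0\n"
            " ip authentication mode eigrp 1 md5\n"
            f" ip authentication key-chain eigrp 1 {chain}\n")

CONFIGS = {  # R1 also defines key2 but, as in the post, binds only key1 to the interface
    "R1": "key chain key2\n key 1\n  key-string R1-R3\n" + sample("key1", "R1-R2", "Ethernet0/2", 1),
    "R2": sample("key1", "R1-R2", "Ethernet0/0", 2),
    "R3": sample("key2", "R1-R3", "Ethernet0/1", 3),
}

def parse(cfg):
    """Return [(subnet, {key_id: key_string})] for each interface and its bound key chain."""
    chains, intfs, chain, key_id = {}, [], None, None
    for w in (line.split() for line in cfg.splitlines()):
        if w[:2] == ["key", "chain"]:
            chain = chains.setdefault(w[2], {})
        elif w[:1] == ["key"]:
            key_id = int(w[1])
        elif w[:1] == ["key-string"]:
            chain[key_id] = w[1]
        elif w[:1] == ["interface"]:
            intfs.append({"net": None, "chain": None})
        elif w[:2] == ["ip", "address"]:
            intfs[-1]["net"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
        elif w[:3] == ["ip", "authentication", "key-chain"]:
            intfs[-1]["chain"] = w[-1]
    return [(i["net"], chains.get(i["chain"], {})) for i in intfs]

def accepts(rx, tx):
    """rx validates tx only if it holds tx's sending key (lowest ID) with the same string."""
    return rx.get(min(tx)) == tx[min(tx)] if rx and tx else rx == tx

def auth_mismatches(configs):
    """Router pairs on a shared subnet whose bound key chains cannot authenticate each other."""
    parsed = {name: parse(cfg) for name, cfg in configs.items()}
    bad = []
    for a, b in combinations(sorted(parsed), 2):
        for (net_a, ka), (net_b, kb) in product(parsed[a], parsed[b]):
            if net_a is not None and net_a == net_b and not (accepts(ka, kb) and accepts(kb, ka)):
                bad.append((a, b))
    return bad
```

Binding key2 on R1 instead only moves the failure to the R1/R2 pair, because the interface still carries a single key chain.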

Hello,

As mentioned in a previous reply about DMVPN…(I know years ago). But can Virtual-Templates be implemented to work with DMVPN? I’ve tried to do a little bit of googling but I’ve not found any real example out there. I don’t need an entire lesson but just is this worth trying with DMVPN? Thanks!
Cordially,
Ronnie

Hello Ronald

I went in and tried labbing this one up to see if I could create virtual templates to be used in this manner, but there’s no way to apply them on the tunnel interface for each spoke. Although EIGRP authentication can be and is implemented over DMVPN topologies, it is not applied on a per spoke basis but using the same key for all EIGRP neighbors. I tried labbing up the latter and it worked fine.

I hope this has been helpful!

Laz

1 Like

Thanks for the response! Very helpful to know it’s not worth trying to do it!

1 Like

Can I do the same for DMVPN? If yes, can you please brief it.

I feel like the word frame relay and things pertaining to it should not be allowed to be mentioned anymore lol… I am ready to vote for martial law on this item!

Hello Brian

I understand what you mean! It’s difficult to find networks where Frame Relay is still in use today. They do exist, but they are becoming rarer and rarer…

Even so, there are some features, especially of routing protocols, that can only be reviewed using non-broadcast technologies, such as EIGRP authentication per neighbor, as well as OSPF network types. For this reason, Frame Relay is still alive in Cisco certifications, because it is the most common non-broadcast technology, and it is also the easiest to emulate.

In a few years, however, even these features will be phased out of the certification exams, so patience… :slight_smile:

I hope this has been helpful!

Laz

Hi Rene, thanks for this lesson. I tried to make this lab, but what is the configuration for the Frame Relay device in the middle? All the 3 routers are serial connecting to which interfaces?

Hello Mustafa

The frame relay switch found at the center of the topology can only be simulated or emulated. If you’re using Cisco’s Packet Tracer, you must use the Cisco Packet Tracer Cloud, written as “Cloud-PT” to simulate the frame relay switch.

image
As you can see in the image above, it is found within the group indicated by the cloud icon.

For GNS3, it has a built-in frame relay switch that you can use. You can find it under the “all devices” category as shown below:
image

Other emulators have similar methods of emulating frame relay switches. Now if you’re using real physical equipment, then you will need a router that supports frame relay to act as a FR switch, such as the 7200 series with the appropriate IOS. However, it is typically difficult to obtain such devices to serve this purpose, mostly due to their cost.

I hope this has been helpful!

Laz

Hello Mustafa

One more thing. You can see in this lesson how to configure a Cisco IOS router to act as a Frame-Relay switch:

I hope this has been helpful!

Laz