EIGRP neighbor formation is the bedrock of any EIGRP deployment — without it, routes never exchange, and your network stays dark. The CCNA 200-301 exam (objective 3.5) frequently tests your ability to diagnose why an EIGRP neighbor won't form, using show commands and knowledge of timers, authentication, and network statements. In the real world, a single mismatched K-value or ACL blocking multicast 224.0.0.10 can take down an entire branch office; mastering this troubleshooting flow saves hours of head-scratching.
Jump to a section
Imagine a club of hikers who use walkie-talkies to stay connected. To join the club, a new hiker must tune to the correct channel (224.0.0.10), speak the same language (AS number), and use the same radio settings (K-values). If the new hiker's radio is set to a different sub-channel (mismatched subnet), the others hear static but ignore it. If one hiker uses a secret code (MD5 authentication) and the other doesn't, the message is garbled and discarded. Even if all settings match, if the new hiker is too far away (max-hop count exceeded) or their battery is weak (passive interface), they never get a response. The club has a strict rule: every member must shout 'Hello!' every 5 seconds (Hello timer), and if they don't hear a 'Hello' back within 15 seconds (Hold timer), they assume the other member left. If one hiker shouts every 5 seconds but the other expects a shout every 10 seconds (mismatched timers), the faster shouter's messages arrive too early and are ignored? Actually, EIGRP doesn't reject Hellos due to timer mismatch; it simply adjusts. But if the Hold timer on one side expires before the next Hello arrives, the neighbor is declared dead. This analogy directly maps: Hello packets are the shouts, the AS number is the language, K-values are radio settings, and passive interfaces are like telling the hiker 'don't use your radio at all.' When troubleshooting, you check each of these layers to find the broken link.
What is EIGRP Neighbor Formation and Why Does It Fail?
EIGRP (Enhanced Interior Gateway Routing Protocol) is a Cisco-proprietary distance-vector routing protocol that uses a neighbor discovery mechanism based on periodic Hello messages. For two routers to become EIGRP neighbors, they must exchange Hello packets successfully and agree on several parameters. When a neighbor fails to form, the root cause almost always lies in one of a handful of areas: Layer 1/2 connectivity, IP addressing, EIGRP configuration (AS number, network statements, passive interfaces), authentication mismatch, K-value mismatch, or ACLs blocking EIGRP traffic.
The exam objective 3.5 (Troubleshoot EIGRP) expects you to methodically isolate the issue using show commands. Cisco's troubleshooting methodology is layered: start with physical connectivity, then Layer 3 reachability, then EIGRP-specific parameters.
Step-by-Step Mechanism of Hello Exchange
EIGRP routers send Hello packets to the multicast address 224.0.0.10 every 5 seconds on most LAN interfaces (default Hello timer). On low-speed NBMA links (e.g., Frame Relay with bandwidth less than 1.544 Mbps), the default Hello timer is 60 seconds. The Hold timer is by default three times the Hello timer: 15 seconds for LAN, 180 seconds for low-speed NBMA.
The process: 1. Router A sends a Hello packet with its K-values, AS number, authentication data (if configured), and a list of neighbors it already knows. 2. Router B receives the Hello. It checks:
- The source IP must be on the same subnet as Router B's interface. - The AS number must match. - The K-values must match (though Cisco IOS by default uses 'metric weights 0 1 0 1 0 0', which is K1=1, K2=0, K3=1, K4=0, K5=0; any deviation must match exactly). - If authentication is configured, the key and algorithm (MD5 or SHA-256) must match. 3. If all checks pass, Router B adds Router A to its neighbor table and sends its own Hello back. 4. Both routers then transition to the INIT state, then to TWO-WAY (if they see their own Router ID in the other's Hello), and finally to FULL after exchanging topology tables via Update packets.
Key States and Timers
Down: No Hello received.
Init: Hello received but not two-way (no self-RID in neighbor's Hello).
Two-way: Bidirectional communication established.
Exstart/Exchange: Master/slave negotiation and topology exchange.
Loading: Requesting missing routes.
Full: Fully converged.
Troubleshooting focuses on the first two states. If you never see a neighbor reach 'Init', the problem is likely at Layer 1/2, ACL, or passive interface. If you see Init but not Two-way, check authentication or mismatched parameters.
IOS CLI Verification Commands
The primary command is show ip eigrp neighbors. Example output:
R1# show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 192.168.1.2 GigabitEthernet0/0 12 00:01:23 1 100 0 5Key fields: Hold (remaining hold time), Uptime (time since neighbor became FULL). If no neighbors appear, EIGRP is not receiving Hellos.
Other vital commands:
- show ip eigrp interfaces – shows interfaces on which EIGRP is active.
- show ip eigrp topology – shows route entries.
- debug eigrp packets – use with caution in production; shows Hello, Update, Query, Reply packets.
- show ip protocols – displays AS number, router ID, networks, passive interfaces, K-values.
Example output of show ip protocols:
R1# show ip protocols
*** IP Routing is NSF aware ***
Routing Protocol is "eigrp 100"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Default networks flagged in outgoing updates
Default networks accepted from incoming updates
EIGRP-IPv4 Protocol for AS(100)
Metric weight K1=1, K2=0, K3=1, K4=0, K5=0
NSF-aware route hold timer is 240
Router-ID: 10.0.0.1
Topology : 0 (base)
Active Timer: 3 min
Distance: internal 90 external 170
Maximum path: 4
Maximum hopcount 100
Maximum metric variance 1
Interfaces:
GigabitEthernet0/0
GigabitEthernet0/1
Redistribution:
NoneInteraction with Related Protocols
EIGRP uses RTP (Reliable Transport Protocol) for Updates, Queries, and Replies, but Hello packets are sent unreliably via multicast. ACLs that deny 224.0.0.10 will block Hellos. Additionally, if a switchport has port security or VLAN mismatch, Layer 2 frames carrying EIGRP packets may be dropped. EIGRP also relies on the IP routing table for reachability; if a neighbor's interface is down, the route is removed.
Verify Layer 1/2 Connectivity
Start with the basics: can the routers ping each other? Use `ping` from each router to the other's interface IP. If ping fails, check cable, interface status (show ip interface brief), and VLAN configuration. Ensure both interfaces are up/up. A common trap: the interface is administratively down or the cable is faulty. Also verify that the switchports connecting the routers are in the correct VLAN and not blocked by spanning-tree. If Layer 2 is broken, EIGRP never receives Hellos.
Verify IP Subnet Match
EIGRP requires that the two routers' interfaces be on the same subnet. Use `show ip interface brief` and `show running-config interface` to confirm IP addresses and subnet masks. If one router has /24 and the other has /25 on the same network, they may not see each other as on the same subnet. For example, 192.168.1.1/24 and 192.168.1.2/25: the /25 router considers the subnet 192.168.1.0/25, but the /24 router considers 192.168.1.0/24; they do not match, so Hellos are ignored. This is a frequent exam trap.
Verify EIGRP AS Number and Network Statements
Run `show ip protocols` and check the AS number. Both routers must use the same AS number in the `router eigrp <AS>` command. Also verify that the interface is included in a `network` statement. EIGRP uses classful or wildcard-mask matching. For example, `network 192.168.1.0` includes all interfaces in the 192.168.1.0/24 subnet. If the network statement is missing, EIGRP will not send Hellos on that interface. Check `show ip eigrp interfaces` to see which interfaces are active. If the interface does not appear, the network statement is missing or the interface is passive.
Check for Passive Interface Configuration
A passive interface in EIGRP prevents both sending and receiving Hellos (unlike OSPF where passive only stops sending). Use `show ip protocols` to see if the interface is listed as passive. If it is, remove it with `no passive-interface <interface>`. This is a classic misconfiguration: someone sets passive-interface default and forgets to enable the specific interface. The neighbor will never form because Hellos are suppressed.
Verify Authentication Settings
If authentication is configured, both sides must use the same key, key ID, and algorithm (MD5 or SHA-256). Use `show key chain` and `show running-config | section key chain` to inspect. Common mistakes: mismatched key strings, different key IDs, or one side has authentication enabled while the other does not. Use `debug eigrp packets` (with caution) to see if authentication failures are logged. If authentication fails, the routers will remain in Init state.
Inspect ACLs and Firewall Rules
ACLs applied to the interface (inbound or outbound) can block EIGRP traffic. EIGRP uses protocol number 88 and multicast address 224.0.0.10. Check with `show ip access-lists` and `show running-config | include access-list`. An ACL that denies 224.0.0.10 or protocol 88 will silently drop Hellos. Also check for VACLs on switches. This is a common exam scenario: after applying an ACL, EIGRP neighbors drop.
Check K-Value and Metric Weights
By default, EIGRP uses K1=1, K2=0, K3=1, K4=0, K5=0. If either router has non-default K-values (via `metric weights`), they must match exactly. Use `show ip protocols` to compare. Mismatched K-values cause Hellos to be ignored. This is rare but appears on the exam as a trick. The routers will not form adjacency; they remain in Down state.
In enterprise networks, EIGRP is often used in data center or campus environments where Cisco gear dominates. A typical scenario: a branch router connects to a headquarters router via a WAN link. The branch router is newly deployed, and the EIGRP neighbor won't form. The engineer starts with show ip eigrp neighbors on both ends — empty. Then show ip interface brief shows both interfaces up/up. Pings succeed. show ip protocols reveals that the branch router has a different AS number (100 vs 200) — the first misconfiguration. After correcting the AS, still no neighbor. show ip eigrp interfaces shows the WAN interface is not listed — the network statement uses a wildcard that doesn't match the interface subnet. Fixing the network statement brings the neighbor up.
Another scenario: a security team implements an ACL on the WAN edge router to block non-essential traffic. They copy a standard ACL that denies any any inbound, but forget to permit EIGRP. Suddenly, all EIGRP neighbors go down. The engineer uses show ip eigrp neighbors and sees nothing, then debug eigrp packets reveals no Hellos received. Checking the ACL with show ip access-lists shows the deny statement. Adding permit eigrp any any before the deny fixes it.
Performance considerations: EIGRP scales well up to hundreds of routers, but neighbor formation can be slow if the Hello timer is increased (e.g., on satellite links). The default timers are fine for most links. Misconfigurations like passive interface on a transit link are common when using passive-interface default and forgetting to enable the necessary interface. In production, always verify neighbor formation after any configuration change using show ip eigrp neighbors and monitor uptime.
The CCNA 200-301 exam tests EIGRP troubleshooting under objective 3.5. Expect scenario-based questions where you are given show command outputs and must identify why a neighbor is not forming. The most common wrong answers:
'Mismatched Hello timers' — Candidates often think mismatched Hellos break adjacency. In reality, EIGRP does not require Hello timers to match; each router uses its own. However, if the Hold timer on one side is less than the Hello interval of the other, the neighbor may time out. But the exam rarely tests this as a cause; instead, they test mismatched K-values or AS numbers.
'The interface is down' — Sometimes the output shows the interface is up/up, but candidates still choose this because they didn't read carefully. Always verify the interface status in the output.
'Authentication type mismatch' — EIGRP supports MD5 and SHA-256; if one side uses MD5 and the other SHA-256, they won't form adjacency. Candidates may think any authentication works. The exam may show a debug output with 'authentication failure'.
'The network statement is missing' — This is a valid cause, but candidates sometimes miss that the network statement uses a wildcard mask that does not include the interface IP. For example, network 10.0.0.0 0.0.0.255 does not include 10.1.1.1/24.
Specific values to memorize: default Hello 5 sec (LAN), 60 sec (low-speed NBMA); default Hold 15 sec (LAN), 180 sec (NBMA). K-values default: K1=1, K2=0, K3=1, K4=0, K5=0. AS number must match. Router ID is highest loopback or highest active interface IP.
Decision rule: When given a 'neighbor not forming' scenario, first check Layer 1/2 (ping), then Layer 3 (subnet match), then EIGRP-specific (AS, network, passive, authentication, K-values). Eliminate options that contradict the show output.
EIGRP Hello packets are sent to multicast 224.0.0.10 every 5 seconds by default on LAN interfaces.
Hold timer default is 15 seconds on LAN (3x Hello); on low-speed NBMA, Hello=60s, Hold=180s.
K-values must match between neighbors; default is metric weights 0 1 0 1 0 0 (K1=1, K2=0, K3=1, K4=0, K5=0).
Passive interface in EIGRP suppresses both sending and receiving Hellos (unlike OSPF).
Use 'show ip eigrp neighbors' to view neighbor state; if empty, no Hellos are being exchanged.
Use 'show ip protocols' to verify AS number, K-values, passive interfaces, and network statements.
Authentication (MD5 or SHA-256) must match exactly; mismatched key strings or missing authentication break adjacency.
These come up on the exam all the time. Here's how to tell them apart.
EIGRP Neighbor Formation
Uses multicast 224.0.0.10 for Hellos.
Default Hello timer 5 sec (LAN), 60 sec (low-speed NBMA).
Hold timer default 15 sec (LAN), 180 sec (NBMA).
No requirement for Hello/Dead timer match; only Hold timer must be > Hello interval.
Passive interface suppresses both sending and receiving Hellos.
K-values must match; default K1=1, K2=0, K3=1, K4=0, K5=0.
OSPF Neighbor Formation
Uses multicast 224.0.0.5 (all OSPF routers) and 224.0.0.6 (DR/BDR).
Default Hello timer 10 sec (broadcast), 30 sec (NBMA).
Dead timer default 40 sec (broadcast), 120 sec (NBMA).
Requires matching Hello and Dead intervals to form adjacency.
Passive interface only stops sending Hellos; still receives them.
No K-values; uses cost based on bandwidth (default reference bandwidth 100 Mbps).
Mistake
EIGRP neighbors require matching Hello timers to form adjacency.
Correct
EIGRP does not require Hello timers to match; each router uses its own Hello timer. However, the Hold timer must be greater than the Hello interval of the neighbor, or the neighbor may time out. Mismatched Hold timers can cause flapping, but not failure to form.
Candidates confuse EIGRP with OSPF, which does require matching Hello/Dead intervals.
Mistake
If an interface is passive under EIGRP, the router can still receive Hellos but not send them.
Correct
In EIGRP, a passive interface prevents both sending and receiving Hellos. This is different from OSPF, where a passive interface only stops sending Hellos but can still receive them.
The term 'passive' is interpreted differently in OSPF vs EIGRP.
Mistake
EIGRP neighbors must be in the same subnet to exchange routes, but they can form adjacency across different subnets if the router has a route to the neighbor.
Correct
EIGRP requires that the two interfaces be on the same IP subnet. Hellos are only processed if the source IP address matches the subnet configured on the receiving interface. A route to the neighbor is not sufficient.
Candidates think routing protocols can form adjacencies across subnets like BGP, but EIGRP is fundamentally link-local.
Mistake
If an ACL blocks EIGRP traffic, you will see the neighbor in Init state.
Correct
If an ACL blocks Hellos, the neighbor will never appear in the neighbor table at all, not even in Init state. Init state requires receiving a Hello. The neighbor will be in Down state.
Candidates confuse the effect of ACLs with authentication failures, which can leave the neighbor in Init.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Ping success confirms Layer 1-3 connectivity, but EIGRP requires additional parameters to match. Common causes: mismatched AS number, missing or incorrect network statement, passive interface configuration, or ACL blocking multicast 224.0.0.10 or protocol 88. Use 'show ip protocols' to verify AS and network statements, and 'show ip eigrp interfaces' to see if the interface is active. Also check for authentication or K-value mismatch. The neighbor table will only populate after successful Hello exchange.
No. EIGRP requires that the interfaces be on the same IP subnet. The Hello packet's source IP must match the subnet configured on the receiving interface. If the subnet masks differ, the routers may not consider themselves on the same subnet. For example, 10.1.1.1/24 and 10.1.1.2/25: both are in 10.1.1.0/24, but the /25 router thinks its subnet is 10.1.1.0/25, so it will accept Hellos from 10.1.1.1 (since it's within 10.1.1.0/25). However, the /24 router will accept Hellos from 10.1.1.2. So it might work. But if the addresses are 10.1.1.1/24 and 10.1.2.1/24, they are on different subnets and will not form adjacency.
In EIGRP, a passive interface suppresses both sending and receiving Hellos, effectively disabling neighbor formation on that interface. In OSPF, a passive interface only stops sending Hellos but still allows receiving Hellos and forming adjacencies (though the router will not send Hellos, so neighbors may not discover it). This is a common exam trap: candidates assume EIGRP behaves like OSPF. Always remember: EIGRP passive = no Hellos in or out.
Use 'show key chain' to list key chains and their keys. Use 'show running-config | section key chain' to see the configuration. On the interface, use 'show running-config interface <int>' to verify 'ip authentication mode eigrp <as> md5' or 'sha256' and 'ip authentication key-chain eigrp <as> <name>'. Also use 'debug eigrp packets' to see if authentication failures are logged. If authentication fails, the neighbor will remain in Init state.
On most LAN interfaces (including Ethernet, FastEthernet, GigabitEthernet), the default Hello timer is 5 seconds and the Hold timer is 15 seconds. On low-speed NBMA interfaces (e.g., Frame Relay with bandwidth less than 1.544 Mbps), the default Hello timer is 60 seconds and Hold timer is 180 seconds. These timers can be changed with 'ip hello-interval eigrp <as> <seconds>' and 'ip hold-time eigrp <as> <seconds>'. Note that mismatched Hello timers do not prevent adjacency, but mismatched Hold timers can cause flapping if one side's Hold expires before the next Hello from the other side.
Init state means your router has received a Hello from the neighbor, but the Hello does not contain your router's Router ID. This indicates one-way communication. Common causes: authentication mismatch (e.g., one side has authentication configured, the other doesn't, or keys differ), or K-value mismatch. The neighbor receives your Hello but cannot process it due to mismatch, so it does not include your RID in its Hello. Check 'show ip protocols' for K-values and authentication settings.
Yes. EIGRP uses protocol number 88 and multicast address 224.0.0.10. An ACL that permits the neighbor's IP but denies protocol 88 or denies 224.0.0.10 will block Hellos. For example, 'access-list 100 deny eigrp any any' will drop all EIGRP packets regardless of source/destination IP. Always check ACLs for protocol and multicast entries. Use 'show ip access-lists' to inspect.
You've just covered Troubleshoot: EIGRP Neighbor Won't Form — now see how well it sticks with free CCNA 200-301 practice questions. Full explanations included, no account needed.
Done with this chapter?