EIGRP SHA Authentication

EIGRP originally only supported MD5 authentication, but since IOS 15.1(2)S and 15.2(1)T we can also use SHA-256 authentication, which is far more secure than MD5.

MD5 authentication can be configured in classic mode or named mode; SHA authentication can only be configured in named mode. When you configure SHA authentication, you can choose between an interface password only or an interface password combined with a key chain. The advantage of using a password only is that it’s simpler to configure (there’s only one command). The disadvantage, however, is that when you want to change the password, your neighbor adjacency will drop as soon as you change the password on one of your routers.

When you use a key chain, you can use rotating keys which allows us to switch passwords without dropping the neighbor adjacency. In this lesson, I’ll show you how to configure both options.

Configuration

Here’s the topology we will use:

Topology: R1 and R2 connected by a Gigabit link.

We only need two routers for this example.

Password Authentication

Let’s start with the single password option. We have to configure EIGRP named mode and look under the address-family interface configuration:

R1(config)#router eigrp R1_R2
R1(config-router)#address-family ipv4 unicast autonomous-system 12
R1(config-router-af)#network 192.168.12.0
R1(config-router-af)#af-interface GigabitEthernet 0/1

R1(config-router-af-interface)#authentication mode ?
  hmac-sha-256  HMAC-SHA-256 Authentication
  md5           Keyed message digest

Above you can see that we can choose the authentication mode. Let’s pick hmac-sha-256 and set a password:

R1(config-router-af-interface)#authentication mode hmac-sha-256 SECRET_KEY

That’s all there is to it. SHA authentication is now enabled on the GigabitEthernet0/1 interface of R1 with password “SECRET_KEY”.

Let’s configure R2 as well:

R2(config)#router eigrp R1_R2
R2(config-router)#address-family ipv4 autonomous-system 12
R2(config-router-af)#network 192.168.12.0
R2(config-router-af)#af-interface GigabitEthernet 0/1
R2(config-router-af-interface)#authentication mode hmac-sha-256 SECRET_KEY

That’s all we have to do. Let’s verify our work:

R1#show eigrp address-family ipv4 neighbors 
EIGRP-IPv4 VR(R1_R2) Address-Family Neighbors for AS(12)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   192.168.12.2            Gi0/1                    14 00:03:19    9   100  0  4
R2#show eigrp address-family ipv4 neighbors 
EIGRP-IPv4 VR(R1_R2) Address-Family Neighbors for AS(12)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   192.168.12.1            Gi0/1                    11 00:03:32    8   150  0  4

It seems we have a neighbor adjacency. Is authentication enabled? Let’s find out:

R1#show eigrp address-family ipv4 interfaces detail Gi0/1 | include Auth
  Authentication mode is HMAC-SHA-256, key-chain is not set
R2#show eigrp address-family ipv4 interfaces detail Gi0/1 | include Auth
  Authentication mode is HMAC-SHA-256, key-chain is not set

This confirms that authentication is enabled.

EIGRP SHA Authentication

Configurations

Want to take a look for yourself? Here you will find the configuration of each device.

R1

hostname R1
!
ip cef
!
interface GigabitEthernet0/1
 ip address 192.168.12.1 255.255.255.0
!
router eigrp R1_R2
 !
 address-family ipv4 unicast autonomous-system 12
  !
  af-interface GigabitEthernet0/1
   authentication mode hmac-sha-256 SECRET_KEY
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 192.168.12.0
 exit-address-family
!
end

R2

hostname R2
!
ip cef
!
interface GigabitEthernet0/1
 ip address 192.168.12.2 255.255.255.0
!
router eigrp R1_R2
 !
 address-family ipv4 unicast autonomous-system 12
  !
  af-interface GigabitEthernet0/1
   authentication mode hmac-sha-256 SECRET_KEY
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 192.168.12.0
 exit-address-family
!
end

Key Chain Authentication

Besides the password, we will also add a key chain with a single key ID and key string. Let’s start with the key chain:

R1 & R2
(config)#key chain R1_R2_CHAIN
(config-keychain)#key 1
(config-keychain-key)#key-string OUR_SECRET
(config-keychain-key)#exit

Note that the key string (OUR_SECRET) is different from the password I previously used (SECRET_KEY).

Let’s configure EIGRP to use this key-chain:

R1(config)#router eigrp R1_R2
R1(config-router)#address-family ipv4 unicast autonomous-system 12
R1(config-router-af)#af-interface GigabitEthernet 0/1
R1(config-router-af-interface)#authentication key-chain R1_R2_CHAIN
R2(config)#router eigrp R1_R2
R2(config-router)#address-family ipv4 unicast autonomous-system 12
R2(config-router-af)#af-interface GigabitEthernet 0/1
R2(config-router-af-interface)#authentication key-chain R1_R2_CHAIN

EIGRP will now use the key chain for authentication. We can verify this with the following command:

R1#show eigrp address-family ipv4 interfaces detail Gi0/1 | include Auth
  Authentication mode is HMAC-SHA-256, key-chain is "R1_R2_CHAIN"
R2#show eigrp address-family ipv4 interfaces detail Gi0/1 | include Auth
  Authentication mode is HMAC-SHA-256, key-chain is "R1_R2_CHAIN"

Above you can see that we are using the key chain. That’s all there is to it.

In the examples above I configured everything on the Gigabit interface. It’s also possible to configure SHA authentication globally by using the default interface (af-interface default).
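Why the key chain approach from this section (and the introduction) survives a password change while the password-only approach does not, as an added example that is not part of the lesson or Cisco's code: a simplified Python model of HMAC-SHA-256 authentication with a key chain. It does not reproduce the EIGRP packet format; the message layout, the key lifetimes, the rule of sending with the lowest valid key ID and the Hello payload are constructed assumptions.

```python
import hashlib, hmac
from collections import namedtuple

# Key with send and (wider) accept lifetimes, each (start, end) in seconds.
Key = namedtuple("Key", "key_id key_string send_lifetime accept_lifetime")

class KeyChain:
    def __init__(self, *keys):
        self.keys = {k.key_id: k for k in keys}

    def send_key(self, now):
        # Model assumption: send with the lowest key ID whose send lifetime is valid.
        for k in sorted(self.keys.values()):
            if k.send_lifetime[0] <= now <= k.send_lifetime[1]:
                return k
        return None

    def accept_key(self, key_id, now):
        k = self.keys.get(key_id)
        if k and k.accept_lifetime[0] <= now <= k.accept_lifetime[1]:
            return k
        return None

def sign(payload, chain, now):
    # Sender: tag the packet with the key ID and an HMAC-SHA-256 digest.
    k = chain.send_key(now)
    if k is None:
        return None
    digest = hmac.new(k.key_string, payload, hashlib.sha256).digest()
    return {"key_id": k.key_id, "digest": digest, "payload": payload}

def verify(msg, chain, now):
    # Receiver: select the key by ID, recompute, compare in constant time.
    k = chain.accept_key(msg["key_id"], now) if msg else None
    if k is None:
        return False
    expected = hmac.new(k.key_string, msg["payload"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, msg["digest"])

def hello_accepted(sender, receiver, now):
    # Constructed payload standing in for an EIGRP Hello; not the real format.
    return verify(sign(b"EIGRP HELLO AS 12", sender, now), receiver, now)

FOREVER = (0, 10**9)
# Password-only: one key, always valid. Changing it on one router alone fails.
R1_PASSWORD = KeyChain(Key(1, b"SECRET_KEY", FOREVER, FOREVER))
R2_NEW_PASSWORD = KeyChain(Key(1, b"NEW_SECRET", FOREVER, FOREVER))
# Rotating chain: key 1 sent until t=100, accepted until t=120; key 2 sent from t=90, accepted from t=80.
ROTATING = KeyChain(Key(1, b"OUR_SECRET", (0, 100), (0, 120)),
                    Key(2, b"NEXT_SECRET", (90, 10**9), (80, 10**9)))
```

Because the accept lifetimes overlap the send lifetimes, a router that has already moved to key 2 is still understood by a neighbor that accepts key 1 and key 2, so the adjacency never drops during the rollover.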

EIGRP SHA Key Chain Authentication

Configurations

Want to take a look for yourself? Here you will find the configuration of each device.

R1

hostname R1
!
ip cef
!
key chain R1_R2_CHAIN
 key 1
  key-string OUR_SECRET
!
interface GigabitEthernet0/1
 ip address 192.168.12.1 255.255.255.0
!
router eigrp R1_R2
 !
 address-family ipv4 unicast autonomous-system 12
  !
  af-interface GigabitEthernet0/1
   authentication mode hmac-sha-256 SECRET_KEY
   authentication key-chain R1_R2_CHAIN
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 192.168.12.0
 exit-address-family
!
end

R2

hostname R2
!
ip cef
!
key chain R1_R2_CHAIN
 key 1
  key-string OUR_SECRET
!
interface GigabitEthernet0/1
 ip address 192.168.12.2 255.255.255.0
!
router eigrp R1_R2
 !
 address-family ipv4 unicast autonomous-system 12
  !
  af-interface GigabitEthernet0/1
   authentication mode hmac-sha-256 SECRET_KEY
   authentication key-chain R1_R2_CHAIN
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 192.168.12.0
 exit-address-family
!
end

Conclusion

  • EIGRP supports SHA authentication since IOS 15.1(2)S and 15.2(1)T.
  • SHA authentication is more secure than MD5 so if possible, use this.
  • MD5 authentication can be configured in classic or named mode. SHA authentication is only available in named mode.
  • You can choose if you want to use a single password or include a key chain.
  • The advantage of the key chain is that you can change passwords without resetting the neighbor adjacency.

Forum Replies

  1. Hi William,

    Under topology base you will find commands that have to do with the EIGRP topology table. Stuff like redistribution, filtering, etc. Here’s an overview of all commands:

    R1(config-router)#router eigrp TEST                               
    R1(config-router)#address-family ipv4 unicast autonomous-system 1 
    R1(config-router-af)#topology base                                  
    R1(config-router-af-topology)#?
    Address Family Topology configuration commands:
      auto-summary         Enable automatic network number summarization
      cts                  EIGRP Trust
    ... Continue reading in our forum

  2. Hi Lagapides,

    Thanks …Well understand this explanation…

  3. Hello Vinod

    The main differences between named and classic modes are the way in which they are implemented (globally for named while both globally and in interface mode for classic) as well as the addition of a sixth K value for the metric.

    On the back end, that is, concerning the way that the routers interpret and operate in EIGRP, very little has changed. So a named mode EIGRP router can communicate with a classic EIGRP router. Since you configure the AS number under the EIGRP name configuration, if the AS is the same, they will communicate.

    Now the only re

    ... Continue reading in our forum

  4. Hello Network

    EIGRP named mode supports what is known as the Wide Metrics feature. This feature supports 64-bit metric calculations as opposed to EIGRP classic mode, which uses 32-bit calculations. This results in varying metric values between the two.

    Wide metrics was introduced in order to accommodate high-bandwidth interfaces and Ethernet channels. The increase in available speeds has resulted in incorrect or inconsistent routing behavior with the classic EIGRP routing metrics. The lowest delay that can be configured for an interface is 10 microseconds. As a

    ... Continue reading in our forum

  5. Hi Rene and staff

    I just looked at EIGRP named to configure a lab in another lesson.
    So I explored the commands of the configuration modes; in the labs I did, I only used the topology base mode.

    //cdn-forum.networklessons.com/uploads/default/original/2X/8/87a71f721e6599edd2950c22c1f353b41646ecbf.jpeg

    I tried to test (just for fun) the command with EIGRP that I suppose sets Multi-Topology Routing.

    //cdn-forum.networklessons.com/uploads/default/original/2X/c/caea5318bdc479a90f5e217502cbdd6967531566.jpeg

    As you see, IOS answers “VIDEO does not exist”.
    Could you give me

    ... Continue reading in our forum
