How to configure EIGRP Authentication


Routing protocols can be configured to reject false routing updates, and EIGRP is no exception. If you run EIGRP without authentication, someone could try to form an EIGRP neighbor adjacency with one of your routers and try to mess with your network. We don’t want that to happen, right?

EIGRP only offers MD5 authentication; there’s no plaintext authentication.

What does authentication offer us?

  • Your router authenticates the source of each routing update packet it receives.
  • It prevents false routing updates from sources that are not approved.
  • It ignores malicious routing updates.

A potential hacker could be sitting on your network with a laptop running GNS3 / Dynamips, boot up a Cisco router and try the following things:

  • Try to establish a neighbor adjacency with one of your routers and advertise junk routes.
  • Send malicious packets and see if they can drop the neighbor adjacency of one of your authorized routers.

In order to configure EIGRP authentication we need to do the following:

  • Configure a key-chain
    • Configure a key ID under the key-chain.
      • Specify a password for the key ID.
      • Optional: specify accept and expire lifetime for the key.

Let’s use two routers and see if we can configure EIGRP MD5 authentication:

[Figure: EIGRP with keys]

The configuration for both routers is very basic:

Jack(config)#interface fastEthernet 0/0
Jack(config-if)#ip address 192.168.12.1 255.255.255.0

Jack(config)#router eigrp 12
Jack(config-router)#network 192.168.12.0

John(config)#interface fastEthernet 0/0
John(config-if)#ip address 192.168.12.2 255.255.255.0

John(config)#router eigrp 12
John(config-router)#network 192.168.12.0

The first thing we need to configure is a key-chain:

[Figure: EIGRP Keychain]

I called mine “KingKong”, but the key chain name can be different on both routers; it doesn’t matter. The key ID is a value that has to match on both routers, and the key-string is the password, which of course has to match as well.

Jack(config)#key chain KingKong
Jack(config-keychain)#key 1
Jack(config-keychain-key)#key-string Banana

Jack(config)#interface fastEthernet 0/0
Jack(config-if)#ip authentication mode eigrp 12 md5
Jack(config-if)#ip authentication key-chain eigrp 12 KingKong

First you have to create the keychain and then you need to activate it on the interface. The “12” is the AS number of EIGRP. The configuration on router John is exactly the same.
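
One way to check a saved configuration for the key chain and the two interface commands described above, as an added example that is not part of the original lesson. The sample config, its addresses and the `Gorilla` key chain are constructed, and the parser assumes statically addressed interfaces and classful `network` statements.

```python
import ipaddress
import re

# Constructed sample running-config, not taken from the lesson's routers.
SAMPLE_CONFIG = """\
key chain KingKong
 key 1
  key-string Banana
interface FastEthernet0/0
 ip address 10.0.12.1 255.255.255.0
 ip authentication mode eigrp 12 md5
 ip authentication key-chain eigrp 12 KingKong
interface FastEthernet0/1
 ip address 10.0.13.1 255.255.255.0
 ip authentication mode eigrp 12 md5
 ip authentication key-chain eigrp 12 Gorilla
interface FastEthernet1/0
 ip address 10.0.14.1 255.255.255.0
interface Loopback0
 ip address 172.16.1.1 255.255.255.255
router eigrp 12
 network 10.0.0.0
"""

def blocks(config, prefix):
    """Yield (name, stripped body lines) for each top-level section starting with prefix."""
    for m in re.finditer(rf"^{prefix} (\S+)\n((?: .*\n?)*)", config, re.M):
        yield m.group(1), [line.strip() for line in m.group(2).splitlines()]

def classful(net):  # a "network" statement without a wildcard covers the classful network
    first = int(net.split(".")[0])
    return ipaddress.ip_network(f"{net}/{8 if first < 128 else 16 if first < 192 else 24}", strict=False)

def audit(config):
    """Yield (interface, AS, problem) for EIGRP interfaces without working MD5 authentication."""
    chains = {n for n, b in blocks(config, "key chain") if any(l.startswith("key-string ") for l in b)}
    for asn, rbody in blocks(config, "router eigrp"):
        nets = [classful(l.split()[1]) for l in rbody if l.startswith("network ")]
        for ifname, body in blocks(config, "interface"):
            addr = next((l.split()[2] for l in body if l.startswith("ip address ")), None)
            if addr is None or not any(ipaddress.ip_address(addr) in n for n in nets):
                continue  # this interface does not run the EIGRP process
            chain = next((l.split()[-1] for l in body
                          if l.startswith(f"ip authentication key-chain eigrp {asn} ")), None)
            if f"ip authentication mode eigrp {asn} md5" not in body:
                yield ifname, asn, "MD5 mode not enabled"
            elif chain not in chains:
                yield ifname, asn, f"key chain {chain} missing or has no key-string"

print(*audit(SAMPLE_CONFIG), sep="\n")
```

The key ID and key-string still have to be compared between the two neighbors; this check only looks at one router's configuration.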

John#debug eigrp packets 
EIGRP Packets debugging is on
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)

John# EIGRP: FastEthernet0/0: ignored packet from 192.168.12.1, opcode = 5 (authentication off or key-chain missing)

You can check if your configuration is correct by using debug eigrp packets. You can see that we received a packet with MD5 authentication but I didn’t enable MD5 authentication yet on router John.

Let’s fix it:

John(config)#key chain KingKong
John(config-keychain)#key 1
John(config-keychain-key)#key-string Banana

John(config)#interface fastEthernet 0/0
John(config-if)#ip authentication mode eigrp 12 md5
John(config-if)#ip authentication key-chain eigrp 12 KingKong

Right away I can see that the EIGRP neighbor adjacency is working:




Copyright protected by Digiprove © 2013 Rene Molenaar


7 Responses to “How to configure EIGRP Authentication”

  1. salis September 7, 2013 at 08:08 #

    Hello, thank you very much. You make CCNA look very easy. You talk me thank you once again.

  2. milts September 15, 2013 at 21:14 #

    awesome lessons, simple and clearly documented.

  3. chandan May 23, 2014 at 18:28 #

    I really like the way you explain the things. It's simple, clear and easy to understand.

  4. alok d April 26, 2015 at 05:28 #

    What is an AS number? Thanks.

    • Rene Molenaar April 26, 2015 at 16:35 #

      AS stands for Autonomous System.

      An AS is basically a network that falls under one administrative entity. On the Internet we use AS numbers and BGP for routing between autonomous systems. Within an AS, we typically use an IGP like OSPF or EIGRP.

      Here’s a list with AS numbers that are used on the Internet:

      http://bgp.potaroo.net/cidr/autnums.html

      Rene

      • alok d April 27, 2015 at 02:29 #

        I am familiar with Autonomous System, ASBR etc. It is made very clear in the OSPF chapters.

        I got a bit confused with how EIGRP uses AS numbers, whereas OSPF prefers process and area no. etc.

        So the AS number for EIGRP is not locally significant, but it has to be the same on all routers within an AS?

        Thanks,

        • Rene Molenaar April 28, 2015 at 11:43 #

          Hi AD,

          That’s right. EIGRP uses an “AS” number which has to be the same on all routers that run EIGRP.

          OSPF uses a process ID and has no concept of AS so it doesn’t matter what number you pick, it’s only used locally on the router.

          Rene
