Authenticate Cisco EIGRP Routers

To help prevent unauthorized routing updates, EIGRP can be configured to authenticate peers. The following tech-recipe explains how this is done.


For this example, two routers, A and B, are directly connected with Fast Ethernet. The IP network is 10.1.1.0/24.

Enter the appropriate passwords, and then enter configuration mode:
conf t

Address the interfaces.

Router A:
interface FastEthernet 0/0
ip address 10.1.1.1 255.255.255.0

Router B:
interface FastEthernet 0/0
ip address 10.1.1.2 255.255.255.0

Configure EIGRP (the same on both routers):
router eigrp 100
network 10.0.0.0

Then, create keychains in both routers.

Router A:
key chain rtrA
key 1
key-string 123
accept-lifetime 00:00:01 1 Jan 2004 infinite
send-lifetime 00:00:01 1 Jan 2004 23:59:59 1 Jan 2005
exit
key 2
key-string abc
accept-lifetime 00:00:01 1 Jan 2004 infinite
send-lifetime 00:00:01 1 Jan 2004 23:59:59 1 Jan 2005

Router B:
key chain rtrB
key 1
key-string 123
accept-lifetime 00:00:01 1 Jan 2004 infinite
send-lifetime 00:00:01 1 Jan 2004 23:59:59 1 Jan 2005
exit
key 2
key-string abc
accept-lifetime 00:00:01 1 Jan 2004 infinite
send-lifetime 00:00:01 1 Jan 2004 23:59:59 1 Jan 2005

Now, configure authentication. The EIGRP Autonomous System number is 100.

Router A:
interface FastEthernet 0/0
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 rtrA

Router B:
interface FastEthernet 0/0
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 rtrB

Now, the routers should be verifying the MD5 hash of EIGRP packets, dropping any that do not pass the verification.

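In the key configuration, the “infinite” keyword can be used in place of an end time to make non-expiring keys. I would recommend that the last key be non-expiring to prevent network downtime if the administrator forgets to update the keys before they expire. In the example key chains above, both keys stop being sent after 1 Jan 2005; to follow this recommendation, the send-lifetime of key 2 would end with “infinite” rather than a date.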
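The following Python sketch is an added example, not part of the original recipe. It models the key lifetimes above to show which key a router would send with on a given date and whether its peer would accept it. It assumes the sender uses the lowest-numbered key whose send-lifetime is current and that the receiver needs the same key number and key-string within its accept-lifetime; all function names are hypothetical and the key chain text is a constructed sample.

```python
from datetime import datetime
FMT = "%H:%M:%S %d %b %Y"  # e.g. "00:00:01 1 Jan 2004", as written on the page

def to_time(tokens):
    return datetime.strptime(" ".join(tokens), FMT) if tokens else None

def parse_lifetime(tokens):
    """Return (start, end); None = unbounded. The 'duration' form is not handled."""
    if tokens[-1] == "infinite":
        return to_time(tokens[:-1]), None
    return to_time(tokens[:4]), to_time(tokens[4:8])

def parse_key_chain(text):
    """Parse the keys of one IOS key chain into {key_id: {string, accept, send}}."""
    keys, cur = {}, None
    for words in (line.split() for line in text.splitlines()):
        if len(words) == 2 and words[0] == "key" and words[1].isdigit():
            cur = keys.setdefault(int(words[1]), {"string": None, "accept": (None,) * 2, "send": (None,) * 2})
        elif cur is not None and len(words) > 1 and words[0] == "key-string":
            cur["string"] = words[1]
        elif cur is not None and len(words) > 1 and words[0] in ("accept-lifetime", "send-lifetime"):
            cur[words[0].split("-")[0]] = parse_lifetime(words[1:])
    return keys

def in_window(window, when):
    start, end = window
    return (start is None or start <= when) and (end is None or when <= end)

def check(sender, receiver, when):
    """Return (key_id, accepted) for the key the sender would use at `when`."""
    for key_id in sorted(sender):
        mine, peer = sender[key_id], receiver.get(key_id)
        if mine["string"] and in_window(mine["send"], when):
            ok = bool(peer) and peer["string"] == mine["string"] and in_window(peer["accept"], when)
            return key_id, ok
    return None, False  # no key valid for sending: updates cannot be authenticated

# Constructed sample modelled on the page's key chain (identical on both routers).
CHAIN = """key 1
 key-string 123
 accept-lifetime 00:00:01 1 Jan 2004 infinite
 send-lifetime 00:00:01 1 Jan 2004 23:59:59 1 Jan 2005
key 2
 key-string abc
 accept-lifetime 00:00:01 1 Jan 2004 infinite
 send-lifetime 00:00:01 1 Jan 2004 {end}
"""
AS_ON_PAGE = parse_key_chain(CHAIN.format(end="23:59:59 1 Jan 2005"))
NON_EXPIRING = parse_key_chain(CHAIN.format(end="infinite"))
```

Calling `check(AS_ON_PAGE, AS_ON_PAGE, datetime(2005, 6, 1))` reports that no key is valid for sending, while the same call with `NON_EXPIRING` falls through to key 2.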


One Response to “Authenticate Cisco EIGRP Routers”

  1. January 03, 2011 at 12:04 pm, Seit Mehmeti said:

    Is this the only version of EIGRP authentication with MD5?
    How do you authenticate EIGRP MD5 when two routers are connected via a 2620XM router acting like a FR Switch on a Packet Tracer and there is a backup route to the next router which it does work without MD5, but not from the router simulating FR Switch?
    In addition, the commands are slightly different.
