Authenticate Cisco EIGRP routers

Contributed by Al Banks  
Tagged: Cisco router  

To help prevent unauthorized routing updates, EIGRP can be configured to authenticate peers.

For this example, two routers, A and B, are directly connected with Fast Ethernet. IP network is 10.1.1.0/24

Enter the appropriate passwords, then enter configuration mode:conf t

Address the interfaces.

Router A:interface FastEthernet 0/0
ip address 10.1.1.1 255.255.255.0

Router B:interface FastEthernet 0/0
ip address 10.1.1.2 255.255.255.0

Configure EIGRP (same on both routers):router eigrp 100
network 10.0.0.0

Then, create keychains in both routers.

Router A:key chain rtrA
key 1
key-string 123
accept-lifetime infinite
send-lifetime 00:00:01 1 Jan 2004 23:59:59 1 Jan 2005
exit
key 2
key-string abc
accept-lifetime infinite
send-lifetime 00:00:01 1 Jan 2004 23:59:59 1 Jan 2005

Router B:key chain rtrB
key 1
key-string 123
accept-lifetime infinite
send-lifetime 00:00:01 1 Jan 2004 23:59:59 1 Jan 2005
exit
key 2
key-string abc
accept-lifetime infinite
send-lifetime 00:00:01 1 Jan 2004 23:59:59 1 Jan 2005

Now, configure authentication. EIGRP Autonomous System number is 100.

Router A:interface FastEthernet 0/0
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 rtrA

Router B:interface FastEthernet 0/0
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 rtrB

Now the routers should be verifying the MD5 hash of EIGRP packets, dropping any that do not pass the verification.

In the key configuration, the “infinite” keyword can be used to make non-expiring keys. I would recommend the last keypair be non-expiring, to prevent network downtime if the administrator forgets to update the keys before they expire!