Configuring EIGRP Authentication


Wed, 10/24/2012 - 13:04
Jun 22nd, 2009


Enhanced Interior Gateway Routing Protocol (EIGRP) is a Cisco proprietary enhanced distance vector routing protocol. EIGRP provides benefits such as fast convergence, incremental updates and support for multiple network layer protocols. EIGRP supports only Message Digest 5 (MD5) authentication, which is used to prevent malicious or incorrect routing information from being introduced into a router's routing table.

Configuration overview:

To configure EIGRP authentication, you define the keys used in the authentication process and attach them to an interface, with MD5 as the authentication mode. An interface with authentication configured will not form a neighbor relationship over that interface unless the neighbor passes the authentication process.
The configuration of EIGRP message authentication is carried out in two steps:

The creation of a keychain and key:

A key chain has two required components and two optional ones. The required components are the key number and the key string; optionally, a key also carries an accept-lifetime and a send-lifetime parameter.

Key chain configuration steps:
A) First, create the key chain in global configuration mode.
B) Under the key chain, configure a key number. The key number must match on both routers and the key must be active. If multiple keys are configured on the router, the router uses the lowest-numbered active key for authentication.
C) Once the key number is configured, set its authentication string.

Router#configure terminal
Router(config)#key chain mykey                   // configure a key chain named mykey
Router(config-keychain)#key 1                    // specifies the key number
Router(config-keychain-key)#key-string cisco     // specifies the authentication string for the key

The configuration of EIGRP authentication on the interface, referencing that key chain and key:

Authentication is configured in interface configuration mode. To apply key chain authentication on an interface, issue the following two commands in interface configuration mode:
A) Enable authentication for EIGRP packets and specify the set of keys to be used on the interface:

Syntax: ip authentication key-chain eigrp <as-number> <key-chain>

B) Specify MD5 as the type of authentication to be used for EIGRP packets:

Syntax: ip authentication mode eigrp <as-number> md5

There is a slight difference between configuring EIGRP authentication for IPv4 and IPv6 on a Cisco router: only the command syntax at the interface level changes.


Configuring EIGRP authentication for IPv4:
Router(config)#interface fa0/0
Router(config-if)#ip authentication mode eigrp 1 md5
Router(config-if)#ip authentication key-chain eigrp 1 mykey

Configuring EIGRP authentication for IPv6:
Router(config)#interface fa0/0
Router(config-if)#ipv6 authentication mode eigrp 1 md5
Router(config-if)#ipv6 authentication key-chain eigrp 1 mykey

Accept-lifetime and Send-lifetime:

Optionally, you can configure key management to migrate automatically from one authentication key to another with the following commands in key-chain key configuration mode:

1) accept-lifetime <start-time> {infinite | end-time | duration seconds}
2) send-lifetime <start-time> {infinite | end-time | duration seconds}

One of the biggest problems with this sort of authentication system is that changing the keys can break EIGRP neighborships in your network. The following example shows a way around this problem: by configuring timed keys, you can roll out a new key throughout your network without disrupting service:

Router(config)#key chain mykey
Router(config-keychain)#key 1
Router(config-keychain-key)#key-string cisco
Router(config-keychain-key)#accept-lifetime 00:00:00 Jan 1 2012 00:15:00 Nov 1 2012
Router(config-keychain-key)#send-lifetime 00:00:00 Jan 1 2012 00:00:00 Nov 1 2012
Router(config-keychain-key)#key 2
Router(config-keychain-key)#key-string cisco@123
Router(config-keychain-key)#accept-lifetime 23:45:00 Oct 31 2012 infinite
Router(config-keychain-key)#send-lifetime 00:00:00 Nov 1 2012 infinite

In the above case, this router will accept the original key string, cisco, until 12:15 AM on November 1, 2012. It will send this same key string until 12:00 AM on the same date. It will start accepting the new key string, cisco@123, at 11:45 PM on October 31, 2012. In this way there is a safe 30-minute transition period that you can configure in advance throughout the network. Then, the next day or whenever it is convenient, you can remove the configuration for the old key string on all the affected routers. This process depends heavily on the routers' clocks being synchronized.

Verification commands

1) Key chain configuration verification:
Router#sh key chain
Key-chain mykey:
    key 1 -- text "cisco"
        accept lifetime (00:00:00 UTC Jan 1 2012) - (00:15:00 UTC Nov 1 2012)
        send lifetime (00:00:00 UTC Jan 1 2012) - (00:00:00 UTC Nov 1 2012)
    key 2 -- text "cisco@123"
        accept lifetime (23:45:00 UTC Oct 31 2012) - (infinite)
        send lifetime (00:00:00 UTC Nov 1 2012) - (infinite)

2) In a key-string, whitespace counts as a character, which can lead to a key misconfiguration on the router. In the following output the key-string was entered as "cisco " with a trailing space, so it will not match a neighbor whose key-string is "cisco":
Router#sh run | sec key chain
key chain mykey
key 10
   key-string cisco
Router#sh key chain
Key-chain mykey:
    key 10 -- text "cisco "
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
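As an added example (not from the article or from Cisco), here is a small Python linter for a key chain copied from show run | section key chain. It flags key-strings with stray whitespace, the pitfall in item 2 above, and for each timed rollover such as the key 1 to key 2 change in the Accept-lifetime and Send-lifetime section it reports how much clock skew between neighbors the overlapping windows tolerate (15 minutes for the article's values). The config text is constructed; the duration form is parsed as the syntax line shows it, duration <seconds>.

```python
from datetime import datetime, timedelta
FMT = "%H:%M:%S %b %d %Y"   # IOS lifetime stamp, e.g. "00:00:00 Jan 1 2012"
# Constructed 'show run | section key chain' text: keys 1 and 2 are the article's timed
# rollover; key 3 deliberately has a trailing blank after "cisco" (the pitfall shown above).
CONFIG = "\n".join([
    "key chain mykey",
    " key 1",
    "  key-string cisco",
    "  accept-lifetime 00:00:00 Jan 1 2012 00:15:00 Nov 1 2012",
    "  send-lifetime 00:00:00 Jan 1 2012 00:00:00 Nov 1 2012",
    " key 2",
    "  key-string cisco@123",
    "  accept-lifetime 23:45:00 Oct 31 2012 infinite",
    "  send-lifetime 00:00:00 Nov 1 2012 infinite",
    " key 3",
    "  key-string cisco ",
])
def parse_lifetime(tokens):
    """Tokens after accept-/send-lifetime: <start> then infinite | <end-time> | duration <seconds>."""
    start, rest = datetime.strptime(" ".join(tokens[:4]), FMT), tokens[4:]
    if rest == ["infinite"]:
        return start, datetime.max
    if rest[0] == "duration":
        return start, start + timedelta(seconds=int(rest[1]))
    return start, datetime.strptime(" ".join(rest), FMT)

def parse_key_chain(config):
    """Map key number -> {'string', 'accept', 'send'}; an unset lifetime stays None."""
    keys, cur = {}, None
    for raw in config.split("\n"):
        line = raw.lstrip()     # lstrip only: trailing blanks are part of the key-string
        if line.startswith("key ") and not line.startswith("key chain "):
            cur = keys.setdefault(int(line.split()[1]), {"accept": None, "send": None})
        elif line.startswith("key-string "):
            cur["string"] = line[len("key-string "):]
        elif line.startswith(("accept-lifetime ", "send-lifetime ")):
            cur[line.split("-")[0]] = parse_lifetime(line.split()[1:])
    return keys

def lint(keys):
    # Returns (key numbers whose string has stray whitespace, skew tolerated by each timed rollover)
    blanks = sorted(n for n, k in keys.items() if k["string"] != k["string"].strip())
    skew, nums = {}, sorted(keys)
    for old, new in zip(nums, nums[1:]):
        o, n = keys[old], keys[new]
        if None in (o["accept"], o["send"], n["accept"], n["send"]):
            continue            # untimed key: there is no rollover window to check
        # A slow peer keeps sending `old` after we stop, so our accept window must outlast our send
        # window; a fast peer sends `new` before we do, so we must accept `new` before we send it.
        skew[(old, new)] = min(o["accept"][1] - o["send"][1], n["send"][0] - n["accept"][0])
    return blanks, skew
```

A negative value in the skew result means the windows do not overlap and neighbors will drop packets during the gap, exactly the outage the timed keys are meant to avoid.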

3) You can see from the following debug trace that when authentication fails, EIGRP simply ignores the routing updates:
Router#debug eigrp packet
EIGRP Packets debugging is on
Mar  3 01:40:59.704: EIGRP: ignored packet from opcode = 5                (invalid authentication)
