Cisco Support Community
Community Member

EIGRP Password String on Live Network



I want to use an EIGRP password between routers and layer 3 switches in our environment. Is it possible to implement an EIGRP string on a live environment without any downtime?


Thank you

VIP Super Bronze

Hi Pat,

I would not do that in a live network without having a maintenance window:

see below:

Caution: When EIGRP message authentication is added to the Dallas interfaces, it stops receiving routing messages from its peers until they are also configured for message authentication. This does interrupt routing communications on your network.




Community Member

I would certainly do it during a maintenance window. Just wondering if it is possible to do on a live network without any downtime.


For instance, apply the pass string but don't let it become valid until a certain time.


Although NTP better be working...



VIP Super Bronze

You can probably use the accept-lifetime and send-lifetime to set a time frame, but if there is any time issue and things don't happen the way they are supposed to, you will have people and management screaming at you.


Community Member

Oh well


I'm hoping for an elegant solution though



VIP Purple

Hello


You can certainly create the key chain; however, whether you apply an authentication mode will determine how much outage to the adjacency will be incurred.


I have found that applying just the authentication key chain to the first interface drops the adjacency for no more than 3 seconds; then applying it to the other side of the peer has no effect.


However, when also applying the authentication mode, the adjacency will drop until the other side of the peering is also configured with the same authentication mode.

See results:

R1 / R2
Key-chain TST:
    key 1 -- text "TEST"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]

R2(config)#int fa0/0
R2(config-if)#ip authentication key-chain eigrp 1 TST
*Mar  1 00:05:00.031: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor (FastEthernet0/0) is down: keychain changed
*Mar  1 00:05:03.139: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor (FastEthernet0/0) is up: new adjacency

R2(config-if)#ip authentication mode eigrp 1 md5
*Mar  1 00:15:22.347: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor (FastEthernet0/0) is down: authentication mode changed
*Mar  1 00:15:23.851: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor (FastEthernet0/0) is down: Auth failure............






Please don't forget to rate any posts that have been helpful. Thanks.
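
To measure the interruption from router logs collected during a maintenance window, the following added example (not part of the original thread) pairs the `%DUAL-5-NBRCHANGE` down/up messages shown above and reports how long each adjacency was down and why. The sample log is constructed from the format in the post; the neighbor address 192.0.2.1 and the year are placeholder assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the format of the output above. The neighbor address
# 192.0.2.1 is a documentation-range placeholder, not a value from the thread.
SAMPLE = """\
*Mar  1 00:05:00.031: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.0.2.1 (FastEthernet0/0) is down: keychain changed
*Mar  1 00:05:03.139: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.0.2.1 (FastEthernet0/0) is up: new adjacency
*Mar  1 00:15:22.347: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.0.2.1 (FastEthernet0/0) is down: authentication mode changed
*Mar  1 00:15:23.851: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.0.2.1 (FastEthernet0/0) is down: Auth failure
"""

# The neighbor address is optional so lines that lost it still parse.
LINE = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d+\s+[\d:.]+): %DUAL-5-NBRCHANGE: \S+ (?P<asn>\d+): "
    r"Neighbor\s+(?:(?P<nbr>[0-9A-Fa-f:.]+)\s+)?\((?P<intf>[^)]+)\) "
    r"is (?P<state>up|down): (?P<why>.*)$"
)

def outages(log, year=2000):
    """Return one dict per adjacency outage; 'seconds' is None if never restored.

    IOS timestamps in this format carry no year, so 'year' is an assumption.
    """
    down, restored = {}, []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the padded day field
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S.%f")
        key = (m["asn"], m["nbr"], m["intf"])
        if m["state"] == "down":
            # Repeated "down" lines extend the same outage; keep the first start.
            entry = down.setdefault(
                key, {"key": key, "start": ts, "reasons": [], "seconds": None})
            entry["reasons"].append(m["why"].strip())
        elif key in down:
            entry = down.pop(key)
            entry["seconds"] = round((ts - entry["start"]).total_seconds(), 3)
            restored.append(entry)
    return restored + list(down.values())

if __name__ == "__main__":
    for o in outages(SAMPLE):
        dur = "still down" if o["seconds"] is None else f"{o['seconds']} s"
        print(o["key"], dur, "; ".join(o["reasons"]))
```
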
Community Member

Thanks Paul -


How about if I were to configure a send time that was sooner than the accept time. That way, both routers would be sending when the accept time arrived...assuming NTP was working


Does the configuration of EIGRP authentication on a router interface require the other router to send a pass string regardless of the accept time?



VIP Purple

Hello


It doesn't seem to matter, as soon as you apply authentication to the first interface in the peering, the adjacency is interrupted.




Please don't forget to rate any posts that have been helpful. Thanks.
Community Member

This is kind of what I'm referring to. Set the routers with an accept and send time, but have no end time.

key chain <name_of_keychain>
 key <#>
  key-string <string_used_for_PSK>
  !Optional - set lifetime
  accept-lifetime <start_date> <end_date>
  send-lifetime <start_date> <end_date>


Copied this from  
