Enhanced Interior Gateway Routing Protocol (EIGRP) is a Cisco proprietary enhanced distance vector routing protocol. EIGRP provides benefits like fast convergence, incremental updates and support for multiple network layer protocols. EIGRP only supports Message Digest 5 (MD5) authentication to prevent malicious and incorrect routing information from being introduced into the routing table of a router.
To configure EIGRP authentication, the keys used in the authentication process have to be configured and attached to an interface along with MD5 as the mode of authentication. Any interface that has authentication configured on it will not form neighbor relationships out that interface unless the neighbor passes the authentication process. The configuration of EIGRP message authentication is carried out in two steps:
The creation of a keychain and key:
Key chains consist of two necessary and two are optional components. The necessary components are key number and key string. Optionally it also include an accept-lifetime and a send-lifetime parameter.
Key chain configuration steps: A) First we need to configure key chain in global configuration mode. B) Under key chain we need to configure key number. Key number must be match on both side of router and should be active. If multiple key numbers configure on router, then router select lowest number for authentication. C) Once you configure key number you need to issue authentication string.
Example: Router#configure terminal Router(config)#key chain mykey //configure key chain name mykey Router(config-keychain)#key 1 // Specifies the key number Router(config-keychain-key)#key-string cisco //Specifies the authentication string for a key. Router(config-keychain-key)#end
The configuration of EIGRP authentication in interface to use that keychain and key.
Authentication is configured in interface configuration mode. To apply key chain authentication on an interface you must issue the following two commands in interface configuration mode: A) Enable authentication for EIGRP packets and to specify the set of keys to be used on an interface:
Syntax: ip authentication key-chain eigrp <as-number> <key-chain>
B) specify MD5 as the type of authentication to be used for EIGRP packets:
Syntax: ip authentication mode eigrp <as-number> md5
There is slight difference between configuring eigrp authentication on cisco router for ipv4 and ipv6, only command syntax changed under interface level.
Configuring EIGRP authentication for IP4 Configuring EIGRP authentication for IP6
Optionally, you can configure key management to automatically migrate from one authentication key to another by configuring following commands in key-chain key configuration mode using following command:
One of the biggest problems with using this sort of authentication system is that changing the keys can break eigrp neighborship in your network.The following example shows a way around for this problem. By configuring timed keys, you can roll out a new key throughout your network without disrupting service:
Example: Router(config)#key chain mykey Router(config-keychain)#key 1 Router(config-keychain-key)#key-string cisco Router(config-keychain-key)#accept-lifetime 00:00:00 Jan 1 2012 00:15:00 Nov 1 2012 Router(config-keychain-key)#send-lifetime 00:00:00 Jan 1 2012 00:00:00 Nov 1 2012 Router(config-keychain-key)#key 2 Router(config-keychain-key)#key-string cisco@123 Router(config-keychain-key)#accept-lifetime 23:45:00 Oct 31 2012 infinite Router(config-keychain-key)#send-lifetime 00:00:00 Nov 1 2012 infinite Router(config-keychain-key)#end
In the above case, this router will accept the original key string, cisco, until 12:15 AM on November 1, 2012. It will send this same key string until 12:00 AM on the same date. And it will start accepting the new key string, cisco@123, at 11:45 PM on October 31, 2012. In this way, there is a safe 30-minute transition period that you can configure in advance throughout the network. Then, the next day or whenever it is convenient, you can remove the configuration for the old key string on all the affected routers. This process is very dependent on synchronized clocks between routers.
1) Key chain configuration verification: Router#sh key chain Key-chain mykey: key 1 -- text "cisco" accept lifetime (00:00:00 UTC Jan 1 2012) - (00:15:00 UTC Nov 1 2012) send lifetime (00:00:00 UTC Jan 1 2012) - (00:00:00 UTC Nov 1 2012) key 2 -- text "cisco@123" accept lifetime (23:45:00 UTC Oct 31 2012) - (infinite) send lifetime (00:00:00 UTC Nov 1 2012) - (infinite)
2) In key-string whitespaces counts as a character that can leads to key misconfiguration on router. Router#sh run | sec key chain key chain mykey key 10 key-string cisco Router#sh key chain Key-chain mykey: key 10 -- text "cisco " accept lifetime (always valid) - (always valid) [valid now] send lifetime (always valid) - (always valid) [valid now]
3)You can see from the following debug trace that when the authentication fails, EIGRP simply ignores the routing updates: Router#debug eigrp packet EIGRP Packets debugging is on (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY) Router1# Mar 3 01:40:59.704: EIGRP: ignored packet from 10.1.1.1 opcode = 5 (invalid authentication)