Friday, July 6, 2012

EIGRP Neighbor Authentication

There are a few steps needed to set up MD5 authentication between EIGRP neighbors. Authentication prevents a router from forming an adjacency with a rogue router trying to inject malicious routes. The payload of the packets isn't encrypted, only authenticated.

First a key chain name is needed, then a key number; a key chain can have multiple keys. The key-string command defines the password.

R1(config)#key chain EIGRPNEI
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string CCNP


Authentication is configured at the interface level with two commands, ip authentication mode and ip authentication key-chain. Adjacencies with neighbors will break and won't come back up until authentication is set up correctly on both sides. The key chain name is only locally significant; the key number and key-string must match on both neighbors.

R1(config)#interface fastEthernet 0/0
R1(config-if)#ip authentication mode eigrp 51 md5
R1(config-if)#
*Mar  1 00:09:40.727: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 51: Neighbor 10.1.1.2 (FastEthernet0/0) is down: authentication mode changed

R1(config-if)#ip authentication key-chain eigrp 51 EIGRPNEI

The show key chain command can be used to verify the password and lifetime.

R1#show key chain
Key-chain EIGRPNEI:
    key 1 -- text "CCNP"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]

R2(config)#key chain EIGRPNEI2
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string CCNP


R2(config)#interface fastEthernet 0/0
R2(config-if)#ip authentication key-chain eigrp 51 EIGRPNEI2
R2(config-if)#ip authentication mode eigrp 51 md5
R2(config-if)#
*Mar  1 00:16:25.033: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 51: Neighbor 10.1.1.1 (FastEthernet0/0) is up: new adjacency

R2(config-if)#do show key chain
Key-chain EIGRPNEI2:
    key 1 -- text "CCNP"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
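As an added example (not part of the original post, and not a Cisco tool), the script below parses the two show key chain outputs above and checks whether R1 and R2 actually hold a key that can authenticate in both directions: same key number, same key-string, currently valid for send on one side and accept on the other. A third, constructed R2 output with a mistyped key-string is included to show what a mismatch looks like before the adjacency is torn down. The chain names, key number and key-string are taken from the post; the function names and the mistyped sample are assumptions made for the example.

```python
import re

# Constructed samples: the two "show key chain" outputs from the post (R1 and R2),
# plus a made-up R2 output whose key-string has been mistyped.
R1_OUTPUT = """\
Key-chain EIGRPNEI:
    key 1 -- text "CCNP"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
"""
R2_OUTPUT = """\
Key-chain EIGRPNEI2:
    key 1 -- text "CCNP"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
"""
R2_BAD_OUTPUT = """\
Key-chain EIGRPNEI2:
    key 1 -- text "CCNA"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
"""

CHAIN_RE = re.compile(r"^Key-chain (\S+):")
KEY_RE = re.compile(r'^\s+key (\d+) -- text "([^"]*)"')
LIFETIME_RE = re.compile(r"^\s+(accept|send) lifetime ")


def parse_show_key_chain(text):
    """Parse 'show key chain' output into {chain: {key_id: {string, accept, send}}}.

    accept/send are True only when IOS marks that lifetime '[valid now]'.
    """
    chains, chain, key = {}, None, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = chains.setdefault(m.group(1), {})
            key = None
            continue
        m = KEY_RE.match(line)
        if m and chain is not None:
            key = chain.setdefault(int(m.group(1)),
                                   {"string": m.group(2), "accept": False, "send": False})
            continue
        m = LIFETIME_RE.match(line)
        if m and key is not None:
            key[m.group(1)] = "[valid now]" in line
    return chains


def usable_keys(sender, receiver):
    """Key IDs that let `sender` authenticate to `receiver`: same ID, same string,
    currently valid for send on the sender and for accept on the receiver."""
    return sorted(
        kid for kid, k in sender.items()
        if kid in receiver
        and receiver[kid]["string"] == k["string"]
        and k["send"] and receiver[kid]["accept"]
    )


def audit_pair(local_text, local_chain, peer_text, peer_chain):
    """Return a list of findings; an empty list means the chains authenticate both ways."""
    local = parse_show_key_chain(local_text)[local_chain]
    peer = parse_show_key_chain(peer_text)[peer_chain]
    findings = []
    for kid in sorted(set(local) | set(peer)):
        if kid not in local or kid not in peer:
            findings.append(f"key {kid}: present on one side only")
        elif local[kid]["string"] != peer[kid]["string"]:
            findings.append(f"key {kid}: key-string differs")
    if not usable_keys(local, peer):
        findings.append("no key valid for local send and peer accept")
    if not usable_keys(peer, local):
        findings.append("no key valid for peer send and local accept")
    return findings


if __name__ == "__main__":
    print("R1 <-> R2:", audit_pair(R1_OUTPUT, "EIGRPNEI", R2_OUTPUT, "EIGRPNEI2") or "OK")
    print("R1 <-> R2 (typo):", audit_pair(R1_OUTPUT, "EIGRPNEI", R2_BAD_OUTPUT, "EIGRPNEI2"))
```

The check reports every key number that could work; when more than one key is valid, IOS sends with the lowest-numbered valid key, so that is the one the neighbor must also accept. Because the chain names differ (EIGRPNEI versus EIGRPNEI2) they are passed in explicitly rather than compared.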

