06-22-2009 05:38 PM - edited 03-01-2019 04:14 PM
Enhanced Interior Gateway Routing Protocol (EIGRP) is a Cisco proprietary advanced distance vector routing protocol. EIGRP provides fast convergence, incremental (partial, bounded) updates and support for multiple network layer protocols. To keep malicious or incorrect routing information out of a router's routing table, EIGRP authenticates its packets. Classic (autonomous-system) mode EIGRP, which this document covers, supports only Message Digest 5 (MD5) authentication; named-mode EIGRP on newer IOS releases additionally supports HMAC-SHA-256. Note that authentication protects the origin and integrity of EIGRP packets only: the packets are not encrypted, so the routing information itself is still readable on the wire.
To configure EIGRP authentication, define the keys used in the authentication process in a key chain, then attach that key chain to an interface together with MD5 as the authentication mode. An interface with authentication configured will not form a neighbor relationship with any peer on that interface unless the peer passes the authentication process; the check is applied per interface, not per routing process.
The configuration of EIGRP message authentication is carried out in two steps: (1) define a key chain, and (2) apply it, together with MD5 mode, on each interface that runs EIGRP.
A key chain consists of two mandatory and two optional components. The mandatory components are the key number and the key string; optionally each key also carries an accept-lifetime and a send-lifetime.
Key chain configuration steps:
A) First, create the key chain in global configuration mode.
B) Under the key chain, configure a key number. The key number (key ID) is carried in every authenticated EIGRP packet, so the same key number with the same key string must exist on both routers, and the key must be valid (within its lifetimes) on both. If several keys are valid at the same time, the router sends with the lowest-numbered valid key; a received packet is checked against the key whose number matches the key ID in the packet, which must itself be within its accept-lifetime.
C) Under the key, configure the key string (the shared secret).
Example:
Router#configure terminal
Router(config)#key chain mykey //configure key chain name mykey
Router(config-keychain)#key 1 // Specifies the key number
Router(config-keychain-key)#key-string cisco //Specifies the authentication string for a key.
Router(config-keychain-key)#end
Authentication is configured in interface configuration mode. To apply key-chain authentication on an interface, issue the following two commands in interface configuration mode; <as-number> is the autonomous-system number of the EIGRP process on that interface, and both commands are required. Once they are applied, the adjacency on that interface is torn down until the peer authenticates, so apply them on both ends in the same change window.
A) Enable authentication for EIGRP packets and specify the key chain to be used on the interface:
Syntax: ip authentication key-chain eigrp <as-number> <key-chain>
B) Specify MD5 as the authentication type for EIGRP packets:
Syntax: ip authentication mode eigrp <as-number> md5
The IPv4 and IPv6 configurations differ only in the syntax of the interface-level commands (ip versus ipv6); the key chain itself is shared.
Example:
Configuring EIGRP authentication for IPv4:
Router(config)#interface fa0/0
Router(config-if)#ip authentication mode eigrp 1 md5
Router(config-if)#ip authentication key-chain eigrp 1 mykey
Router(config-if)#end
Configuring EIGRP authentication for IPv6:
Router(config)#interface fa0/0
Router(config-if)#ipv6 authentication mode eigrp 1 md5
Router(config-if)#ipv6 authentication key-chain eigrp 1 mykey
Router(config-if)#end
Optionally, you can configure key management so that the router migrates automatically from one authentication key to the next, using the following commands in key-chain key configuration mode:
1) accept-lifetime <start-time> {infinite | <end-time> | duration <seconds>}
2) send-lifetime <start-time> {infinite | <end-time> | duration <seconds>}
accept-lifetime is the window during which packets received with this key are accepted; send-lifetime is the window during which the router transmits with it. A key with no lifetimes is always valid.
One of the biggest operational problems with this kind of authentication is that changing a key can break EIGRP neighborships across the network. The following example shows a way around that problem: by configuring timed keys, you can roll a new key out through the network without disrupting service.
Example:
Router(config)#key chain mykey
Router(config-keychain)#key 1
Router(config-keychain-key)#key-string cisco
Router(config-keychain-key)#accept-lifetime 00:00:00 Jan 1 2012 00:15:00 Nov 1 2012
Router(config-keychain-key)#send-lifetime 00:00:00 Jan 1 2012 00:00:00 Nov 1 2012
Router(config-keychain-key)#key 2
Router(config-keychain-key)#key-string cisco@123
Router(config-keychain-key)#accept-lifetime 23:45:00 Oct 31 2012 infinite
Router(config-keychain-key)#send-lifetime 00:00:00 Nov 1 2012 infinite
Router(config-keychain-key)#end
In the above case, this router accepts the original key string, cisco, until 00:15 on November 1, 2012, and sends with it until 00:00 on the same date. It starts accepting the new key string, cisco@123, at 23:45 on October 31, 2012, and sends with it from 00:00 on November 1. Both keys are therefore accepted during a 30-minute transition window (23:45 to 00:15) that you can configure in advance throughout the network; the routers' clocks only have to agree to within that window. Then, the next day or whenever it is convenient, remove the configuration for the old key from all affected routers. This process depends on synchronized clocks between routers: run NTP on all of them, and remember that lifetimes are evaluated against each router's local clock and configured time zone (UTC unless clock timezone is set, which is why the verification output below shows UTC).
1) Key chain configuration verification. Note that show key chain (like show running-config) prints the key strings in clear text, so treat the output as sensitive:
Router#sh key chain
Key-chain mykey:
key 1 -- text "cisco"
accept lifetime (00:00:00 UTC Jan 1 2012) - (00:15:00 UTC Nov 1 2012)
send lifetime (00:00:00 UTC Jan 1 2012) - (00:00:00 UTC Nov 1 2012)
key 2 -- text "cisco@123"
accept lifetime (23:45:00 UTC Oct 31 2012) - (infinite)
send lifetime (00:00:00 UTC Nov 1 2012) - (infinite)
2) In a key-string, whitespace counts as a character. A stray trailing space is invisible in show running-config but produces a key that does not match the neighbor's; show key chain reveals it inside the quotes:
Router#sh run | sec key chain
key chain mykey
key 10
key-string cisco
Router#sh key chain
Key-chain mykey:
key 10 -- text "cisco "
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
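The key-number, whitespace and lifetime rules above can be checked mechanically before a change window. The following Python script is an added example written for this document, not Cisco code: it parses key-chain blocks in the running-config form shown above (constructed sample configs are embedded), flags key-strings with leading or trailing whitespace, checks that each send-lifetime lies inside its accept-lifetime, verifies that consecutive keys overlap so a rollover cannot strand a peer, and compares two routers' chains for key IDs or strings that do not match. It assumes the router clock runs in UTC; the names parse_key_chains, audit_chain and compare_peers are the script's own.

```python
"""Audit Cisco IOS key-chain configuration for the EIGRP MD5 pitfalls discussed
on this page: key IDs that differ between peers, key-strings with stray whitespace,
and timed rollovers with no overlap window. Added example, not from the page; the
sample configs are constructed (running-config form, indentation ignored)."""
import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
ALWAYS, INFINITE = datetime.min.replace(tzinfo=UTC), datetime.max.replace(tzinfo=UTC)

# IOS lifetime syntax: <start> {infinite | <end> | duration <seconds>}, time = hh:mm:ss Mon d yyyy
_TIME = r"(\d{1,2}:\d{2}:\d{2}) ([A-Za-z]{3}) (\d{1,2}) (\d{4})"
_LIFETIME = re.compile(
    rf"^\s*(accept|send)-lifetime {_TIME} (?:(infinite)|duration (\d+)|{_TIME})\s*$")

def _parse_time(hms, mon, day, year):
    # assumption: the router clock runs in UTC (the default shown by 'show key chain')
    return datetime.strptime(f"{hms} {mon} {day} {year}", "%H:%M:%S %b %d %Y").replace(tzinfo=UTC)

def parse_key_chains(config):
    """Return {chain: {key_number: {'string', 'accept', 'send'}}} from config text.
    key-string values are kept verbatim: IOS treats whitespace as part of the key."""
    chains, chain, key = {}, None, None
    for line in config.splitlines():
        if m := re.match(r"^\s*key chain (\S+)\s*$", line):
            chain, key = chains.setdefault(m.group(1), {}), None
        elif (m := re.match(r"^\s*key (\d+)\s*$", line)) and chain is not None:
            key = chain.setdefault(int(m.group(1)), {
                "string": None, "accept": (ALWAYS, INFINITE), "send": (ALWAYS, INFINITE)})
        elif (m := re.match(r"^\s*key-string (.*)$", line)) and key is not None:
            key["string"] = m.group(1)               # deliberately not stripped
        elif (m := _LIFETIME.match(line)) and key is not None:
            start = _parse_time(*m.group(2, 3, 4, 5))
            if m.group(6):                            # infinite
                end = INFINITE
            elif m.group(7):                          # duration <seconds>
                end = start + timedelta(seconds=int(m.group(7)))
            else:
                end = _parse_time(*m.group(8, 9, 10, 11))
            key[m.group(1)] = (start, end)
    return chains

def audit_chain(keys):
    """Findings for one key chain, in key-number order."""
    findings = []
    for num in sorted(keys):
        k = keys[num]
        if k["string"] is None:
            findings.append(f"key {num}: no key-string configured")
        elif k["string"] != k["string"].strip():
            findings.append(f"key {num}: key-string {k['string']!r} has leading/trailing whitespace")
        (a0, a1), (s0, s1) = k["accept"], k["send"]
        if not (a0 <= s0 and s1 <= a1):
            findings.append(f"key {num}: send-lifetime is not contained in accept-lifetime")
    # Rollover between consecutive keys: the router sends with the lowest-numbered key whose
    # send-lifetime is valid, so the send windows must meet, and the old key must still be
    # accepted for a while after the new one starts or a peer with slight clock skew is ignored.
    nums = sorted(keys)
    for old, new in zip(nums, nums[1:]):
        if keys[old]["accept"][1] - keys[new]["accept"][0] <= timedelta(0):
            findings.append(f"keys {old}->{new}: accept-lifetimes do not overlap")
        if keys[new]["send"][0] > keys[old]["send"][1]:
            findings.append(f"keys {old}->{new}: gap with no valid send key")
    return findings

def compare_peers(keys_a, keys_b):
    """Key IDs and key-strings must match on both sides of an adjacency."""
    findings = []
    for num in sorted(set(keys_a) | set(keys_b)):
        if num not in keys_a or num not in keys_b:
            findings.append(f"key {num}: configured on one peer only; packets sent with it are ignored")
        elif keys_a[num]["string"] != keys_b[num]["string"]:
            findings.append(f"key {num}: key-string differs between peers")
    return findings

# Constructed samples: R1 is the timed rollover from the page, R2 reproduces the
# trailing-space mistake under a different key number, GAP has no overlap window.
R1_CONFIG = """\
key chain mykey
 key 1
  key-string cisco
  accept-lifetime 00:00:00 Jan 1 2012 00:15:00 Nov 1 2012
  send-lifetime 00:00:00 Jan 1 2012 00:00:00 Nov 1 2012
 key 2
  key-string cisco@123
  accept-lifetime 23:45:00 Oct 31 2012 infinite
  send-lifetime 00:00:00 Nov 1 2012 infinite
"""
R2_CONFIG = "key chain mykey\n key 10\n  key-string cisco" + " " + "\n"   # trailing space
GAP_CONFIG = (R1_CONFIG.replace("00:15:00 Nov 1 2012", "00:00:00 Nov 1 2012")
              .replace("23:45:00 Oct 31 2012", "00:00:00 Nov 1 2012")
              .replace("send-lifetime 00:00:00 Nov 1 2012 infinite",
                       "send-lifetime 00:30:00 Nov 1 2012 infinite"))

if __name__ == "__main__":
    r1, r2, gap = (parse_key_chains(c)["mykey"] for c in (R1_CONFIG, R2_CONFIG, GAP_CONFIG))
    for name, keys in (("R1", r1), ("R2", r2), ("GAP", gap)):
        print(name, audit_chain(keys) or ["ok"])
    print("R1 <-> R2", compare_peers(r1, r2))
```

Run it against the output of show running-config | section key chain from each router in the adjacency; R1 passes cleanly, R2 is reported for the trailing space and for having no key ID in common with R1, and the GAP variant is reported twice because its keys neither overlap on accept nor meet on send.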
3) The following debug trace shows that when authentication fails, EIGRP simply ignores the packet (here a Hello, opcode 5) instead of forming or keeping the adjacency. On a production router, narrow the debug (for example debug eigrp packets hello) so the output stays manageable:
Router#debug eigrp packet
EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
Router1#
Mar 3 01:40:59.704: EIGRP: ignored packet from 10.1.1.1 opcode = 5 (invalid authentication)
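As an added example that is not part of the original document, the script below turns debug output of the form shown above into something that can be acted on: it counts invalid-authentication drops per source address and reports how long they have been going on, so a single drop during a key rollover (clock skew) can be told apart from a persistent key mismatch or an unauthenticated speaker on the segment. The log lines are constructed in the format of the trace above; IOS timestamps carry no year, so one is assumed, and the function names are the script's own.

```python
"""Triage 'debug eigrp packet' output for authentication failures.
Added example, not from the page; the log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime

OPCODES = {1: "UPDATE", 2: "REQUEST", 3: "QUERY", 4: "REPLY", 5: "HELLO",
           10: "SIAQUERY", 11: "SIAREPLY"}     # EIGRP opcode values (RFC 7868)

LINE = re.compile(
    r"^(?P<ts>[A-Za-z]{3} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"EIGRP: ignored packet from (?P<src>\S+) opcode = (?P<op>\d+) \((?P<reason>[^)]*)\)")

def parse_ignored(lines, year=2012):
    """Yield (timestamp, src, opcode_name, reason) for each 'ignored packet' line.
    IOS timestamps have no year; 'year' is an assumption supplied by the caller."""
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
        op = int(m["op"])
        yield ts, m["src"], OPCODES.get(op, f"opcode {op}"), m["reason"]

def auth_failures(lines, threshold=3):
    """Per-source summary of 'invalid authentication' drops at or above threshold.
    One or two drops around a key rollover are clock skew; a steady stream from one
    address means a key-string/key-ID mismatch or an unauthenticated speaker on the link."""
    seen = defaultdict(list)
    for ts, src, opname, reason in parse_ignored(lines):
        if reason == "invalid authentication":
            seen[src].append((ts, opname))
    out = {}
    for src, events in seen.items():
        if len(events) >= threshold:
            times = [t for t, _ in events]
            out[src] = {"count": len(events),
                        "span_seconds": (max(times) - min(times)).total_seconds(),
                        "opcodes": sorted({o for _, o in events})}
    return out

# Constructed sample in the format of the debug trace on this page.
SAMPLE = """\
Mar 3 01:40:59.704: EIGRP: ignored packet from 10.1.1.1 opcode = 5 (invalid authentication)
Mar 3 01:41:04.712: EIGRP: ignored packet from 10.1.1.1 opcode = 5 (invalid authentication)
Mar 3 01:41:09.720: EIGRP: ignored packet from 10.1.1.1 opcode = 5 (invalid authentication)
Mar 3 01:41:10.001: EIGRP: ignored packet from 10.1.1.7 opcode = 1 (invalid authentication)
Mar 3 01:41:12.330: EIGRP: Sending HELLO on FastEthernet0/0
""".splitlines()

if __name__ == "__main__":
    for src, info in auth_failures(SAMPLE).items():
        print(f"{src}: {info['count']} drops over {info['span_seconds']:.1f}s, {info['opcodes']}")
```

With the default threshold only 10.1.1.1 is reported (three Hello drops over about ten seconds, the signature of a neighbor that will never come up); the single Update drop from 10.1.1.7 appears only if the threshold is lowered.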