IP Routing: EIGRP Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)
IP EIGRP Route Authentication
Download this chapter
IP EIGRP Route AuthenticationIP EIGRP Route Authentication
Download the complete book
IP Routing: EIGRP Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)IP Routing: EIGRP Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches) (PDF - 830 KB)
 Feedback

Contents

IP EIGRP Route Authentication

Last Updated: November 30, 2012

The IP Enhanced IGRP Route Authentication feature provides MD5 authentication of routing updates from the EIGRP routing protocol. The MD5 keyed digest in each EIGRP packet prevents the introduction of unauthorized or false routing messages from unapproved sources.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About IP EIGRP Route Authentication

EIGRP Route Authentication

EIGRP route authentication provides MD5 authentication of routing updates from the EIGRP routing protocol. The MD5 keyed digest in each EIGRP packet prevents the introduction of unauthorized or false routing messages from unapproved sources.

Each key has its own key identifier (specified with the key number key chain configuration command), which is stored locally. The combination of the key identifier and the interface associated with the message uniquely identifies the authentication algorithm and the MD5 authentication key in use.

You can configure multiple keys with specific lifetimes. Only one authentication packet is sent, regardless of how many valid keys exist. The software examines the key numbers in the order from lowest to highest, and uses the first valid key that it encounters. Note that the device needs to know the time to configure keys with lifetimes.

How to Configure IP EIGRP Route Authentication

Defining an Autonomous System for EIGRP Route Authentication

Before You Begin

Before you configure EIGRP route authentication, you must enable EIGRP. In this task, EIGRP is defined with an autonomous system number.


SUMMARY STEPS

1.    enable

2.    configure terminal

3.    interface type number

4.    ip authentication mode eigrp autonomous-system md5

5.    ip authentication key-chain eigrp autonomous-system key-chain

6.    exit

7.    key chain name-of-chain

8.    key key-id

9.    key-string text

10.    accept-lifetime start-time {infinite | end-time | duration seconds}

11.    send-lifetime start-time {infinite | end-time | duration seconds}

12.    end


DETAILED STEPS
 Command or ActionPurpose
Step 1
enable


Example:

Device> enable

 

Enables privileged EXEC mode.

  • Enter your password if prompted.
 
Step 2
configure terminal


Example:

Device# configure terminal

 

Enters global configuration mode.

 
Step 3
interface type number


Example:

Device(config)# interface gigabitethernet 0/0/1

 

Configures an interface type and enters interface configuration mode.

 
Step 4
ip authentication mode eigrp autonomous-system md5


Example:

Device(config-if)# ip authentication mode eigrp 1 md5

 

Enables MD5 authentication in EIGRP packets.

 
Step 5
ip authentication key-chain eigrp autonomous-system key-chain


Example:

Device(config-if)# ip authentication key-chain eigrp 1 keychain1

 

Enables authentication of EIGRP packets.

 
Step 6
exit


Example:

Device(config-if)# exit

 

Exits to global configuration mode.

 
Step 7
key chain name-of-chain


Example:

Device(config)# key chain keychain1

 

Identifies a key chain and enters key chain configuration mode.

 
Step 8
key key-id


Example:

Device(config-keychain)# key 1

 

Identifies the key number and enters key chain key configuration mode.

 
Step 9
key-string text


Example:

Device(config-keychain-key)# key-string 0987654321

 

Identifies the key string.

 
Step 10
accept-lifetime start-time {infinite | end-time | duration seconds}


Example:

Device(config-keychain-key)# accept-lifetime 04:00:00 Jan 4 2007 infinite

 

(Optional) Specifies the time period during which the key can be received.

 
Step 11
send-lifetime start-time {infinite | end-time | duration seconds}


Example:

Device(config-keychain-key)# send-lifetime 04:00:00 Dec 4 2006 infinite

 

(Optional) Specifies the time period during which the key can be sent.

 
Step 12
end


Example:

Device(config-keychain-key)# end

 

Exits key chain key configuration mode and returns to privileged EXEC mode.

 

Defining a Named Configuration for EIGRP Route Authentication

Before You Begin

Before you configure EIGRP route authentication, you must enable EIGRP. In this task, EIGRP is defined with a virtual instance name.


SUMMARY STEPS

1.    enable

2.    configure terminal

3.    router eigrp virtual-instance-name

4.   Enter one of the following:

  • address-family ipv4 [multicast] [unicast] [vrf vrf-name] autonomous-system autonomous-system-number
  • address-family ipv6 [unicast] [vrf vrf-name] autonomous-system autonomous-system-number

5.    network ip-address [wildcard-mask]

6.    af-interface {default | interface-type interface-number}

7.    authentication key-chain name-of-chain

8.    authentication mode {hmac-sha-256 encryption-type password | md5}

9.    exit-af-interface

10.    exit-address-family

11.    exit

12.    key chain name-of-chain

13.    key key-id

14.    key-string text

15.    accept-lifetime start-time {infinite | end-time | duration seconds}

16.    send-lifetime start-time {infinite | end-time | duration seconds}

17.    end


DETAILED STEPS
 Command or ActionPurpose
Step 1
enable


Example:

Device> enable

 

Enables privileged EXEC mode.

  • Enter your password if prompted.
 
Step 2
configure terminal


Example:

Device# configure terminal

 

Enters global configuration mode.

 
Step 3
router eigrp virtual-instance-name


Example:

Device(config)# router eigrp virtual-name1

 

Enables an EIGRP routing process and enters router configuration mode.

 
Step 4
Enter one of the following:
  • address-family ipv4 [multicast] [unicast] [vrf vrf-name] autonomous-system autonomous-system-number
  • address-family ipv6 [unicast] [vrf vrf-name] autonomous-system autonomous-system-number


Example:

Device(config-router)# address-family ipv4 autonomous-system 45000

Device(config-router)# address-family ipv6 autonomous-system 45000

 

Enters address family configuration mode to configure an EIGRP IPv4 or IPv6 routing instance.

 
Step 5
network ip-address [wildcard-mask]


Example:

Device(config-router-af)# network 172.16.0.0

 

Associates networks with an EIGRP routing process.

 
Step 6
af-interface {default | interface-type interface-number}


Example:

Device(config-router-af)# af-interface ethernet 0/0

 

Enters address family interface configuration mode and configures interface-specific EIGRP commands.

 
Step 7
authentication key-chain name-of-chain


Example:

Device(config-router-af-interface)# authentication key-chain SITE1

 

Specifies an authentication key chain for EIGRP.

 
Step 8
authentication mode {hmac-sha-256 encryption-type password | md5}


Example:

Device(config-router-af-interface)# authentication mode md5

 

Specifies the type of authentication used in an EIGRP address family for the EIGRP instance.

 
Step 9
exit-af-interface


Example:

Device(config-router-af-interface)# exit-af-interface

 

Exits address family interface configuration mode.

 
Step 10
exit-address-family


Example:

Device(config-router-af)# exit-address-family

 

Exits address family configuration mode.

 
Step 11
exit


Example:

Device(config-router)# exit

 

Exits router configuration mode and returns to global configuration mode.

 
Step 12
key chain name-of-chain


Example:

Device(config)# key chain keychain1

 

Identifies a key chain and enters key chain configuration mode.

 
Step 13
key key-id


Example:

Device(config-keychain)# key 1

 

Identifies the key number and enters key chain key configuration mode.

 
Step 14
key-string text


Example:

Device(config-keychain-key)# key-string 0987654321

 

Identifies the key string.

 
Step 15
accept-lifetime start-time {infinite | end-time | duration seconds}


Example:

Device(config-keychain-key)# accept-lifetime 04:00:00 Jan 4 2007 infinite

 

(Optional) Specifies the time period during which the key can be received.

 
Step 16
send-lifetime start-time {infinite | end-time | duration seconds}


Example:

Device(config-keychain-key)# send-lifetime 04:00:00 Dec 4 2006 infinite

 

(Optional) Specifies the time period during which the key can be sent.

 
Step 17
end


Example:

Device(config-keychain-key)# end

 

Exits key chain key configuration mode and returns to privileged EXEC mode.

 

Configuration Examples for IP EIGRP Route Authentication

Example: EIGRP Route Authentication--Autonomous System Definition

The following example shows how to enable MD5 authentication on EIGRP packets in autonomous system 1.

Router A will accept and attempt to verify the MD5 digest of any EIGRP packet with a key equal to 1. It will also accept a packet with a key equal to 2. All other MD5 packets will be dropped. Router A will send all EIGRP packets with key 2.

Router B will accept key 1 or key 2 and will use key 1 to send MD5 authentication because key 1 is the first valid key of the key chain. Key 1 is not valid after December 4, 2006. After this date, key 2 is used to send MD5 authentication, and this key is valid until January 4, 2007.

The figure below shows the scenario.

Figure 1EIGRP Route Authentication Scenario


Router A Configuration

Device> enable
Device(config)# configure terminal
Device(config)# router eigrp 1
Device(config-router)# exit
Device(config)# interface ethernet 1/0 
Device(config-if)# ip authentication mode eigrp 1 md5
Device(config-if)# ip authentication key-chain eigrp 1 key1
Device(config-if)# exit
Device(config)# key chain key1
Device(config-keychain)# key 1
Device(config-keychain-key)# key-string 0987654321
Device(config-keychain-key)# accept-lifetime 04:00:00 Dec 4 2006 infinite
Device(config-keychain-key)# send-lifetime 04:00:00 Dec 4 2006 04:48:00 Dec 4 1996
Device(config-keychain-key)# exit
Device(config-keychain)# key 2
Device(config-keychain-key)# key-string 1234567890
Device(config-keychain-key)# accept-lifetime 04:00:00 Jan 4 2007 infinite
Device(config-keychain-key)# send-lifetime 04:45:00 Jan 4 2007 infinite

Router B Configuration

Device> enable
Device(config)# configure terminal
Device(config)# router eigrp 1
Device(config-router)# exit
Device(config)# interface ethernet 1/0 
Device(config-if)# ip authentication mode eigrp 1 md5
Device(config-if)# ip authentication key-chain eigrp 1 key2
Device(config-if)# exit
Device(config)# key chain key2
Device(config-keychain)# key 1
Device(config-keychain-key)# key-string 0987654321
Device(config-keychain-key)# accept-lifetime 04:00:00 Dec 4 2006 infinite
Device(config-keychain-key)# send-lifetime 04:00:00 Dec 4 2006 infinite
Device(config-keychain-key)# exit
Device(config-keychain)# key 2
Device(config-keychain-key)# key-string 1234567890
Device(config-keychain-key)# accept-lifetime 04:00:00 Jan 4 2007 infinite
Device(config-keychain-key)# send-lifetime 04:45:00 Jan 4 2007 infinite

Example: EIGRP Route Authentication--Named Configuration

The following example shows how to enable MD5 authentication on EIGRP packets in a named configuration.

Router A will accept and attempt to verify the MD5 digest of any EIGRP packet with a key equal to 1. It will also accept a packet with a key equal to 2. All other MD5 packets will be dropped. Router A will send all EIGRP packets with key 2.

Router B will accept key 1 or key 2 and will use key 1 to send MD5 authentication because key 1 is the first valid key of the key chain. Key 1 is not valid after December 4, 2006. After this date, key 2 will be used to send MD5 authentication because it is valid until January 4, 2007.

Router A Configuration

Device> enable
Device# configure terminal
Device(config)# router eigrp virtual-name1
Device(config-router)# address-family ipv4 autonomous-system 45000
Device(config-router-af)# network 172.16.0.0
Device(config-router-af)# af-interface ethernet 0/0
Device(config-router-af-interface)# authentication key-chain SITE1
Device(config-router-af-interface)# authentication mode md5
Device(config-router-af-interface)# exit-af-interface
Device(config-router-af)# exit-address-family
Device(config-router)# exit
Device(config)# key chain SITE1
Device(config-keychain)# key 1
Device(config-keychain-key)# key-string 0987654321
Device(config-keychain-key)# accept-lifetime 04:00:00 Dec 4 2006 infinite
Device(config-keychain-key)# send-lifetime 04:00:00 Dec 4 2006 infinite
Device(config-keychain-key)# exit
Device(config-keychain)# key 2
Device(config-keychain-key)# key-string 1234567890
Device(config-keychain-key)# accept-lifetime 04:00:00 Jan 4 2007 infinite
Device(config-keychain-key)# send-lifetime 04:45:00 Jan 4 2007 infinite

Router B Configuration

Device> enable
Device# configure terminal
Device(config)# router eigrp virtual-name2
Device(config-router)# address-family ipv4 autonomous-system 45000
Device(config-router-af)# network 172.16.0.0
Device(config-router-af)# af-interface ethernet 0/0
Device(config-router-af-interface)# authentication key-chain SITE2
Device(config-router-af-interface)# authentication mode md5
Device(config-router-af-interface)# exit-af-interface
Device(config-router-af)# exit-address-family
Device(config-router)# exit
Device(config)# key chain SITE2
Device(config-keychain)# key 1
Device(config-keychain-key)# key-string 0987654321
Device(config-keychain-key)# accept-lifetime 04:00:00 Jan 4 2007 infinite
Device(config-keychain-key)# send-lifetime 04:00:00 Dec 4 2006 infinite

The following example shows how to configure advanced SHA authentication with password password1 and several key strings that will be rotated as time passes: 

!
key chain chain1
 key 1 
  key-string securetraffic
  accept-lifetime 04:00:00 Dec 4 2006 infinite
  send-lifetime 04:00:00 Dec 4 2010 04:48:00 Dec 4 2008
 !
 key 2
  key-string newertraffic
  accept-lifetime 01:00:00 Dec 4 2010 infinite
  send-lifetime 03:00:00 Dec 4 2010 infinite
 exit
!
router eigrp virtual-name
  address-family ipv6 autonomous-system 4453
    af-interface ethernet 0
       authentication mode hmac-sha-256 0 password1
       authentication key-chain key1
  !
!

Additional References

Related Documents

Related Topic Document Title

Cisco IOS commands

Cisco IOS Master Command List, All Releases

EIGRP commands

Cisco IOS IP Routing: EIGRP Command Reference

EIGRP FAQ

EIGRP Frequently Asked Questions

EIGRP Technology White Papers

Enhanced Interior Gateway Routing Protocol

Technical Assistance

Description Link

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html

Feature Information for IP EIGRP Route Authentication

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1Feature Information for IP EIGRP Route Authentication
Feature Name Releases Feature Information

IP Enhanced IGRP Route Authentication

Cisco IOS XE Release 2.1

EIGRP route authentication provides MD5 authentication of routing updates from the EIGRP routing protocol. The MD5 keyed digest in each EIGRP packet prevents the introduction of unauthorized or false routing messages from unapproved sources.

The following commands were introduced or modified:

ip authentication key-chain eigrp, ip authentication mode eigrp, show ip eigrp interfaces.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2012-2013 Cisco Systems, Inc. All rights reserved.