Secure EIGRP

EIGRP message authentication ensures that routers only accept routing messages from other routers that know the same pre-shared key. Without authentication configured, if an unauthorized person introduces another router with different or conflicting route information on the network, the routing tables on the legitimate routers can become corrupt and a DoS attack may ensue.

EIGRP supports routing protocol authentication using MD5. The configuration of EIGRP message authentication consists of two steps:

  1. The creation of a keychain and key
    Before authentication can be enabled, create a keychain and at least one key.

    a. In global configuration mode, create the keychain. Although multiple keys can be configured, this section focuses on the use of a single key.

    Router(config)# key chain name-of-chain

    b. Specify the key ID. The key ID is the number used to identify an authentication key within a keychain. The range of keys is from 0 to 2,147,483,647. It is recommended that the key number be the same on all routers in the configuration.

    Router(config-keychain)# key key-id

    c. Specify the key string for the key. The key string is similar to a password. Routers exchanging authentication keys must be configured using the same key string.

    Router(config-keychain-key)# key-string key-string-text

  2. The configuration of EIGRP authentication to use that keychain and key.
    a. In global configuration mode, specify the interface on which to configure EIGRP message authentication.

    Router(config)# interface type number

    b. Enable EIGRP message authentication. The md5 keyword indicates that the MD5 hash is to be used for authentication.

    Router(config-if)# ip authentication mode eigrp as-number md5

    c. Specify the keychain that should be used for authentication. The name-of-chain argument specifies the keychain that was created in Step 1.

    Router(config-if)# ip authentication key-chain eigrp as-number name-of-chain

    Each key has its own key ID, which is stored locally. The combination of the key ID and the interface associated with the message uniquely identifies the authentication algorithm and MD5 authentication key in use. The keychain and the routing update are processed using the MD5 algorithm to produce a unique signature.
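As an added example (not from the page, nor Cisco code), the two-step configuration above is embedded as constructed running-config excerpts for R1 and R2 inside a small Python audit that parses the keychain and interface commands (ip or ipv6 form) and checks that the key ID, key-string, md5 mode and AS number are consistent on every router. The router names, the keychain name EIGRP-KEYS and the key-strings are assumptions; R2's key-string is deliberately wrong so the audit has something to report.

```python
import re
# Constructed running-config excerpts (not from the page); R2's key-string deliberately differs from R1's.
CONFIGS = {
    "R1": "key chain EIGRP-KEYS\n key 1\n  key-string SecretPSK\n"
          "interface Serial0/0/0\n ip authentication mode eigrp 1 md5\n"
          " ip authentication key-chain eigrp 1 EIGRP-KEYS\n",
    "R2": "key chain EIGRP-KEYS\n key 1\n  key-string secretpsk\n"
          "interface Serial0/0/0\n ip authentication mode eigrp 1 md5\n"
          " ip authentication key-chain eigrp 1 EIGRP-KEYS\n",
}

def parse_config(text):
    """Return ({chain: {key_id: key_string}}, {interface: auth settings}) from IOS config text."""
    chains, intfs, chain, key_id, intf = {}, {}, None, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"key chain (\S+)$", line):                # step 1a
            chain, chains[m[1]] = m[1], {}
        elif m := re.match(r"key (\d+)$", line):                    # step 1b
            key_id = int(m[1])
        elif m := re.match(r"key-string (\S+)$", line):             # step 1c
            chains[chain][key_id] = m[1]
        elif m := re.match(r"interface (\S+)$", line):              # step 2a
            intf, intfs[m[1]] = m[1], {}
        elif m := re.match(r"ip(?:v6)? authentication mode eigrp (\d+) (\S+)$", line):
            intfs[intf].update(as_num=int(m[1]), mode=m[2])         # step 2b
        elif m := re.match(r"ip(?:v6)? authentication key-chain eigrp (\d+) (\S+)$", line):
            intfs[intf].update(chain_as=int(m[1]), chain=m[2])      # step 2c
    return chains, intfs

def audit(configs):
    """Return findings; an empty list means authentication is consistent on every router."""
    findings, parsed = [], {r: parse_config(c) for r, c in configs.items()}
    for router, (chains, intfs) in parsed.items():
        for intf, a in intfs.items():
            if a.get("mode") != "md5" or "chain" not in a:
                findings.append(f"{router} {intf}: mode/key-chain not fully configured")
            elif a["chain"] not in chains:
                findings.append(f"{router} {intf}: key chain {a['chain']} is undefined")
            elif a["as_num"] != a["chain_as"]:
                findings.append(f"{router} {intf}: AS number differs between the two commands")
    seen = {}  # (chain, key ID) -> {router: key-string}; must be identical everywhere (step 1c)
    for router, (chains, _) in parsed.items():
        for chain, keys in chains.items():
            for kid, s in keys.items():
                seen.setdefault((chain, kid), {})[router] = s
    for (chain, kid), by_router in seen.items():
        if len(set(by_router.values())) > 1:
            findings.append(f"key chain {chain} key {kid}: key-string differs on {sorted(by_router)}")
    return findings
```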

Configuring EIGRP for IPv6 Authentication

The algorithms and the configuration to authenticate EIGRP for IPv6 messages are the same as EIGRP for IPv4. The only difference is the interface configuration mode commands use ipv6, instead of ip.

Verify the Authentication

After EIGRP message authentication is configured on one router, any adjacent neighbors that have not yet been configured for authentication are no longer EIGRP neighbors. For example, when R1’s Serial 0/0/0 interface was configured for MD5 authentication, but R2 had not yet been configured, the following IOS message appeared on R1:

%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.16.3.2 (Serial0/0/0) is down: authentication mode changed

When the adjacent Serial 0/0/0 interface on R2 is configured, the adjacency is re-established and the following IOS message is displayed on R1:

%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.16.3.2 (Serial0/0/0) is up: new adjacency

Similar messages are also displayed on R2.

Adjacencies are only formed when both connecting devices have authentication configured. To verify that the correct EIGRP adjacencies were formed after being configured for authentication, use the show ip eigrp neighbors command on each router.

To verify the neighbor adjacencies for EIGRP for IPv6, use the show ipv6 eigrp neighbors command.
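Added example (not part of the original page): a small Python detector that replays %DUAL-5-NBRCHANGE messages like the ones above and reports neighbors whose most recent event is a drop for an authentication change, which is how a peer that has not yet been configured looks from the authenticated side. The syslog sample, its timestamps and the second neighbor 192.168.10.2 on Serial0/0/1 are constructed.

```python
import re

# Constructed syslog sample (not from the page): one neighbor drops when R1 enables
# authentication and comes back once R2 is configured; a second neighbor stays down.
SYSLOG = """\
Mar  1 10:01:02 R1: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.16.3.2 (Serial0/0/0) is down: authentication mode changed
Mar  1 10:01:40 R1: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.10.2 (Serial0/0/1) is down: authentication mode changed
Mar  1 10:03:15 R1: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.16.3.2 (Serial0/0/0) is up: new adjacency
"""

NBRCHANGE = re.compile(
    r"%DUAL-5-NBRCHANGE: EIGRP-(?P<af>IPv[46]) (?P<asn>\d+): "
    r"Neighbor (?P<nbr>\S+) \((?P<intf>[^)]+)\) is (?P<state>up|down): (?P<reason>.+)$"
)

def neighbor_states(log):
    """Replay NBRCHANGE events in order; return {(asn, neighbor, intf): (state, reason)}."""
    states = {}
    for line in log.splitlines():
        if m := NBRCHANGE.search(line):
            states[(int(m["asn"]), m["nbr"], m["intf"])] = (m["state"], m["reason"])
    return states

def auth_mismatch_alerts(log):
    """Neighbors whose latest event is a drop caused by an authentication change, i.e.
    peers that have not been reconfigured since authentication was enabled on this side."""
    return sorted(key for key, (state, reason) in neighbor_states(log).items()
                  if state == "down" and reason.startswith("authentication"))
```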

Troubleshooting EIGRP

Neighbor issues:

Neighbor adjacency might not be formed for a number of reasons, including the following:

  • The interface between the devices is down.
  • The two routers have mismatching EIGRP autonomous system numbers (process IDs).
  • Proper interfaces are not enabled for the EIGRP process.
  • An interface is configured as passive.

Some issues that may cause a connectivity problem for EIGRP include:

  • Proper networks are not being advertised on remote routers.
  • An incorrectly configured passive interface, or an ACL, is blocking advertisements of remote networks.
  • Automatic summarization is causing inconsistent routing in a discontiguous network.

If all of the required routes are in the routing table, but the path that traffic takes is not correct, verify the interface bandwidth values.

Show commands

The show ip eigrp interfaces command displays which interfaces are enabled for EIGRP. If connected interfaces are not enabled for EIGRP, then neighbors do not form an adjacency.

The “Routing for Networks” section of the show ip protocols command indicates which networks have been configured.

If the network is not present in this section, use show running-config to ensure that the proper network command was configured.

“IP Routing is NSF aware” refers to Nonstop Forwarding (NSF). This capability allows the EIGRP peers of a failing router to retain the routing information that it has advertised, and to continue using this information until the failed router resumes normal operation and is able to exchange routing information. For more information, refer to: http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_eigrp/configuration/15-mt/eigrp-nsf-awa.html
