Configuring EIGRP authentication

Posted: January 24, 2016 in CISCO

EIGRP message authentication is used to prevent incorrect routes from being injected into routers. It also prevents another router from being added to the network, purposely or accidentally, which can seriously cripple the network.

R1:

!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
!
interface Serial1/0
ip address 172.16.12.1 255.255.255.248
!
interface Serial1/2
ip address 172.16.13.1 255.255.255.248
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 security
serial restart-delay 0
!
router eigrp 1
network 10.0.0.0
network 172.16.0.0
network 192.168.1.0

R2:

!
interface Loopback0
ip address 192.168.2.2 255.255.255.0
!
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0
!
interface Serial1/0
ip address 172.16.12.2 255.255.255.248
!
interface Serial1/1
ip address 172.16.23.2 255.255.255.248
!
router eigrp 1
network 10.0.0.0
network 172.16.0.0
network 192.168.2.0

R3:

!
interface Loopback0
ip address 192.168.3.3 255.255.255.0
!
interface FastEthernet0/0
ip address 10.1.1.3 255.255.255.0
!
interface Serial1/1
ip address 172.16.23.3 255.255.255.248
!
interface Serial1/2
ip address 172.16.13.3 255.255.255.248
!
router eigrp 1
network 10.0.0.0
network 172.16.0.0
network 192.168.0.0

 

EIGRP only supports Message Digest 5 (MD5) authentication.

Configuring a key chain named security:

R1(config)#key chain security
R2(config)#key chain security
R3(config)#key chain security

Under the key chain we configure a key, which needs to match on all routers in the topology:

R1(config-keychain)#key 1
R2(config-keychain)#key 1
R3(config-keychain)#key 1

 

Specifying the authentication string (cisco) for key 1 (configured in previous step):

R1(config-keychain-key)#key-string cisco
R2(config-keychain-key)#key-string cisco
R3(config-keychain-key)#key-string cisco

Configuring EIGRP authentication on the interfaces:

R1(config)#int s1/0
!Enable EIGRP message authentication. The 1 is the autonomous system number of the
!network. md5 is the hash to be used for authentication.
R1(config-if)#ip authentication mode eigrp 1 md5
!The key chain that is to be used for authentication. 1 is the autonomous system
!number. security is the key chain created with the key chain command.
R1(config-if)#ip authentication key-chain eigrp 1 security
R1(config)#int f0/0
R1(config-if)#ip authentication mode eigrp 1 md5
R1(config-if)#ip authentication key-chain eigrp 1 security
R1(config)#int s1/2
R1(config-if)#ip authentication mode eigrp 1 md5
R1(config-if)#ip authentication key-chain eigrp 1 security

R2(config)#int f0/0
R2(config-if)#ip authentication mode eigrp 1 md5
R2(config-if)#ip authentication key-chain eigrp 1 security
R2(config)#int s1/0
R2(config-if)#ip authentication mode eigrp 1 md5
R2(config-if)#ip authentication key-chain eigrp 1 security
R2(config)#int s1/1
R2(config-if)#ip authentication mode eigrp 1 md5
R2(config-if)#ip authentication key-chain eigrp 1 security

R3(config)#int f0/0
R3(config-if)#ip authentication mode eigrp 1 md5
R3(config-if)#ip authentication key-chain eigrp 1 security
R3(config)#int s1/2
R3(config-if)#ip authentication mode eigrp 1 md5
R3(config-if)#ip authentication key-chain eigrp 1 security
R3(config)#int s1/1
R3(config-if)#ip authentication mode eigrp 1 md5
R3(config-if)#ip authentication key-chain eigrp 1 security
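
Both interface commands have to be present on every EIGRP-facing interface, so a saved configuration can be audited offline for gaps. The script below is an added example, not part of the original post: it checks R1's listing from the top of this page (where only Serial1/2 carries the commands) and assumes classful network statements, as used here. The names audit and classful are hypothetical helpers.

```python
import ipaddress
import re
# R1's listing from the top of this page, trimmed to the lines the audit reads.
R1_CONFIG = """\
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
!
interface Serial1/0
 ip address 172.16.12.1 255.255.255.248
!
interface Serial1/2
 ip address 172.16.13.1 255.255.255.248
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 security
!
router eigrp 1
 network 10.0.0.0
 network 172.16.0.0
 network 192.168.1.0
"""

def classful(net):
    """Expand a bare 'network x.x.x.x' statement to its classful prefix (assumption)."""
    first = int(net.split(".")[0])
    bits = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{net}/{bits}")

def audit(config, asn=1):
    """Return non-loopback EIGRP interfaces missing 'mode md5' or a key-chain."""
    nets = [classful(n) for n in re.findall(r"^\s*network (\S+)\s*$", config, re.M)]
    missing = []
    for block in re.split(r"^!\s*$", config, flags=re.M):
        name = re.search(r"^interface (\S+)", block, re.M)
        addr = re.search(r"^\s*ip address (\S+) ", block, re.M)
        if not name or not addr or name.group(1).startswith("Loopback"):
            continue  # not an addressed interface, or a loopback with no neighbors
        if not any(ipaddress.ip_address(addr.group(1)) in n for n in nets):
            continue  # interface is not covered by a network statement
        mode = re.search(rf"ip authentication mode eigrp {asn} md5", block)
        chain = re.search(rf"ip authentication key-chain eigrp {asn} \S+", block)
        if not (mode and chain):
            missing.append(name.group(1))
    return missing

if __name__ == "__main__":
    print(audit(R1_CONFIG))
```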

 

R1#sh ip eigrp interfaces detail
EIGRP-IPv4 Interfaces for AS(1)
                   Xmit Queue   PeerQ        Mean   Pacing Time   Multicast    Pending
Interface   Peers  Un/Reliable  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Fa0/0         0        0/0          0/0        0        0/0          1120         0
  Hello-interval is 5, Hold-time is 15
  Split-horizon is enabled
  Next xmit serial <none>
  Packetized sent/expedited: 5/0
  Hello's sent/expedited: 1458/3
  Un/reliable mcasts: 0/3  Un/reliable ucasts: 8/5
  Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 0
  Retransmissions sent: 2  Out-of-sequence rcvd: 1
  Topology-ids on interface - 0
  Authentication mode is md5, key-chain is "security"

Enable debugging on a router (R3 in this example):

R3#debug eigrp packets
*Jan 24 17:38:24.043: EIGRP: Sending HELLO on Se1/2 - paklen 60
*Jan 24 17:38:24.047: AS 1, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Jan 24 17:38:24.207: EIGRP: received packet with MD5 authentication, key id = 1
*Jan 24 17:38:24.207: EIGRP: Received HELLO on Fa0/0 - paklen 60 nbr 10.1.1.2
*Jan 24 17:38:24.211: AS 1, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
R3#no debug eigrp packets
EIGRP Packet debugging is off
R3#
*Jan 24 17:38:25.123: EIGRP: Fa0/0: ignored packet from 10.1.1.1, opcode = 5 (missing authentication)
*Jan 24 17:38:26.023: EIGRP: Sending HELLO on Fa0/0 - paklen 60
*Jan 24 17:38:26.027: AS 1, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
R3#
*Jan 24 17:38:26.203: EIGRP: received packet with MD5 authentication, key id = 1
*Jan 24 17:38:26.203: EIGRP: Received HELLO on Se1/2 - paklen 60 nbr 172.16.13.1
*Jan 24 17:38:26.207: AS 1, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
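
The capture above contains both outcomes: hellos accepted with key id 1, and a hello from 10.1.1.1 dropped for missing authentication. The triage script below is an added example, not part of the original post. It sorts neighbors into those two groups and assumes, as in this capture, that the "received packet with MD5 authentication" line directly precedes the "Received HELLO" line for the same packet. The function name classify is hypothetical.

```python
import re
from collections import Counter

# Lines taken from the R3 capture on this page.
DEBUG_LOG = """\
*Jan 24 17:38:24.207: EIGRP: received packet with MD5 authentication, key id = 1
*Jan 24 17:38:24.207: EIGRP: Received HELLO on Fa0/0 - paklen 60 nbr 10.1.1.2
*Jan 24 17:38:25.123: EIGRP: Fa0/0: ignored packet from 10.1.1.1, opcode = 5 (missing authentication)
*Jan 24 17:38:26.203: EIGRP: received packet with MD5 authentication, key id = 1
*Jan 24 17:38:26.203: EIGRP: Received HELLO on Se1/2 - paklen 60 nbr 172.16.13.1
"""

AUTH_OK = re.compile(r"EIGRP: received packet with MD5 authentication, key id = (\d+)")
# "." before paklen accepts the hyphen or a typographic dash from a pasted capture.
RECEIVED = re.compile(r"EIGRP: Received (\w+) on (\S+) . paklen \d+ nbr (\S+)")
IGNORED = re.compile(r"EIGRP: (\S+): ignored packet from (\S+), opcode = \d+ \((.+?)\)")

def classify(log):
    """Return (accepted, rejected).

    accepted maps (interface, neighbor) to the key id that authenticated it;
    rejected maps (interface, source, reason) to the number of dropped packets.
    """
    accepted, rejected = {}, Counter()
    pending_key = None  # key id announced by the preceding authentication line
    for line in log.splitlines():
        if m := AUTH_OK.search(line):
            pending_key = int(m.group(1))
        elif m := RECEIVED.search(line):
            if pending_key is not None:
                accepted[(m.group(2), m.group(3))] = pending_key
            pending_key = None
        elif m := IGNORED.search(line):
            rejected[(m.group(1), m.group(2), m.group(3))] += 1
    return accepted, dict(rejected)

if __name__ == "__main__":
    ok, dropped = classify(DEBUG_LOG)
    print("authenticated:", ok)
    print("rejected:", dropped)
```

A rejected source that should be a neighbor, such as 10.1.1.1 here, points to an interface on that router where the two authentication commands have not been applied yet.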

 
