To help prevent unauthorized routing updates, EIGRP can be configured to authenticate peers. The following tech-recipe explains how this is done.
For this example, two routers, A and B, are directly connected with Fast Ethernet. The IP network is 10.1.1.0/24.
Enter the appropriate passwords, and then enter the following configuration mode:conf t
Address the interfaces.
Router A:interface FastEthernet 0/0
ip address 10.1.1.1 255.255.255.0
Router B:interface FastEthernet 0/0
ip address 10.1.1.2 255.255.255.0
Configure EIGRP (the same on both routers):router eigrp 100
network 10.0.0.0
Then, create keychains in both routers.
Router A:key chain rtrA
key 1
key-string 123
accept-lifetime infinite
send-lifetime 00:00:01 1 Jan 2004 23:59:59 1 Jan 2005
exit
key 2
key-string abc
accept-lifetime infinite
send-lifetime 00:00:01 1 Jan 2004 23:59:59 1 Jan 2005
Router B:key chain rtrB
key 1
key-string 123
accept-lifetime infinite
send-lifetime 00:00:01 1 Jan 2004 23:59:59 1 Jan 2005
exit
key 2
key-string abc
accept-lifetime infinite
send-lifetime 00:00:01 1 Jan 2004 23:59:59 1 Jan 2005
Now, configure authentication. The EIGRP Autonomous System number is 100.
Router A:interface FastEthernet 0/0
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 rtrA
Router B:interface FastEthernet 0/0
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 rtrB
Now, the routers should be verifying the MD5 hash of EIGRP packets, dropping any that do not pass the verification.
In the key configuration, the “infinite” keyword can be used to make non-expiring keys. I would recommend the last keypair be non-expiring to prevent network downtime if the administrator forgets to update the keys before they expire.
