EIGRP Authentication

Yesterday at work I was playing around with EIGRP authentication. It turns out it’s surprisingly easy to do. I’m almost embarrassed I’ve never done it before. Here’s a little config template I whipped up for it:

! EIGRP authentication can be used to prevent the introduction of
! unauthorized routing information.
! EIGRP authentication uses an md5 hash of a pre-shared key string
! to authenticate routing information.  The key string is *NOT* used
! to encrypt the routing information, all EIGRP messages are still
! in plain text and can be sniffed.  The md5 hash is only used for
! authentication.
!
key chain eigrpkeys
 key 1
  key-string !!
!
interface Ethernet0/0
 ip address
 ip authentication mode eigrp 6 md5
 ip authentication key-chain eigrp 6 eigrpkeys
 half-duplex
!
! ********************************************
!
! Key rotation seems to be kind of tricky.  Just replacing the
! key string on both routers causes authentication to fail.
!
! Instead, add the new key, then add
! a send-lifetime (and optionally an accept lifetime) to
! the old key so that it will gracefully expire.  If you use an
! accept lifetime, make certain it doesn't expire until after
! the expiration of the send lifetime on the neighbor router!
!
! After the send lifetime for the old key has passed on
! both routers, then the old key can safely be removed.
!
! If multiple keys are present in the keychain, they are tried
! in ascending numerical order.
!
! ***************************************************
!
key chain eigrpkeys
 key 1
  key-string !!
  accept-lifetime 01:00:00 Feb 2 2004 2:00:00 Feb 2 2004
  send-lifetime 01:00:00 Feb 2 2004 01:15:00 Feb 2 2004
 key 2
  key-string !!
!
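
The accept-lifetime caveat in the rotation notes can be checked before a change window. This is an added example, not part of the original post: it models two neighbors' key chains and reports each minute where the key one router sends would be rejected by the other. The key-selection and matching rules stated in the comments, the placeholder key strings, and ROUTER_B's lifetimes are assumptions made for the illustration.

```python
from datetime import datetime, timedelta
from typing import NamedTuple

FOREVER = (datetime.min, datetime.max)  # no lifetime configured

def t(hms):
    """Time of day on Feb 2 2004, the date used in the template above."""
    return datetime.strptime("2004-02-02 " + hms, "%Y-%m-%d %H:%M:%S")

class Key(NamedTuple):
    key_id: int
    secret: str              # placeholder strings; the page elides the real ones
    send: tuple = FOREVER    # (start, end) of send-lifetime
    accept: tuple = FOREVER  # (start, end) of accept-lifetime

def send_key(chain, now):
    """Assumption: the lowest-numbered key with a valid send-lifetime is used."""
    live = [k for k in chain if k.send[0] <= now < k.send[1]]
    return min(live, key=lambda k: k.key_id) if live else None

def accepts(chain, key, now):
    """Assumption: receiver needs the same key number and string, inside its accept-lifetime."""
    return any(k.key_id == key.key_id and k.secret == key.secret
               and k.accept[0] <= now < k.accept[1] for k in chain)

def rotation_gaps(a, b, start, end, step=timedelta(minutes=1)):
    """List (time, direction) for each step where the sent key would be rejected."""
    gaps, now = [], start
    while now <= end:
        for direction, tx, rx in (("A->B", a, b), ("B->A", b, a)):
            key = send_key(tx, now)
            if key is None or not accepts(rx, key, now):
                gaps.append((now, direction))
        now += step
    return gaps

# Constructed sample. ROUTER_A mirrors the lifetimes in the template above.
# ROUTER_B stops accepting key 1 at 01:10:00, before A stops sending it.
OLD = dict(key_id=1, secret="old-placeholder", send=(t("01:00:00"), t("01:15:00")))
ROUTER_A = [Key(accept=(t("01:00:00"), t("02:00:00")), **OLD), Key(2, "new-placeholder")]
ROUTER_B = [Key(accept=(t("01:00:00"), t("01:10:00")), **OLD), Key(2, "new-placeholder")]

if __name__ == "__main__":
    for when, direction in rotation_gaps(ROUTER_A, ROUTER_B, t("01:00:00"), t("01:30:00")):
        print(when.time(), direction, "sent key not accepted by neighbor")
```

With the template's lifetimes on both routers the checker reports no gaps; with ROUTER_B's shortened accept-lifetime it reports the A->B direction failing from 01:10 until A switches to key 2 at 01:15.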
