Authentication
Here’s how to configure authentication keys for each router participating in the EIGRP routing process:
R1# conf t
R1(config)# key chain EIGRP-KEYS
R1(config-keychain)# key 1
R1(config-keychain-key)# key-string cisco
R2# conf t
R2(config)# key chain EIGRP-KEYS
R2(config-keychain)# key 1
R2(config-keychain-key)# key-string cisco
Key verification
R1# show key chain
Key-chain EIGRP-KEYS:
    key 1 -- text "cisco"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
Now that the keys are configured on the routers, you must apply the key chain to each interface on which you want to authenticate.
R1# conf t
R1(config)# interface serial 1/0
! Syntax: ip authentication key-chain eigrp as_number key_chain_label
R1(config-if)# ip authentication key-chain eigrp 1 EIGRP-KEYS
! The following command sends an MD5 hash of the key instead of sending the key in the clear, which is more secure.
R1(config-if)# ip authentication mode eigrp 1 md5
R2# conf t
R2(config)# interface serial 1/0
R2(config-if)# ip authentication key-chain eigrp 1 EIGRP-KEYS
R2(config-if)# ip authentication mode eigrp 1 md5
Small configuration check:
R1# show ip eigrp interfaces detail
                  Xmit Queue    Mean   Pacing Time   Multicast    Pending
Interface  Peers  Un/Reliable   SRTT   Un/Reliable   Flow Timer   Routes
Se0/0/0      1        0/0          4       0/12          50           0
  Hello interval is 5 sec
  Un/reliable mcasts: 0/0  Un/reliable ucasts: 10/28
  Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 5
  Retransmissions sent: 0  Out-of-sequence rcvd: 0
  Authentication mode is md5,  key-chain is "EIGRP-KEYS"
  Use unicast
And a little debugging to see the authenticated packets arrive on the interfaces:
R1# debug eigrp packets
EIGRP Packets debugging is on
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
*Oct 4 16:10:51.090: EIGRP: Sending HELLO on Serial0/0/1
*Oct 4 16:10:51.090:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Oct 4 16:10:51.190: EIGRP: received packet with MD5 authentication, key id = 1
*Oct 4 16:10:51.190: EIGRP: Received HELLO on Serial0/0/1 nbr 172.16.13.3
*Oct 4 16:10:51.190:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
*Oct 4 16:10:51.854: EIGRP: received packet with MD5 authentication, key id = 1
*Oct 4 16:10:51.854: EIGRP: Received HELLO on FastEthernet0/0 nbr 10.1.1.2
*Oct 4 16:10:51.854:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
*Oct 4 16:10:53.046: EIGRP: received packet with MD5 authentication, key id = 1
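An added example (not part of the original page): a small Python check that reads running-config style text and flags interfaces where the EIGRP key-chain and mode md5 lines are not both present, key chains that are referenced but never defined, and guessable key-strings. The sample config, the Serial1/1 interface and the WEAK_KEYS list are constructed for illustration.

```python
import re

# Constructed sample: R1 as configured above, plus a hypothetical Serial1/1 that
# lacks the "mode md5" line and names a key chain that was never defined.
SAMPLE_CONFIG = """\
key chain EIGRP-KEYS
 key 1
  key-string cisco
!
interface Serial1/0
 ip authentication key-chain eigrp 1 EIGRP-KEYS
 ip authentication mode eigrp 1 md5
!
interface Serial1/1
 ip authentication key-chain eigrp 1 EIGRP-KEY
"""
WEAK_KEYS = {"cisco", "eigrp", "password", "secret"}  # assumed short deny-list
def audit_eigrp_auth(config):
    """Return a sorted list of EIGRP authentication findings for an IOS config."""
    chains, ifaces = {}, {}
    chain = iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # any top-level line closes the current block
            chain = iface = None
        if m := re.fullmatch(r"key chain (\S+)", line):
            chain = chains.setdefault(m[1], [])
        elif m := re.fullmatch(r"interface (\S+)", line):
            iface = ifaces.setdefault(m[1], {"chains": {}, "md5": set()})
        elif chain is not None and (m := re.fullmatch(r"key-string (?:\d+ )?(\S+)", line)):
            chain.append(m[1])
        elif iface is not None and (m := re.fullmatch(r"ip authentication key-chain eigrp (\d+) (\S+)", line)):
            iface["chains"][m[1]] = m[2]
        elif iface is not None and (m := re.fullmatch(r"ip authentication mode eigrp (\d+) md5", line)):
            iface["md5"].add(m[1])
    findings = []
    for name, keys in chains.items():
        findings += [f"key chain {name}: guessable key-string" for k in keys if k.lower() in WEAK_KEYS]
    for name, cfg in ifaces.items():
        for asn, ref in cfg["chains"].items():
            if ref not in chains:
                findings.append(f"{name}: AS {asn} references undefined key chain {ref}")
            if asn not in cfg["md5"]:
                findings.append(f"{name}: AS {asn} has a key chain but no 'mode md5'")
        for asn in cfg["md5"] - set(cfg["chains"]):
            findings.append(f"{name}: AS {asn} has 'mode md5' but no key chain")
    return sorted(findings)
if __name__ == "__main__":
    print("\n".join(audit_eigrp_auth(SAMPLE_CONFIG)))
```

Run it against saved configuration text from each router; an empty result means every interface that names a key chain also enables md5 mode and points at a chain that exists.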
EIGRP Timers
We can see the Hello timers here:
R1# show ip eigrp interfaces detail
IP-EIGRP interfaces for process 1
                  Xmit Queue    Mean   Pacing Time   Multicast    Pending
Interface  Peers  Un/Reliable   SRTT   Un/Reliable   Flow Timer   Routes
Se0/0/0      1        0/0         17      10/380        448           0
  Hello interval is 5 sec
  Next xmit serial
  Un/reliable mcasts: 0/0  Un/reliable ucasts: 17/37
  Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 6
  Retransmissions sent: 0  Out-of-sequence rcvd: 0
  Authentication mode is md5,  key-chain is "EIGRP-KEYS"
  Use unicast
By default, the hello interval is 5 seconds and the hold time is 15 seconds.
Here is how to change them.
R1# conf t
R1(config)# interface serial 1/0
! Change the interval between HELLO packets to 2 seconds
R1(config-if)# ip hello-interval eigrp 1 2
! Change the hold time to 8 seconds
R1(config-if)# ip hold-time eigrp 1 8
R2# conf t
R2(config)# interface serial 1/0
R2(config-if)# ip hello-interval eigrp 1 2
R2(config-if)# ip hold-time eigrp 1 8
A quick check of our changes:
R1# show ip eigrp interfaces detail serial 1/0
IP-EIGRP interfaces for process 1
                  Xmit Queue    Mean   Pacing Time   Multicast    Pending
Interface  Peers  Un/Reliable   SRTT   Un/Reliable   Flow Timer   Routes
Se0/0/0      1        0/0         17      10/380        448           0
  Hello interval is 2 sec
  Next xmit serial
  Un/reliable mcasts: 0/0  Un/reliable ucasts: 17/37
  Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 6
  Retransmissions sent: 0  Out-of-sequence rcvd: 0
  Authentication mode is md5,  key-chain is "EIGRP-KEYS"
  Use unicast
R1# show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address        Interface   Hold  Uptime    SRTT   RTO   Q   Seq
0   172.16.12.2    Se0/0/0        6  01:23:39    17  2280   0   73