EIGRP Authentication

Anggara
Network Warrior
Apr 15, 2017

Here’s a simple lab about EIGRP authentication. With authentication enabled, routers send and receive authenticated packets before the EIGRP adjacency is formed.

Configuration of R1:

R1(config)#interface e0/0
R1(config-if)#ip address 100.100.100.1 255.255.255.252
R1(config-if)#no shut
R1(config)#interface loopback 0
R1(config-if)#ip address 1.1.1.1 255.255.255.255
R1(config-if)#no shut
R1(config)#router eigrp 10
R1(config-router)#network 100.100.100.1 0.0.0.0
R1(config-router)#network 1.1.1.1 0.0.0.0
R1(config-router)#no auto-summary
R1(config)#key chain cisco
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string eigrp
R1(config)#interface e0/0
R1(config-if)#ip authentication key-chain eigrp 10 cisco
R1(config-if)#ip authentication mode eigrp 10 md5

Configuration of R2:

R2(config)#interface e0/0
R2(config-if)#ip address 100.100.100.2 255.255.255.252
R2(config-if)#no shut
R2(config)#interface loopback 0
R2(config-if)#ip address 2.2.2.2 255.255.255.255
R2(config-if)#no shut
R2(config)#interface loopback 1
R2(config-if)#ip address 22.22.22.22 255.255.255.255
R2(config-if)#no shut
R2(config)#router eigrp 10
R2(config-router)#network 100.100.100.2 0.0.0.0
R2(config-router)#network 2.2.2.2 0.0.0.0
R2(config-router)#network 22.22.22.22 0.0.0.0
R2(config-router)#no auto-summary
R2(config)#key chain cisco
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string eigrp
R2(config)#interface e0/0
R2(config-if)#ip authentication key-chain eigrp 10 cisco
R2(config-if)#ip authentication mode eigrp 10 md5

Let’s verify from R1:

R1#debug eigrp packets
(UPDATE, REQUEST, QUERY, REPLY, HELLO, UNKNOWN, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
EIGRP Packet debugging is on
R1#
*Jan 13 06:52:04.560: EIGRP: Sending HELLO on Et0/0 - paklen 60
*Jan 13 06:52:04.560: AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Jan 13 06:52:05.355: EIGRP: received packet with MD5 authentication, key id = 1
*Jan 13 06:52:05.355: EIGRP: Received HELLO on Et0/0 - paklen 60 nbr 100.100.100.2
*Jan 13 06:52:05.356: AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
--output omitted--

R1 received the authenticated packet, and the adjacency was formed:

R1#sh ip route eigrp
--output omitted--
Gateway of last resort is not set
2.0.0.0/32 is subnetted, 1 subnets
D 2.2.2.2 [90/409600] via 100.100.100.2, 00:05:06, Ethernet0/0
22.0.0.0/32 is subnetted, 1 subnets
D 22.22.22.22 [90/409600] via 100.100.100.2, 00:05:06, Ethernet0/0

OK, what if the authentication configuration does not match the router on the other side?

Let’s change the configuration on R2:

R2(config)#interface e0/0
R2(config-if)#no ip authentication key-chain eigrp 10
R2(config-if)#ip authentication key-chain eigrp 10 eigrp

The interface on R2 now references the key chain “eigrp” instead of “cisco”, and R2’s configuration above defines no key chain with that name. Now let’s take a look at R1:

R1#debug eigrp packets
(UPDATE, REQUEST, QUERY, REPLY, HELLO, UNKNOWN, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
EIGRP Packet debugging is on
R1#
*Jan 13 07:07:22.324: EIGRP: Et0/0: ignored packet from 100.100.100.2, opcode = 5 (missing authentication)
R1#
*Jan 13 07:07:23.973: EIGRP: Sending HELLO on Et0/0 - paklen 60
*Jan 13 07:07:23.973: AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
R1#
*Jan 13 07:07:26.604: EIGRP: Et0/0: ignored packet from 100.100.100.2, opcode = 5 (missing authentication)
R1#

Hmmm... there are “ignored packet…” messages.

R1#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(10)
R1#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

See, nothing is shown by “show ip eigrp neighbors”, which means the adjacency was not formed.

Since authentication failed, the adjacency is not formed.
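The failure above comes from an interface that references a key chain name with no definition on the router, which is something a configuration audit can catch before neighbors drop. The following Python check is an added example, not part of the original lab: the function name `audit_eigrp_auth` and the running-config text are constructed for illustration, and the check does not compare key strings or AS numbers between routers.

```python
import re

# Constructed sample: R2 after the change (chain "cisco" defined, "eigrp" referenced).
R2_CONFIG = """\
key chain cisco
 key 1
  key-string eigrp
!
interface Ethernet0/0
 ip address 100.100.100.2 255.255.255.252
 ip authentication mode eigrp 10 md5
 ip authentication key-chain eigrp 10 eigrp
!
"""

def audit_eigrp_auth(config):
    """Return sorted (interface, problem) findings for EIGRP authentication."""
    chains = {}   # key chain name -> count of keys that carry a key-string
    intfs = {}    # interface -> {"chain": referenced name, "md5": bool}
    chain = intf = None
    for line in config.splitlines():
        s = line.strip()
        if not line.startswith(" "):              # top-level line: new section
            chain = intf = None
            if m := re.fullmatch(r"key chain (\S+)", s):
                chain = m.group(1)
                chains.setdefault(chain, 0)
            elif m := re.fullmatch(r"interface (\S+)", s):
                intf = m.group(1)
        elif chain and s.startswith("key-string "):
            chains[chain] += 1
        elif intf and s.startswith("ip authentication "):
            state = intfs.setdefault(intf, {"chain": None, "md5": False})
            if m := re.fullmatch(r"ip authentication key-chain eigrp \d+ (\S+)", s):
                state["chain"] = m.group(1)
            elif re.fullmatch(r"ip authentication mode eigrp \d+ md5", s):
                state["md5"] = True
    findings = []
    for name, state in intfs.items():
        ref = state["chain"]
        if ref is None:
            findings.append((name, "no key chain referenced"))
        elif ref not in chains:
            findings.append((name, f"key chain '{ref}' is not defined"))
        elif chains[ref] == 0:
            findings.append((name, f"key chain '{ref}' has no key-string"))
        if ref is not None and not state["md5"]:
            findings.append((name, "key chain referenced but md5 mode not set"))
    return sorted(findings)
```

Run against R2's changed configuration, the audit reports the undefined key chain on Ethernet0/0; pointing the interface back at “cisco” clears the finding.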
