EIGRP message authentication ensures that routers only accept routing messages from other routers that know the same pre-shared key. Without authentication configured, if an unauthorized person introduces another router with different or conflicting route information on the network, the routing tables on the legitimate routers can become corrupted and a DoS attack may ensue. Adding authentication to the EIGRP messages sent between routers therefore prevents someone from purposely, or accidentally, adding another router to the network and causing a problem.

EIGRP supports routing protocol authentication using MD5. The configuration of EIGRP message authentication consists of two steps: the creation of a keychain and key, and the configuration of EIGRP authentication to use that keychain and key.

Step 1. Create a Keychain and Key

Routing authentication requires a key on a keychain to function. Before authentication can be enabled, create a keychain and at least one key.

a. In global configuration mode, create the keychain. Although multiple keys can be configured, this section focuses on the use of a single key.

Router(config)# key chain name-of-chain

b. Specify the key ID. The key ID is the number used to identify an authentication key within a keychain. Key IDs range from 0 to 2,147,483,647. It is recommended that the key number be the same on all routers in the configuration.

Router(config-keychain)# key key-id

c. Specify the key string for the key. The key string is similar to a password. Routers exchanging authentication keys must be configured using the same key string.

Router(config-keychain-key)# key-string key-string-text

Step 2. Configure EIGRP Authentication Using Keychain and Key

Configure EIGRP to perform message authentication with the previously defined key. Complete this configuration on all interfaces enabled for EIGRP.

a. In global configuration mode, specify the interface on which to configure EIGRP message authentication.

Router(config)# interface type number

b. Enable EIGRP message authentication. The md5 keyword indicates that the MD5 hash is to be used for authentication.

Router(config-if)# ip authentication mode eigrp as-number md5

c. Specify the keychain that should be used for authentication. The name-of-chain argument specifies the keychain that was created in Step 1.

Router(config-if)# ip authentication key-chain eigrp as-number name-of-chain

Each key has its own key ID, which is stored locally. The combination of the key ID and the interface associated with the message uniquely identifies the authentication algorithm and MD5 authentication key in use. The keychain and the routing update are processed using the MD5 algorithm to produce a unique signature.
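An added example, not part of the original page: a Python check that reads a saved configuration and reports interfaces where the two steps above were only partly completed. It assumes the usual IOS running-config layout (sub-commands indented under their parent line); the function name, key chain names and sample text are constructed for illustration.

```python
import re

SAMPLE_CONFIG = """\
key chain EIGRP_KEYS
 key 1
  key-string ExampleSecret
key chain EMPTY_CHAIN
interface GigabitEthernet0/0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 EIGRP_KEYS
interface GigabitEthernet0/1
 ip authentication mode eigrp 1 md5
interface Serial0/0/0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 EMPTY_CHAIN
interface Serial0/0/1
 ip authentication key-chain eigrp 1 MISSING
"""  # constructed sample running-config, not taken from the page

def audit_eigrp_auth(config):
    """Return (interface, AS, problem) tuples for incomplete EIGRP authentication."""
    chains, mode, chain_ref = {}, set(), {}  # key-string count per chain; Step 2b; Step 2c
    section = name = None
    for line in config.splitlines():
        text = line.strip()
        if not line.startswith(" "):  # an unindented line opens a new section
            m = re.match(r"(key chain|interface) (\S+)", text)
            section, name = m.groups() if m else (None, None)
            if section == "key chain":
                chains.setdefault(name, 0)
        elif section == "key chain" and text.startswith("key-string "):
            chains[name] += 1
        elif section == "interface":
            if m := re.match(r"ip authentication mode eigrp (\d+) md5$", text):
                mode.add((name, m.group(1)))
            elif m := re.match(r"ip authentication key-chain eigrp (\d+) (\S+)$", text):
                chain_ref[(name, m.group(1))] = m.group(2)
    findings = []
    for intf, asn in sorted(mode | set(chain_ref)):
        ref = chain_ref.get((intf, asn))
        if (intf, asn) not in mode:
            findings.append((intf, asn, "key-chain set but md5 mode not enabled"))
        if ref is None:
            findings.append((intf, asn, "md5 mode enabled but no key-chain"))
        elif ref not in chains:
            findings.append((intf, asn, f"key chain {ref} not defined"))
        elif not chains[ref]:
            findings.append((intf, asn, f"key chain {ref} has no key-string"))
    return findings
```

The check only looks at interfaces that carry at least one of the two authentication commands; an EIGRP interface with neither command is not reported and has to be found by comparing against the list of EIGRP-enabled interfaces.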