One of the ways to secure your EIGRP configuration is using Authentication.
Let’s imagine a scenario where someone wants to sabotage the routes in your network to replace them with their own, or even to remove them entirely. Without any EIGRP Authentication, they are free to do so.
Let’s see how it works:
EIGRP Authentication essentially adds a unique tag, derived from a pre-configured phrase, to all EIGRP traffic.
When enabled, any EIGRP packet received with a tag that does not match the one expected from the configured phrase is ignored and dropped.
This means that we can protect our network against any attacks designed to be carried out by peering with a malicious neighbour.
EIGRP Authentication configuration is split into two main steps:
- Configure the Key on the Router
- Enable Key Authentication per Interface
Without further ado, let’s take a look at how we configure each stage:
Configure the Key
Here we make the key chain itself. Note that this is not the actual Key Phrase, but the name of the container which holds the Key Phrase information.
R(config)# key chain [NAME LABEL]
Within the Key Chain configuration, we then configure a Key ID to identify the specific Key Phrase within the Key Chain. This is needed because we can configure many different Key Phrases within the same Key Chain.
R(config-keychain)# key [IDENTIFIER]
Lastly, we enter the Key Phrase itself. Note that the correct syntax for this is called the Key-String and we will be using this terminology from now on.
R(config-keychain-key)# key-string [ENCRYPT|HIDE|PLAINTEXT] [KEY PHRASE]
We also have the option here to encrypt the Key String on the device, hide it from the running configuration or to just type it in plain text. Here we will choose to store it in plain text for simplicity, but the choice is yours.
Now that we have configured the Key-String on the Router, all that is left is to apply some configuration on the Interfaces where we want this Key-String to be checked. It is not configured on any interfaces by default.
Apply the Authentication Keys on Desired Interfaces
There are 2 commands we must enter under each desired interface to turn Authentication on. Let’s start:
R(config-if)# ip authentication mode eigrp [AS NUMBER] md5
This command effectively tells your EIGRP AS instance to use Authentication and check for a Key. If you are configuring this on an interface connected to an EIGRP peer which does not have Authentication configured, you will see the Neighbour Relationship drop.
R(config-if)# ip authentication key-chain eigrp [AS NUMBER] [NAME LABEL]
Here is where we reference the Key-Chain we configured on the Router earlier. Once this has been entered, we have told the Router Port to only accept EIGRP packets whose tag was derived from the same Key-String.
That’s it! Your EIGRP configuration is now more secure than before.
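To check both stages on an existing device, here is an added example (not part of the original article) that audits a saved running configuration for interfaces missing either interface command, or referencing a Key Chain that has no Key-String. The sample configuration, AS number 100, key chain names and function names are constructed for illustration, and the caller supplies the list of interfaces expected to run EIGRP.

```python
import re

# Constructed sample running-config (not taken from a real device).
SAMPLE_CONFIG = """\
key chain EIGRP-KEYS
 key 1
  key-string ExamplePhrase
!
interface GigabitEthernet0/0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
interface GigabitEthernet0/1
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEY
interface GigabitEthernet0/2
"""

def parse_sections(config):
    """Group indented lines under the top-level command that precedes them."""
    sections, current = {}, None
    for line in config.splitlines():
        if line.strip() in ("", "!"):
            continue
        if not line.startswith(" "):
            current = sections.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return sections

def audit_eigrp_auth(config, as_number, interfaces):
    """Return {interface: [problems]} for interfaces expected to run EIGRP."""
    sections = parse_sections(config)
    # A key chain is usable only if some key under it carries a key-string.
    usable = {head.split()[2] for head, body in sections.items()
              if head.startswith("key chain ")
              and any(l.startswith("key-string ") for l in body)}
    findings = {}
    for name in interfaces:
        body, problems = sections.get("interface " + name, []), []
        if f"ip authentication mode eigrp {as_number} md5" not in body:
            problems.append("authentication mode not enabled")
        chains = [m.group(1) for l in body if (m := re.fullmatch(
            rf"ip authentication key-chain eigrp {as_number} (\S+)", l))]
        if not chains:
            problems.append("no key chain applied")
        elif chains[0] not in usable:
            problems.append(f"key chain {chains[0]} is undefined or has no key-string")
        findings[name] = problems
    return findings
```

In the sample, GigabitEthernet0/1 references EIGRP-KEY, a misspelling of the configured chain name, which is the kind of mismatch that leaves a neighbour relationship down after authentication is enabled.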