EIGRP Authentication, Passive-Interface, Summarization

Description

In this guide, we will configure authentication keys for our EIGRP neighbors to be used on a yearly basis. We will also configure the "passive-interface" command for any interfaces that do not need to participate in sending EIGRP Hello packets. We will also configure summarization for contiguous networks.

Configuration

1. First, we will configure authentication.

2. Second, we will configure our passive-interfaces

3. Lastly, we will configure summarization from R1 to R2/R3

First, let's configure our clock and our authentication keys. (typically, in a live network, we would use NTP for clock synchronization)

R1#clock set HH:MM:SS DAY MON YEAR # This command will statically set the clock for the router.

R1(config)#key chain [NAME] # This command will create the key chain and bring you into the "Key Chain" sub-configuration mode

R1(config-keychain)#key 1 This command creates an actual key to be used to authenticate. this is creating the PSK but is not the actual "Key" or "password" that will be used.

R1(config-keychain-key)#key-string [password] # This command will set the actual password to be used for authentication.

R1(config-keychain-key)#send-lifetime 00:00:00 1 Mar 2022 00:00:00 28 Feb 2023 # This command will set the length of time the key can be sent.

R1(config-keychain-key)#accept-lifetime 00:00:00 1 Mar 2022 00:00:00 28 Feb 2023 # This command will set the length of time a key can be accepted

The full configuration is below.

R1 Configuration

R2 Configuration

R3 Configuration

EIGRP Authentication Configuration

Now let's go into our EIGRP sub-configuration and apply our Key-chain

R1(config-router-af)#af-interface default # This command will allow you to configure all interfaces that are participating in EIGRP

R1(config-router-af-interface)#authentication mode md5 # This command will set the hash method for the Pre-shared key that will be sent in the EIGRP hello packet

R1(config-router-af-interface)#authentication key-chain {name} # This command will set the key-chain to be used on the EIGRP-enabled interface

Full configuration below

This configuration will be applied to all routers

Verification

R1#show key chain # This command will show all the valid key-chain and their lifetimes.

Hello packet with the authentication parameter

Passive Interface Configuration

The passive-interface configuration will turn off EIGRP messages being sent out to the configured interfaces. We will put every interface into "passive-interface," and then we will go into our individual interfaces that are needed for EIGRP neighbors and turn off the "passive-interface" command.

R1(config-router-af)#af-interface default # This command will allow you to configure all interfaces that are participating in EIGRP

R1(config-router-af-interface)#passive-interface # This command will turn off EIGRP messages for any interface

R1(config-router-af-interface)#no passive-interface # This command will turn off the passive-interface command and enable EIGRP messages to be sent out to the interface

Full configuration below

Verification

R1#show run | section router eigrp # This command will show us the running configuration for just our EIGRP configuration.

R1#show ip eigrp interfaces # This command will show us all the interfaces that are participating in EIGRP

Wireshark capture of the interface facing the LAN. Notice there are no EIGRP Hello Messages.

Summarization

For this step, we will first look at the EIGRP learned routes on R2.

We should see 3 172.16.X.X that can be summarized. Since they are contiguous, the routes can be summarized with a /22. We will need to do this configuration for both interfaces from R1-->R2 and R1-->R3.

Configuration

First, we will enter into our EIGRP named mode configuration.

R1(config-router-af)#af-interface eth0/0 # This command will enter the sub-configuration for a specific EIGRP-enabled interface

R1(config-router-af-interface)#summary-address 172.16.0.0/22 # This command will allow you to send a summarized route update for all the prefixes that fall within the range.

Full Configuration Below

Verification

Now let's run our show ip route command again and see what it looks like.

Now we can only see the /22 route that is being advertised to us. Let's take a look at the EIGRP update message via Wireshark.

Conclusion

After going through these steps, we have successfully accomplished implementing some security on our EIGRP-enabled links.

PreviousEIGRP Named Mode NextEIGRP Stub Routing, Leak-Maps

Last updated 3 years ago

hashtagDescription

hashtagConfiguration

hashtag1. First, we will configure authentication.

hashtag2. Second, we will configure our passive-interfaces

hashtag3. Lastly, we will configure summarization from R1 to R2/R3

hashtagFirst, let's configure our clock and our authentication keys. (typically, in a live network, we would use NTP for clock synchronization)

hashtagThe full configuration is below.

hashtagR1 Configuration

hashtagR2 Configuration

hashtagR3 Configuration

hashtagEIGRP Authentication Configuration

hashtagNow let's go into our EIGRP sub-configuration and apply our Key-chain

hashtagFull configuration below

hashtagThis configuration will be applied to all routers

hashtagVerification

hashtagHello packet with the authentication parameter

hashtagPassive Interface Configuration

hashtagFull configuration below

hashtagVerification

hashtagWireshark capture of the interface facing the LAN. Notice there are no EIGRP Hello Messages.

hashtagSummarization

hashtagFor this step, we will first look at the EIGRP learned routes on R2.

hashtagWe should see 3 172.16.X.X that can be summarized. Since they are contiguous, the routes can be summarized with a /22. We will need to do this configuration for both interfaces from R1-->R2 and R1-->R3.

hashtagConfiguration

hashtagFirst, we will enter into our EIGRP named mode configuration.

hashtagFull Configuration Below

hashtagVerification

hashtagNow let's run our show ip route command again and see what it looks like.

hashtagNow we can only see the /22 route that is being advertised to us. Let's take a look at the EIGRP update message via Wireshark.

hashtagConclusion

hashtagAfter going through these steps, we have successfully accomplished implementing some security on our EIGRP-enabled links.

Description

Configuration

1. First, we will configure authentication.

2. Second, we will configure our passive-interfaces

3. Lastly, we will configure summarization from R1 to R2/R3

First, let's configure our clock and our authentication keys. (typically, in a live network, we would use NTP for clock synchronization)

The full configuration is below.

R1 Configuration

R2 Configuration

R3 Configuration

EIGRP Authentication Configuration

Now let's go into our EIGRP sub-configuration and apply our Key-chain

Full configuration below

This configuration will be applied to all routers

Verification

Hello packet with the authentication parameter

Passive Interface Configuration

Full configuration below

Verification

Wireshark capture of the interface facing the LAN. Notice there are no EIGRP Hello Messages.

Summarization

For this step, we will first look at the EIGRP learned routes on R2.

We should see 3 172.16.X.X that can be summarized. Since they are contiguous, the routes can be summarized with a /22. We will need to do this configuration for both interfaces from R1-->R2 and R1-->R3.

Configuration

First, we will enter into our EIGRP named mode configuration.

Full Configuration Below

Verification

Now let's run our show ip route command again and see what it looks like.

Now we can only see the /22 route that is being advertised to us. Let's take a look at the EIGRP update message via Wireshark.

Conclusion

After going through these steps, we have successfully accomplished implementing some security on our EIGRP-enabled links.