3.1.1.1 Configure EIGRP Authentication on all EIGRP Routing Devices

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

You can configure authentication between EIGRP neighbors.

Rationale:

You can configure EIGRP authentication for the EIGRP process or for individual interfaces. Interface EIGRP authentication configuration overrides the EIGRP process-level authentication configuration.

Because EIGRP is a multicast protocol, any device can advertise EIGRP capabilities and routes, and by default all connected EIGRP devices will honor those advertisements. This means that a malicious actor can advertise bogus routes to valid hosts or networks, allowing the interception and modification of traffic intended for those hosts or subnets.

For this reason it is important that EIGRP endpoints authenticate to each other, ensuring that only valid routers can participate in the exchange of routes.

Solution

Ensure that you have enabled the EIGRP feature.
Ensure that all neighbors for an EIGRP process share the same authentication configuration, including the shared authentication key.
Create the key-chain for this authentication configuration. See the Cisco NX-OS Security Configuration Guide.
Ensure that you are in the correct VDC (or use the switchto vdc command).
Configure authentication:

switch(config)# router eigrp [instance-tag]
switch(config-router)# address-family {ipv4 | ipv6} unicast
switch(config-router-af)# authentication key-chain [key-chain]
switch(config-router-af)# authentication mode md5

Next, assign the interface:

switch(config)# interface [interface-type slot/port]
switch(config-if)# {ip | ipv6} router eigrp [instance-tag]
switch(config-if)# {ip | ipv6} authentication key-chain eigrp [instance-tag] [key-chain]
switch(config-if)# {ip | ipv6} authentication mode eigrp [instance-tag] md5

Every EIGRP routable interface should either be set to passive-interface or be configured with authentication keys.
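
One way to check a saved running-config against the rule above, as an added example that is not part of the benchmark or of Cisco's documentation. It assumes interface-level commands appear with an ip/ipv6 prefix (the unprefixed form shown on this page is also accepted) and that passive interfaces appear as "ip passive-interface eigrp [instance-tag]"; the sample configuration is constructed.

```python
import re

# Constructed sample in NX-OS running-config style (not from a real device).
SAMPLE = """\
interface Ethernet1/1
  ip router eigrp CORE
interface Ethernet1/2
  ip router eigrp EDGE
  ip authentication key-chain eigrp EDGE ROUTE-KEYS
  ip authentication mode eigrp EDGE md5
interface Ethernet1/3
  ip router eigrp EDGE
  ip passive-interface eigrp EDGE
interface Ethernet1/4
  ip router eigrp EDGE
  ip authentication key-chain eigrp EDGE ROUTE-KEYS
router eigrp CORE
  address-family ipv4 unicast
    authentication key-chain ROUTE-KEYS
    authentication mode md5
router eigrp EDGE
"""

def sections(config):
    """Group indented lines (any depth, flattened) under their unindented parent."""
    out = []
    for line in filter(str.strip, config.splitlines()):
        if line[0].isspace() and out:
            out[-1][1].append(line.strip())
        else:
            out.append((line.strip(), []))
    return out

def unauthenticated_eigrp_interfaces(config):
    """Return (interface, tag) pairs running EIGRP without passive or key-chain + md5."""
    secs, findings = sections(config), []
    has = lambda body, pat: any(re.fullmatch(pat, l) for l in body)
    # First pass: process-level settings per instance tag (router sections may come last).
    proc = {h.split()[2]: (has(b, r"authentication key-chain \S+"), has(b, "authentication mode md5"))
            for h, b in secs if re.fullmatch(r"router eigrp \S+", h)}
    for head, body in secs:
        tags = dict.fromkeys(m[1] for l in body if head.startswith("interface ")
                             and (m := re.fullmatch(r"(?:ip |ipv6 )?router eigrp (\S+)", l)))
        for tag in tags:
            t, (proc_key, proc_md5) = re.escape(tag), proc.get(tag, (False, False))
            passive = has(body, rf"ip(v6)? passive-interface eigrp {t}")
            # An interface-level setting overrides the process-level one.
            key = has(body, rf"(ip(v6)? )?authentication key-chain eigrp {t} \S+") or proc_key
            md5 = has(body, rf"(ip(v6)? )?authentication mode eigrp {t} md5") or proc_md5
            if not (passive or (key and md5)):
                findings.append((head.split(None, 1)[1], tag))
    return findings
```

On the sample, only Ethernet1/4 is reported: it has a key-chain but no md5 mode at either the interface or the process level. The check does not confirm that the referenced key-chain exists or that neighbors share the same key.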

Default Value:

EIGRP is not configured by default.

If configured, EIGRP authentication is not configured by default.

By default, if configured, EIGRP both advertises on and listens on all interfaces that fall into the subnets defined in the 'network' statements.

See Also

https://workbench.cisecurity.org/files/3102