How to configure EIGRP Authentication

(Rene Molenaar) #1

This topic is to discuss the following lesson:

(system) #2

Hello, thank you very much. You make CCNA look very easy. You talk me, thank you once again.

(system) #3

Awesome lessons, simple and clearly documented.

(Chandan K) #4

I really like the way you explain things… it's simple, clear and easy to understand.

(alok d) #5

What is an AS number? Thanks.

(Rene Molenaar) #6

AS stands for Autonomous System.

An AS is basically a network that falls under one administrative entity. On the Internet we use AS numbers and BGP for routing between autonomous systems. Within an AS, we typically use an IGP like OSPF or EIGRP.

Here’s a list with AS numbers that are used on the Internet:


(alok d) #7

I am familiar with Autonomous System, ASBR etc. It is made very clear in the OSPF chapters.

I got a bit confused with how EIGRP uses AS numbers, whereas OSPF prefers process and area no. etc.

So the AS number for EIGRP is not locally significant but it has to be the same on all routers within an AS?


(Rene Molenaar) #8

Hi AD,

That’s right. EIGRP uses an “AS” number which has to be the same on all routers that run EIGRP.

OSPF uses a process ID and has no concept of AS so it doesn’t matter what number you pick, it’s only used locally on the router.


(Victor R) #9

Hi Rene,

Can you talk about the other EIGRP authentication using SHA under EIGRP named mode?

Thank you


(Rene Molenaar) #10

Hi Victor,

Sure, I’ll add a configuration example for this in a few days. I’ll let you know once it’s done.


(Victor R) #11

Hi Rene,

Great, thank you.

(husam s) #12

Dear Rene,

I enabled the EIGRP auth without selecting the mode on both routers and it is working.
After I issue the mode command on one router it refuses.
That means it's by default using clear text auth, or different than MD5. Could you check that?

(Rene Molenaar) #13

Hi Husam,

If you don’t specify the mode then the router doesn’t use EIGRP authentication.


(Makara N) #14

Dear Rene,

In case we have many interfaces advertising prefixes, is it possible to process authentication globally without running authentication at each interface level?

If yes, can you please show how to configure it.



Makara Ngy

(Rene Molenaar) #15

Dear Makara,

It would be very useful but unfortunately EIGRP doesn’t support this. Authentication is always enabled on the interface level.


(shaun y) #16

Hi Rene, if I was troubleshooting a failed EIGRP neighbour, is there a show command to see if the key chains are configured OK, or do I just have to look at the debug output for this? Thanks, keep up the good work, as I'm almost ready to sit my CCNP ROUTE exam because of your easy to understand site.

(Rene Molenaar) #17

Hi Shaun,

There is a “show key chain” command but personally I never use it. The debug will help you to figure out there is an authentication problem. The quickest method to fix it is to check the key chain in the running-config and make sure you use the same keys on both routers. Also check the interface to see if EIGRP authentication has been enabled.

Good luck with the exam!
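
A config check for the troubleshooting steps in the replies above (no mode command means authentication is not in use; the keys must match on both routers), as an added example that is not part of the original posts. The sample configs, key chain names, AS number 12 and key values are constructed; `ip authentication key-chain eigrp` is the standard IOS interface command that pairs with the mode command quoted in this thread.

```python
import re
# Constructed sample configs (not from the thread): names, AS 12 and keys are assumptions.
R1 = """\
key chain KC_R1
 key 1
  key-string S3cret
interface FastEthernet0/0
 ip authentication mode eigrp 12 md5
 ip authentication key-chain eigrp 12 KC_R1
"""
R2 = """\
key chain KC_R2
 key 1
  key-string S3cret
interface FastEthernet0/0
 ip authentication key-chain eigrp 12 KC_R2
"""

def parse(cfg):
    """Return (key_chains, interfaces) parsed from a running-config snippet."""
    chains, intfs, chain, key, intf = {}, {}, None, None, None
    for line in cfg.splitlines():
        s = line.strip()
        if not line.startswith(" "): chain = key = intf = None  # new top-level block
        if m := re.fullmatch(r"key chain (\S+)", s):
            chain = chains.setdefault(m[1], {})
        elif chain is not None and (m := re.fullmatch(r"key (\d+)", s)):
            key = int(m[1])
        elif chain is not None and key is not None and (m := re.fullmatch(r"key-string (.+)", s)):
            chain[key] = m[1]
        elif m := re.fullmatch(r"interface (\S+)", s):
            intf = intfs.setdefault(m[1], {"mode": False, "chain": None})
        elif intf is not None and re.fullmatch(r"ip authentication mode eigrp \d+ md5", s):
            intf["mode"] = True
        elif intf is not None and (m := re.fullmatch(r"ip authentication key-chain eigrp \d+ (\S+)", s)):
            intf["chain"] = m[1]
    return chains, intfs

def audit(cfg_a, cfg_b, ifname):
    """List reasons the EIGRP adjacency on ifname is unauthenticated or would fail."""
    findings, keys = [], []
    for name, cfg in (("A", cfg_a), ("B", cfg_b)):
        chains, intfs = parse(cfg)
        i = intfs.get(ifname, {"mode": False, "chain": None})
        if not i["mode"]:
            findings.append(f"{name}: no authentication mode, EIGRP authentication is not in use")
        keys.append(chains.get(i["chain"], {}))  # chain name is local; only IDs/strings are compared
    if keys[0] != keys[1]:
        findings.append("key IDs/key-strings differ between routers")
    return findings
```

`audit(R1, R2, "FastEthernet0/0")` flags router B, which has a key chain attached but no mode command.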


(Dan Y) #18


Is there any way to hide or restrict users from viewing the KEY (other than by assigning views or privilege levels)?



(Lazaros Agapides) #19

Hello Dan

The service password-encryption command will do what you need. According to Cisco:

> The actual encryption process occurs when the current configuration is written or when a password is configured. Password encryption is applied to all passwords, including authentication key passwords, the privileged command password, console and virtual terminal line access passwords, and BGP neighbor passwords. The service password-encryption command is primarily useful for keeping unauthorized individuals from viewing your password in your configuration file.

_(emphasis mine)_

I hope this has been helpful!


(Hussein Samir) #20

Hi again Rene,

Why did Cisco decide to use this “ip authentication mode eigrp AS_NUM md5” command for enabling EIGRP authentication instead of using “ip eigrp AS_NUM authentication mode md5”?

In other words, what is the wisdom of using the “ip authentication mode eigrp AS_NUM md5” command instead of the “ip authentication eigrp AS_NUM mode md5” command, which seems clearer?