Preventing unwanted EIGRP neighbors!

There are two ways to prevent unwanted EIGRP neighbors, one is using passive interface command and other is enabling EIGRP authentication method. However, there may be some other ways also, which I don’t at the moment!! But if the EIGRP k values are not same on the routers than neighbor ship is not possible as well.

1. (The passive interface command)

With EIGRP the passive interface command will neither send or nor receive any route updates. The door is absolute closed!!

When we configure EIGRP routing protocol on the interfaces with the network command, the network command does two things:

  1. Attempt to find potential neighbors by sending Hello to the multicast address
  2. Advertises about the knows subnet connected to that interface

Hence, we enable passive interface on the interfaces where no legitimate EIGRP neighbors exist or from security point of view. This stops not only routing updates from being advertised, but it also suppresses incoming routing updates. Otherwise, with most routing protocols, the passive-interface command restricts outgoing.


|R1(config)#router eigrp 1

|R1(config-router)#passive-interface s0/1


When the passive-interface command is used in EIGRP, the router cannot form neighbor adjacencies on the interface, or send or receive routing updates. But, if you want the outgoing routing updates alone be suppressed but the inbound updates continue to be received (and the routers still continue to be neighbors), then use the distribute-list command:


|R1(config)#access-list 20 deny any

|R1(config)#router eigrp 1

|R1(config-router)#no passive-interface serial 0/1

|R1(config-router)#distribute-list 20 out serial 0/1


2. EIGRP authentication method

EIGRP authentication causes routers to authenticate every EIGRP messages. The mechanism is:

  • EIGRP routers should use the same PSK (per shared key), generating an MD5 digest for each EIGRP message based on that PSK
  • If a router configured for EIGRP authentication receives an EIGRP message and the message’s MD5 digest doesn’t pass the authentication checking based on the local copy of the key, the router discards the message
  • As a result, when authentication fails two routers cannot become neighbors.

 EIGRP authentication configuration steps:

1. Key Chain:- Create key chain and give it a name. The name do not have to match on the neighboring routers.

R1(config)#key chain name

2. Key number:- Create one or more key numbers, the numbers do not have to match on the neighboring routers.

R1(config)#key  number

3. Key-String:- Define authentication key’s value. The key-string must match on all neighboring routers. Key-string is like a password!

R1(config)#key-sting  sting

4. Enable EIGRP MD5 authentication on an interface, for a particular AS number.

|R1(config)# int s0/0

|R1(config-if)# ip authentication mode eigrp 1 md5

|R1(config-if)# ip authentication key-chain eigrp 1 chain_name