Configuring EIGRP on Cisco IOS XE is straightforward once you understand the two configuration modes (classic and named) and a few production patterns that should be standard. This article walks through the minimum viable config, the differences between classic and named mode, the network statement, passive interfaces, summarization, authentication, and the verification commands that close the loop.
If you are configuring EIGRP for the first time, migrating from classic to named mode, or auditing an inherited configuration for production hygiene, this is the operator's walkthrough.
Classic Mode: The Legacy Pattern
Classic-mode EIGRP is what you see in most existing Cisco deployments. It is what the CCNA exam tests on and what older documentation assumes:
R1(config)# router eigrp 100
R1(config-router)# network 10.0.0.0 0.0.255.255
R1(config-router)# network 192.168.1.0 0.0.0.255
R1(config-router)# passive-interface default
R1(config-router)# no passive-interface GigabitEthernet0/0/0
R1(config-router)# no passive-interface GigabitEthernet0/0/1
R1(config-router)# no auto-summary
R1(config-router)# eigrp router-id 1.1.1.1Three things to notice:
- AS number (100) is locally significant in EIGRP. All neighbors must use the same AS number to form adjacency, but you choose any number 1-65535.
- Wildcard mask in
networkis inverted from a regular subnet mask.0.0.255.255matches/16;0.0.0.255matches/24;0.0.0.0matches a single address. passive-interface defaultfollowed by selectiveno passive-interfaceis the safe pattern - prevents accidentally forming EIGRP adjacencies on user-facing interfaces.
Named Mode: The Modern Pattern
IOS 15.x introduced named-mode EIGRP. It cleanly separates IPv4 and IPv6 address families, supports multi-AS deployments, and is what new Cisco labs and exams expect:
R1(config)# router eigrp PROD
R1(config-router)# address-family ipv4 unicast autonomous-system 100
R1(config-router-af)# network 10.0.0.0 0.0.255.255
R1(config-router-af)# af-interface default
R1(config-router-af-interface)# passive-interface
R1(config-router-af-interface)# exit-af-interface
R1(config-router-af)# af-interface GigabitEthernet0/0/0
R1(config-router-af-interface)# no passive-interface
R1(config-router-af-interface)# exit-af-interface
R1(config-router-af)# topology base
R1(config-router-af-topology)# eigrp router-id 1.1.1.1
R1(config-router-af-topology)# exit-af-topology
R1(config-router-af)# exit-address-familyNamed mode advantages:
- Multiple AS numbers per router (one per address-family)
- IPv4 and IPv6 in the same router config
- Per-interface configuration via
af-interfacesub-mode (cleaner than scatteredpassive-interfacecommands) - Topology-base abstraction for future multi-topology support
Named mode is operationally heavier (more config) but scales better. New deployments should use named mode; existing classic-mode configs can stay as is or be migrated.
The Network Statement
The network statement does two things in EIGRP (and in most IGPs):
- Activates EIGRP on matching interfaces - the router will send and receive EIGRP packets on those interfaces.
- Originates connected networks into EIGRP - the matching interface's IP is advertised as a route.
The wildcard mask matches the interface IP, not the subnet:
! Match an entire /16
network 10.0.0.0 0.0.255.255
! Match a specific /24
network 192.168.10.0 0.0.0.255
! Match a single interface (most precise)
network 10.0.12.1 0.0.0.0The single-interface form is most precise but requires updating the EIGRP config every time a new interface is added. Most production deployments use broader masks and rely on passive-interface default for safety.
passive-interface: The Safety Net
Without passive-interface, any interface matching the network statement starts sending EIGRP Hellos. If that interface connects to user devices or the public internet, EIGRP packets leak where they should not.
The pattern:
router eigrp 100
passive-interface default
no passive-interface GigabitEthernet0/0/0 ! WAN to other routers
no passive-interface GigabitEthernet0/0/1 ! Internal to other routersDefault-passive plus selective active is the safe pattern. Forgetting passive-interface default is the most common production EIGRP mistake.
For named mode:
router eigrp PROD
address-family ipv4 unicast autonomous-system 100
af-interface default
passive-interface
exit-af-interface
af-interface GigabitEthernet0/0/0
no passive-interface
exit-af-interfaceRouter ID
EIGRP's router ID identifies the router uniquely in DUAL queries and is used for tiebreaking. Set it explicitly:
router eigrp 100
eigrp router-id 1.1.1.1Without explicit configuration, EIGRP picks the highest IP on a loopback (or highest physical interface IP if no loopback). That works but is unpredictable - a new loopback can change the router ID and reset adjacencies. Always set explicitly to a stable address (typically Loopback0).
Manual Summarization
EIGRP supports per-interface summary advertising. The summary's metric defaults to the lowest metric among the summarized routes:
! Classic mode
interface GigabitEthernet0/0/0
ip summary-address eigrp 100 10.0.0.0 255.255.0.0
! Named mode
router eigrp PROD
address-family ipv4 unicast autonomous-system 100
af-interface GigabitEthernet0/0/0
summary-address 10.0.0.0 255.255.0.0Useful for:
- Reducing routing table size at administrative boundaries
- Implementing stub-area-style behavior at distribution layer
- Creating black-hole-free summarization (Cisco automatically installs a Null0 route to the summary so transit traffic for unmatched specifics is dropped, not forwarded)
Always no auto-summary first; manual summarization gives you control over what is summarized where.
Authentication
MD5 authentication for EIGRP uses key chains:
! Define a key chain
key chain EIGRP-KEYS
key 1
key-string Cisco123!
cryptographic-algorithm hmac-sha-256
! Apply to interface (classic mode)
interface GigabitEthernet0/0/0
ip authentication mode eigrp 100 hmac-sha-256
ip authentication key-chain eigrp 100 EIGRP-KEYS
! Named mode
router eigrp PROD
address-family ipv4 unicast autonomous-system 100
af-interface GigabitEthernet0/0/0
authentication mode hmac-sha-256
authentication key-chain EIGRP-KEYSModern recommendation: HMAC-SHA-256 over the older HMAC-MD5. Both ends of every authenticated adjacency must have the same key. Use key chains with multiple keys for non-disruptive rotation.
Stub Routing
For hub-and-spoke deployments, configure spokes as stubs to limit query propagation:
! On a spoke router (classic mode)
router eigrp 100
eigrp stub connected summary
! Named mode
router eigrp PROD
address-family ipv4 unicast autonomous-system 100
eigrp stub connected summaryStub options:
| Option | Spoke advertises |
|---|---|
connected | Directly connected networks |
summary | Summary routes (manual or auto-summarization) |
static | Static routes redistributed into EIGRP |
redistributed | Routes redistributed from other protocols |
receive-only | Nothing - spoke listens but does not advertise |
Most production hub-and-spoke designs use connected summary. See EIGRP Stub Routing.
Verification
! Neighbors
Router# show ip eigrp neighbors
! Topology table (DUAL state)
Router# show ip eigrp topology
! Routing table (best paths only)
Router# show ip route eigrp
! Per-interface EIGRP state
Router# show ip eigrp interfaces
! Per-AS protocol info
Router# show ip protocols
! Detailed for one prefix
Router# show ip eigrp topology 10.10.10.0/24For named mode replace with show eigrp address-family ipv4 ... equivalents. Most show commands accept both classic and named-mode syntax.
A Production Configuration Example
! Named mode for new deployments
router eigrp PROD
address-family ipv4 unicast autonomous-system 100
network 10.0.0.0 0.0.255.255
af-interface default
passive-interface
authentication mode hmac-sha-256
authentication key-chain EIGRP-KEYS
exit-af-interface
af-interface GigabitEthernet0/0/0
no passive-interface
summary-address 10.0.0.0 255.255.0.0
exit-af-interface
af-interface GigabitEthernet0/0/1
no passive-interface
exit-af-interface
topology base
eigrp router-id 1.1.1.1
maximum-paths 4
exit-af-topology
exit-address-family
key chain EIGRP-KEYS
key 1
key-string SecurePassword!
cryptographic-algorithm hmac-sha-256This config: passive-interface default with explicit no-passive on the two router-facing interfaces, summarization at the WAN boundary, HMAC-SHA-256 authentication via key chain, explicit router-id, and ECMP up to 4 paths.
Anti-Patterns
- No
passive-interface default. EIGRP packets leak to wherever your network statement matches. - Auto-summary enabled. Default in legacy IOS; breaks VLSM. Always
no auto-summary. - Different K values across AS. Neighbor relationships fail. Never change K values.
- Implicit router ID. Adding a loopback later can change the router ID and reset all adjacencies.
- Mixing classic and named mode in the same AS. Supported but confusing. Standardize on one.
- Passwords in plaintext in key chains. Use
service password-encryptionat minimum; consider type-7 key chains.
Summary
EIGRP configuration on modern Cisco IOS XE is one of two modes (classic or named), the right pattern is passive-interface default plus selective no-passive, mandatory no auto-summary, explicit router-id, manual summarization at boundaries, and HMAC-SHA-256 authentication on every adjacency.
The full pattern fits in one screen of configuration. Master it, run it through a lab, and you have the production template you need. Bookmark this article alongside the EIGRP cluster pillar and the DUAL deep-dive.