I have R1, R2, and R3, and I want to configure EIGRP with MD5 authentication with rotating keys based on time. Additionally, I want to redistribute RIP into EIGRP. I want to follow up the redistribution by summarizing a default route from R1, and then leak a single network along with the default route.
(All interfaces have already been assigned)
I'll start by configuring RIPv2 on R1
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config-if)#router rip
R1(config-router)#version 2
R1(config-router)#no auto-summary
R1(config-router)#net 10.10.1.1
R1(config-router)#net 10.11.1.1
R1(config-router)#do show ip protocols
Routing Protocol is "rip"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Sending updates every 30 seconds, next due in 0 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Redistributing: rip
Default version control: send version 2, receive version 2
Interface Send Recv Triggered RIP Key-chain
FastEthernet0/0 2 2
Loopback10 2 2
Loopback11 2 2
Automatic network summarization is not in effect
Maximum path: 4
Routing for Networks:
10.0.0.0
Routing Information Sources:
Gateway Distance Last Update
Distance: (default is 120)
Next, I'll configure EIGRP with autonomous system 1
R1(config)#router eigrp 1
R1(config-router)#network 10.1.12.1 0.0.0.0
R1(config-router)#no auto-summary
R1(config-router)#do show ip protocols
<...RIPv2 output supressed>
Routing Protocol is "eigrp 1"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Default networks flagged in outgoing updates
Default networks accepted from incoming updates
EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
EIGRP maximum hopcount 100
EIGRP maximum metric variance 1
Redistributing: eigrp 1
EIGRP NSF-aware route hold timer is 240s
Automatic network summarization is in effect
Maximum path: 4
Routing for Networks:
10.1.12.1/32
Routing Information Sources:
Gateway Distance Last Update
Distance: internal 90 external 170
I'll configure EIGRP 1 for R2 and R3.
R2(config)#router eigrp 1
R2(config-router)#network 10.1.12.2 0.0.0.0
R2(config-router)#network
*Mar 1 00:39:46.683: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.12.1 (FastEthernet0/0) is up: new adjacency
R2(config-router)#network 10.1.23.2 0.0.0.0
R2(config-router)#do show ip protocols
Routing Protocol is "eigrp 1"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Default networks flagged in outgoing updates
Default networks accepted from incoming updates
EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
EIGRP maximum hopcount 100
EIGRP maximum metric variance 1
Redistributing: eigrp 1
EIGRP NSF-aware route hold timer is 240s
Automatic network summarization is in effect
Maximum path: 4
Routing for Networks:
10.1.12.2/32
10.1.23.2/32
Routing Information Sources:
Gateway Distance Last Update
Distance: internal 90 external 170
R3(config)#router eigrp 1
R3(config-router)#network 10.1.23.3 0.0.0.0
R3(config-router)#
*Mar 1 00:40:44.511: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.23.2 (FastEthernet0/0) is up: new adjacency
R3(config-router)#do show ip protocols
Routing Protocol is "eigrp 1"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Default networks flagged in outgoing updates
Default networks accepted from incoming updates
EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
EIGRP maximum hopcount 100
EIGRP maximum metric variance 1
Redistributing: eigrp 1
EIGRP NSF-aware route hold timer is 240s
Automatic network summarization is in effect
Maximum path: 4
Routing for Networks:
10.1.23.3/32
Routing Information Sources:
Gateway Distance Last Update
10.1.23.2 90 00:00:06
Distance: internal 90 external 170
Now, I'll look at the routing tables of each device.
R1#show ip route | exclude -
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 4 subnets
C 10.11.1.0 is directly connected, Loopback11
C 10.10.1.0 is directly connected, Loopback10
C 10.1.12.0 is directly connected, FastEthernet0/0
D 10.1.23.0 [90/307200] via 10.1.12.2, 00:02:22, FastEthernet0/0
R2#sh ip route | exclude -
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 2 subnets
C 10.1.12.0 is directly connected, FastEthernet0/0
C 10.1.23.0 is directly connected, FastEthernet0/1
R2#
R3#show ip route | exclude -
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 2 subnets
D 10.1.12.0 [90/307200] via 10.1.23.2, 00:02:24, FastEthernet0/0
C 10.1.23.0 is directly connected, FastEthernet0/0
R3#
I notice that R2 and R3 neither have access to the loopback networks of R1. I also notice that there is no Gateway of last resort set for any router.
Next, I'll look at the routing information base of each device
R1#show ip rip database
10.0.0.0/8 auto-summary
10.1.12.0/24 directly connected, FastEthernet0/0
10.10.1.0/24 directly connected, Loopback10
10.11.1.0/24 directly connected, Loopback11
R1#show ip eigrp topology | exclude -
P 10.1.12.0/24, 1 successors, FD is 281600
via Connected, FastEthernet0/0
P 10.1.23.0/24, 1 successors, FD is 307200
via 10.1.12.2 (307200/281600), FastEthernet0/0
R2#show ip eigrp topology | exclude -
P 10.1.12.0/24, 1 successors, FD is 281600
via Connected, FastEthernet0/0
P 10.1.23.0/24, 1 successors, FD is 281600
via Connected, FastEthernet0/1
R3#show ip eigrp topology | exclude -
P 10.1.12.0/24, 1 successors, FD is 307200
via 10.1.23.2 (307200/281600), FastEthernet0/0
P 10.1.23.0/24, 1 successors, FD is 281600
via Connected, FastEthernet0/0
R3#
Now I'll verify EIGRP neighbors; Ensuring that the queue count is zero. If this value was not zero, I would need to troubleshoot the cause of an increasing queue count.
R1#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 10.1.12.2 Fa0/0 13 07:35:11 31 5000 0 4
R2#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 10.1.23.3 Fa0/1 14 07:34:22 56 336 0 4
0 10.1.12.1 Fa0/0 12 07:35:19 1027 5000 0 3
R3#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 10.1.23.2 Fa0/0 11 07:34:33 61 366 0 7
Something I've seen asked several times is; what does the H value mean? From Cisco's 12.4T EIGRP command reference
Now that the EIGRP neighbor relationship, topology and routing tables are displaying expected results, I want to configure MD5 authentication for EIGRP. Since I will be doing key rotation based on time, I will configure R2 as the NTP master with a stratum of 1, and point R1 and R3 there for time.
R2#show clock
08:25:26.269 UTC Fri Mar 1 2002
R2#clock set 00:40:00 17 Jan 2012
R2#
.Jan 17 00:40:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 08:27:01 UTC Fri Mar 1 2002 to 00:40:00 UTC Tue Jan 17 2012, configured from console by console.
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#ntp master 1
R2(config)#do sh ntp associations
address ref clock st when poll reach delay offset disp
*~127.127.7.1 .LOCL. 1 9 64 377 0.0 0.00 0.0
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
R2(config)#
R1#sh clock
*08:26:22.657 UTC Fri Mar 1 2002
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ntp server 10.1.12.2
R1(config)#do show ntp associations
address ref clock st when poll reach delay offset disp
*~10.1.12.2 .LOCL. 1 0 64 77 23.9 10.05 10.5
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
R1(config)#do sh clock
00:46:45.522 UTC Tue Jan 17 2012
R3#show clock
*08:34:33.645 UTC Fri Mar 1 2002
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#ntp server 10.1.23.2
R3(config)#do show ntp associations
address ref clock st when poll reach delay offset disp
*~10.1.23.2 .LOCL. 1 0 64 7 11.9 -15.88 3878.0
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
R3(config)#do sh clock
00:48:26.877 UTC Tue Jan 17 2012
R3(config)#
Now with time syncronized across the devices, I'll create a key chain two keys on each device. The first key will remain valid for use for the next 12 hours. At that point, the new key will become vaild, and will remain as such. Note that a space in a key string is a valid character.
R1(config)#key chain EIGRP-NOW
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string CISCO-NOW
R1(config-keychain-key)#send-lifetime 00:40:00 17 Jan 2012 12:40:00 17 Jan 2012
R1(config-keychain-key)#accept-lifetime 00:40:00 17 Jan 2012 12:40:00 17 Jan 2012
R1(config-keychain-key)#key 2
R1(config-keychain-key)#key-string CISCO-LATER
R1(config-keychain-key)#send-lifetime 12:40:00 17 Jan 2012 infinite
R1(config-keychain-key)#accept-lifetime 12:40:00 17 Jan 2012 infinite
R2(config)#key chain KC_EIGRP_1
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string CISCO-NOW
R2(config-keychain-key)#accept-lifetime 00:40:00 Jan 17 2012 12:40:00 Jan 17 2012
R2(config-keychain-key)#send-lifetime 00:40:00 Jan 17 2012 12:40:00 Jan 17 2012
R2(config-keychain-key)#key 2
R2(config-keychain-key)#key-string CISCO-LATER
R2(config-keychain-key)#accept-lifetime 12:40:00 Jan 17 2012 infinite
R2(config-keychain-key)#send-lifetime 12:40:00 Jan 17 2012 infinite
R3(config)#key chain KC_EIGRP_1
R3(config-keychain)#key 1
R3(config-keychain-key)#key-string CISCO-NOW
R3(config-keychain-key)#accept-lifetime 00:40:00 Jan 17 2012 12:40:00 Jan 17 2012
R3(config-keychain-key)#send-lifetime 00:40:00 Jan 17 2012 12:40:00 Jan 17 2012
R3(config-keychain-key)#key 2
R3(config-keychain-key)#key-string CISCO-LATER
R3(config-keychain-key)#accept-lifetime 12:40:00 Jan 17 2012 infinite
R3(config-keychain-key)#send-lifetime 12:40:00 Jan 17 2012 infinite
Verify the key chain
R1#show key chain
Key-chain KC_EIGRP_1:
key 1 -- text "CISCO-NOW"
accept lifetime (00:40:00 UTC Jan 17 2012) - (12:40:00 UTC Jan 17 2012) [valid now]
send lifetime (00:40:00 UTC Jan 17 2012) - (12:40:00 UTC Jan 17 2012) [valid now]
key 2 -- text "CISCO-LATER"
accept lifetime (12:40:00 UTC Jan 17 2012) - (infinite)
send lifetime (12:40:00 UTC Jan 17 2012) - (infinite)
With the keys configured on each device, I will configure the interfaces for EIGRP authentication.
R1(config)#interface fa0/0
R1(config-if)#ip authentication key-chain eigrp 1 KC_EIGRP_1
R1(config-if)#ip authentication mode eigrp 1 md5
R1(config-if)#
Jan 17 01:11:53.746: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.12.2 (FastEthernet0/0) is down: keychain changed
Jan 17 01:11:53.982: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.12.2 (FastEthernet0/0) is up: new adjacency
Jan 17 01:11:54.418: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.12.2 (FastEthernet0/0) is down: authentication mode changed
R2(config)#interface fa0/0
R2(config-if)#ip authentication key-chain eigrp 1 KC_EIGRP_1
R2(config-if)#ip authentication mode eigrp 1 md5
R2(config-if)#
Jan 17 01:13:07.463: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.12.1 (FastEthernet0/0) is up: new adjacency
R2(config-if)#interface fa0/1
R2(config-if)#ip authentication key-chain eigrp 1 KC_EIGRP_1
R2(config-if)#ip authentication mode eigrp 1 md5
R2(config-if)#
Jan 17 01:13:37.947: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.23.3 (FastEthernet0/1) is down: keychain changed
R3(config)#interface fa0/0
R3(config-if)#ip authentication key-chain eigrp 1 KC_EIGRP_1
R3(config-if)#ip authentication mode eigrp 1 md5
R3(config-if)#
Jan 17 01:14:20.018: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.23.2 (FastEthernet0/0) is up: new adjacency
I'll verify that EIGRP authentication is working properly with Key 1. I will check later to verify that the key change occurs at the correct time.
R1#debug eigrp packets hello
EIGRP Packets debugging is on
(HELLO)
R1#
Jan 17 01:23:19.207: EIGRP: received packet with MD5 authentication, key id = 1
Jan 17 01:23:19.207: EIGRP: Received HELLO on FastEthernet0/0 nbr 10.1.12.2
Jan 17 01:23:19.207: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
R2#debug eigrp packets hello
EIGRP Packets debugging is on
(HELLO)
R2#
Jan 17 01:24:46.795: EIGRP: received packet with MD5 authentication, key id = 1
Jan 17 01:24:46.795: EIGRP: Received HELLO on FastEthernet0/1 nbr 10.1.23.3
Jan 17 01:24:46.795: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
Jan 17 01:24:48.975: EIGRP: received packet with MD5 authentication, key id = 1
Jan 17 01:24:48.975: EIGRP: Received HELLO on FastEthernet0/0 nbr 10.1.12.1
Jan 17 01:24:48.979: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
R3#debug eigrp packet hello
EIGRP Packets debugging is on
(HELLO)
R3#
Jan 17 03:36:41.447: EIGRP: received packet with MD5 authentication, key id = 1
Jan 17 03:36:41.451: EIGRP: Received HELLO on FastEthernet0/0 nbr 10.1.23.2
Jan 17 03:36:41.451: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
Now I'll redistribute the RIP routes into EIGRP and verify visibility of the RIP networks on R3
R1(config)#router eigrp 1
R1(config-router)#redistribute rip metric 10000 1 255 1 1500
R3#sh ip route | ex -
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 4 subnets
D EX 10.11.1.0 [170/307456] via 10.1.23.2, 00:01:05, FastEthernet0/0
D EX 10.10.1.0 [170/307456] via 10.1.23.2, 00:01:05, FastEthernet0/0
D 10.1.12.0 [90/307200] via 10.1.23.2, 03:09:18, FastEthernet0/0
C 10.1.23.0 is directly connected, FastEthernet0/0
Now I'll summarize a default route from R1 to R2's interface and view the results on R3
R1(config)#interface fa0/0
R1(config-if)#ip summary-address eigrp 1 0.0.0.0 0.0.0.0
R1(config-if)#
Jan 17 03:52:10.316: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.12.2 (FastEthernet0/0) is resync: summary configured
R3#sh ip route | ex -
Gateway of last resort is 10.1.23.2 to network 0.0.0.0
10.0.0.0/24 is subnetted, 2 subnets
D 10.1.12.0 [90/307200] via 10.1.23.2, 03:11:34, FastEthernet0/0
C 10.1.23.0 is directly connected, FastEthernet0/0
D* 0.0.0.0/0 [90/307456] via 10.1.23.2, 00:00:49, FastEthernet0/0
R3#ping 10.10.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/48/60 ms
R3#ping 10.11.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.11.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/41/60 ms
I see that the gateway of last resort is now set, and I still have reachability to the loopback networks on R1. Although I don't need the loopback networks in R3s routing table for reachability, I still want to meet my requirement of leaking a single network through with the default route with a leak-map
R1(config)#ip prefix-list LM_LEAK permit 10.10.1.0/24
R1(config)#route-map RM_LEAK permit 10
R1(config-route-map)#match ip address prefix LM_LEAK
R1(config-route-map)#exit
R1(config)#interface fa0/0
R1(config-if)#ip summary-address eigrp 1 0.0.0.0 0.0.0.0 leak-map RM_LEAK
R1(config-if)#
Jan 17 03:59:20.693: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.12.2 (FastEthernet0/0) is resync: summary configured
Now on R3, I should see the 10.10.1.0/24 network leaked from the summary route.
R3#show ip route | ex -
Gateway of last resort is 10.1.23.2 to network 0.0.0.0
10.0.0.0/24 is subnetted, 3 subnets
D EX 10.10.1.0 [170/307456] via 10.1.23.2, 00:00:57, FastEthernet0/0
D 10.1.12.0 [90/307200] via 10.1.23.2, 03:18:52, FastEthernet0/0
C 10.1.23.0 is directly connected, FastEthernet0/0
D* 0.0.0.0/0 [90/307456] via 10.1.23.2, 00:00:57, FastEthernet0/0
At this point, I'll set the NTP master clock to 11:40, and see what happens after lunch!
R2#show key chain
Key-chain KC_EIGRP_1:
key 1 -- text "CISCO-NOW"
accept lifetime (00:40:00 UTC Jan 17 2012) - (12:40:00 UTC Jan 17 2012)
send lifetime (00:40:00 UTC Jan 17 2012) - (12:40:00 UTC Jan 17 2012)
key 2 -- text "CISCO-LATER"
accept lifetime (12:40:00 UTC Jan 17 2012) - (infinite) [valid now]
send lifetime (12:40:00 UTC Jan 17 2012) - (infinite) [valid now]
R2#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 10.1.23.3 Fa0/1 14 10:06:05 77 462 0 20
0 10.1.12.1 Fa0/0 11 10:06:08 68 408 0 44
R2#
Looks as expected.
The key-chain KC_EIGRP_1 was not configured on R1 even though you seem to successfully invoke it under the interface? I am sure i am missing something, can you clarify please?
ReplyDeleteThe 192.168.10.1 TP-Link Archer C2300 is the best spending Wi-Fi router, on account of its amazing presentation and broad list of capabilities, just as its incredibly moderate cost. For an even more affordable alternative, the TP-Link Archer A7 offers strong execution and range without holding back on highlights, for example, parental controls.
ReplyDeleteTo ensure an entire house brimming with associated gadgets, the best security-centered 10.0.0.0.1 router is the Netgear Nighthawk AC2300 (RS400), which accompanies three years of simple to-oversee assurance from Bitdefender Total Security programming.
The TP-Link Archer C5400X is our preferred 192.168.1.1 gaming router. This tri-band 802.11AC router conveys extraordinary Wi-Fi speed and inclusion, alongside gamer-arranged improvement and security highlights.
Also, if customization is all the more intriguing to you, the best router around for power clients is the Linksys EA8300 Max Stream, which lets you change your router for ideal execution with devices for distributing bandwidth, mechanizing highlights, setting up parental controls and that's just the beginning.