Tuesday, January 17, 2012

EIGRP - Authentication and Summarization with Leak-Maps


I have R1, R2, and R3, and I want to configure EIGRP with MD5 authentication with rotating keys based on time. Additionally, I want to redistribute RIP into EIGRP. I want to follow up the redistribution by summarizing a default route from R1, and then leak a single network along with the default route.


(All interfaces have already been assigned)


I'll start by configuring RIPv2 on R1

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config-if)#router rip    
R1(config-router)#version 2
R1(config-router)#no auto-summary
R1(config-router)#net 10.10.1.1
R1(config-router)#net 10.11.1.1
R1(config-router)#do show ip protocols
Routing Protocol is "rip"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Sending updates every 30 seconds, next due in 0 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Redistributing: rip
  Default version control: send version 2, receive version 2
    Interface             Send  Recv  Triggered RIP  Key-chain
    FastEthernet0/0       2     2                                  
    Loopback10            2     2                                  
    Loopback11            2     2                                  
  Automatic network summarization is not in effect
  Maximum path: 4
  Routing for Networks:
    10.0.0.0
  Routing Information Sources:
    Gateway         Distance      Last Update
  Distance: (default is 120)

Next, I'll configure EIGRP with autonomous system 1

R1(config)#router eigrp 1
R1(config-router)#network 10.1.12.1 0.0.0.0
R1(config-router)#no auto-summary
R1(config-router)#do show ip protocols
<...RIPv2 output supressed>
Routing Protocol is "eigrp 1"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Default networks flagged in outgoing updates
  Default networks accepted from incoming updates
  EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  EIGRP maximum hopcount 100
  EIGRP maximum metric variance 1
  Redistributing: eigrp 1
  EIGRP NSF-aware route hold timer is 240s
  Automatic network summarization is in effect
  Maximum path: 4
  Routing for Networks:
    10.1.12.1/32
  Routing Information Sources:
    Gateway         Distance      Last Update
  Distance: internal 90 external 170

I'll configure EIGRP 1 for R2 and R3.

R2(config)#router eigrp 1
R2(config-router)#network 10.1.12.2 0.0.0.0
R2(config-router)#network
*Mar  1 00:39:46.683: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.12.1 (FastEthernet0/0) is up: new adjacency
R2(config-router)#network 10.1.23.2 0.0.0.0
R2(config-router)#do show ip protocols
Routing Protocol is "eigrp 1"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Default networks flagged in outgoing updates
  Default networks accepted from incoming updates
  EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  EIGRP maximum hopcount 100
  EIGRP maximum metric variance 1
  Redistributing: eigrp 1
  EIGRP NSF-aware route hold timer is 240s
  Automatic network summarization is in effect
  Maximum path: 4
  Routing for Networks:
    10.1.12.2/32
    10.1.23.2/32
  Routing Information Sources:
    Gateway         Distance      Last Update
  Distance: internal 90 external 170


R3(config)#router eigrp 1
R3(config-router)#network 10.1.23.3 0.0.0.0
R3(config-router)#
*Mar  1 00:40:44.511: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.23.2 (FastEthernet0/0) is up: new adjacency
R3(config-router)#do show ip protocols
Routing Protocol is "eigrp 1"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Default networks flagged in outgoing updates
  Default networks accepted from incoming updates
  EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  EIGRP maximum hopcount 100
  EIGRP maximum metric variance 1
  Redistributing: eigrp 1
  EIGRP NSF-aware route hold timer is 240s
  Automatic network summarization is in effect
  Maximum path: 4
  Routing for Networks:
    10.1.23.3/32
  Routing Information Sources:
    Gateway         Distance      Last Update
    10.1.23.2             90      00:00:06
  Distance: internal 90 external 170

Now, I'll look at the routing tables of each device.

R1#show ip route | exclude -


Gateway of last resort is not set


     10.0.0.0/24 is subnetted, 4 subnets
C       10.11.1.0 is directly connected, Loopback11
C       10.10.1.0 is directly connected, Loopback10
C       10.1.12.0 is directly connected, FastEthernet0/0
D       10.1.23.0 [90/307200] via 10.1.12.2, 00:02:22, FastEthernet0/0


R2#sh ip route | exclude -


Gateway of last resort is not set


     10.0.0.0/24 is subnetted, 2 subnets
C       10.1.12.0 is directly connected, FastEthernet0/0
C       10.1.23.0 is directly connected, FastEthernet0/1
R2#


R3#show ip route | exclude -


Gateway of last resort is not set


     10.0.0.0/24 is subnetted, 2 subnets
D       10.1.12.0 [90/307200] via 10.1.23.2, 00:02:24, FastEthernet0/0
C       10.1.23.0 is directly connected, FastEthernet0/0
R3#

I notice that R2 and R3 neither have access to the loopback networks of R1. I also notice that there is no Gateway of last resort set for any router.
Next, I'll look at the routing information base of each device

R1#show ip rip database
10.0.0.0/8    auto-summary
10.1.12.0/24    directly connected, FastEthernet0/0
10.10.1.0/24    directly connected, Loopback10
10.11.1.0/24    directly connected, Loopback11


R1#show ip eigrp topology | exclude -


P 10.1.12.0/24, 1 successors, FD is 281600
        via Connected, FastEthernet0/0
P 10.1.23.0/24, 1 successors, FD is 307200
        via 10.1.12.2 (307200/281600), FastEthernet0/0


R2#show ip eigrp topology | exclude -


P 10.1.12.0/24, 1 successors, FD is 281600
        via Connected, FastEthernet0/0
P 10.1.23.0/24, 1 successors, FD is 281600
        via Connected, FastEthernet0/1


R3#show ip eigrp topology | exclude -


P 10.1.12.0/24, 1 successors, FD is 307200
        via 10.1.23.2 (307200/281600), FastEthernet0/0
P 10.1.23.0/24, 1 successors, FD is 281600
        via Connected, FastEthernet0/0
R3#


Now I'll verify EIGRP neighbors; Ensuring that the queue count is zero. If this value was not zero, I would need to troubleshoot the cause of an increasing queue count.

R1#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   10.1.12.2               Fa0/0             13 07:35:11   31  5000  0  4


R2#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   10.1.23.3               Fa0/1             14 07:34:22   56   336  0  4
0   10.1.12.1               Fa0/0             12 07:35:19 1027  5000  0  3


R3#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   10.1.23.2               Fa0/0             11 07:34:33   61   366  0  7


Something I've seen asked several times is; what does the H value mean? From Cisco's 12.4T EIGRP command reference, this column lists the order in which a peering session was established with the specified neighbor. The order is specified with sequential numbering starting with 0.


Now that the EIGRP neighbor relationship, topology and routing tables are displaying expected results, I want to configure MD5 authentication for EIGRP. Since I will be doing key rotation based on time, I will configure R2 as the NTP master with a stratum of 1, and point R1 and R3 there for time.
R2#show clock
08:25:26.269 UTC Fri Mar 1 2002
R2#clock set 00:40:00 17 Jan 2012
R2#
.Jan 17 00:40:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 08:27:01 UTC Fri Mar 1 2002 to 00:40:00 UTC Tue Jan 17 2012, configured from console by console.
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#ntp master 1
R2(config)#do sh ntp associations

      address         ref clock     st  when  poll reach  delay  offset    disp
*~127.127.7.1      .LOCL.            1     9    64  377     0.0    0.00     0.0
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
R2(config)#

R1#sh clock
*08:26:22.657 UTC Fri Mar 1 2002
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ntp server 10.1.12.2
R1(config)#do show ntp associations

      address         ref clock     st  when  poll reach  delay  offset    disp
*~10.1.12.2        .LOCL.            1     0    64   77    23.9   10.05    10.5
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
R1(config)#do sh clock
00:46:45.522 UTC Tue Jan 17 2012

R3#show clock
*08:34:33.645 UTC Fri Mar 1 2002
R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#ntp server 10.1.23.2
R3(config)#do show ntp associations

      address         ref clock     st  when  poll reach  delay  offset    disp
*~10.1.23.2        .LOCL.            1     0    64    7    11.9  -15.88  3878.0
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
R3(config)#do sh clock
00:48:26.877 UTC Tue Jan 17 2012
R3(config)#

Now with time syncronized across the devices, I'll create a key chain two keys on each device. The first key will remain valid for use for the next 12 hours. At that point, the new key will become vaild, and will remain as such. Note that a space in a key string is a valid character.

R1(config)#key chain EIGRP-NOW
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string CISCO-NOW
R1(config-keychain-key)#send-lifetime 00:40:00 17 Jan 2012 12:40:00 17 Jan 2012
R1(config-keychain-key)#accept-lifetime 00:40:00 17 Jan 2012 12:40:00 17 Jan 2012
R1(config-keychain-key)#key 2
R1(config-keychain-key)#key-string CISCO-LATER
R1(config-keychain-key)#send-lifetime 12:40:00 17 Jan 2012 infinite
R1(config-keychain-key)#accept-lifetime 12:40:00 17 Jan 2012 infinite


R2(config)#key chain KC_EIGRP_1
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string CISCO-NOW
R2(config-keychain-key)#accept-lifetime 00:40:00 Jan 17 2012 12:40:00 Jan 17 2012  
R2(config-keychain-key)#send-lifetime 00:40:00 Jan 17 2012 12:40:00 Jan 17 2012    
R2(config-keychain-key)#key 2
R2(config-keychain-key)#key-string CISCO-LATER
R2(config-keychain-key)#accept-lifetime 12:40:00 Jan 17 2012 infinite
R2(config-keychain-key)#send-lifetime 12:40:00 Jan 17 2012 infinite


R3(config)#key chain KC_EIGRP_1
R3(config-keychain)#key 1
R3(config-keychain-key)#key-string CISCO-NOW
R3(config-keychain-key)#accept-lifetime 00:40:00 Jan 17 2012 12:40:00 Jan 17 2012  
R3(config-keychain-key)#send-lifetime 00:40:00 Jan 17 2012 12:40:00 Jan 17 2012    
R3(config-keychain-key)#key 2
R3(config-keychain-key)#key-string CISCO-LATER
R3(config-keychain-key)#accept-lifetime 12:40:00 Jan 17 2012 infinite
R3(config-keychain-key)#send-lifetime 12:40:00 Jan 17 2012 infinite


Verify the key chain

R1#show key chain
Key-chain KC_EIGRP_1:
    key 1 -- text "CISCO-NOW"
        accept lifetime (00:40:00 UTC Jan 17 2012) - (12:40:00 UTC Jan 17 2012) [valid now]
        send lifetime (00:40:00 UTC Jan 17 2012) - (12:40:00 UTC Jan 17 2012) [valid now]
    key 2 -- text "CISCO-LATER"
        accept lifetime (12:40:00 UTC Jan 17 2012) - (infinite)
        send lifetime (12:40:00 UTC Jan 17 2012) - (infinite)


With the keys configured on each device, I will configure the interfaces for EIGRP authentication.

R1(config)#interface fa0/0
R1(config-if)#ip authentication key-chain eigrp 1 KC_EIGRP_1  
R1(config-if)#ip authentication mode eigrp 1 md5
R1(config-if)#
Jan 17 01:11:53.746: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.12.2 (FastEthernet0/0) is down: keychain changed
Jan 17 01:11:53.982: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.12.2 (FastEthernet0/0) is up: new adjacency
Jan 17 01:11:54.418: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.12.2 (FastEthernet0/0) is down: authentication mode changed


R2(config)#interface fa0/0
R2(config-if)#ip authentication key-chain eigrp 1 KC_EIGRP_1  
R2(config-if)#ip authentication mode eigrp 1 md5
R2(config-if)#
Jan 17 01:13:07.463: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.12.1 (FastEthernet0/0) is up: new adjacency


R2(config-if)#interface fa0/1
R2(config-if)#ip authentication key-chain eigrp 1 KC_EIGRP_1  
R2(config-if)#ip authentication mode eigrp 1 md5
R2(config-if)#
Jan 17 01:13:37.947: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.23.3 (FastEthernet0/1) is down: keychain changed


R3(config)#interface fa0/0
R3(config-if)#ip authentication key-chain eigrp 1 KC_EIGRP_1  
R3(config-if)#ip authentication mode eigrp 1 md5
R3(config-if)#
Jan 17 01:14:20.018: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.23.2 (FastEthernet0/0) is up: new adjacency


I'll verify that EIGRP authentication is working properly with Key 1. I will check later to verify that the key change occurs at the correct time.

R1#debug eigrp packets hello
EIGRP Packets debugging is on
    (HELLO)
R1#
Jan 17 01:23:19.207: EIGRP: received packet with MD5 authentication, key id = 1
Jan 17 01:23:19.207: EIGRP: Received HELLO on FastEthernet0/0 nbr 10.1.12.2
Jan 17 01:23:19.207:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0


R2#debug eigrp packets hello
EIGRP Packets debugging is on
    (HELLO)
R2#
Jan 17 01:24:46.795: EIGRP: received packet with MD5 authentication, key id = 1
Jan 17 01:24:46.795: EIGRP: Received HELLO on FastEthernet0/1 nbr 10.1.23.3
Jan 17 01:24:46.795:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
Jan 17 01:24:48.975: EIGRP: received packet with MD5 authentication, key id = 1
Jan 17 01:24:48.975: EIGRP: Received HELLO on FastEthernet0/0 nbr 10.1.12.1
Jan 17 01:24:48.979:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0


R3#debug eigrp packet hello
EIGRP Packets debugging is on
    (HELLO)
R3#
Jan 17 03:36:41.447: EIGRP: received packet with MD5 authentication, key id = 1
Jan 17 03:36:41.451: EIGRP: Received HELLO on FastEthernet0/0 nbr 10.1.23.2
Jan 17 03:36:41.451:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0


Now I'll redistribute the RIP routes into EIGRP and verify visibility of the RIP networks on R3

R1(config)#router eigrp 1
R1(config-router)#redistribute rip metric 10000 1 255 1 1500


R3#sh ip route | ex -


Gateway of last resort is not set


     10.0.0.0/24 is subnetted, 4 subnets
D EX    10.11.1.0 [170/307456] via 10.1.23.2, 00:01:05, FastEthernet0/0
D EX    10.10.1.0 [170/307456] via 10.1.23.2, 00:01:05, FastEthernet0/0
D       10.1.12.0 [90/307200] via 10.1.23.2, 03:09:18, FastEthernet0/0
C       10.1.23.0 is directly connected, FastEthernet0/0


Now I'll summarize a default route from R1 to R2's interface and view the results on R3

R1(config)#interface fa0/0
R1(config-if)#ip summary-address eigrp 1 0.0.0.0 0.0.0.0
R1(config-if)#
Jan 17 03:52:10.316: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.12.2 (FastEthernet0/0) is resync: summary configured


R3#sh ip route | ex -


Gateway of last resort is 10.1.23.2 to network 0.0.0.0


     10.0.0.0/24 is subnetted, 2 subnets
D       10.1.12.0 [90/307200] via 10.1.23.2, 03:11:34, FastEthernet0/0
C       10.1.23.0 is directly connected, FastEthernet0/0
D*   0.0.0.0/0 [90/307456] via 10.1.23.2, 00:00:49, FastEthernet0/0
R3#ping 10.10.1.1


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/48/60 ms
R3#ping 10.11.1.1


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.11.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/41/60 ms


I see that the gateway of last resort is now set, and I still have reachability to the loopback networks on R1. Although I don't need the loopback networks in R3s routing table for reachability, I still want to meet my requirement of leaking a single network through with the default route with a leak-map

R1(config)#ip prefix-list LM_LEAK permit 10.10.1.0/24
R1(config)#route-map RM_LEAK permit 10
R1(config-route-map)#match ip address prefix LM_LEAK
R1(config-route-map)#exit
R1(config)#interface fa0/0
R1(config-if)#ip summary-address eigrp 1 0.0.0.0 0.0.0.0 leak-map RM_LEAK
R1(config-if)#
Jan 17 03:59:20.693: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.12.2 (FastEthernet0/0) is resync: summary configured


Now on R3, I should see the 10.10.1.0/24 network leaked from the summary route.

R3#show ip route | ex -


Gateway of last resort is 10.1.23.2 to network 0.0.0.0


     10.0.0.0/24 is subnetted, 3 subnets
D EX    10.10.1.0 [170/307456] via 10.1.23.2, 00:00:57, FastEthernet0/0
D       10.1.12.0 [90/307200] via 10.1.23.2, 03:18:52, FastEthernet0/0
C       10.1.23.0 is directly connected, FastEthernet0/0
D*   0.0.0.0/0 [90/307456] via 10.1.23.2, 00:00:57, FastEthernet0/0


At this point, I'll set the NTP master clock to 11:40, and see what happens after lunch!

R2#show key chain
Key-chain KC_EIGRP_1:
    key 1 -- text "CISCO-NOW"
        accept lifetime (00:40:00 UTC Jan 17 2012) - (12:40:00 UTC Jan 17 2012)
        send lifetime (00:40:00 UTC Jan 17 2012) - (12:40:00 UTC Jan 17 2012)
    key 2 -- text "CISCO-LATER"
        accept lifetime (12:40:00 UTC Jan 17 2012) - (infinite) [valid now]
        send lifetime (12:40:00 UTC Jan 17 2012) - (infinite) [valid now]


R2#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   10.1.23.3               Fa0/1             14 10:06:05   77   462  0  20
0   10.1.12.1               Fa0/0             11 10:06:08   68   408  0  44
R2#


Looks as expected.

1 comment:

  1. The key-chain KC_EIGRP_1 was not configured on R1 even though you seem to successfully invoke it under the interface? I am sure i am missing something, can you clarify please?

    ReplyDelete