EIGRP Authentication

Written by jlgaddis on July 4, 2009 – 2:03 pm -

Here’s another quick little lab, using the same topology as last time:

Two routers, R1 and R2, directly connected via their serial 0/0 interfaces. In the previous lab, we were using RIP. This time we’ll use EIGRP and authenticate our routing updates.

Basic configuration

Just like last time, let’s bring up a loopback interface, our serial 0/0 interfaces and verify connectivity:

R1# configure terminal
R1(config)# interface loopback 0
R1(config-if)# ip address 1.1.1.1 255.255.255.255
R1(config-if)# interface serial 0/0
R1(config-if)# ip address 172.16.12.1 255.255.255.252
R1(config-if)# no shutdown
R1(config-if)# end
R2# configure terminal
R2(config)# interface loopback 0
R2(config-if)# ip address 2.2.2.2 255.255.255.255
R2(config-if)# interface serial 0/0
R2(config-if)# ip address 172.16.12.2 255.255.255.252
R2(config-if)# no shutdown
R2(config-if)# end
R1# ping 172.16.12.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/18/36 ms
R1#

Configure EIGRP

Now that we have connectivity, let’s get EIGRP up and running on R1 and R2 (without authentication, at first). We just want to make sure they’re exchanging EIGRP routing updates at this point.

R1# configure terminal
R1(config)# router eigrp 42
R1(config-router)# no auto-summary
R1(config-router)# network 172.16.12.1 0.0.0.0
R1(config-router)# network 1.1.1.1 0.0.0.0
R1(config-router)# end
R2# configure terminal
R2(config)# router eigrp 42
R2(config-router)# no auto-summary
R2(config-router)# network 2.2.2.2 0.0.0.0
R2(config-router)# network 172.16.12.2 0.0.0.0
R2(config-router)# end

Very quickly (EIGRP is *FAST*), we should see an adjacency come up (ignore the timestamps, they’re obviously not correct!):

On R1:

*Mar  1 00:13:12.243: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 42: Neighbor 172.16.12.2 (Serial0/0) is up: new adjacency

On R2:

*Mar  1 00:12:47.935: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 42: Neighbor 172.16.12.1 (Serial0/0) is up: new adjacency

Verify EIGRP

On R1:

R1# sh ip route eigrp
     2.0.0.0/32 is subnetted, 1 subnets
D       2.2.2.2 [90/2297856] via 172.16.12.2, 00:01:26, Serial0/0

On R2:

R2# sh ip route eigrp
     1.0.0.0/32 is subnetted, 1 subnets
D       1.1.1.1 [90/2297856] via 172.16.12.1, 00:02:00, Serial0/0

We can see that the loopbacks are being advertised by both routers. If we want, we can ping R2’s loopback from R1’s loopback just for good measure:

R1# ping 2.2.2.2 source 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/11/16 ms

Configure EIGRP authentication

Now that we have full reachability and “basic” EIGRP working, it’s time to configure MD5 authentication.

Just like RIP authentication, we need to create a key chain, key identifier, and key string that will be used for authentication. We’ll use the same values as last time, except that we’ll call our key chain “EIGRP” instead of “RIP”:

R1# configure terminal
R1(config)# key chain EIGRP
R1(config-keychain)# key 1
R1(config-keychain-key)# key-string RGjtl5ANYa
R1(config-keychain-key)# end
R2# configure terminal
R2(config)# key chain EIGRP
R2(config-keychain)# key 1
R2(config-keychain-key)# key-string RGjtl5ANYa
R2(config-keychain-key)# end

We have two steps left to complete on each router: specify the key chain that we want to use for authentication, then enable EIGRP authentication. Both of these are done in interface configuration mode under (in our case) the serial 0/0 interfaces. Let’s configure R1 first:

R1# configure terminal
R1(config)# interface serial 0/0
R1(config-if)# ip authentication key-chain eigrp 42 EIGRP
R1(config-if)#
*Mar  1 00:21:51.919: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 42: Neighbor 172.16.12.2 (Serial0/0) is down: keychain changed
*Mar  1 00:21:52.567: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 42: Neighbor 172.16.12.2 (Serial0/0) is up: new adjacency
R1(config-if)# ip authentication mode eigrp 42 md5
R1(config-if)# end
R1#
*Mar  1 00:22:06.083: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 42: Neighbor 172.16.12.2 (Serial0/0) is down: authentication mode changed

Note that our adjacency bounced right after we configured the key chain. Then, after actually enabling MD5 authentication, we see in the last log message that the adjacency went down. This is because R1 is now using MD5 authentication, but R2 has not yet been configured to do the same. Let’s run a “debug eigrp packets” and see what’s going on over there:

R2# debug eigrp packets
R2#
*Mar  1 00:24:18.751: EIGRP: Sending HELLO on Serial0/0
*Mar  1 00:24:18.755:   AS 42, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Mar  1 00:24:19.087: EIGRP: Serial0/0: ignored packet from 172.16.12.1, opcode = 5 (authentication off or key-chain missing)
R2# undebug all
All possible debugging has been turned off

Now let’s enable authentication on R2’s side and we should see the adjacency come right back up:

R2# configure terminal
R2(config)# interface serial 0/0
R2(config-if)# ip authentication key-chain eigrp 42 EIGRP
R2(config-if)# ip authentication mode eigrp 42 md5
R2(config-if)# end
R2#
*Mar  1 00:26:23.495: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 42: Neighbor 172.16.12.1 (Serial0/0) is up: new adjacency
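
The key chain and the two per-interface steps above can be checked offline against a saved configuration. This is an added example, not part of the original lab: it assumes “show running-config”-style text, and the names audit_eigrp_auth and neighbor_ifaces are hypothetical.

```python
import re

# Constructed sample: R1's relevant config at the point in the lab where the
# key chain is attached to Serial0/0 but MD5 mode has not been enabled yet.
SAMPLE_CONFIG = """\
key chain EIGRP
 key 1
  key-string RGjtl5ANYa
!
interface Serial0/0
 ip address 172.16.12.1 255.255.255.252
 ip authentication key-chain eigrp 42 EIGRP
!
"""

def audit_eigrp_auth(config, asn, neighbor_ifaces):
    """Return {interface: [findings]}; an empty list means both steps are done."""
    chains, ifaces = {}, {}            # chain name -> has key-string; iface -> state
    chain = iface = None
    for line in config.splitlines():
        text = line.strip()
        if not line.startswith(" "):   # unindented line starts a new section
            chain = iface = None
            if m := re.fullmatch(r"key chain (\S+)", text):
                chain = m.group(1)
                chains[chain] = False
            elif m := re.fullmatch(r"interface (\S+)", text):
                iface = m.group(1)
                ifaces[iface] = {"md5": False, "chain": None}
        elif chain and text.startswith("key-string "):
            chains[chain] = True
        elif iface and text == f"ip authentication mode eigrp {asn} md5":
            ifaces[iface]["md5"] = True
        elif iface and (m := re.fullmatch(
                rf"ip authentication key-chain eigrp {asn} (\S+)", text)):
            ifaces[iface]["chain"] = m.group(1)
    report = {}
    for name in neighbor_ifaces:       # interfaces expected to face EIGRP peers
        state = ifaces.get(name, {"md5": False, "chain": None})
        found = []
        if not state["md5"]:
            found.append("md5 mode not enabled")
        if state["chain"] is None:
            found.append("no key chain attached")
        elif not chains.get(state["chain"]):
            found.append(f"key chain {state['chain']} missing or has no key-string")
        report[name] = found
    return report
```

Run against the sample, it reports that Serial0/0 has a key chain attached but MD5 mode is not enabled, which is the state in which R1's adjacency came back up against a neighbor with no authentication configured.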

Verifying EIGRP authentication

We can verify that authentication is in use by running “debug eigrp packets” again:

R2# debug eigrp packets
R2#
*Mar  1 00:28:32.711: EIGRP: received packet with MD5 authentication, key id = 1
*Mar  1 00:28:32.711: EIGRP: Received HELLO on Serial0/0 nbr 172.16.12.1
*Mar  1 00:28:32.711:   AS 42, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
R2# undebug all
All possible debugging has been turned off
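
The console and debug messages seen in this lab can also be read by a script to show, per neighbor, whether packets are being authenticated or ignored. This is an added example, not part of the original lab: the function names peer_status and auth_problems are hypothetical, and the sample lines are the ones shown on this page.

```python
import re

# Log lines copied from this page: R1's console (neighbor 172.16.12.2), then
# R2's console and debug output (neighbor 172.16.12.1). R1's recovery message
# is not shown on the page, so 172.16.12.2 ends in a "down" state here.
SAMPLE_LOG = """\
*Mar  1 00:21:51.919: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 42: Neighbor 172.16.12.2 (Serial0/0) is down: keychain changed
*Mar  1 00:21:52.567: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 42: Neighbor 172.16.12.2 (Serial0/0) is up: new adjacency
*Mar  1 00:22:06.083: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 42: Neighbor 172.16.12.2 (Serial0/0) is down: authentication mode changed
*Mar  1 00:24:19.087: EIGRP: Serial0/0: ignored packet from 172.16.12.1, opcode = 5 (authentication off or key-chain missing)
*Mar  1 00:26:23.495: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 42: Neighbor 172.16.12.1 (Serial0/0) is up: new adjacency
*Mar  1 00:28:32.711: EIGRP: received packet with MD5 authentication, key id = 1
*Mar  1 00:28:32.711: EIGRP: Received HELLO on Serial0/0 nbr 172.16.12.1
"""

NBR = re.compile(r"%DUAL-5-NBRCHANGE: .*Neighbor ([\d.]+) \(\S+\) is ((?:up|down): .+)$")
IGNORED = re.compile(r"EIGRP: \S+: ignored packet from ([\d.]+), opcode = \d+ \((.+)\)$")
MD5 = re.compile(r"EIGRP: received packet with MD5 authentication, key id = (\d+)")
RECV = re.compile(r"EIGRP: Received \w+ on \S+ nbr ([\d.]+)")

def peer_status(log):
    """Return {neighbor address: latest observation}, reading lines in order."""
    peers, pending_key = {}, None
    for line in log.splitlines():
        if m := NBR.search(line):
            peers[m.group(1)] = m.group(2)
        elif m := IGNORED.search(line):
            peers[m.group(1)] = f"ignored: {m.group(2)}"
        elif m := MD5.search(line):
            pending_key = m.group(1)   # the sender is named on the next line
        elif (m := RECV.search(line)) and pending_key is not None:
            peers[m.group(1)] = f"authenticated: md5 key {pending_key}"
            pending_key = None
    return peers

def auth_problems(log):
    """Neighbors whose latest state is an ignored packet or an auth-related down."""
    bad = re.compile(r"ignored: |down: .*(authentication|keychain)")
    return {a: s for a, s in peer_status(log).items() if bad.match(s)}
```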

Looks good, let’s verify we still have full reachability:

R1# ping 2.2.2.2 source 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/12/16 ms


Basic Frame Relay Lab for Dynamips

Written by jlgaddis on November 15, 2008 – 11:04 am -

Last night I put together a basic frame relay lab for dynamips, made up of three routers: one hub and two spokes. I’m sure there are a thousand others out there like it but I was putting something together to get a friend started on dynamips and it’s what I came up with.

First, the physical topology:

R1 is our hub router and R2 and R3 are our spoke routers. Each router has loopback0 configured with an IP address of 172.16.x.x and each router’s serial0/0 interface is configured with an IP address of 172.16.123.x, “x” being the router number (1/2/3), of course. We also throw EIGRP into the mix to get full connectivity between devices (we’ll need full connectivity for my next lab).

Dynagen .net file:

autostart = false

[localhost:7200]

     workingdir = /home/jlgaddis/dynamips/working/frame-relay

     [[3640]]
          image = /home/jlgaddis/dynamips/ios/c3640-jk9o3s-mz.123-14.T7.img
          idlepc = 0x60530abc
          ram = 128
          disk0 = 8
          disk1 = 0
          mmap = true
          ghostios = true

     [[ROUTER R1]]
          model = 3640
          console = 2000
          slot0 = NM-4T
          s0/0 = FR 1

     [[ROUTER R2]]
          model = 3640
          console = 2001
          slot0 = NM-4T
          s0/0 = FR 2

     [[ROUTER R3]]
          model = 3640
          console = 2002
          slot0 = NM-4T
          s0/0 = FR 3

     [[FRSW FR]]
          1:102 = 2:201
          1:103 = 3:301

R1 Configuration:

hostname R1
!
interface loopback 0
 ip address 172.16.1.1 255.255.255.255
!
interface serial 0/0
 encapsulation frame-relay
 no frame-relay inverse-arp
 ip address 172.16.123.1 255.255.255.0
 frame-relay map ip 172.16.123.2 102 broadcast
 frame-relay map ip 172.16.123.3 103 broadcast
 no ip split-horizon eigrp 123
 no shutdown
!
router eigrp 123
 network 172.16.1.1 0.0.0.0
 network 172.16.123.0 0.0.0.255
!

R2 Configuration:

hostname R2
!
interface loopback 0
 ip address 172.16.2.2 255.255.255.255
!
interface serial 0/0
 encapsulation frame-relay
 no frame-relay inverse-arp
 ip address 172.16.123.2 255.255.255.0
 frame-relay map ip 172.16.123.1 201 broadcast
 frame-relay map ip 172.16.123.3 201
 no shutdown
!
router eigrp 123
 network 172.16.2.2 0.0.0.0
 network 172.16.123.0 0.0.0.255
!

R3 Configuration:

hostname R3
!
interface loopback 0
 ip address 172.16.3.3 255.255.255.255
!
interface serial 0/0
 encapsulation frame-relay
 no frame-relay inverse-arp
 ip address 172.16.123.3 255.255.255.0
 frame-relay map ip 172.16.123.1 301 broadcast
 frame-relay map ip 172.16.123.2 301
 no shutdown
!
router eigrp 123
 network 172.16.3.3 0.0.0.0
 network 172.16.123.0 0.0.0.255
!

Now that everything is up and running, let’s verify that we have full connectivity between our three routers:

R1#ping 172.16.123.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.123.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/23/36 ms
R1#ping 172.16.123.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.123.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/17/20 ms
R1#show ip route eigrp
     172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
D       172.16.3.3/32 [90/2297856] via 172.16.123.3, 00:01:17, Serial0/0
D       172.16.2.2/32 [90/2297856] via 172.16.123.2, 00:01:17, Serial0/0
R2#ping 172.16.123.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.123.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/30/48 ms
R2#ping 172.16.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/29/44 ms
R3#ping 172.16.2.2 source 172.16.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.2, timeout is 2 seconds:
Packet sent with a source address of 172.16.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/31/40 ms

Success! We have full connectivity across our frame relay network. My next lab will be covering how to set up an IPSec site-to-site VPN between R2 and R3 to encrypt our data in transit.

