EIGRP Default Route Summarization Authentication - TopicsExpress

EIGRP Default Route, Summarization, Authentication, Route-Map

Basic configuration of all routers:

R1

    interface FastEthernet0/0
     ip address 192.168.14.1 255.255.255.0
     no shutdown
    !
    interface Serial1/1
     ip address 10.0.12.1 255.255.255.252
     no shutdown

R2

    interface FastEthernet0/0
     ip address 10.2.2.2 255.255.255.0
     no shutdown
    !
    interface Serial1/0
     ip address 10.0.23.1 255.255.255.252
     no shutdown
    !
    interface Serial1/1
     ip address 10.0.12.2 255.255.255.252
     no shutdown

R3

    interface FastEthernet0/0
     ip address 10.3.3.3 255.255.255.0
     no shutdown
    !
    interface Serial1/1
     ip address 10.0.23.2 255.255.255.252
     no shutdown
    !
    interface Serial1/2
     ip address 10.0.34.1 255.255.255.252
     no shutdown

R4

    interface FastEthernet0/0
     ip address 192.168.14.4 255.255.255.0
     no shutdown
    !
    interface Serial1/0
     ip address 10.0.34.2 255.255.255.252
     no shutdown

Let's configure the routers to run EIGRP AS 100. The LAN subnets 10.2.2.0/24 and 10.3.3.0/24, connected to R2 and R3 respectively, will later be redistributed as external routes.

R1

    router eigrp 100
     network 192.168.14.1 0.0.0.0
     network 10.0.12.1 0.0.0.0
     no auto-summary

R2

    router eigrp 100
     network 10.0.12.2 0.0.0.0
     network 10.0.23.1 0.0.0.0
     no auto-summary

R3

    router eigrp 100
     no auto-summary
     network 10.0.23.2 0.0.0.0
     network 10.0.34.1 0.0.0.0

R4

    router eigrp 100
     no auto-summary
     network 192.168.14.4 0.0.0.0
     network 10.0.34.2 0.0.0.0

Let's verify the neighbor relationships:

    R1#show ip eigrp neighbors
    EIGRP-IPv4 Neighbors for AS(100)
    H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                       (sec)         (ms)       Cnt Num
    1   192.168.14.4            Fa0/0                    13 00:03:10  137   822  0  3
    0   10.0.12.2               Se1/1                    13 00:03:40  257  1542  0  7

    R2#show ip eigrp neighbors
    EIGRP-IPv4 Neighbors for AS(100)
    H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                       (sec)         (ms)       Cnt Num
    1   10.0.23.2               Se1/0                    14 00:05:01  289  1734  0  3
    0   10.0.12.1               Se1/1                    12 00:05:19  270  1620  0  8

    R3#show ip eigrp neighbors
    EIGRP-IPv4 Neighbors for AS(100)
    H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                       (sec)         (ms)       Cnt Num
    0   10.0.23.1               Se1/1                    11 00:06:28  467  2802  0  6

    R4#show ip eigrp neighbors
    EIGRP-IPv4 Neighbors for AS(100)
    H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                       (sec)         (ms)       Cnt Num
    0   192.168.14.1            Fa0/0                    13 00:09:50 1579  5000  0  7

Now we will show how to configure EIGRP authentication in order to secure the updates. We will use the password CISCO:

R1

    key chain CISCO-CHAIN
     key 1
      key-string CISCO
    !
    interface fastethernet 0/0
     ip authentication mode eigrp 100 md5
     ip authentication key-chain eigrp 100 CISCO-CHAIN
    !
    interface serial 1/1
     ip authentication mode eigrp 100 md5
     ip authentication key-chain eigrp 100 CISCO-CHAIN

R2

    key chain CISCO-CHAIN
     key 1
      key-string CISCO
    !
    interface serial 1/1
     ip authentication mode eigrp 100 md5
     ip authentication key-chain eigrp 100 CISCO-CHAIN
    !
    interface serial 1/0
     ip authentication mode eigrp 100 md5
     ip authentication key-chain eigrp 100 CISCO-CHAIN

R3

    key chain CISCO-CHAIN
     key 1
      key-string CISCO
    !
    interface serial 1/1
     ip authentication mode eigrp 100 md5
     ip authentication key-chain eigrp 100 CISCO-CHAIN
    !
    interface serial 1/2
     ip authentication mode eigrp 100 md5
     ip authentication key-chain eigrp 100 CISCO-CHAIN

R4

    key chain CISCO-CHAIN
     key 1
      key-string CISCO
    !
    interface fastethernet 0/0
     ip authentication mode eigrp 100 md5
     ip authentication key-chain eigrp 100 CISCO-CHAIN
    !
    interface serial 1/1
     ip authentication mode eigrp 100 md5
     ip authentication key-chain eigrp 100 CISCO-CHAIN

Let's check the authentication:

    R1#show key chain CISCO-CHAIN
    Key-chain CISCO-CHAIN:
        key 1 -- text CISCO
            accept lifetime (always valid) - (always valid) [valid now]
            send lifetime (always valid) - (always valid) [valid now]

The show ip eigrp interfaces detail command displays the interfaces configured to authenticate the EIGRP updates:

    R1#show ip eigrp interfaces detail
    EIGRP-IPv4 Interfaces for AS(100)
                                  Xmit Queue   PeerQ        Mean   Pacing Time   Multicast    Pending
    Interface              Peers  Un/Reliable  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
    Fa0/0                      1        0/0          0/0      137       0/0           560           0
      Hello-interval is 5, Hold-time is 15
      Split-horizon is enabled
      Next xmit serial
      Packetized sent/expedited: 2/0
      Hellos sent/expedited: 237/2
      Un/reliable mcasts: 0/2  Un/reliable ucasts: 2/2
      Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 0
      Retransmissions sent: 1  Out-of-sequence rcvd: 1
      Topology-ids on interface - 0
      Authentication mode is md5, key-chain is CISCO-CHAIN
    Se1/1                      1        0/0          0/0      257       0/16          924           0
      Hello-interval is 5, Hold-time is 15
      Split-horizon is enabled
      Next xmit serial
      Packetized sent/expedited: 4/0
      Hellos sent/expedited: 237/2
      Un/reliable mcasts: 0/0  Un/reliable ucasts: 4/5
      Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 0
      Retransmissions sent: 0  Out-of-sequence rcvd: 0
      Topology-ids on interface - 0
      Authentication mode is md5, key-chain is CISCO-CHAIN

We will redistribute the connected LAN subnets 10.2.2.0/24 and 10.3.3.0/24 of R2 and R3 respectively using the redistribute connected command:

R2

    router eigrp 100
     redistribute connected

R3

    router eigrp 100
     redistribute connected
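To make the key-chain mechanism concrete, here is an added example (not code from the original post) that models what the CISCO-CHAIN configuration above does: each key has a key-string plus accept and send lifetimes, the sender signs with the lowest key id valid for sending, and the receiver checks the key id carried in the packet against a key that is inside its accept lifetime. The digest construction (keyed MD5 over the packet and a padded key string) is an illustrative assumption, not the exact EIGRP authentication TLV layout; the timestamps and packet bytes are constructed. The second function goes beyond the lab and shows why accept lifetimes are made to overlap when a key is rotated.

```python
"""Key-chain authentication model: accept/send lifetimes and a keyed-MD5 digest.

Added example, not code from the original post. Digest construction is an
illustrative assumption, not the EIGRP wire format.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class Key:
    key_id: int
    key_string: bytes
    # None means "always valid", as in the lab's "(always valid) - (always valid)"
    accept_start: Optional[datetime] = None
    accept_end: Optional[datetime] = None
    send_start: Optional[datetime] = None
    send_end: Optional[datetime] = None

    @staticmethod
    def _within(start, end, now):
        return (start is None or start <= now) and (end is None or now < end)

    def accept_valid(self, now):
        return self._within(self.accept_start, self.accept_end, now)

    def send_valid(self, now):
        return self._within(self.send_start, self.send_end, now)


def digest(packet: bytes, key: Key) -> bytes:
    # Keyed MD5 over the packet followed by the key string padded to 16 bytes
    # (assumed construction; md5 matches "ip authentication mode eigrp 100 md5").
    return hashlib.md5(packet + key.key_string.ljust(16, b"\x00")).digest()


@dataclass
class KeyChain:
    name: str
    keys: List[Key] = field(default_factory=list)

    def send_key(self, now):
        # Lowest key id whose send lifetime covers `now` signs outgoing packets.
        valid = [k for k in sorted(self.keys, key=lambda k: k.key_id) if k.send_valid(now)]
        return valid[0] if valid else None

    def sign(self, packet, now):
        key = self.send_key(now)
        if key is None:
            raise RuntimeError("no key in chain is valid for sending")
        return key.key_id, digest(packet, key)

    def verify(self, packet, key_id, received, now):
        # The receiver uses the key id carried in the packet; that key must be
        # inside its accept lifetime and the digest must match (constant-time compare).
        for key in self.keys:
            if key.key_id == key_id and key.accept_valid(now):
                return hmac.compare_digest(digest(packet, key), received)
        return False


def lab_demo():
    """Both ends hold the lab's chain: key 1, key-string CISCO."""
    now = datetime(2014, 9, 14, 23, 55, tzinfo=timezone.utc)       # constructed
    hello = b"EIGRP hello AS100 from 10.0.12.1"                   # constructed sample packet
    r1 = KeyChain("CISCO-CHAIN", [Key(1, b"CISCO")])
    r2 = KeyChain("CISCO-CHAIN", [Key(1, b"CISCO")])
    r2_wrong = KeyChain("CISCO-CHAIN", [Key(1, b"cisco")])         # mismatched key-string
    key_id, mac = r1.sign(hello, now)
    return (r2.verify(hello, key_id, mac, now),          # True: same key, same packet
            r2_wrong.verify(hello, key_id, mac, now),    # False: wrong key-string
            r2.verify(hello + b"x", key_id, mac, now))   # False: packet modified in flight


def rotation_demo():
    """Rotate from key 1 to key 2 with an accept-lifetime overlap: a neighbour that
    switches later is still accepted during the overlap and rejected after it."""
    t0 = datetime(2014, 9, 14, tzinfo=timezone.utc)                # constructed
    t1, t2 = t0 + timedelta(days=2), t0 + timedelta(days=4)
    old = Key(1, b"CISCO", accept_end=t2, send_end=t1)
    new = Key(2, b"NEWSECRET", accept_start=t0, send_start=t1)
    r1 = KeyChain("CISCO-CHAIN", [old, new])
    peer = KeyChain("CISCO-CHAIN", [Key(1, b"CISCO")])            # not yet rotated
    pkt = b"EIGRP update"                                           # constructed
    key_id, mac = peer.sign(pkt, t1)
    return (r1.sign(pkt, t0)[0],                                   # 1: before the switch
            r1.sign(pkt, t1)[0],                                   # 2: send lifetime moved on
            r1.verify(pkt, key_id, mac, t1 + timedelta(hours=1)), # True: inside the overlap
            r1.verify(pkt, key_id, mac, t2))                       # False: key 1 no longer accepted
```

The lab uses a single key with no lifetimes, which is why `show key chain` reports it as always valid; the rotation function shows the reason to set the old key's accept lifetime past its send lifetime, so that a neighbour that has not yet been reconfigured does not lose its adjacency during the change.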
Next, we configure R2 and R3 to advertise a default route to R1 and R4:

R2

    interface serial 1/1
     ip summary-address eigrp 100 0.0.0.0 0.0.0.0

R3

    interface serial 1/2
     ip summary-address eigrp 100 0.0.0.0 0.0.0.0

R1 and R4 are not allowed to receive the EIGRP external routes to 10.2.2.0/24 and 10.3.3.0/24, therefore we use a prefix-list called DEFAULT-ROUTE that allows only a default route toward R1 and R4, and apply it with a distribute-list under router eigrp 100 outbound on interfaces s1/1 of R2 and s1/2 of R3. All other routes that do not match sequence 5 of the prefix-list are dropped by the implicit deny at the end of the list (in this case 10.2.2.0/24, 10.3.3.0/24 and also 10.0.23.0/24).

R2

    ip prefix-list DEFAULT-ROUTE seq 5 permit 0.0.0.0/0
    !
    router eigrp 100
     distribute-list prefix DEFAULT-ROUTE out serial 1/1

R3

    ip prefix-list DEFAULT-ROUTE seq 5 permit 0.0.0.0/0
    !
    router eigrp 100
     distribute-list prefix DEFAULT-ROUTE out serial 1/2

Let's check the routing tables of all routers.

R1 receives only a default route from R2 and an EIGRP route to 10.0.34.0/24 from R4; the subnets 10.2.2.0/24, 10.3.3.0/24 and 10.0.23.0/24 are filtered by the prefix-list:

    R1#show ip route eigrp
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
           + - replicated route, % - next hop override

    Gateway of last resort is 10.0.12.2 to network 0.0.0.0

    D*    0.0.0.0/0 [90/2172416] via 10.0.12.2, 00:00:34, Serial1/1
          10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
    D        10.0.34.0/30 [90/2172416] via 192.168.14.4, 00:00:42, FastEthernet0/0

R2 still receives an external EIGRP route to 10.3.3.0/24 from R3, as expected, because R3 filters this subnet only out the interface s1/2 toward R4:

    R2#show ip route eigrp
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
           + - replicated route, % - next hop override

    Gateway of last resort is 0.0.0.0 to network 0.0.0.0

    D*    0.0.0.0/0 is a summary, 00:01:43, Null0
          10.0.0.0/8 is variably subnetted, 8 subnets, 3 masks
    D        10.0.34.0/30 [90/2681856] via 10.0.23.2, 00:31:20, Serial1/0
    D EX     10.3.3.0/24 [170/2172416] via 10.0.23.2, 00:01:37, Serial1/0
    D     192.168.14.0/24 [90/2172416] via 10.0.12.1, 00:31:57, Serial1/1
    R2#

R3 still receives an external EIGRP route to 10.2.2.0/24 from R2, as expected, because R2 filters this subnet only out the interface s1/1 toward R1:

    R3#show ip route eigrp
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
           + - replicated route, % - next hop override

    Gateway of last resort is 0.0.0.0 to network 0.0.0.0

    D*    0.0.0.0/0 is a summary, 00:03:32, Null0
          10.0.0.0/8 is variably subnetted, 8 subnets, 3 masks
    D        10.0.12.0/30 [90/2681856] via 10.0.23.1, 00:33:45, Serial1/1
    D EX     10.2.2.0/24 [170/2172416] via 10.0.23.1, 00:03:58, Serial1/1
    D     192.168.14.0/24 [90/2684416] via 10.0.23.1, 00:33:45, Serial1/1
    R3#

R4 receives only a default route from R2 and an EIGRP route to 10.0.12.0/24 from R1; the subnets 10.2.2.0/24, 10.3.3.0/24 and 10.0.23.0/24 are filtered by the prefix-list:

    R4#show ip route eigrp
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
           + - replicated route, % - next hop override

    Gateway of last resort is 192.168.14.1 to network 0.0.0.0

    D*    0.0.0.0/0 [90/2174976] via 192.168.14.1, 00:05:35, FastEthernet0/0
          10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
    D        10.0.12.0/30 [90/2172416] via 192.168.14.1, 00:35:18, FastEthernet0/0
    R4#

Let's add secondary IP addresses on the LAN interfaces of R1 and R4 and advertise these subnets into EIGRP. Then we configure R1 and R4 to advertise only a summarized route for these subnets to R2 and R3:

1. Network 192.168.0.0/24: 192.168.0.1/24 on R1 and 192.168.0.4/24 on R4
2. Network 192.168.1.0/24: 192.168.1.1/24 on R1 and 192.168.1.4/24 on R4
3. Network 192.168.2.0/24: 192.168.2.1/24 on R1 and 192.168.2.4/24 on R4
4. Network 192.168.3.0/24: 192.168.3.1/24 on R1 and 192.168.3.4/24 on R4

R1

    interface fastethernet 0/0
     ip address 192.168.0.1 255.255.255.0 secondary
     ip address 192.168.1.1 255.255.255.0 secondary
     ip address 192.168.2.1 255.255.255.0 secondary
     ip address 192.168.3.1 255.255.255.0 secondary
    !
    interface serial 1/1
     ip summary-address eigrp 100 192.168.0.0 255.255.252.0
    !
    router eigrp 100
     network 192.168.0.0 0.0.3.255

R4

    interface fastethernet 0/0
     ip address 192.168.0.4 255.255.255.0 secondary
     ip address 192.168.1.4 255.255.255.0 secondary
     ip address 192.168.2.4 255.255.255.0 secondary
     ip address 192.168.3.4 255.255.255.0 secondary
    !
    interface serial 1/0
     ip summary-address eigrp 100 192.168.0.0 255.255.252.0
    !
    router eigrp 100
     network 192.168.0.0 0.0.3.255

R2 and R3 receive a single summary route toward the secondary subnets:

    R2#show ip route eigrp
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
           + - replicated route, % - next hop override

    Gateway of last resort is 0.0.0.0 to network 0.0.0.0

    D*    0.0.0.0/0 is a summary, 00:35:51, Null0
          10.0.0.0/8 is variably subnetted, 8 subnets, 3 masks
    D        10.0.34.0/30 [90/2681856] via 10.0.23.2, 01:05:28, Serial1/0
    D EX     10.3.3.0/24 [170/2172416] via 10.0.23.2, 00:35:45, Serial1/0
    D     192.168.0.0/22 [90/2172416] via 10.0.12.1, 00:19:58, Serial1/1
    D     192.168.14.0/24 [90/2172416] via 10.0.12.1, 01:06:05, Serial1/1
    R2#

Let's test connectivity to these subnets:

    R2#ping 192.168.0.0
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.0.0, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 52/94/132 ms
    R2#
    R2#ping 192.168.1.0
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.0, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 68/97/144 ms
    R2#
    R2#ping 192.168.2.0
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.2.0, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 88/113/132 ms
    R2#
    R2#ping 192.168.3.0
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.3.0, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 96/122/168 ms
    R2#
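The two outbound controls used so far, `ip summary-address eigrp` and `distribute-list prefix ... out`, are easy to confuse, so here is an added example (not code from the original post) that models, with Python's `ipaddress` module, what R2 sends R1 out Serial1/1 and what R1 sends R2 with the 192.168.0.0/22 summary. It implements IOS prefix-list matching (lowest sequence first, exact prefix length unless ge/le is given, implicit deny), summary suppression of component routes, and two checks a practitioner wants before summarising: the tightest mask that covers a set of subnets, and the address space inside a summary that no component route backs (traffic for it is attracted by the summary and discarded at the Null0 route seen in the tables above). Metrics, timers and split horizon are omitted, and the route sets are constructed from the lab's tables; helper names are this example's own.

```python
"""Outbound advertisement model: summary-address plus distribute-list prefix ... out.

Added example, not code from the original post. Route sets are constructed
from the lab's routing tables; helper names are this example's own.
"""
import ipaddress
from typing import Iterable, List, Optional, Set, Tuple

Net = ipaddress.IPv4Network


def nets(*cidrs: str) -> Set[Net]:
    return {ipaddress.ip_network(c) for c in cidrs}


def prefix_list_permits(entries: List[Tuple[int, str, Net, Optional[int], Optional[int]]],
                        route: Net) -> bool:
    """IOS prefix-list evaluation: lowest seq first, first match wins, implicit deny.
    Without ge/le the route must have exactly the entry's prefix length."""
    for _seq, action, net, ge, le in sorted(entries, key=lambda e: e[0]):
        if not route.subnet_of(net):
            continue
        lo = ge if ge is not None else net.prefixlen
        hi = le if le is not None else (32 if ge is not None else net.prefixlen)
        if lo <= route.prefixlen <= hi:
            return action == "permit"
    return False


def advertise(routes: Set[Net], summaries: Set[Net], prefix_list):
    """What leaves one interface: (advertised, suppressed_by_summary, filtered).
    prefix_list=None means no distribute-list; an empty list denies everything."""
    candidates, suppressed = set(), set()
    for r in routes:
        if any(r.subnet_of(s) and r.prefixlen > s.prefixlen for s in summaries):
            suppressed.add(r)          # more specific than a configured summary
        else:
            candidates.add(r)
    for s in summaries:
        if any(r.subnet_of(s) for r in routes):
            candidates.add(s)          # a summary is sent only while a component exists
    if prefix_list is None:
        return candidates, suppressed, set()
    advertised = {p for p in candidates if prefix_list_permits(prefix_list, p)}
    return advertised, suppressed, candidates - advertised


def tightest_summary(routes: Iterable[Net]) -> Net:
    """Smallest single prefix covering every route (the lab's 255.255.252.0 = /22)."""
    routes = list(routes)
    for plen in range(routes[0].prefixlen, -1, -1):
        cand = routes[0].supernet(new_prefix=plen)
        if all(r.subnet_of(cand) for r in routes):
            return cand


def summary_holes(summary: Net, routes: Iterable[Net]) -> List[Net]:
    """Address space inside the summary that no component route backs."""
    holes = [summary]
    for r in routes:
        if not r.subnet_of(summary):
            continue
        remaining = []
        for h in holes:
            if r.subnet_of(h):
                remaining.extend(h.address_exclude(r))
            elif not h.subnet_of(r):
                remaining.append(h)
        holes = remaining
    return sorted(ipaddress.collapse_addresses(holes))


# R2, Serial1/1 toward R1: "ip prefix-list DEFAULT-ROUTE seq 5 permit 0.0.0.0/0"
DEFAULT_ROUTE_PL = [(5, "permit", ipaddress.ip_network("0.0.0.0/0"), None, None)]
# Routes R2 would otherwise send R1 on that link (constructed; 192.168.14.0/24 was
# learned from R1 there and is already withheld by split horizon)
R2_ROUTES = nets("10.2.2.0/24", "10.3.3.0/24", "10.0.23.0/30", "10.0.34.0/30")


def r2_default_summary_and_filter():
    return advertise(R2_ROUTES, nets("0.0.0.0/0"), DEFAULT_ROUTE_PL)


def r2_filter_only():
    """Distribute-list without the summary: nothing matches seq 5, so nothing leaves."""
    return advertise(R2_ROUTES, set(), DEFAULT_ROUTE_PL)


# R1, Serial1/1 toward R2: four secondary /24s summarised, no distribute-list
SECONDARIES = nets("192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24")


def r1_secondary_summary():
    summary = tightest_summary(SECONDARIES)
    routes = SECONDARIES | nets("192.168.14.0/24", "10.0.34.0/30")   # constructed
    advertised, suppressed, _ = advertise(routes, {summary}, None)
    return summary, advertised, suppressed, summary_holes(summary, SECONDARIES)
```

Running `r2_default_summary_and_filter()` shows that the 0.0.0.0/0 summary alone already suppresses every more specific route, so the prefix-list on R2 and R3 is a second line of defence rather than the mechanism doing the work; `r2_filter_only()` shows the other side of the same coin, a distribute-list whose only entry is 0.0.0.0/0 with no default present sends nothing at all. For R1, `summary_holes` returns an empty list because the four /24s fill the /22 exactly; summarising to a /21 instead would leave 192.168.4.0/22 attracted and black-holed.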
    R3#ping 192.168.0.0
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.0.0, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 100/134/188 ms
    R3#
    R3#ping 192.168.1.0
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.0, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 80/120/152 ms
    R3#
    R3#ping 192.168.2.0
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.2.0, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 116/137/172 ms
    R3#
    R3#ping 192.168.3.0
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.3.0, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 112/148/180 ms
    R3#

The goal now is that packets sourced from the LAN interface of R2 (10.2.2.2) should use the R2-R3-R4 path to reach the 10.1.1.0/24 and 192.168.1.0/24 subnets. To achieve this we use Policy-Based Routing (PBR) on R2. First we configure access-list 100 to identify the source and the destination: the source is the host 10.2.2.2 and the destination subnets are 10.1.1.0/24 and 192.168.1.0/24. Then we define a route-map called R2-PBR that matches ACL 100 and sets the next hop to R3 (10.0.23.2), and we apply the route-map to locally generated traffic with the ip local policy route-map R2-PBR command:

R2

    access-list 100 permit ip host 10.2.2.2 192.168.14.0 0.0.0.255
    access-list 100 permit ip host 10.2.2.2 192.168.1.0 0.0.0.255
    !
    route-map R2-PBR permit 10
     match ip address 100
     set ip next-hop 10.0.23.2
    !
    route-map R2-PBR deny 20
    !
    ip local policy route-map R2-PBR

Let's verify with debugging, using the debug ip policy command and pings to 192.168.14.1 and 192.168.1.0 with the source address 10.2.2.2:

    R2#debug ip policy
    Policy routing debugging is on
    R2#
    R2#ping 192.168.14.1 source 10.2.2.2 repeat 1
    Type escape sequence to abort.
    Sending 1, 100-byte ICMP Echos to 192.168.14.1, timeout is 2 seconds:
    Packet sent with a source address of 10.2.2.2
    !
    Success rate is 100 percent (1/1), round-trip min/avg/max = 160/160/160 ms
    R2#
    *Sep 14 23:55:34.707: IP: s=10.2.2.2 (local), d=192.168.14.1, len 100, policy match
    *Sep 14 23:55:34.711: IP: route map R2-PBR, item 10, permit
    *Sep 14 23:55:34.711: IP: s=10.2.2.2 (local), d=192.168.14.1 (Serial1/0), len 100, policy routed
    *Sep 14 23:55:34.715: IP: local to Serial1/0 10.0.23.2
    R2#
    R2#ping 192.168.1.0 source 10.2.2.2 repeat 1
    Type escape sequence to abort.
    Sending 1, 100-byte ICMP Echos to 192.168.1.0, timeout is 2 seconds:
    Packet sent with a source address of 10.2.2.2
    !
    Success rate is 100 percent (1/1), round-trip min/avg/max = 88/88/88 ms
    R2#
    *Sep 14 23:55:51.203: IP: s=10.2.2.2 (local), d=192.168.1.0, len 100, policy match
    *Sep 14 23:55:51.207: IP: route map R2-PBR, item 10, permit
    *Sep 14 23:55:51.207: IP: s=10.2.2.2 (local), d=192.168.1.0 (Serial1/0), len 100, policy routed
    *Sep 14 23:55:51.211: IP: local to Serial1/0 10.0.23.2
    R2#

We can see from the debug above that PBR works as expected: notice the lines "policy match" and "policy routed" for each ping. The ICMP packets are forwarded to 10.0.23.2 out Serial1/0, as shown by the line "IP: local to Serial1/0 10.0.23.2".

We can also verify the PBR operation with the show route-map R2-PBR command, which displays the number of packets matched by policy routing. Since we sent one ICMP packet for each ping, there are two matched packets:

    R2#show route-map R2-PBR
    route-map R2-PBR, permit, sequence 10
      Match clauses:
        ip address (access-lists): 100
      Set clauses:
        ip next-hop 10.0.23.2
      Nexthop tracking current: 0.0.0.0
        10.0.23.2, fib_nh:0,oce:0,status:0
      Policy routing matches: 2 packets, 200 bytes
    route-map R2-PBR, deny, sequence 20
      Match clauses:
      Set clauses:
      Policy routing matches: 0 packets, 0 bytes
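The route-map evaluation behind the debug output above is worth seeing end to end, so here is an added example (not code from the original post) that models R2's access-list 100, route-map R2-PBR and the per-sequence counters reported by `show route-map`: IOS wildcard-mask matching for the ACL, first-match evaluation of the route-map sequences, `set ip next-hop` taking effect only when the next hop is on a connected subnet (otherwise the packet falls back to the routing table, the failure mode that "Nexthop tracking" in the output is about), and a deny sequence that sends the packet to normal routing. The packets and R2's connected subnets are constructed from the lab; only permit matches are counted, which is consistent with the zero count shown for sequence 20 above. Class and function names are this example's own.

```python
"""Policy-based routing model: extended ACL matching, route-map evaluation, next-hop set.

Added example, not code from the original post. Packets and connected subnets are
constructed from the lab; helper names are this example's own.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address


def wildcard_match(spec: str, addr: IPv4) -> bool:
    """IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard' (1 bit = don't care)."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.ip_address(spec[5:]) == addr
    net, wild = spec.split()
    care = ~int(ipaddress.ip_address(wild)) & 0xFFFFFFFF
    return int(addr) & care == int(ipaddress.ip_address(net)) & care


@dataclass(frozen=True)
class Ace:
    action: str   # permit / deny
    src: str
    dst: str


def acl_permits(acl: List[Ace], src: IPv4, dst: IPv4) -> bool:
    """Top-down, first match wins, implicit deny at the end."""
    for ace in acl:
        if wildcard_match(ace.src, src) and wildcard_match(ace.dst, dst):
            return ace.action == "permit"
    return False


@dataclass
class RouteMapEntry:
    seq: int
    action: str
    match_acl: Optional[List[Ace]] = None      # None = no match clause, matches everything
    set_next_hop: Optional[str] = None


@dataclass
class PolicyRouter:
    entries: List[RouteMapEntry]
    connected: List[ipaddress.IPv4Network]
    counters: Dict[int, Tuple[int, int]] = field(default_factory=dict)  # seq -> (packets, bytes)

    def route(self, src: str, dst: str, length: int) -> Optional[str]:
        """Returns the policy next hop, or None when the packet is routed normally."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for e in sorted(self.entries, key=lambda e: e.seq):
            if e.match_acl is not None and not acl_permits(e.match_acl, s, d):
                continue
            if e.action != "permit" or e.set_next_hop is None:
                return None                     # deny sequence: normal routing
            nh = ipaddress.ip_address(e.set_next_hop)
            # set ip next-hop only takes effect when the next hop is on a connected
            # subnet; otherwise the packet falls back to the routing table.
            if not any(nh in n for n in self.connected):
                return None
            pk, by = self.counters.get(e.seq, (0, 0))
            self.counters[e.seq] = (pk + 1, by + length)
            return e.set_next_hop
        return None


ACL_100 = [Ace("permit", "host 10.2.2.2", "192.168.14.0 0.0.0.255"),
           Ace("permit", "host 10.2.2.2", "192.168.1.0 0.0.0.255")]

R2_PBR = PolicyRouter(
    entries=[RouteMapEntry(10, "permit", ACL_100, "10.0.23.2"),
             RouteMapEntry(20, "deny")],
    connected=[ipaddress.ip_network(c) for c in ("10.2.2.0/24", "10.0.12.0/30", "10.0.23.0/30")],
)


def lab_pings():
    """The two pings from the debug above plus one constructed packet from another source."""
    return (R2_PBR.route("10.2.2.2", "192.168.14.1", 100),   # 10.0.23.2 (sequence 10)
            R2_PBR.route("10.2.2.2", "192.168.1.0", 100),    # 10.0.23.2 (sequence 10)
            R2_PBR.route("10.0.12.2", "192.168.14.1", 100),  # None: no ACE matches, deny 20
            dict(R2_PBR.counters))                           # {10: (2, 200)}


def unreachable_next_hop():
    """Same policy pointing at a next hop that is not on a connected subnet (constructed)."""
    pbr = PolicyRouter([RouteMapEntry(10, "permit", ACL_100, "10.0.34.2")], R2_PBR.connected)
    return pbr.route("10.2.2.2", "192.168.14.1", 100)        # None: falls back to the RIB
```

`lab_pings()` reproduces the two matched packets and 200 bytes of the `show route-map` output, and the third packet shows why the explicit `deny 20` makes the intent visible even though the implicit behaviour at the end of a route-map is the same. `unreachable_next_hop()` is the case to test for when a PBR policy appears to be ignored: the match succeeds but the set clause has no usable next hop.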
Posted on: Sun, 14 Sep 2014 15:00:14 +0000
