EIGRP - Hornad
EIGRP
SAvPS
Genči
2009
BSCI 2 - 1
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
1
Zdroje
1. Presentation "Introduction to EIGRP" by Scott Hogg
www.seccug.org/Presentations/EIGRP-2006-1213.ppt (slides 3-9)
2. Introduction to EIGRP
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080093f07.shtml
3. Configuring EIGRP (CISCO document)
4. NetAcad CCNP1 curriculum
EIGRP History
E.W. Dijkstra and C.S. Scholten were the first to introduce diffusing
computations (computations that start from an initial node and diffuse to all nodes in a graph)
in 1980; these are used to perform distributed shortest-path routing.
Most of the work on DUAL (Diffusing Update ALgorithm) since then has
been done by J.J. Garcia-Luna-Aceves.
In 1989 he released “A Unified Approach for Loop-Free Routing Using Link
States or Distance Vectors”
EIGRP was first introduced in 1994 in IOS 9.21. Lots of bugs! Major
updates in 10.3(11), 11.0(8), and 11.1(3)
Major enhancements were implemented in 10.x and 11.x releases of IOS.
Much Better!
>12.1 has EIGRP optimizations for SIA routes
EIGRP Basics
EIGRP is a Cisco proprietary routing protocol that is distance
vector based.
EIGRP is a classless protocol, meaning each route entry includes
a subnet mask.
By default EIGRP uses a non-hierarchical topology. OSPF-like
hierarchy can be achieved by introducing additional ASs.
EIGRP updates are non-periodic, partial/incremental, and bounded
EIGRP uses time-limits (hold times)
Each EIGRP router stores its neighbors' routing tables (topology
table / metrics).
Administrative Distance

Route Source                    Default AD
Connected interface                      0
Static route                             1
Enhanced IGRP summary route              5
External BGP                            20
Internal Enhanced IGRP                  90
IGRP                                   100
OSPF                                   110
IS-IS                                  115
RIP                                    120
EGP                                    140
External Enhanced IGRP                 170
Internal BGP                           200
Unknown                                255
EIGRP Metrics
EIGRP uses a composite of available bandwidth, delay,
load utilization, link reliability, and MTU.
256 times the IGRP metric, which makes it more granular
BW = minimum BW, Delay = sum of delays
EIGRP Metrics
For a T1 link (1544 Kbps), applying the metric formula:

  [ (10,000,000 / 1544) + (21000 / 10) ] * 256 = 2195456

Output from “show ip route 10.10.1.0”
* 10.10.1.0, from 10.10.1.2, 02:43:19 ago, via Serial1/0/1
Route metric is 2195456, traffic share count is 1
Reliability 255/255, minimum MTU 1500 bytes
Loading 8/255, Hops 1
metric weights <TOS> K1 K2 K3 K4 K5
Default K1=K3=1, K2=K4=K5 = 0
EIGRP Components
EIGRP is comprised of four major modules:
A reliable transport mechanism used to exchange update
messages among routers (RTP)
Diffusing Update Algorithm (DUAL)
Neighbor discovery and recovery mechanisms
Protocol Dependent Modules (PDM) that enable its operation
in a multiprotocol environment
EIGRP (RTP)
Reliable Transport Protocol (RTP) handles the transmission and
receiving of EIGRP packets.
EIGRP packets are carried in IP protocol 88; multicast packets are sent
to 224.0.0.10, and RTP guarantees delivery where the packet type requires it.
Acknowledgements from neighboring routers are typically unicast, and
sequence numbers provide ordered delivery.
Packet Type   Multicast   Unicast   Reliable   Unreliable
Hello            X                                 X
Ack                           X                    X
Update           X            X          X
Query            X            X          X
Reply                         X          X
What is EIGRP?
EIGRP is an enhanced version of IGRP.
The same distance vector technology found in IGRP is
also used in EIGRP, and the underlying distance
information remains unchanged.
The convergence properties and the operating
efficiency of this protocol have improved significantly.
This allows for an improved architecture while retaining
existing investment in IGRP.
Objectives (M1)
This module will cover topics which allow students to
meet the following objectives:
Describe the key capabilities that distinguish EIGRP from other
routing protocols
Identify the four key technologies employed by EIGRP
Describe how EIGRP operates
Describe the five components of the metric used by EIGRP
Calculate the EIGRP metric for a range of pathways between
routers
Explain how IGRP routes are integrated into EIGRP routes and
vice-versa
EIGRP Features
There are several key differences with EIGRP from
other routing protocols which are explored in this
module.
EIGRP Key Technologies
Neighbor discovery/recovery
Reliable Transport Protocol (RTP)
DUAL finite-state machine
Protocol-dependent modules (PDMs)
The Diffusing Update Algorithm (DUAL)
How does EIGRP determine
which routes are loop-free?
Each of A’s neighbors is
reporting reachability to E:
B with a cost of 10
C with a cost of 10
D with a cost of 30
These three costs are
called the reported
distance (RD); the
distance each neighbor is
reporting to a given
destination
The Diffusing Update Algorithm (DUAL)
At A, the total cost to reach
E is:
20 through B
25 through C
45 through D
The best of these three
paths is the path through
B, with a cost of 20
This is the feasible distance
(FD)
The Diffusing Update Algorithm (DUAL)
A uses the FD and the RD
to determine which paths
are loop-free
The best path (FD) is used
as a benchmark; all paths
with RDs lower than the FD
cannot contain loops
The algorithm may mark
some loop-free paths as
loops
However, it is guaranteed
never to mark a looped path
as loop-free
The Diffusing Update Algorithm (DUAL)
At A:
The path through B is the
best path (FD), at 20
C can reach E with a cost
of 10; 10 (RD) is less than
20 (FD), so this path is
loop-free.
D can reach E with a
cost of 30; 30 (RD) is
not less than 20 (FD),
so EIGRP assumes
this path is a loop.
EIGRP Topology Table
EIGRP Neighbor Status
RTRA#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address       Interface   Hold  Uptime   SRTT   RTO   Q    Seq
                              (sec)          (ms)         Cnt  Num
2   10.1.1.1      Et0         12    6d16h    20     200   0    233
1   10.1.4.3      Et1         13    2w2d     87     522   0    452
0   10.1.4.2      Et1         10    2w2d     85     510   0    3

Hold: Seconds Remaining Before Declaring Neighbor Down
Uptime: How Long Since the Last Time Neighbor Was Discovered
SRTT: How Long It Takes for This Neighbor To Respond To Reliable Packets
RTO: How Long to Wait Before Retransmitting If No Acknowledgement
EIGRP IP Routing Table
Example: EIGRP Tables
Router C’s tables:
EIGRP Packets
Hello: Establish neighbor relationships.
Update: Send routing updates
Query: Ask neighbors about routing information
Reply: Respond to query about routing information
ACK: Acknowledge a reliable packet
Initial Route Discovery
EIGRP Metric
Same metric components as IGRP:
Bandwidth
Delay
Reliability
Loading
MTU
EIGRP metric is IGRP metric multiplied by 256
EIGRP Metric Calculation
By default, EIGRP metric:
Metric = bandwidth (slowest link) + delay (sum of delays)
Delay = sum of the delays in the path, in tens of
microseconds, multiplied by 256.
Bandwidth = [10,000,000 / (minimum bandwidth link along the
path, in kilobits per second)] * 256
Formula with default K values (K1 = 1, K2 = 0, K3 = 1,
K4 = 0, K5 = 0):
Metric = [K1 * BW + ((K2 * BW) / (256 – load)) + K3 * delay]
If K5 not equal to 0:
Metric = Metric * [K5 / (reliability + K4)]
EIGRP Metrics Calculation Example
ABCD
Least bandwidth 64 kbps
Total delay 6,000
AXYZD
Least bandwidth 256 kbps
Total delay 8,000
Delay is the sum of all the delays of the links along the paths:
Delay = [delay in tens of microseconds] x 256
BW is the lowest bandwidth of the links along the paths:
BW = [10,000,000 / (bandwidth in kbps)] x 256
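The formula from the metric slides carried out in code, as an added example (it is not part of the slides or of any Cisco material). It reproduces the figures that appear on this page: the T1 example (1544 kbps, 21000 µs of delay gives 2195456), the 64 kbps serial link and the FastEthernet link from the later show ip eigrp topology output (40512000 and 28160, which along one path add up to 40514560), and the ABCD / AXYZD comparison. The bandwidth term uses integer division, which is the only way the page's own T1 figure works out; the interface delays of 20000 µs (serial) and 100 µs (FastEthernet) and the load/reliability defaults of 1 and 255 are IOS defaults assumed here, not stated on the slides.

```python
"""EIGRP composite metric as the slides define it (added example)."""

DEFAULT_K = (1, 0, 1, 0, 0)  # K1..K5 defaults: only bandwidth and delay count


def eigrp_metric(min_bw_kbps, total_delay_us, load=1, reliability=255, k=DEFAULT_K):
    """Composite metric for a path.

    BW     = (10,000,000 / slowest link in kbps) * 256   (integer division, as IOS does)
    delay  = (sum of link delays, in tens of microseconds) * 256
    metric = K1*BW + (K2*BW)/(256 - load) + K3*delay, and only if K5 != 0:
    metric = metric * K5/(reliability + K4)
    load and reliability (1..255) are assumed defaults; they only matter when
    K2, K4 or K5 are non-zero.
    """
    k1, k2, k3, k4, k5 = k
    bw = (10_000_000 // min_bw_kbps) * 256
    delay = (total_delay_us // 10) * 256
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5 != 0:
        metric = metric * k5 // (reliability + k4)
    return metric


def path_metric(links, **kwargs):
    """links: list of (bandwidth_kbps, delay_us) per hop; slowest link, summed delay."""
    return eigrp_metric(min(bw for bw, _ in links), sum(d for _, d in links), **kwargs)


def best_path(candidates):
    """candidates: {name: (least_bw_kbps, total_delay_us)} -> (name, metric) with the lowest metric."""
    metrics = {name: eigrp_metric(bw, delay) for name, (bw, delay) in candidates.items()}
    winner = min(metrics, key=metrics.get)
    return winner, metrics[winner]


# From the slides: a T1 (1544 kbps) with 21000 us of accumulated delay
T1_METRIC = eigrp_metric(1544, 21000)   # 2195456, as shown by "show ip route 10.10.1.0"

# Interface delays assumed (IOS defaults): serial 20000 us, FastEthernet 100 us
SERIAL_64K = (64, 20000)        # FD 40512000 for 192.168.1.96/27 in the topology table
FAST_ETHERNET = (100_000, 100)  # FD 28160 for 172.16.1.0/24

# The metric-calculation slide: path ABCD vs path AXYZD
EXAMPLE_PATHS = {
    "ABCD": (64, 6000),     # least bandwidth 64 kbps, total delay 6000 us
    "AXYZD": (256, 8000),   # least bandwidth 256 kbps, total delay 8000 us
}

if __name__ == "__main__":
    print("T1:", T1_METRIC)
    print("Se0/0/1:", path_metric([SERIAL_64K]), "Fa0/0:", path_metric([FAST_ETHERNET]))
    print("R1 -> 172.17.0.0/16 via R2:", path_metric([SERIAL_64K, FAST_ETHERNET]))
    print("best of ABCD/AXYZD:", best_path(EXAMPLE_PATHS))
```

Because the bandwidth term is truncated before the multiplication by 256, AXYZD comes out at 10204672 rather than the 10204800 that exact arithmetic would give; either way the 256 kbps path wins by a wide margin over ABCD at 40153600, which is the point of the slide.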
EIGRP Metrics Are Backward-Compatible
with IGRP
Objectives (M2)
Upon completing this lesson, you will be able to
describe how to implement EIGRP routing. This ability
includes being able to meet these objectives:
Describe the commands used in a basic EIGRP configuration
task
Explain how to configure a router to use wildcard masks to
select the interfaces and networks that will participate in EIGRP
routing
Configure the gateway of last resort or default route
Verify that the router recognizes EIGRP neighbors and routes
Verify EIGRP operations
Configuring EIGRP
Router(config)#
router eigrp autonomous-system-number
Defines EIGRP as the IP routing protocol.
All routers in the internetwork that must exchange EIGRP
routing updates must have the same autonomous system
number.
Router(config-router)#
network network-number [wildcard-mask]
Identifies attached networks participating in EIGRP.
The wildcard-mask is an inverse mask used to
determine how to interpret the address. The mask has
wildcard bits, where 0 is a match and 1 is “don’t care.”
Configuring EIGRP (Cont.)
Router(config-if)#
bandwidth kilobits
Defines the interface’s bandwidth for the purposes of
sending routing update traffic.
Configuring EIGRP for IP
Network 192.168.1.0 is not configured on router A,
because it is not directly connected to router A.
Configuring EIGRP with IP (cont.)
Classful configuration example:
routerA(config)#router eigrp 109
routerA(config-router)#network 10.1.0.0
routerA(config-router)#network 10.4.0.0
routerA(config-router)#network 172.16.7.0
routerA(config-router)#network 172.16.2.0
Classless configuration example:
routerA(config)#router eigrp 109
routerA(config-router)#network 10.1.0.0 0.0.255.255
routerA(config-router)#network 10.4.0.0 0.0.255.255
routerA(config-router)#network 172.16.2.0 0.0.0.255
routerA(config-router)#network 172.16.7.0 0.0.0.255
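How the wildcard mask decides which interfaces the two configurations above put into EIGRP, as an added example (not from the slides): wildcard bit 0 means "must match", 1 means "don't care", and a statement without a wildcard is taken classfully by IOS (class A /8, class B /16, class C /24). The interface addresses for router A are constructed to fit the slide's network statements; Se0/2 and Lo0 are deliberately outside every classless statement.

```python
"""Which interfaces a 'network' statement puts into EIGRP (added example)."""
import ipaddress


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def classful_wildcard(network):
    """No wildcard-mask given: IOS treats the statement classfully.
    Class A -> /8, class B -> /16, class C -> /24, expressed as a wildcard."""
    first_octet = to_int(network) >> 24
    if first_octet < 128:
        return to_int("0.255.255.255")
    if first_octet < 192:
        return to_int("0.0.255.255")
    return to_int("0.0.0.255")


def matches(address, network, wildcard=None):
    """True if 'address' is selected by 'network <network> [<wildcard>]'.

    Only the bit positions where the wildcard is 0 are compared.
    """
    wc = classful_wildcard(network) if wildcard is None else to_int(wildcard)
    care = ~wc & 0xFFFFFFFF
    return (to_int(address) & care) == (to_int(network) & care)


def eigrp_interfaces(network_statements, interfaces):
    """network_statements: ("network",) or ("network", "wildcard") tuples;
    interfaces: {name: address}. Returns the interface names that run EIGRP."""
    return sorted(
        name for name, addr in interfaces.items()
        if any(matches(addr, *stmt) for stmt in network_statements)
    )


# Constructed addresses for router A, chosen to fit the slide's statements
ROUTER_A = {
    "Fa0/0": "10.1.2.1",
    "Fa0/1": "10.4.9.1",
    "Se0/0": "172.16.7.1",
    "Se0/1": "172.16.2.1",
    "Se0/2": "172.16.9.1",      # outside every classless statement
    "Lo0": "192.168.100.1",     # outside every statement
}

CLASSFUL = [("10.1.0.0",), ("10.4.0.0",), ("172.16.7.0",), ("172.16.2.0",)]
CLASSLESS = [("10.1.0.0", "0.0.255.255"), ("10.4.0.0", "0.0.255.255"),
             ("172.16.2.0", "0.0.0.255"), ("172.16.7.0", "0.0.0.255")]

if __name__ == "__main__":
    print("classful :", eigrp_interfaces(CLASSFUL, ROUTER_A))   # Se0/2 is pulled in too
    print("classless:", eigrp_interfaces(CLASSLESS, ROUTER_A))  # only the four intended links
```

The classful form silently enables EIGRP on Se0/2 as well, because 172.16.7.0 without a mask becomes 172.16.0.0/16; the classless form enables exactly the four interfaces the statements name.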
Using the Wildcard Mask in EIGRP
Using and Configuring the ip default-network command for EIGRP
Error
Example R1 EIGRP Configuration
R2 EIGRP Configuration
<output omitted>
interface FastEthernet0/0
ip address 172.17.2.2 255.255.255.0
<output omitted>
interface Serial0/0/1
bandwidth 64
ip address 192.168.1.102 255.255.255.224
<output omitted>
router eigrp 100
network 172.17.2.0 0.0.0.255
network 192.168.1.0
Verifying EIGRP: show ip eigrp neighbors
R1#show ip eigrp neighbors
IP-EIGRP neighbors for process 100
H   Address          Interface   Hold  Uptime    SRTT   RTO   Q    Seq
                                 (sec)           (ms)         Cnt  Num
0   192.168.1.102    Se0/0/1     10    00:07:22  10     2280  0    5
R1#
Verifying EIGRP: show ip route eigrp
R1#show ip route eigrp
D    172.17.0.0/16 [90/40514560] via 192.168.1.102, 00:07:01, Serial0/0/1
     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
D       172.16.0.0/16 is a summary, 00:05:13, Null0
     192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
D       192.168.1.0/24 is a summary, 00:05:13, Null0
R1#show ip route
<output omitted>
Gateway of last resort is not set
D    172.17.0.0/16 [90/40514560] via 192.168.1.102, 00:06:55, Serial0/0/1
     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
D       172.16.0.0/16 is a summary, 00:05:07, Null0
C       172.16.1.0/24 is directly connected, FastEthernet0/0
     192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.1.96/27 is directly connected, Serial0/0/1
D       192.168.1.0/24 is a summary, 00:05:07, Null0
Verifying EIGRP: show ip protocols
R1#show ip protocols
Routing Protocol is "eigrp 100"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Default networks flagged in outgoing updates
Default networks accepted from incoming updates
EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
EIGRP maximum hopcount 100
EIGRP maximum metric variance 1
Redistributing: eigrp 100
EIGRP NSF-aware route hold timer is 240s
<output omitted>
Maximum path: 4
Routing for Networks:
172.16.1.0/24
192.168.1.0
Routing Information Sources:
    Gateway         Distance      Last Update
    (this router)         90      00:09:38
    Gateway         Distance      Last Update
    192.168.1.102         90      00:09:40
Distance: internal 90 external 170
Verifying EIGRP: show ip eigrp interfaces
R1#show ip eigrp interfaces
IP-EIGRP interfaces for process 100
                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Fa0/0              0        0/0         0       0/10           0           0
Se0/0/1            1        0/0        10      10/380         424          0
Verifying EIGRP: show ip eigrp topology
R1#show ip eigrp topology
IP-EIGRP Topology Table for AS(100)/ID(192.168.1.101)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 192.168.1.96/27, 1 successors, FD is 40512000
via Connected, Serial0/0/1
P 192.168.1.0/24, 1 successors, FD is 40512000
via Summary (40512000/0), Null0
P 172.16.0.0/16, 1 successors, FD is 28160
via Summary (28160/0), Null0
P 172.16.1.0/24, 1 successors, FD is 28160
via Connected, FastEthernet0/0
P 172.17.0.0/16, 1 successors, FD is 40514560
via 192.168.1.102 (40514560/28160), Serial0/0/1
Topology table codes
Passive (P): This network is available, and installation can occur in the routing
table. Passive is the correct state for a stable network.
Active (A): This network is currently unavailable, and installation cannot occur in
the routing table. Being active means that there are outstanding queries for this
network.
Update (U): This code applies if a network is being updated (placed in an update
packet). This code also applies if the router is waiting for an acknowledgment for
this update packet.
Query (Q): This code applies if there is an outstanding query packet for this
network other than being in the active state. This code also applies if the router is
waiting for an acknowledgment for a query packet.
Reply (R): This code applies if the router is generating a reply for this network or is
waiting for an acknowledgment for the reply packet.
Stuck-in-active (SIA) status: This code signifies an EIGRP convergence problem
for the network with which it is associated.
Verifying EIGRP: show ip eigrp traffic
R1#show ip eigrp traffic
IP-EIGRP Traffic Statistics for AS 100
Hellos sent/received: 429/192
Updates sent/received: 4/4
Queries sent/received: 1/0
Replies sent/received: 0/1
Acks sent/received: 4/3
Input queue high water mark 1, 0 drops
SIA-Queries sent/received: 0/0
SIA-Replies sent/received: 0/0
Hello Process ID: 113
PDM Process ID: 73
Packets explanation ([1])
Updates are used to propagate routing information.
Update packets are reliably transmitted only when
necessary (unlike IGRP/RIP). Update packets carry
only necessary routing information and are sent to only
involved routers.
Queries and Replies are used to help in the search for
feasible successors during routing changes. DUAL
uses this information to perform its computations.
EIGRP Terminology ([1])
Adjacency - Like OSPF, EIGRP uses Hellos to identify itself to potential
neighbors and form adjacencies with other same-protocol speaking
routers.
Feasible Distance - The lowest calculated metric for any destination is
the feasible distance. The FD metric can be chosen from several
advertised routes to the destination.
Feasible Condition - Is met when a neighbor's advertised metric is lower
than the router's FD to that destination.
Feasible Successor - When a neighboring router’s advertised metric
meets the FC, that neighbor becomes a feasible successor.
Successor - A successor is a neighboring router that is currently being
used as the next-hop, has the least cost route to the destination, and is
not part of a routing loop.
EIGRP DUAL ([1])
In determining the successor for the subnet the router
does the following:
Determines which neighbors have an advertised metric to the
subnet that is less than the router's FD to the subnet. Any
neighbor whose advertised metric is less than the FD is a feasible
successor for that route.
Calculates the minimum computed metric to the subnet (the FD).
The neighbor offering the lowest computed metric becomes the
successor (if several FS metrics are the same, equal-cost load
balancing can be used).
EIGRP DUAL (cont)
What happens if the successor route fails?
If there is a feasible successor for the failed route, then
there is no transition to Active for the subnet and the
feasible successor takes over as the successor.
This is known as local computation.
EIGRP DUAL (cont)
If no feasible route is known based upon the routing information
previously learned from neighbors, the route goes Active for that
destination.
The router then sends queries to all neighboring routers. The
queries are propagated until an alternate route is found. The query
contains the new calculated FD, which is “unreachable”.
This is known as a diffusing computation.
The router will set the reply status flag to one, which means that a
reply is expected.
EIGRP DUAL (cont)
The following rules should be kept in mind when determining the
status of DUAL:
Local computation always occurs when an input event is detected
Change in a FD
Any change in topology (e.g. a flapping interface)
When an update, query, or reply packet is seen
The successor of any given route will be picked based on the lowest
FD calculated. However, if no FS are located, the route goes Active
and queries are sent to all neighboring routers. The route remains in
an Active state until all queries are replied to.
If the active timer expires or no FS is located, the destination will
become unreachable.
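The successor / feasible-successor selection from the DUAL slides (router A's three neighbors B, C and D) together with the two outcomes described above when the successor is lost, as an added example that is not part of the slides. The link costs of 10 to B and 15 to C and D are assumptions chosen so that the totals come out as the slides state (20, 25 and 45); the reported distances 10, 10 and 30 are the slides' own. The DiffusingComputation class models the per-neighbor reply-status flag "r" that the following slide describes.

```python
"""DUAL successor selection, local vs diffusing computation (added example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Path:
    neighbor: str
    link_cost: int           # cost from this router to the neighbor
    reported_distance: int   # RD: the neighbor's own distance to the destination

    @property
    def computed_distance(self):
        return self.link_cost + self.reported_distance


def evaluate(paths):
    """Return (FD, successors, feasible successors, paths DUAL cannot prove loop-free).

    FD is the lowest computed distance. A non-successor path satisfies the
    feasibility condition only if its RD is strictly less than the FD.
    """
    fd = min(p.computed_distance for p in paths)
    successors = [p for p in paths if p.computed_distance == fd]
    feasible = [p for p in paths if p not in successors and p.reported_distance < fd]
    rejected = [p for p in paths if p not in successors and p not in feasible]
    return fd, successors, feasible, rejected


def lose_successor(paths, failed_neighbor):
    """Successor lost: local computation if a feasible successor remains (route stays
    Passive), otherwise the route goes Active and queries go to all neighbors."""
    _, _, feasible, _ = evaluate(paths)
    survivors = [p for p in feasible if p.neighbor != failed_neighbor]
    if survivors:
        new = min(survivors, key=lambda p: p.computed_distance)
        return {"state": "Passive", "successor": new.neighbor,
                "fd": new.computed_distance, "computation": "local"}
    return {"state": "Active", "successor": None, "fd": None, "computation": "diffusing"}


@dataclass
class DiffusingComputation:
    """One reply-status flag 'r' per queried neighbor; complete when all are cleared."""
    queried: set
    outstanding: set = field(init=False)

    def __post_init__(self):
        self.outstanding = set(self.queried)

    def reply(self, neighbor):
        self.outstanding.discard(neighbor)
        return self.complete

    @property
    def complete(self):
        return not self.outstanding

    def active_timer_expired(self):
        """Neighbors still flagged when the Active timer runs out (the SIA case)."""
        return sorted(self.outstanding)


# Router A from the DUAL slides; link costs are assumed, RDs are from the slides
ROUTER_A_PATHS = [
    Path("B", link_cost=10, reported_distance=10),   # total 20
    Path("C", link_cost=15, reported_distance=10),   # total 25
    Path("D", link_cost=15, reported_distance=30),   # total 45
]

if __name__ == "__main__":
    fd, succ, fs, rej = evaluate(ROUTER_A_PATHS)
    print("FD", fd, "successor", [p.neighbor for p in succ],
          "feasible successors", [p.neighbor for p in fs],
          "assumed loops", [p.neighbor for p in rej])
    print("B fails:", lose_successor(ROUTER_A_PATHS, "B"))
    print("B fails, only D left:", lose_successor(ROUTER_A_PATHS[::2], "B"))
    dc = DiffusingComputation(queried={"C", "D"})
    dc.reply("C")
    print("still waiting on:", dc.active_timer_expired())
```

With B and C both present, losing B is a local computation: C's RD of 10 is below the FD of 20, so C is promoted at once and the route never leaves Passive. With only D as an alternative the route goes Active, because D's RD of 30 fails the feasibility condition even if D's path happens to be loop-free, which is exactly the conservative behaviour the earlier slide describes.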
EIGRP DUAL (cont)
By default the active timer is 3 minutes.
For each neighbor to which a query was sent, the router will keep
track of a reply status flag, "r". This is done to keep track of all
outstanding queries. The diffusing computation is complete when
the router has received a reply to all queries.
At the beginning of every diffusing computation, a 3 minute Active
timer is started. In large networks with a lot of low speed links, a
router may not receive replies to every query sent within the 3
minute time. When this occurs, it is known as stuck-in-active (SIA)
%DUAL-3-SIA: Route 10.1.1.0 255.255.255.0 stuck-inactive state in IP-EIGRP 10. Cleaning up
EIGRP DUAL (cont)
The neighbor or neighbors that failed to reply will be
removed from the neighbor table, and DUAL will
consider that neighbor to have replied with an infinite
metric.
The neighbor or neighbors that failed to reply within the
Active timer should be noted and troubleshot further.
This command can be used to change the active timer
or disable it altogether.
timers active-time [time-limit | disabled]
Objectives (M3)
Upon completing this lesson, you will be able to implement
authentication in an EIGRP network. This ability includes
being able to meet these objectives:
Describe router authentication
Describe the MD5 authentication used in EIGRP
Configure MD5 authentication
Troubleshoot MD5 authentication
Router Authentication
Many routing protocols support authentication such that
a router authenticates the source of each routing
update packet that it receives.
Simple password authentication is supported by:
IS-IS
OSPF
RIPv2
MD5 authentication is supported by:
OSPF
RIPv2
BGP
EIGRP
Simple Password vs. MD5 Authentication
Simple password authentication:
Router sends packet and key.
Neighbor checks if received key matches its key.
Not secure.
MD5 authentication
Configure a “key” (password) and key-id; router generates a
message digest, or hash, of the key, key-id and message.
Message digest is sent with packet; key is not sent.
Secure.
EIGRP MD5 Authentication
EIGRP supports MD5 authentication.
Router generates and checks a digest for every EIGRP packet.
Router authenticates the source of each routing update
packet that it receives.
Configure a “key” (password) and key-id; each
participating neighbor must have same key configured.
MD5 Authentication
EIGRP MD5 authentication:
Router generates a message digest, or hash, of the key, key-id,
and message.
EIGRP allows keys to be managed using key chains.
Specify key-id (number, key, and lifetime of key).
First valid activated key, in order of key numbers, is used.
Configuring EIGRP MD5 Authentication
Router(config-if)#
ip authentication mode eigrp autonomous-system md5
Specifies MD5 authentication for EIGRP packets
Router(config-if)#
ip authentication key-chain eigrp autonomous-system
name-of-chain
Enables authentication of EIGRP packets using key in the
key-chain
Configuring EIGRP MD5 Authentication (cont.)
Router(config)#
key chain name-of-chain
Enters configuration mode for the key-chain
Router(config-keychain)#
key key-id
Identifies key and enters configuration mode for the key-id
Configuring EIGRP MD5 Authentication (cont.)
Router(config-keychain-key)#
key-string text
Identifies key string (password)
Router(config-keychain-key)#
accept-lifetime start-time {infinite | end-time | duration
seconds}
Optional: specifies when key will be accepted for received
packets
Router(config-keychain-key)#
send-lifetime start-time {infinite | end-time | duration
seconds}
Optional: specifies when key can be used for sending
packets
Example MD5 Authentication Configuration
R1 Configuration for MD5 Authentication
<output omitted>
key chain R1chain
key 1
key-string firstkey
accept-lifetime 04:00:00 Jan 1 2006 infinite
send-lifetime 04:00:00 Jan 1 2006 04:01:00 Jan 1 2006
key 2
key-string secondkey
accept-lifetime 04:00:00 Jan 1 2006 infinite
send-lifetime 04:00:00 Jan 1 2006 infinite
<output omitted>
interface FastEthernet0/0
ip address 172.16.1.1 255.255.255.0
!
interface Serial0/0/1
bandwidth 64
ip address 192.168.1.101 255.255.255.224
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 R1chain
!
router eigrp 100
network 172.16.1.0 0.0.0.255
network 192.168.1.0
auto-summary
R2 Configuration for MD5 Authentication
<output omitted>
key chain R2chain
key 1
key-string firstkey
accept-lifetime 04:00:00 Jan 1 2006 infinite
send-lifetime 04:00:00 Jan 1 2006 infinite
key 2
key-string secondkey
accept-lifetime 04:00:00 Jan 1 2006 infinite
send-lifetime 04:00:00 Jan 1 2006 infinite
<output omitted>
interface FastEthernet0/0
ip address 172.17.2.2 255.255.255.0
!
interface Serial0/0/1
bandwidth 64
ip address 192.168.1.102 255.255.255.224
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 R2chain
!
router eigrp 100
network 172.17.2.0 0.0.0.255
network 192.168.1.0
auto-summary
Verifying MD5 Authentication
R1#
*Jan 21 16:23:30.517: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor
192.168.1.102 (Serial0/0/1) is up: new adjacency
R1#show ip eigrp neighbors
IP-EIGRP neighbors for process 100
H   Address          Interface   Hold  Uptime    SRTT   RTO   Q    Seq
                                 (sec)           (ms)         Cnt  Num
0   192.168.1.102    Se0/0/1     12    00:03:10  17     2280  0    14
R1#show ip route
<output omitted>
Gateway of last resort is not set
D    172.17.0.0/16 [90/40514560] via 192.168.1.102, 00:02:22, Serial0/0/1
     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
D       172.16.0.0/16 is a summary, 00:31:31, Null0
C       172.16.1.0/24 is directly connected, FastEthernet0/0
     192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.1.96/27 is directly connected, Serial0/0/1
D       192.168.1.0/24 is a summary, 00:31:31, Null0
R1#ping 172.17.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/16 ms
Troubleshooting MD5 Authentication
R1#debug eigrp packets
EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY,
SIAREPLY)
*Jan 21 16:38:51.745: EIGRP: received packet with MD5 authentication, key id = 1
*Jan 21 16:38:51.745: EIGRP: Received HELLO on Serial0/0/1 nbr 192.168.1.102
*Jan 21 16:38:51.745:
AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 pe
erQ un/rely 0/0
R2#debug eigrp packets
EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY,
SIAREPLY)
R2#
*Jan 21 16:38:38.321: EIGRP: received packet with MD5 authentication, key id = 2
*Jan 21 16:38:38.321: EIGRP: Received HELLO on Serial0/0/1 nbr 192.168.1.101
*Jan 21 16:38:38.321:
AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 pe
erQ un/rely 0/0
Troubleshooting MD5 Authentication
Problem
MD5 authentication on both R1 and R2, but R1 key 2 (that it uses when
sending) changed
R1(config-if)#key chain R1chain
R1(config-keychain)#key 2
R1(config-keychain-key)#key-string wrongkey
R2#debug eigrp packets
EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY,
SIAREPLY)
R2#
*Jan 21 16:50:18.749: EIGRP: pkt key id = 2, authentication mismatch
*Jan 21 16:50:18.749: EIGRP: Serial0/0/1: ignored packet from 192.168.1.101, opc
ode = 5 (invalid authentication)
*Jan 21 16:50:18.749: EIGRP: Dropping peer, invalid authentication
*Jan 21 16:50:18.749: EIGRP: Sending HELLO on Serial0/0/1
*Jan 21 16:50:18.749:
AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Jan 21 16:50:18.753: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.101
(Serial0/0/1) is down: Auth failure
R2#show ip eigrp neighbors
IP-EIGRP neighbors for process 100
R2#
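The key-chain rules from the MD5 slides ("first valid activated key, in order of key numbers, is used"; a received packet is checked only against a key whose accept-lifetime covers the moment) modelled in Python, as an added example that is not part of the slides. It uses the R1chain and R2chain configurations shown earlier and explains the two debug outputs: R1's key 1 stops being sendable at 04:01:00 Jan 1 2006, so R1 sends with key 2 while R2 still sends with key 1, and both sides accept; after R1's key 2 is changed to "wrongkey", R2 reports an authentication mismatch for key id 2. The digest layout (MD5 over packet, key-id and key string) and the HELLO byte string are simplifications constructed for the example, not the IOS wire format.

```python
"""Key-chain selection and digest checking for the R1/R2 example (added example)."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime

INFINITE = datetime.max
SLIDE_TIME = datetime(2006, 1, 21, 16, 38)      # when the debug output on the slides was taken
KEY1_SEND_END = datetime(2006, 1, 1, 4, 1, 0)   # R1 key 1: send-lifetime ends 04:01:00 Jan 1 2006


@dataclass
class Key:
    key_id: int
    key_string: str
    accept: tuple   # (start, end) of accept-lifetime
    send: tuple     # (start, end) of send-lifetime


class KeyChain:
    def __init__(self, name, keys):
        self.name = name
        self.keys = sorted(keys, key=lambda k: k.key_id)

    def send_key(self, now):
        """First valid activated key, in order of key numbers."""
        for k in self.keys:
            if k.send[0] <= now <= k.send[1]:
                return k
        return None

    def accept_key(self, key_id, now):
        """The key with this key-id, if its accept-lifetime covers 'now'."""
        for k in self.keys:
            if k.key_id == key_id and k.accept[0] <= now <= k.accept[1]:
                return k
        return None


def digest(packet, key):
    """Digest of message, key-id and key; the key itself is never transmitted.
    Simplified layout, not the IOS packet format."""
    h = hashlib.md5()
    h.update(packet)
    h.update(key.key_id.to_bytes(4, "big"))
    h.update(key.key_string.encode())
    return h.digest()


def send(packet, chain, now):
    """(key_id, digest) sent with the packet, or None if no key is currently sendable."""
    key = chain.send_key(now)
    return None if key is None else (key.key_id, digest(packet, key))


def receive(packet, key_id, mac, chain, now):
    """'accepted', or the reason the packet is ignored (invalid authentication)."""
    key = chain.accept_key(key_id, now)
    if key is None:
        return "no valid key for key id %d" % key_id
    if not hmac.compare_digest(mac, digest(packet, key)):
        return "pkt key id = %d, authentication mismatch" % key_id
    return "accepted"


def chain_from_slides(name, key1_send_end):
    """The R1chain/R2chain configuration: two keys, both accepted forever."""
    t0 = datetime(2006, 1, 1, 4, 0, 0)
    return KeyChain(name, [
        Key(1, "firstkey", accept=(t0, INFINITE), send=(t0, key1_send_end)),
        Key(2, "secondkey", accept=(t0, INFINITE), send=(t0, INFINITE)),
    ])


def broken_r1_chain():
    """R1chain after the troubleshooting slide's change: key 2 becomes 'wrongkey'."""
    chain = chain_from_slides("R1chain", KEY1_SEND_END)
    chain.keys[1].key_string = "wrongkey"
    return chain


R1CHAIN = chain_from_slides("R1chain", KEY1_SEND_END)
R2CHAIN = chain_from_slides("R2chain", INFINITE)
HELLO = b"EIGRP HELLO AS 100"   # constructed stand-in for a Hello packet


def exchange(now, r1_chain=R1CHAIN, r2_chain=R2CHAIN):
    """One Hello in each direction at time 'now'; what each router sends and sees."""
    r1_id, r1_mac = send(HELLO, r1_chain, now)
    r2_id, r2_mac = send(HELLO, r2_chain, now)
    return {"R1 sends key id": r1_id, "R2 sends key id": r2_id,
            "R2 receives": receive(HELLO, r1_id, r1_mac, r2_chain, now),
            "R1 receives": receive(HELLO, r2_id, r2_mac, r1_chain, now)}


if __name__ == "__main__":
    print(exchange(SLIDE_TIME))                           # R1 uses key 2, R2 key 1, both accepted
    print(exchange(SLIDE_TIME, r1_chain=broken_r1_chain()))  # R2: authentication mismatch, key id 2
```

Note that R2 still accepts R1's packets after R1 rolled over to key 2 only because R2 has key 2 configured with an open accept-lifetime; a key that has left every neighbor's accept window is rejected just like a wrong key-string is.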
Objectives (M4)
Upon completing this lesson, you will be able to describe,
recognize, and correct common EIGRP issues and
problems. This ability includes being able to meet these
objectives:
Explain factors affecting scalability in large internetworks
Explain how EIGRP uses queries to update its routing
tables in the event a route is lost and there is no feasible
successor
Explain how to mark the spokes of large network as stubs
to reduce EIGRP queries and thus improve network
scaling
Explain why SIA connections occur
Explain how to minimize active routes
Describe how graceful shut down prevents loss of
packets when routers go down
Factors That Influence EIGRP Scalability
Quantity of routing information exchanged between
peers: without proper route summarization, this can be
excessive.
Number of routers that must be involved when a
topology change occurs.
Depth of topology: the number of hops that information
must travel to reach all routers.
Number of alternate paths through the network.
EIGRP Query Process
Queries are sent when a route is lost and no feasible
successor is available.
The lost route is now in “active” state.
Queries are sent to all neighboring routers on all
interfaces except the interface to the successor.
If the neighbors do not have their lost-route information,
queries are sent to their neighbors.
If a router has an alternate route, it answers the query;
this stops the query from spreading in that branch of
the network.
Updates and Queries in Hub-and-Spoke
Topology
The stability of large-scale EIGRP networks is often dependent on the
range of queries through the network. This topic explains how to mark the
spokes of a large network as stubs to reduce EIGRP queries and thus
improve network scaling.
Hub-and-spoke network topologies commonly use stub routing. In a
hub-and-spoke topology, having a full routing table on the remote router
serves no functional purpose, because the path to the corporate network
and the Internet is always through the hub router.
Traffic from a hub router should not use a remote router as a transit path.
A typical connection from a hub router to a remote router has significantly
less bandwidth than a connection at the network core; attempting to use
the connection to a remote router as a transit path typically results in
excessive congestion, as illustrated in the figure.
EIGRP Stub
The EIGRP Stub Routing feature
Improves network stability
Reduces resource utilization and
Simplifies remote router (spoke) configuration
Stub routing is commonly used in hub-and-spoke topology
Stub router sends a special peer information packet to all
neighboring routers to report its status as a stub router
Any neighbor that receives a packet informing it of the
stub status does not query the stub router for any routes
Stub Review
Figure: hub routers A and B, network 10.1.1.0/24 behind A, and the remote (spoke) routers connected to both hubs.
If A loses its connection to 10.1.1.0/24, it must build and transmit five queries: one query to each remote, and one query to B.
Each of the remote sites will also build a query towards B.
B receives five queries which it must process and answer.
Stub Review
Figure: routers A and B with the spoke routers between them; the spokes are not designed to transit traffic.
If these spokes are remote sites, they typically have two connections for redundancy, not so they can transit traffic between A and B.
A should never use the spokes as a path to anything reachable through B, so there's no reason to learn about, or query for, routes through these spokes.
Stub Review
To signal A and B that the paths through the spokes should not be used for transit traffic, the spoke routers can be configured as stubs (figure: routers A and B, network 10.1.1.0/24 behind A):
router#config t
router(config)#router eigrp 100
router(config-router)#eigrp stub
router(config-router)#
Stub Review
Marking the spokes as stubs allows them to signal A and B that they are not transit paths.
A will not query stubs, reducing the total number of queries in this example to one.
Marking the remotes as stubs also reduces the complexity of this topology; B now believes it only has one path to 10.1.1.0/24, rather than five.
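The query counts on the Stub Review slides can be reproduced with a small model of the query-diffusion rules the slides describe. The following is an added example, not code from the slides or from Cisco: it implements only the rules stated above (a router without a feasible successor queries every neighbour except the one that queried it, a router with an alternate path answers instead of spreading the query, a stub is never queried) and ignores timing and the reply flow. The topology (hubs A and B, 10.1.1.0/24 behind A, four dual-homed spokes, derived from "one query to each remote and one to B" making five) is reconstructed from the slide text; the spoke names S1..S4 are assumptions.

```python
"""Query diffusion in the hub-and-spoke "Stub Review" topology.

Added example; not code from the slides or from Cisco. It models only the
rules the slides state: a router that loses its successor and has no feasible
successor queries every neighbour except the one it was queried by; a router
that already has an alternate path (or is already active for the route)
answers instead of spreading the query; a neighbour that has announced itself
as a stub is never queried. Timing and the reply flow are not modelled.
The topology (hubs A and B, 10.1.1.0/24 behind A, four dual-homed spokes) is
reconstructed from the slide text; the spoke names S1..S4 are assumptions.
"""
from collections import deque


def build_hub_and_spoke(n_spokes):
    """Hubs A and B joined by a core link; every spoke is attached to both."""
    spokes = [f"S{i}" for i in range(1, n_spokes + 1)]
    adj = {"A": set(spokes) | {"B"}, "B": set(spokes) | {"A"}}
    for spoke in spokes:
        adj[spoke] = {"A", "B"}
    return adj, spokes


def flood_queries(adj, origin, stubs=frozenset(), has_alternate=frozenset()):
    """Return the list of (sender, receiver) queries for one lost route.

    origin is the router whose successor for the route vanished with no
    feasible successor. Routers in has_alternate answer the query from their
    own tables; routers in stubs are skipped; a router goes active at most
    once and simply answers later queries for the same route.
    """
    queries = []
    active = {origin}
    work = deque([(origin, None)])          # (router, neighbour that queried it)
    while work:
        router, queried_by = work.popleft()
        for nbr in sorted(adj[router]):
            if nbr == queried_by or nbr in stubs:
                continue
            queries.append((router, nbr))
            if nbr in has_alternate or nbr in active:
                continue                     # answers; query stops here
            active.add(nbr)
            work.append((nbr, router))
    return queries


def stub_review(n_spokes=4, spokes_are_stubs=False):
    """Reproduce the slide's counts for 10.1.1.0/24 being lost at A."""
    adj, spokes = build_hub_and_spoke(n_spokes)
    stubs = frozenset(spokes) if spokes_are_stubs else frozenset()
    queries = flood_queries(adj, "A", stubs)
    return {
        "queries_sent_by_A": sum(1 for s, _ in queries if s == "A"),
        "queries_received_by_B": sum(1 for _, r in queries if r == "B"),
        "total_queries": len(queries),
        # neighbours of B that could still advertise a path to 10.1.1.0/24
        "paths_B_sees": len(adj["B"] - stubs),
    }


if __name__ == "__main__":
    print("spokes not stubs:", stub_review(4, False))
    print("spokes as stubs: ", stub_review(4, True))
```

Without stubs the model gives the slide's numbers (A sends five queries, B receives five, B sees five candidate paths); it also counts the queries B sends back towards the spokes, so the total is larger than five. Marking the four spokes as stubs leaves a single query, A to B, and B with one candidate path. Passing `has_alternate={"B"}` shows the other rule on the Query Process slide: a router that already holds an alternate route answers and the query does not spread beyond it.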
Configuring EIGRP Stub
Router(config-router)#
eigrp stub [receive-only|connected|static|summary]
receive-only: Prevents the stub from sending any
type of route.
connected: Permits stub to send connected routes
(may still need to redistribute).
static: Permits stub to send static routes (must still
redistribute).
summary: Permits stub to send summary routes.
Default is connected and summary.
Example: EIGRP stub Parameters
If stub connected is configured:
B will advertise 10.1.2.0/24 to A.
B will not advertise 10.1.2.0/23, 10.1.3.0/24, or 10.1.4.0/24.
If stub summary is configured:
B will advertise 10.1.2.0/23 to A.
B will not advertise 10.1.2.0/24, 10.1.3.0/24, or 10.1.4.0/24.
Example: EIGRP stub Parameters (Cont.)
If stub static is configured:
B will advertise 10.1.4.0/24 to A.
B will not advertise 10.1.2.0/24, 10.1.2.0/23, or 10.1.3.0/24.
If stub receive-only is configured:
B won't advertise anything to A, so A needs to have a static route to the networks behind B to reach them.
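The effect of each `eigrp stub` keyword on what B advertises can be checked with a parser for the command and a filter over B's routes. This is an added example, not code from the slides or from Cisco. B's routes are reconstructed from the slide: 10.1.2.0/24 connected, 10.1.2.0/23 a summary, 10.1.4.0/24 static; 10.1.3.0/24 is assumed to be a route B learned from another EIGRP neighbour, which no stub keyword lets B re-advertise. The rule that `receive-only` cannot be combined with the other keywords follows the IOS command reference and is not on the slide.

```python
"""Which routes a stub router advertises for each `eigrp stub` option.

Added example, not the slides' or Cisco's own code. It models the four
keywords on the slide (receive-only, connected, static, summary) and the
default (connected and summary). ROUTES_ON_B is constructed from the slide
example; the origin of 10.1.3.0/24 (learned from another EIGRP neighbour) is
an assumption, as is the IOS rule that receive-only is exclusive.
"""
KEYWORDS = {"receive-only", "connected", "static", "summary"}
DEFAULT = frozenset({"connected", "summary"})      # "Default is connected and summary"

ROUTES_ON_B = {           # prefix -> how B learned it (constructed from the slide)
    "10.1.2.0/24": "connected",
    "10.1.2.0/23": "summary",
    "10.1.3.0/24": "eigrp",     # assumed: learned from another neighbour
    "10.1.4.0/24": "static",
}


def parse_eigrp_stub(command):
    """Return the set of keywords an `eigrp stub [...]` line enables."""
    tokens = command.split()
    if tokens[:2] != ["eigrp", "stub"]:
        raise ValueError(f"not an eigrp stub command: {command!r}")
    opts = tokens[2:]
    unknown = set(opts) - KEYWORDS
    if unknown:
        raise ValueError(f"unknown keyword(s): {sorted(unknown)}")
    if not opts:
        return DEFAULT
    if "receive-only" in opts and len(set(opts)) > 1:
        raise ValueError("receive-only cannot be combined with other keywords")
    return frozenset(opts)


def is_valid_stub_command(command):
    try:
        parse_eigrp_stub(command)
        return True
    except ValueError:
        return False


def advertised_routes(stub_options, routes=ROUTES_ON_B):
    """Prefixes the stub sends to its hub for the given keyword set.

    Connected and static routes must already be in the EIGRP process
    (network statement or redistribution, as the slide notes); this model
    assumes they are.
    """
    if "receive-only" in stub_options:
        return []
    return sorted(p for p, origin in routes.items() if origin in stub_options)


def advertised_for(command):
    return advertised_routes(parse_eigrp_stub(command))


def hub_needs_static_route(command):
    """True when the hub learns nothing from B and needs its own static route."""
    return advertised_for(command) == []


if __name__ == "__main__":
    for cmd in ("eigrp stub", "eigrp stub connected", "eigrp stub summary",
                "eigrp stub static", "eigrp stub receive-only"):
        print(f"{cmd:26} -> {advertised_for(cmd)}")
```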
EIGRP Query Process Stuck-in-Active
The router has to receive replies from all neighbors with an
outstanding query before it calculates the successor information.
If any neighbor fails to reply to the query within three minutes
(the default), the route is SIA, and the router resets the neighbor
relationship with the neighbor that failed to reply.
EIGRP Stuck in Active ([1])
When a route goes into the active state, the router queries its neighbors and
starts a 3-min active timer.
If a neighbor has a feasible successor, it recalculates its own local
distance and reports back.
If a neighbor does not have a feasible successor, it goes into the active
state itself.
If none of the queried routers can provide a feasible successor, the route
is cleared.
If a response is not received within 3 minutes, the router logs a DUAL-3-SIA
message and then restarts the adjacency with the non-responding router.
This can cause further routers to go "active", additional adjacency resets,
and lots of reconvergence.
EIGRP Stuck in Active ([1])
Figure (two panels; routers A, B and C; network 10.1.1.0/24): in the upper panel A's query is passed on by B to C and the replies come back the same way; in the lower panel a reply does not return in time and A resets its relationship with B.
Active Process Enhancement
Before: Router A resets its relationship to router B when the normal active timer expires. However, the problem is the link between router B and C.
After: Router A sends an SIA-Query at half of the normal active timer. Router B acknowledges the query, thereby keeping the relationship up.
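The "Before" and "After" behaviour can be put into a small timing model of the chain A, B, C in which the B-C link is the problem. This is an added example, not code from the slides or from Cisco. Beyond the slides it assumes: B forwards its query to C one second after receiving A's; messages between A and B are instantaneous; C's messages towards B take `c_to_b_delay` seconds (`inf` means they never arrive); a router whose SIA-Query is acknowledged restarts its 3-minute active timer from that acknowledgement; and only one SIA-Query round is modelled. What it shows is that, with the enhancement, the reset moves from the healthy A-B adjacency to the faulty B-C one.

```python
"""Stuck-in-active before and after the SIA-Query enhancement (added example).

Not code from the slides or from Cisco. A timing model of the chain
A -> B -> C: A queries B, B queries C, and the B-C link is the problem.
Assumptions beyond the slides: B forwards its query 1 s after receiving A's
(B_START); messages between A and B are instantaneous; C's messages towards B
take c_to_b_delay seconds (float('inf') = never arrive); a router whose
SIA-Query is acknowledged restarts its 3-minute active timer from that
acknowledgement; only one SIA-Query round is modelled.
"""
INF = float("inf")
ACTIVE_TIMER = 180.0        # default active timer: 3 minutes (from the slide)
B_START = 1.0               # assumption: B queries C 1 s after A queried B


def hop_outcome(start, reply_arrival, sia_reply_arrival, sia_enhancement):
    """One querier waiting on one neighbour; its timer starts at `start`.

    Returns (reset_time, reply_seen_at): reset_time is when the querier
    declares the route SIA and resets the neighbour (None if it never does);
    reply_seen_at is when the reply was accepted (None if it came too late).
    """
    expire = start + ACTIVE_TIMER
    if sia_enhancement and sia_reply_arrival <= expire:
        # the neighbour acknowledged that it is still working on the query,
        # so the adjacency is kept and the active timer restarts
        expire = sia_reply_arrival + ACTIVE_TIMER
    if reply_arrival <= expire:
        return None, reply_arrival
    return expire, None


def simulate_chain(c_to_b_delay, sia_enhancement):
    """Outcome for A (querier of B) and B (querier of C); A queries at t = 0."""
    # Hop B <- C: C answers at once, so its Reply lands after the link delay;
    # its SIA-Reply (to the SIA-Query B sends at half the timer) lands later.
    b_resets_c_at, c_reply_seen = hop_outcome(
        B_START,
        B_START + c_to_b_delay,
        B_START + ACTIVE_TIMER / 2 + c_to_b_delay,
        sia_enhancement,
    )
    # B replies to A as soon as its own computation ends: when C's Reply is
    # accepted, or when B gives up on C and resets that adjacency.
    b_reply_to_a_at = c_reply_seen if c_reply_seen is not None else b_resets_c_at
    # Hop A <- B: A sends its SIA-Query at half the timer; B is still active
    # at that moment unless it has already replied, and acknowledges at once.
    a_sia_query_at = ACTIVE_TIMER / 2
    b_sia_reply_at = a_sia_query_at if b_reply_to_a_at > a_sia_query_at else INF
    a_resets_b_at, _ = hop_outcome(0.0, b_reply_to_a_at, b_sia_reply_at,
                                   sia_enhancement)
    return {"a_resets_b_at": a_resets_b_at,
            "b_resets_c_at": b_resets_c_at,
            "b_reply_to_a_at": b_reply_to_a_at}


if __name__ == "__main__":
    for delay in (120, 250, INF):
        for enhanced in (False, True):
            print(f"C->B delay {delay:>5}s, SIA-Query {'on ' if enhanced else 'off'}:",
                  simulate_chain(delay, enhanced))
```

With a 250 s delay on the B-C link and no enhancement, A resets B at 180 s even though B itself is healthy; with the enhancement A accepts B's SIA-Reply at 90 s, keeps the adjacency, and it is B that resets C when its own timer expires. A 120 s delay produces no reset in either case. Because the SIA-Reply from C crosses the same slow link as C's Reply, the enhancement helps the hop upstream of the fault, not the faulty hop itself, which is the behaviour the slide describes.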
Graceful Shutdown
Implemented with the goodbye message feature.
Designed to improve EIGRP network convergence.
In the figure, router A is using router B as the successor for a number of routes;
router C is the feasible successor for the same routes. Router B normally would not
tell router A if the EIGRP process on router B was going down. Router A would have
to wait for its hold timer to expire before it would discover the change and react to it.
Packets sent during this time would be lost.
With graceful shutdown, the goodbye message is broadcast when an EIGRP
routing process is shut down to inform adjacent peers about the impending topology
change. This feature allows supporting EIGRP peers to synchronize and recalculate
neighbor relationships more efficiently than would occur if the peers discovered the
topology change after the hold timer expired.
The goodbye message is supported in Cisco IOS Software Release 12.3(2),
12.3(3)B, and 12.3(2)T and later. Goodbye messages are sent in hello packets.
EIGRP sends an interface goodbye message with all K values set to 255 when
taking down all peers on an interface.
Auto-Summary ([1],[3])
EIGRP performs classful (i.e. Class A, B, C) summarization by
default
EIGRP automatically summarizes directly connected networks at
their natural boundaries
Therefore, you must manually turn off summarization to make
EIGRP operate as a classless routing protocol
router eigrp 10
no auto-summary
Automatic summarization is performed when there are two or more
network router configuration commands configured for the EIGRP
process.
Auto-Summary (cont)
Route summarization works in conjunction with the
ip summary-address eigrp
interface configuration command, in which additional
summarization can be performed.
If there are any more specific routes in the routing table, EIGRP
will advertise the summary address out the interface with a metric
equal to the minimum of all more specific routes.
If automatic summarization is in effect, there usually is no need to
configure network-level summaries using the ip summary-address eigrp command.
Summarization benefits
1. Summarization would decrease the number of routes advertised
by EIGRP. This would result in:
less bandwidth utilization by EIGRP,
smaller IP routing tables,
smaller EIGRP topology tables.
This would result in less CPU utilization and less memory usage on
the routers. These additional resources can be used to send data
more quickly.
2. Summarization could also prevent updates regarding flapping
routes from being propagated throughout the EIGRP domain if
those flapping routes fall within a summary address placed at a
critical point in the network (usually as close to the source as
possible).
Example (CNAP EIGRP summarization lab)
Figure: lab topology with routers R1, R2 and R3 (not reproduced in the text).
Example (cont)
R1# show ip route eigrp
     172.16.0.0/24 is subnetted, 1 subnets
D       172.16.1.0 [90/41152000] via 192.168.100.2, 00:01:14, Serial0/0/0
     192.168.200.0/30 is subnetted, 7 subnets
D       192.168.200.0 [90/40640000] via 192.168.100.2, 00:03:09, Serial0/0/0
D       192.168.200.4 [90/40640000] via 192.168.100.2, 00:03:09, Serial0/0/0
D       192.168.200.8 [90/40640000] via 192.168.100.2, 00:03:09, Serial0/0/0
D       192.168.200.12 [90/40640000] via 192.168.100.2, 00:03:09, Serial0/0/0
D       192.168.200.16 [90/40640000] via 192.168.100.2, 00:03:09, Serial0/0/0
D       192.168.200.20 [90/40640000] via 192.168.100.2, 00:03:09, Serial0/0/0
D       192.168.200.24 [90/40640000] via 192.168.100.2, 00:03:09, Serial0/0/0
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D       10.1.3.0/30 [90/41152000] via 192.168.100.2, 00:03:09, Serial0/0/0
D       10.1.1.0/29 [90/41024000] via 192.168.100.2, 00:03:09, Serial0/0/0
D    192.168.12.0/23 [90/41152000] via 192.168.100.2, 00:03:09, Serial0/0/0
D    192.168.8.0/23 [90/41152000] via 192.168.100.2, 00:03:11, Serial0/0/0
D    192.168.24.0/23 [90/41152000] via 192.168.100.2, 00:03:11, Serial0/0/0
D    192.168.4.0/23 [90/41152000] via 192.168.100.2, 00:03:11, Serial0/0/0
D    192.168.20.0/23 [90/41152000] via 192.168.100.2, 00:03:11, Serial0/0/0
D    192.168.0.0/23 [90/41152000] via 192.168.100.2, 00:03:11, Serial0/0/0
D    192.168.16.0/23 [90/41152000] via 192.168.100.2, 00:03:11, Serial0/0/0
Summary networks and their placements
Network                            Summary             At
10.0.0.0/8                         10.0.0.0/8          R2
172.16.0.0/16                      172.16.0.0/16       R3
172.31.0.0/16                      172.31.0.0/16       R1
192.168.100.0/24                   192.168.100.0/24    R2
192.168.200.0/24                   192.168.200.0/24    R2
192.168.0.0/23 - 192.168.24.0/23   192.168.0.0/19      R3
R1# show ip route
<output omitted>
Gateway of last resort is not set
D    172.16.0.0/16 [90/41152000] via 192.168.100.2, 04:04:11, Serial0/0/0
     172.31.0.0/16 is variably subnetted, 2 subnets, 2 masks
C       172.31.1.0/24 is directly connected, Loopback0
D       172.31.0.0/16 is a summary, 02:47:43, Null0
D    192.168.200.0/24 [90/40640000] via 192.168.100.2, 02:47:34, Serial0/0/0
D    10.0.0.0/8 [90/41024000] via 192.168.100.2, 02:47:34, Serial0/0/0
     192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.100.0/29 is directly connected, Serial0/0/0
D       192.168.100.0/24 is a summary, 02:47:44, Null0
D    192.168.0.0/19 [90/41152000] via 192.168.100.2, 02:32:07, Serial0/0/0
Some notes
EIGRP auto-summarizes only at the classful boundary.
Even if EIGRP auto-summarization is turned on, the
networks 192.168.0.0/23 through 192.168.24.0/23 will
not be summarized!!!
Auto-summarization will not summarize the supernets.
Summarization will result in only 8-bit, 16-bit, and 24-bit
subnet masks in the routes installed by EIGRP.
More info – see EIGRP summarization lab
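The two rules behind the Auto-Summary slides and these notes (auto-summary collapses a subnet to its classful network; a supernet such as 192.168.0.0/23 is left alone; a manual ip summary-address covers the /23 routes with 192.168.0.0/19 at the minimum of the more-specific metrics) can be checked with the standard library. The following is an added example, not code from the slides or from Cisco; `LAB_ROUTES` is copied from the R1 `show ip route eigrp` output above, and the address-space count it reports for the summary is the part of 192.168.0.0/19 that no specific route actually covers, which is what a summary placed at a "critical point" quietly claims.

```python
"""Classful auto-summary versus manual summarization (added example).

Not code from the slides or from Cisco. It uses the standard ipaddress module
to (1) compute the classful network EIGRP auto-summary would advertise for a
subnet, (2) show that a supernet such as 192.168.0.0/23 is left alone because
its mask is shorter than the classful mask, and (3) derive a manual
ip summary-address prefix covering the lab's 192.168.x.0/23 routes, with the
summary metric taken as the minimum of the more-specific metrics.
LAB_ROUTES is copied from the R1 "show ip route eigrp" output on the slides.
"""
import ipaddress

LAB_ROUTES = {  # prefix -> EIGRP metric, from R1's routing table on the slides
    "192.168.0.0/23": 41152000, "192.168.4.0/23": 41152000,
    "192.168.8.0/23": 41152000, "192.168.12.0/23": 41152000,
    "192.168.16.0/23": 41152000, "192.168.20.0/23": 41152000,
    "192.168.24.0/23": 41152000,
}


def classful_prefixlen(net):
    """Natural mask length (8/16/24) from the first octet of the address."""
    first_octet = int(net.network_address) >> 24
    if first_octet < 128:
        return 8                              # class A
    if first_octet < 192:
        return 16                             # class B
    if first_octet < 224:
        return 24                             # class C
    raise ValueError(f"{net} is not a class A, B or C network")


def auto_summary(prefix):
    """Classful network EIGRP auto-summary advertises for prefix, as a string,
    or None when prefix is a supernet (mask shorter than its classful mask),
    which auto-summary does not touch."""
    net = ipaddress.ip_network(prefix)
    natural = classful_prefixlen(net)
    if net.prefixlen < natural:
        return None
    return str(net.supernet(new_prefix=natural))


def manual_summary(routes):
    """Smallest single prefix covering every route in routes (prefix -> metric).

    Returns (summary, metric, unused_addresses): the summary prefix, the
    metric to advertise (minimum of the more-specific routes) and how many
    addresses the summary claims that no specific route actually covers.
    """
    nets = [ipaddress.ip_network(p) for p in routes]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()          # widen the mask by one bit
    covered = sum(n.num_addresses for n in nets)
    return str(summary), min(routes.values()), summary.num_addresses - covered


if __name__ == "__main__":
    for p in ("10.1.3.0/30", "172.16.1.0/24", "192.168.200.4/30", "192.168.0.0/23"):
        print(f"{p:18} auto-summary -> {auto_summary(p)}")
    print("manual summary for the /23 routes:", manual_summary(LAB_ROUTES))
```

`auto_summary` returns only /8, /16 or /24 prefixes, matching the note that auto-summary leaves nothing but 8-, 16- and 24-bit masks, and returns None for the /23 supernets. `manual_summary` widens the mask one bit at a time until one prefix holds all seven /23 routes, which is 192.168.0.0/19; because the /23s are not contiguous, that summary also covers 4608 addresses with no specific route behind them.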