FIRST UNDERSTAND WHAT EIGRP IS:
EIGRP (Enhanced Interior Gateway Routing Protocol) is a network protocol that lets routers exchange information more efficiently than with earlier network protocols. EIGRP evolved from IGRP (Interior Gateway Routing Protocol) and routers using either EIGRP and IGRP can interoperate because the metric (criteria used for selecting a route) used with one protocol can be translated into the metrics of the other protocol. EIGRP can be used not only for Internet Protocol (IP) networks but also for AppleTalk and Novell NetWare networks.
EIGRP is an interior gateway protocol suited for many different topologies and media. In a well designed network, EIGRP scales well and provides extremely quick convergence times with minimal network traffic.
EIGRP THEORY OF OPERATION:
Some of the many advantages of EIGRP are:
· Very low usage of network resources during normal operation; only hello packets are transmitted on a stable network.
· when a change occurs, only routing table changes are propagated, not the entire routing table; this reduces the load the routing protocol itself places on the network.
· Rapid convergence times for changes in the network topology (in some situations convergence can be almost instantaneous).
EIGRP is an enhanced distance vector protocol, relying on the Diffused Update Algorithm (DUAL) to calculate the shortest path to a destination within a network.
MAJOR REVISIONS OF THE PROTOCOL:
There are two major revisions of EIGRP, versions 0 and 1. Cisco IOS versions earlier than 10.3(11), 11.0(8), and 11.1(3) run the earlier version of EIGRP; some explanations in this paper may not apply to that earlier version. We highly recommend using the later version of EIGRP, as it includes many performance and stability enhancements.
FOR SHORT NOTES FOR EIGRP:
Cisco Proprietary Protocol
- Advanced distance vector
- Automatic summarization at classful boundary (can be disabled/turned off)
- supports VLSM/CIDR
- manually summarized routes have AD of 5, point to NULL0
- more specific routes within summarized range must exist in routing table, or summarized route disappears
- multicast address 224.0.0.10
- Unicast and multicast are used for updates
- IP/
- no special configuration required for various layer 2 technologies
- Unequal cost load balancing
- Successor - Best path to a destination
- Feasible sucessor - second best path to a destination
- Advertised Distance - cost from next hop to final destination
- Feasible Distance - cost from local router to final destination
- For Feasible successor to be used, AD must be less than the FD through successor
- Hello Packets are sent every 5 seconds on links greater than T1
- sent every 60 seconds for T1 and slower
- hold time interval defaults to 3 times the hello interval
- changing default hello interval does NOT automatically update the hold time
- ip hello-interval eigrp {as} {seconds} interface command
- ip hold-time eigrp {as} {seconds} interface command
- Un-acknowledged multicast updates are unicast to the host that did not ack. This avoids hold ups
- with further updates to the rest of the network
- EIGRP metric is based on load, bandwidth, delay, and reliability.
- Cisco recommends leaving k values at default
- Configuration of EIGRP
- router eigrp {as}
- network {address | wildcard mask} (wildcard is optional)
- no auto-summary (turns off summarization at classful boundary)
- redistribute static (redistributes any static routes into the protocol)
- variance {#} (modifies which routes will be considered for unequal cost load balancing)
- max-paths {#} (number of paths to be used for load balancing. default is 4, max is 16)
- ip summary-address eigrp {as} {address | mask} (interface configuration command to summarize routes at a non classful boundary.)
- eigrp stub receive-only ( this creates a stub in eigrp. The “receive-only option” tells the stub router to not send ANY routes)
For More Info iP Routing Introduction to EIGRP - > http://www.cisco.com/en/US/docs/ios/12_0/np1/configuration/guide/1ceigrp.html
EIGRP AUTHENTICATION:
By Router Authentication
- By default, there is no authentication required for routing protocol packets.
- Authentication can be applied for neighbor routers to limit what routers can participate in routing based on predefined passwords.
- When you configure a neighbor router authentication on a router, the router authenticates the source of each routing update packets that it receives.
- This is accomplished by the exchange of an authentication key (password) known to both the routers involved.
EIGRP supports MD 5 Authentication:
NOTE:
Simple Password (or Plain-text authentication) – these are not secure and totally vulnerable to attacks. The passwords are sent in plain text over the wire and anyone that know how to use a simple protocol analyzer can easily capture the data.
Correction: There is no option for configuring simple password/plain-text authentication with EIGRP
MD5 Authentication – this form of authentication is more secure because it doesn’t actually send the key
or password over the wire. Instead, it sends hashed keys, or message digest instead of the authenticating key itself.
or password over the wire. Instead, it sends hashed keys, or message digest instead of the authenticating key itself.
- MD5 authentication is a cryptographic authentication. To set it up, a router needs a key (password)
- and a key ID configured. An algorithm is run on the routing protocol using the key and the key ID to generate a message digest (called a hash). The message digest is sent on the wire instead of the key. When the hash is received on the other side, a similar algorithm is run and compares the result to the received message digest. If it’s a match, then it is authenticated.
EIGRP MESSAGE DIGESTS 5 (MD5) AUTHENTICATION CONFIGURATIONS:
EIGRP route authentication provides MD5 AUTHENTICATION of routing updates from the EIGRP routing protocol. The md5 keyed digest in each EIGRP packet prevents the introduction of unauthorized or false routing messages from unapproved sources.
EIGRP supports message digest 5 (MD5) Authentications to prevent malicious and incorrect routing information from being introduced into the routing table of a Cisco router.
To configure EIGRP Authentication, the keys used in the authentication process have to be configured and attached to an interface along with MD5 as the mode of authentication.
HOW TO CONFIGURATION MD5 AUTHENTICATION:
To configure EIGRP MD5 authentication, you must configure an authenticating key and a key ID
on both the sending and receiving routers.
- Each key has its own key ID stored locally on the router.
- Key chains allow you to manage several keys. But only one key is used at a time (whichever is activated at the time).
- If the keys are not activated they cannot be use.
- If there’s a point in time when no key is activated, neighbor authentication cannot occur and routing updates will fail.
- The software examines the key numbers from lowest to highest and uses the first valid key it sees.
WHEN AUTHENTICATION IS CONFIGURED, AN MD5 KEYED DIGEST IS ADDED TO EACH EIGRP PACKET IN THE SPECIFIED AUTONOMOUS SYSTEM.
CONFIGURING EIGRP MD5 AUTHENTICATION STEPS ARE BELOW:
Task | Command |
Step 1 EnableMD5 authentication in IP Enhanced IGRP packets. | ip authentication mode eigrp autonomous-system md5 |
Step 2 Enable authentication of IP Enhanced IGRP packets. | ip authentication key-chain eigrp autonomous-system key-chain |
Step 3 Exit to global configuration mode. | Exit |
Step 4 Identify a key chain. (Match the name configured in Step 1). | key chain name-of-chain |
Step 5 In key chain configuration mode, identify the key number. This is the key ID. | key key-id |
Step 6 In key chain key configuration mode, identify the key string (password). | key-string text |
Step 7 Optionally specify the time period during which the key can be received. | accept-lifetime start-time {infinite | end-time | duration seconds} |
Step 8 Optionally specify the time period during which the key can be sent | send-lifetime start-time {infinite | end-time | duration seconds} |
- The autonomous-system is the EIGRP autonomous system number in which authentication is to be used.
- The key-chain is the name of the authentication key chain from which a key is to be obtained for that interface.
- The key key-id configures the key ID number of an authentication key on a key chain. You can use any number from 0 to 2147483647 and it does not have to be configured in order.
- The key-string command configures the alphanumeric password used to authenticate sent and received EIGRP packets. The key string can contain from 1 to 80 uppercase to lowercase alphanumeric characters, except that the first character cannot be a number.
STEP 1: CREATE AN (AUTHENTICATION) KEY CHAIN:
a. Create the chain and give it a name with the key chain name global command (this also puts the user into key chain config mode).
b. Create one or more key numbers using the key number command in the key chain configuration mode.
c. Define the authentication key’s value using the key-string value command in key configuration mode.
d. (Optional) Define the lifetime (time period) for both sending and accepting this particular key.
STEP 2: ENABLE EIGRP MD5 AUTHENTICATION ON AN INTERFACE:
For a particular EIGRP ASN , using the ip authentication mode eigrp asn md5 interface subcommand.
STEP 3: REFER TO THE CORRECT KEY CHAIN TO BE USED ON AN INTERFACE:
USING THE IP AUTHENTICATION KEY -CHAIN EIGRP ASN NAME-OF-CHAIN INTERFACE SUBCOMMAND.
IOS configures the key values separately, then requires an interface subcommand to refer to the key values. To support the ability to have multiple keys, and even multiple sets of keys, the configuration includes the concept of a key chain and multiple keys on each key chain.
IOS lets you configure multiple key chains so that different key chains can be used on different interfaces. Each key chain can include multiple keys. Having multiple keys in one key chain allows neighbors to still be up and working while the keys are being changed. Changing keys enhances security.
EIGRP authentication lifetime of a key can be configured as well. If this isn’t configured, the key is valid forever. However, if it is configured, the router uses the key only during the listed times.
To support the useful lifetime concept, a router must know the time and date. Routers can set the time and date with the clock set EXEC command. Routers can also use Network Time Protocol (NTP), a protocol that allows routers to synchronize their time-of-day clocks.
For authentication to work, neighboring routers must both have EIGRP MD5 authentication enabled, and the key strings they currently use must match. Note that the key chain name does not need to match. The most common problems relate to when the useful lifetime settings do not match, or one of the router’s clocks has the wrong time. NTP should be enabled and used before restricting keys to a particular time frame.
EXAMPLE CONFIGURE EIGRP ROUTE EIGRP ROUTE ARE :
1. IDENTIFY A KEY -CHAIN TO BE USED IN THE AUTHENTICATION,
Router(config)#key chain NAME
WHERE NAME IS THE NAME OF THE KEY -CHAIN THAT WILL BE CREATED
2. IDENTIFY THE KEY NUMBER,
Router(config-keychain)#key NO
WHERE NO IS THE NUMBER OF THE KEY
3. IDENTIFY THE KEY STRING,
Router(config-keychain)#key-string STRNG
WHERE STRNG IS THE KEY STRING
4. YOU CAN STOP HERE OR SETUP A PERIOD IN WHICH THE KEY WILL BE EFFECTIVE,
Router(config-keychain)#accept-lifetime START-TIME {INFINITE | END-TIME | DURATION}
Router(config-keychain)#send-lifetime START-TIME {INFINITE | END-TIME | DURATION}
Note:
You can set a start time and either end time, or duration in seconds, or you can leave the operation infinite.
EXAMPLE FOR LIFE TIME MD5:
config)# key chain <name>config-keychain)# key <#>config-keychain-key)# key-string < password> start time) (End time)config-keychain-key)#accept-lifetime<h:m:s mm dd yy>duration< mm- infinite >config-keychain-key)#send-lifetime <h:m:s mm dd yy> duration < mm- infinite > config)# interface <int>config-if)# ip authentication mode eigrp <AS#><md5> config-if)# ip authentication key-chain eigrp <AS<name>MD5 VERIFICATION:
Helpful commands for verifying MD5 authentication:
- show eigrp neighbors
- make sure that the neighbor table show that two router have successfully formed an EIGRP adjacency
- show ip route
- verify that network on the neighboring router has been learned via EIGRP over the right serial connection.
TROUBLESHOOTING MD5 AUTHENTICATION:
- Here’s an example of a successful authentication using the debug eigrp packets command:
# debug eigrp packets
TO VERIFY THAT THE AUTHENTICATION WORKED:
Use the show ip eigrp neighbors command. If the authentication fails, the neighbor relationship will not form. You can see more details about the authentication process using the debug eigrp packets command.
# show ip eigrp neighbors
SIMPLE LAB EXAMPLE FOR MD5:
CONFIGURATION TO ENABLE EIGRP ON
ROUTER A:
Router A (config# router eigrp 100
(Enable eigrp protocol and 100 is autonomous number).
Router A (config-router)# network 30.0.0.0
(Advertised router a serial network 30.0.0.0).
Router A (config-router)# network 10.0.0.0
(Advertised router a ethernet network 10.0.0.0).
ROUTER B:
IN GLOBAL CONFIGURATION MODE:
Router B (config) # router eigrp 10
(Enable eigrp protocol and 10 is autonomous number)
Router B (config-router) # network 30.0.0.0
(Advertised router b serial network 30.0.0.0).
Router B (config-router) # network 15.0.0.0
(Advertised router b ethernet network 15.0.0.0).
ON ROUTER A
IN GLOBAL CONFIGURATION MODE:
FIRST CREATE THE KEY CHAIN WITH THE NAME CISCO USED IN THIS EXAMPLE.
A (config) # key chain cisco
Now set the key number 1 used in this example.
A (config-keychain) # key 1
Now set the key string for the key name champion used in this example.
A (config-keychain-key) # key-string pREM
A (config-keychain-key) # end
Now specify the interface that you want to configure eigrp message authentication.
A (config) # interface serial 0
A (config-if) # ip authentication key-chain eigrp 1 cisco
A (config-if) # ip authentication mode eigrp 1 md 5
A (config-if) # end
Now configure eigrp authentication on router b
On global configuration mode:
FIRST CREATE THE KEY CHAIN WITH THE NAME CISCO USED IN THIS EXAMPLE.
B (config) # key chain cisco
Now set the key number 1 used in this example.
B (config-keychain) # key 1
B (config-keychain-key) # key-string pREM
B (config-keychain-key) # end
B (config) # interface serial 0
B (config-if) # ip authentication key-chain eigrp 1 cisco
B (config-if) # ip authentication mode eigrp 1 md 5
B (config-if) # end
EIGRP MD5 ARTICLE SUMMARY:
EIGRP Authentication
- EIGRP supports cleartext and MD5 authentication. It looks like we’re only concerned with MD5 for the exams (for obvious security reasons)
- ip authentication mode eigrp {as} md5 (interface config mode)
- ip authentication key-chain eigrp {as} {name of keychain}
- key chain {name of keychain} (global config mode)
- key {key-id} (this can be between 0-2147483647)
- key-string {key}
- As of IOS 12.3, EIGRP sends a graceful goodbye message when bringing the process down. Goodbye messages are sent inside of Hello packets
- Helpful Commands
- show ip eigrp neighbors
- show ip route
- show ip route eigrp
- show ip protocols – shows active routing protocol info (displays k values)
- show ip eigrp interfaces
- show ip eigrp toplogy – successor/feasible successor
- show ip eigrp traffic
- debug eigrp packets
- Key technologies
- Neighbor discovery/recovery
- Protocol dependant modules (ip, ipx, appletalk)
This Article Written Author By: Premakumar Thevathasan.
CCNA, CCNP, CCIP, MCSA, MCSE, MCSA - MSG, CIW Security Analyst, CompTIA Certified A+.
1 comment:
This is very excellent way of teaching every one can be easy to understand this Article.
Post a Comment