Thursday, December 29, 2011

Time-Based Eigrp Authentication

Time-Based Eigrp Authentication:

For example, if we add the accept-lifetime command to the key chain configuration like this, while the router clock reads 23:01:19.203 UTC Wed Dec 3 2011:

   

key chain AUTH
 key 1
   key-string 123456
   accept-lifetime 16:00:00 Oct 14 2011 14:00:00 Dec 2 2011
   send-lifetime 15:00:00 Oct 15 2011 infinite

Because the clock is already past 14:00:00 Dec 2 2011, the EIGRP neighborship is torn down with this error message:

%DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.12.1 (FastEthernet0/0) is down: Auth failure

The accept-lifetime of key 1 has expired, so packets authenticated with key 1 are no longer accepted, and there is no other valid key in the chain.


Let's do another time-based EIGRP authentication configuration example.

We set the clock manually on both routers to the same time:

clock set 22:58:00 Nov 30 2011

Then we configure this key chain on both routers:

key chain AUTH
 key 1
   key-string 123456
   accept-lifetime 16:00:00 Oct 14 2011 14:00:00 Dec 2 2011
   send-lifetime 15:00:00 Oct 15 2011 23:00:00 Nov 30 2011
 key 2
   key-string 123456
   accept-lifetime 22:00:00 Nov 30 2011 infinite
   send-lifetime 22:00:00 Nov 30 2011 infinite

Note: for sending, the lowest key ID whose send-lifetime is currently valid is always preferred. For receiving, the key ID carried in the packet is looked up in the chain and must be within its accept-lifetime.


Then we wait for the key ID to change after 23:00:00, when the send-lifetime of key 1 ends.

Here is the debug eigrp packets output on R1:



Nov 30 22:59:55.459: EIGRP: received packet with MD5 authentication, key id = 1
Nov 30 22:59:55.463: EIGRP: Received HELLO on FastEthernet0/0 nbr 192.168.12.2
Nov 30 22:59:55.467:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
Nov 30 22:59:57.291: EIGRP: Sending HELLO on FastEthernet0/1
Nov 30 22:59:57.295:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
Nov 30 22:59:57.615: EIGRP: Sending HELLO on Loopback0
Nov 30 22:59:57.619:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
Nov 30 22:59:57.631: EIGRP: Received HELLO on Loopback0 nbr 192.168.0.1
Nov 30 22:59:57.635:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0
Nov 30 22:59:57.635: EIGRP: Packet from ourselves ignored
Nov 30 22:59:57.963: EIGRP: Sending HELLO on FastEthernet0/0
Nov 30 22:59:57.967:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
Nov 30 22:59:58.063: EIGRP: Received HELLO on FastEthernet0/1 nbr 192.168.13.3
Nov 30 22:59:58.067:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
Nov 30 23:00:00.199: EIGRP: received packet with MD5 authentication, key id = 1
Nov 30 23:00:00.203: EIGRP: Received HELLO on FastEthernet0/0 nbr 192.168.12.2
Nov 30 23:00:00.207:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
Nov 30 23:00:01.763: EIGRP: Sending HELLO on FastEthernet0/1
Nov 30 23:00:01.767:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
Nov 30 23:00:02.231: EIGRP: Sending HELLO on Loopback0
Nov 30 23:00:02.235:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
Nov 30 23:00:02.243: EIGRP: Received HELLO on Loopback0 nbr 192.168.0.1
Nov 30 23:00:02.247:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0
Nov 30 23:00:02.247: EIGRP: Packet from ourselves ignored
Nov 30 23:00:02.443: EIGRP: Sending HELLO on FastEthernet0/0
Nov 30 23:00:02.447:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
Nov 30 23:00:02.779: EIGRP: Received HELLO on FastEthernet0/1 nbr 192.168.13.3
Nov 30 23:00:02.783:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
Nov 30 23:00:05.131: EIGRP: received packet with MD5 authentication, key id = 2
Nov 30 23:00:05.135: EIGRP: Received HELLO on FastEthernet0/0 nbr 192.168.12.2
Nov 30 23:00:05.139:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
Nov 30 23:00:06.307: EIGRP: Sending HELLO on FastEthernet0/1
Nov 30 23:00:06.311:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
Nov 30 23:00:06.491: EIGRP: Sending HELLO on Loopback0
Nov 30 23:00:06.495:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
Nov 30 23:00:06.495: EIGRP: Received HELLO on Loopback0 nbr 192.168.0.1
Nov 30 23:00:06.495:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0
Nov 30 23:00:06.495: EIGRP: Packet from ourselves ignored
Nov 30 23:00:07.063: EIGRP: Sending HELLO on FastEthernet0/0
Nov 30 23:00:07.067:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
Nov 30 23:00:07.723: EIGRP: Received HELLO on FastEthernet0/1 nbr 192.168.13.3
Nov 30 23:00:07.723:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
Nov 30 23:00:10.091: EIGRP: received packet with MD5 authentication, key id = 2

The key ID changed from 1 to 2 (visible in the neighbor's hellos from 23:00:05) without resetting the EIGRP neighborship, because the accept-lifetime of key 2 had already started at 22:00:00 on both routers: during the overlap a router accepts packets signed with either key, whichever one the neighbor is currently sending. That overlap is what lets a rotation survive clock skew between the two routers, so their clocks should be synchronized (for example with NTP). Note that in this lab both keys carry the same key-string; in a real rotation key 2 would carry a new secret, otherwise nothing has actually been rotated.

R2#show key chain
Key-chain AUTH:
    key 1 -- text "123456"
        accept lifetime (16:00:00 UTC Oct 14 2011) - (14:00:00 UTC Dec 2 2011) [valid now]
        send lifetime (15:00:00 UTC Oct 15 2011) - (23:00:00 UTC Nov 30 2011)
    key 2 -- text "123456"
        accept lifetime (22:00:00 UTC Nov 30 2011) - (infinite) [valid now]
        send lifetime (22:00:00 UTC Nov 30 2011) - (infinite) [valid now]

Eigrp Authentication

Eigrp Authentication

- EIGRP authentication must be enabled on both neighboring routers (on the interfaces facing each other).
- The key ID and the key-string must match on both routers.

These configurations should be added to both EIGRP neighboring routers for EIGRP authentication:

key chain AUTH
 key 10
   key-string 123456

interface FastEthernet0/0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 AUTH


If we enable EIGRP authentication on only one of them, we get this type of message when the “debug eigrp packets” command is active:

* EIGRP: FastEthernet0/0: ignored packet from 192.168.12.2, opcode = 5 (missing authentication)

If the key ID or the key-string does not match, we get this type of message when the “debug eigrp packets” command is active:

*EIGRP: FastEthernet0/0: ignored packet from 192.168.12.2, opcode = 5 (invalid authentication)
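The key-chain rules from this post and from the time-based post above, as an added example (this is not code from the original page): a small Python model in which the sender uses the lowest key ID whose send-lifetime is current, and the receiver looks up the key ID carried in the packet and requires a current accept-lifetime and a matching key-string. The key IDs, key-strings and lifetimes are the ones shown above; the verdict strings ("accepted", "key expired", "missing authentication", "invalid authentication") are this model's own labels, not IOS log messages.

```python
from datetime import datetime, timezone

# Added example: how IOS chooses the EIGRP MD5 key from a key chain and how the
# receiver validates it. Lifetimes are the ones from the posts above.

INFINITE = datetime.max.replace(tzinfo=timezone.utc)

def when(text):
    """Parse an IOS-style timestamp such as '14:00:00 Dec 2 2011' as UTC."""
    return datetime.strptime(text, "%H:%M:%S %b %d %Y").replace(tzinfo=timezone.utc)

def window(start, end):
    """A lifetime as (start, end); 'infinite' means no end."""
    return (when(start), INFINITE if end == "infinite" else when(end))

# First time-based example: one key whose accept-lifetime ends on Dec 2 2011.
CHAIN_SINGLE_KEY = {
    1: {"key_string": "123456",
        "accept": window("16:00:00 Oct 14 2011", "14:00:00 Dec 2 2011"),
        "send":   window("15:00:00 Oct 15 2011", "infinite")},
}

# Second example: key 2 overlaps key 1 so the rotation is hitless.
CHAIN_ROTATION = {
    1: {"key_string": "123456",
        "accept": window("16:00:00 Oct 14 2011", "14:00:00 Dec 2 2011"),
        "send":   window("15:00:00 Oct 15 2011", "23:00:00 Nov 30 2011")},
    2: {"key_string": "123456",
        "accept": window("22:00:00 Nov 30 2011", "infinite"),
        "send":   window("22:00:00 Nov 30 2011", "infinite")},
}

def active(lifetime, now):
    start, end = lifetime
    return start <= now < end

def send_key_id(chain, now):
    """Sender side: the lowest key ID whose send-lifetime covers `now`."""
    for key_id in sorted(chain):
        if active(chain[key_id]["send"], now):
            return key_id
    return None

def check_received(chain, key_id, key_string, now):
    """Receiver side: the packet's key ID must exist in the chain, carry the
    matching key-string and be inside its accept-lifetime."""
    if key_id is None:
        return "missing authentication"
    entry = chain.get(key_id)
    if entry is None or entry["key_string"] != key_string:
        return "invalid authentication"
    if not active(entry["accept"], now):
        return "key expired"
    return "accepted"

def hello_exchange(sender_chain, receiver_chain, now_text):
    """One authenticated hello at the given time: the sender picks its key,
    the receiver checks it. Returns (key ID used, receiver verdict)."""
    now = when(now_text)
    key_id = send_key_id(sender_chain, now)
    key_string = sender_chain[key_id]["key_string"] if key_id is not None else None
    return key_id, check_received(receiver_chain, key_id, key_string, now)

if __name__ == "__main__":
    # Rotation: key 1 until 23:00:00, key 2 afterwards, neighborship stays up.
    for stamp in ("22:59:55 Nov 30 2011", "23:00:05 Nov 30 2011"):
        print(stamp, hello_exchange(CHAIN_ROTATION, CHAIN_ROTATION, stamp))
    # Single key past its accept-lifetime: still sent, but rejected on receipt.
    print(hello_exchange(CHAIN_SINGLE_KEY, CHAIN_SINGLE_KEY, "23:01:19 Dec 3 2011"))
    # Authentication enabled on one side only: the hello carries no key at all.
    print(check_received(CHAIN_ROTATION, None, None, when("23:00:05 Nov 30 2011")))
```

The model makes the operational point of both posts explicit: the send-lifetime decides which key a router signs with, the accept-lifetime decides what it will tolerate from its neighbor, and the gap between the two is the window in which a neighbor with a slightly different clock still authenticates.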



Basic Eigrp Configuration

Basic Eigrp Configuration

After the EIGRP process is configured on the router, the router starts sending EIGRP hello packets to the multicast address 224.0.0.10. EIGRP neighborships form between routers after they receive each other's hello packets.

Some rules for these neighborships:

- The receiving router compares the source address of the hello packet with the IP address of the interface on which the packet was received. These addresses must be in the same subnet.
- The routers compare each other's K values (the metric weights). These K values must match.
- The routers must use the same EIGRP AS number.
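
The three checks above applied to a received hello, as an added example (not code from the original post). The interface address and AS number are the ones used in this post; the hello records are constructed samples, not decoded packets, and the reason strings are this example's own.

```python
import ipaddress

# Added example: the neighbor checks from the list above, applied to a hello
# received on a local interface. Hellos are constructed dicts, not packets.

IOS_DEFAULT_K = (1, 0, 1, 0, 0)  # K1..K5 as IOS sets them by default

def hello_accepted(local_iface, local_as, local_k, hello):
    """Return (True, 'ok') if a hello received on local_iface (address/prefix,
    e.g. '192.168.12.1/24') can form a neighborship, else (False, reason)."""
    iface = ipaddress.ip_interface(local_iface)
    src = ipaddress.ip_address(hello["src"])
    if src not in iface.network:
        return False, "source %s is not in %s" % (src, iface.network)
    if hello["as"] != local_as:
        return False, "AS mismatch: got %d, local is %d" % (hello["as"], local_as)
    if tuple(hello["k"]) != tuple(local_k):
        return False, "K-value mismatch: got %s, local is %s" % (hello["k"], local_k)
    return True, "ok"

# Constructed hellos as R1 might see them on FastEthernet0/0 (192.168.12.1/24, AS 1).
SAMPLE_HELLOS = [
    {"src": "192.168.12.2", "as": 1, "k": IOS_DEFAULT_K},    # R2: neighborship forms
    {"src": "192.168.13.3", "as": 1, "k": IOS_DEFAULT_K},    # wrong subnet for this interface
    {"src": "192.168.12.2", "as": 2, "k": IOS_DEFAULT_K},    # different AS number
    {"src": "192.168.12.2", "as": 1, "k": (1, 1, 1, 0, 0)},  # K2 changed on one side
]

def check_all(local_iface="192.168.12.1/24", local_as=1, local_k=IOS_DEFAULT_K,
              hellos=SAMPLE_HELLOS):
    return [hello_accepted(local_iface, local_as, local_k, h) for h in hellos]

if __name__ == "__main__":
    for hello, (ok, why) in zip(SAMPLE_HELLOS, check_all()):
        print(hello["src"], "AS", hello["as"], "->", "up" if ok else "ignored (%s)" % why)
```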

Basic EIGRP configuration between two routers:

Router1:

interface Loopback0
 ip address 192.168.0.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0

router eigrp 1
 network 192.168.0.0 0.0.255.255
 no auto-summary

Here is the basic EIGRP configuration for Router2:

interface Loopback0
 ip address 192.168.0.2 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0

router eigrp 1
 network 192.168.0.0 0.0.255.255
 no auto-summary


Verification:

R1#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   192.168.12.2            Fa0/0             13 00:25:40  286  1716  0  36

The fields of the “show ip eigrp neighbors” command output:

H— The handle, an internal number identifying the neighbor, assigned in the order the neighbors were learned.

Address— The IP address of the neighbor.

Interface— The interface through which the router communicates with the neighbor.

Hold— The remaining hold time for the neighbor, in seconds. If this timer reaches 0, the neighbor is declared down.

Uptime— How long the neighborship has been established.

SRTT (Smooth Round Trip Time)— The average time, in milliseconds, between sending an EIGRP packet to the neighbor and receiving the acknowledgment.

RTO (Retransmission Timeout)— How long, in milliseconds, the router waits before retransmitting a reliable EIGRP packet when no acknowledgment is received.

Q Count— The number of EIGRP packets waiting in the queue to be sent to the neighbor.

Sequence Number— The sequence number of the last reliable EIGRP packet received from the neighbor.

Eigrp Metric Calculation

EIGRP Metric Calculation:
EIGRP Metric = 256 x [(10000000 / minimum bandwidth in kbps along the path) + (total delay in tens of microseconds along the path)]

This is the classic metric with the default K values (K1=1, K3=1, K2=K4=K5=0). The division is integer arithmetic, so the bandwidth term is truncated.

Let's do an example of EIGRP metric calculation. Suppose we have an EIGRP topology entry like this:

R1#show ip eigrp topology 192.168.0.2/32
IP-EIGRP (AS 1): Topology entry for 192.168.0.2/32
  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 409600
  Routing Descriptor Blocks:
  192.168.12.2 (FastEthernet0/0), from 192.168.12.2, Send flag is 0x0
      Composite metric is (409600/128256), Route is Internal
      Vector metric:
        Minimum bandwidth is 10000 Kbit
        Total delay is 6000 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1500
        Hop count is 1

The formula is:
EIGRP Metric = 256 x [(10000000 / minimum bandwidth in kbps along the path) + (total delay in tens of microseconds along the path)]
So:
256 x [(10000000 / 10000) + (6000 / 10)] = 256 x (1000 + 600) = 256 x 1600 = 409600, which is the EIGRP metric (the FD) shown for this route.
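
As an added example (not code from the original page), here is the metric written out with the K values explicit, applied to the topology entry above. The interface values it assumes are not shown on the page: R2's Loopback0 with the IOS loopback defaults (8000000 kbps bandwidth, 5000 microseconds delay) and the R1-R2 Ethernet link running at 10000 kbps with 1000 microseconds delay. They are inferred because they reproduce both numbers in "Composite metric is (409600/128256)": 128256 is the reported distance, R2's own metric to its loopback, and adding the link on R1's side gives the 409600 feasible distance.

```python
from dataclasses import dataclass

# Added example: the classic EIGRP composite metric with K1..K5 explicit.
# With the IOS defaults (1, 0, 1, 0, 0) it reduces to the formula on the page.
# IOS uses integer arithmetic: the bandwidth term is truncated and delay is
# counted in tens of microseconds.

@dataclass(frozen=True)
class Hop:
    bandwidth_kbps: int   # interface bandwidth in kbps
    delay_us: int         # interface delay in microseconds

def eigrp_metric(min_bw_kbps, total_delay_us, load=1, reliability=255,
                 k=(1, 0, 1, 0, 0)):
    k1, k2, k3, k4, k5 = k
    bw = 10_000_000 // min_bw_kbps
    dly = total_delay_us // 10
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * dly
    if k5 != 0:  # the reliability term only applies when K5 is non-zero
        metric = (metric * k5) // (reliability + k4)
    return metric * 256

def path_metric(hops, **kw):
    """Metric of a path: the lowest bandwidth and the summed delay of its hops."""
    return eigrp_metric(min(h.bandwidth_kbps for h in hops),
                        sum(h.delay_us for h in hops), **kw)

# Assumed interface values (not on the page, see the lead-in): R2's Loopback0
# with IOS loopback defaults, and the R1-R2 Ethernet link at 10 Mbps.
R2_LOOPBACK = Hop(bandwidth_kbps=8_000_000, delay_us=5_000)
R1_R2_LINK = Hop(bandwidth_kbps=10_000, delay_us=1_000)

def reported_distance():
    """R2's own metric to 192.168.0.2/32, as advertised to R1."""
    return path_metric([R2_LOOPBACK])

def feasible_distance():
    """R1's metric via Fa0/0: minimum bandwidth 10000 kbps, total delay 6000 us."""
    return path_metric([R1_R2_LINK, R2_LOOPBACK])

if __name__ == "__main__":
    print("RD", reported_distance(), "FD", feasible_distance())
```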

Monday, December 26, 2011

Cisco RIP filtering routes with Prefix-Lists

Cisco RIP filtering routes with Prefix-Lists:

Here is the topology for this example:



We will configure R1 to filter every route received from R3 (gateway 192.168.13.3):

Before the configuration:

R1#show ip route rip
     100.0.0.0/22 is subnetted, 1 subnets
R       100.100.100.0 [120/4] via 192.168.13.3, 00:00:22, FastEthernet0/1

We configure RIP filtering with prefix-lists on R1:

router rip
 version 2
 network 192.168.0.0
 network 192.168.12.0
 network 192.168.13.0
 distribute-list prefix FILTER gateway GW-R3 in
 no auto-summary
!
ip prefix-list FILTER seq 10 permit 0.0.0.0/0 le 32
!
ip prefix-list GW-R3 seq 5 deny 192.168.13.3/32
ip prefix-list GW-R3 seq 10 permit 0.0.0.0/0 le 32

After the configuration:

R1#show ip route rip
     100.0.0.0/22 is subnetted, 1 subnets
R       100.100.100.0 [120/10] via 192.168.12.2, 00:00:04, FastEthernet0/0
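
As an added example (not code from the original post): IOS prefix-list matching, including the ge/le length modifiers (this post only uses "le 32"), and the inbound "distribute-list prefix FILTER gateway GW-R3 in" from R1's configuration applied to constructed RIP updates. The update records and their hop counts are constructed for the illustration.

```python
import ipaddress

# Added example: prefix-list semantics and the gateway + prefix distribute-list
# from R1's config above. Updates are constructed samples.

def prefix_list_match(entries, prefix):
    """entries: (seq, action, 'net/len', ge, le). An entry matches when the
    candidate shares the entry's first len bits and its own length lies in
    [ge, le]; with no modifier the length must equal len, and 'ge' alone
    allows lengths up to 32. First match in seq order wins; implicit deny."""
    cand = ipaddress.ip_network(prefix)
    for _seq, action, net, ge, le in sorted(entries, key=lambda e: e[0]):
        entry = ipaddress.ip_network(net)
        lo = ge if ge is not None else entry.prefixlen
        hi = le if le is not None else (32 if ge is not None else entry.prefixlen)
        if lo <= cand.prefixlen <= hi and cand.subnet_of(entry):
            return action
    return "deny"

# ip prefix-list FILTER seq 10 permit 0.0.0.0/0 le 32
FILTER = [(10, "permit", "0.0.0.0/0", None, 32)]
# ip prefix-list GW-R3 seq 5 deny 192.168.13.3/32 ; seq 10 permit 0.0.0.0/0 le 32
GW_R3 = [(5, "deny", "192.168.13.3/32", None, None),
         (10, "permit", "0.0.0.0/0", None, 32)]

def inbound_filter(updates, prefix_list=FILTER, gateway_list=GW_R3):
    """distribute-list prefix X gateway Y in: a route is accepted only if its
    source gateway (as a /32) passes Y and the prefix itself passes X."""
    return [(gw, pfx, hops) for gw, pfx, hops in updates
            if prefix_list_match(gateway_list, gw + "/32") == "permit"
            and prefix_list_match(prefix_list, pfx) == "permit"]

UPDATES = [  # constructed: (gateway, prefix, hop count) as received by R1
    ("192.168.13.3", "100.100.100.0/22", 4),
    ("192.168.12.2", "100.100.100.0/22", 10),
    ("192.168.13.3", "192.168.34.0/24", 1),
]

if __name__ == "__main__":
    for route in inbound_filter(UPDATES):
        print("accepted", route)
```

Everything from 192.168.13.3 is dropped by the gateway list, so only the 100.100.100.0/22 route via 192.168.12.2 survives, which is what R1's table shows after the configuration.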

Cisco RIP Offset-list Configuration example

Cisco RIP Offset-list Configuration example:

A RIP offset-list adds a fixed offset to the metric (hop count) of routes in inbound or outbound RIP updates, optionally only on one interface and only for the routes matched by an access list.

Here is the topology for RIP Offset-list configuration example:



We will configure an outbound RIP offset-list on R2 for the route 100.100.100.0/22. This outbound offset-list is attached to the link towards R1 (FastEthernet0/0):

access-list 1 permit 100.100.100.0

router rip
 version 2
 offset-list 1 out 5 FastEthernet0/0
 network 192.168.0.0
 network 192.168.12.0
 network 192.168.24.0
 no auto-summary

R1's routing table before this configuration:

R1#show ip route rip
     100.0.0.0/22 is subnetted, 1 subnets
R       100.100.100.0 [120/4] via 192.168.13.3, 00:00:25, FastEthernet0/1
                                  [120/4] via 192.168.12.2, 00:00:13, FastEthernet0/0
R    192.168.24.0/24 [120/1] via 192.168.12.2, 00:00:13, FastEthernet0/0
R    192.168.34.0/24 [120/1] via 192.168.13.3, 00:00:25, FastEthernet0/1
     192.168.0.0/32 is subnetted, 4 subnets
R       192.168.0.2 [120/1] via 192.168.12.2, 00:00:13, FastEthernet0/0
R       192.168.0.3 [120/1] via 192.168.13.3, 00:00:25, FastEthernet0/1
R       192.168.0.4 [120/2] via 192.168.13.3, 00:00:25, FastEthernet0/1
                    [120/2] via 192.168.12.2, 00:00:13, FastEthernet0/0


After the configuration:

R1#debug ip rip
RIP protocol debugging is on
*Mar  1 01:28:52.991: RIP: received packet with MD5 authentication
*Mar  1 01:28:52.995: RIP: received v2 update from 192.168.12.2 on FastEthernet0/0
*Mar  1 01:28:52.995:      100.100.100.0/22 via 0.0.0.0 in 9 hops
*Mar  1 01:28:52.995:      192.168.0.2/32 via 0.0.0.0 in 1 hops
*Mar  1 01:28:52.999:      192.168.0.4/32 via 0.0.0.0 in 2 hops
*Mar  1 01:28:52.999:      192.168.24.0/24 via 0.0.0.0 in 1 hops
*Mar  1 01:28:52.999:      192.168.34.0/24 via 0.0.0.0 in 2 hops

R1's routing table after the RIP offset-list configuration on R2 (the path via R2 now has a metric of 9, so only the path via R3 is installed):

R1#show ip route rip
     100.0.0.0/22 is subnetted, 1 subnets
R       100.100.100.0 [120/4] via 192.168.13.3, 00:00:23, FastEthernet0/1
R    192.168.24.0/24 [120/1] via 192.168.12.2, 00:00:12, FastEthernet0/0
R    192.168.34.0/24 [120/1] via 192.168.13.3, 00:00:23, FastEthernet0/1
     192.168.0.0/32 is subnetted, 4 subnets
R       192.168.0.2 [120/1] via 192.168.12.2, 00:00:12, FastEthernet0/0
R       192.168.0.3 [120/1] via 192.168.13.3, 00:00:23, FastEthernet0/1
R       192.168.0.4 [120/2] via 192.168.13.3, 00:00:23, FastEthernet0/1
                    [120/2] via 192.168.12.2, 00:00:12, FastEthernet0/0

If we use offset-list 0 instead of an access list, the offset applies to all routes:

On R2:

router rip
 version 2
 offset-list 0 out 6 FastEthernet0/0
 network 192.168.0.0
 network 192.168.12.0
 network 192.168.24.0
 no auto-summary

R1#debug ip rip
*Mar  1 01:38:29.923: RIP: received packet with MD5 authentication
*Mar  1 01:38:29.923: RIP: received v2 update from 192.168.12.2 on FastEthernet0/0
*Mar  1 01:38:29.927:      100.100.100.0/22 via 0.0.0.0 in 10 hops
*Mar  1 01:38:29.927:      192.168.0.2/32 via 0.0.0.0 in 7 hops
*Mar  1 01:38:29.931:      192.168.0.4/32 via 0.0.0.0 in 8 hops
*Mar  1 01:38:29.931:      192.168.24.0/24 via 0.0.0.0 in 7 hops
*Mar  1 01:38:29.935:      192.168.34.0/24 via 0.0.0.0 in 8 hops
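
As an added example (not code from the original post), a model of "offset-list <acl> out <offset> <interface>" applied to the routes R2 advertises to R1. The hop counts R2 sends before any offset are reconstructed from the debug output above minus the configured offset (R1 installs the hop count exactly as received); the cap at 16 is this model's handling of RIP's infinity metric.

```python
import ipaddress

# Added example: outbound offset-list with a standard ACL, as configured on R2.
# RIP treats a metric of 16 as unreachable, so the model caps the sum there.

RIP_INFINITY = 16

def acl_permits(entries, network):
    """Standard ACL match on a route's network address. entries is a list of
    (action, address, wildcard) in order; None stands for 'offset-list 0',
    which matches every route. Implicit deny at the end."""
    if entries is None:
        return True
    addr = int(ipaddress.ip_address(network))
    for action, address, wildcard in entries:
        base = int(ipaddress.ip_address(address))
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if (addr & care) == (base & care):
            return action == "permit"
    return False

def offset_out(routes, entries, offset):
    """Return the (prefix, hops) list as advertised after the offset-list."""
    advertised = []
    for prefix, hops in routes:
        if acl_permits(entries, prefix.split("/")[0]):
            hops = min(hops + offset, RIP_INFINITY)
        advertised.append((prefix, hops))
    return advertised

# 'access-list 1 permit 100.100.100.0' (standard ACL, implicit wildcard 0.0.0.0)
ACL_1 = [("permit", "100.100.100.0", "0.0.0.0")]

R2_TO_R1 = [  # constructed: hop counts R2 sends to R1 with no offset-list
    ("100.100.100.0/22", 4),
    ("192.168.0.2/32", 1),
    ("192.168.0.4/32", 2),
    ("192.168.24.0/24", 1),
    ("192.168.34.0/24", 2),
]

if __name__ == "__main__":
    print(offset_out(R2_TO_R1, ACL_1, 5))   # only 100.100.100.0/22 becomes 9 hops
    print(offset_out(R2_TO_R1, None, 6))    # every route gets +6, as in the last debug
```

The cap is the practical caveat: an offset that pushes a route to 16 hops does not merely deprioritize it, it withdraws it.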

Cisco RIP Summarization Configuration Example

RIP Summarization Configuration Example

We will configure RIP Summarization by using ip summary-address rip command.

Here is the topology for this example:



In this example we will create four connected loopback interfaces on R4 and redistribute them into RIP with a metric of 3. Then we will summarize them on R2 and R3 with the ip summary-address rip command.

Configuration of R4:

interface Loopback0
 ip address 192.168.0.4 255.255.255.255
!
interface Loopback100
 ip address 100.100.100.1 255.255.255.0
!
interface Loopback101
 ip address 100.100.101.1 255.255.255.0
!
interface Loopback102
 ip address 100.100.102.1 255.255.255.0
!
interface Loopback103
 ip address 100.100.103.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.24.4 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.34.4 255.255.255.0
!
router rip
 version 2
 redistribute connected metric 3
 network 192.168.0.0
 network 192.168.24.0
 network 192.168.34.0
 no auto-summary


Then R2 and R3 learn these routes (shown here on R3):

R3#show ip route rip
R    192.168.12.0/24 [120/1] via 192.168.13.1, 00:00:08, FastEthernet0/0
     100.0.0.0/24 is subnetted, 4 subnets
R       100.100.100.0 [120/3] via 192.168.34.4, 00:00:17, FastEthernet0/1
R       100.100.101.0 [120/3] via 192.168.34.4, 00:00:17, FastEthernet0/1
R       100.100.102.0 [120/3] via 192.168.34.4, 00:00:17, FastEthernet0/1
R       100.100.103.0 [120/3] via 192.168.34.4, 00:00:17, FastEthernet0/1
R    192.168.24.0/24 [120/1] via 192.168.34.4, 00:00:17, FastEthernet0/1
     192.168.0.0/32 is subnetted, 4 subnets
R       192.168.0.1 [120/1] via 192.168.13.1, 00:00:08, FastEthernet0/0
R       192.168.0.2 [120/2] via 192.168.34.4, 00:00:17, FastEthernet0/1
                    [120/2] via 192.168.13.1, 00:00:08, FastEthernet0/0
R       192.168.0.4 [120/1] via 192.168.34.4, 00:00:17, FastEthernet0/1

On R2 and R3 we configure RIP summarization on the interface facing R1 with the ip summary-address rip command:

interface FastEthernet0/0
 ip summary-address rip 100.100.100.0 255.255.252.0

R1 gets the summary, not the more specific routes:

R1#show ip route rip
     100.0.0.0/22 is subnetted, 1 subnets
R       100.100.100.0 [120/4] via 192.168.13.3, 00:00:24, FastEthernet0/1
                                  [120/4] via 192.168.12.2, 00:00:26, FastEthernet0/0
R    192.168.24.0/24 [120/1] via 192.168.12.2, 00:00:26, FastEthernet0/0
R    192.168.34.0/24 [120/1] via 192.168.13.3, 00:00:24, FastEthernet0/1
     192.168.0.0/32 is subnetted, 4 subnets
R       192.168.0.2 [120/1] via 192.168.12.2, 00:00:26, FastEthernet0/0
R       192.168.0.3 [120/1] via 192.168.13.3, 00:00:24, FastEthernet0/1
R       192.168.0.4 [120/2] via 192.168.13.3, 00:00:24, FastEthernet0/1
                    [120/2] via 192.168.12.2, 00:00:26, FastEthernet0/0
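
As an added example (not code from the original post), a check of the summary that "ip summary-address rip 100.100.100.0 255.255.252.0" advertises: it derives the smallest supernet covering the four /24s learned from R4, compares it with the configured summary, takes the lowest component metric (RIP advertises a summary with the lowest metric among its components, plus one hop on the way out), and reports how much of the summary has no component route behind it. The component list is taken from R3's table above.

```python
import ipaddress

# Added example: derive and sanity-check a RIP summary from its component routes.

def rip_summary(components):
    """components: list of (prefix, hops). Returns (summary prefix, lowest
    component hops, number of addresses in the summary with no component)."""
    nets = [ipaddress.ip_network(p) for p, _ in components]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()  # widen one bit at a time
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return str(summary), min(h for _, h in components), summary.num_addresses - covered

def configured_summary(address, mask):
    """The network named by 'ip summary-address rip <address> <mask>'."""
    return str(ipaddress.ip_network("%s/%s" % (address, mask)))

# From R3's table above: the four /24s learned from R4 at 3 hops.
R4_ROUTES = [
    ("100.100.100.0/24", 3),
    ("100.100.101.0/24", 3),
    ("100.100.102.0/24", 3),
    ("100.100.103.0/24", 3),
]

if __name__ == "__main__":
    summary, hops, holes = rip_summary(R4_ROUTES)
    print(summary, "lowest component metric", hops, "uncovered addresses", holes)
    print("matches config:", summary == configured_summary("100.100.100.0", "255.255.252.0"))
```

The uncovered-address count is worth watching in real networks: a summary that covers space with no component route attracts traffic for it, which then goes nowhere at the summarizing router.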

Let's check reachability:

R1#ping 100.100.100.1 source 192.168.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.100.100.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/55/88 ms

R1#ping 100.100.101.1 source 192.168.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.100.101.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/64/92 ms

R1#ping 100.100.102.1 source 192.168.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.100.102.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/68/88 ms

R1#ping 100.100.103.1 source 192.168.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.100.103.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/80/96 ms