All Cisco-Network Study Notes: EIGRP Authentication

EIGRP Authentication

EIGRP authentication, abundant like OSPF authentication, requires the conception of keys and requires

authentication to be enabled on a per-interface basis. The keys are acclimated as the abstruse (private) key

used in an MD5 calculation. (EIGRP does not abutment clear-text authentication.)

Multiple keys are accustomed and are aggregate calm application a assemble alleged a key chain. A key

chain is artlessly a set of accompanying keys, anniversary of which has a altered cardinal and may be restricted

to a time period. By acceptance assorted accompanying keys in a key chain, with anniversary key accurate during

specified time periods, the architect can calmly plan for allowance to new keys in the future. (NTP

is recommended aback keys are belted by time ranges, because the bounded times on the routers

must be synchronized for this affection to assignment correctly.)

Cisco IOS enables the EIGRP affidavit action on a per-interface base application the command

ip affidavit approach eigrp asn md5, and refers to the key alternation that holds the keys with the

ip affidavit key-chain eigrp asn key_name interface subcommand. The router looks in the

key alternation and selects the key(s) accurate at that accurate time.

Example 8-7 shows the EIGRP affidavit agreement for R1, R2, and R4, and includes a

few added comments. The arrangement in Figure 8-1 is the base for this example.

Example 8-7 EIGRP Affidavit (R1, R2, and R4)

! First, R1 Config

! Alternation “carkeys” will be acclimated on R1’s LAN. R1 will use key “fred” for

! about a month, and again alpha application “wilma.”

key alternation carkeys

key 1

key-string fred

accept-lifetime 08:00:00 Jun 11 2007 08:00:00 Jul 11 2007

send-lifetime 08:00:00 Jun 11 2007 08:00:00 Jul 11 2007

key 2

key-string wilma

accept-lifetime 08:00:00 Jul 10 2007 08:00:00 Aug 11 2007

send-lifetime 08:00:00 Jul 10 2007 08:00:00 Aug 11 2007

! Next, key alternation “anothersetofkeys” defines the key to be

! acclimated with R4.

key alternation anothersetofkeys

key 1

key-string barney

! Next, R1’s interface subcommands are shown.

! The key alternation is referenced

! application the ip eigrp 1 affidavit command.

interface FastEthernet0/0

ip abode 172.31.11.1 255.255.255.0

ip affidavit approach eigrp 1 md5

ip affidavit key-chain eigrp 1 carkeys

! Below, R1 enables EIGRP affidavit on

EIGRP Agreement 227

Although the comments in Archetype 8-7 explain the added important details, one added point needs

to be fabricated apropos the key lifetimes. The agreement shows that two of the keys’ lifetimes

overlap by a day. On that day, EIGRP would use the key with the everyman key number. By using

such logic, you could alpha by configuring one key. Later, you could again add a additional key on all

the routers, with overlapping time periods, but still use the aboriginal key. Finally, you could either

let the aboriginal key expire or annul the aboriginal key, acceptance for accessible key migration.

EIGRP Automated Summarization

EIGRP defaults to use automated summarization, or autosummarization. Autosummarization can

be disabled with the no auto-summary command beneath router eigrp process. Unless you

particularly appetite a router to autosummarize application EIGRP, you should configure the no autosummary

command to attenuate this feature. (Note that EIGRP autosummarization works the same

in abstraction as autosummarization with RIP, which discussed in the Affiliate 7 area titled

“Enabling RIP and the Effects of Autosummarization.”

! the subinterface abutting to R4.

interface Serial0/0.4 point-to-point

ip abode 172.31.14.1 255.255.255.252

ip affidavit approach eigrp 1 md5

ip affidavit key-chain eigrp 1 anothersetofkeys

! R2 Config – R2 Config – R2 Config

! Next, on R2, the key alternation name (housekeys) differs with

! R1’s key alternation name (carkeys), but

! the key cord “fred” is the same.

key alternation housekeys

key 1

key-string fred

interface FastEthernet0/0

ip abode 172.31.11.2 255.255.255.0

ip affidavit approach eigrp 1 md5

ip affidavit key-chain eigrp 1 housekeys

! R4 Config – R4 Config – R4 Config

! Next, R4 enables EIGRP affidavit on its subinterface abutting to R1.

key alternation boatkeys

key 1

key-string barney

interface Serial0/0.1 point-to-point

ip abode 172.31.14.2 255.255.255.252

ip affidavit approach eigrp 1 md5

ip affidavit key-chain eigrp 1 boatkeys

Example 8-7 EIGRP Affidavit (R1, R2, and R4)

228 Affiliate 8: EIGRP

EIGRP Breach Horizon

EIGRP bound its updates application split-horizon logic. Breach border can be disabled on a perinterface

basis by application the no ip split-horizon eigrp asn interface subcommand. Most interface

types accredit breach border by default, with the notable barring of a concrete consecutive interface

configured for Frame Relay.

EIGRP Avenue Filtering

Outbound and entering EIGRP updates can be filtered at any interface, or for the absolute EIGRP

process. To clarify the routes, the distribute-list command is acclimated beneath router eigrp asn,

referencing an IP ACL.

The all-encompassing command, aback creating an EIGRP administration account that uses an ACL, is

distribute-list {access-list-number | name} {in | out} [interface-type interfacenumber]

Example 8-8 shows an entering administration account on router R2 (in the archetype in Figure 8-1),

filtering routes in the 172.31.196.0/22 range. For this example, R2 now receives several /24 and

/30 routes from S2, application EIGRP. The routes are in the ambit of 172.31.192.0/21, and the ambition is

to clarify the high bisected of that numeric range.

Example 8-8 EIGRP Administration List

! The archetype begins with a account of the routes that should be filtered.

! Agenda that the longer-prefixes advantage beneath makes the command

! account all routes in the range.

! The accent curve are the ones that will be filtered.

R2# appearance ip avenue 172.31.192.0 255.255.248.0 longer-prefixes

! Curve bare for brevity; in this case, the fable was deleted

172.31.0.0/16 is variably subnetted, 24 subnets, 3 masks

D 172.31.195.0/30 [120/1] via 172.31.11.202, 00:00:18, FastEthernet0/0

D 172.31.194.0/24 [120/1] via 172.31.11.202, 00:00:18, FastEthernet0/0

D 172.31.196.4/30 [120/1] via 172.31.11.202, 00:00:18, FastEthernet0/0

D 172.31.195.4/30 [120/1] via 172.31.11.202, 00:00:18, FastEthernet0/0

D 172.31.197.0/24 [120/1] via 172.31.11.202, 00:00:19, FastEthernet0/0

D 172.31.196.0/30 [120/1] via 172.31.11.202, 00:00:19, FastEthernet0/0

D 172.31.195.8/30 [120/1] via 172.31.11.202, 00:00:19, FastEthernet0/0

! R2’s Agreement follows. access-list 2 denies all subnets in the

! 172.31.196.0/22 range, which is the set of subnets that needs to be filtered.

! The distribute-list 2 in FastEthernet0/0 command tells EIGRP to clarify inbound

! EIGRP updates that appear in fa0/0.

router eigrp 1

network 10.0.0.0

network 172.31.0.0

distribute-list 2 in FastEthernet0/0

access-list 2 abjure 172.31.196.0 0.0.3.255

access-list 2 admittance any

EIGRP Agreement 229

An EIGRP administer account ability accredit to a prefix account instead of an ACL to bout routes. Prefix

lists are advised to bout a ambit of subnets, as able-bodied as a ambit of subnet masks associated with

the subnets. The administer account charge still ascertain the administration of the updates to be advised (in or

out), and optionally an interface.

Chapter 10 includes a added complete altercation of the syntax and formatting of prefix lists; this

chapter focuses on how to alarm and use a prefix account for EIGRP avenue filtering. To advertence a prefix

list, use the afterward router eigrp asn subcommand:

distribute-list {prefix list-name} {in | out} [interface-type interface-number]

Example 8-9 shows the beheading of this syntax, with the prefix account abstinent all /30 routes from

the ambit 172.31.192.0/21. The prefix account permits all added subnets.

! Below, the after-effects appearance three beneath subnets in the beyond 172.31.192.0/21 range.

R2# appearance ip avenue 172.31.192.0 255.255.248.0 longer-prefixes

! Curve bare for brevity; in this case, the fable was deleted

172.31.0.0/16 is variably subnetted, 21 subnets, 3 masks

D 172.31.195.0/30 [90/1] via 172.31.11.202, 00:00:22, FastEthernet0/0

D 172.31.194.0/24 [90/1] via 172.31.11.202, 00:00:22, FastEthernet0/0

D 172.31.195.4/30 [90/1] via 172.31.11.202, 00:00:22, FastEthernet0/0

D 172.31.195.8/30 [90/1] via 172.31.11.202, 00:00:22, FastEthernet0/0

Example 8-9 EIGRP Prefix Lists

! The archetype begins with a account of the routes that should be filtered.

! Agenda that the longer-prefixes advantage beneath makes the

! command account all routes in the range.

! The accent curve are the ones that will be filtered.

R2# appearance ip avenue 172.31.192.0 255.255.248.0 longer-prefixes

! Curve bare for brevity; in this case, the fable was deleted

172.31.0.0/16 is variably subnetted, 24 subnets, 3 masks

D 172.31.195.0/30 [90/1] via 172.31.11.202, 00:00:18, FastEthernet0/0

D 172.31.194.0/24 [90/1] via 172.31.11.202, 00:00:18, FastEthernet0/0

D 172.31.196.4/30 [90/1] via 172.31.11.202, 00:00:18, FastEthernet0/0

D 172.31.195.4/30 [90/1] via 172.31.11.202, 00:00:18, FastEthernet0/0

D 172.31.197.0/24 [90/1] via 172.31.11.202, 00:00:19, FastEthernet0/0

D 172.31.196.0/30 [90/1] via 172.31.11.202, 00:00:19, FastEthernet0/0

D 172.31.195.8/30 [90/1] via 172.31.11.202, 00:00:19, FastEthernet0/0

! R2’s agreement follows. The “wo2” prefix account banned the affectation ambit to

! alone /30 with the “ge 30 le 30” parameters. It matches any subnets between

! 172.31.192.0 and 172.31.199.255.

! Agenda that the prefix-list commands are all-around commands.

router eigrp 1

network 10.0.0.0

network 172.31.0.0

distribute-list prefix wo2 in FastEthernet0/0

Example 8-8 EIGRP Administration Account (Continued)

continues

230 Affiliate 8: EIGRP

One key abstraction is account acquainted afore we move on: With EIGRP filtering, an admission filter

prevents cartography advice from entering the EIGRP cartography table. That is, entering filters do

not affect the acquisition table directly, but because they accumulate acquisition advice from the topology

table, they accept the aforementioned effect.

EIGRP Account Lists

EIGRP account lists acquiesce EIGRP to add to a route’s metric, either afore sending an update, or for

routes accustomed in an update. The account account refers to an ACL (standard, extended, or named) to

match the routes; any akin routes accept the authentic offset, or added metric, added to their

metrics. Any routes not akin by the account account are unchanged. The account account additionally specifies

which acquisition updates to appraise by allegorical a administration (in or out) and, optionally, an interface.

If the interface is bare from the command, all updates for the authentic administration will be

examined.

Offset lists are abundant added applicative to RIP (version 1 or 2) than EIGRP because RIP has such a

limited metric range. With EIGRP, because of the metric’s complexity, it is ambiguous that you

would dispense EIGRP metrics this way. Because several added clarification methods and means to

influence EIGRP metrics are available, account lists see bound use in EIGRP and are accordingly not

covered in added detail in this chapter.

ip prefix-list wo2 seq 5 abjure 172.31.192.0/21 ge 30 le 30

ip prefix-list wo2 seq 10 admittance 0.0.0.0/0 le 32

! Below, agenda the absence of /30 routes in the authentic range, and the presence

! of the two /24 routes apparent at the alpha of Archetype 8-8.

R2# appearance ip avenue 172.31.192.0 255.255.248.0 longer-prefixes

! Curve bare for brevity; in this case, the fable was deleted

172.31.0.0/16 is variably subnetted, 19 subnets, 3 masks

D 172.31.194.0/24 [90/1] via 172.31.11.202, 00:00:23, FastEthernet0/0

D 172.31.197.0/24 [90/1] via 172.31.11.202, 00:00:23, FastEthernet0/0

Example 8-9 EIGRP Prefix Lists (Continued)

EIGRP Agreement 231

Clearing the IP Acquisition Table

The bright ip avenue * command clears the IP acquisition table. However, because EIGRP keeps all

possible routes in its cartography table, a bright ip avenue * command does not account EIGRP to send

any letters or apprentice any new cartography information; the router artlessly refills the IP acquisition table

with the best routes from the absolute cartography table.

The bright ip eigrp acquaintance command clears all acquaintance relationships, which clears the entire

topology table on the router. The neighbors again appear aback up, accelerate new updates, and repopulate

the cartography and acquisition tables. The bright command additionally allows for allowance all neighbors that are

reachable out an interface, or based on the neighbor’s IP address. The all-encompassing syntax is

clear ip eigrp neighbors [ip-address | interface-type interface-number]