- Chapter Objectives
- Implementing EIGRP
- Troubleshooting EIGRP
- Chapter Summary
- Review Questions
Implementing EIGRP
EIGRP is an advanced distance vector routing protocol developed by Cisco. EIGRP is suited for many different topologies and media. In a well-designed network, EIGRP scales well and provides extremely quick convergence times with minimal overhead. EIGRP is a popular choice for a routing protocol on Cisco devices.
Introducing EIGRP
EIGRP is a Cisco-proprietary routing protocol that combines the advantages of link-state and distance vector routing protocols. EIGRP is an advanced distance vector or hybrid routing protocol that includes the following features:
- Rapid convergence: EIGRP uses the Diffusing Update Algorithm (DUAL) to achieve rapid convergence. A router that uses EIGRP stores all available backup routes for destinations so that it can quickly adapt to alternate routes. If no appropriate route or backup route exists in the local routing table, EIGRP queries its neighbors to discover an alternate route.
- Reduced bandwidth usage: EIGRP does not make periodic updates. Instead, it sends partial updates when the path or the metric changes for that route. When path information changes, DUAL sends an update about only that link rather than about the entire table.
- Multiple network layer support: EIGRP supports AppleTalk, IP version 4 (IPv4), IP version 6 (IPv6), and Novell Internetwork Packet Exchange (IPX) through protocol-dependent modules (PDMs). Each PDM is responsible for the protocol requirements that are specific to its network layer protocol.
- Classless routing: Because EIGRP is a classless routing protocol, it advertises a routing mask for each destination network. The routing mask feature enables EIGRP to support discontiguous subnetworks and variable-length subnet masks (VLSM).
- Less overhead: EIGRP uses multicast and unicast rather than broadcast. As a result, end stations are unaffected by routing updates and requests for topology information.
- Load balancing: EIGRP supports unequal metric load balancing, which allows administrators to better distribute traffic flow in their networks.
- Easy summarization: EIGRP enables administrators to create summary routes anywhere within the network rather than rely on the traditional distance vector approach of performing classful route summarization only at major network boundaries.
Each EIGRP router maintains a neighbor table. This table includes a list of directly connected EIGRP routers that have an adjacency with this router.
Each EIGRP router maintains a topology table for each routed protocol configuration. The topology table includes route entries for every destination that the router learns. EIGRP chooses the best routes to a destination from the topology table and places these routes in the routing table, as illustrated in Figure 5-1.
Figure 5-1 EIGRP Tables
In EIGRP, the best route is called a successor route while a backup route is called the feasible successor. To determine the best route (successor) and the backup route (feasible successor) to a destination, EIGRP uses the following two parameters:
- Advertised distance: The EIGRP metric for an EIGRP neighbor to reach a particular network
- Feasible distance: The advertised distance for a particular network learned from an EIGRP neighbor plus the EIGRP metric to reach that neighbor
A router compares all feasible distances to reach a specific network and then selects the lowest feasible distance and places it in the routing table. The feasible distance for the chosen route becomes the EIGRP routing metric to reach that network in the routing table.
The EIGRP topology database contains all the routes that are known to each EIGRP neighbor. Routers A and B send their routing tables to Router C, whose table is displayed in Figure 5-2. Both Routers A and B have pathways to network 10.1.1.0/24, as well as to other networks that are not shown.
Figure 5-2 Router C EIGRP Tables
Router C has two entries to reach 10.1.1.0/24 in its topology table. The EIGRP metric for Router C to reach either Router A or Router B is 1000. Adding this cost (1000) to the advertised distance from each router gives the feasible distance from Router C to network 10.1.1.0/24 through that router.
Router C chooses the least-cost feasible distance (2000) and installs it in the IP routing table as the best route to reach 10.1.1.0/24. The route with the least-cost feasible distance that is installed in the routing table is called the successor route.
Router C then chooses a backup route to the successor called a feasible successor route, if one exists. For a route to become a feasible successor, a next-hop router must have an advertised distance that is less than the feasible distance of the current successor route.
If the route through the successor becomes invalid, possibly because of a topology change, or if a neighbor changes the metric, DUAL checks for feasible successors to the destination route. If one is found, DUAL uses it, avoiding the need to recompute the route. If no feasible successor exists, a recomputation must occur to determine the new successor.
Configuring and Verifying EIGRP
Use the router eigrp and network commands to create an EIGRP routing process. Note that EIGRP requires an autonomous system (AS) number. The AS number does not have to be registered as is the case when routing on the Internet with the Border Gateway Protocol (BGP) routing protocol. However, all routers within an AS must use the same AS number to exchange routing information with each other. Figure 5-3 shows the EIGRP configuration of a simple network.
Figure 5-3 EIGRP Configuration
The network command defines a major network number to which the router is directly connected. The EIGRP routing process looks for interfaces that have an IP address that belongs to the networks that are specified with the network command and begins the EIGRP process on these interfaces.
Table 5-1 applies to the EIGRP configurations on Router A in the EIGRP configuration example.
Table 5-1. EIGRP Command Example
Command | Description
router eigrp 100 | Enables the EIGRP routing process for AS 100
network 172.16.0.0 | Associates network 172.16.0.0 with the EIGRP routing process
network 10.0.0.0 | Associates network 10.0.0.0 with the EIGRP routing process
EIGRP sends updates out of the interfaces in networks 10.0.0.0 and 172.16.0.0. The updates include information about networks 10.0.0.0 and 172.16.0.0 and any other networks that EIGRP learns.
EIGRP automatically summarizes routes at the classful boundary. In some cases, you might not want automatic summarization to occur. For example, if you have discontiguous networks, you need to disable automatic summarization to minimize router confusion. Figure 5-4 shows an example of how this summarization can cause advertisements for the 172.16.0.0 network to be sent from both Router A and Router B to Router C.
Figure 5-4 Autosummarization Causing Discontinuous Subnets
To disable automatic summarization, use the no auto-summary command in the EIGRP router configuration mode. When this command is used, both Router A and Router B will advertise the route specific to the subnet of a given interface, as shown in Figure 5-5.
Figure 5-5 Disabling Autosummarization Corrects Problem
After you enable EIGRP, various commands can be used to display information about how the protocol is operating. The show ip route eigrp command displays the current EIGRP entries in the routing table.
The show ip protocols command displays the parameters and current state of the active routing protocol process. This command shows the EIGRP AS number. It also displays filtering and redistribution numbers and neighbor and distance information. This also shows the networks that are currently being advertised on the router by the protocol.
Use the show ip eigrp interfaces [type number] [as-number] command to determine on which interfaces EIGRP is active, and to learn information about EIGRP that relates to those interfaces. If you specify an interface by using the type number option, only that interface is displayed. Otherwise, all interfaces on which EIGRP is running are displayed. If you specify an AS using the as-number option, only the routing process for the specified AS is displayed. Otherwise, all EIGRP processes are displayed. Example 5-1 shows the output of the show ip eigrp interfaces command.
Example 5-1. Determining Router Interface EIGRP Status/Information
RouterX# show ip eigrp interfaces
IP EIGRP interfaces for process 109
                   Xmit Queue   Mean   Pacing Time   Multicast   Pending
Interface   Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer  Routes
Di0           0        0/0        0       11/434          0         0
Et0           1        0/0      337        0/10           0         0
SE0:1.16      1        0/0       10        1/63         103         0
Tu0           1        0/0      330        0/16           0         0
Table 5-2 describes the significant fields generated by the show ip eigrp interfaces output.
Table 5-2. show ip eigrp interfaces Output
Field | Description
Interface | Interface over which EIGRP is configured
Peers | Number of directly connected EIGRP neighbors on the interface
Xmit Queue Un/Reliable | Number of packets remaining in the Unreliable and Reliable queues
Mean SRTT | Average smoothed round-trip time (SRTT) interval (in milliseconds) for all neighbors on the interface
Pacing Time Un/Reliable | Number of milliseconds to wait after transmitting unreliable and reliable packets
Multicast Flow Timer | Number of milliseconds to wait for acknowledgment of a multicast packet by all neighbors before transmitting the next multicast packet
Pending Routes | Number of routes in the packets in the transmit queue waiting to be sent
Use the show ip eigrp neighbors command to display the neighbors that were discovered by EIGRP and to determine when neighbors become active and inactive, as demonstrated in Example 5-2. This command is also useful for debugging certain types of transport problems.
Example 5-2. Displaying Discovered Active/Inactive EIGRP Neighbors
RouterX# show ip eigrp neighbors
IP-EIGRP Neighbors for process 77
Address         Interface   Holdtime   Uptime    Q      Seq   SRTT   RTO
                            (secs)     (h:m:s)   Count  Num   (ms)   (ms)
172.16.81.28    Ethernet1   13         0:00:41   0      11    4      20
172.16.80.28    Ethernet0   14         0:02:01   0      10    12     24
172.16.80.31    Ethernet0   12         0:02:02   0      4     5      20
Table 5-3 describes the significant fields for the show ip eigrp neighbors command.
Table 5-3. show ip eigrp neighbors Output
Field | Description
process 77 | AS number that is specified with the router command.
Address | IP address of the EIGRP peer.
Interface | Interface on which the router is receiving hello packets from the peer.
Holdtime | Length of time (in seconds) that Cisco IOS Software waits to hear from the peer before declaring it down. If the peer is using the default hold time, this number is less than 15. If the peer configures a nondefault hold time, the nondefault hold time is displayed. The hold time would be less than 180 on a sub-T1 multipoint interface.
Uptime | Elapsed time (in hours:minutes:seconds) since the local router first heard from this neighbor.
Q Count | Number of EIGRP packets (update, query, and reply) that the software is waiting to send.
Seq Num | Sequence number of the last update, query, or reply packet that was received from this neighbor.
SRTT | Smooth round-trip time (SRTT). The number of milliseconds that is required for an EIGRP packet to be sent to this neighbor and for the local router to receive an acknowledgment of that packet.
RTO | Retransmission timeout (RTO) (in milliseconds). This is the amount of time the software waits before resending a packet from the retransmission queue to a neighbor.
The show ip eigrp topology command displays the EIGRP topology table, the active or passive state of routes, the number of successors, and the feasible distance to the destination, as demonstrated in Example 5-3.
Example 5-3. Displaying EIGRP Topology Information
RouterX# show ip eigrp topology
IP-EIGRP Topology Table for process 77
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - Reply status
P 172.16.90.0 255.255.255.0, 2 successors, FD is 46251776
         via 172.16.80.28 (46251776/46226176), Ethernet0
         via 172.16.81.28 (46251776/46226176), Ethernet1
         via 172.16.80.31 (46277376/46251776), Serial0
P 172.16.81.0 255.255.255.0, 2 successors, FD is 307200
         via Connected, Ethernet1
         via 172.16.81.28 (307200/281600), Ethernet1
         via 172.16.80.28 (307200/281600), Ethernet0
         via 172.16.80.31 (332800/307200), Serial0
Table 5-4 describes the significant fields for the show ip eigrp topology command output.
Table 5-4. show ip eigrp topology Output
Field | Description
Codes | The state of this topology table entry. Passive and Active refer to the EIGRP state with respect to this destination; Update, Query, and Reply refer to the type of packet that is being sent.
P - Passive | Indicates that no EIGRP computations are being performed for this destination.
A - Active | Indicates that EIGRP computations are being performed for this destination.
U - Update | Indicates that an update packet was sent to this destination.
Q - Query | Indicates that a query packet was sent to this destination.
R - Reply | Indicates that a reply packet was sent to this destination.
r - Reply status | A flag that is set after the software has sent a query and is waiting for a reply.
172.16.90.0 | Destination IP network number.
255.255.255.0 | Destination subnet mask.
successors | Number of successors. This number corresponds to the number of next hops in the IP routing table. If "successors" is capitalized, the route or next hop is in a transition state.
FD | Feasible distance. The feasible distance is the best metric to reach the destination or the best metric that was known when the route went active. This value is used in the feasibility condition check. If the reported distance of the router (the metric after the slash) is less than the feasible distance, the feasibility condition is met and that path is a feasible successor. After the software determines it has a feasible successor, it does not need to send a query for that destination.
replies | The number of replies that are still outstanding (have not been received) with respect to this destination. This information appears only when the destination is in active state.
state | The exact EIGRP state that this destination is in. It can be the number 0, 1, 2, or 3. This information appears only when the destination is in the active state.
via | The IP address of the peer that told the software about this destination. The first n of these entries, where n is the number of successors, are the current successors. The remaining entries on the list are feasible successors.
(46251776/46226176) | The first number is the EIGRP metric that represents the cost to the destination. The second number is the EIGRP metric that this peer advertised.
Ethernet0 | The interface from which this information was learned.
Serial0 | The interface from which this information was learned.
The show ip eigrp traffic command displays the number of packets sent and received, as demonstrated in Example 5-4.
Example 5-4. Displaying the Number of EIGRP Sent/Received Packets
RouterX# show ip eigrp traffic
IP-EIGRP Traffic Statistics for process 77
  Hellos sent/received: 218/205
  Updates sent/received: 7/23
  Queries sent/received: 2/0
  Replies sent/received: 0/2
  Acks sent/received: 21/14
Table 5-5 describes the fields that might be shown in the display.
Table 5-5. show ip eigrp traffic Output
Field | Description
process 77 | The AS number that is specified in the router command
Hellos sent/received | The number of hello packets that were sent and received
Updates sent/received | The number of update packets that were sent and received
Queries sent/received | The number of query packets that were sent and received
Replies sent/received | The number of reply packets that were sent and received
Acks sent/received | The number of acknowledgment packets that were sent and received
The debug ip eigrp privileged EXEC command helps you analyze the EIGRP packets that an interface sends and receives, as demonstrated in Example 5-5. Because the debug ip eigrp command generates a substantial amount of output, use it only when traffic on the network is light.
Example 5-5. Analyzing Sent/Received EIGRP Packets
RouterX# debug ip eigrp
IP-EIGRP: Processing incoming UPDATE packet
IP-EIGRP: Ext 192.168.3.0 255.255.255.0 M 386560 - 256000 130560 SM 360960 - 256000 104960
IP-EIGRP: Ext 192.168.0.0 255.255.255.0 M 386560 - 256000 130560 SM 360960 - 256000 104960
IP-EIGRP: Ext 192.168.3.0 255.255.255.0 M 386560 - 256000 130560 SM 360960 - 256000 104960
IP-EIGRP: 172.69.43.0 255.255.255.0, - do advertise out Ethernet0/1
IP-EIGRP: Ext 172.69.43.0 255.255.255.0 metric 371200 - 256000 115200
IP-EIGRP: 192.135.246.0 255.255.255.0, - do advertise out Ethernet0/1
IP-EIGRP: Ext 192.135.246.0 255.255.255.0 metric 46310656 - 45714176 596480
IP-EIGRP: 172.69.40.0 255.255.255.0, - do advertise out Ethernet0/1
IP-EIGRP: Ext 172.69.40.0 255.255.255.0 metric 2272256 - 1657856 614400
IP-EIGRP: 192.135.245.0 255.255.255.0, - do advertise out Ethernet0/1
IP-EIGRP: Ext 192.135.245.0 255.255.255.0 metric 40622080 - 40000000 622080
IP-EIGRP: 192.135.244.0 255.255.255.0, - do advertise out Ethernet0/1
Table 5-6 describes the fields in the sample output from the debug ip eigrp command.
Table 5-6. debug ip eigrp Output
Field | Description
IP-EIGRP | Indicates that this is an IP EIGRP packet.
Ext | Indicates that the following address is an external destination rather than an internal destination, which would be labeled as Int.
do not advertise out | Indicates interfaces out which EIGRP will not advertise the given route. This configuration prevents routing loops (split horizon).
M | Displays the computed metric, which includes the sent metric (SM) and the cost between this router and the neighbor. The first number is the composite metric. The next two numbers are the inverse bandwidth and the delay, respectively.
SM | Displays the metric as reported by the neighbor.
Load Balancing with EIGRP
Typically, networks are configured with multiple paths to a remote network. When these paths are equal or nearly equal, it makes sense to utilize all the available paths. Unlike Layer 2 forwarding, Layer 3 forwarding has the capability to load-balance between multiple paths. That is, the router can send frames out multiple interfaces to reduce the amount of traffic sent to a single network connection. The key to this feature is that the network paths must be of equal cost (or nearly equal for some protocols like EIGRP). EIGRP uses a metric to compute the costs to a given network.
EIGRP Metric
The EIGRP metric can be based on several criteria, but EIGRP uses only two of these criteria by default:
- Bandwidth: The smallest bandwidth between source and destination
- Delay: The cumulative interface delay in microseconds along the path
The following criteria can be used but are not recommended because they typically result in frequent recalculation of the topology table:
- Reliability: This value represents the worst reliability between the source and destination, based on keepalives.
- Load: This value represents the worst load on a link between the source and destination, computed based on the packet rate and the configured bandwidth of the interface.
Load Balancing Across Equal Paths
Equal-cost load balancing is the capability of a router to distribute traffic over all its network ports that have the same metric to the destination address. Load balancing increases the use of network segments and increases effective network bandwidth.
For IP, Cisco IOS Software applies load balancing across up to four equal-cost paths by default. With the maximum-paths maximum-path router configuration command, up to 16 equal-cost routes can be kept in the routing table. If you set the maximum-path to 1, you disable load balancing. When a packet is process switched, load balancing over equal-cost paths occurs on a per-packet basis. When packets are fast switched, load balancing over equal-cost paths occurs on a per-destination basis.
Configuring Load Balancing Across Unequal-Cost Paths
EIGRP can also balance traffic across multiple routes that have different metrics, which is called unequal-cost load balancing. The degree to which EIGRP performs load balancing is controlled with the variance command.
The multiplier parameter for the variance command is a value from 1 to 128, used for load balancing. The default is 1, which indicates that only equal-cost load balancing is being performed. The multiplier defines the range of metric values that are accepted for load balancing by the EIGRP process.
Example: Variance
In Figure 5-6, a variance of 2 is configured, and the range of the metric values, which are the feasible distances for Router E to get to network 172.16.0.0, is 20 to 45. This range of values determines the feasibility of a potential route.
Figure 5-6 Variance Example
A route is feasible if the next router in the path is closer to the destination than the current router is and if the metric of the alternate path is within the variance. Load balancing can use only feasible paths, and the routing table includes only these paths. The two feasibility conditions are as follows:
- The local best metric, which is the current feasible distance, must be greater than the best metric (the advertised distance) that is learned from the next router. In other words, the next router in the path must be closer to the destination than the current router is; this criterion prevents routing loops.
- The metric of the alternate path must be less than the variance multiplied by the local best metric (the current feasible distance).
If both of these conditions are met, the route is determined to be feasible and can be added to the routing table.
In Figure 5-6, three paths to network 172.16.0.0 exist with the following metrics:
- Path 1: 30 (through B)
- Path 2: 20 (through C)
- Path 3: 45 (through D)
By default, the router places only path 2 (through C) in the routing table because it is the least-cost path. To load-balance over paths 1 and 2, use a variance of 2 because 20 * 2 = 40, which is greater than the metric through path 1.
In Figure 5-6, Router E uses Router C as the successor because it has the lowest feasible distance (20). With the variance 2 command applied to Router E, the path through Router B meets the criteria for load balancing. In this case, the feasible distance through Router B is less than twice the feasible distance for the successor (Router C).
Router D is not considered for load balancing with this variance because the feasible distance through Router D is greater than twice the feasible distance for the successor (Router C). In the example, however, Router D would never be a feasible successor no matter what the variance is. This is because the advertised distance of Router D is 25, which is greater than the Router E feasible distance of 20; therefore, to avoid a potential routing loop, Router D is not considered a feasible successor.
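The successor, feasible successor, and variance rules from the sections above can be worked through in a few lines. The following is an added example, not code from the chapter: it models one destination's topology entries and applies the feasibility condition (advertised distance below the feasible distance) and the variance check exactly as stated. Only the feasible distances 20, 30, and 45 and Router D's advertised distance of 25 come from the Figure 5-6 discussion, and the 1000/2000 values from Figure 5-2; the remaining costs and advertised distances are constructed to fit them.

```python
"""Successor, feasible successor and variance selection for one destination,
as the chapter describes DUAL applying them.

Added example, not code from the chapter. Topology values are constructed
except where the chapter gives them (see router_e_paths / router_c_paths).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TopologyEntry:
    neighbor: str          # next-hop router that advertised the route
    advertised: int        # advertised (reported) distance from that neighbor
    cost_to_neighbor: int  # local EIGRP metric to reach the neighbor

    @property
    def feasible_distance(self) -> int:
        # FD via this neighbor = its advertised distance + our cost to it
        return self.advertised + self.cost_to_neighbor


def select_paths(entries, variance=1):
    """Return (fd, successors, feasible_successors, load_balanced).

    successors: entries with the lowest feasible distance (installed).
    feasible_successors: other entries whose advertised distance is strictly
        below the successor FD (feasibility condition; loop-free guarantee).
    load_balanced: feasible successors whose own FD is below
        variance * successor FD, so they are also installed for
        unequal-cost load balancing. variance=1 means equal-cost only.
    """
    if not entries:
        raise ValueError("no topology entries for this destination")
    if not 1 <= variance <= 128:
        raise ValueError("variance multiplier must be 1..128")
    fd = min(e.feasible_distance for e in entries)
    successors = [e for e in entries if e.feasible_distance == fd]
    # Feasibility condition: AD < FD. A neighbor whose AD is not below our FD
    # might be routing through us, so it is never a backup regardless of variance.
    feasible_successors = [e for e in entries
                           if e.feasible_distance > fd and e.advertised < fd]
    load_balanced = [e for e in feasible_successors
                     if e.feasible_distance < variance * fd]
    return fd, successors, feasible_successors, load_balanced


def router_e_paths(variance=1):
    """Figure 5-6 from Router E's view. Costs to B and C and their advertised
    distances are constructed so the FDs match the text (30, 20, 45);
    D's advertised distance of 25 is the chapter's value."""
    entries = [
        TopologyEntry("B", advertised=15, cost_to_neighbor=15),  # FD 30
        TopologyEntry("C", advertised=10, cost_to_neighbor=10),  # FD 20
        TopologyEntry("D", advertised=25, cost_to_neighbor=20),  # FD 45, AD 25
    ]
    return select_paths(entries, variance)


def router_c_paths():
    """Figure 5-2: Router C reaches A and B at cost 1000 each. A's advertised
    distance of 1000 yields the FD of 2000 from the text; B's 1500 is constructed."""
    entries = [
        TopologyEntry("A", advertised=1000, cost_to_neighbor=1000),  # FD 2000
        TopologyEntry("B", advertised=1500, cost_to_neighbor=1000),  # FD 2500
    ]
    return select_paths(entries)


if __name__ == "__main__":
    for v in (1, 2, 3):
        fd, succ, fs, lb = router_e_paths(v)
        names = lambda es: [e.neighbor for e in es]
        print(f"variance {v}: FD={fd} successors={names(succ)} "
              f"feasible successors={names(fs)} installed for LB={names(lb)}")
```

With variance 3, Router D still stays out of the routing table even though 45 < 60, because it fails the feasibility condition first.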
EIGRP Authentication
You can configure EIGRP neighbor authentication, also known as neighbor router authentication or route authentication, such that routers can participate in routing based on predefined passwords. By default, no authentication is used for EIGRP packets. EIGRP can be configured to use Message Digest Algorithm 5 (MD5) authentication.
When you configure neighbor authentication on a router, the router authenticates the source of each routing update packet that it receives. For EIGRP MD5 authentication, you must configure an authenticating key and a key ID on both the sending and the receiving router. The key is sometimes referred to as a password.
The MD5 keyed digest in each EIGRP packet prevents the introduction of unauthorized or false routing messages from unapproved sources.
Each key has its own key ID, which the router stores locally. The combination of the key ID and the interface that is associated with the message uniquely identifies the MD5 authentication key in use.
EIGRP enables you to manage keys by using key chains. Each key definition within the key chain can specify a time interval for which that key is activated (its lifetime). Then, during the lifetime of a given key, routing update packets are sent with this activated key. Only one authentication packet is sent, regardless of how many valid keys exist. The software examines the key numbers in order from lowest to highest, and it uses the first valid key that it encounters.
Keys cannot be used during time periods for which they are not activated. Therefore, it is recommended that for a given key chain, key activation times overlap to avoid any period of time for which no key is activated. If a time exists during which no key is activated, neighbor authentication cannot occur, and therefore, routing updates fail.
Creating a Key Chain
Perform the following steps to create a key chain:
- Step 1 Enter the key chain command to enter the configuration mode for the key chain. The value provided for the name-of-chain parameter for the key chain command indicates the name of the authentication key chain from which a key is to be obtained.
- Step 2 Use the key command to identify a key ID to use, and enter configuration mode for that key. The value provided for the key-id parameter of the key command indicates the ID number of an authentication key on a key chain. The range of keys is from 0 to 2147483647. The key ID numbers need not be consecutive.
- Step 3 Use the key-string command to identify the key string (password) for this key. The value provided for the text parameter of the key-string command indicates the authentication string that is to be used to authenticate sent and received EIGRP packets. The string can contain from 1 to 80 uppercase and lowercase alphanumeric characters. The first character cannot be a number, and the string is case sensitive.
- Step 4 Optionally, use accept-lifetime to specify the time during which this key is accepted for use on received packets. If you do not enter an accept-lifetime command, the time is infinite. Table 5-7 describes the accept-lifetime command parameters.
Table 5-7. accept-lifetime Parameters
Parameter | Description
start-time | Beginning time that the key that is specified by the key command is valid for use on received packets. The syntax can be either hh:mm:ss month date year or hh:mm:ss date month year, where hh is hours, mm is minutes, ss is seconds, month is the first three letters of the name of the month, date is the date (1–31), and year is the year (four digits). The default start time, and the earliest acceptable date, is January 1, 1993.
infinite | The key is valid for use on received packets from the start-time value on, with no end time.
end-time | The key is valid for use on received packets from the start-time value until the end-time value. The syntax is the same as that for the start-time value. The end-time value must be after the start-time value. The default end time is infinite.
seconds | Length of time (in seconds) that the key is valid for use on received packets. The range is from 1 to 2147483646.
- Step 5 Optionally, specify the time during which this key can be used for sending packets using the send-lifetime command. If you do not enter a send-lifetime command, the time is infinite. Table 5-8 describes the send-lifetime command parameters.
Table 5-8. send-lifetime Parameters
Parameter | Description
start-time | Beginning time that the key specified by the key command is valid to be used for sending packets. The syntax can be either hh:mm:ss month date year or hh:mm:ss date month year, where hh is hours, mm is minutes, ss is seconds, month is the first three letters of the name of the month, date is the date (1–31), and year is the year (four digits). The default start time, and the earliest acceptable date, is January 1, 1993.
infinite | The key is valid to be used for sending packets from the start-time value on.
end-time | The key is valid to be used for sending packets from the start-time value until the end-time value. The syntax is the same as that for the start-time value. The end-time value must be after the start-time value. The default end time is infinite.
seconds | Length of time (in seconds) that the key is valid to be used for sending packets. The range is from 1 to 2147483646.
Configuring MD5 Authentication for EIGRP
To configure MD5 authentication for EIGRP, complete the following steps:
- Step 1 Enter configuration mode for the interface on which you want to enable authentication.
- Step 2 Use the ip authentication mode eigrp autonomous-system md5 command to specify that MD5 authentication is to be used for EIGRP packets. The value provided for the autonomous-system parameter of the ip authentication mode eigrp md5 command indicates the EIGRP AS number in which authentication is to be used.
- Step 3 Use the ip authentication key-chain eigrp autonomous-system name-of-chain command to specify which key chain to use for the authentication of EIGRP packets. Table 5-9 describes the parameters for this command.
Table 5-9. ip authentication key-chain eigrp Parameters
Parameter | Description
autonomous-system | The EIGRP AS number in which authentication is to be used
name-of-chain | The name of the authentication key chain from which a key is to be obtained
Example: MD5 Authentication Configuration
Figure 5-7 shows an example network used for the configuration of EIGRP MD5 authentication for Router X in Example 5-6.
Figure 5-7 Network Topology for EIGRP MD5 Configuration Example
Example 5-6. Configuring EIGRP MD5 Authentication on Router X
RouterX
<output omitted>
key chain RouterXchain
 key 1
  key-string firstkey
  accept-lifetime 04:00:00 Jan 1 2006 infinite
  send-lifetime 04:00:00 Jan 1 2006 04:01:00 Jan 1 2006
 key 2
  key-string secondkey
  accept-lifetime 04:00:00 Jan 1 2006 infinite
  send-lifetime 04:00:00 Jan 1 2006 infinite
<output omitted>
!
interface Serial0/0/1
 bandwidth 64
 ip address 192.168.1.101 255.255.255.224
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 RouterXchain
MD5 authentication is configured on the Serial 0/0/1 interface with the ip authentication mode eigrp 100 md5 command. The ip authentication key-chain eigrp 100 RouterXchain command specifies that the key chain RouterXchain is to be used for EIGRP AS 100.
The key chain RouterXchain command enters configuration mode for the RouterXchain key chain. Two keys are defined. Key 1 is set to "first key" with the key-string firstkey command. This key is acceptable for use on packets that are received by Router X from 4:00 a.m. (0400) on January 1, 2006, onward, as specified in the accept-lifetime 04:00:00 Jan 1 2006 infinite command. However, the send-lifetime 04:00:00 Jan 1 2006 04:01:00 Jan 1 2006 command specifies that this key is valid for use only when packets are sent for one minute on January 1, 2006; afterward, it is no longer valid for use in sending packets.
Key 2 is set to "second key" with the key-string secondkey command. This key is acceptable for use on packets that are received by Router X from 4:00 a.m. (0400) on January 1, 2006, onward, as specified in the accept-lifetime 04:00:00 Jan 1 2006 infinite command. This key can also be used when packets are sent from 4:00 a.m. (0400) on January 1, 2006, onward, as specified in the send-lifetime 04:00:00 Jan 1 2006 infinite command.
Therefore, Router X accepts and attempts to verify the MD5 digest of any EIGRP packets with a key ID equal to 1. Router X will also accept a packet with a key ID equal to 2. All other MD5 packets are dropped. Router X sends all EIGRP packets using key 2 because key 1 is no longer valid for use in sending packets.
Example 5-7 shows the configuration of EIGRP MD5 authentication for Router Y in Figure 5-7.
Example 5-7. Configuring EIGRP MD5 Authentication on Router Y
RouterY
<output omitted>
key chain RouterYchain
 key 1
  key-string firstkey
  accept-lifetime 04:00:00 Jan 1 2006 infinite
  send-lifetime 04:00:00 Jan 1 2006 infinite
 key 2
  key-string secondkey
  accept-lifetime 04:00:00 Jan 1 2006 infinite
  send-lifetime 04:00:00 Jan 1 2006 infinite
<output omitted>
!
interface Serial0/0/1
 bandwidth 64
 ip address 192.168.1.102 255.255.255.224
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 RouterYchain
MD5 authentication is configured on the Serial 0/0/1 interface with the ip authentication mode eigrp 100 md5 command. The ip authentication key-chain eigrp 100 RouterYchain command specifies that the key chain RouterYchain is to be used for EIGRP AS 100.
The key chain RouterYchain command enters configuration mode for the RouterYchain key chain. Two keys are defined. Key 1 is set to "first key" with the key-string firstkey command. This key is acceptable for use on packets that are received by Router Y from 4:00 a.m. (0400) on January 1, 2006, onward, as specified in the accept-lifetime 04:00:00 Jan 1 2006 infinite command. This key can also be used when packets are sent from 4:00 a.m. (0400) on January 1, 2006, onward, as specified in the send-lifetime 04:00:00 Jan 1 2006 infinite command.
Key 2 is set to "second key" with the key-string secondkey command. This key is acceptable for use on packets that are received by Router Y from 4:00 a.m. (0400) on January 1, 2006, onward, as specified in the accept-lifetime 04:00:00 Jan 1 2006 infinite command. This key can also be used when packets are sent from 4:00 a.m. (0400) on January 1, 2006, onward, as specified in the send-lifetime 04:00:00 Jan 1 2006 infinite command.
Therefore, Router Y accepts and attempts to verify the MD5 digest of any EIGRP packets with a key ID equal to 1 or 2. Router Y uses key 1 to send all EIGRP packets because it is the first valid key in the key chain.
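The key-selection rules behind Examples 5-6 and 5-7 (lowest valid key ID is used to send; a received key ID is checked only while its accept-lifetime covers the current time; a window with no sendable key breaks authentication) can be modeled directly. The following is an added example, not code from the chapter or from Cisco IOS: it reproduces the RouterXchain and RouterYchain definitions from the examples, and adds a constructed GAPPY_CHAIN to show the lifetime gap the earlier section warns about. The send_gaps sampling helper and the at() time helper are this example's own.

```python
"""Key-chain lifetime semantics as the chapter describes them.

Added example, not from the chapter or Cisco IOS. ROUTER_X_CHAIN and
ROUTER_Y_CHAIN reproduce Examples 5-6 and 5-7; GAPPY_CHAIN is constructed
to show a rollover with no active send key.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

INFINITE = datetime.max  # stands in for the "infinite" keyword


@dataclass(frozen=True)
class Key:
    key_id: int
    key_string: str
    accept_start: datetime
    accept_end: datetime
    send_start: datetime
    send_end: datetime

    def can_send(self, now):
        return self.send_start <= now < self.send_end

    def can_accept(self, now):
        return self.accept_start <= now < self.accept_end


def send_key(chain, now) -> Optional[Key]:
    """Lowest key ID with a valid send-lifetime, the order in which IOS
    examines the chain. None means nothing can sign an update right now."""
    for key in sorted(chain, key=lambda k: k.key_id):
        if key.can_send(now):
            return key
    return None


def accept_key_id(chain, key_id, now) -> bool:
    """Would a received packet carrying this key ID have its digest checked,
    rather than being dropped outright?"""
    return any(k.key_id == key_id and k.can_accept(now) for k in chain)


def send_gaps(chain, start, end, step=timedelta(minutes=1)):
    """Sample [start, end) and return the instants where no key can send.
    Any such instant is a period in which neighbor authentication fails."""
    gaps = []
    t = start
    while t < end:
        if send_key(chain, t) is None:
            gaps.append(t)
        t += step
    return gaps


T0 = datetime(2006, 1, 1, 4, 0, 0)  # 04:00:00 Jan 1 2006 from the examples


def at(**offset):
    """Convenience: T0 plus a timedelta, e.g. at(minutes=5)."""
    return T0 + timedelta(**offset)


# Example 5-6: key 1 may send for one minute only; key 2 forever.
ROUTER_X_CHAIN = [
    Key(1, "firstkey", T0, INFINITE, T0, at(minutes=1)),
    Key(2, "secondkey", T0, INFINITE, T0, INFINITE),
]
# Example 5-7: both keys may send forever, so key 1 wins as the lowest ID.
ROUTER_Y_CHAIN = [
    Key(1, "firstkey", T0, INFINITE, T0, INFINITE),
    Key(2, "secondkey", T0, INFINITE, T0, INFINITE),
]
# Constructed rollover with a hole: key 1 stops sending at 05:00, key 2 does
# not start until 05:10. For ten minutes nothing can sign EIGRP packets.
GAPPY_CHAIN = [
    Key(1, "firstkey", T0, INFINITE, T0, at(hours=1)),
    Key(2, "secondkey", T0, INFINITE, at(hours=1, minutes=10), INFINITE),
]

if __name__ == "__main__":
    for label, chain in (("X", ROUTER_X_CHAIN), ("Y", ROUTER_Y_CHAIN)):
        k = send_key(chain, at(minutes=5))
        print(f"Router {label} sends with key {k.key_id if k else None} at 04:05")
    print("gap minutes in GAPPY_CHAIN:", [g.strftime('%H:%M') for g in
                                        send_gaps(GAPPY_CHAIN, T0, at(hours=2))])
```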
Verifying MD5 Authentication
Example 5-8 shows the output of the show ip eigrp neighbors and show ip route commands on Router X.
Example 5-8. Verifying EIGRP MD5 Authentication on Router X
RouterX# show ip eigrp neighbors
IP-EIGRP neighbors for process 100
H   Address         Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                (sec)         (ms)       Cnt Num
0   192.168.1.102   Se0/0/1       12 00:03:10   17  2280  0  14
RouterX# show ip route
<output omitted>
Gateway of last resort is not set
D    172.17.0.0/16 [90/40514560] via 192.168.1.102, 00:02:22, Serial0/0/1
     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
D       172.16.0.0/16 is a summary, 00:31:31, Null0
C       172.16.1.0/24 is directly connected, FastEthernet0/0
     192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.1.96/27 is directly connected, Serial0/0/1
D       192.168.1.0/24 is a summary, 00:31:31, Null0
RouterX# ping 172.17.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/16 ms
The fact that the neighbor table shows the IP address of Router Y indicates that the two routers have successfully formed an EIGRP adjacency. The routing table verifies that the 172.17.0.0 network has been learned through EIGRP over the serial connection. Therefore, the MD5 authentication for EIGRP must have been successful between Router X and Router Y.
The results of a ping to the Router Y FastEthernet interface address are also displayed to illustrate that the link is working.
Summary of Implementing EIGRP
The following summarizes the key points that were discussed in the previous sections:
- EIGRP is a classless, advanced distance vector routing protocol that runs the DUAL algorithm.
- EIGRP requires you to configure an autonomous system number that must match on all routers to exchange routes.
- EIGRP is capable of load balancing across unequal-cost paths.
- EIGRP supports MD5 authentication to protect against unauthorized, rogue routers entering your network.