In this part of the lab, you will tune and optimize EIGRP for IPv4 through the use of passive interfaces, authentication, and variance.
Passive interfaces are interfaces that only partially participate in a routing protocol's operation. The network address of the passive interface is advertised through other interfaces, but the routing protocol does not actually speak on the passive interface. Use passive interfaces when you have a connected network that you want to advertise but do not want protocol neighbors to appear on that interface. For example, interfaces supporting users should always be configured as passive. There are two ways to configure interfaces as passive: either specifically by interface name or by default. Normally a device with many LAN interfaces will use the default option, and then use the no form of the command on the specific interfaces that should be sending and receiving EIGRP messages.
a. On PC1, run Wireshark and set the capture filter to eigrp. You should see a hello message roughly every five seconds. If your device were capable of running EIGRP, you might be able to form an adjacency and interact in the routing domain. This is unnecessary traffic on the LAN and a potential security risk. Stop the capture.
b. On R1, configure af-interface G0/0/1 to be passive.
R1(config)# router eigrp BASIC-EIGRP-LAB
R1(config-router)# address-family ipv4 unicast autonomous-system 27
R1(config-router-af)# af-interface g0/0.2
R1(config-router-af-interface)# passive-interface
R1(config-router-af-interface)# end
c. On PC1, restart the Wireshark capture with the capture filter still configured for eigrp. You should no longer see EIGRP Hello messages.
The second option for configuring passive interfaces is to configure them all as passive and then issue the no passive-interface command for certain interfaces. This approach is suitable in a security-focused scenario, or when the device has many LAN interfaces. The commands vary depending on whether you are using Classic or Named EIGRP.
a. In Classic EIGRP configuration, enter the passive-interface default command followed by no passive-interface interface-number commands for all the interfaces that should be participating in EIGRP. The following provides an example of this on R2. You will temporarily lose EIGRP adjacencies until passive-interface is removed from required interfaces.
R2(config)# router eigrp 27
R2(config-router)# passive-interface default
R2(config-router)# no passive-interface g0/1
R2(config-router)# no passive-interface g0/2
R2(config-router)# exit
R2(config)# end
b. In Named EIGRP configuration, you apply the passive-interface command to the af-interface default configuration, and the no passive-interface command to the specific af-interface interface-number. The following provides an example of this on R3. You will temporarily lose EIGRP adjacencies until passive-interface is removed from required interfaces.
R3(config)# router eigrp BASIC-EIGRP-LAB
R3(config-router)# address-family ipv4 unicast autonomous-system 27
R3(config-router-af)# af-interface default
R3(config-router-af-interface)# passive-interface
R3(config-router-af-interface)# exit
R3(config-router-af)# af-interface g0/2
R3(config-router-af-interface)# no passive-interface
R3(config-router-af-interface)# exit
R3(config-router-af)# af-interface g0/0
R3(config-router-af-interface)# no passive-interface
R3(config-router-af-interface)# end
c. The output of the show ip protocols | section Passive command will give you a list of passive interfaces configured for EIGRP, which for R3 will only be the Loopback 0 interface that is simulating a LAN.
R3# show ip protocols | section Passive
  Passive Interface(s):
    Loopback0
EIGRP supports authentication on a per-interface basis: each interface can be configured to require authentication of the connected peer, which ensures that devices trying to form an adjacency on that interface are authorized to do so. Classic EIGRP supports key-chain-based MD5 authentication, while Named EIGRP adds support for HMAC-SHA-256. The two modes are not compatible with each other.
In this step, you will configure both types of authentication to exercise the range of options available.
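The passive-interface discussion above notes that EIGRP Hellos reaching a user PC are unnecessary traffic and a security risk, and the paragraph above distinguishes the MD5 and HMAC-SHA-256 authentication modes. The following Python script is an added example, not part of the lab or of any Cisco tool: it decodes constructed EIGRP Hello packets (header and TLV layout as in RFC 7868) the way a monitoring script on a host such as PC1 might, and reports whether a Hello carries an Authentication TLV and which mode it names. The sample packets, the audit_hello policy function and the expected AS value are constructed for this example; the digest inside the authentication TLV is a zero placeholder rather than a real HMAC, so the script checks for the presence and type of authentication, not its validity.

```python
import struct

# EIGRP packet header and TLV layout per RFC 7868. All packets below are
# constructed in build_hello(); nothing here is a real capture.
HEADER_FMT = "!BBHIIIHH"  # version, opcode, checksum, flags, seq, ack, virtual router id, AS
HEADER_LEN = struct.calcsize(HEADER_FMT)
OPCODE_HELLO = 5
TLV_PARAMETERS = 0x0001
TLV_AUTHENTICATION = 0x0002
AUTH_TYPE_NAMES = {2: "md5", 3: "hmac-sha-256"}


def internet_checksum(data):
    """Standard ones'-complement checksum used by the EIGRP header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_hello(asn, hold_time=15, k_values=(1, 0, 1, 0, 0), auth_type=None):
    """Construct a sample Hello. The authentication digest is a zero placeholder;
    a real router fills it with an HMAC over the packet using the key-chain secret."""
    tlvs = struct.pack("!HH5sBH", TLV_PARAMETERS, 12, bytes(k_values), 0, hold_time)
    if auth_type is not None:
        digest = b"\x00" * (32 if auth_type == 3 else 16)
        body = struct.pack("!HH", auth_type, len(digest)) + digest
        tlvs += struct.pack("!HH", TLV_AUTHENTICATION, 4 + len(body)) + body
    header = struct.pack(HEADER_FMT, 2, OPCODE_HELLO, 0, 0, 0, 0, 0, asn)
    pkt = header + tlvs
    return pkt[:2] + struct.pack("!H", internet_checksum(pkt)) + pkt[4:]


def checksum_ok(pkt):
    """A packet whose checksum field is correct sums to zero under the same algorithm."""
    return internet_checksum(pkt) == 0


def parse_eigrp(pkt):
    """Decode the header and the TLVs a defender cares about: hold time, K values, auth mode."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("truncated EIGRP header")
    if not checksum_ok(pkt):
        raise ValueError("bad EIGRP checksum")
    _, opcode, _, _, _, _, _, asn = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
    info = {"opcode": opcode, "asn": asn, "hold_time": None, "k_values": None, "auth": None}
    offset = HEADER_LEN
    while offset + 4 <= len(pkt):
        tlv_type, tlv_len = struct.unpack("!HH", pkt[offset:offset + 4])
        if tlv_len < 4 or offset + tlv_len > len(pkt):
            raise ValueError("malformed TLV at offset %d" % offset)
        value = pkt[offset + 4:offset + tlv_len]
        if tlv_type == TLV_PARAMETERS and len(value) >= 8:
            info["k_values"] = tuple(value[:5])          # K1..K5
            info["hold_time"] = struct.unpack("!H", value[6:8])[0]
        elif tlv_type == TLV_AUTHENTICATION and len(value) >= 4:
            auth_type = struct.unpack("!H", value[:2])[0]
            info["auth"] = AUTH_TYPE_NAMES.get(auth_type, "unknown(%d)" % auth_type)
        offset += tlv_len
    return info


def audit_hello(pkt, expected_asn, user_segment=True):
    """Hypothetical policy check for one Hello seen at a host; empty list means nothing to flag."""
    info = parse_eigrp(pkt)
    findings = []
    if info["opcode"] != OPCODE_HELLO:
        return findings
    if user_segment:
        findings.append("EIGRP Hello on a user segment: interface should be passive")
    if info["asn"] != expected_asn:
        findings.append("Hello for unexpected AS %d" % info["asn"])
    if info["auth"] is None:
        findings.append("Hello carries no Authentication TLV")
    return findings


if __name__ == "__main__":
    for label, pkt in (("plain", build_hello(27)), ("sha256", build_hello(27, auth_type=3))):
        print(label, parse_eigrp(pkt), audit_hello(pkt, expected_asn=27))
```

The script deliberately treats an unauthenticated Hello and a Hello on a user segment as two separate findings: the first is fixed with the authentication commands in this step, the second with passive-interface, and a segment can exhibit either problem without the other.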
a. On R1, R2, R3, and D2, create a key chain named EIGRP-AUTHEN-KEY with a single key. The key should have the key-string $3cre7!!. The configuration for R1 is shown.
R1(config)# key chain EIGRP-AUTHEN-KEY
R1(config-keychain)# key 1
R1(config-keychain-key)# key-string $3cre7!!
R1(config-keychain-key)# end
b. On R2, configure interfaces G0/1 and G0/2 to authenticate EIGRP with MD5 using the key chain you just created. Note that you will lose EIGRP adjacencies until the neighbor interfaces are configured.
R2(config)# interface g0/1
R2(config-if)# ip authentication key-chain eigrp 27 EIGRP-AUTHEN-KEY
R2(config-if)# ip authentication mode eigrp 27 md5
R2(config-if)# exit
R2(config)# interface g0/2
R2(config-if)# ip authentication key-chain eigrp 27 EIGRP-AUTHEN-KEY
R2(config-if)# ip authentication mode eigrp 27 md5
R2(config-if)# end
c. Configure interface G0/1 on R1 and G0/2 on R3 to use the key chain with MD5. EIGRP adjacencies with R2 should be restored.
R1(config)# router eigrp BASIC-EIGRP-LAB
R1(config-router)# address-family ipv4 unicast autonomous-system 27
R1(config-router-af)# af-interface g0/1
R1(config-router-af-interface)# authentication key-chain EIGRP-AUTHEN-KEY
R1(config-router-af-interface)# authentication mode md5
R1(config-router-af-interface)# end
d. Use the show ip eigrp interface detail | section Gi0/1 command to verify that authentication is in place and what type of authentication it is.
R1# show ip eigrp interface detail | section Gi0/1
Gi0/1                    1        0/0       0/0           1       0/0           50           0
  Hello-interval is 5, Hold-time is 15
  Split-horizon is enabled
  Next xmit serial <none>
  Packetized sent/expedited: 14/2
  Hello's sent/expedited: 186/4
  Un/reliable mcasts: 0/11  Un/reliable ucasts: 15/7
  Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 0
  Retransmissions sent: 3  Out-of-sequence rcvd: 0
  Topology-ids on interface - 0
  Authentication mode is md5, key-chain is "EIGRP-AUTHEN-KEY"
  Topologies advertised on this interface: base
  Topologies not advertised on this interface:
e. On R1 and D2, configure SHA-256-based authentication using the same $3cre7!! shared secret. R1 and D2 are running Named EIGRP, so the configuration is applied in af-interface mode. On R1, configure the G0/0.1 subinterface. On D2, configure the G0/1 interface. Both configurations are shown. Note that the R1-D2 adjacency will be lost until both ends are configured.
R1(config)# router eigrp BASIC-EIGRP-LAB
R1(config-router)# address-family ipv4 unicast autonomous-system 27
R1(config-router-af)# af-interface g0/0.1
R1(config-router-af-interface)# authentication mode hmac-sha-256 $3cre7!!
R1(config-router-af-interface)# end

D2(config)# router eigrp BASIC-EIGRP-LAB
D2(config-router)# address-family ipv4 unicast autonomous-system 27
D2(config-router-af)# af-interface g0/1
D2(config-router-af-interface)# authentication mode hmac-sha-256 $3cre7!!
D2(config-router-af-interface)# end
f. Use the show ip eigrp interface detail command to verify that authentication is in place and what type of authentication it is.
R1# show ip eigrp interface detail | section Gi0/0.1
Gi0/0.1                  1        0/0       0/0           3       0/0           50           0
  Hello-interval is 5, Hold-time is 15
  Split-horizon is enabled
  Next xmit serial <none>
  Packetized sent/expedited: 11/0
  Hello's sent/expedited: 225/4
  Un/reliable mcasts: 0/11  Un/reliable ucasts: 12/7
  Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 0
  Retransmissions sent: 4  Out-of-sequence rcvd: 0
  Topology-ids on interface - 0
  Authentication mode is HMAC-SHA-256, key-chain is not set
  Topologies advertised on this interface: base
  Topologies not advertised on this interface:
By default, load balancing occurs only over equal-cost paths. EIGRP supports up to four equal cost paths by default but can be configured to support as many as 32 with the maximum-paths command.
EIGRP has the added capability to load balance over unequal-cost paths. Load balancing is controlled by the variance parameter. Its value is a multiplier that is used to determine how to deal with multiple paths to the same destination.
Variance is set to 1 by default, so any paths up to the configured maximum number of paths that have a feasible distance equal to the best current feasible distance are also offered to the routing table. This provides equal cost load balancing.
The variance parameter can also be set to zero, which dictates that no load balancing takes place.
The variance parameter can be adjusted so that paths whose FD is less than or equal to variance times the current best FD are also considered successors and installed into the routing table. There is an extremely important distinction here: to be a feasible successor, the RD of a path must be less than the current best FD. To be considered for unequal-cost load balancing, the current best FD is multiplied by the variance value, and if the feasible successor's FD is less than or equal to that product, the feasible successor is promoted to successor.
There are two caveats. First, only feasible successors are considered. Second, unequal-cost load balancing is genuinely unequal: the traffic share of each path is set in proportion to the routing-table metrics, so the path with the lower metric carries the larger share.
Note: Keep in mind that your routing table may be different than the one created by the examples in this lab. If your results are different, examine them carefully to determine why so that you can thoroughly understand how EIGRP is operating.
a. On R3, there are two equal-cost paths to 192.168.1.0/24.
R3# show ip route eigrp | section 192.168.1.0
D     192.168.1.0/24 [90/20480] via 172.16.13.2, 00:08:18, GigabitEthernet0/0
                     [90/20480] via 10.0.23.2, 00:08:18, GigabitEthernet0/2
b. To change this and allow for the demonstration of variance, change the interface bandwidth for the R2 interfaces G0/1 and G0/2 to 800000.
R2(config)# interface g0/1
R2(config-if)# bandwidth 800000
R2(config-if)# exit
R2(config)# interface g0/2
R2(config-if)# bandwidth 800000
R2(config-if)# end
c. When you examine the routing table on R3, you see that there is no load balancing occurring. All destinations have a single path.
R3# show ip route eigrp | begin Gateway
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
D        10.0.12.0/24 [90/16640] via 10.0.23.2, 00:01:17, GigabitEthernet0/2
      172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
D        172.16.1.0/24 [90/15360] via 172.16.13.2, 00:01:04, GigabitEthernet0/0
D     192.168.1.0/24 [90/20480] via 172.16.13.2, 00:01:04, GigabitEthernet0/0
d. However, we know there are multiple paths in the network. The first consideration for manipulating variance is that it only works with feasible successors. Examining the topology table on R3 shows that there is a feasible successor for the 192.168.1.0/24 network: the route via 10.0.23.2 out the G0/0/0 interface has an RD less than the FD of the current successor.
R3# show ip eigrp topology | section 192.168.1.0
P 192.168.1.0/24, 1 successors, FD is 2621440
        via 172.16.13.2 (2621440/1966080), GigabitEthernet0/0
        via 10.0.23.2 (2785280/2129920), GigabitEthernet0/2
e. To use the other route for unequal-cost load balancing, set the variance parameter to 2. Any feasible successor whose FD is less than or equal to 5242880 (2 x 2621440 = 5242880) will then qualify as a successor.
R3(config)# router eigrp BASIC-EIGRP-LAB
R3(config-router)# address-family ipv4 unicast autonomous-system 27
R3(config-router-af)# topology base
R3(config-router-af-topology)# variance 2
R3(config-router-af-topology)# end
f. The output of the show ip route eigrp | begin Gateway command now displays two paths available to the 192.168.1.0/24 network. Notice that the routes have different metrics, but are listed and used just the same. Also, notice that adding variance 2 adds a second path to the 10.0.12.0/24 network.
R3# show ip route eigrp | begin Gateway
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
D        10.0.12.0/24 [90/20480] via 172.16.13.2, 00:00:11, GigabitEthernet0/0
                      [90/16640] via 10.0.23.2, 00:00:11, GigabitEthernet0/2
      172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
D        172.16.1.0/24 [90/15360] via 172.16.13.2, 00:00:11, GigabitEthernet0/0
D     192.168.1.0/24 [90/20480] via 172.16.13.2, 00:00:11, GigabitEthernet0/0
                     [90/21760] via 10.0.23.2, 00:00:11, GigabitEthernet0/2
g. Issue the show ip route 192.168.1.0 command to see more details about the paths the router has to the 192.168.1.0 network. As a part of this output, you see the traffic share count, which tells you the ratio of traffic that will be sent between these links. In this example, the count is 120 via 172.16.13.2 and 113 via 10.0.23.2. What that means is that 120 packets will be sent via 172.16.13.2 and then 113 packets will be sent via 10.0.23.2.
R3# show ip route 192.168.1.0
Routing entry for 192.168.1.0/24
  Known via "eigrp 27", distance 90, metric 20480, type internal
  Redistributing via eigrp 27
  Last update from 10.0.23.2 on GigabitEthernet0/2, 00:01:42 ago
  Routing Descriptor Blocks:
  * 172.16.13.2, from 172.16.13.2, 00:01:42 ago, via GigabitEthernet0/0
      Route metric is 20480, traffic share count is 120
      Total delay is 30 microseconds, minimum bandwidth is 1000000 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 2
    10.0.23.2, from 10.0.23.2, 00:01:42 ago, via GigabitEthernet0/2
      Route metric is 21760, traffic share count is 113
      Total delay is 30 microseconds, minimum bandwidth is 800000 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 2
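The successor, feasible-successor and variance rules explained in the variance discussion above, applied to R3's topology entry for 192.168.1.0/24 (FD 2621440 and 2785280, RD 1966080 and 2129920), as an added Python example that is not part of the lab and not Cisco code. The Path class, the third next hop 10.0.99.9 and the share_ratio function are constructed for illustration; the factor of 128 between the topology-table metric and the routing-table metric is inferred from the page's own numbers (2621440 / 20480) and matches the IOS default rib-scale for wide metrics, but the page itself does not state it.

```python
from dataclasses import dataclass

# Ratio between the topology-table metric and the routing-table metric in the
# R3 output above (2621440 / 20480 = 128). This matches the IOS default rib-scale
# for wide metrics; here it is an assumption drawn from the page's numbers.
RIB_SCALE = 128


@dataclass(frozen=True)
class Path:
    next_hop: str
    fd: int  # feasible distance: R3's full metric to the prefix via this next hop
    rd: int  # reported distance: the next hop's own metric to the prefix


def best_fd(paths):
    """Metric of the current successor (the lowest FD among all known paths)."""
    return min(p.fd for p in paths)


def is_feasible_successor(path, fd_best):
    """Feasibility condition: the neighbour's RD must be strictly below the current best FD."""
    return path.rd < fd_best


def variance_threshold(paths, variance):
    """Highest FD that the variance setting allows into the routing table."""
    return variance * best_fd(paths)


def installed_paths(paths, variance=1, max_paths=4):
    """Paths EIGRP installs: the successor plus every feasible successor whose FD is
    within variance times the best FD, capped at maximum-paths (4 by default)."""
    fd_best = best_fd(paths)
    limit = variance_threshold(paths, variance)
    chosen = [p for p in sorted(paths, key=lambda p: p.fd)
              if (p.fd == fd_best or is_feasible_successor(p, fd_best)) and p.fd <= limit]
    return chosen[:max_paths]


def rib_metric(path):
    """Metric as displayed by 'show ip route' (topology metric scaled down by rib-scale)."""
    return path.fd // RIB_SCALE


def share_ratio(paths):
    """Relative traffic share per next hop: inversely proportional to the metric,
    normalised so the worst installed path is 1.0."""
    worst = max(p.fd for p in paths)
    return {p.next_hop: worst / p.fd for p in paths}


# Constructed from R3's topology entry for 192.168.1.0/24 after the bandwidth change.
NET_192 = [
    Path("172.16.13.2", fd=2621440, rd=1966080),  # successor
    Path("10.0.23.2", fd=2785280, rd=2129920),    # feasible successor
]

# Hypothetical third entry (not on the page): its FD is within variance 2, but its RD
# fails the feasibility condition, so no variance value can install it.
NOT_FEASIBLE = Path("10.0.99.9", fd=3000000, rd=2700000)


if __name__ == "__main__":
    for v in (1, 2):
        hops = [(p.next_hop, rib_metric(p)) for p in installed_paths(NET_192 + [NOT_FEASIBLE], v)]
        print("variance %d: %s" % (v, hops))
    print("share ratio:", share_ratio(installed_paths(NET_192, 2)))
```

With variance 1 only the 172.16.13.2 path is installed, matching step c; with variance 2 the 10.0.23.2 path joins it with routing-table metric 21760, matching step f; and the hypothetical 10.0.99.9 path is never installed because it is not a feasible successor, which is the first caveat from the variance discussion. The share_ratio output (1.0625 : 1) is the inverse ratio of the two metrics and agrees to within rounding with the 120 : 113 traffic share counts shown in step g.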