Course: CCNP ENARSI Labs

Part 3: Tune and Optimize EIGRP for IPv6

In this part of the lab, you will tune and optimize EIGRP for IPv6 through the use of passive interfaces, default route redistribution, summary routes, authentication, load balancing, and route filtering.

Step 1: Configure specific interfaces as passive.

Passive interfaces are interfaces that only partially participate in the operation of a routing protocol. The network that a passive interface is connected to is advertised, but the routing protocol does not transmit routing protocol-specific traffic on that interface. Use passive interfaces when you have a connected network that you want to advertise, but you do not want protocol neighbors to appear on that interface. Interfaces supporting users should always be configured as passive. There are two ways to configure interfaces as passive. The first is to configure specific interfaces individually. The other is to make all interfaces passive by default. Normally, a device with many LAN interfaces will use the default option and then use the no form of the command on the specific interfaces that should be sending and receiving EIGRP messages.

a.  On PC1, run Wireshark and set the display capture filter to eigrp. You should see a hello message roughly every five seconds. If PC1 is capable of running EIGRP for IPv6, you might be able to form an adjacency and interact in the routing domain. This is not desirable.

b.  On R1, configure af-interface g0/0.2 to be passive.

R1(config)# router eigrp EIGRP_IPV6

R1(config-router)# address-family ipv6 unicast autonomous-system 43

R1(config-router-af)# af-interface g0/0.2

R1(config-router-af-interface)# passive-interface

R1(config-router-af-interface)# end

c.     On PC1, restart the Wireshark capture with the eigrp capture filter. You should no longer see EIGRP Hello messages.

Step 2: Configure interfaces from default to passive.

The second option for configuring passive interfaces is to configure them all as passive and then issue the no passive-interface command for certain interfaces. This approach is suitable in a security-focused scenario, or when the device has many LAN interfaces. The commands vary depending on whether you are using Classic or Named EIGRP.

a. In Classic EIGRP configuration, issue the passive-interface default command followed by the no passive-interface [interface designation] command for each interface that should be participating in EIGRP. As an example, configure this on R2, and then make interfaces G0/1 and G0/2 active. Note that you will lose EIGRP adjacencies until the interfaces are active.

R2(config)# ipv6 router eigrp 43

R2(config-rtr)# passive-interface default

R2(config-rtr)# no passive-interface g0/1

R2(config-rtr)# no passive-interface g0/2

R2(config-rtr)# end

b. In Named EIGRP configuration, you apply the passive-interface command to the af-interface default configuration, and then apply the no passive-interface command to each specific af-interface that should be active. On R3, set the af-interface default as passive and then configure G0/0 and G0/2 as active. Note that you will lose EIGRP adjacencies until the interfaces are active.

R3(config)# router eigrp EIGRP_IPV6

R3(config-router)# address-family ipv6 unicast autonomous-system 43

R3(config-router-af)# af-interface default

R3(config-router-af-interface)# passive-interface

R3(config-router-af-interface)# exit-af-interface

R3(config-router-af)# af-interface g0/0

R3(config-router-af-interface)# no passive-interface

R3(config-router-af-interface)# exit-af-interface

R3(config-router-af)# af-interface g0/2

R3(config-router-af-interface)# no passive-interface

R3(config-router-af-interface)# end

c. The output of show ipv6 protocols | include (passive) will give you a list of passive interfaces configured for EIGRP.

R3# show ipv6 protocols | include (passive)

  Loopback5 (passive)

  Loopback4 (passive)

  Loopback3 (passive)

  Loopback2 (passive)

  Loopback1 (passive)

Step 3: Propagate a default route.

EIGRP for IPv6 can be configured to propagate a default route to other EIGRP routers in the AS. This lab will explore two methods of propagating a default route, either by redistributing a default static route or by sharing a summary default route.

In this topology, interface Loopback 0 on R2 has been configured to simulate an internet destination. Therefore, we will configure a default route on R2 and then configure EIGRP for IPv6 to redistribute the route.

a.     Configure a static default route on R2 with an exit interface of Loopback0's IPv6 address.

R2(config)# ipv6 route ::/0 2001:db8:ff:999::1

Note: If you are using (VIOS-ADVENTERPRISEK9-M), Version 15.9(3)M6, you may get an error message: % Not allowed to point static routes through yourself. In this case, you can use ipv6 route ::/0 Null 0 instead.

b.     Enter EIGRP configuration mode and add the redistribute static command.

R2(config)# ipv6 router eigrp 43

R2(config-rtr)# redistribute static

R2(config-rtr)# end

c.     At R1, issue the show ipv6 route eigrp | begin EX  :: command. Notice the default route is present as an EIGRP external route with an AD of 170. Further, notice that individual routes for the 2001:db8:cede::/64 and 2001:db8:cede:1::/64 networks, representing R2 interfaces Lo1 and Lo2, are present in the routing table.

R1# show ipv6 route eigrp | begin EX  ::

EX  ::/0 [170/2570240]

     via FE80::2:1, GigabitEthernet0/1

D   2001:DB8:FF:999::/64 [90/2570240]

     via FE80::2:1, GigabitEthernet0/1

D   2001:DB8:ABCD:8::/64 [90/16000]

     via FE80::2:1, GigabitEthernet0/1

     via FE80::D1:1, GigabitEthernet0/0.1

D   2001:DB8:ABCD:9::/64 [90/16000]

     via FE80::2:1, GigabitEthernet0/1

     via FE80::D1:1, GigabitEthernet0/0.1

D   2001:DB8:ABCD:10::/64 [90/16000]

     via FE80::2:1, GigabitEthernet0/1

     via FE80::D1:1, GigabitEthernet0/0.1

D   2001:DB8:ABCD:11::/64 [90/16000]

     via FE80::2:1, GigabitEthernet0/1

     via FE80::D1:1, GigabitEthernet0/0.1

D   2001:DB8:ABCD:12::/64 [90/16000]

     via FE80::2:1, GigabitEthernet0/1

     via FE80::D1:1, GigabitEthernet0/0.1

D   2001:DB8:ACAD:3::/64 [90/15360]

     via FE80::D1:1, GigabitEthernet0/0.1

D   2001:DB8:CAFE:2::/64 [90/15360]

     via FE80::2:1, GigabitEthernet0/1

D   2001:DB8:CEDE::/64 [90/2570240]

     via FE80::2:1, GigabitEthernet0/1

D   2001:DB8:CEDE:1::/64 [90/2570240]

     via FE80::2:1, GigabitEthernet0/1

d.     On R2, remove the redistribute static command from EIGRP and remove the static default route.

e.     On R2, configure the ipv6 summary-address command on the GigabitEthernet0/0/0 and GigabitEthernet0/0/1 interfaces. Specify eigrp 43 and the route ::/0.

R2(config)# interface GigabitEthernet0/1

R2(config-if)# ipv6 summary-address eigrp 43 ::/0

R2(config-if)# interface GigabitEthernet0/2

R2(config-if)# ipv6 summary-address eigrp 43 ::/0

f.      Go to router R1 and use the show ipv6 route eigrp command to see the default route that has been injected into the routing table. Notice in the output that the route now appears as an internal EIGRP route with an AD of 90. Also notice that individual routes for the 2001:db8:cede::/64 and 2001:db8:cede:1::/64 networks, representing R2 interfaces Lo1 and Lo2, are no longer present in the routing table. The ipv6 summary-address ::/0 command replaced all individual routes that R2 was advertising.

Note: If you were to add another summary address on R2, similar to what you will do in the next sub-step, that summary would be advertised as well.

R1# show ipv6 route eigrp

<output omitted>

D   ::/0 [90/15360]

     via FE80::2:1, GigabitEthernet0/1

D   2001:DB8:ABCD:8::/64 [90/16000]

     via FE80::D1:1, GigabitEthernet0/0.1

D   2001:DB8:ABCD:9::/64 [90/16000]

     via FE80::D1:1, GigabitEthernet0/0.1

D   2001:DB8:ABCD:10::/64 [90/16000]

     via FE80::D1:1, GigabitEthernet0/0.1

D   2001:DB8:ABCD:11::/64 [90/16000]

     via FE80::D1:1, GigabitEthernet0/0.1

D   2001:DB8:ABCD:12::/64 [90/16000]

     via FE80::D1:1, GigabitEthernet0/0.1

D   2001:DB8:ACAD:3::/64 [90/15360]

     via FE80::D1:1, GigabitEthernet0/0.1

D   2001:DB8:CAFE:2::/64 [90/20480]

     via FE80::D1:1, GigabitEthernet0/0.1

Step 4: Configure an EIGRP for IPv6 Summary Address.

Router R3 is configured with five loopback interfaces that simulate five IPv6 LANs. Those LAN addresses appear in the other EIGRP routers as five individual routes. In order to limit the impact of these five LANs on routing tables and routing protocol traffic, the routes can be configured with a single route summary address that will enable all five networks to be reached without requiring separate information to be shared for each network.

a.     To optimize EIGRP for IPv6, on R3 summarize the loopback addresses as a single route and advertise the summary route in R3’s EIGRP updates to R1 and R2. Use the same summarization method that is used for IPv4 by finding the bits that all five addresses have in common. The IPv6 loopback addresses could be summarized as 2001:db8:abcd::/61, but common practice is not to split the summary at the nibble level. Therefore, summary masks will normally be 48, 52, 56, and 60 bits. For our exercise, we will specify a 56-bit mask, even though that summary would indicate more networks than R3 is hosting. After configuring the summary route on the interface, notice that the neighbor adjacency between R3 and both R2 and R1 is resynchronized (restarted).

R3(config)# router eigrp EIGRP_IPV6

R3(config-router)# address-family ipv6 unicast autonomous-system 43

R3(config-router-af)# af-interface g0/2

R3(config-router-af-interface)# summary-address 2001:db8:abcd::/56

R3(config-router-af-interface)# exit

R3(config-router-af)# af-interface g0/0

R3(config-router-af-interface)# summary-address 2001:db8:abcd::/56

R3(config-router-af-interface)# end

b.     Examine the routing table of R1 to verify that R1 is receiving only one summary route for the loopback interfaces.

R1# show ipv6 route eigrp

<output omitted>

D   ::/0 [90/15360]

     via FE80::2:1, GigabitEthernet0/1

D   2001:DB8:ABCD::/56 [90/16000]

     via FE80::D1:1, GigabitEthernet0/0.1

D   2001:DB8:ACAD:3::/64 [90/15360]

     via FE80::D1:1, GigabitEthernet0/0.1

D   2001:DB8:CAFE:2::/64 [90/20480]

     via FE80::D1:1, GigabitEthernet0/0.1

Step 5: Configure EIGRP authentication.

EIGRP for IPv6 supports authentication on an interface basis. In other words, each interface can be configured to require authentication of the connected peer. This ensures that connected devices that try to form an adjacency are authorized to do so. Classic EIGRP supports key-chain based MD5-hashed keys, while Named EIGRP adds support for SHA256-hashed keys. The two are not compatible.

In this step, you will configure both types of authentication to exercise the range of options available.

a. On R1, R2, and R3, create a key-chain named EIGRPv6-AUTHEN-KEY with a single key. The key should have the key-string $3cre7!!

R1(config)# key chain EIGRPv6-AUTHEN-KEY

R1(config-keychain)# key 1

R1(config-keychain-key)# key-string $3cre7!!

R1(config-keychain-key)# end

b.     On R2, configure interfaces G0/1 and G0/2 to use the key chain that you just created with MD5. Note that you will lose EIGRP adjacencies until the neighbor interfaces are configured.

R2(config)# interface g0/1

R2(config-if)# ipv6 authentication key-chain eigrp 43 EIGRPv6-AUTHEN-KEY

R2(config-if)# ipv6 authentication mode eigrp 43 md5

R2(config-if)# exit

R2(config)# interface g0/2

R2(config-if)# ipv6 authentication key-chain eigrp 43 EIGRPv6-AUTHEN-KEY

R2(config-if)# ipv6 authentication mode eigrp 43 md5

R2(config-if)# end

c.     Configure interfaces GigabitEthernet0/0/0 on R1 and R3 to use the key chain with MD5. EIGRP adjacencies with R2 should be restored.

R1(config)# router eigrp EIGRP_IPV6

R1(config-router)# address-family ipv6 unicast autonomous-system 43

R1(config-router-af)# af-interface g0/1

R1(config-router-af-interface)# authentication key-chain EIGRPv6-AUTHEN-KEY

R1(config-router-af-interface)# authentication mode md5

R1(config-router-af-interface)# end

d.     Use the show ipv6 eigrp interface detail | section Gi0/1 command to verify authentication is in place and what type it is.

R1# show ipv6 eigrp interface detail | section Gi0/1

Gi0/1                  1        0/0       0/0           1       0/050           0

  Hello-interval is 5, Hold-time is 15

  Split-horizon is enabled

  Next xmit serial <none>

  Packetized sent/expedited: 14/2

  Hello's sent/expedited: 186/4

  Un/reliable mcasts: 0/11  Un/reliable ucasts: 15/7

  Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 0

  Retransmissions sent: 3  Out-of-sequence rcvd: 0

  Topology-ids on interface - 0

  Authentication mode is md5,  key-chain is "EIGRP-AUTHEN-KEY"

  Topologies advertised on this interface:  base

  Topologies not advertised on this interface:

e. On R1, R3 and D2, configure HMAC-SHA-256 based authentication using the same shared secret, $3cre7!!, on R1 interface G0/0.1, R3 interface G0/0, and D2 interfaces G0/0 and G0/1. Note that EIGRP adjacency will be lost until both ends of a link are configured.

R1(config)# router eigrp EIGRP_IPV6

R1(config-router)# address-family ipv6 unicast autonomous-system 43

R1(config-router-af)# af-interface g0/0.1

R1(config-router-af-interface)# authentication mode hmac-sha-256 $3cre7!!

R1(config-router-af-interface)# end

f. Use the show ipv6 eigrp interface detail command to verify authentication is in place and what type it is.

R1# show ipv6 eigrp interface detail | section Gi0/0.1

Gi0/0.1                1        0/0       0/0           3       0/050           0

  Hello-interval is 5, Hold-time is 15

  Split-horizon is enabled

  Next xmit serial <none>

  Packetized sent/expedited: 27/1

  Hello's sent/expedited: 582/3

  Un/reliable mcasts: 0/28  Un/reliable ucasts: 35/11

  Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 0

  Retransmissions sent: 2  Out-of-sequence rcvd: 0

  Topology-ids on interface - 0

  Authentication mode is HMAC-SHA-256, key-chain is not set

  Topologies advertised on this interface:  base

  Topologies not advertised on this interface:
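
One way to check the result of Steps 1, 2 and 5 together is to confirm that every interface left active for EIGRP also authenticates its neighbors. The Python below is an added example, not part of the lab: it parses named-mode af-interface stanzas from a constructed running-config excerpt (GigabitEthernet0/1, GigabitEthernet0/3 and the EXAMPLE-SECRET placeholder are illustrative), assumes that unset values inherit from af-interface default, and reports only interfaces that have their own stanza.

```python
import re

# Constructed excerpt modelled on the lab's named-mode commands (not lab output).
SAMPLE_CONFIG = """\
router eigrp EIGRP_IPV6
 address-family ipv6 unicast autonomous-system 43
  af-interface default
   passive-interface
  exit-af-interface
  af-interface GigabitEthernet0/0
   authentication mode hmac-sha-256 EXAMPLE-SECRET
   no passive-interface
  exit-af-interface
  af-interface GigabitEthernet0/2
   authentication mode md5
   authentication key-chain EIGRPv6-AUTHEN-KEY
   no passive-interface
  exit-af-interface
  af-interface GigabitEthernet0/1
   no passive-interface
  exit-af-interface
  af-interface GigabitEthernet0/3
   bandwidth-percent 25
  exit-af-interface
"""

def parse_af_interfaces(config):
    """Collect passive and authentication settings per af-interface stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        match = re.fullmatch(r"af-interface (\S+)", line)
        if match:
            current = stanzas.setdefault(match.group(1), {"passive": None, "auth": None})
        elif line == "exit-af-interface":
            current = None
        elif current is not None:
            if line in ("passive-interface", "no passive-interface"):
                current["passive"] = not line.startswith("no ")
            elif line.startswith("authentication mode "):
                current["auth"] = line.split()[2]
    return stanzas

def audit(config):
    """Return {interface: finding}; unset values inherit from af-interface default."""
    stanzas = parse_af_interfaces(config)
    default = stanzas.pop("default", {"passive": None, "auth": None})
    findings = {}
    for name, own in stanzas.items():
        passive = own["passive"] if own["passive"] is not None else bool(default["passive"])
        auth = own["auth"] or default["auth"]
        if passive:
            findings[name] = "passive: advertised, no hellos sent"
        elif auth is None:
            findings[name] = "ACTIVE WITHOUT AUTHENTICATION"
        else:
            findings[name] = f"active, authentication mode {auth}"
    return findings

if __name__ == "__main__":
    for interface, finding in audit(SAMPLE_CONFIG).items():
        print(f"{interface:22} {finding}")
```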

Step 6: Manipulate load balancing with variance.

By default, load balancing occurs only over equal-cost paths. EIGRP supports up to four equal cost paths by default but can be configured to support as many as 32 with the maximum-paths command.

EIGRP has the added capability to load balance over unequal-cost paths. Load balancing is controlled by the variance parameter. Its value is a multiplier that is used to determine how to deal with multiple paths to the same destination.

Variance is set to 1 by default, so any paths up to the configured maximum number of paths that have an FD equal to the best current FD are also offered to the routing table. This provides equal cost load balancing.

The variance parameter can also be set to zero, which dictates that no load balancing takes place.

The variance parameter can be adjusted so that paths that have an FD that is less than or equal to variance times the current best FD are also considered as successors and installed into the routing table. There is an extremely important distinction here: to be a feasible successor, the RD of a path must be less than the current best FD. To be considered for unequal-cost load balancing, the current best FD is multiplied by the variance value, and if the FD of the feasible successor is less than or equal to the product of this calculation, the feasible successor is promoted to successor.

There are two caveats: first, only feasible successors are considered; second, with unequal-cost load balancing, traffic share is proportional to the best metric in the routing table for the given path.

Note: Keep in mind that your routing table may be different than the one created by the examples in this lab. If your results are different, examine them carefully to determine why so that you can thoroughly understand how EIGRP is operating.

a.     Before manipulating variance, R3 needs to see individual routes from R2 instead of a summary. Therefore, remove the summary routes on R2 so that it will again advertise more specific EIGRP routes to R3.

R2(config-if)# interface g0/1

R2(config-if)# no ipv6 summary-address eigrp 43 ::/0

R2(config-if)# exit

R2(config)# interface g0/2

R2(config-if)# no ipv6 summary-address eigrp 43 ::/0

R2(config-if)# end

b.   On R3, verify that there are again two equal-cost paths to 2001:db8:acad:2::/64. In this example, the IPv6 address must be entered in ALL CAPS.

R3# show ipv6 route eigrp | section 2001:DB8:ACAD:2::/64

D   2001:DB8:ACAD:2::/64 [90/20480]

     via FE80::D1:2, GigabitEthernet0/0

     via FE80::2:2, GigabitEthernet0/2

c.     To change this and allow for the demonstration of variance, change the interface bandwidth for the R2 interfaces G0/0 and G0/2 to 800000.

R2(config)# interface g0/1

R2(config-if)# bandwidth 800000

R2(config-if)# exit

R2(config)# interface g0/2

R2(config-if)# bandwidth 800000

R2(config-if)# end

d.    When you examine the routing table on R3, you see that there is no load balancing occurring. All destinations have a single path.

R3# show ipv6 route eigrp | section 2001:DB8:ACAD:2::/64

D   2001:DB8:ACAD:2::/64 [90/20480]

     via FE80::D1:2, GigabitEthernet0/0

e. However, we know there are multiple paths in the network. The first consideration for manipulating variance is that it only works with feasible successors. Examining the topology table on R3 shows that there is a feasible successor for the 2001:db8:acad:2::/64 network. The route via fe80::2:2 out the G0/2 interface has an RD less than the FD for the current successor.

R3# show ipv6 eigrp topology | section 2001:DB8:ACAD:2::/64

P 2001:DB8:ACAD:2::/64, 1 successors, FD is 2621440

        via FE80::D1:2 (2621440/1966080), GigabitEthernet0/0/1

        via FE80::2:2 (2785280/2129920), GigabitEthernet0/0/0

f.      To use the other route for unequal cost load balancing, we can set the variance parameter to 2. This means that any feasible successor path with an FD less than or equal to 5242880 will qualify as a successor (2 x 2621440 = 5242880).

R3(config)# router eigrp EIGRP_IPV6

R3(config-router)# address-family ipv6 unicast autonomous-system 43

R3(config-router-af)# topology base

R3(config-router-af-topology)# variance 2

R3(config-router-af-topology)# exit

R3(config-router-af)#  exit

R3(config-router)# exit

R3(config)# end

g.     The output of the show ipv6 route eigrp command now displays two paths available to the 2001:db8:acad:2::/64 network. Notice that the routes have different metrics, but are listed and used just the same. Also, notice adding variance 2 adds a second path to the 2001:db8:cafe:1::/64 network.

R3# show ipv6 route eigrp

<output omitted>

D   2001:DB8:FF:999::/64 [90/2570240]

     via FE80::2:2, GigabitEthernet0/2

D   2001:DB8:ABCD::/56 [5/1280]

     via Null0, directly connected

D   2001:DB8:ACAD:2::/64 [90/20480]

     via FE80::D1:2, GigabitEthernet0/0

     via FE80::2:2, GigabitEthernet0/2

D   2001:DB8:ACAD:3::/64 [90/15360]

     via FE80::D1:2, GigabitEthernet0/0

D   2001:DB8:CAFE:1::/64 [90/16640]

     via FE80::2:2, GigabitEthernet0/2

     via FE80::D1:2, GigabitEthernet0/0

D   2001:DB8:CEDE::/64 [90/2570240]

     via FE80::2:2, GigabitEthernet0/2

D   2001:DB8:CEDE:1::/64 [90/2570240]

     via FE80::2:2, GigabitEthernet0/2
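
The two tests a path must pass before variance installs it can be checked against R3's topology entries from step 6e. The Python below is an added example, not part of the lab; the third path (FE80::BAD:1) and all function names are constructed to show that a path failing the feasibility condition is never installed, even when its metric is within the variance range.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Path:
    next_hop: str
    distance: int  # metric computed by this router through the neighbor
    rd: int        # reported distance advertised by the neighbor

# R3's topology entries for 2001:DB8:ACAD:2::/64 as shown in step 6e, plus one
# constructed path (FE80::BAD:1) that is not part of the lab topology.
R3_PATHS = [
    Path("FE80::D1:2", 2621440, 1966080),
    Path("FE80::2:2", 2785280, 2129920),
    Path("FE80::BAD:1", 3000000, 2700000),  # constructed: RD exceeds the best FD
]

def classify(paths, variance=1):
    """Return {next_hop: verdict} for one destination prefix."""
    best_fd = min(p.distance for p in paths)
    verdicts = {}
    for p in paths:
        if p.distance == best_fd:
            verdicts[p.next_hop] = "successor"
        elif p.rd >= best_fd:
            # Fails the feasibility condition, so variance never considers it.
            verdicts[p.next_hop] = "not feasible"
        elif p.distance <= variance * best_fd:
            verdicts[p.next_hop] = "installed by variance"
        else:
            verdicts[p.next_hop] = "feasible successor only"
    return verdicts

def installed(paths, variance=1, maximum_paths=4):
    """Next hops offered to the routing table, lowest metric first."""
    verdicts = classify(paths, variance)
    keep = [p for p in paths if verdicts[p.next_hop] in ("successor", "installed by variance")]
    return [p.next_hop for p in sorted(keep, key=lambda p: p.distance)][:maximum_paths]

def minimum_variance(paths, next_hop):
    """Smallest integer variance that installs next_hop, or None if it is not feasible."""
    best_fd = min(p.distance for p in paths)
    path = next(p for p in paths if p.next_hop == next_hop)
    if path.distance != best_fd and path.rd >= best_fd:
        return None
    return -(-path.distance // best_fd)  # ceiling division

if __name__ == "__main__":
    for variance in (1, 2):
        print(variance, installed(R3_PATHS, variance), classify(R3_PATHS, variance))
```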

 

Step 7: Filter EIGRP routes using a prefix list.

In this step, you will configure a filter at R2 to block propagation of the network 2001:db8:cafe:1::/64 to R3.

a.  On R3, issue the show ipv6 route 2001:db8:cafe:1::/64 command. The output should list two successors, one via fe80::2:2 and one via fe80::d1:2. We want to filter the route via fe80::2:2.

R3# show ipv6 route 2001:db8:cafe:1::/64

Routing entry for 2001:DB8:CAFE:1::/64

  Known via "eigrp 43", distance 90, metric 16640, type internal

  Route count is 2/2, share count 0

  Routing paths:

    FE80::2:2, GigabitEthernet0/2

      From FE80::2:2

      Last updated 00:05:00 ago

    FE80::D1:2, GigabitEthernet0/0

      From FE80::D1:2

      Last updated 00:04:35 ago

b.     On R2, create an IPv6 prefix list that matches the 2001:db8:cafe:1::/64 network.

R2(config)# ipv6 prefix-list DROP-CAFE-1 seq 10 deny 2001:db8:cafe:1::/64

R2(config)# ipv6 prefix-list DROP-CAFE-1 seq 20 permit ::/0 le 128

R2(config)# end

c.     On R2, apply the prefix list as a distribute list for updates exiting the G0/2 interface towards R3.

R2(config)# ipv6 router eigrp 43

R2(config-rtr)# distribute-list prefix-list DROP-CAFE-1 out g0/2

R2(config-rtr)# exit

R2(config)# end

d.   On R3, issue the show ipv6 route 2001:db8:cafe:1::/64 command. The output should now list one successor fe80::d1:2. Verify that R3 no longer has a successor route via fe80::2:2 to the 2001:db8:cafe:1::/64 network.    

R3# show ipv6 route 2001:db8:cafe:1::/64

Routing entry for 2001:DB8:CAFE:1::/64

  Known via "eigrp 43", distance 90, metric 20480, type internal

  Route count is 1/1, share count 0

  Routing paths:

    FE80::D1:2, GigabitEthernet0/0

      From FE80::D1:2

      Last updated 00:15:29 ago
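
When a prefix list is used as a distribute list, the catch-all entry decides what else is still advertised. The Python below is an added example, not part of the lab: it models IOS prefix-list matching (entries in sequence order, exact prefix length unless ge/le is given, implicit deny at the end) and compares a catch-all written as permit ::/0 with one written as permit ::/0 le 128, using prefixes that appear in the lab's routing tables. The list and function names are constructed for illustration.

```python
import ipaddress

def parse_entry(line):
    """Parse 'ipv6 prefix-list NAME seq N permit|deny PREFIX [ge X] [le Y]'."""
    tokens = line.split()
    seq, action = int(tokens[4]), tokens[5]
    prefix = ipaddress.ip_network(tokens[6])
    options = dict(zip(tokens[7::2], map(int, tokens[8::2])))
    if options:
        low = options.get("ge", prefix.prefixlen)
        high = options.get("le", 128)
    else:
        low = high = prefix.prefixlen  # no ge/le: the length must match exactly
    return seq, action, prefix, low, high

def evaluate(prefix_list, route):
    """First matching entry wins; a route that matches nothing is denied."""
    route = ipaddress.ip_network(route)
    entries = sorted((parse_entry(line) for line in prefix_list), key=lambda e: e[0])
    for seq, action, prefix, low, high in entries:
        if low <= route.prefixlen <= high and route.subnet_of(prefix):
            return action, seq
    return "deny", None  # implicit deny at the end of every prefix list

# Catch-all without le: matches only the default route itself.
EXACT_DEFAULT = [
    "ipv6 prefix-list DROP-CAFE-1 seq 10 deny 2001:db8:cafe:1::/64",
    "ipv6 prefix-list DROP-CAFE-1 seq 20 permit ::/0",
]
# Catch-all with le 128: matches every IPv6 prefix of any length.
PERMIT_ALL = [
    "ipv6 prefix-list DROP-CAFE-1 seq 10 deny 2001:db8:cafe:1::/64",
    "ipv6 prefix-list DROP-CAFE-1 seq 20 permit ::/0 le 128",
]
# Prefixes taken from the lab's routing tables.
ROUTES = [
    "2001:db8:cafe:1::/64",
    "2001:db8:cede::/64",
    "2001:db8:cede:1::/64",
    "2001:db8:ff:999::/64",
    "::/0",
]

def advertised(prefix_list, routes=ROUTES):
    """Routes that survive the filter and would still be sent to the neighbor."""
    return [r for r in routes if evaluate(prefix_list, r)[0] == "permit"]

if __name__ == "__main__":
    print("permit ::/0        ->", advertised(EXACT_DEFAULT))
    print("permit ::/0 le 128 ->", advertised(PERMIT_ALL))
```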