The assumed starting point with this lab is that all devices have been cabled, and IP addressing has been set on all serial, ethernet, and loopback adapters. Since I already covered PPP authentication in my previous lab, you can either opt to enable it, or just enter encapsulation ppp on the interfaces and forgo the authentication. EIGRP authentication will be enabled on the 10.0.0.0/8 network.
If you are continuing this lab directly after the OSPF lab, you can easily clear your OSPF settings, and keep everything else, by entering
R1(config)# no router ospf 1
R2(config)# no router ospf 1
R3(config)# no router ospf 1
Remember that with EIGRP, there aren't special neighbor relationship states like in OSPF. Routers will either become neighbors with one another, or they will not, depending on if they pass the requirements to be neighbors-if you can't recall these, they are:
operating in the same subnet
both configured with the same AS number
matching K values
successful authentication
Interestingly, the hello timers do not need to match, however if you do modify the hello/dead timers, you need to ensure that the configuration will work, and a neighboring router's dead timer does not expire.
To begin, we will start at router R1. Keeping in mind that we must use matching AS numbers, we will use the value 7 for our AS number on this network. Like OSPF, EIGRP uses wildcard masks with its network statements.
R1(config)# router eigrp 7
R1(config-router)#network 10.0.0.0 255.0.0.0
R1(config-router)#network 172.30.1.0 0.0.0.255
R1(config-router)#network 192.100.254.0 0.0.0.3
R2(config)#router eigrp 7
R2(config-router)#network 10.0.0.0 255.0.0.0
R2(config-router)#network 172.30.2.0 0.0.0.255
R2(config-router)#network 192.100.254.0 0.0.0.3
R2(config-router)#network 192.100.254.4 0.0.0.3
R3(config)#router eigrp 7
R3(config-router)#network 10.0.0.0 255.0.0.0
R3(config-router)#network 172.30.3.0 0.0.0.255
R3(config-router)#network 192.100.254.4 0.0.0.3
Next, we will configure EIGRP authentication over the 10.0.0.0/8 network. EIGRP authentication is slightly more complex then the configuration set on OSPF and has a few more features available.
EIGRP uses the concept of key chains. These key chains can be given a lifespan, so that you can automatically rotate different passwords amongst the routers based on two parameters- accept-lifetime and send-lifetime. The router dates and clocks must be synchronized in order for key lifetime to work correctly.
Starting on R1, our first step will be to create a key chain.
R1(config)#key chain red
Next, we define an individual key by giving it a number and a name
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string LAN
In this lab, I won't be configuring lifetimes for the keys, but the command syntax is:
accept-lifetime [H:M:S] [month] [day number] [yyyy] [H:M:S] [month] [day number]
The send-lifetime command uses the same parameters.
Now we will instruct the router to use this key on its fa0/0 port
R1(config)#int fa0/0
R1(config-if)#ip authentication mode eigrp 7 md5
R1(config-if)#ip authentication key-chain eigrp 7 red
Now, for authentication to be successful (and for the neighbor relationships to form again) the key-strings and key numbers for R1, R2 and R3 must match. The key chain name does not need to match.
R2(config)#key chain blue
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string LAN
R2(config-keychain-key)#int fa0/0
R2(config-if)#ip authentication mode eigrp 7 md5
R2(config-if)#ip authentication key-chain eigrp 7 blue
R2 and R1 should now be neighbors on the 10.0.0.0/8 network. You can confirm this with the command
show ip eigrp neighbors. You will see 10.0.0.1 listed, but not 10.0.0.3 as authentication has not yet been configured on R3.
Authentication will now be configured on R3
R3(config)#key chain yellow
R3(config-keychain)#key 1
R3(config-keychain-key)#key-string LAN
R3(config-keychain-key)#int fa0/0
R3(config-if)#ip authentication mode eigrp 7 md5
R3(config-if)#ip authentication key-chain eigrp 7 yellow
Now, when you run show neighbors on R2, you will also see R3 as authentication matches between the three routers on the 10.0.0.0/8 network.
In a subsequent post, this lab will be expanded on and I will go into further detail about tweaking successor routes and feasible successor routes by changing the bandwidth and delay value on the links.
No comments:
Post a Comment