Tasks
- Establish EIGRP adjacencies using both Named Mode and traditional EIGRP
- Each EIGRP Autonomous System must be in it's own VRF on the Hub Router (R2)
- Use authentication between a pair of neighbors
- BONUS: Leak routes from 1 VRF to another
Using the topology below configure the tasks from above.
Notes:
R1
- Traditional EIGRP configuration
- NO VRF's
R2
- Named EIGRP configuration
- 2 VRF's
- Authentication to R3
- BONUS: Leak routes from 1 VRF to another
R3
- Traditional EIGRP configuration
- NO VRF's
- Authentication to R2
Approx. Lab Time: 10 - 15 Minutes
Configs - Phase 1: Interfaces and Loopbacks
R1:
interface Loopback1
description "Loopback for EIGRP advertisments"
ip address 1.1.1.1 255.255.255.255
interface FastEthernet0/0
description "Connection to R2"
ip address 10.0.12.1 255.255.255.0
no shut
R2:
! Establish VRF's
! R1 -> R2 = VRF 12
! R2 -> R3 = VRF 23
ip vrf 12
rd 12:12
ip vrf 23
rd 23:23
! Configure interfaces & Loopbacks
interface Loopback12
description "Loopback for EIGRP advertisement"
ip vrf forwarding 12
ip address 12.12.12.12 255.255.255.255
interface Loopback23
description "Loopback for EIGRP advertisement"
ip vrf forwarding 23
ip address 23.23.23.23 255.255.255.255
interface FastEthernet0/0
description "Connection to R1"
ip vrf forwarding 12
ip address 10.0.12.2 255.255.255.0
no shut
interface FastEthernet1/0
description "Connection to R2"
ip vrf forwarding 23
ip address 10.0.23.2 255.255.255.0
no shut
R3:
interface Loopback3
description "Loopback for EIGRP advertisement"
ip address 3.3.3.3 255.255.255.255
interface FastEthernet1/0
description "Connection to R2"
ip address 10.0.23.3 255.255.255.0
no shut
Verify:
R1:
R1#ping 10.0.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/31/40 ms
R2:
R2#ping vrf 12 10.0.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/28/40 ms
R2#ping vrf 23 10.0.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/25/28 ms
R3:
R3#ping 10.0.23.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.23.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/31/40 ms
Configs - Phase 2: EIGRP
EIGRP between R1 --> R2 = AS 12
EIGRP between R2 --> R3 = AS 23
R1: Traditional EIGRP Configuration
router eigrp 12
network 0.0.0.0
R2: EIGRP Named Configuration
router eigrp central
!
address-family ipv4 unicast vrf 12 autonomous-system 12
!
topology base
exit-af-topology
network 0.0.0.0
exit-address-family
!
address-family ipv4 unicast vrf 23 autonomous-system 23
!
topology base
exit-af-topology
network 0.0.0.0
exit-address-family
!
R3: Traditional EIGRP Configuration
router eigrp 23
network 0.0.0.0
Verify:
R1:
R1#sho ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(12)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 10.0.12.2 Fa0/0 10 01:14:52 56 336 0 3
R1#sho ip eigrp topology
EIGRP-IPv4 Topology Table for AS(12)/ID(1.1.1.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 12.12.12.12/32, 1 successors, FD is 28160
via 10.0.12.2 (28160/256), FastEthernet0/0
P 1.1.1.1/32, 1 successors, FD is 128256
via Connected, Loopback1
P 10.0.12.0/24, 1 successors, FD is 28160
via Connected, FastEthernet0/0
R1#ping 12.12.12.12 so lo 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.12.12.12, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/27/40 ms
R2:
R2#sho eigrp address-family ipv4 vrf 12 neighbors
EIGRP-IPv4 VR(central) Address-Family Neighbors for AS(12)
VRF(12)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 10.0.12.1 Fa0/0 13 01:07:53 1406 5000 0 3
R2#sho eigrp address-family ipv4 vrf 12 topology
EIGRP-IPv4 VR(central) Topology Table for AS(12)/ID(12.12.12.12)
Topology(base) TID(0) VRF(12)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 12.12.12.12/32, 1 successors, FD is 163840
via Connected, Loopback12
P 1.1.1.1/32, 1 successors, FD is 340787200
via 10.0.12.1 (340787200/327761920), FastEthernet0/0
P 10.0.12.0/24, 1 successors, FD is 13107200
via Connected, FastEthernet0/0
R2#sho eigrp address-family ipv4 vrf 23 neighbors
EIGRP-IPv4 VR(central) Address-Family Neighbors for AS(23)
VRF(23)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 10.0.23.3 Fa1/0 14 01:08:07 1379 5000 0 3
R2#sho eigrp address-family ipv4 vrf 23 topology
EIGRP-IPv4 VR(central) Topology Table for AS(23)/ID(23.23.23.23)
Topology(base) TID(0) VRF(23)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 23.23.23.23/32, 1 successors, FD is 163840
via Connected, Loopback23
P 10.0.23.0/24, 1 successors, FD is 13107200
via Connected, FastEthernet1/0
P 3.3.3.3/32, 1 successors, FD is 340787200
via 10.0.23.3 (340787200/327761920), FastEthernet1/0
R2#ping vrf 12 1.1.1.1 so lo 12
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 12.12.12.12
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/28/36 ms
R2#ping vrf 23 3.3.3.3 so lo 23
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 23.23.23.23
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/28/36 ms
R3:
R3#sho ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(23)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 10.0.23.2 Fa1/0 13 01:12:58 47 282 0 3
R3#sho ip eigrp topology
EIGRP-IPv4 Topology Table for AS(23)/ID(3.3.3.3)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 23.23.23.23/32, 1 successors, FD is 28160
via 10.0.23.2 (28160/256), FastEthernet1/0
P 10.0.23.0/24, 1 successors, FD is 28160
via Connected, FastEthernet1/0
P 3.3.3.3/32, 1 successors, FD is 128256
via Connected, Loopback3
R3#ping 23.23.23.23 so lo 3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.23, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/25/32 ms
Configs - Phase 3: EIGRP Authentication
NOTE: When applying the authentication configs your neighbors WILL bounce.
R2: Named EIGRP Address Family Authentication
! Establish a key chain and shared key string
key chain to-r3
key 23
key-string p@ssw0rd
! EIGRP Authentication commands go under the address-family NOT the interface!!!
router eigrp central
!
address-family ipv4 unicast vrf 23 autonomous-system 23
!
af-interface FastEthernet1/0
authentication mode md5
authentication key-chain to-r3
exit-af-interface
!
exit-address-family
R3: Traditional EIGRP Authentication
! Establish and key chain and shared key string
key chain to-r2
key 23
key-string p@ssw0rd
! EIGRP authentication commands go under the interface config
interface FastEthernet1/0
description "Connection to R2"
ip address 10.0.23.3 255.255.255.0
no shut
ip authentication mode eigrp 23 md5
ip authentication key-chain eigrp 23 to-r2
Verify:
R2 & R3:
- Use the same commands and technique from above to verify your adjacency is still up.
- Check your Key Strings:
R3#sho key chain to-r2
Key-chain to-central:
key 23 -- text "p@ssw0rd"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
- debug to verify authentication
Successful Authentication:
R3#debug eigrp packets
*Mar 21 12:07:33.367: EIGRP: received packet with MD5 authentication, key id = 23
*Mar 21 12:07:33.367: EIGRP: Received HELLO on Fa1/0 - paklen 60 nbr 10.0.23.2
Password Mis-match:
R3#debug eigrp packets
*Mar 21 12:10:42.363: EIGRP: pkt key id = 23, authentication mismatch
*Mar 21 12:10:42.367: EIGRP: Fa1/0: ignored packet from 10.0.23.2, opcode = 5 (invalid authentication)
Mis-configured Authentication: (1 side configured, the other side NOT configured)
R3#debug eigrp packets
*Mar 21 12:16:30.263: EIGRP: Fa1/0: ignored packet from 10.0.23.2, opcode = 5 (missing authentication)
BONUS: Leak EIGRP routes from 1 VRF to another
TASK: Ping from R1 to R3
We must:
- Configure import and export route-targets for both VRF's
- Configure BGP and redistribute EIGRP into BGP
- Redistribute BGP back into EIGRP
Configs - Phase 1: Route-targets and Redistribution
R2:
! Configure import and export route-targets for both VRF's
ip vrf 12
route-target import 23:23
route-target export 12:12
!
ip vrf 23
route-target import 12:12
route-target export 23:23
exit
! Configure BGP and redistribute EIGRP into BGP
router bgp 65535
address-family ipv4 vrf 12
redistribute eigrp 12
exit
address-family ipv4 vrf 23
redistribute eigrp 23
exit
Verify - Phase 1:
R2:
R2#sho bgp vpnv4 unicast all
BGP table version is 37, local router ID is 123.123.123.123
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 12:12 (default for vrf 12)
*> 1.1.1.1/32 10.0.12.1 2662400 32768 ?
*> 3.3.3.3/32 10.0.23.3 2662400 32768 ?
*> 10.0.12.0/24 0.0.0.0 0 32768 ?
*> 10.0.23.0/24 0.0.0.0 0 32768 ?
*> 12.12.12.12/32 0.0.0.0 0 32768 ?
*> 23.23.23.23/32 0.0.0.0 0 32768 ?
Route Distinguisher: 23:23 (default for vrf 23)
*> 1.1.1.1/32 10.0.12.1 2662400 32768 ?
*> 3.3.3.3/32 10.0.23.3 2662400 32768 ?
*> 10.0.12.0/24 0.0.0.0 0 32768 ?
*> 10.0.23.0/24 0.0.0.0 0 32768 ?
*> 12.12.12.12/32 0.0.0.0 0 32768 ?
*> 23.23.23.23/32 0.0.0.0 0 32768 ?
R2#
At this point the routes for both VRF's are in both VRF's local routing tables. We still cannot ping from R1 to R3 because they aren't aware of each other's networks. The routes from R2 are not being propagated out to R1 & R3. We need to redistribute the routes from BGP-->EIGRP.
Configs - Phase 2: Redistribute BGP into EIGRP
R2:
router eigrp central
address-family ipv4 unicast vrf 12 autonomous-system 12
topology base
redistribute bgp 65535 metric 1000 100 255 1 1500
exit
exit
address-family ipv4 unicast vrf 23 autonomous-system 23
topology base
redistribute bgp 65535 metric 1000 100 255 1 1500
exit
exit
Verify - Phase 2:
R1:
R1#sho ip route | b Gate
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
C 1.1.1.1 is directly connected, Loopback1
3.0.0.0/32 is subnetted, 1 subnets
D EX 3.3.3.3 [170/2588160] via 10.0.12.2, 00:08:52, FastEthernet0/0
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 10.0.12.0/24 is directly connected, FastEthernet0/0
L 10.0.12.1/32 is directly connected, FastEthernet0/0
D EX 10.0.23.0/24 [170/2588160] via 10.0.12.2, 00:08:52, FastEthernet0/0
12.0.0.0/32 is subnetted, 1 subnets
D 12.12.12.12 [90/28160] via 10.0.12.2, 01:45:05, FastEthernet0/0
23.0.0.0/32 is subnetted, 1 subnets
D EX 23.23.23.23 [170/2588160] via 10.0.12.2, 00:08:52, FastEthernet0/0
R1#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/60/72 ms
R3:
R3#sho ip route | b Gate
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
D EX 1.1.1.1 [170/2588160] via 10.0.23.2, 00:00:10, FastEthernet1/0
3.0.0.0/32 is subnetted, 1 subnets
C 3.3.3.3 is directly connected, Loopback3
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
D EX 10.0.12.0/24 [170/2588160] via 10.0.23.2, 00:00:10, FastEthernet1/0
C 10.0.23.0/24 is directly connected, FastEthernet1/0
L 10.0.23.3/32 is directly connected, FastEthernet1/0
12.0.0.0/32 is subnetted, 1 subnets
D EX 12.12.12.12 [170/2588160] via 10.0.23.2, 00:00:10, FastEthernet1/0
23.0.0.0/32 is subnetted, 1 subnets
D 23.23.23.23 [90/28160] via 10.0.23.2, 01:37:00, FastEthernet1/0
R3#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/71/104 ms
No comments:
Post a Comment