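EIGRP Neighbor Establishment Conditions
Conditions for establishing an EIGRP neighbor relationship:
1. Adjacent devices must use the same AS number
2. All devices in the AS must use the same K values. By default: K1=1, K2=0, K3=1, K4=0, K5=0
K1=bandwidth K2=load K3=delay K4=reliability K5=MTU
Configuration: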
router eigrp 90
metric weights 0 1 1 1 1 1 //change the K values to K1=1, K2=1, K3=1, K4=1, K5=1
R1#show eigrp protocols
EIGRP-IPv4 Protocol for AS(90)
Metric weight K1=1, K2=1, K3=1, K4=1, K5=1
*Apr 10 13:14:33.507: %DUAL-5-NBRCHANGE: EIGRP-IPv4 90: Neighbor 15.1.1.1 (Ethernet0/2) is down: K-value mismatch
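3. The primary addresses on the primary interfaces must be able to ping each other within the smaller of the two address ranges; the mask lengths may differ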
*Apr 10 13:21:38.656: %DUAL-6-NBRINFO: EIGRP-IPv4 90: Neighbor 150.1.1.5 (Ethernet0/2) is blocked: not on common subnet (15.1.1.1/24)
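4. Authentication: EIGRP supports ciphertext (MD5) authentication; named-mode EIGRP also supports HMAC authentication
Configuration:
Step 1: configure the key chain and key
key chain QYT //define the key chain; the name is locally significant, but using the same name on both ends is recommended
key 1 //specify the key ID
key-string cisco //specify the key's password
Step 2: enable authentication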
interface Ethernet0/2
ip address 15.1.1.5 255.255.255.0
ip authentication mode eigrp 90 md5 //first enable MD5 authentication
ip authentication key-chain eigrp 90 QYT //apply the key-chain
R5#show ip eigrp interfaces detail e0/2
EIGRP-IPv4 Interfaces for AS(90)
Xmit Queue PeerQ Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable Un/Reliable SRTT Un/Reliable Flow Timer Routes
Et0/2 0 0/0 0/0 0 0/2 50 0
Hello-interval is 5, Hold-time is 15
Split-horizon is enabled
Next xmit serial <none>
Packetized sent/expedited: 31/4
Hello's sent/expedited: 518/2
Un/reliable mcasts: 0/21 Un/reliable ucasts: 36/18
Mcast exceptions: 1 CR packets: 1 ACKs suppressed: 4
Retransmissions sent: 1 Out-of-sequence rcvd: 2
Topology-ids on interface - 0
Authentication mode is md5, key-chain is "QYT" //MD5 authentication is enabled on the interface and key-chain "QYT" is applied
R5#debug eigrp packet //use the debug command to analyse authentication
Case 1:
*Dec 13 12:01:47.374: EIGRP: Et0/2: ignored packet from 15.1.1.1, opcode = 1 (missing authentication or key-chain missing) //MD5 authentication is enabled on the interface, but no key-chain is applied
R5#
*Dec 13 12:01:49.227: EIGRP: Et0/2: ignored packet from 15.1.1.1, opcode = 5 (missing authentication or key-chain missing)
Case 2:
*Dec 13 12:04:59.751: EIGRP: Et0/2: ignored packet from 15.1.1.1, opcode = 5 (missing authentication) //the local end has MD5 enabled and the key-chain applied
*Dec 13 12:05:00.602: EIGRP: Sending HELLO on Et0/2 - paklen 60
*Dec 13 12:05:00.602: AS 90, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
Case 3:
*Dec 13 12:07:18.086: EIGRP: Sending HELLO on Et0/2 - paklen 60
*Dec 13 12:07:18.086: AS 90, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Dec 13 12:07:18.953: EIGRP: pkt key id = 1, authentication mismatch
*Dec 13 12:07:18.953: EIGRP: Et0/2: ignored packet from 15.1.1.1, opcode = 5 (invalid authentication) //the peer has authentication enabled, but the authentication is invalid; the passwords probably do not match
Case 4:
*Dec 13 12:23:50.674: AS 90, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Dec 13 12:23:51.582: EIGRP: pkt authentication key id = 2, key not defined
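*Dec 13 12:23:51.582: EIGRP: Et0/2: ignored packet from 15.1.1.1, opcode = 5 (invalid authentication) //the peer sent the password for key id 2, which is not defined on the local end
5. Passive interface: neither receives nor sends hello packets
Usually configured on interfaces that connect to end devices; it does not affect the advertisement of routing information
Note: never configure it on an interface that connects to another router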
router eigrp 90
network 11.1.1.0 0.0.0.255
network 12.1.1.0 0.0.0.255
network 13.1.1.1 0.0.0.0
network 15.1.1.0 0.0.0.255
passive-interface default //make every EIGRP-enabled interface passive
no passive-interface Ethernet0/2 //turn passive off on this interface
no passive-interface Serial1/0
no passive-interface Serial1/1
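6. A neighbor relationship cannot form when one side uses unicast and the other uses multicast
Both sides must use multicast, or both must use unicast, for the neighbor relationship to form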
R1(config)#router eigrp 90
R1(config-router)#neighbor 15.1.1.5 e0/2 //unicast: specify the peer's directly connected interface IP address, plus the outgoing interface
*Apr 10 13:36:37.572: %DUAL-5-NBRCHANGE: EIGRP-IPv4 90: Neighbor 15.1.1.1 (Ethernet0/2) is down: Static peer replaces multicast
7. Filtering EIGRP packets
ip access-list extended EIGRP
deny eigrp any any
interface Ethernet0/2
ip address 15.1.1.5 255.255.255.0
ip access-group EIGRP in
R5#show ip access-lists
Extended IP access list EIGRP
5 permit ip any any (4 matches)
10 deny eigrp any any (31 matches)
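
The seven conditions above can be checked before a change is pushed to the routers. The following is an added example, not part of the original page: EigrpSide, auth_problem and blockers are hypothetical names, the model is filled in by hand rather than read from a device, and it assumes each router sends with its lowest-numbered key ID.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class EigrpSide:
    """One end of a link. Hypothetical model for illustration, not a device API."""
    asn: int
    address: str                               # primary address, e.g. "15.1.1.5/24"
    k: tuple = (1, 0, 1, 0, 0)                 # K1..K5 defaults from the page
    keys: dict = field(default_factory=dict)   # key id -> key-string; empty = no auth
    passive: bool = False
    static_peers: tuple = ()                   # addresses set with "neighbor x.x.x.x"
    acl_denies_eigrp: bool = False             # inbound ACL with "deny eigrp any any"

def auth_problem(sender, receiver):
    """Check one direction of MD5 authentication; None means no problem."""
    if not sender.keys and not receiver.keys:
        return None
    if not sender.keys or not receiver.keys:
        return "missing authentication"
    key_id = min(sender.keys)                  # assumption: lowest key id is sent
    if key_id not in receiver.keys:
        return f"key id {key_id} not defined on receiver"
    if sender.keys[key_id] != receiver.keys[key_id]:
        return f"key id {key_id} authentication mismatch"
    return None

def blockers(a, b):
    """Return every reason a and b cannot become neighbors (empty list = OK)."""
    ia, ib = ipaddress.ip_interface(a.address), ipaddress.ip_interface(b.address)
    found = []
    if a.asn != b.asn:
        found.append("AS number mismatch")
    if a.k != b.k:
        found.append("K-value mismatch")
    # Masks may differ, but each address must sit inside the other side's subnet.
    if ib.ip not in ia.network or ia.ip not in ib.network:
        found.append("not on common subnet")
    for s, r in ((a, b), (b, a)):
        problem = auth_problem(s, r)
        if problem and problem not in found:
            found.append(problem)
    if a.passive or b.passive:
        found.append("passive interface")
    if (str(ib.ip) in a.static_peers) != (str(ia.ip) in b.static_peers):
        found.append("unicast on one side, multicast on the other")
    if a.acl_denies_eigrp or b.acl_denies_eigrp:
        found.append("EIGRP filtered by ACL")
    return found
```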