标签:15.1 13 邻居 EIGRP key 条件 90 Dec
EIGRP 建立邻居条件
EIGRP 建立邻居的条件:
1.相邻的设备AS号要相同
2.AS内的所有设备K值要相同 默认情况下 K值 K1=1, K2=0, K3=1, K4=0, K5=0
K1=带宽 K2=负载 K3=延迟 K4=可靠性 K5=MTU
配置:
router eigrp 90
metric weights 0 1 1 1 1 1 //修改K值为 K1=1 K2=1 K3=1, K4=1, K5=1
R1#show eigrp protocols
EIGRP-IPv4 Protocol for AS(90)
Metric weight K1=1, K2=1, K3=1, K4=1, K5=1
*Apr 10 13:14:33.507: %DUAL-5-NBRCHANGE: EIGRP-IPv4 90: Neighbor 15.1.1.1 (Ethernet0/2) is down: K-value mismatch
3.主接口,主地址在最小范围内要ping通,掩码长度可以不同
*Apr 10 13:21:38.656: %DUAL-6-NBRINFO: EIGRP-IPv4 90: Neighbor 150.1.1.5 (Ethernet0/2) is blocked: not on common subnet (15.1.1.1/24)
4.认证 EIGRP支持密文认证,在命名模式的EIGRP下还支持HMAC认证
配置:
第一步:配置钥匙串及密钥
key chain QYT //指定钥匙串,本端有效,建议配置两端都一样
key 1 //指定密钥ID
key-string cisco //指定密钥的password
第二步:开启认证
interface Ethernet0/2
ip address 15.1.1.5 255.255.255.0
ip authentication mode eigrp 90 md5 //先开启MD5认证
ip authentication key-chain eigrp 90 QYT //调用key-chain
R5#show ip eigrp interfaces detail e0/2
EIGRP-IPv4 Interfaces for AS(90)
Xmit Queue PeerQ Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable Un/Reliable SRTT Un/Reliable Flow Timer Routes
Et0/2 0 0/0 0/0 0 0/2 50 0
Hello-interval is 5, Hold-time is 15
Split-horizon is enabled
Next xmit serial <none>
Packetized sent/expedited: 31/4
Hello's sent/expedited: 518/2
Un/reliable mcasts: 0/21 Un/reliable ucasts: 36/18
Mcast exceptions: 1 CR packets: 1 ACKs suppressed: 4
Retransmissions sent: 1 Out-of-sequence rcvd: 2
Topology-ids on interface - 0
Authentication mode is md5, key-chain is "QYT" //接口已经使能MD5认证,调用key-chain "QYT"
R5#debug eigrp packet //通过debug 命令来解析认证
情况一:
*Dec 13 12:01:47.374: EIGRP: Et0/2: ignored packet from 15.1.1.1, opcode = 1 (missing authentication or key-chain missing) //接口开启MD5认证,但是没有调用key-chain
R5#
*Dec 13 12:01:49.227: EIGRP: Et0/2: ignored packet from 15.1.1.1, opcode = 5 (missing authentication or key-chain missing)
情况二:
*Dec 13 12:04:59.751: EIGRP: Et0/2: ignored packet from 15.1.1.1, opcode = 5 (missing authentication) //本端开启MD5,已经调用key-chain
*Dec 13 12:05:00.602: EIGRP: Sending HELLO on Et0/2 - paklen 60
*Dec 13 12:05:00.602: AS 90, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
情况三:
*Dec 13 12:07:18.086: EIGRP: Sending HELLO on Et0/2 - paklen 60
*Dec 13 12:07:18.086: AS 90, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Dec 13 12:07:18.953: EIGRP: pkt key id = 1, authentication mismatch
*Dec 13 12:07:18.953: EIGRP: Et0/2: ignored packet from 15.1.1.1, opcode = 5 (invalid authentication) //说明对方已经开启认证,但是无效的认证,可能认证的密码不匹配
情况四:
*Dec 13 12:23:50.674: AS 90, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Dec 13 12:23:51.582: EIGRP: pkt authentication key id = 2, key not defined
*Dec 13 12:23:51.582: EIGRP: Et0/2: ignored packet from 15.1.1.1, opcode = 5 (invalid authentication)//对方发送的是key id 2对应的密码,而本端没有定义
5.passive 被动接口 不接收也不发送hello报文
一般配置在连接终端设备的接口,不会影响发送路由信息
注意:千万不要配置在路由器相连接的接口
router eigrp 90
network 11.1.1.0 0.0.0.255
network 12.1.1.0 0.0.0.255
network 13.1.1.1 0.0.0.0
network 15.1.1.0 0.0.0.255
passive-interface default //抑制所有使能EIGRP的接口
no passive-interface Ethernet0/2 //关闭抑制功能
no passive-interface Serial1/0
no passive-interface Serial1/1
6.一边单播,一边组播不可以建立邻居关系
两边要不都是组播,要不都是单播才可以建立邻居关系
R1(config)#router eigrp 90
R1(config-router)#neighbor 15.1.1.5 e0/2 //单播指定对方直连接口ip地址,加出接口
*Apr 10 13:36:37.572: %DUAL-5-NBRCHANGE: EIGRP-IPv4 90: Neighbor 15.1.1.1 (Ethernet0/2) is down: Static peer replaces multicast
7.过滤 EIGRP的报文
ip access-list extended EIGRP
deny eigrp any any
interface Ethernet0/2
ip address 15.1.1.5 255.255.255.0
ip access-group EIGRP in
R5#show ip access-lists
Extended IP access list EIGRP
5 permit ip any any (4 matches)
10 deny eigrp any any (31 matches)
标签:15.1,13,邻居,EIGRP,key,条件,90,Dec 来源: https://blog.51cto.com/3965485/2380424
本站声明: 1. iCode9 技术分享网(下文简称本站)提供的所有内容,仅供技术学习、探讨和分享; 2. 关于本站的所有留言、评论、转载及引用,纯属内容发起人的个人观点,与本站观点和立场无关; 3. 关于本站的所有言论和文字,纯属内容发起人的个人观点,与本站观点和立场无关; 4. 本站文章均是网友提供,不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属;如您发现该文章侵犯了您的权益,可联系我们第一时间进行删除; 5. 本站为非盈利性的个人网站,所有内容不会用来进行牟利,也不会利用任何形式的广告来间接获益,纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。