EIGRP (NBMA): Summarization, bandwidth utilization and authentication Part 3

EIGRP, Route, Security 3 Minutes

Additional objective has been added last minute. For security your boss requires you to enable authentication among EIGRP routers, the keys should be changed at these timing and date:

1. first key phrase: cisco123

Accept from 16 September 2010 10pm to 17 September 2010 12MN.

Sent from 16 September 2010 10pm to 12MN

2. second key phrase: 123cisco

Accept from 17 September 2010 12MN to 17 September 2010 7am.

Sent from 16 September 2010 11.45pm to 12.15MN.

For EIGRP authentication to work, a time source is needed. A leased line is subscribed to provide connection from HQ to MTA corporation’s data center. You are required to sync the time of your routers with an external time source located in the data center.

Get connected to your leased line.

HQ(config-if)#ip address dhcp client-id fa0/0

HQ(config)#ip ddns update method myddns
HQ(DDNS-update-method)#ddns both
HQ(DDNS-update-method)#end

Change the configuration for the spoke routers:

West(config)#int se0/0.1 point-to-point

West(config-subif)#ip address 172.30.10.3 255.255.255.248
West(config-subif)#no shut

West(config-subif)#frame-relay interface-dlci 301 ietf

West(config-fr-dlci)#
*Mar  1 14:08:00.110: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 172.30.10.1 (Serial0/0.1) is up: new adjacency
West(config-fr-dlci)#exit

East(config)#int se0/0.1 point-to-point
East(config-subif)#ip address 172.30.10.2 255.255.255.248
East(config-subif)#frame-relay interface-dlci 201 ietf

East(config-subif)#end

*Mar  1 00:59:23.622: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 172.30.10.1 (Serial0/0.1) is up: new adjacency

3. Each router should summarize its routing table to minimize the processor load of the router.

West#sh ip route connected
172.30.0.0/29 is subnetted, 1 subnets
C       172.30.10.0 is directly connected, Serial0/0.1
10.0.0.0/24 is subnetted, 12 subnets
C       10.3.1.0 is directly connected, Loopback1
C       10.3.3.0 is directly connected, Loopback3
C       10.3.2.0 is directly connected, Loopback2
C       10.3.4.0 is directly connected, Loopback4

Summarized 10.3.0.0 route.

West(config-subif)#ip summary-address eigrp 100 10.3.0.0 255.255.252.0

West#sh ip route

172.30.0.0/29 is subnetted, 1 subnets
C       172.30.10.0 is directly connected, Serial0/0.1
10.0.0.0/8 is variably subnetted, 13 subnets, 2 masks
C       10.3.1.0/24 is directly connected, Loopback1
D       10.1.3.0/24 [90/2297856] via 172.30.10.1, 00:10:36, Serial0/0.1
D       10.3.0.0/22 is a summary, 00:01:19, Null0
D       10.2.1.0/24 [90/2809856] via 172.30.10.1, 00:05:54, Serial0/0.1
D       10.1.2.0/24 [90/2297856] via 172.30.10.1, 00:10:36, Serial0/0.1
C       10.3.3.0/24 is directly connected, Loopback3
D       10.2.2.0/24 [90/2809856] via 172.30.10.1, 00:05:55, Serial0/0.1
D       10.1.1.0/24 [90/2297856] via 172.30.10.1, 00:10:37, Serial0/0.1
C       10.3.2.0/24 is directly connected, Loopback2
D       10.2.3.0/24 [90/2809856] via 172.30.10.1, 00:05:55, Serial0/0.1
D       10.2.4.0/24 [90/2809856] via 172.30.10.1, 00:05:57, Serial0/0.1
C       10.3.4.0/24 is directly connected, Loopback4
D       10.2.5.0/24 [90/2809856] via 172.30.10.1, 00:05:57, Serial0/0.1

East#sh ip route connected
172.30.0.0/29 is subnetted, 1 subnets
C       172.30.10.0 is directly connected, Serial0/0.1
10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
C       10.2.1.0/24 is directly connected, Loopback1
C       10.2.2.0/24 is directly connected, Loopback2
C       10.2.3.0/24 is directly connected, Loopback3
C       10.2.4.0/24 is directly connected, Loopback4
C       10.2.5.0/24 is directly connected, Loopback5
C       10.2.6.0/24 is directly connected, Loopback6
C       10.2.7.0/24 is directly connected, Loopback7

Summarize 10.2.0.0 route.

East(config-subif)#ip summary-address eigrp 100 10.2.0.0 255.255.248.0

East#sh ip route
172.30.0.0/29 is subnetted, 1 subnets
C       172.30.10.0 is directly connected, Serial0/0.1
10.0.0.0/8 is variably subnetted, 11 subnets, 3 masks
D       10.2.0.0/21 is a summary, 00:00:19, Null0
D       10.3.0.0/22 [90/2809856] via 172.30.10.1, 00:14:53, Serial0/0.1
C       10.2.1.0/24 is directly connected, Loopback1
C       10.2.2.0/24 is directly connected, Loopback2
C       10.2.3.0/24 is directly connected, Loopback3
D       10.1.0.0/22 [90/2297856] via 172.30.10.1, 00:05:03, Serial0/0.1
C       10.2.4.0/24 is directly connected, Loopback4
D       10.3.4.0/24 [90/2809856] via 172.30.10.1, 00:19:29, Serial0/0.1
C       10.2.5.0/24 is directly connected, Loopback5
C       10.2.6.0/24 is directly connected, Loopback6
C       10.2.7.0/24 is directly connected, Loopback7

HQ#sh ip route connected
172.30.0.0/29 is subnetted, 1 subnets
C       172.30.10.0 is directly connected, Serial0/0.1
10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
C       10.1.3.0/24 is directly connected, Loopback3
C       10.1.2.0/24 is directly connected, Loopback2
C       10.1.1.0/24 is directly connected, Loopback1
C    192.168.1.0/24 is directly connected, FastEthernet0/0

summarize 10.1.0.0 route

HQ(config-subif)#ip summary-address eigrp 100 10.1.0.0 255.255.252.0

4. Make HQ router to utilize 20% more bandwidth on its serial interface than the default EIGRP bandwidth utilization.

Subscribed bandwidth has not been adjusted. EIGRP will assume the serial link to be a T1 if no specific adjustment has been done. EIGRP depends on K values to do its calculation hence K1 must be accurate. K1 and K3 are default K values to be calculated. Which K values to be used can be adjusted. If only K1 is set to 1 and the rest to 0 then only bandwidth is used to calculate the metric, for HQ’s case the metric will be 1mbps multiply by 256 = 256000000, this is only if one K value (example K1 bandwdith) is being used.

East: 512kbps

West: 512kbps

HQ: 1mbps

Change all these bandwidth values according to subscribed bandwidth.

HQ(config-subif)#bandwidth 1000000

West(config-subif)#bandwidth 512000

East(config-subif)#bandwidth 512000

Increase the bandwidth utilization of HQ link by 20%. By default EIGRP is using 50% of the link bandwidth, so 20% + 50% = 70%

HQ(config-subif)#ip bandwidth-percent eigrp 100 70

5. Synchronize the time with external time source.

HQ(config)#clock timezone SIN 8

HQ(config)#ntp server ntp.your.org source fa0/0 prefer

HQ(config)#do sh clock
21:35:03.682 SIN Thu Sep 16 2010

West(config)#ntp peer 172.30.10.1 source se0/0.1 prefer
West(config)#clock timezone SIN 8

West(config)#do sh clock
21:36:29.820 SIN Thu Sep 16 2010

East(config)#ntp peer 172.30.10.1 source se0/0.1 prefer
East(config)#clock timezone SIN 8

East(config)#do sh clock
21:37:24.412 SIN Thu Sep 16 2010

HQ(config)#key chain hq-keys

HQ(config-keychain)#key 1

HQ(config-keychain-key)#key-string cisco123

HQ(config-keychain-key)#accept-lifetime 22:00:00 16 sep 2010 00:00:00 17 sep 2010

HQ(config-keychain-key)#send-lifetime 22:00:00 16 sep 2010  00:00:00 17 sep 2010

HQ(config-keychain-key)#key 2

HQ(config-keychain-key)#key-string 123cisco

HQ(config-keychain-key)#accept-lifetime 00:00:00 17 sep 2010 07:00:00 17 sep 2010

HQ(config-keychain-key)#send-lifetime 23:45:00 16 sep 2010 00:15:00 17 sep 2010

Do the same for West and East

East(config)#int se0/0.1

East(config-subif)#ip authentication mode eigrp 100 md5

East(config-subif)#ip authentication key-chain eigrp 100 east-key

West(config)#int se0/0.1

West(config-subif)#ip authentication mode eigrp 100 md5

West(config-subif)#ip authentication key-chain eigrp 100 west-key

HQ(config)#int se0/0.1
HQ(config-subif)#ip authentication mode eigrp 100 md5

HQ(config-subif)#ip authentication key-chain eigrp 100 hq-keys

Advertisement

Published by cyruslab

Published

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s