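Lab 22: EIGRP Authentication
1. Lab objective
This lab covers configuring and debugging authentication for the EIGRP routing protocol.
2. Lab topology
The topology of this lab is as shown.
3. Lab steps
The configurations of r0, r1 and r2 are as follows: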
r0(config)#no ip do loo
r0(config)#lin  c 0
r0(config-line)#logg s
r0(config-line)#exec-t 00
r0(config-line)#exit
r0(config)#int s0/0
r0(config-if)#ip add 172.16.1.1 255.255.255.0
r0(config-if)#no sh
r0(config-if)#exit
r0(config)#router
*Mar  1 00:03:15.823: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
*Mar  1 00:03:16.823: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
r0(config)#router eigrp 1
r0(config-router)#no au
r0(config-router)#net 172.16.1.0 255.255.255.0
r0(config-router)#  
*Mar  1 00:03:42.699: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
r0(config-router)#
*Mar  1 00:04:12.683: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
r0(config-router)#
*Mar  1 00:04:30.795: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.1.2 (Serial0/0) is up: new adjacency
r0(config-router)#do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
 
Gateway of last resort is not set
 
     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.1.0 is directly connected, Serial0/0
D       172.16.2.0 [90/2681856] via 172.16.1.2, 00:00:18, Serial0/0
r0(config-router)#exit
r0(config)#key chain haojian
r0(config-keychain)#key 1
r0(config-keychain-key)#key-string cisco
r0(config-keychain-key)#exit
r0(config-keychain)#exit
r0(config)#int s0/0
r0(config-if)#ip auth
r0(config-if)#ip authentication ?
  key-chain  key-chain
  mode       mode
 
r0(config-if)#ip authentication  mode ?
  eigrp  Enhanced Interior Gateway Routing Protocol (EIGRP)
 
r0(config-if)#ip authentication  mode eigrp 1 ?   
  md5  Keyed message digest
 
r0(config-if)#ip authentication  mode eigrp 1 md5
r0(config-if)#ip a
*Mar  1 00:06:57.467: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.1.2 (Serial0/0) is down: authentication mode changed
r0(config-if)#ip authentication key-chain?
key-chain 
 
r0(config-if)#ip authentication key-chain cisco
                                          ^
% Invalid input detected at '^' marker.
 
r0(config-if)#ip authentication key-chain cisco?
% Unrecognized command
r0(config-if)#ip authentication key-chain eigrp 1 cisco
r0(config-if)#do sh ip pro
Routing Protocol is "eigrp 1"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Default networks flagged in outgoing updates
  Default networks accepted from incoming updates
  EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  EIGRP maximum hopcount 100
  EIGRP maximum metric variance 1
  Redistributing: eigrp 1
  EIGRP NSF-aware route hold timer is 240s
  Automatic network summarization is not in effect
  Maximum path: 4
  Routing for Networks:
    172.16.1.0/24
  Routing Information Sources:
    Gateway         Distance      Last Update
    172.16.1.2            90      00:06:48
  Distance: internal 90 external 170
 
r0(config-if)#do ping 172.16.2.2
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r0(config-if)#do sh ip eigrp int detail
IP-EIGRP interfaces for process 1
 
                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Se0/0              0        0/0         0       0/15         215           0
  Hello interval is 5 sec
  Next xmit serial <none>
  Un/reliable mcasts: 0/0  Un/reliable ucasts: 2/3
  Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 2
  Retransmissions sent: 0  Out-of-sequence rcvd: 0
  Authentication mode is md5,  key-chain is "cisco"
  Use unicast
This shows that authentication is configured.
r0(config-if)#do wr
Building configuration...
[OK]
r0(config-if)#do sh ip eigrp nei
IP-EIGRP neighbors for process 1
r0(config-if)#
r0(config-if)#do debug eigrp packets // lab debugging
EIGRP Packets debugging is on
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
r0(config-if)#
*Mar  1 00:29:51.651: EIGRP: Serial0/0: ignored packet from 172.16.1.2, opcode = 5 (missing authentication)
r0(config-if)#
*Mar  1 00:29:53.619: EIGRP: interface Serial0/0, No live authentication keys
*Mar  1 00:29:53.619: EIGRP: Sending HELLO on Serial0/0
*Mar  1 00:29:53.619:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
r0(config-if)#
*Mar  1 00:29:56.191: EIGRP: Serial0/0: ignored packet from 172.16.1.2, opcode = 5 (missing authentication)
r0(config-if)#
*Mar  1 00:29:58.147: EIGRP: interface Serial0/0, No live authentication keys
*Mar  1 00:29:58.147: EIGRP: Sending HELLO on Serial0/0
*Mar  1 00:29:58.147:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
r0(config-if)#
*Mar  1 00:30:01.179: EIGRP: Serial0/0: ignored packet from 172.16.1.2, opcode = 5 (missing authentication)
r0(config-if)#
*Mar  1 00:30:02.807: EIGRP: interface Serial0/0, No live authentication keys
*Mar  1 00:30:02.807: EIGRP: Sending HELLO on Serial0/0
*Mar  1 00:30:02.807:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
r0(config-if)#
*Mar  1 00:30:05.935: EIGRP: Serial0/0: ignored packet from 172.16.1.2, opcode = 5 (missing authentication)
r0(config-if)#do 
*Mar  1 00:30:07.291: EIGRP: interface Serial0/0, No live authentication keys
*Mar  1 00:30:07.291: EIGRP: Sending HELLO on Serial0/0
*Mar  1 00:30:07.291:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
r0(config-if)#do un all
All possible debugging has been turned off
r0(config-if)#
*Mar  1 00:30:10.275: EIGRP: Serial0/0: ignored packet from 172.16.1.2, opcode = 5 (missing authentication)
r0(config-if)#
 
 
 
 
 
 
r1(config)#no ip do loo
r1(config)#lin c 0
r1(config-line)#logg s
r1(config-line)#exec-t 00
r1(config-line)#exit
r1(config)#int s0/0
r1(config-if)#ip add 172.16.1.2 255.255.255.0
r1(config-if)#no sh
r1(config-if)#exit
r1(config)#itn 
*Mar  1 00:03:58.723: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
*Mar  1 00:03:59.723: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to u
r1(config)#int s0/1
r1(config-if)#ip add 172.16.2.1 255.255.255.0
r1(config-if)#no sh
r1(config-if)#exit
r1(config)#router e
*Mar  1 00:04:15.195: %LINK-3-UPDOWN: Interface Serial0/1, changed state to up
*Mar  1 00:04:16.195: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1, changed state to up
r1(config)#router eigrp 1
r1(config-router)#no au
r1(config-router)#net 172.16.1.0 255.255.255.0
r1(config-router)#net
*Mar  1 00:04:30.499: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.1.1 (Serial0/0) is up: new adjacency
r1(config-router)#net 172.16.2.0 255.255.255.0
r1(config-router)#no sh
                     ^
% Invalid input detected at '^' marker.
 
r1(config-router)#
*Mar  1 00:04:38.963: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.2.2 (Serial0/1) is up: new adjacency
r1(config-router)#do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
 
Gateway of last resort is not set
 
     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.1.0 is directly connected, Serial0/0
C       172.16.2.0 is directly connected, Serial0/1
r1(config-router)#
*Mar  1 00:06:57.119: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.1.1 (Serial0/0) is down: Interface Goodbye received
r1(config-router)#
*Mar  1 00:07:01.607: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.1.1 (Serial0/0) is up: new adjacency
r1(config-router)#exit
r1(config)#key-chain haojian
              ^
% Invalid input detected at '^' marker.
 
r1(config)#key chain ha
*Mar  1 00:08:21.119: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.1.1 (Serial0/0) is down: retry limit exceeded
r1(config)#key chain haojian
r1(config-keychain)#
*Mar  1 00:08:24.607: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.1.1 (Serial0/0) is up: new adjacency
r1(config-keychain)#key 1
r1(config-keychain-key)#key-string cisco
r1(config-keychain-key)#exit
r1(config-keychain)#exit
r1(config)#int s0/0
r1(config-if)#ip authencation mode eigrp 1 md5
                       ^
% Invalid input detected at '^' marker.
 
r1(config-if)#ip authentication mode eigrp 1 md5
r1(config-if)#
*Mar  1 00:09:26.683: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.1.1 (Serial0/0) is down: authentication mode changed
r1(config-if)#ip au
r1(config-if)#ip authentication key-chain eigrp 1 cisco
r1(config-if)#do ping 172.16.1.1
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/24/48 ms
r1(config-if)#do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
 
Gateway of last resort is not set
 
     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.1.0 is directly connected, Serial0/0
C       172.16.2.0 is directly connected, Serial0/1
r1(config-if)#do sh ip pro
Routing Protocol is "eigrp 1"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Default networks flagged in outgoing updates
  Default networks accepted from incoming updates
  EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  EIGRP maximum hopcount 100
  EIGRP maximum metric variance 1
  Redistributing: eigrp 1
  EIGRP NSF-aware route hold timer is 240s
  Automatic network summarization is not in effect
  Maximum path: 4
  Routing for Networks:
    172.16.1.0/24
    172.16.2.0/24
  Routing Information Sources:
    Gateway         Distance      Last Update
  Distance: internal 90 external 170
 
r1(config-if)#exit
r1(config)#int s0/1
r1(config-if)#ip auth     
r1(config-if)#ip authentication mode eigrp 1 md5
r1(config-if)#ip au
*Mar  1 00:13:21.979: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.2.2 (Serial0/1) is down: authentication mode changed
r1(config-if)#ip au
r1(config-if)#ip authentication key-chain eigrp 1 cisco
r1(config-if)#do sh ip itn b
sh ip itn b
       ^
% Invalid input detected at '^' marker.
 
r1(config-if)#do sh ip int b
Interface                  IP-Address      OK? Method Status                Protocol
Serial0/0                  172.16.1.2      YES manual up                    up     
Serial0/1                  172.16.2.1      YES manual up                    up     
Serial0/2                  unassigned      YES unset  administratively down down   
Serial0/3                  unassigned      YES unset  administratively down down   
r1(config-if)#do ping 172.16.2.2
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/24/44 ms
r1(config-if)#do sh ip eigrp int detail
IP-EIGRP interfaces for process 1
 
                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Se0/0              0        0/0         0       0/15          50           0
  Hello interval is 5 sec
  Next xmit serial <none>
  Un/reliable mcasts: 0/0  Un/reliable ucasts: 0/35
  Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 2
  Retransmissions sent: 29  Out-of-sequence rcvd: 0
  Authentication mode is md5,  key-chain is "cisco"
  Use unicast
Se0/1              0        0/0         0       0/15         383           0
  Hello interval is 5 sec
  Next xmit serial <none>
  Un/reliable mcasts: 0/0  Un/reliable ucasts: 0/4
  Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 2
  Retransmissions sent: 1  Out-of-sequence rcvd: 0
  Authentication mode is md5,  key-chain is "cisco"
  Use unicast
r1(config-if)#do wr
Building configuration...
[OK]
r1(config-if)#do sh ip eigrp neig 
IP-EIGRP neighbors for process 1
r1(config-if)#do sh key chain
Key-chain haojian:
    key 1 -- text "cisco"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
r1(config-if)#
 
 
 
 
 
 
 
 
r2(config)#no ip do loo
r2(config)#lin c 0
r2(config-line)#logg s
r2(config-line)#exec-t 00
r2(config-line)#exit
r2(config)#exit
r2#
*Mar  1 00:02:10.995: %SYS-5-CONFIG_I: Configured from console by console
r2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
r2(config)#int s0/0
r2(config-if)#ip add 172.16.2.2 255.255.255.0
r2(config-if)#no sh
r2(config-if)#
*Mar  1 00:02:32.635: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
*Mar  1 00:02:33.635: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
r2(config-if)#exit
r2(config)#router eigrp 1
r2(config-router)#net 172.16.2.0 255.255.255.0
r2(config-router)#no au
r2(config-router)#
*Mar  1 00:03:02.615: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
r2(config-router)#
*Mar  1 00:04:22.607: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
r2(config-router)#
*Mar  1 00:04:38.583: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.2.1 (Serial0/0) is up: new adjacency
r2(config-router)#do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
 
Gateway of last resort is not set
 
     172.16.0.0/24 is subnetted, 2 subnets
D       172.16.1.0 [90/2681856] via 172.16.2.1, 00:00:34, Serial0/0
C       172.16.2.0 is directly connected, Serial0/0
r2(config-router)#
*Mar  1 00:13:21.655: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.2.1 (Serial0/0) is down: Interface Goodbye received
r2(config-router)#
*Mar  1 00:13:26.551: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.2.1 (Serial0/0) is up: new adjacency
r2(config-router)#exit
r2(config)#key chain haojian
r2(config-keychain)#key 1
r2(config-keychain-key)#key-string cisco
r2(config-keychain-key)#exit
r2(config-keychain)#exit
r2(config)#int s0/0
r2(config-if)#ip au
r2(config-if)#ip authentication mode eigrp 1 md5
r2(config-if)#ip au
*Mar  1 00:14:36.863: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.2.1 (Serial0/0) is down: authentication mode changed
r2(config-if)#ip au
r2(config-if)#ip authentication key-chain eigrp 1 cisco
r2(config-if)#do ping 172.16.1.1
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r2(config-if)#do sh ip int b
Interface                  IP-Address      OK? Method Status                Protocol
Serial0/0                  172.16.2.2      YES manual up                    up     
Serial0/1                  unassigned      YES unset  administratively down down   
Serial0/2                  unassigned      YES unset  administratively down down   
Serial0/3                  unassigned      YES unset  administratively down down   
r2(config-if)#do ping 172.16.1.2
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r2(config-if)#do sh ip eigrp int detail
IP-EIGRP interfaces for process 1
 
                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Se0/0              0        0/0         0       0/15          50           0
  Hello interval is 5 sec
  Next xmit serial <none>
  Un/reliable mcasts: 0/0  Un/reliable ucasts: 1/19
  Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 3
  Retransmissions sent: 15  Out-of-sequence rcvd: 1
  Authentication mode is md5,  key-chain is "cisco"
  Use unicast
r2(config-if)#do wr
Building configuration...
[OK]
r2(config-if)#
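Note: What happens when one end of the link has authentication enabled but the other end does not, and when the key in the key chain is incorrect? Readers can try this for themselves.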
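In the sessions above the key chain is created as haojian with key-string cisco, while the interfaces apply `ip authentication key-chain eigrp 1 cisco`; the debug line "No live authentication keys" and the empty neighbor tables are consistent with that mismatch. The following check is an added example, not part of the original lab: it audits configuration text for EIGRP MD5 settings that reference a key chain with no keys. The names `audit_eigrp_auth` and `SAMPLE_CONFIG` are hypothetical, the input is assumed to be indented like a running configuration, and key lifetimes are not evaluated.

```python
import re

# Constructed sample: the authentication-related lines r0 ends up with in this lab.
SAMPLE_CONFIG = """\
key chain haojian
 key 1
  key-string cisco
!
interface Serial0/0
 ip address 172.16.1.1 255.255.255.0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 cisco
"""

def audit_eigrp_auth(config):
    """Return findings for EIGRP MD5 settings that cannot yield a usable key."""
    chains = {}      # key chain name -> key-strings defined under it
    modes = set()    # (interface, AS) pairs with md5 mode enabled
    refs = {}        # (interface, AS) -> key chain name applied there
    chain = iface = None
    for line in config.splitlines():
        if line and not line.startswith(" "):   # top-level line starts a new context
            chain = iface = None
            if m := re.fullmatch(r"key chain (\S+)", line.strip()):
                chain = m.group(1)
                chains.setdefault(chain, [])
            elif m := re.fullmatch(r"interface (\S+)", line.strip()):
                iface = m.group(1)
            continue
        text = line.strip()
        if chain and (m := re.fullmatch(r"key-string (.+)", text)):
            chains[chain].append(m.group(1))
        elif iface and (m := re.fullmatch(r"ip authentication mode eigrp (\d+) md5", text)):
            modes.add((iface, m.group(1)))
        elif iface and (m := re.fullmatch(r"ip authentication key-chain eigrp (\d+) (\S+)", text)):
            refs[(iface, m.group(1))] = m.group(2)
    findings = []
    for iface, asn in sorted(modes | set(refs)):
        name = refs.get((iface, asn))
        if name is None:
            findings.append(f"{iface} AS {asn}: md5 mode set but no key-chain applied")
        elif (iface, asn) not in modes:
            findings.append(f"{iface} AS {asn}: key-chain '{name}' applied but md5 mode not set")
        elif not chains.get(name):
            hint = [c for c, keys in chains.items() if name in keys]
            why = f"; '{name}' is a key-string of key chain '{hint[0]}'" if hint else ""
            findings.append(f"{iface} AS {asn}: key-chain '{name}' has no keys defined{why}")
    return findings
```

Running it on the sample reports the Serial0/0 reference to key chain 'cisco'; changing the interface line to reference haojian clears the finding.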