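EIGRP Neighbor Establishment Conditions

Conditions for establishing an EIGRP neighbor relationship:

1. Adjacent devices must have the same AS number.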

 

2. All devices within the AS must use the same K values. The defaults are K1=1, K2=0, K3=1, K4=0, K5=0.

K1=bandwidth, K2=load, K3=delay, K4=reliability, K5=MTU

Configuration:

router eigrp 90

 metric weights 0 1 1 1 1 1  //change the K values to K1=1, K2=1, K3=1, K4=1, K5=1


R1#show eigrp protocols

EIGRP-IPv4 Protocol for AS(90)

  Metric weight K1=1, K2=1, K3=1, K4=1, K5=1

 

*Apr 10 13:14:33.507: %DUAL-5-NBRCHANGE: EIGRP-IPv4 90: Neighbor 15.1.1.1 (Ethernet0/2) is down: K-value mismatch

 

 

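3. The primary addresses on the main interfaces must be able to ping each other within the smallest subnet range; the mask lengths may differ.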

 

*Apr 10 13:21:38.656: %DUAL-6-NBRINFO: EIGRP-IPv4 90: Neighbor 150.1.1.5 (Ethernet0/2) is blocked: not on common subnet (15.1.1.1/24)

 

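4. Authentication: EIGRP supports ciphertext authentication, and named-mode EIGRP also supports HMAC authentication.

Configuration:

Step 1: configure the key chain and the key

key chain QYT   //names the key chain; the name is locally significant, but using the same name on both ends is recommended

 key 1   //the key ID

  key-string cisco   //the password for this key

Step 2: enable authentication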

interface Ethernet0/2

 ip address 15.1.1.5 255.255.255.0

 ip authentication mode eigrp 90 md5   //first enable MD5 authentication

 ip authentication key-chain eigrp 90 QYT  //reference the key chain

 

R5#show ip eigrp interfaces detail e0/2

EIGRP-IPv4 Interfaces for AS(90)

                              Xmit Queue   PeerQ        Mean   Pacing Time   Multicast    Pending

Interface              Peers  Un/Reliable  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes

Et0/2                    0        0/0       0/0           0       0/2           50           0

  Hello-interval is 5, Hold-time is 15

  Split-horizon is enabled

  Next xmit serial <none>

  Packetized sent/expedited: 31/4

  Hello's sent/expedited: 518/2

  Un/reliable mcasts: 0/21  Un/reliable ucasts: 36/18

  Mcast exceptions: 1  CR packets: 1  ACKs suppressed: 4

  Retransmissions sent: 1  Out-of-sequence rcvd: 2

  Topology-ids on interface - 0

  Authentication mode is md5,  key-chain is "QYT"  //MD5 authentication is enabled on the interface and references key chain "QYT"

 

R5#debug eigrp packet //use the debug command to analyze authentication

Case 1:

*Dec 13 12:01:47.374: EIGRP: Et0/2: ignored packet from 15.1.1.1, opcode = 1 (missing authentication or key-chain missing)  //MD5 authentication is enabled on the interface, but no key chain is referenced

R5#

*Dec 13 12:01:49.227: EIGRP: Et0/2: ignored packet from 15.1.1.1, opcode = 5 (missing authentication or key-chain missing)

 

Case 2:

*Dec 13 12:04:59.751: EIGRP: Et0/2: ignored packet from 15.1.1.1, opcode = 5 (missing authentication)    //the local end has MD5 enabled and a key chain referenced

*Dec 13 12:05:00.602: EIGRP: Sending HELLO on Et0/2 - paklen 60

*Dec 13 12:05:00.602:   AS 90, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0

 

Case 3:

*Dec 13 12:07:18.086: EIGRP: Sending HELLO on Et0/2 - paklen 60

*Dec 13 12:07:18.086:   AS 90, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0

*Dec 13 12:07:18.953: EIGRP: pkt key id = 1, authentication mismatch

*Dec 13 12:07:18.953: EIGRP: Et0/2: ignored packet from 15.1.1.1, opcode = 5 (invalid authentication) //the peer has authentication enabled, but it is invalid; the authentication passwords probably do not match

 

Case 4:

*Dec 13 12:23:50.674:   AS 90, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0

*Dec 13 12:23:51.582: EIGRP: pkt authentication key id = 2, key not defined  

*Dec 13 12:23:51.582: EIGRP: Et0/2: ignored packet from 15.1.1.1, opcode = 5 (invalid authentication) //the peer is sending the password for key ID 2, which is not defined on the local end


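5. Passive interface: a passive interface neither receives nor sends hello packets.

It is normally configured on interfaces that connect to end devices, and it does not affect the sending of routing information.

Note: never configure it on an interface that connects to another router.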

router eigrp 90

 network 11.1.1.0 0.0.0.255

 network 12.1.1.0 0.0.0.255

 network 13.1.1.1 0.0.0.0

 network 15.1.1.0 0.0.0.255

 passive-interface default   //make every EIGRP-enabled interface passive

 no passive-interface Ethernet0/2   //turn passive mode off on this interface

 no passive-interface Serial1/0

 no passive-interface Serial1/1

 

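6. A neighbor relationship cannot form when one side uses unicast and the other uses multicast.

Both sides must use multicast, or both must use unicast, for the neighbor relationship to form.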

 

R1(config)#router eigrp 90

R1(config-router)#neighbor 15.1.1.5 e0/2   //unicast: specify the IP address of the peer's directly connected interface, plus the outgoing interface

 

*Apr 10 13:36:37.572: %DUAL-5-NBRCHANGE: EIGRP-IPv4 90: Neighbor 15.1.1.1 (Ethernet0/2) is down: Static peer replaces multicast

 

7. Filtering of EIGRP packets

 

ip access-list extended EIGRP

 deny   eigrp any any

 

interface Ethernet0/2

 ip address 15.1.1.5 255.255.255.0

 ip access-group EIGRP in

 

R5#show ip access-lists

Extended IP access list EIGRP

    5 permit ip any any (4 matches)

    10 deny eigrp any any (31 matches)
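
Added example (not part of the original notes): a Python triage helper that maps the IOS messages quoted under conditions 2, 3, 4 and 6 back to the condition that failed, pairing each "invalid authentication" drop with the key-ID line logged just before it. The function name and the cause labels are this example's own.

```python
import re

# IOS message shapes quoted on this page; the cause labels below are this example's own.
NBR = re.compile(r"Neighbor (\S+) \((\S+)\) is (?:down|blocked): (.+)")
IGN = re.compile(r"EIGRP: (\S+): ignored packet from (\S+), opcode = \d+ \(([^)]*)\)")
KEY = re.compile(r"EIGRP: pkt (?:authentication )?key id = (\d+), ([a-z ]+)")
CAUSES = {
    "K-value mismatch": "condition 2: K values differ",
    "not on common subnet": "condition 3: no common subnet",
    "Static peer replaces multicast": "condition 6: static unicast peer configured",
    "missing authentication or key-chain missing": "condition 4 case 1: no key chain referenced",
    "missing authentication": "condition 4 case 2: packet without authentication",
    "authentication mismatch": "condition 4 case 3: key string mismatch",
    "key not defined": "condition 4 case 4: key ID not defined locally",
}

def classify(lines):
    """Return (neighbor, interface, cause) for every adjacency failure in the log."""
    findings, pending_key = [], None
    for line in lines:
        if m := KEY.search(line):
            # The key detail is logged one line before "invalid authentication".
            pending_key = (m.group(1), m.group(2).strip())
        elif m := IGN.search(line):
            intf, nbr, reason = m.groups()
            if reason == "invalid authentication" and pending_key:
                key_id, detail = pending_key
                reason = f"{CAUSES.get(detail, detail)} (key id {key_id})"
            findings.append((nbr, intf, CAUSES.get(reason, reason)))
            pending_key = None
        elif m := NBR.search(line):
            nbr, intf, reason = m.groups()
            reason = re.sub(r"\s*\(.*\)$", "", reason.strip())  # drop "(15.1.1.1/24)"
            findings.append((nbr, intf, CAUSES.get(reason, reason)))
    return findings

# Log lines copied from this page, without the // annotations.
SAMPLE = """\
*Apr 10 13:14:33.507: %DUAL-5-NBRCHANGE: EIGRP-IPv4 90: Neighbor 15.1.1.1 (Ethernet0/2) is down: K-value mismatch
*Apr 10 13:21:38.656: %DUAL-6-NBRINFO: EIGRP-IPv4 90: Neighbor 150.1.1.5 (Ethernet0/2) is blocked: not on common subnet (15.1.1.1/24)
*Dec 13 12:01:47.374: EIGRP: Et0/2: ignored packet from 15.1.1.1, opcode = 1 (missing authentication or key-chain missing)
*Dec 13 12:04:59.751: EIGRP: Et0/2: ignored packet from 15.1.1.1, opcode = 5 (missing authentication)
*Dec 13 12:07:18.953: EIGRP: pkt key id = 1, authentication mismatch
*Dec 13 12:07:18.953: EIGRP: Et0/2: ignored packet from 15.1.1.1, opcode = 5 (invalid authentication)
*Dec 13 12:23:51.582: EIGRP: pkt authentication key id = 2, key not defined
*Dec 13 12:23:51.582: EIGRP: Et0/2: ignored packet from 15.1.1.1, opcode = 5 (invalid authentication)
*Apr 10 13:36:37.572: %DUAL-5-NBRCHANGE: EIGRP-IPv4 90: Neighbor 15.1.1.1 (Ethernet0/2) is down: Static peer replaces multicast
"""
print(*classify(SAMPLE.splitlines()), sep="\n")
```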