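Conditions for EIGRP routers to form a neighbor relationship:
1. Adjacent devices must use the same AS number
2. All devices in the AS must use the same K values. Defaults: K1=1, K2=0, K3=1, K4=0, K5=0
K1=bandwidth K2=load K3=delay K4=reliability K5=MTU
Configuration: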
router eigrp 90
metric weights 0 1 1 1 1 1 //change the K values to K1=1, K2=1, K3=1, K4=1, K5=1
R1#show eigrp protocols
EIGRP-IPv4 Protocol for AS(90)
Metric weight K1=1, K2=1, K3=1, K4=1, K5=1
*Apr 10 13:14:33.507: %DUAL-5-NBRCHANGE: EIGRP-IPv4 90: Neighbor 15.1.1.1 (Ethernet0/2) is down: K-value mismatch
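3. The primary addresses on the primary interfaces must be able to ping each other within the smaller of the two subnet ranges; the mask lengths may differ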
*Apr 10 13:21:38.656: %DUAL-6-NBRINFO: EIGRP-IPv4 90: Neighbor 150.1.1.5 (Ethernet0/2) is blocked: not on common subnet (15.1.1.1/24)
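4. Authentication: EIGRP supports ciphertext (MD5) authentication; named-mode EIGRP also supports HMAC authentication
Configuration:
Step 1: configure the key chain and the key
key chain QYT //names the key chain; locally significant, but using the same name on both ends is recommended
key 1 //key ID
key-string cisco //the password for this key
Step 2: enable authentication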
interface Ethernet0/2
ip address 15.1.1.5 255.255.255.0
ip authentication mode eigrp 90 md5 //first enable MD5 authentication
ip authentication key-chain eigrp 90 QYT //apply the key-chain
R5#show ip eigrp interfaces detail e0/2
EIGRP-IPv4 Interfaces for AS(90)
Xmit Queue PeerQ Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable Un/Reliable SRTT Un/Reliable Flow Timer Routes
Et0/2 0 0/0 0/0 0 0/2 50 0
Hello-interval is 5, Hold-time is 15
Split-horizon is enabled
Next xmit serial <none>
Packetized sent/expedited: 31/4
Hello's sent/expedited: 518/2
Un/reliable mcasts: 0/21 Un/reliable ucasts: 36/18
Mcast exceptions: 1 CR packets: 1 ACKs suppressed: 4
Retransmissions sent: 1 Out-of-sequence rcvd: 2
Topology-ids on interface - 0
Authentication mode is md5, key-chain is "QYT" //MD5 authentication is enabled on the interface and key-chain "QYT" is applied
R5#debug eigrp packet //use the debug command to analyze authentication
Case 1:
*Dec 13 12:01:47.374: EIGRP: Et0/2: ignored packet from 15.1.1.1, opcode = 1 (missing authentication or key-chain missing) //MD5 authentication is enabled on the interface, but no key-chain is applied
R5#
*Dec 13 12:01:49.227: EIGRP: Et0/2: ignored packet from 15.1.1.1, opcode = 5 (missing authentication or key-chain missing)
Case 2:
*Dec 13 12:04:59.751: EIGRP: Et0/2: ignored packet from 15.1.1.1, opcode = 5 (missing authentication) //the local end has MD5 enabled and the key-chain applied
*Dec 13 12:05:00.602: EIGRP: Sending HELLO on Et0/2 - paklen 60
*Dec 13 12:05:00.602: AS 90, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
Case 3:
*Dec 13 12:07:18.086: EIGRP: Sending HELLO on Et0/2 - paklen 60
*Dec 13 12:07:18.086: AS 90, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Dec 13 12:07:18.953: EIGRP: pkt key id = 1, authentication mismatch
*Dec 13 12:07:18.953: EIGRP: Et0/2: ignored packet from 15.1.1.1, opcode = 5 (invalid authentication) //the peer has authentication enabled, but it is invalid; the passwords probably do not match
Case 4:
*Dec 13 12:23:50.674: AS 90, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Dec 13 12:23:51.582: EIGRP: pkt authentication key id = 2, key not defined
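*Dec 13 12:23:51.582: EIGRP: Et0/2: ignored packet from 15.1.1.1, opcode = 5 (invalid authentication) //the peer sent the password for key id 2, which is not defined locally
5. passive interface: neither receives nor sends hello packets
Usually configured on interfaces that connect to end devices; it does not affect sending routing information
Note: never configure it on an interface that connects to another router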
router eigrp 90
network 11.1.1.0 0.0.0.255
network 12.1.1.0 0.0.0.255
network 13.1.1.1 0.0.0.0
network 15.1.1.0 0.0.0.255
passive-interface default //make every EIGRP-enabled interface passive
no passive-interface Ethernet0/2 //turn passive off on this interface
no passive-interface Serial1/0
no passive-interface Serial1/1
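6. A neighbor relationship cannot form when one side uses unicast and the other uses multicast
Both sides must use multicast, or both must use unicast, for the neighbor relationship to form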
R1(config)#router eigrp 90
R1(config-router)#neighbor 15.1.1.5 e0/2 //unicast: specify the peer's directly connected interface IP address plus the outgoing interface
*Apr 10 13:36:37.572: %DUAL-5-NBRCHANGE: EIGRP-IPv4 90: Neighbor 15.1.1.1 (Ethernet0/2) is down: Static peer replaces multicast
7. Filtering EIGRP packets
ip access-list extended EIGRP
deny eigrp any any
interface Ethernet0/2
ip address 15.1.1.5 255.255.255.0
ip access-group EIGRP in
R5#show ip access-lists
Extended IP access list EIGRP
5 permit ip any any (4 matches)
10 deny eigrp any any (31 matches)
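The log and debug messages quoted in items 2, 3, 4 and 6 can be triaged automatically. The following is an added example, not part of the original notes: it maps each message to a likely cause and pairs the identical "(invalid authentication)" lines of cases 3 and 4 with the key-id line that precedes them. The cause labels and the function name `classify` are assumptions chosen for this example; the sample lines are copied from the output above with the trailing comments removed.

```python
import re

# Message fragments from the IOS output quoted above -> cause label (labels are this example's own).
CAUSES = [
    (r"K-value mismatch", "k-value-mismatch"),
    (r"not on common subnet", "subnet-mismatch"),
    (r"Static peer replaces multicast", "unicast-multicast-mismatch"),
    (r"missing authentication or key-chain missing", "local-key-chain-not-applied"),
    (r"\(missing authentication\)", "peer-sends-no-authentication"),
]
# Cases 3 and 4 end in the same "(invalid authentication)" line; only the line before it differs.
HINTS = [
    (r"pkt key id = (\d+), authentication mismatch", "key-string-mismatch"),
    (r"pkt authentication key id = (\d+), key not defined", "key-id-not-defined-locally"),
]
PEER = re.compile(r"(?:Neighbor|ignored packet from) (\d+\.\d+\.\d+\.\d+)")

def classify(lines):
    """Return (peer_ip, cause, key_id) for every rejected-neighbor event in the log."""
    findings, hint = [], None
    for line in lines:
        for pattern, cause in HINTS:
            m = re.search(pattern, line)
            if m:
                hint = (cause, int(m.group(1)))  # remember until the matching reject line
        peer = PEER.search(line)
        if not peer:
            continue
        if "(invalid authentication)" in line:
            cause, key_id = hint or ("invalid-authentication", None)
            findings.append((peer.group(1), cause, key_id))
            hint = None
            continue
        for pattern, cause in CAUSES:
            if re.search(pattern, line):
                findings.append((peer.group(1), cause, None))
                break
    return findings

SAMPLE = """\
*Apr 10 13:14:33.507: %DUAL-5-NBRCHANGE: EIGRP-IPv4 90: Neighbor 15.1.1.1 (Ethernet0/2) is down: K-value mismatch
*Dec 13 12:01:47.374: EIGRP: Et0/2: ignored packet from 15.1.1.1, opcode = 1 (missing authentication or key-chain missing)
*Dec 13 12:04:59.751: EIGRP: Et0/2: ignored packet from 15.1.1.1, opcode = 5 (missing authentication)
*Dec 13 12:07:18.953: EIGRP: pkt key id = 1, authentication mismatch
*Dec 13 12:07:18.953: EIGRP: Et0/2: ignored packet from 15.1.1.1, opcode = 5 (invalid authentication)
*Dec 13 12:23:51.582: EIGRP: pkt authentication key id = 2, key not defined
*Dec 13 12:23:51.582: EIGRP: Et0/2: ignored packet from 15.1.1.1, opcode = 5 (invalid authentication)
""".splitlines()
```

Calling `classify(SAMPLE)` returns one tuple per rejected packet or neighbor-down event, in log order.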