BSCI: LAB EIGRP – Authentication and Timers
Second-to-last EIGRP lab, covering authentication and timers.
Authentication
Here is how to configure the authentication keys on each router taking part in the EIGRP routing process:
R1# conf t
R1(config)# key chain EIGRP-KEYS
R1(config-keychain)# key 1
R1(config-keychain-key)# key-string cisco

R2# conf t
R2(config)# key chain EIGRP-KEYS
R2(config-keychain)# key 1
R2(config-keychain-key)# key-string cisco
Verifying the keys
R1# show key chain
Key-chain EIGRP-KEYS:
    key 1 -- text "cisco"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
Now that the keys are configured on the router, we have to apply them to each interface on which we want authentication.
R1# conf t
R1(config)# interface serial 1/0
! syntax: ip authentication key-chain eigrp as_number key_chain_label
R1(config-if)# ip authentication key-chain eigrp 1 EIGRP-KEYS
! the following command sends an MD5 hash of the key rather than sending it in clear text, which is more secure.
R1(config-if)# ip authentication mode eigrp 1 md5

R2# conf t
R2(config)# interface serial 1/0
R2(config-if)# ip authentication key-chain eigrp 1 EIGRP-KEYS
R2(config-if)# ip authentication mode eigrp 1 md5
A quick check of the configuration:
R1#show ip eigrp interfaces detail
IP-EIGRP interfaces for process 1

                 Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface  Peers Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Se0/0/0      1       0/0         4       0/12          50           0
  Hello interval is 5 sec
  Next xmit serial
  Un/reliable mcasts: 0/0  Un/reliable ucasts: 10/28
  Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 5
  Retransmissions sent: 0  Out-of-sequence rcvd: 0
  Authentication mode is md5, key-chain is "EIGRP-KEYS"
  Use unicast
And a quick debug to watch the authenticated packets arrive on our interface:
R1#debug eigrp packets
EIGRP Packets debugging is on
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY,SIAREPLY)
*Oct 4 16:10:51.090: EIGRP: Sending HELLO on Serial0/0/1
*Oct 4 16:10:51.090:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Oct 4 16:10:51.190: EIGRP: received packet with MD5 authentication, key id =1
*Oct 4 16:10:51.190: EIGRP: Received HELLO on Serial0/0/1 nbr 172.16.13.3
*Oct 4 16:10:51.190:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
*Oct 4 16:10:51.854: EIGRP: received packet with MD5 authentication, key id =1
*Oct 4 16:10:51.854: EIGRP: Received HELLO on FastEthernet0/0 nbr 10.1.1.2
*Oct 4 16:10:51.854:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
*Oct 4 16:10:53.046: EIGRP: received packet with MD5 authentication, key id =1
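An offline check of the authentication settings configured above, as an added example that is not part of the original lab: it parses IOS-style configuration text and reports interfaces that carry only one of the two ip authentication commands or reference an undefined key chain, plus key strings found on a small deny-list. The sample configuration, the Serial1/1 interface, the MISSING-KEYS name and the deny-list are constructed assumptions; interfaces with no authentication lines at all are not reported.

```python
import re

# Constructed sample: Serial1/0 follows the lab, Serial1/1 is deliberately incomplete.
SAMPLE_CONFIG = """\
key chain EIGRP-KEYS
 key 1
  key-string cisco
!
interface Serial1/0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 EIGRP-KEYS
!
interface Serial1/1
 ip authentication key-chain eigrp 1 MISSING-KEYS
"""

WEAK_KEYS = {"cisco", "password", "eigrp"}  # assumed deny-list, extend as needed

def audit_eigrp_auth(config):
    """Return a sorted list of (location, finding) tuples for an IOS-style config."""
    chains, ifaces, section = {}, {}, None
    for line in config.splitlines():
        text = line.strip()
        if not line.startswith(" "):  # an unindented line opens a new section
            m = re.match(r"(key chain|interface) (\S+)", text)
            section = (m.group(1), m.group(2)) if m else None
            if m and m.group(1) == "key chain":
                chains[m.group(2)] = []
            elif m:
                ifaces[m.group(2)] = {"mode": set(), "chain": {}}
        elif section and section[0] == "key chain":
            if (m := re.match(r"key-string (?:\d+ )?(\S+)", text)):
                chains[section[1]].append(m.group(1))
        elif section and section[0] == "interface":
            if (m := re.match(r"ip authentication mode eigrp (\d+) md5", text)):
                ifaces[section[1]]["mode"].add(m.group(1))
            if (m := re.match(r"ip authentication key-chain eigrp (\d+) (\S+)", text)):
                ifaces[section[1]]["chain"][m.group(1)] = m.group(2)
    findings = []
    for name, keys in chains.items():
        findings += [(name, "weak key-string") for k in keys if k.lower() in WEAK_KEYS]
    for name, cfg in ifaces.items():
        for asn in cfg["mode"] - set(cfg["chain"]):
            findings.append((name, f"AS {asn}: md5 mode without key chain"))
        for asn, chain in cfg["chain"].items():
            if asn not in cfg["mode"]:
                findings.append((name, f"AS {asn}: key chain without md5 mode"))
            if chain not in chains:
                findings.append((name, f"AS {asn}: key chain {chain} not defined"))
    return sorted(findings)
```

Calling audit_eigrp_auth(SAMPLE_CONFIG) flags the lab key string on EIGRP-KEYS and both problems on Serial1/1, while Serial1/0 passes.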
EIGRP Timers
We can see the Hello timers here:
R1# show ip eigrp interfaces detail
IP-EIGRP interfaces for process 1

                 Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface  Peers Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Se0/0/0      1       0/0        17      10/380        448           0
  Hello interval is 5 sec
  Next xmit serial
  Un/reliable mcasts: 0/0  Un/reliable ucasts: 17/37
  Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 6
  Retransmissions sent: 0  Out-of-sequence rcvd: 0
  Authentication mode is md5, key-chain is "EIGRP-KEYS"
  Use unicast
By default, the HELLO timer is 5 seconds and the HOLD-TIME is 15.
Let's see how to change them.
R1# conf t
R1(config)# interface serial 1/0
! change the interval between HELLOs to 2 seconds
R1(config-if)# ip hello-interval eigrp 1 2
! change the hold-time to 8 seconds
R1(config-if)# ip hold-time eigrp 1 8

R2# conf t
R2(config)# interface serial 1/0
R2(config-if)# ip hello-interval eigrp 1 2
R2(config-if)# ip hold-time eigrp 1 8
A quick check of our changes:
R1# show ip eigrp 1 interfaces detail serial 1/0
IP-EIGRP interfaces for process 1

                 Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface  Peers Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Se0/0/0      1       0/0        17      10/380        448           0
  Hello interval is 2 sec
  Next xmit serial
  Un/reliable mcasts: 0/0  Un/reliable ucasts: 17/37
  Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 6
  Retransmissions sent: 0  Out-of-sequence rcvd: 0
  Authentication mode is md5, key-chain is "EIGRP-KEYS"
  Use unicast

R1# show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address         Interface   Hold  Uptime    SRTT   RTO   Q    Seq
0   172.16.12.2     Se0/0/0        6  01:23:39    17   2280  0    73
Make sure that all the routers taking part in routing in your AS have the same timers; otherwise, the adjacencies cannot be created in the neighbor table!