CCNP Route Lab 2-5, EIGRP Authentication and Timers

Topology

[Figure: lab topology diagram]

Objectives

  • Review a basic configuration of EIGRP.
  • Configure and verify EIGRP authentication parameters.
  • Configure EIGRP hello interval and hold time.
  • Verify the hello interval and hold time.

Background
As a network engineer, you have weighed the benefits of routing protocols and deployed EIGRP in your corporation’s network. Recently, a new Chief Information Officer replaced the previous CIO and outlined a new network policy detailing more robust security measures. The CIO has also drawn up specifications to allow more frequent checking between neighboring routers so that fewer packets are lost in transit during times of instability. In this lab, you implement the CIO’s specifications on the network.

Note: This lab uses Cisco 1841 routers with Cisco IOS Release 12.4(24)T1 and the advanced IP services image c1841-advipservicesk9-mz.124-24.T1.bin. The switch is a Cisco WS-C2960-24TT-L with the Cisco IOS image c2960-lanbasek9-mz.122-46.SE.bin. You can use other routers (such as a 2801 or 2811) and Cisco IOS Software versions if they have comparable capabilities and features. Depending on the router or switch model and Cisco IOS Software version, the commands available and output produced might vary from what is shown in this lab.

Required Resources

  • 3 routers (Cisco 1841 with Cisco IOS Release 12.4(24)T1 Advanced IP Services or comparable)
  • 1 switch (Cisco 2960 with the Cisco IOS Release 12.2(46)SE C2960-LANBASEK9-M image or comparable)
  • Serial and Ethernet cables

Step 1: Configure the hostname and interface addresses.
Using the addressing scheme in the diagram, apply IP addresses to the loopback, serial, and Fast Ethernet interfaces on R1, R2, and R3. Set the serial interface bandwidth on each router with the interface-level bandwidth bandwidth command. Specify the bandwidth as 64 kb/s on each serial interface. Specify the clock rate on the DCE end of each serial link using the clock rate 64000 command.

Note: If you have WIC-2A/S serial interfaces, the maximum clock rate is 128 kb/s. If you have WIC-2T serial interfaces, the maximum clock rate is much higher (2.048 Mb/s or higher depending on hardware), which is more representative of a modern network WAN link. However, this lab uses 64 kb/s and 128 kb/s settings.

You can copy and paste the following configurations into your routers to begin.

Note: Depending on the router model, the interfaces might be numbered differently than those listed and might require you to alter the interface designation accordingly.

Router R1

Router R2

Router R3

Step 2: Configure basic EIGRP.
a. Configure EIGRP AS 1 as in the previous EIGRP labs. Run EIGRP on all connections in the lab, and leave auto-summarization on. Advertise networks 10.0.0.0/8, 172.16.0.0/16, 192.168.1.0/24, 192.168.2.0/24, and 192.168.3.0/24 from their respective routers.

b. Use the show ip eigrp neighbors command to check which routers have EIGRP adjacencies.

Did you receive the output that you expected?
You should see the output shown above.

c. Run the following Tcl script on all routers to verify full connectivity.

You should get ICMP echo replies for every address pinged.

Step 3: Configure authentication keys.
Before you configure a link to authenticate the EIGRP adjacencies, you must configure the keys that are used for the authentication. EIGRP uses Cisco IOS generic router key chains as storage locations for keys. These key chains classify keys into groups, enabling keys to be easily changed periodically without bringing down adjacencies.

a. Use the key chain name command in global configuration mode to create a chain of keys with the label EIGRP-KEYS.

b. Issue the show key chain command. You should have the same output on every router.

You can set a time span for sending a key to other routers and a time span during which a key is accepted from other routers. Although lifetime values are not explored in the route labs, you should keep them in mind for production networks when you are rolling from one set of authentication strings to another. For now, you simply want to authenticate the EIGRP adjacencies for security reasons.

Step 4: Configure EIGRP link authentication.
When configuring EIGRP link authentication, you must first associate the key chain with a particular EIGRP process (or autonomous system) running on the interface using the ip authentication key-chain eigrp as_number key_chain_label command. Then you activate MD5 authentication for that EIGRP process using the ip authentication mode eigrp as_number md5 command.

a. Apply the following commands on all active EIGRP interfaces.

Each EIGRP adjacency should flap (go down and come back up) when you implement MD5 authentication on one side of the link before the other side has been configured. In a production network, flapping causes some instability during a configuration, so make sure you implement MD5 outside of peak usage times.

b. Check the configuration with the show ip eigrp interfaces detail command.

At this point, the interfaces are authenticating each adjacency with the EIGRP-KEYS key chain. Make sure that you verify the number of neighbors out each interface in the above output. Notice that the number of peers is the number of adjacencies established out that interface.

When EIGRP has a key chain associated with an autonomous system on a given interface and EIGRP is authenticating its adjacencies, you have successfully completed the initial work.

c. Use the debug eigrp packets command to see the authenticated hellos.

d. Issue the undebug all command to stop the debugging output.
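
The key chain from Step 3 and the interface commands from Step 4, as an added example that is not the lab's own configuration. It goes beyond the lab by adding the key lifetimes mentioned in Step 3 to show a rollover with an overlap window; the key strings are placeholders, the dates are constructed, and the FastEthernet0/0 interface name is an assumption based on the 1800-series row of the interface table.

```cisco
! Added example, not the lab's own configuration.
! <OLD-KEY-STRING> and <NEW-KEY-STRING> are placeholders; dates are constructed.
! Lifetimes are compared against the router clock, so set and
! synchronize the clocks on all neighbors before relying on them.
key chain EIGRP-KEYS
 ! Key 1: current key. Still accepted for one week after sending stops.
 key 1
  key-string <OLD-KEY-STRING>
  accept-lifetime 00:00:00 Jan 1 2025 00:00:00 Jul 8 2025
  send-lifetime 00:00:00 Jan 1 2025 00:00:00 Jul 1 2025
 ! Key 2: replacement key. Accepted one week before it is first sent.
 key 2
  key-string <NEW-KEY-STRING>
  accept-lifetime 00:00:00 Jun 24 2025 infinite
  send-lifetime 00:00:00 Jul 1 2025 infinite
!
! Bind the key chain to EIGRP AS 1 and enable MD5 on each active
! EIGRP interface (interface names depend on the router model).
interface Serial0/0/0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 EIGRP-KEYS
!
interface FastEthernet0/0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 EIGRP-KEYS
```

Both neighbors on a link need the same key numbers and key strings. The overlapping accept windows let the adjacency stay up while each router switches its sending key.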

Step 5: Manipulate EIGRP timers.
The CIO also ordered you to change the hello and dead intervals on point-to-point serial interfaces so that dead neighbors are detected in roughly half the time that they are detected by default.

a. To view the default timers, use the show ip eigrp interfaces detail command.

The default hello interval for point-to-point serial links is 5 seconds, regardless of the bandwidth, and 5 seconds for LAN interfaces. The default hold time is three times the length of the hello interval.

The hello interval determines how often outgoing EIGRP hellos are sent, while the hold time defines how long other neighbors tolerate the loss of the hello packets. You are more concerned with the hold time than the hello interval, because the hold time detects a dead neighbor. However, you also want the neighbors to send the same number of hellos as under normal circumstances before declaring a neighbor dead.

The requirements from the CIO specify that the hold time should be roughly half of the default, which is 15 seconds, so a new hold time of 7 or 8 seconds would be appropriate. A shorter hold time allows a dead neighbor to be detected more quickly. A hello interval of 2 seconds results in detecting new neighbors more rapidly.

b. Change both the hello interval and the hold time for AS 1 for serial 0/0/0 on R1 and R2 using the ip hello-interval eigrp 1 2 and ip hold-time eigrp 1 8 commands. If necessary, use the ? to investigate what each parameter does.

c. Verify that the hello interval has been successfully changed on routers R1 and R2 using the show ip eigrp 1 interfaces detail serial 0/0/0 command.

d. Verify that the hold time has been successfully changed with the show ip eigrp neighbors command.

e. Configure the same hello interval and hold time on each active serial interface in the topology.

f. Make sure that all of the EIGRP neighbor relationships remain up during the configuration process. Use the show ip eigrp neighbors command to verify the hold time, and the show ip eigrp interfaces detail command to verify the hello interval.

g. Run the Tcl script again to make sure you still have full connectivity after making the changes to the EIGRP default configuration. You should receive all ICMP echo replies back successfully.

Router Interface Summary Table

Router Interface Summary

| Router Model | Ethernet Interface #1 | Ethernet Interface #2 | Serial Interface #1 | Serial Interface #2 |
|---|---|---|---|---|
| 1700 | Fast Ethernet 0 (Fa0) | Fast Ethernet 1 (Fa1) | Serial 0 (S0) | Serial 0/0/1 (S0/0/1) |
| 1800 | Fast Ethernet 0/0 (Fa0/0) | Fast Ethernet 0/1 (Fa0/1) | Serial 0/0/0 (S0/0/0) | Serial 0/0/1 (S0/0/1) |
| 2600 | Fast Ethernet 0/0 (Fa0/0) | Fast Ethernet 0/1 (Fa0/1) | Serial 0/0 (S0/0) | Serial 0/1 (S0/1) |
| 2800 | Fast Ethernet 0/0 (Fa0/0) | Fast Ethernet 0/1 (Fa0/1) | Serial 0/0/0 (S0/0/0) | Serial 0/0/1 (S0/0/1) |

Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many interfaces the router has. Rather than list all combinations of configurations for each router class, this table includes identifiers for the possible combinations of Ethernet and serial interfaces in the device. The table does not include any other type of interface, even though a specific router might contain one, for example an ISDN BRI interface. The string in parentheses is the legal abbreviation that can be used in Cisco IOS commands to represent the interface.

Device Configurations (Instructor version)
Router R1

Router R2

Router R3

About the author

Scott
