Conditions for Establishing EIGRP Neighbors

Conditions for forming an EIGRP neighbor relationship:

1. Adjacent devices must use the same AS number

 

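2. All devices in the AS must use the same K values. Defaults: K1=1, K2=0, K3=1, K4=0, K5=0

K1 = bandwidth, K2 = load, K3 = delay, K4 = reliability, K5 = MTU

Configuration:

router eigrp 90
 metric weights 0 1 1 1 1 1  //change the K values to K1=1, K2=1, K3=1, K4=1, K5=1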


R1#show eigrp protocols
EIGRP-IPv4 Protocol for AS(90)
  Metric weight K1=1, K2=1, K3=1, K4=1, K5=1

 

*Apr 10 13:14:33.507: %DUAL-5-NBRCHANGE: EIGRP-IPv4 90: Neighbor 15.1.1.1 (Ethernet0/2) is down: K-value mismatch

 

 

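3. The primary addresses on the main interfaces must be able to ping each other within the smallest common range; the mask lengths may differ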

 

*Apr 10 13:21:38.656: %DUAL-6-NBRINFO: EIGRP-IPv4 90: Neighbor 150.1.1.5 (Ethernet0/2) is blocked: not on common subnet (15.1.1.1/24)

 

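4. Authentication: EIGRP supports ciphertext (MD5) authentication; named-mode EIGRP also supports HMAC authentication

Configuration:

Step 1: configure the key chain and the key

key chain QYT   //names the key chain; locally significant, but using the same name on both ends is recommended
 key 1   //key ID
  key-string cisco   //password for this key

Step 2: enable authentication

interface Ethernet0/2
 ip address 15.1.1.5 255.255.255.0
 ip authentication mode eigrp 90 md5   //enable MD5 authentication first
 ip authentication key-chain eigrp 90 QYT  //apply the key chain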

 

R5#show ip eigrp interfaces detail e0/2
EIGRP-IPv4 Interfaces for AS(90)
                              Xmit Queue   PeerQ        Mean   Pacing Time   Multicast    Pending
Interface              Peers  Un/Reliable  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Et0/2                    0        0/0       0/0           0       0/2           50           0
  Hello-interval is 5, Hold-time is 15
  Split-horizon is enabled
  Next xmit serial <none>
  Packetized sent/expedited: 31/4
  Hello's sent/expedited: 518/2
  Un/reliable mcasts: 0/21  Un/reliable ucasts: 36/18
  Mcast exceptions: 1  CR packets: 1  ACKs suppressed: 4
  Retransmissions sent: 1  Out-of-sequence rcvd: 2
  Topology-ids on interface - 0
  Authentication mode is md5,  key-chain is "QYT"  //MD5 authentication is enabled on the interface and key-chain "QYT" is applied

 

R5#debug eigrp packet //use the debug command to analyze authentication

Case 1:

*Dec 13 12:01:47.374: EIGRP: Et0/2: ignored packet from 15.1.1.1, opcode = 1 (missing authentication or key-chain missing)  //MD5 authentication is enabled on the interface, but no key-chain is applied
R5#
*Dec 13 12:01:49.227: EIGRP: Et0/2: ignored packet from 15.1.1.1, opcode = 5 (missing authentication or key-chain missing)

Case 2:

*Dec 13 12:04:59.751: EIGRP: Et0/2: ignored packet from 15.1.1.1, opcode = 5 (missing authentication)    //the local end has MD5 enabled and a key-chain applied
*Dec 13 12:05:00.602: EIGRP: Sending HELLO on Et0/2 - paklen 60
*Dec 13 12:05:00.602:   AS 90, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0

Case 3:

*Dec 13 12:07:18.086: EIGRP: Sending HELLO on Et0/2 - paklen 60
*Dec 13 12:07:18.086:   AS 90, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Dec 13 12:07:18.953: EIGRP: pkt key id = 1, authentication mismatch
*Dec 13 12:07:18.953: EIGRP: Et0/2: ignored packet from 15.1.1.1, opcode = 5 (invalid authentication) //the peer has authentication enabled, but it is invalid; the password probably does not match

Case 4:

*Dec 13 12:23:50.674:   AS 90, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Dec 13 12:23:51.582: EIGRP: pkt authentication key id = 2, key not defined
*Dec 13 12:23:51.582: EIGRP: Et0/2: ignored packet from 15.1.1.1, opcode = 5 (invalid authentication)//the peer sent the password for key id 2, which is not defined on the local end


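5. Passive interface: neither receives nor sends hello packets

Usually configured on interfaces that connect to end devices; it does not affect the advertisement of routing information

Note: never configure it on an interface that connects to another router

router eigrp 90
 network 11.1.1.0 0.0.0.255
 network 12.1.1.0 0.0.0.255
 network 13.1.1.1 0.0.0.0
 network 15.1.1.0 0.0.0.255
 passive-interface default   //make every EIGRP-enabled interface passive
 no passive-interface Ethernet0/2   //turn passive mode off on this interface
 no passive-interface Serial1/0
 no passive-interface Serial1/1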

 

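6. A neighbor relationship cannot form when one side uses unicast and the other uses multicast

Both sides must use multicast, or both must use unicast, for the neighbor relationship to form

R1(config)#router eigrp 90
R1(config-router)#neighbor 15.1.1.5 e0/2   //unicast: specify the peer's directly connected interface IP address, followed by the outgoing interface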

 

*Apr 10 13:36:37.572: %DUAL-5-NBRCHANGE: EIGRP-IPv4 90: Neighbor 15.1.1.1 (Ethernet0/2) is down: Static peer replaces multicast

 

7. Filtering EIGRP packets

ip access-list extended EIGRP
 deny   eigrp any any

interface Ethernet0/2
 ip address 15.1.1.5 255.255.255.0
 ip access-group EIGRP in

R5#show ip access-lists
Extended IP access list EIGRP
    5 permit ip any any (4 matches)
    10 deny eigrp any any (31 matches)
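
Added example (not part of the original post): a Python triage script that maps the syslog and debug messages shown above to the neighbor condition that failed, pairing each key-id debug line with the "ignored packet" line that follows it so that case 3 and case 4 can be told apart. The function names and cause labels are assumptions of this example, and the sample log is constructed from the message texts on this page.

```python
import re
from collections import Counter

# Constructed sample: message texts copied from the outputs shown on this page.
SAMPLE = """\
*Apr 10 13:14:33.507: %DUAL-5-NBRCHANGE: EIGRP-IPv4 90: Neighbor 15.1.1.1 (Ethernet0/2) is down: K-value mismatch
*Apr 10 13:21:38.656: %DUAL-6-NBRINFO: EIGRP-IPv4 90: Neighbor 150.1.1.5 (Ethernet0/2) is blocked: not on common subnet (15.1.1.1/24)
*Dec 13 12:01:47.374: EIGRP: Et0/2: ignored packet from 15.1.1.1, opcode = 1 (missing authentication or key-chain missing)
*Dec 13 12:04:59.751: EIGRP: Et0/2: ignored packet from 15.1.1.1, opcode = 5 (missing authentication)
*Dec 13 12:07:18.953: EIGRP: pkt key id = 1, authentication mismatch
*Dec 13 12:07:18.953: EIGRP: Et0/2: ignored packet from 15.1.1.1, opcode = 5 (invalid authentication)
*Dec 13 12:23:51.582: EIGRP: pkt authentication key id = 2, key not defined
*Dec 13 12:23:51.582: EIGRP: Et0/2: ignored packet from 15.1.1.1, opcode = 5 (invalid authentication)
*Apr 10 13:36:37.572: %DUAL-5-NBRCHANGE: EIGRP-IPv4 90: Neighbor 15.1.1.1 (Ethernet0/2) is down: Static peer replaces multicast
"""

DUAL = re.compile(r"%DUAL-\d-\w+: EIGRP-IPv4 \d+: Neighbor (\S+) \(\S+\) is (?:down|blocked): ([^(]+?)(?: \(.*\))?\s*$")
IGNORED = re.compile(r"EIGRP: \S+: ignored packet from (\S+), opcode = \d+ \((.+)\)")
KEYLINE = re.compile(r"EIGRP: pkt (?:authentication )?key id = (\d+), (authentication mismatch|key not defined)")

CAUSES = {  # reason text in the log -> condition on this page (labels are this example's own)
    "K-value mismatch": "K values differ (condition 2)",
    "not on common subnet": "primary addresses not on a common subnet (condition 3)",
    "Static peer replaces multicast": "static unicast neighbor configured (condition 6)",
    "missing authentication or key-chain missing": "MD5 enabled locally, no key chain applied (case 1)",
    "missing authentication": "local MD5 and key chain set, packet unauthenticated (case 2)",
}

def classify(reason, key):
    """Name the cause; 'invalid authentication' needs the preceding key-id line."""
    if reason == "invalid authentication" and key:
        detail = "key-string differs (case 3)" if key[1] == "authentication mismatch" else "not defined locally (case 4)"
        return f"key {key[0]} {detail}"
    return CAUSES.get(reason, "unclassified: " + reason)

def triage(log):
    """Count (neighbor, cause) pairs; a key-id line applies only to the next line."""
    found, key = Counter(), None
    for line in log.splitlines():
        if m := KEYLINE.search(line):
            key = (int(m[1]), m[2])
            continue
        if m := DUAL.search(line) or IGNORED.search(line):
            found[(m[1], classify(m[2], key))] += 1
        key = None
    return dict(found)

if __name__ == "__main__":
    for (peer, cause), n in triage(SAMPLE).items():
        print(f"{peer:<12} x{n}  {cause}")
```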

