BSCI: LAB EIGRP – Authentication and Timers
Second-to-last EIGRP lab, covering authentication and timers.
Authentication
Here is how to configure the authentication keys on each router participating in the EIGRP routing process:

R1# conf t
R1(config)# key chain EIGRP-KEYS
R1(config-keychain)# key 1
R1(config-keychain-key)# key-string cisco

R2# conf t
R2(config)# key chain EIGRP-KEYS
R2(config-keychain)# key 1
R2(config-keychain-key)# key-string cisco
Verifying the keys

R1# show key chain
Key-chain EIGRP-KEYS:
    key 1 -- text "cisco"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
Now that our keys are configured on the router, we must apply them to each interface on which we want authentication.

R1# conf t
R1(config)# interface serial 1/0
! ip authentication key-chain eigrp as_number key_chain_label.
R1(config-if)# ip authentication key-chain eigrp 1 EIGRP-KEYS
! the following command sends an MD5 hash of the keys rather than sending them in clear text; it is more secure.
R1(config-if)# ip authentication mode eigrp 1 md5

R2# conf t
R2(config)# interface serial 1/0
R2(config-if)# ip authentication key-chain eigrp 1 EIGRP-KEYS
R2(config-if)# ip authentication mode eigrp 1 md5
A quick check of the configuration:

R1#show ip eigrp interfaces detail
IP-EIGRP interfaces for process 1
                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Se0/0/0            1        0/0         4       0/12           50          0
  Hello interval is 5 sec
  Next xmit serial
  Un/reliable mcasts: 0/0  Un/reliable ucasts: 10/28
  Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 5
  Retransmissions sent: 0  Out-of-sequence rcvd: 0
  Authentication mode is md5, key-chain is "EIGRP-KEYS"
  Use unicast
And a quick debug to see the authenticated packets arriving on our interface:

R1#debug eigrp packets
EIGRP Packets debugging is on
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY,SIAREPLY)
*Oct 4 16:10:51.090: EIGRP: Sending HELLO on Serial0/0/1
*Oct 4 16:10:51.090: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Oct 4 16:10:51.190: EIGRP: received packet with MD5 authentication, key id =1
*Oct 4 16:10:51.190: EIGRP: Received HELLO on Serial0/0/1 nbr 172.16.13.3
*Oct 4 16:10:51.190: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
*Oct 4 16:10:51.854: EIGRP: received packet with MD5 authentication, key id =1
*Oct 4 16:10:51.854: EIGRP: Received HELLO on FastEthernet0/0 nbr 10.1.1.2
*Oct 4 16:10:51.854: AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
*Oct 4 16:10:53.046: EIGRP: received packet with MD5 authentication, key id =1
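As an added example (not part of the original lab), the following Python function audits running-config style text for the two interface commands used above and reports interfaces where the key chain is applied without the md5 mode, or where the referenced key chain has no key-string. The function name audit_eigrp_auth and the sample configuration are assumptions constructed for illustration.

```python
import re

# Constructed sample config (not from the lab routers): Serial1/0 matches the
# lab, Serial1/1 lacks the mode command, Serial1/2 misspells the key chain.
SAMPLE_CONFIG = """\
key chain EIGRP-KEYS
 key 1
  key-string cisco
!
interface Serial1/0
 ip authentication key-chain eigrp 1 EIGRP-KEYS
 ip authentication mode eigrp 1 md5
!
interface Serial1/1
 ip authentication key-chain eigrp 1 EIGRP-KEYS
!
interface Serial1/2
 ip authentication key-chain eigrp 1 EIGRP-KEY
 ip authentication mode eigrp 1 md5
"""

def audit_eigrp_auth(config):
    """Return {interface: [findings]} for EIGRP authentication settings."""
    chains, ifaces = {}, {}
    chain = iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # top-level line starts a new context
            chain = iface = None
            if m := re.match(r"key chain (\S+)", line):
                chain = chains.setdefault(m.group(1), [])
            elif m := re.match(r"interface (\S+)", line):
                iface = ifaces.setdefault(m.group(1), {"chains": {}, "md5": set()})
        elif chain is not None and line.startswith("key-string "):
            chain.append(line.split(None, 1)[1])
        elif iface is not None:
            if m := re.match(r"ip authentication key-chain eigrp (\d+) (\S+)", line):
                iface["chains"][m.group(1)] = m.group(2)
            elif m := re.match(r"ip authentication mode eigrp (\d+) md5", line):
                iface["md5"].add(m.group(1))
    report = {}
    for name, cfg in ifaces.items():
        findings = []
        for asn, ref in cfg["chains"].items():
            if asn not in cfg["md5"]:
                findings.append(f"AS {asn}: key chain set but md5 mode missing")
            if not chains.get(ref):  # chain never defined, or defined without a key
                findings.append(f"AS {asn}: key chain {ref!r} is undefined or has no key-string")
        report[name] = findings
    return report
```

An empty list for an interface means both commands are present and the key chain they reference carries at least one key-string.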
EIGRP Timers
We can see the Hello timers here:

R1# show ip eigrp interfaces detail
IP-EIGRP interfaces for process 1
                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Se0/0/0            1        0/0        17      10/380         448          0
  Hello interval is 5 sec
  Next xmit serial
  Un/reliable mcasts: 0/0  Un/reliable ucasts: 17/37
  Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 6
  Retransmissions sent: 0  Out-of-sequence rcvd: 0
  Authentication mode is md5, key-chain is "EIGRP-KEYS"
  Use unicast
By default, the HELLO timers are set to 5 seconds and the HOLD-TIME to 15.
Here is how to change them.

R1# conf t
R1(config)# interface serial 1/0
! change the interval between HELLOs to 2 seconds
R1(config-if)# ip hello-interval eigrp 1 2
! change the hold-time to 8 seconds
R1(config-if)# ip hold-time eigrp 1 8

R2# conf t
R2(config)# interface serial 1/0
R2(config-if)# ip hello-interval eigrp 1 2
R2(config-if)# ip hold-time eigrp 1 8
A quick check of our changes:

R1# show ip eigrp 1 interfaces detail serial 1/0
IP-EIGRP interfaces for process 1
                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Se0/0/0            1        0/0        17      10/380         448          0
  Hello interval is 2 sec
  Next xmit serial
  Un/reliable mcasts: 0/0  Un/reliable ucasts: 17/37
  Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 6
  Retransmissions sent: 0  Out-of-sequence rcvd: 0
  Authentication mode is md5, key-chain is "EIGRP-KEYS"
  Use unicast

R1# show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address         Interface   Hold  Uptime    SRTT  RTO   Q  Seq
0   172.16.12.2     Se0/0/0     6     01:23:39  17    2280  0  73
Make sure that all routers participating in routing in your AS have the same timers; otherwise, the adjacencies cannot be created in the neighbor table!