Securing EIGRP
EIGRP supports Message Digest 5 (MD5) hashing to ensure the integrity of EIGRP messages and to prevent the injection of false routing information into the EIGRP domain.
EIGRP message authentication consists of several steps:
- Configuring a key chain name in global configuration mode
- Configuring one or more keys within the key chain
- Configuring a key string for the key
- Configuring EIGRP to use Message Digest 5 (MD5) authentication on the interface
- Configuring EIGRP to use the key chain and key(s)
Router1(config)#key chain Router2-EIGRP-AUTH
Router1(config-keychain)#key 1
Router1(config-keychain-key)#key-string CCIE
Router1(config-keychain-key)#exit
Router1(config-keychain)#exit
Router1(config)#interface serial 0/0
Router1(config-if)#ip authentication mode eigrp 100 md5
Router1(config-if)#ip authentication key-chain eigrp 100 Router2-EIGRP-AUTH
EIGRP keys can also be given a lifetime, so that a key is only accepted, or only used for sending, between a start time and an end time. This is configured with the following commands under the key in the key chain:
Router1(config-keychain-key)#accept-lifetime start-time [infinite | end-time | duration <seconds>]
Router1(config-keychain-key)#send-lifetime start-time [infinite | end-time | duration <seconds>]
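As an added example (not part of the original notes), the following Python model shows what the key chain steps above and the accept-lifetime / send-lifetime windows do: the lowest-numbered key whose send-lifetime is valid is used to sign, and a received digest is only checked against keys whose accept-lifetime is valid at that moment. The digest is a simplified keyed MD5 (MD5 over message plus key string) used as a stand-in; it is an assumption for illustration and does not reproduce the real EIGRP authentication TLV layout. The key chain name and the key string CCIE come from the notes; the second key, the reference time T0 and the message bytes are constructed.

```python
"""Model of an EIGRP-style key chain with accept/send lifetimes (added example).

Assumption: digest() is a simplified keyed MD5 (message || key string), a
stand-in for, not a reproduction of, the EIGRP MD5 authentication TLV.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

T0 = datetime(2024, 1, 1, 0, 0, 0)  # constructed reference time for the demo


def at(seconds: int) -> datetime:
    """Clock value `seconds` after T0."""
    return T0 + timedelta(seconds=seconds)


@dataclass
class Lifetime:
    start: datetime
    end: Optional[datetime]  # None models the IOS "infinite" keyword

    @classmethod
    def duration(cls, start: datetime, seconds: int) -> "Lifetime":
        """Models 'start-time duration <seconds>'."""
        return cls(start, start + timedelta(seconds=seconds))

    def active(self, now: datetime) -> bool:
        return self.start <= now and (self.end is None or now <= self.end)


@dataclass
class Key:
    number: int
    key_string: str
    accept: Lifetime  # accept-lifetime: when this key validates received messages
    send: Lifetime    # send-lifetime: when this key is used to sign


@dataclass
class KeyChain:
    name: str
    keys: List[Key] = field(default_factory=list)

    def send_key(self, now: datetime) -> Optional[Key]:
        # Lowest-numbered key with a valid send-lifetime is used for sending.
        for k in sorted(self.keys, key=lambda key: key.number):
            if k.send.active(now):
                return k
        return None

    def accept_keys(self, now: datetime) -> List[Key]:
        return [k for k in self.keys if k.accept.active(now)]


def digest(message: bytes, key_string: str) -> bytes:
    # Simplified keyed MD5 (assumption, see module docstring).
    return hashlib.md5(message + key_string.encode()).digest()


def sign(chain: KeyChain, message: bytes, now: datetime):
    """Return (key number, digest) using the current send key."""
    k = chain.send_key(now)
    if k is None:
        raise RuntimeError("no key in the chain has a valid send-lifetime")
    return k.number, digest(message, k.key_string)


def verify(chain: KeyChain, message: bytes, key_number: int,
           received: bytes, now: datetime) -> bool:
    """Accept only if an accept-valid key with that number reproduces the digest."""
    for k in chain.accept_keys(now):
        if k.number == key_number and digest(message, k.key_string) == received:
            return True
    return False


def build_demo_chain() -> KeyChain:
    """Key 1 (CCIE) sends for one hour; key 2 takes over, and its accept window
    opens five minutes early so neighbors on either key keep authenticating."""
    chain = KeyChain("Router2-EIGRP-AUTH")
    chain.keys.append(Key(1, "CCIE",
                          accept=Lifetime(at(0), None),          # accept infinite
                          send=Lifetime.duration(at(0), 3600)))  # send 1 hour
    chain.keys.append(Key(2, "CCIE-rollover",                    # constructed
                          accept=Lifetime(at(3300), None),
                          send=Lifetime(at(3600), None)))
    return chain


if __name__ == "__main__":
    chain = build_demo_chain()
    msg = b"EIGRP update: 10.0.0.0/8"  # constructed message bytes
    kid, d = sign(chain, msg, at(0))
    print("signed with key", kid, "verifies:", verify(chain, msg, kid, d, at(0)))
    print("tampered message verifies:", verify(chain, msg + b"!", kid, d, at(0)))
    print("send key two hours later:", chain.send_key(at(7200)).number)
```

The overlap between key 1's accept-lifetime and key 2's send-lifetime is the practical point: if the accept window of the old key closes before every neighbor has rolled to the new key, adjacencies drop.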
Default Routing Using EIGRP
EIGRP supports several ways to dynamically advertise the gateway or network of last resort to other routers within the routing domain:
- Using the ip default-network command (legacy method).
- Using the network command to advertise network 0.0.0.0/0: network 0.0.0.0
- Redistributing a default static route: ip route 0.0.0.0 0.0.0.0 [interface], then redistribute static metric 1500 100 255 1 1500
- Using the ip summary-address eigrp [asn] [network] [mask] command on the interface that points downstream into your network.
Split Horizon
Split horizon is a Distance Vector protocol feature that mandates that routing information cannot be sent back out of the same interface through which it was received. This prevents re-advertising information back to the source from which it was learned. While this characteristic is a great loop prevention mechanism, it is also a significant drawback, especially in hub-and-spoke networks. By default, EIGRP split horizon is enabled on WAN interfaces connected to packet switched networks, such as Frame Relay. So in a hub and two spoke topology, the hub router will know all the routes that both spoke routers are advertising, but it will not pass the routes learned from one spoke down to the other spoke. As a result, neither spoke router will ever have a route to the networks behind the other spoke.
To work around the drawbacks that split horizon brings we can do one of three things:
- On the hub router, advertise a default route down to both spoke routers: ip summary-address eigrp [AS] 0.0.0.0 0.0.0.0. Note that this command is configured on the physical interface and not on the sub-interfaces.
- On the hub router, disable split horizon on the interface the spoke routers hang off: no ip split-horizon eigrp [AS]
- On all routers, manually configure EIGRP neighbors: neighbor x.x.x.x
Router ID
The primary use of the EIGRP RID is to prevent routing loops. The RID identifies the originating router for external routes. If an external route is received with the same RID as the local router, the route is discarded. This feature is designed to reduce the possibility of routing loops in networks where route redistribution is being performed on more than one ASBR. When determining the Router ID, EIGRP selects the highest IP address configured on the router. If Loopback interfaces are configured, those interfaces are preferred, since a Loopback interface is the most stable interface that can exist on a router. If the router ID is manually configured, the RID will never change unless the EIGRP process is removed. The RID is always listed in the EIGRP Topology Table:
Router2#sh ip eigrp topology
IP-EIGRP Topology Table for AS(100)/ID(2.2.2.2)
It is important to understand that the RID and the neighbor ID will typically be different, although they may coincide on a router with a single interface.
The EIGRP RID is configured using the eigrp router-id [address] router configuration command. When this command is entered, the RID is automatically updated with the new address in the EIGRP Topology Table. This also resets your neighbor relationship(s). When choosing a router ID there are two IP addresses that cannot be used:
- 0.0.0.0
- 255.255.255.255
After configuring your router ID, it will be seen as the originating router on all external routes that the router redistributes:
Router2#sh ip eigrp topology 3.0.0.0/8
IP-EIGRP (AS 100): Topology entry for 3.0.0.0/8
State is Passive, Query origin flag is 1, 1 Successor(s), FD is 256
Routing Descriptor Blocks:
0.0.0.0, from Rstatic, Send flag is 0x0
Composite metric is (256/0), Route is External
Vector metric:
Minimum bandwidth is 10000000 Kbit
Total delay is 0 microseconds
Reliability is 0/255
Load is 0/255
Minimum MTU is 1500
Hop count is 0
External data:
Originating router is 2.2.2.2 (this system)
AS number of route is 0
External protocol is Static, external metric is 0
Administrator tag is 0 (0x00000000)
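As an added example (not from the original notes), the following Python code models the two Router ID rules described above: how the RID is chosen (a manually configured eigrp router-id wins; otherwise the highest Loopback address, else the highest interface address; 0.0.0.0 and 255.255.255.255 are never usable) and the loop check that discards an external route whose originating RID equals the local RID. The interface names, addresses and route records are constructed for illustration; only the RID 2.2.2.2 and the 3.0.0.0/8 static route echo the topology output above.

```python
"""Model of EIGRP router-ID selection and the external-route RID loop check
(added example; interfaces and routes below are constructed)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional

INVALID_RIDS = {IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255")}


def is_valid_router_id(addr: str) -> bool:
    """The two addresses that can never be an EIGRP router ID."""
    return IPv4Address(addr) not in INVALID_RIDS


def select_router_id(interfaces: Dict[str, str], manual: Optional[str] = None) -> str:
    """Pick the RID the way the notes describe.

    interfaces maps interface name -> IPv4 address (pass only 'up' interfaces).
    manual models 'eigrp router-id [address]' and overrides the selection.
    """
    if manual is not None:
        if not is_valid_router_id(manual):
            raise ValueError(f"{manual} cannot be used as an EIGRP router ID")
        return manual
    addrs = {name: IPv4Address(a) for name, a in interfaces.items()}
    # Loopbacks are preferred because they never go down with a link.
    loopbacks = [a for name, a in addrs.items() if name.lower().startswith("loopback")]
    candidates = [a for a in (loopbacks or list(addrs.values())) if a not in INVALID_RIDS]
    if not candidates:
        raise ValueError("no usable IP address to derive a router ID from")
    return str(max(candidates))  # highest address wins


@dataclass
class ExternalRoute:
    prefix: str
    originating_rid: str   # "Originating router is ..." in the topology entry
    external_protocol: str  # e.g. Static, as in the External data block


def accept_external(local_rid: str, route: ExternalRoute) -> bool:
    """Discard an external route that carries our own RID: we redistributed it
    ourselves and it is coming back through another ASBR (a potential loop)."""
    return IPv4Address(route.originating_rid) != IPv4Address(local_rid)


def filter_external_routes(local_rid: str, routes: List[ExternalRoute]) -> List[ExternalRoute]:
    return [r for r in routes if accept_external(local_rid, r)]


# Constructed sample data: Router2 with a loopback and a serial link, plus two
# external routes heard from a neighbor, one of which originated from Router2.
ROUTER2_INTERFACES = {"Loopback0": "2.2.2.2", "Serial0/0": "10.1.1.2"}
SAMPLE_ROUTES = [
    ExternalRoute("3.0.0.0/8", "2.2.2.2", "Static"),  # our own redistribution, looping back
    ExternalRoute("4.0.0.0/8", "3.3.3.3", "Static"),  # genuinely from another ASBR
]


def demo() -> List[str]:
    """Return the prefixes Router2 keeps after the RID loop check."""
    rid = select_router_id(ROUTER2_INTERFACES)
    return [r.prefix for r in filter_external_routes(rid, SAMPLE_ROUTES)]


if __name__ == "__main__":
    print("Router2 RID:", select_router_id(ROUTER2_INTERFACES))
    print("external routes kept:", demo())
```

The filter is the reason the notes say the RID is listed on every redistributed external route: without a stable, unique RID per ASBR the check either fails to catch a looped route or, if two ASBRs share an RID, wrongly drops each other's legitimate routes.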
EIGRP Logging & Reporting
EIGRP event logging parameters are configured in router configuration mode:
Router(config-router)#eigrp ?
event-log-size Set EIGRP maximum event log entries
event-logging Log IP-EIGRP routing events
log-neighbor-changes Enable/Disable IP-EIGRP neighbor logging
log-neighbor-warnings Enable/Disable IP-EIGRP neighbor warnings
The eigrp event-logging router configuration command is the default EIGRP logging on your router. It enables the router to store a log of EIGRP events, such as when the metric for a route changes and an Update message is sent to a neighbor or group of neighbors. The contents of the EIGRP log can be viewed with the show ip eigrp events command. By default, the EIGRP event log stores up to 500 lines of events; this can be changed under the router process with eigrp event-log-size <0-443604>. The eigrp log-neighbor-changes router configuration command allows the router to log EIGRP neighbor relationship changes; it is enabled by default. The eigrp log-neighbor-warnings [seconds] router configuration command is also enabled by default and logs EIGRP neighbor warning messages at 10-second intervals.