EIGRP This and That

Securing EIGRP

EIGRP supports Message Digest 5 (MD5) hashing to ensure the integrity of EIGRP messages and to prevent the injection of false routing information into the EIGRP domain.

EIGRP message authentication consists of several steps:

  • Configuring a key chain name in global configuration mode
  • Configuring one or more keys within the key chain
  • Configuring a key string for each key
  • Configuring EIGRP to use Message Digest 5 (MD5) authentication on the interface
  • Configuring EIGRP to use the key chain and key(s)

Router1(config)#key chain Router2-EIGRP-AUTH
Router1(config-keychain)#key 1
Router1(config-keychain-key)#key-string CCIE
Router1(config-keychain-key)#exit
Router1(config-keychain)#exit
Router1(config)#interface serial 0/0
Router1(config-if)#ip authentication mode eigrp 100 md5
Router1(config-if)#ip authentication key-chain eigrp 100 Router2-EIGRP-AUTH

EIGRP keys can also be configured to be accepted and sent only from a set start time, and to deactivate at a set end time. This is accomplished with the following commands under the key in key-chain configuration mode:

Router1(config-keychain-key)#accept-lifetime start-time [infinite | end-time | duration <seconds>]

Router1(config-keychain-key)#send-lifetime start-time [infinite | end-time | duration <seconds>]
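The accept-lifetime and send-lifetime windows above are what make a key rollover seamless or break adjacencies. As an added example (not from the original post), the Python model below translates that command syntax into time windows and checks a constructed two-key rotation for moments when a neighbour holding the same chain would reject what we send; the key numbers, key strings, dates and the "lowest valid key is used to send" rule are assumptions for the model.

```python
# Added example, not from the original post: a model of IOS key-chain
# send-/accept-lifetime windows used to check an EIGRP key rotation for gaps.
# Key numbers, key strings and times are constructed for illustration.
from datetime import datetime, timedelta

def lifetime(start, spec):
    """Map 'start-time [infinite | end-time | duration <seconds>]' to (start, end)."""
    if spec == "infinite":
        return start, None
    if isinstance(spec, int):                        # duration <seconds>
        return start, start + timedelta(seconds=spec)
    if isinstance(spec, datetime) and spec > start:  # end-time
        return start, spec
    raise ValueError("end-time must be later than start-time")

def _active(window, t):
    start, end = window
    return start <= t and (end is None or t < end)
# A chain is a list of (key number, key-string, accept window, send window).
def accepted_keys(chain, t):
    """Key numbers whose accept-lifetime covers t; received packets may use any of them."""
    return [num for num, _, accept, _ in chain if _active(accept, t)]

def send_key(chain, t):
    """Lowest-numbered key whose send-lifetime covers t (assumed IOS behaviour), or None."""
    valid = [num for num, _, _, send in chain if _active(send, t)]
    return min(valid) if valid else None

def rotation_gaps(chain, start, end, step=timedelta(minutes=5)):
    """Times when a neighbour holding the same chain would reject our packets:
    no key is sendable, or the key we send is outside its own accept window."""
    gaps, t = [], start
    while t < end:
        k = send_key(chain, t)
        if k is None or k not in accepted_keys(chain, t):
            gaps.append(t)
        t += step
    return gaps

T = datetime(2024, 1, 2)  # constructed rotation day; key 2 takes over at 12:00
def at(hours, minutes=0):  # offset from T, in hours and minutes
    return T + timedelta(hours=hours, minutes=minutes)
GOOD = [  # accept windows overlap the 12:00 send cut-over by an hour on each side
    (1, "CCIE", lifetime(at(-24), at(13)), lifetime(at(-24), at(12))),
    (2, "CCIE-2024", lifetime(at(11), "infinite"), lifetime(at(12), "infinite"))]
BAD = [GOOD[0],  # key 2 is sent from 12:00 but not accepted until 12:30
    (2, "CCIE-2024", lifetime(at(12, 30), "infinite"), lifetime(at(12), "infinite"))]
```

Running rotation_gaps over the BAD chain reports every check between 12:00 and 12:30, which is exactly the window where the neighbour would drop the adjacency; clock skew between routers widens the overlap you need.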

Default Routing Using EIGRP

EIGRP supports numerous ways to dynamically advertise the gateway or network of last resort to other routers within the routing domain. These methods are as follows:

  • Using the ip default-network command (legacy method).
  • Using the network command to advertise network 0.0.0.0/0: network 0.0.0.0
  • Redistributing the default static route, ip route 0.0.0.0 0.0.0.0 [interface] – redistribute static metric 1500 100 255 1 1500
  • Using the ip summary-address eigrp [asn] [network] [mask] command on the interface that points downstream into your network.

Split Horizon

Split horizon is a distance vector protocol feature that mandates that routing information cannot be sent back out of the same interface through which it was received. This prevents information from being re-advertised back to the source it was learned from. While this characteristic is a great loop prevention mechanism, it is also a significant drawback, especially in hub-and-spoke networks. By default, EIGRP split horizon is enabled for WAN interfaces connected to packet-switched networks, such as Frame Relay. So in a hub-and-two-spoke topology, the hub router will know all the routes that both spoke routers advertise, but it will not pass the routes learned from one spoke back out the same interface to the other spoke. As a result, neither spoke router will ever have a route to the networks behind the other spoke.

To work around the drawbacks that split horizon brings, we can do one of three things:

  1. On the hub router, advertise a default route down to both spoke routers with ip summary-address eigrp [AS] 0.0.0.0 0.0.0.0; note this command is configured on the physical interface and not on the sub-interfaces.
  2. On the hub router, disable split horizon on the interface the spoke routers hang off: no ip split-horizon eigrp [AS]
  3. On all routers, manually configure EIGRP neighbors: neighbor x.x.x.x

Router ID

The primary use of the EIGRP RID is to prevent routing loops. The RID identifies the originating router for external routes. If an external route is received with the same RID as the local router, the route is discarded. This feature is designed to reduce the possibility of routing loops in networks where route redistribution is being performed on more than one ASBR. When determining the router ID, EIGRP selects the highest IP address configured on the router. If loopback interfaces are also configured on the router, those interfaces are preferred, since a loopback interface is the most stable interface that can exist on a router. If the router ID is manually configured, the RID will never change unless the EIGRP process is removed. The RID is always listed in the EIGRP topology table:

Router2#sh ip eigrp topology
IP-EIGRP Topology Table for AS(100)/ID(2.2.2.2)

It is important to understand that the RID and the neighbor ID will typically be different, although they may be the same on a router with a single interface.

The EIGRP RID is configured using the eigrp router-id [address] router configuration command. When this command is entered, the RID is automatically updated with the new address in the EIGRP topology table. This will also reset your neighbor relationship(s). When choosing a router ID there are two IP addresses that cannot be used:

  • 0.0.0.0
  • 255.255.255.255

After configuring the router ID, it will be seen as the originating router on all external routes that the router redistributes:

Router2#sh ip eigrp topology 3.0.0.0/8
IP-EIGRP (AS 100): Topology entry for 3.0.0.0/8
  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 256
  Routing Descriptor Blocks:
  0.0.0.0, from Rstatic, Send flag is 0x0
      Composite metric is (256/0), Route is External
      Vector metric:
        Minimum bandwidth is 10000000 Kbit
        Total delay is 0 microseconds
        Reliability is 0/255
        Load is 0/255
        Minimum MTU is 1500
        Hop count is 0
      External data:
        Originating router is 2.2.2.2 (this system)
        AS number of route is 0
        External protocol is Static, external metric is 0
        Administrator tag is 0 (0x00000000)
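The RID selection rule and the "same RID, drop the external" check described above, as an added example that is not part of the original post. The interface names and addresses are constructed; the loopback-preference and highest-address logic follows the text, and the comparison is done on parsed addresses because a string comparison gets the ordering wrong.

```python
# Added example, not from the original post: how EIGRP picks its router ID and
# how the RID is used to drop externals that loop back. Addresses are constructed.
from ipaddress import IPv4Address

RESERVED_RIDS = {IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255")}

def rid_is_valid(address):
    """The two addresses that cannot be configured as a router ID."""
    return IPv4Address(address) not in RESERVED_RIDS

def select_rid(interfaces, manual=None):
    """interfaces maps interface name -> IPv4 address string. A manual
    'eigrp router-id' wins; otherwise the highest loopback address, falling
    back to the highest address on any interface. Compare as addresses, not
    strings: "9.1.1.1" > "10.1.1.1" as text but not as an IPv4 address."""
    if manual is not None:
        if not rid_is_valid(manual):
            raise ValueError(f"{manual} cannot be used as an EIGRP router ID")
        return IPv4Address(manual)
    addrs = {name: IPv4Address(ip) for name, ip in interfaces.items()}
    loopbacks = [a for name, a in addrs.items() if name.lower().startswith("loopback")]
    pool = loopbacks or list(addrs.values())
    return max(pool) if pool else None

def accept_external(originating_rid, local_rid):
    """An external route carrying our own RID is discarded (loop prevention)."""
    return IPv4Address(str(originating_rid)) != IPv4Address(str(local_rid))

# Constructed Router2: a higher physical address does not beat the loopback.
ROUTER2 = {"Serial0/0": "10.1.12.2", "FastEthernet0/0": "192.168.2.1", "Loopback0": "2.2.2.2"}
# Constructed router with no loopback: numeric ordering picks 10.1.12.2 over 9.1.1.1.
NO_LOOPBACK = {"Serial0/0": "10.1.12.2", "FastEthernet0/0": "9.1.1.1"}
```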

EIGRP Logging & Reporting

EIGRP event logging configuration parameters are configured in router configuration mode:

Router(config-router)#eigrp ?
  event-log-size         Set EIGRP maximum event log entries
  event-logging          Log IP-EIGRP routing events
  log-neighbor-changes   Enable/Disable IP-EIGRP neighbor logging
  log-neighbor-warnings  Enable/Disable IP-EIGRP neighbor warnings

The eigrp event-logging router configuration command is enabled by default. It enables the router to store a log of EIGRP events, such as when a metric for a route changes and an Update message is sent to a neighbor or group of neighbors. The contents of the EIGRP log can be viewed by issuing the show ip eigrp events command. By default, the EIGRP event log stores up to 500 lines of events. This default can be changed under the router process with the eigrp event-log-size <0-443604> command.

The eigrp log-neighbor-changes router configuration command allows the router to log EIGRP neighbor relationship changes. This command is enabled by default.

The eigrp log-neighbor-warnings [seconds] router configuration command is also enabled by default. It logs EIGRP neighbor warning messages at 10-second intervals.