EIGRP Authentication & Load Balancing
Download as PPT, PDF•0 likes•582 views
The document discusses EIGRP authentication and load balancing. It explains that EIGRP authentication uses MD5 hashing and preshared keys to authenticate routing updates and prevent invalid routes. It also describes how to configure EIGRP authentication using key chains. The document then discusses how EIGRP supports both equal-cost and unequal-cost load balancing across multiple paths by default or through configuration of the variance parameter.
EIGRP Authentication & Load Balancing
- 1. EIGRP Authentication & Load Balancing
- 2. EIGRP Authentication • EIGRP authentication is used to prevent an attacker from forming the EIGRP neighbor relationship with your router and advertising incorrect routing information. By using the same preshared key (PSK) on all routers you can force EIGRP to authenticate every EIGRP message. That way you can ensure that your router accepts routing updates only from trusted sources. To authenticate every message, the MD5 (Message Digest 5) algorithm is used. • Three steps are required to configure EIGRP authentication: 1. creating a keychain 2. specifying a key string for a key 3. configuring EIGRP to use authentication
- 3. • EIGRP uses the concept of key chains. Each key chain can have many keys, just like in real life. You can specify a different lifetime interval of each key. That way the second key in a key chain can be used after the first one is expired, the third one after the second and so on. After you have created a key chain with the corresponding keys, you need to enable EIGRP authentication for a particular interface. • To configure a router to use EIGRP configuration the following commands are used: 1. (global-config) key chain NAME - creates a keychain 2. (config-keychain) key NUMBER - identifies the key number 3. (config-keychain-key) key-string STRING - specifies the key string for the key
- 4. • Next, we need to enable EIGRP authentication on an interface. From the interface mode, the following commands are used: 4. (config-if) ip authentication mode eigrp ASN md5 - enables EIGRP authentication on the interface 5. (config-if) ip authentication key-chain eigrp ASN KEY_CHAIN_NAME - specifies the name of the key chain that will be used for authentication • NOTE - for the authentication to work, the key number and the key string have to match on both routers! The key chain name doesn't have to be the same on both routers.
- 5. The following example shows how EIGRP authentication is configured. • To establish a time frame for the validity of a key, you need to configure the accept-lifetime and the send-lifetime parameters. The syntax of the commands is: (config-keychain-key) accept-lifetime start_time {infinite | end_time | duration seconds} (config-keychain-key) send-lifetime start_time {infinite | end_time | duration seconds}
- 6. • The first command specifies the time period during which the key will be accepted. The second command specifies the time period during which the key will be sent. • For example, if we want to use a key only from January 1st, 2015 to December 1st, 2015, the following commands are used:
- 7. EIGRP load balancing • By default, EIGRP supports equal-cost load balancing over four links. Equal-cost means that multiple routes must have the same metric to reach a destination, so that router can choose to load balance across equal cost links. • To better understand the equal-cost load balancing concept, consider the following example.
- 8. • All three routers are running EIGRP. Routers R2 and R3 are connected to the subnet 10.0.1.0/24. Both routers advertise the route to reach that subnet to R1. Router R1 receives the two routing updates for the subnet 10.0.1.0/24 with the same metric (the metric is the same because both routers connect to the subnet 10.0.1.0/24 and R1 across the links with the same bandwidth and delay values). Router R1 places both routes in the routing table and load balances across three links.
- 9. • You can verify that R1 is indeed using both paths by typing the show ip route command:
- 10. • One of the advantages of EIGRP is that, unlike OSPF and many other routing protocols, EIGRP also supports unequal- cost load balancing. You can set up your router to load balance over links with different metric to reach a destination. To accomplish unequal-cost load balancing, the variance command is used. The command takes one parameter, the multiplier, which tells the router to load balance across each link with the metric for the destination less than the feasible distance multiplied by the multiplier value. • NOTE - the multiplier value, by default, is 1. The maximum value is 128.
- 11. • Consider the following example.
- 12. All three routers are running EIGRP. Routers R2 and R3 are connected to the subnet 10.0.1.0/24. Both routers advertise the route to reach that subnet to R1. Router R1 chooses the route from R2 as the best route. Let's say that R1 calculated the metric of 40 for the path through R2. That route is placed in the R1's routing table. But what if we want to load balance traffic across the other link? The route through R3 has a feasible distance of 30, which is less than the metric of the successor route, so the feasibility condition has been met and that route has been placed in the R1's topology table. Let's say that R1 calculated the metric of 60 for the route through R3. To enable load balancing across that link, you need to use the variance command: • (router-eigrp) variance MULTIPLIER
- 13. • In this example, the variance 2 command can be used. This tells the router to load balance across any links with the metric less then 80 (because 40 times 2 is 80). The route through R3 is added to the routing table. • NOTE - a path has to be a feasible successor route to be used in unequal load balancing.