Verify the routing topology with show ip eigrp neighbors. This command will give you information about the ip address of the peer neighbor, its interface, and the order in which neighborship was established. The hold uptime is how many seconds it will wait to hear from its neighbors before declaring it unreachable.
To check the local interface configured in the EIGRP topology use the command show ip eigrp interfaces.
The command show ip eigrp neighbors detail will show the neighbor relations more in detail. To verify that the EIGRP protocol is running on the router we can check with the command show ip protocols. With running this command we can see that EIGRP is running on this router with autonomous-system number 1. It’s router-id is 1.1.1.1. Its administrative distance for internal routes is 90 and 170 for external routes. We can also see the networks that are configured to run EIGRP. Tune timers between HQ router and Branch1:
First let's verify the hello and hold timers on the HQ router using show ip eigrp interfaces detail gigabitEthernet 0/0 command. We can see that it is set to hello-interval 5 and hold-time 15. We will adjust these timers so that hello-interval is 1 and hold-time is 5.
HQ(config)# int gigabitEthernet 0/0 ip hello-interval eigrp 1 1 ip hold-interval eigrp 1 5 !
Branch1(config)# int gigabitEthernet 0/0 ip hello-interval eigrp 1 1 ip hold-interval eigrp 1 5 !
Another command we can use to verify the timers set on a EIGRP interface is show ip eigrp interfaces detail. We can see that the change was successful.
Run the command show ip eigrp topology all-links to check the feasible distance, reported distance, successor routes, and the feasible successor routes to a destination. This command will display all the paths to a destination.
Configure EIGRP stub routing between Branch1 and BranchOffice routers:
At the moment the branch1 router is advertising all routes to the branchOffice router. We will configure the branch1 router as a stub so the branch router will not receive any EIGRP routes from it. Branch1(config)# router eigrp 1 eigrp stub !
We can now see that the only routes being advertised to the branchOffice router by the Branch1 router are its loopback interfaces and its directly connected interface. Configure EIGRP IPv4 summaries on DIST router:
The summary address will be 172.16.96.0/16 and we will configure it on both interfaces 0/0 &0/1 of the DIST router.
interface GigabitEthernet0/0 ip summary-address eigrp 1 172.16.0.0 255.255.0.0 !
interface GigabitEthernet0/1 ip summary-address eigrp 1 172.16.0.0 255.255.0.0 !
We can see above that the 172.16.96.0/24, 172.16.112.0/24, 172.16.128.0/24 networks have been summarized to 172.16.0.0/16. Redistribute EIGRP default routes:
HQ has a default route pointing to the ISP. We also have a static route on router ISP for the acknowledgment process of ping which uses ICMP (Internet Control Message Protocol) to send synchronize and acknowledgement packets. We will redistribute this into its EIGRP network.
We can verify on the branch1 and the peer routers that the default route is present in the routing table. To verify that the static routes are working and redistributed into EIGRP, we will test pinging the ISPs loopback 0 interface from the branch routers.
The ping worked and we can see that the traceroute command on Branch2 router shows the correct path to ISP.
Configure EIGRP Load Balancing:
The DIST router is using both routes at once to talk to the HQ router. After adjusting the delay we will see that both gigabit ethernet links will have different feasible distance values. We can also see that the DIST router will use its 10.10.4.1 as its feasible successor. We will do the same thing on the HQ router so load balancing starts on both sides. DIST(config)# interface gigabitethernet 0/1 delay 1000 !
The interface gigabitEthernet 0/1 is the chosen route and is the successor route to the HQ router. We will apply load balancing so the distribution center router takes both paths and utilizes both links.
We can see before issuing the variance command that the DIST router only has one successor to the HQ router. We will issue a variance of 2 so both links are successors and show up int the routing table. DIST(config)# router eigrp 1 variance 2 !
HQ(config)# router eigrp 1 variance 2 !
Before variance command:
After variance command:
Enable MD5 Authentication between HQ and Branch1 Routers:
We will configure MD5 authentication between Branch1 router and HQ. We will start off by creating a key chain and using the first key for this instance. The key will have a timer that lasts forever. We can modify the timer to adjust it for how long we want the key to last.
We can verify that the key chain is created by using the command show key chain Configure authentication mode MD5 on the HQ and Branch1 routers interfaces respectively. We will also need to associate the key chain we created which will be used for authenticating EIGRP peers.
HQ(config)# interface gigabitEthernet 0/0 ip authentication mode eigrp 1 md5 ip authentication key-chain eigrp 1 EIGRP_KEYS !
Branch1(config)# interface gigabitEthernet 0/0 ip authentication mode eigrp 1 md5 ip authentication key-chain eigrp 1 EIGRP_KEYS ! GRE over IPSEC:
Topology:
Configure router interfaces and establish OSPF neighborship between all 4 routers.
Tunnel interface will be up and OSPF neighborship will be established between R1 and R4 through tunnel1 interface.
Next we will configure the IPSec VPN. We will be using ISAKMP (Internet Security Association and Key Management Protocol) for phase-1 (authentication and key-exchange) and IPSec transform-set for phase 2 (data encryption).
- Above we create an ISAKMP policy with priority 10 which will handle phase 1.ISAKMP policies are preferred based on highest priority. - The encryption algorithm used is AES (Advanced Encryption Standard) with default key length of 128 bits. - The configuration also states that both peers will use a shared secret key which is called ‘ciscokey’ and will use Diffie-Hellman group 2 for key exchange referring to the 1024-bit key exchange group.
Phase 2:
R1(config)# crypto ipsec transform-set CISCOT esp-aes esp-sha-hmac mode transport !
- The above commands create an IPSec transform-set named CISCOT.
- Encryption algorithm that will be used is AES. - For authentication and checking the encrypted data, we will use SHA (Secure Hash Algorithm)-HMAC (Hash-based Message Authentication Code). - There are two modes of packet transfer when using IPSec. They are tunnel mode and transport mode. Tunnel mode provides more security by encrypting both the header fields which store source and destination addresses as well as the payload. Transport mode only encrypts the payload which is where the data is stored. Tunnel mode is preferred when communicating between two routers and different networks while transport mode is used as a client-to-server service for example connecting a remote work from home office to your job.
R1(config)# crypto map VPN 10 ipsec-isakmp set peer 198.51.100.2 set transform-set CISCOT match address GRE-IN-IPSEC ! interface GigabitEthernet0/0 crypto map VPN ! ! ip access-list extended GRE-IN-IPSEC permit gre any any !
- Create a crypto map which will apply the IPSec policy to a specific interface. This will handle the traffic entering and exiting the interface. - The crypto map is named “VPN” and has a priority of 10. It is also stated the map will use IP w/ISAKMP. - The ip address of the remote peer is given with the set peer command and the transform-set is binded with the map as well. - Link the extended ACL to the crypto map. The ACL defines which traffic will be encrypted and sent through the VPN tunnel. In this case all traffic is being allowed. - The ACL is extended to run for gre and allows communication with any neighbors. - Lastly, we bind the crypto map to the physical interface gige0/0.
Same thing on R4.
R4# crypto isakmp policy 10 encr aes authentication pre-share group 2 ! crypto isakmp key ciscokey address 0.0.0.0 ! crypto ipsec transform-set CISCOT esp-aes esp-sha-hmac mode transport ! crypto map VPN 10 ipsec-isakmp set peer 198.0.2.1 set transform-set CISCOT match address GRE-IN-IPSEC ! interface GigabitEthernet0/0 crypto map VPN !
Verification:
To check the phase one tunnel we use the show crypto isakmp sa command. To check the phase two tunnel we use the show crypto ipsec sa command.
In conclusion, we set up an ISAKMP instance for authentication. We state that the encryption algorithm we will use for this instance is AES (Advanced Encryption Standard) and both peers will use a one shared key and assign it to diffie-hellman group 2. We later gave it the key “ciscokey” and assigned it to any address using 0.0.0.0. After all this, we create an IPSec transform-set using AES as the encryption algorithm and SHA-HMAC (Secure Hash Algorithm Hash-based Message Authentication Code). We set the mode as transport which is the not so secure mode since the headers are not encrypted only the payload is. After all this we finally bind them together into a map and state that it will use IPSec and ISAKMP. We assign the peer on the other end and attach the transform-set we created for IPSec. Lastly, the map is configured with an extended ACL which is configured so anyone on the gre network can talk.
