碧云天 (Spotlight)
This post was last edited by 碧云天 on 2020-2-11 15:37
I. Test topology
[image: test topology diagram (original attachment not reproduced)]
Test summary:
1. With EIGRP neighbors statically configured on both sides, unicast packets can cross the transparent firewall from the high-security zone to the low-security zone, but unlike RIP unicast packets they cannot go from the low-security zone to the high-security zone
2. By default, EIGRP Hello and Query packets are multicast, while Update, Reply and Ack packets are unicast
3. With the ASA in transparent mode and no static neighbors configured, both the inside and outside interfaces must permit EIGRP unicast packets and multicast packets to 224.0.0.10
II. Basic configuration
1. Router R1

interface Loopback0
ip address 1.1.1.1 255.255.255.0
interface FastEthernet0/0
ip address 12.1.1.1 255.255.255.0
no shutdown
2. ASA firewall
firewall transparent
interface Ethernet0
bridge-group 1
nameif inside
security-level 100
no shutdown
interface Ethernet1
bridge-group 1
nameif outside
security-level 0
no shutdown
interface BVI1
ip address 12.1.1.10 255.255.255.0
3. Router R2
interface Loopback0
ip address 2.2.2.2 255.255.255.0
interface FastEthernet0/0
ip address 12.1.1.2 255.255.255.0
no shutdown
III. Configuring EIGRP
1. Router R1

router eigrp 10
network 1.1.1.1 0.0.0.0
network 12.1.1.1 0.0.0.0
passive-interface Loopback0
no auto-summary
key chain R1
key 1
key-string Cisc0123
interface FastEthernet0/0
ip authentication mode eigrp 10 md5
ip authentication key-chain eigrp 10 R1
2. Router R2
router eigrp 10
network 2.2.2.2 0.0.0.0
network 12.1.1.2 0.0.0.0
passive-interface Loopback0
no auto-summary
key chain R2
key 1
key-string Cisc0123
interface FastEthernet0/0
ip authentication mode eigrp 10 md5
ip authentication key-chain eigrp 10 R2
IV. Test: EIGRP unicast updates can only cross the transparent firewall from the high-security zone to the low-security zone
1. By default, multicast traffic cannot cross the transparent firewall, so the debug on R2 shows only packets being sent and no log entries for packets received

R1#debug eigrp packets all
EIGRP Packet debugging is on
R1#
*Feb 11 05:34:32.175: EIGRP: Sending HELLO on Fa0/0 - paklen 60
*Feb 11 05:34:32.175: AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Feb 11 05:34:36.619: EIGRP: Sending HELLO on Fa0/0 - paklen 60
*Feb 11 05:34:36.619: AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Feb 11 05:34:41.059: EIGRP: Sending HELLO on Fa0/0 - paklen 60
*Feb 11 05:34:41.059: AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
2. Configure EIGRP unicast updates
① Router R1
router eigrp 10
neighbor 12.1.1.2 FastEthernet 0/0
② Router R2
router eigrp 10
neighbor 12.1.1.1 FastEthernet 0/0
③ R2 can bring up the neighbor adjacency, but it drops again very quickly
R2(config-router)#
*Feb 11 05:37:58.351: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 12.1.1.1 (FastEthernet0/0) is up: new adjacency
R2(config-router)#end
R2#show i
*Feb 11 05:39:03.483: %SYS-5-CONFIG_I: Configured from console by consolep
R2#show ip ei
R2#show ip eigrp nei
R2#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(10)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 12.1.1.1 Fa0/0 13 00:01:10 1 5000 1 0
R2#
*Feb 11 05:39:17.867: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 12.1.1.1 (FastEthernet0/0) is down: retry limit exceeded
*Feb 11 05:39:21.087: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 12.1.1.1 (FastEthernet0/0) is up: new adjacency
④ The debug on R1 shows that only Hello packets are sent; no Hello packets are received
R1#debug eigrp packets
(UPDATE, REQUEST, QUERY, REPLY, HELLO, UNKNOWN, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
EIGRP Packet debugging is on
R1#
*Feb 11 05:44:26.259: EIGRP: Sending HELLO on Fa0/0 - paklen 60 nbr 12.1.1.2
*Feb 11 05:44:26.259: AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Feb 11 05:44:30.531: EIGRP: Sending HELLO on Fa0/0 - paklen 60 nbr 12.1.1.2
*Feb 11 05:44:30.531: AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Feb 11 05:44:35.223: EIGRP: Sending HELLO on Fa0/0 - paklen 60 nbr 12.1.1.2
*Feb 11 05:44:35.223: AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
⑤ The debug on R2 shows that Hello packets are received
R2#debug eigrp packets
(UPDATE, REQUEST, QUERY, REPLY, HELLO, UNKNOWN, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
EIGRP Packet debugging is on
R2#
*Feb 11 05:45:12.471: EIGRP: received packet with MD5 authentication, key id = 1
*Feb 11 05:45:12.471: EIGRP: Received HELLO on Fa0/0 - paklen 60 nbr 12.1.1.1
*Feb 11 05:45:12.471: AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1
*Feb 11 05:45:13.255: EIGRP: Sending HELLO on Fa0/0 - paklen 60 nbr 12.1.1.1
*Feb 11 05:45:13.255: AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Feb 11 05:45:13.687: EIGRP: Sending UPDATE on Fa0/0 - paklen 40 nbr 12.1.1.1, retry 6, RTO 5000 tid 0
*Feb 11 05:45:13.687: AS 10, Flags 0x1:(INIT), Seq 6/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1
*Feb 11 05:45:16.791: EIGRP: received packet with MD5 authentication, key id = 1
*Feb 11 05:45:16.791: EIGRP: Received HELLO on Fa0/0 - paklen 60 nbr 12.1.1.1
⑥ Apply a permit policy on the ASA outside interface
access-list Outside-eigrp extended permit eigrp host 12.1.1.2 host 12.1.1.1
access-group Outside-eigrp in interface outside
⑦ R1 and R2 now learn each other's routes normally
R1#show ip route eigrp | begin Gate
Gateway of last resort is not set
2.0.0.0/24 is subnetted, 1 subnets
D 2.2.2.0 [90/156160] via 12.1.1.2, 00:00:16, FastEthernet0/0
R1#
R2#show ip route eigrp | begin Gate
Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets
D 1.1.1.0 [90/156160] via 12.1.1.1, 00:01:14, FastEthernet0/0
R2#
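The asymmetry in steps ④ and ⑤ (R1 only sends Hellos, R2 both sends and receives) is what a one-directional firewall policy looks like in `debug eigrp packets` output. As an added example that is not part of the original post, the following Python script tallies the direction and type of EIGRP packets per neighbor from such debug lines and flags neighbors to which Hellos are sent but from which none arrive. The sample input is copied from the debug output shown above; the regular expression and the function names are this example's own assumptions about the IOS debug line format.

```python
"""Tally packet direction in Cisco IOS `debug eigrp packets` output.

Added example, not from the post: it parses debug lines of the form
"EIGRP: Sending HELLO on Fa0/0 - paklen 60 nbr 12.1.1.2" and reports,
per neighbor, how many packets of each type were sent versus received.
A neighbor that only ever appears in "Sending HELLO" lines is a sign that
the return path is being filtered (here: by the transparent ASA).
"""
import re
from collections import Counter

# Assumed line format; the "nbr" suffix is absent for multicast Hellos.
DEBUG_RE = re.compile(
    r"EIGRP: (?P<dir>Sending|Received) (?P<type>[A-Z]+) on (?P<iface>\S+)"
    r" - paklen (?P<len>\d+)(?: nbr (?P<nbr>[\d.]+))?"
)

# Sample input constructed from the R1 debug shown in step ④.
R1_DEBUG = """\
*Feb 11 05:44:26.259: EIGRP: Sending HELLO on Fa0/0 - paklen 60 nbr 12.1.1.2
*Feb 11 05:44:26.259: AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Feb 11 05:44:30.531: EIGRP: Sending HELLO on Fa0/0 - paklen 60 nbr 12.1.1.2
*Feb 11 05:44:30.531: AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Feb 11 05:44:35.223: EIGRP: Sending HELLO on Fa0/0 - paklen 60 nbr 12.1.1.2
*Feb 11 05:44:35.223: AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
"""

# Sample input constructed from the R2 debug shown in step ⑤.
R2_DEBUG = """\
*Feb 11 05:45:12.471: EIGRP: received packet with MD5 authentication, key id = 1
*Feb 11 05:45:12.471: EIGRP: Received HELLO on Fa0/0 - paklen 60 nbr 12.1.1.1
*Feb 11 05:45:12.471: AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1
*Feb 11 05:45:13.255: EIGRP: Sending HELLO on Fa0/0 - paklen 60 nbr 12.1.1.1
*Feb 11 05:45:13.255: AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Feb 11 05:45:13.687: EIGRP: Sending UPDATE on Fa0/0 - paklen 40 nbr 12.1.1.1, retry 6, RTO 5000 tid 0
*Feb 11 05:45:13.687: AS 10, Flags 0x1:(INIT), Seq 6/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1
*Feb 11 05:45:16.791: EIGRP: received packet with MD5 authentication, key id = 1
*Feb 11 05:45:16.791: EIGRP: Received HELLO on Fa0/0 - paklen 60 nbr 12.1.1.1
"""


def tally(debug_text):
    """Return a Counter keyed by (neighbor, direction, packet type).

    Multicast Hellos carry no "nbr" field and are keyed as "multicast".
    """
    counts = Counter()
    for line in debug_text.splitlines():
        m = DEBUG_RE.search(line)
        if m:
            nbr = m["nbr"] or "multicast"
            counts[(nbr, m["dir"], m["type"])] += 1
    return counts


def one_way_neighbors(counts):
    """Neighbors to which HELLOs were sent but from which none were received."""
    sent = {n for (n, d, t) in counts if d == "Sending" and t == "HELLO"}
    received = {n for (n, d, t) in counts if d == "Received" and t == "HELLO"}
    return sorted(sent - received)


if __name__ == "__main__":
    for name, text in (("R1", R1_DEBUG), ("R2", R2_DEBUG)):
        counts = tally(text)
        print(name, dict(counts))
        print(name, "one-way hello toward:", one_way_neighbors(counts))
```

Run against R1's debug the script reports 12.1.1.2 as a one-way neighbor; against R2's debug it reports none, matching what the two routers show above.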
V. Test: the ACLs that must be permitted for EIGRP multicast to cross the transparent firewall
1. A packet capture shows that EIGRP uses not only multicast packets but also unicast packets
[image: packet capture of the EIGRP traffic (original attachment not reproduced)]
2. Firewall permit policy
access-list Inside-eigrp extended permit eigrp host 12.1.1.1 host 224.0.0.10
access-list Inside-eigrp extended permit eigrp host 12.1.1.1 host 12.1.1.2
access-list Outside-eigrp extended permit eigrp host 12.1.1.2 host 224.0.0.10
access-list Outside-eigrp extended permit eigrp host 12.1.1.2 host 12.1.1.1
access-group Inside-eigrp in interface inside
access-group Outside-eigrp in interface outside
3. R1 and R2 learn each other's routes normally
R1#show ip route eigrp | begin Gate
Gateway of last resort is not set
2.0.0.0/24 is subnetted, 1 subnets
D 2.2.2.0 [90/156160] via 12.1.1.2, 00:00:16, FastEthernet0/0
R1#
R2#show ip route eigrp | begin Gate
Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets
D 1.1.1.0 [90/156160] via 12.1.1.1, 00:01:14, FastEthernet0/0
R2#
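To make the difference between the step ⑥ policy (outside ACL only, static neighbors) and the full policy in section V explicit, here is an added Python model that is not part of the post or of any Cisco tool. It parses the ASA `access-list` / `access-group` lines exactly as written above and applies the two default behaviours the post relies on: unicast from a higher security-level interface to a lower one passes when no ACL is bound inbound on the ingress interface, and multicast is dropped unless an ACL explicitly permits it. It models only the two lab interfaces and the `host ... host ...` ACE form used in the post; the function names and the flow labels are this example's own assumptions.

```python
"""Model of how the transparent ASA in this lab treats EIGRP packets.

Added example (not the post's code, not an ASA feature): it reads the ASA
ACL lines from the post and decides, for each EIGRP flow in the lab, whether
the firewall forwards it. Two default behaviours from the post are encoded:
  * unicast from a higher security level to a lower one is permitted when no
    inbound ACL is bound on the ingress interface;
  * multicast (224.0.0.0/4) is dropped unless an ACL explicitly permits it.
Interface names and security levels are taken from the post's configuration.
"""
import ipaddress
import re
from collections import defaultdict

# Interface security levels from the post's ASA configuration.
SECURITY_LEVEL = {"inside": 100, "outside": 0}

# Only the "host A host B" ACE form used in the post is modelled (assumption).
ACE_RE = re.compile(
    r"access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+)"
    r" host (?P<src>\S+) host (?P<dst>\S+)"
)
GROUP_RE = re.compile(r"access-group (?P<name>\S+) in interface (?P<iface>\S+)")

# The step ⑥ policy: unicast permitted inbound on outside only.
OUTSIDE_UNICAST_ONLY = """\
access-list Outside-eigrp extended permit eigrp host 12.1.1.2 host 12.1.1.1
access-group Outside-eigrp in interface outside
"""

# The section V policy: unicast and multicast permitted on both interfaces.
FULL_POLICY = """\
access-list Inside-eigrp extended permit eigrp host 12.1.1.1 host 224.0.0.10
access-list Inside-eigrp extended permit eigrp host 12.1.1.1 host 12.1.1.2
access-list Outside-eigrp extended permit eigrp host 12.1.1.2 host 224.0.0.10
access-list Outside-eigrp extended permit eigrp host 12.1.1.2 host 12.1.1.1
access-group Inside-eigrp in interface inside
access-group Outside-eigrp in interface outside
"""

# The four EIGRP flows seen in the lab: (label, ingress, egress, src, dst).
EIGRP_FLOWS = [
    ("R1 multicast hello", "inside", "outside", "12.1.1.1", "224.0.0.10"),
    ("R1 unicast", "inside", "outside", "12.1.1.1", "12.1.1.2"),
    ("R2 multicast hello", "outside", "inside", "12.1.1.2", "224.0.0.10"),
    ("R2 unicast", "outside", "inside", "12.1.1.2", "12.1.1.1"),
]


def parse_asa(config_text):
    """Return ({acl_name: [(action, proto, src, dst), ...]}, {iface: acl_name})."""
    acls = defaultdict(list)
    bindings = {}
    for line in config_text.splitlines():
        line = line.strip()
        m = ACE_RE.match(line)
        if m:
            acls[m["name"]].append((m["action"], m["proto"], m["src"], m["dst"]))
            continue
        m = GROUP_RE.match(line)
        if m:
            bindings[m["iface"]] = m["name"]
    return dict(acls), bindings


def is_permitted(acls, bindings, ingress, egress, proto, src, dst):
    """Decide whether a packet entering `ingress` and leaving `egress` passes."""
    acl_name = bindings.get(ingress)
    if acl_name is not None:
        # An inbound ACL replaces the implicit policy: first match wins,
        # with an implicit deny at the end.
        for action, p, s, d in acls.get(acl_name, []):
            if p == proto and s == src and d == dst:
                return action == "permit"
        return False
    if ipaddress.ip_address(dst).is_multicast:
        return False  # no ACL bound: multicast does not cross the transparent firewall
    return SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]


def evaluate(config_text):
    """Map each lab flow label to True (forwarded) or False (dropped)."""
    acls, bindings = parse_asa(config_text)
    return {
        label: is_permitted(acls, bindings, ingress, egress, "eigrp", src, dst)
        for label, ingress, egress, src, dst in EIGRP_FLOWS
    }


if __name__ == "__main__":
    print("step 6 policy :", evaluate(OUTSIDE_UNICAST_ONLY))
    print("section V    :", evaluate(FULL_POLICY))
```

With the step ⑥ policy only the two unicast flows pass, which is why the static-neighbor configuration works there while multicast Hellos still never cross; with the section V policy all four flows pass, which is the state the post's summary point 3 describes.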
Comments
one-time (Level 13)
Thanks for sharing, thank you~
robortlin (Spotlight)
Thanks for sharing, thank you~
Tony Luo (Level 1)
Thanks for sharing, studying it
likuo (Spotlight)
Nice test.