This post was last edited by 碧云天 on 2020-2-11 15:37.
I. Test topology
Test summary:
1. With statically configured EIGRP neighbors, unicast EIGRP packets can cross the transparent firewall from the high-security zone to the low-security zone, but unlike RIP unicast packets they cannot cross from the low-security zone to the high-security zone.
2. By default, EIGRP Hello and Query packets are multicast, while Update, Reply and Ack packets are unicast.
3. With the ASA in transparent mode and no static EIGRP neighbors configured, both the inside and the outside interface must permit unicast EIGRP packets as well as multicast EIGRP packets to 224.0.0.10.
II. Basic configuration
1. R1 router
interface Loopback0
ip address 1.1.1.1 255.255.255.0
interface FastEthernet0/0
ip address 12.1.1.1 255.255.255.0
no shutdown
2. ASA firewall
firewall transparent
interface Ethernet0
bridge-group 1
nameif inside
security-level 100
no shutdown
interface Ethernet1
bridge-group 1
nameif outside
security-level 0
no shutdown
interface BVI1
ip address 12.1.1.10 255.255.255.0
3. R2 router
interface Loopback0
ip address 2.2.2.2 255.255.255.0
interface FastEthernet0/0
ip address 12.1.1.2 255.255.255.0
no shutdown
III. EIGRP configuration
1. R1 router
router eigrp 10
network 1.1.1.1 0.0.0.0
network 12.1.1.1 0.0.0.0
passive-interface Loopback0
no auto-summary
key chain R1
key 1
key-string Cisc0123
interface FastEthernet0/0
ip authentication mode eigrp 10 md5
ip authentication key-chain eigrp 10 R1
2. R2 router
router eigrp 10
network 2.2.2.2 0.0.0.0
network 12.1.1.2 0.0.0.0
passive-interface Loopback0
no auto-summary
key chain R2
key 1
key-string Cisc0123
interface FastEthernet0/0
ip authentication mode eigrp 10 md5
ip authentication key-chain eigrp 10 R2
IV. Test: EIGRP unicast updates can only cross the transparent firewall from the high-security zone to the low-security zone
1. By default, multicast traffic cannot cross the transparent firewall, so on R2 only sent packets show up in the debug output and no received ones.
R1#debug eigrp packets all
EIGRP Packet debugging is on
R1#
*Feb 11 05:34:32.175: EIGRP: Sending HELLO on Fa0/0 - paklen 60
*Feb 11 05:34:32.175: AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Feb 11 05:34:36.619: EIGRP: Sending HELLO on Fa0/0 - paklen 60
*Feb 11 05:34:36.619: AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Feb 11 05:34:41.059: EIGRP: Sending HELLO on Fa0/0 - paklen 60
*Feb 11 05:34:41.059: AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
2. Configure EIGRP unicast updates
① R1 router
router eigrp 10
neighbor 12.1.1.2 FastEthernet 0/0
② R2 router
router eigrp 10
neighbor 12.1.1.1 FastEthernet 0/0
③ On R2 the adjacency comes up, but it drops again shortly afterwards:
R2(config-router)#
*Feb 11 05:37:58.351: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 12.1.1.1 (FastEthernet0/0) is up: new adjacency
R2(config-router)#end
R2#show i
*Feb 11 05:39:03.483: %SYS-5-CONFIG_I: Configured from console by consolep
R2#show ip ei
R2#show ip eigrp nei
R2#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(10)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 12.1.1.1 Fa0/0 13 00:01:10 1 5000 1 0
R2#
*Feb 11 05:39:17.867: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 12.1.1.1 (FastEthernet0/0) is down: retry limit exceeded
*Feb 11 05:39:21.087: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 12.1.1.1 (FastEthernet0/0) is up: new adjacency
④ Debug on R1 shows only Hello packets being sent and none received:
R1#debug eigrp packets
(UPDATE, REQUEST, QUERY, REPLY, HELLO, UNKNOWN, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
EIGRP Packet debugging is on
R1#
*Feb 11 05:44:26.259: EIGRP: Sending HELLO on Fa0/0 - paklen 60 nbr 12.1.1.2
*Feb 11 05:44:26.259: AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Feb 11 05:44:30.531: EIGRP: Sending HELLO on Fa0/0 - paklen 60 nbr 12.1.1.2
*Feb 11 05:44:30.531: AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Feb 11 05:44:35.223: EIGRP: Sending HELLO on Fa0/0 - paklen 60 nbr 12.1.1.2
*Feb 11 05:44:35.223: AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
⑤ Debug on R2 shows that Hello packets are received:
R2#debug eigrp packets
(UPDATE, REQUEST, QUERY, REPLY, HELLO, UNKNOWN, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
EIGRP Packet debugging is on
R2#
*Feb 11 05:45:12.471: EIGRP: received packet with MD5 authentication, key id = 1
*Feb 11 05:45:12.471: EIGRP: Received HELLO on Fa0/0 - paklen 60 nbr 12.1.1.1
*Feb 11 05:45:12.471: AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1
*Feb 11 05:45:13.255: EIGRP: Sending HELLO on Fa0/0 - paklen 60 nbr 12.1.1.1
*Feb 11 05:45:13.255: AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Feb 11 05:45:13.687: EIGRP: Sending UPDATE on Fa0/0 - paklen 40 nbr 12.1.1.1, retry 6, RTO 5000 tid 0
*Feb 11 05:45:13.687: AS 10, Flags 0x1:(INIT), Seq 6/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1
*Feb 11 05:45:16.791: EIGRP: received packet with MD5 authentication, key id = 1
*Feb 11 05:45:16.791: EIGRP: Received HELLO on Fa0/0 - paklen 60 nbr 12.1.1.1
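As an added example (not part of the original post), a small Python script that parses the `debug eigrp packets` and %DUAL-5-NBRCHANGE lines shown above and flags the two symptoms of steps ③ to ⑤: one-way hellos, and reliable updates being retried without acknowledgement until the neighbor drops with "retry limit exceeded". The regular expressions and thresholds are my assumptions derived from the output on this page, not a Cisco-documented format.

```python
import re
from collections import Counter, defaultdict

# Line shapes from "debug eigrp packets" and %DUAL-5-NBRCHANGE syslog output as shown in the lab.
PKT_RE = re.compile(r"EIGRP: (Sending|Received) (\w+) on (\S+)(?: - paklen \d+)?(?: nbr (\d+\.\d+\.\d+\.\d+))?")
RETRY_RE = re.compile(r"\bretry (\d+)")
NBR_RE = re.compile(r"%DUAL-5-NBRCHANGE: .*Neighbor (\d+\.\d+\.\d+\.\d+) \((\S+)\) is (up|down)(?:: (.*))?")

def analyze(lines, retry_warn=3):
    """Return findings: one-way hellos, unacknowledged (retried) updates, neighbor down events."""
    counts = defaultdict(Counter)     # (intf, nbr) -> Counter({(direction, type): n})
    max_retry = defaultdict(int)      # (intf, nbr) -> highest "retry N" seen on a sent packet
    transitions = defaultdict(list)   # (intf, nbr) -> [(state, reason), ...]
    for line in lines:
        m = PKT_RE.search(line)
        if m:
            direction, ptype, intf, nbr = m.groups()
            key = (intf, nbr or "224.0.0.10")   # no "nbr" field: packet went to the multicast group
            counts[key][(direction, ptype)] += 1
            r = RETRY_RE.search(line)
            if r and direction == "Sending":
                max_retry[key] = max(max_retry[key], int(r.group(1)))
            continue
        m = NBR_RE.search(line)
        if m:
            nbr, intf, state, reason = m.groups()
            transitions[(intf, nbr)].append((state, (reason or "").strip()))
    findings = []
    for (intf, nbr), c in counts.items():
        sent, recv = c[("Sending", "HELLO")], c[("Received", "HELLO")]
        if sent >= 2 and recv == 0:   # we keep sending hellos to a peer that never answers: likely filtered
            findings.append(f"one-way hello to {nbr} on {intf}: {sent} sent, 0 received")
    for (intf, nbr), n in max_retry.items():
        if n >= retry_warn:           # reliable packets are being retransmitted: acks are not coming back
            findings.append(f"unacknowledged updates to {nbr} on {intf}: retry {n}")
    for (intf, nbr), tr in transitions.items():
        downs = [reason for state, reason in tr if state == "down"]
        if downs:
            findings.append(f"neighbor {nbr} on {intf} went down {len(downs)}x: {downs[-1]}")
    return findings

# Constructed sample input copied from the R1 (step ④) and R2 (steps ③ and ⑤) output above.
R1_DEBUG = [
    "*Feb 11 05:44:26.259: EIGRP: Sending HELLO on Fa0/0 - paklen 60 nbr 12.1.1.2",
    "*Feb 11 05:44:30.531: EIGRP: Sending HELLO on Fa0/0 - paklen 60 nbr 12.1.1.2",
]
R2_DEBUG = [
    "*Feb 11 05:39:17.867: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 12.1.1.1 (FastEthernet0/0) is down: retry limit exceeded",
    "*Feb 11 05:39:21.087: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 12.1.1.1 (FastEthernet0/0) is up: new adjacency",
    "*Feb 11 05:45:12.471: EIGRP: Received HELLO on Fa0/0 - paklen 60 nbr 12.1.1.1",
    "*Feb 11 05:45:13.687: EIGRP: Sending UPDATE on Fa0/0 - paklen 40 nbr 12.1.1.1, retry 6, RTO 5000 tid 0",
]
```

Running `analyze(R1_DEBUG)` reports the one-way hello, and `analyze(R2_DEBUG)` reports both the retried update and the "retry limit exceeded" drop, which together point at the outside-to-inside direction being blocked.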
⑥ Permit policy on the ASA outside interface:
access-list Outside-eigrp extended permit eigrp host 12.1.1.2 host 12.1.1.1
access-group Outside-eigrp in interface outside
⑦ R1 and R2 now learn each other's routes normally:
R1#show ip route eigrp | begin Gate
Gateway of last resort is not set
2.0.0.0/24 is subnetted, 1 subnets
D 2.2.2.0 [90/156160] via 12.1.1.2, 00:00:16, FastEthernet0/0
R1#
R2#show ip route eigrp | begin Gate
Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets
D 1.1.1.0 [90/156160] via 12.1.1.1, 00:01:14, FastEthernet0/0
R2#
V. Test: ACLs that must be permitted for EIGRP multicast to cross the transparent firewall
1. A packet capture shows that EIGRP sends not only multicast packets but unicast packets as well.
2. Firewall permit policy:
access-list Inside-eigrp extended permit eigrp host 12.1.1.1 host 224.0.0.10
access-list Inside-eigrp extended permit eigrp host 12.1.1.1 host 12.1.1.2
access-list Outside-eigrp extended permit eigrp host 12.1.1.2 host 224.0.0.10
access-list Outside-eigrp extended permit eigrp host 12.1.1.2 host 12.1.1.1
access-group Inside-eigrp in interface inside
access-group Outside-eigrp in interface outside
3. R1 and R2 learn each other's routes normally:
R1#show ip route eigrp | begin Gate
Gateway of last resort is not set
2.0.0.0/24 is subnetted, 1 subnets
D 2.2.2.0 [90/156160] via 12.1.1.2, 00:00:16, FastEthernet0/0
R1#
R2#show ip route eigrp | begin Gate
Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets
D 1.1.1.0 [90/156160] via 12.1.1.1, 00:01:14, FastEthernet0/0
R2#