[Original] Testing EIGRP neighbor establishment across an ASA transparent firewall

Posted 2020-2-11 12:22:10
This post was last edited by 碧云天 on 2020-2-11 15:37

I. Test topology

Test summary:
1. EIGRP unicast packets between explicitly configured neighbors can reach the low security zone from the high security zone through the transparent firewall, but unlike RIP unicast packets they cannot get from the low security zone to the high security zone.
2. By default, EIGRP Hello and Query packets are multicast; Update, Reply and Ack packets are unicast.
3. With the ASA in transparent mode and no explicitly configured neighbors, both Inside and Outside must permit unicast EIGRP packets and multicast EIGRP packets to 224.0.0.10.
II. Basic configuration
1. R1 router

interface Loopback0
    ip address 1.1.1.1 255.255.255.0
interface FastEthernet0/0
    ip address 12.1.1.1 255.255.255.0
    no shutdown
2. ASA firewall
firewall transparent
interface Ethernet0
    bridge-group 1
    nameif inside
    security-level 100
    no shutdown
interface Ethernet1
    bridge-group 1
    nameif outside
    security-level 0
    no shutdown
interface BVI1
    ip address 12.1.1.10 255.255.255.0
3. R2 router
interface Loopback0
    ip address 2.2.2.2 255.255.255.0
interface FastEthernet0/0
    ip address 12.1.1.2 255.255.255.0
    no shutdown
III. EIGRP configuration
1. R1 router

router eigrp 10
    network 1.1.1.1 0.0.0.0
    network 12.1.1.1 0.0.0.0
    passive-interface Loopback0
    no auto-summary
key chain R1
    key 1
      key-string Cisc0123
interface FastEthernet0/0
    ip authentication mode eigrp 10 md5
    ip authentication key-chain eigrp 10 R1
2. R2 router
router eigrp 10
    network 2.2.2.2 0.0.0.0
    network 12.1.1.2 0.0.0.0
    passive-interface Loopback0
    no auto-summary
key chain R2
    key 1
      key-string Cisc0123
interface FastEthernet0/0
    ip authentication mode eigrp 10 md5
    ip authentication key-chain eigrp 10 R2
IV. Testing that EIGRP unicast updates can only cross the transparent firewall from the high security zone to the low security zone
1. By default multicast traffic cannot cross the transparent firewall, so on R2 only sending entries appear in the log and no receiving entries

R1#debug eigrp packets all

EIGRP Packet debugging is on
R1#
*Feb 11 05:34:32.175: EIGRP: Sending HELLO on Fa0/0 - paklen 60
*Feb 11 05:34:32.175:   AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Feb 11 05:34:36.619: EIGRP: Sending HELLO on Fa0/0 - paklen 60
*Feb 11 05:34:36.619:   AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Feb 11 05:34:41.059: EIGRP: Sending HELLO on Fa0/0 - paklen 60
*Feb 11 05:34:41.059:   AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
2. Configure EIGRP unicast updates
① R1 router
router eigrp 10
    neighbor 12.1.1.2 FastEthernet 0/0
② R2 router
router eigrp 10
    neighbor 12.1.1.1 FastEthernet 0/0
③ On R2 the neighbor comes up, but drops again soon afterward
R2(config-router)#
*Feb 11 05:37:58.351: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 12.1.1.1 (FastEthernet0/0) is up: new adjacency
R2(config-router)#end
R2#show i
*Feb 11 05:39:03.483: %SYS-5-CONFIG_I: Configured from console by consolep
R2#show ip ei
R2#show ip eigrp nei
R2#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(10)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   12.1.1.1                Fa0/0                    13 00:01:10    1  5000  1  0
R2#
*Feb 11 05:39:17.867: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 12.1.1.1 (FastEthernet0/0) is down: retry limit exceeded
*Feb 11 05:39:21.087: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 12.1.1.1 (FastEthernet0/0) is up: new adjacency
④ The R1 debug shows only Hello packets being sent, none received
R1#debug eigrp packets
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, UNKNOWN, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
EIGRP Packet debugging is on
R1#
*Feb 11 05:44:26.259: EIGRP: Sending HELLO on Fa0/0 - paklen 60 nbr 12.1.1.2
*Feb 11 05:44:26.259:   AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Feb 11 05:44:30.531: EIGRP: Sending HELLO on Fa0/0 - paklen 60 nbr 12.1.1.2
*Feb 11 05:44:30.531:   AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Feb 11 05:44:35.223: EIGRP: Sending HELLO on Fa0/0 - paklen 60 nbr 12.1.1.2
*Feb 11 05:44:35.223:   AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
⑤ The R2 debug shows Hello packets being received
R2#debug eigrp packets
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, UNKNOWN, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
EIGRP Packet debugging is on
R2#
*Feb 11 05:45:12.471: EIGRP: received packet with MD5 authentication, key id = 1
*Feb 11 05:45:12.471: EIGRP: Received HELLO on Fa0/0 - paklen 60 nbr 12.1.1.1
*Feb 11 05:45:12.471:   AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1
*Feb 11 05:45:13.255: EIGRP: Sending HELLO on Fa0/0 - paklen 60 nbr 12.1.1.1
*Feb 11 05:45:13.255:   AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Feb 11 05:45:13.687: EIGRP: Sending UPDATE on Fa0/0 - paklen 40 nbr 12.1.1.1, retry 6, RTO 5000 tid 0
*Feb 11 05:45:13.687:   AS 10, Flags 0x1:(INIT), Seq 6/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/1
*Feb 11 05:45:16.791: EIGRP: received packet with MD5 authentication, key id = 1
*Feb 11 05:45:16.791: EIGRP: Received HELLO on Fa0/0 - paklen 60 nbr 12.1.1.1
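The asymmetry in steps ④ and ⑤ (R1 only ever sends, R2 receives Hellos but its INIT Update keeps retrying) is easy to miss by eye in a long debug. The following added example, not part of the original post, reads the `debug eigrp packets` lines shown above from both consoles and flags the two symptoms: a router that sends Hellos but never receives one, and an Update that is being retransmitted without an Ack. The router-name prefix on each sample line is my own addition so that one parser can handle both captures; the regular expression models only the "Sending/Received ... on" lines and ignores the indented AS/flags continuation lines.

```python
import re
from collections import Counter

# Constructed sample: the R1 and R2 "debug eigrp packets" lines from this post,
# each prefixed with the router that printed it (the prefix is not IOS output).
SAMPLE_LOG = """\
R1 *Feb 11 05:44:26.259: EIGRP: Sending HELLO on Fa0/0 - paklen 60 nbr 12.1.1.2
R1 *Feb 11 05:44:30.531: EIGRP: Sending HELLO on Fa0/0 - paklen 60 nbr 12.1.1.2
R1 *Feb 11 05:44:35.223: EIGRP: Sending HELLO on Fa0/0 - paklen 60 nbr 12.1.1.2
R2 *Feb 11 05:45:12.471: EIGRP: Received HELLO on Fa0/0 - paklen 60 nbr 12.1.1.1
R2 *Feb 11 05:45:13.255: EIGRP: Sending HELLO on Fa0/0 - paklen 60 nbr 12.1.1.1
R2 *Feb 11 05:45:13.687: EIGRP: Sending UPDATE on Fa0/0 - paklen 40 nbr 12.1.1.1, retry 6, RTO 5000 tid 0
R2 *Feb 11 05:45:16.791: EIGRP: Received HELLO on Fa0/0 - paklen 60 nbr 12.1.1.1
"""

# Matches the first line of each debug record; the AS/Seq continuation line is ignored.
LINE_RE = re.compile(
    r"^(?P<router>\S+) \*[A-Za-z]+ \d+ [\d:.]+: EIGRP: "
    r"(?P<direction>Sending|Received) (?P<ptype>[A-Z-]+) on (?P<intf>\S+)"
    r" - paklen \d+(?: nbr (?P<nbr>[\d.]+))?(?:, retry (?P<retry>\d+))?"
)


def parse_line(line):
    """Return the fields of one debug record, or None for lines not modelled."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["retry"] = int(rec["retry"]) if rec["retry"] else 0
    return rec


def summarize(log_text):
    """Count sent/received packets per router and packet type, tracking the highest retry seen."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        r = summary.setdefault(
            rec["router"], {"sent": Counter(), "received": Counter(), "max_retry": 0}
        )
        bucket = "sent" if rec["direction"] == "Sending" else "received"
        r[bucket][rec["ptype"]] += 1
        r["max_retry"] = max(r["max_retry"], rec["retry"])
    return summary


def diagnose(summary):
    """Flag the two symptoms seen in this post: one-way Hello flow and unacknowledged Updates."""
    findings = []
    for router, s in sorted(summary.items()):
        if s["sent"]["HELLO"] and not s["received"]["HELLO"]:
            findings.append(
                f"{router}: sends HELLO but receives none; the path toward {router} is blocked"
            )
        if s["max_retry"] > 0:
            findings.append(
                f"{router}: UPDATE retransmitted (retry {s['max_retry']}) without ACK; "
                "the adjacency will drop on 'retry limit exceeded'"
            )
    return findings


if __name__ == "__main__":
    for finding in diagnose(summarize(SAMPLE_LOG)):
        print(finding)
```

Both findings point at the same cause the post arrives at in step ⑥: the firewall passes EIGRP from inside to outside but not the reverse, so R2's Hellos and the Ack for its Update never reach R1.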
⑥ Permit policy on the ASA outside interface
access-list Outside-eigrp extended permit eigrp host 12.1.1.2 host 12.1.1.1
access-group Outside-eigrp in interface outside
⑦ R1 and R2 learn each other's routes normally
R1#show ip route eigrp | begin Gate
Gateway of last resort is not set

      2.0.0.0/24 is subnetted, 1 subnets
D        2.2.2.0 [90/156160] via 12.1.1.2, 00:00:16, FastEthernet0/0
R1#


R2#show ip route eigrp | begin Gate
Gateway of last resort is not set

      1.0.0.0/24 is subnetted, 1 subnets
D        1.1.1.0 [90/156160] via 12.1.1.1, 00:01:14, FastEthernet0/0
R2#
V. Testing which ACLs must be permitted for EIGRP multicast to cross the transparent firewall
1. A packet capture shows that EIGRP uses not only multicast packets but also unicast packets

2. Firewall permit policy
access-list Inside-eigrp extended permit eigrp host 12.1.1.1 host 224.0.0.10
access-list Inside-eigrp extended permit eigrp host 12.1.1.1 host 12.1.1.2
access-list Outside-eigrp extended permit eigrp host 12.1.1.2 host 224.0.0.10
access-list Outside-eigrp extended permit eigrp host 12.1.1.2 host 12.1.1.1
access-group Inside-eigrp in interface inside
access-group Outside-eigrp in interface outside
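Step 1 observes from a capture that EIGRP is both multicast and unicast, and step 2 writes the four ACEs by hand. The following added example, which is not part of the original post, shows where those four lines come from: it decodes the fixed EIGRP header (RFC 7868 layout: version, opcode, checksum, flags, sequence, acknowledgement, virtual router id, AS) from constructed packets on the R1-ASA-R2 segment, classifies each as multicast (to 224.0.0.10) or unicast, and derives the ASA ACE per ingress interface in the same syntax the post uses. The capture itself is constructed (header-only packets with a zero checksum, which the parser does not verify), and the ACL names Inside-eigrp/Outside-eigrp and the inside host set are taken from this post.

```python
import struct

# EIGRP is IP protocol 88; its link-local multicast group is 224.0.0.10.
EIGRP_PROTO = 88
EIGRP_MCAST = "224.0.0.10"

# Fixed 20-byte EIGRP header: version, opcode, checksum, flags, sequence,
# acknowledgement, virtual router id, autonomous system number.
HDR = struct.Struct("!BBHIIIHH")
OPCODES = {1: "UPDATE", 2: "REQUEST", 3: "QUERY", 4: "REPLY", 5: "HELLO",
           10: "SIAQUERY", 11: "SIAREPLY"}
FLAGS = {0x1: "INIT", 0x2: "CR", 0x4: "RS", 0x8: "EOT"}


def parse_eigrp_header(payload):
    """Decode the fixed header. The checksum is not verified in this example."""
    if len(payload) < HDR.size:
        raise ValueError("payload shorter than EIGRP header")
    version, opcode, _csum, flags, seq, ack, _vrid, asn = HDR.unpack_from(payload)
    if version != 2:
        raise ValueError(f"unsupported EIGRP header version {version}")
    ptype = OPCODES.get(opcode, "UNKNOWN")
    # An Ack is a Hello that carries an acknowledgement number and no TLVs.
    if ptype == "HELLO" and ack != 0 and len(payload) == HDR.size:
        ptype = "ACK"
    return {"type": ptype, "flags": [n for b, n in FLAGS.items() if flags & b],
            "seq": seq, "ack": ack, "as": asn}


def classify_packet(src, dst, proto, payload):
    """Return the decoded packet with its addressing, or None for non-EIGRP traffic."""
    if proto != EIGRP_PROTO:
        return None
    pkt = parse_eigrp_header(payload)
    pkt.update(src=src, dst=dst, multicast=(dst == EIGRP_MCAST))
    return pkt


def required_aces(packets, inside_hosts):
    """Derive the ASA ACEs (syntax as in this post) that permit each observed flow,
    grouped by the interface on which the ASA receives it."""
    aces = {"inside": set(), "outside": set()}
    for p in packets:
        intf = "inside" if p["src"] in inside_hosts else "outside"
        acl = "Inside-eigrp" if intf == "inside" else "Outside-eigrp"
        aces[intf].add(
            f"access-list {acl} extended permit eigrp host {p['src']} host {p['dst']}"
        )
    return {k: sorted(v) for k, v in aces.items()}


def build_packet(opcode, flags=0, seq=0, ack=0, asn=10):
    """Constructed test packet: header only, checksum left at zero."""
    return HDR.pack(2, opcode, 0, flags, seq, ack, 0, asn)


# Constructed capture mirroring the exchange in this post: multicast Hellos from
# both routers, R2's unicast INIT Update (seq 6, as in the R2 debug) and R1's Ack.
CAPTURE = [
    ("12.1.1.1", EIGRP_MCAST, 88, build_packet(5)),
    ("12.1.1.2", EIGRP_MCAST, 88, build_packet(5)),
    ("12.1.1.2", "12.1.1.1", 88, build_packet(1, flags=0x1, seq=6)),
    ("12.1.1.1", "12.1.1.2", 88, build_packet(5, ack=6)),
    ("12.1.1.1", "12.1.1.2", 17, b"\x00" * 8),  # UDP, not EIGRP: ignored
]


def eigrp_packets(capture=CAPTURE):
    """Decode every EIGRP packet in the capture, dropping other protocols."""
    return [p for p in (classify_packet(*f) for f in capture) if p is not None]


if __name__ == "__main__":
    pkts = eigrp_packets()
    for p in pkts:
        kind = "multicast" if p["multicast"] else "unicast"
        print(f"{p['src']} -> {p['dst']} {p['type']} flags={p['flags']} ({kind})")
    for intf, lines in required_aces(pkts, {"12.1.1.1"}).items():
        print(f"! {intf}")
        print("\n".join(lines))
```

Run against this capture, `required_aces` produces exactly the four ACEs of step 2. Feeding it a capture from the unicast-neighbor setup of section IV (no packets to 224.0.0.10) yields only the host-to-host entries, which is why the single outside ACE in step ⑥ of that section was enough there.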
3. R1 and R2 learn each other's routes normally
R1#show ip route eigrp | begin Gate
Gateway of last resort is not set

      2.0.0.0/24 is subnetted, 1 subnets
D        2.2.2.0 [90/156160] via 12.1.1.2, 00:00:16, FastEthernet0/0
R1#

R2#show ip route eigrp | begin Gate
Gateway of last resort is not set

      1.0.0.0/24 is subnetted, 1 subnets
D        1.1.1.0 [90/156160] via 12.1.1.1, 00:01:14, FastEthernet0/0
R2#

Posted 2020-2-11 14:05:23
Thanks for sharing, thank you~
Posted 2020-2-12 20:00:13
Thanks for sharing, thank you~
Posted 2020-2-12 21:30:23
Thanks for sharing, studying it