Monday, 14 November 2011

Objective 5

Here we are going to perform unequal-cost load balancing across the 256kbps and 128kbps links via EIGRP.  This is done with the variance command, which is set to 1 by default, meaning EIGRP will only load balance across paths with an equal metric (equal-cost paths).

To load balance we will use the variance 2 command, which means "I will also install paths whose metric is up to twice as bad as my successor's". Two conditions have to hold for the extra path: it must already be a feasible successor (the neighbour's reported distance must be lower than the successor's feasible distance, which is what the topology table checks) AND its own metric must be no more than variance times the successor's FD. A path that fails the feasibility condition is never installed, however high you set the variance.

If we check the topology table we shall see the metric for each route;

BB-Router# show ip eigrp topology
IP-EIGRP Topology Table for AS(90)/ID(172.30.8.1)

P 10.1.2.0/24, 1 successors, FD is 10514432
         via 10.1.34.2 (10514432/28160), Serial0/1
         via 10.1.24.2 (20537600/281600), Serial0/0

The primary route (the successor) has a metric of 10514432 (256kbps) and the feasible successor has a metric of 20537600 (128kbps), which is roughly twice as bad;

10514432 x 2 = 21028864

So by using the variance command with a multiplier of 2 (which encompasses the 128kbps link's metric, since 20537600 is less than 21028864) we can load balance;


BB-Router(config)#router eigrp 90
BB-Router(config-router)#variance ?
  <1-128>  Metric variance multiplier
BB-Router(config-router)#variance 2

Let's check the routing table now;

BB-Router#show ip route

     172.30.0.0/16 is variably subnetted, 10 subnets, 2 masks
C       172.30.2.0/24 is directly connected, Loopback2
C       172.30.3.0/24 is directly connected, Loopback3
D       172.30.0.0/21 is a summary, 00:00:20, Null0
C       172.30.0.0/24 is directly connected, Loopback0
C       172.30.1.0/24 is directly connected, Loopback1
C       172.30.6.0/24 is directly connected, Loopback6
C       172.30.7.0/24 is directly connected, Loopback7
C       172.30.4.0/24 is directly connected, Loopback4
C       172.30.5.0/24 is directly connected, Loopback5
C       172.30.8.0/24 is directly connected, Loopback8
     10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
D       10.1.2.0/24 [90/10514432] via 10.1.34.2, 00:00:20, Serial0/1 
                    [90/20537600] via 10.1.24.2, 00:00:20, Serial0/0
C       10.1.24.2/32 is directly connected, Serial0/0
D       10.1.25.0/24 [90/10642432] via 10.1.34.2, 00:00:20, Serial0/1 <--- load balancing
                     [90/20640000] via 10.1.24.2, 00:00:20, Serial0/0           <--- load balancing


Now we can see we are load balancing over both links. EIGRP shares the traffic in proportion to the path metrics, so for roughly every 2 packets sent over the 256kbps link it will send 1 over the 128kbps link (show ip route 10.1.2.0 shows the traffic share count for each path; note that with CEF the split is per destination/flow by default, not per packet) .... AWESOME!
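Here is the variance decision worked through in Python, as an added example (not from the original post and not an IOS tool). It takes the two paths from the topology table above, with the FD and reported distance exactly as printed there, and reports which paths would be installed for a given variance, the smallest variance that would admit the 128kbps path, and an approximate traffic share (IOS rounds its own traffic share counts differently in edge cases, so treat that function as an approximation). The third "looped" path is constructed to show the feasibility condition blocking a path no matter how high the variance goes.

```python
"""Which EIGRP paths get installed for a given variance?

Added example, not from the original post. The two real paths are taken
from the post's 'show ip eigrp topology' output for 10.1.2.0/24; the
'looped' path is constructed to illustrate the feasibility condition.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    next_hop: str
    interface: str
    metric: int    # FD via this neighbour (first number in the topology output)
    reported: int  # RD the neighbour advertised (second number)


# Constructed from the post's topology table for 10.1.2.0/24.
PATHS_10_1_2_0 = [
    Path("10.1.34.2", "Serial0/1", 10514432, 28160),
    Path("10.1.24.2", "Serial0/0", 20537600, 281600),
]


def successor_fd(paths):
    """The successor's feasible distance is the best metric in the table."""
    return min(p.metric for p in paths)


def installed_paths(paths, variance=1):
    """Paths that would appear in the routing table.

    A non-successor is installed only if BOTH hold:
      1. feasibility condition: its reported distance < successor FD
      2. its metric <= variance * successor FD
    """
    if not 1 <= variance <= 128:
        raise ValueError("variance must be 1..128 (IOS range)")
    fd = successor_fd(paths)
    chosen = []
    for p in paths:
        is_successor = p.metric == fd
        feasible = p.reported < fd
        within_variance = p.metric <= variance * fd
        if is_successor or (feasible and within_variance):
            chosen.append(p)
    return chosen


def min_variance_for(paths, candidate):
    """Smallest variance that installs `candidate`, or None when the
    feasibility condition rules it out regardless of variance."""
    fd = successor_fd(paths)
    if candidate.reported >= fd:
        return None
    return -(-candidate.metric // fd)  # ceiling division


def traffic_share(paths):
    """Approximate traffic share: inverse of each metric, normalised to the
    worst path and rounded, which is what 'show ip route <prefix>' reports."""
    worst = max(p.metric for p in paths)
    return {p.interface: round(worst / p.metric) for p in paths}


if __name__ == "__main__":
    for v in (1, 2):
        print(f"variance {v}:", [p.interface for p in installed_paths(PATHS_10_1_2_0, v)])
    print("traffic share:", traffic_share(installed_paths(PATHS_10_1_2_0, 2)))
    # Constructed path whose RD equals the successor FD: not a feasible
    # successor, so no variance value will ever install it.
    looped = Path("10.1.99.2", "Serial0/2", 12000000, 10514432)
    print("min variance for looped path:", min_variance_for(PATHS_10_1_2_0, looped))
```

The point to take from min_variance_for is that variance is a multiplier on the successor's FD, so 2 is the smallest value that covers 20537600 here, while the constructed looped path gets None: raising variance never bypasses the feasibility condition, which is the loop-prevention guarantee you do not want to lose.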
Objective 4

For this objective we need to summarise 172.30.0.0 - 172.30.7.255 into a single network. We can't include 172.30.8.0/24, as the summary would then have to grow to a /20 (172.30.0.0 - 172.30.15.255) and claim address space we don't actually have behind this router.

Third octet, 172.30.0 to 172.30.7: the values 0-7 only use the low 3 bits, so the summary keeps the top 5 bits of that octet as network bits;

128 64 32 16 8 | 4 2 1
  1  1  1  1 1 | 0 0 0      = 248

   8        8        5      = network bits
11111111.11111111.11111000.00000000

mask = 255.255.248.0, /21 in CIDR notation
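The same calculation automated in Python, as an added example that is not part of the original post: it finds the smallest single prefix covering a list of networks and, more usefully, lists the address space the summary claims that none of the real networks cover. The input networks are the BB-Router loopbacks from the routing tables on this page; running it on the first eight gives the /21 above with nothing over-claimed, and adding 172.30.8.0/24 shows why the summary had to stop at .7.

```python
"""Compute an EIGRP summary for a set of networks and what it over-claims.

Added example, not from the original post. The networks are the BB-Router
loopbacks shown in the post's routing tables (172.30.0.0/24 - 172.30.8.0/24).
"""
import ipaddress

LOOPBACKS = [ipaddress.ip_network(f"172.30.{i}.0/24") for i in range(9)]


def smallest_summary(networks):
    """Single prefix covering every network: widen the first network's
    prefix one bit at a time until all of them fit (the bit-counting done
    by hand above, automated)."""
    nets = list(networks)
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


def overclaimed(summary, networks):
    """Address space inside the summary that none of the networks covers.

    Packets for these destinations still match the summary route; on the
    summarising router they hit the Null0 discard route, elsewhere they are
    drawn towards a router that cannot deliver them."""
    holes = [summary]
    for net in networks:
        remaining = []
        for hole in holes:
            if net.subnet_of(hole):
                # carve the real network out of this hole (empty if equal)
                remaining.extend(hole.address_exclude(net))
            elif not hole.subnet_of(net):
                remaining.append(hole)
        holes = remaining
    return sorted(ipaddress.collapse_addresses(holes))


def summary_command(asn, networks):
    """The IOS interface command for the summary, in the form used above."""
    s = smallest_summary(networks)
    return f"ip summary-address eigrp {asn} {s.network_address} {s.netmask}"


if __name__ == "__main__":
    first_eight = LOOPBACKS[:8]
    print(summary_command(90, first_eight),
          "-> over-claims", [str(n) for n in overclaimed(smallest_summary(first_eight), first_eight)])
    print(summary_command(90, LOOPBACKS),
          "-> over-claims", [str(n) for n in overclaimed(smallest_summary(LOOPBACKS), LOOPBACKS)])
```

An empty over-claim list is the check worth automating before pushing a summary: any prefix it returns is address space you are now attracting traffic for without being able to deliver it.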


Routing table BEFORE

R2>show ip route


Gateway of last resort is 10.1.2.3 to network 192.168.1.0

     172.30.0.0/24 is subnetted, 9 subnets
D       172.30.2.0 [90/10665472] via 10.1.2.3, 01:08:09, Ethernet0/0
D       172.30.3.0 [90/10665472] via 10.1.2.3, 01:08:09, Ethernet0/0
D       172.30.0.0 [90/10665472] via 10.1.2.3, 01:08:09, Ethernet0/0
D       172.30.1.0 [90/10665472] via 10.1.2.3, 01:08:09, Ethernet0/0
D       172.30.6.0 [90/10665472] via 10.1.2.3, 01:08:09, Ethernet0/0
D       172.30.7.0 [90/10665472] via 10.1.2.3, 01:08:09, Ethernet0/0
D       172.30.4.0 [90/10665472] via 10.1.2.3, 01:08:09, Ethernet0/0
D       172.30.5.0 [90/10665472] via 10.1.2.3, 01:08:09, Ethernet0/0
D       172.30.8.0 [90/10665472] via 10.1.2.3, 01:08:09, Ethernet0/0
     10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
C       10.1.2.0/24 is directly connected, Ethernet0/0
C       10.1.24.1/32 is directly connected, Serial0/0
C       10.1.25.0/24 is directly connected, Loopback2
C       10.1.24.0/30 is directly connected, Serial0/0
D       10.1.34.0/30 [90/10537472] via 10.1.2.3, 01:08:12, Ethernet0/0
D*   192.168.1.0/24 [90/10537472] via 10.1.2.3, 01:08:09, Ethernet0/0


BB-Router(config)#int ser0/0
BB-Router(config-if)#ip summary-address eigrp 90 172.30.0.0 255.255.248.0


R2>show ip route

Gateway of last resort is 10.1.2.3 to network 192.168.1.0

     172.30.0.0/16 is variably subnetted, 10 subnets, 2 masks
D       172.30.2.0/24 [90/10665472] via 10.1.2.3, 01:10:11, Ethernet0/0
D       172.30.3.0/24 [90/10665472] via 10.1.2.3, 01:10:11, Ethernet0/0
D       172.30.0.0/21 [90/20640000] via 10.1.24.1, 00:00:15, Serial0/0  <---- there it is
D       172.30.0.0/24 [90/10665472] via 10.1.2.3, 01:10:11, Ethernet0/0
D       172.30.1.0/24 [90/10665472] via 10.1.2.3, 01:10:11, Ethernet0/0
D       172.30.6.0/24 [90/10665472] via 10.1.2.3, 01:10:11, Ethernet0/0
D       172.30.7.0/24 [90/10665472] via 10.1.2.3, 01:10:11, Ethernet0/0
D       172.30.4.0/24 [90/10665472] via 10.1.2.3, 01:10:11, Ethernet0/0
D       172.30.5.0/24 [90/10665472] via 10.1.2.3, 01:10:11, Ethernet0/0
D       172.30.8.0/24 [90/10665472] via 10.1.2.3, 00:00:15, Ethernet0/0
     10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
C       10.1.2.0/24 is directly connected, Ethernet0/0
C       10.1.24.1/32 is directly connected, Serial0/0
C       10.1.25.0/24 is directly connected, Loopback2
C       10.1.24.0/30 is directly connected, Serial0/0
D       10.1.34.0/30 [90/10537472] via 10.1.2.3, 00:00:15, Ethernet0/0
D*   192.168.1.0/24 [90/10537472] via 10.1.2.3, 00:00:15, Ethernet0/0

We can see the new summary route taking effect, but R2 is still learning the individual /24s from 10.1.2.3 (R3), because the summary was only configured on Serial0/0: BB-Router is still advertising the specific routes out Serial0/1 to R3, and R3 passes them on to R2. REMEMBER, regardless of admin distance or metric, if a router has a more SPECIFIC prefix for a destination it will use that route (longest prefix match)!!!


Let's fix that by summarising on the other link too;

BB-Router(config)#int serial0/1
BB-Router(config-if)#ip summary-address eigrp 90 172.30.0.0 255.255.248.0

R2>show ip route

     172.30.0.0/16 is variably subnetted, 2 subnets, 2 masks
D       172.30.0.0/21 [90/10665472] via 10.1.2.3, 00:14:38, Ethernet0/0 <-- summary
D       172.30.8.0/24 [90/10665472] via 10.1.2.3, 00:14:38, Ethernet0/0 <--
     10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
C       10.1.2.0/24 is directly connected, Ethernet0/0
C       10.1.24.1/32 is directly connected, Serial0/0
C       10.1.25.0/24 is directly connected, Loopback2
C       10.1.24.0/30 is directly connected, Serial0/0
D       10.1.34.0/30 [90/10537472] via 10.1.2.3, 00:16:07, Ethernet0/0
D*   192.168.1.0/24 [90/10537472] via 10.1.2.3, 00:14:38, Ethernet0/0


Excellent! Notice we still have the 172.30.8.0/24 route too. This is because the summary only covers 172.30.0.0 --> 172.30.7.255, and the network statement in EIGRP still advertises the rest of the 172.30 subnets individually. Also notice in the BB-Router routing table earlier that the summary installed a discard route, 172.30.0.0/21 via Null0: any packet for an address inside the summary range that doesn't match a more specific route is dropped there rather than being forwarded back out via a default route, which is what stops routing loops;


router eigrp 90
 passive-interface default
 no passive-interface Serial0/0
 no passive-interface Serial0/1
 network 10.1.0.0 0.0.255.255
 network 172.30.0.0
 network 192.168.1.0
 no auto-summary

Job done
3rd Objective;


PASSIVE INTERFACES

If we look at R2, this router has an interface in 10.1.25.0/24. There is no other router on this segment, yet R2 is sending hellos out this interface trying to actively form a relationship with an EIGRP neighbour.  This is a HUGE security hole: with no EIGRP authentication configured, someone could plug in their own router on that segment, get an adjacency up and start injecting routes into the network, or better yet pull off a man-in-the-middle attack by advertising attractive routes, packet sniffing all the traffic and forwarding it on.

One approach would be to remove the network from EIGRP, BUT this now means you are no longer advertising this network.....

This is where passive interfaces come in: they disable the hello messages on that interface, meaning no neighbour can form, BUT the network is still advertised to the rest of your EIGRP topology :0)


R2(config)#router eigrp 90
R2(config-router)#passive-interface loopback 2

(I'm doing loopback2 as I didn't have another FastEthernet port like on the CBT/network diagram)

So now no hello messages will be sent out to 10.1.25.0/24, no neighbourships will form on it and no routes will be learnt from it *dusts hands*

This is very different to what RIP's passive interface does:
It won't send updates out the interface (RIP doesn't form neighbours like EIGRP, it just sends updates via broadcast or multicast depending on version) BUT it will still accept updates from other RIP routers on that interface and add those updates to the routing table.

----------------------------------------------------------------------------------
RIP's passive interface NOT as secure as EIGRP's passive interface
--------------------------------------------------------------------------------


Now let's secure the BackBone router. We have a load of interfaces (loopbacks in this example, but hey!), so it would be a lot more secure, and easier for us, to make every interface passive by default and only open up the ones that need neighbours.

BB-Router(config)#router eigrp 90
BB-Router(config-router)#passive-interface default
BB-Router(config-router)#
00:36:33: %DUAL-5-NBRCHANGE: IP-EIGRP 90: Neighbor 10.1.24.2 (Serial0/0) is down: interface passive
00:36:33: %DUAL-5-NBRCHANGE: IP-EIGRP 90: Neighbor 10.1.34.2 (Serial0/1) is down: interface passive


Obviously this downs the neighbours straight away, as we have disabled the hellos to them; to get them up again we use the no form of the command on just the interfaces that face real routers. Bear in mind those two serial links will still accept any neighbour that turns up on them, so on links that must stay active EIGRP MD5 authentication (a key chain applied with ip authentication mode eigrp and ip authentication key-chain eigrp on the interface) is the complementary control against a rogue neighbour;

BB-Router(config-router)#no passive-interface serial0/0
BB-Router(config-router)#no passive-interface serial0/1
00:37:31: %DUAL-5-NBRCHANGE: IP-EIGRP 90: Neighbor 10.1.24.2 (Serial0/0) is up: new adjacency
00:37:31: %SYS-5-CONFIG_I: Configured from console by vty1 (10.1.34.2)
00:37:34: %DUAL-5-NBRCHANGE: IP-EIGRP 90: Neighbor 10.1.34.2 (Serial0/1) is up: new adjacency

Here's it all together in the running config;

BB-Router#show run | s eigrp
router eigrp 90
 passive-interface default
 no passive-interface Serial0/0
 no passive-interface Serial0/1
 network 10.1.0.0 0.0.255.255
 network 172.30.0.0
 network 192.168.1.0
 no auto-summary
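As an added example (not from the original post), here is the check I would run against a running config before calling this job done: parse the router eigrp block, apply the network statements (classful when no wildcard is given, exactly as the 172.30.0.0 and 192.168.1.0 lines above are) and the passive-interface rules to an interface address table, and list every interface that will still send hellos, i.e. every segment where a rogue device could try to form an adjacency. The two configs are the ones shown on this page; the interface addresses are constructed to fit the outputs above and are assumptions, and Ethernet1/0 is a hypothetical interface that no network statement covers.

```python
"""Audit which interfaces an IOS EIGRP process will send hellos on.

Added example, not from the original post. Applies 'passive-interface X',
'passive-interface default' with 'no passive-interface X' exceptions, and
the 'network' statements (classful without a wildcard) to an interface
table. Configs are the ones from the post; addresses are assumed.
"""
import ipaddress
import re

# BB-Router after the fix, as shown in the post.
BB_CONFIG_AFTER = """\
router eigrp 90
 passive-interface default
 no passive-interface Serial0/0
 no passive-interface Serial0/1
 network 10.1.0.0 0.0.255.255
 network 172.30.0.0
 network 192.168.1.0
 no auto-summary
!
"""
# Same router before any passive-interface commands (the starting state).
BB_CONFIG_BEFORE = (BB_CONFIG_AFTER
                    .replace(" passive-interface default\n", "")
                    .replace(" no passive-interface Serial0/0\n", "")
                    .replace(" no passive-interface Serial0/1\n", ""))

# Constructed/assumed addresses for BB-Router. Ethernet1/0 is hypothetical
# and sits outside every network statement.
BB_INTERFACES = {
    "Loopback0": "172.30.0.1",
    "Loopback8": "172.30.8.1",
    "Serial0/0": "10.1.24.1",
    "Serial0/1": "10.1.34.1",
    "Ethernet1/0": "10.99.0.1",
}


def classful_wildcard(addr: str) -> int:
    """Wildcard IOS assumes for a 'network' statement with no mask."""
    first = int(addr.split(".")[0])
    host_bits = 24 if first < 128 else 16 if first < 192 else 8
    return (1 << host_bits) - 1


def parse_eigrp(config: str):
    """Passive settings and network statements from the first 'router eigrp'
    block: (default_passive, passive, active, [(network, wildcard), ...])."""
    default_passive, passive, active, networks = False, set(), set(), []
    in_block = False
    for line in config.splitlines():
        if re.match(r"router eigrp \d+$", line):
            in_block = True
            continue
        if in_block and line and not line.startswith(" "):
            break  # '!' or the next top-level section ends the block
        t = line.split()
        if not in_block or not t:
            continue
        if t[:2] == ["passive-interface", "default"]:
            default_passive = True
        elif t[:3] == ["no", "passive-interface", "default"]:
            default_passive = False
        elif t[0] == "passive-interface":
            passive.add(t[1].lower())
        elif t[:2] == ["no", "passive-interface"]:
            active.add(t[2].lower())
        elif t[0] == "network":
            net = int(ipaddress.IPv4Address(t[1]))
            wild = int(ipaddress.IPv4Address(t[2])) if len(t) > 2 else classful_wildcard(t[1])
            networks.append((net, wild))
    return default_passive, passive, active, networks


def hello_interfaces(config: str, interfaces: dict) -> list:
    """Interfaces covered by a network statement AND not passive: the ones
    on which an adjacency could be formed by whatever is plugged in."""
    default_passive, passive, active, networks = parse_eigrp(config)
    talking = []
    for name, ip in interfaces.items():
        addr = int(ipaddress.IPv4Address(ip))
        covered = any((addr & ~wild) == (net & ~wild) for net, wild in networks)
        if not covered:
            continue  # EIGRP is not running on this interface at all
        key = name.lower()  # running-config names are always spelled out in full
        is_passive = (key not in active) if default_passive else (key in passive)
        if not is_passive:
            talking.append(name)
    return sorted(talking)


if __name__ == "__main__":
    print("before:", hello_interfaces(BB_CONFIG_BEFORE, BB_INTERFACES))
    print("after: ", hello_interfaces(BB_CONFIG_AFTER, BB_INTERFACES))
```

Before the fix every loopback shows up as a hello-sending interface; after it only the two serial links do, which is exactly the set of %DUAL-5-NBRCHANGE adjacencies in the log above, and the list you compare against the interfaces that are actually meant to have a router on the other end.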