CCIE Security V4 Technology Labs - Section 5: Perimeter Security and Services - ASA Firewalls


EIGRP
Last updated: May 10, 2013
Task
Disable OSPF on the connection to SW4 and configure EIGRP instead. Authenticate the EIGRP adjacency using
the password CISCO.
Overview
EIGRP is not a recent addition to the ASA code. The protocol is proprietary to Cisco, so you will normally only
need it in an all-Cisco environment. Internally it is a sophisticated and scalable protocol built on the Diffusing
Update Algorithm (DUAL), but its configuration is relatively simple and requires just a few steps:

1. Enable the EIGRP routing process on the firewall. You must know the Autonomous System number used
by neighboring routers to enter the command router eigrp <AS#>. If the AS numbers mismatch, the
routers will not form an adjacency.

2. Activate EIGRP on the selected interfaces using the command network <IP> <Mask>. This is similar to the
OSPF configuration, except that there is no area number, and note that the ASA takes a regular subnet mask
here (255.255.255.0) where IOS takes a wildcard mask (0.0.0.255). EIGRP will start sending HELLO packets
out of every matching interface and advertise the matching subnets to its neighbors. Disable automatic
summarization at classful boundaries (never wanted in a modern, discontiguous-subnet network) using the
command no auto-summary.

3. Authenticate the EIGRP adjacency on the interfaces where this is required. The ASA supports only MD5
keyed-hash authentication for EIGRP. With it enabled, the firewall discards HELLO and update packets that do
not carry a valid digest, so a rogue device on the segment cannot form an adjacency and inject routes; the
routing updates themselves are still sent in clear text. Enable it at the interface level using the following
commands:

    authentication mode eigrp X md5
    authentication key eigrp X <KEY> key-id N

4. Configure the opposing IOS router for EIGRP authentication as well. The IOS syntax is a bit different and
requires you to create a key chain first, which is then referenced from the interface:

    key chain <KEY-CHAIN>
     key N
      key-string <KEY>
    interface FastEthernet X/Y
     ip authentication mode eigrp X md5
     ip authentication key eigrp X <KEY-CHAIN>

Ensure that the key identifiers match on both sides: the key-id N on the ASA must equal the key number N in the
IOS key chain, and the key strings must be identical, otherwise the adjacency never forms.
Configuration
ASA1:

router ospf 1
no network 136.1.124.0 255.255.255.0
!
router eigrp 1
no auto-summary
network 136.1.124.0 255.255.255.0
!
interface Ethernet 0/2.124
authentication key eigrp 1 CISCO key-id 1
authentication mode eigrp 1 md5

SW1:

router eigrp 1
network 136.1.124.0 0.0.0.255
!
key chain EIGRP
key 1
key-string CISCO
!
interface Vlan124
ip authentication mode eigrp 1 md5
ip authentication key eigrp 1 EIGRP
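The one thing that silently breaks step 3 and step 4 above is a mismatch between the two boxes: a different AS number, MD5 enabled on only one side, an ASA key-id that does not match the IOS key number, or a different key string. The following script is an added example, not part of the INE workbook: it parses the two configuration fragments from the Configuration section (embedded here as constructed sample text) and reports every such mismatch before you look at the neighbor table. The function names, the regular expressions and the assumption that the IOS key chain holds a single key are the author's own.

```python
"""Cross-check EIGRP MD5 authentication settings between an ASA and an IOS neighbor.

Added example (not workbook code). Parses ASA and IOS configuration fragments
and lists every mismatch that would keep the adjacency from authenticating.
"""
import re

# Constructed sample: the ASA1 configuration from the Configuration section.
ASA_CONFIG = """\
router eigrp 1
 no auto-summary
 network 136.1.124.0 255.255.255.0
!
interface Ethernet 0/2.124
 authentication key eigrp 1 CISCO key-id 1
 authentication mode eigrp 1 md5
"""

# Constructed sample: the SW1 configuration from the Configuration section.
IOS_CONFIG = """\
router eigrp 1
 network 136.1.124.0 0.0.0.255
!
key chain EIGRP
 key 1
  key-string CISCO
!
interface Vlan124
 ip authentication mode eigrp 1 md5
 ip authentication key eigrp 1 EIGRP
"""


def parse_asa(text):
    """Return {'as', 'mode', 'key_id', 'key'} from ASA EIGRP commands."""
    info = {"as": None, "mode": None, "key_id": None, "key": None}
    m = re.search(r"^router eigrp (\d+)", text, re.M)
    if m:
        info["as"] = int(m.group(1))
    m = re.search(r"^\s*authentication mode eigrp \d+ (\S+)", text, re.M)
    if m:
        info["mode"] = m.group(1)
    # ASA carries the key string and key-id directly on the interface.
    m = re.search(r"^\s*authentication key eigrp \d+ (\S+) key-id (\d+)", text, re.M)
    if m:
        info["key"], info["key_id"] = m.group(1), int(m.group(2))
    return info


def parse_ios(text):
    """Return the same dict from IOS key-chain plus interface commands."""
    info = {"as": None, "mode": None, "key_id": None, "key": None}
    m = re.search(r"^router eigrp (\d+)", text, re.M)
    if m:
        info["as"] = int(m.group(1))
    m = re.search(r"^\s*ip authentication mode eigrp \d+ (\S+)", text, re.M)
    if m:
        info["mode"] = m.group(1)
    # IOS references a key chain by name; resolve it to key number and key string.
    m = re.search(r"^\s*ip authentication key eigrp \d+ (\S+)", text, re.M)
    if m:
        chain = re.escape(m.group(1))
        # Key chain body = the indented lines that follow "key chain <name>".
        body = re.search(r"^key chain %s\n((?:[ \t].*\n?)*)" % chain, text, re.M)
        if body:
            k = re.search(r"^\s*key (\d+)\n\s*key-string (\S+)", body.group(1), re.M)
            if k:  # assumption: a single key in the chain
                info["key_id"], info["key"] = int(k.group(1)), k.group(2)
    return info


def auth_mismatches(asa, ios):
    """Return human-readable reasons the adjacency would not authenticate (empty = OK)."""
    problems = []
    if asa["as"] != ios["as"]:
        problems.append("AS number mismatch: %s vs %s" % (asa["as"], ios["as"]))
    if asa["mode"] != "md5" or ios["mode"] != "md5":
        problems.append("MD5 authentication is not enabled on both sides")
    if asa["key_id"] != ios["key_id"]:
        problems.append("ASA key-id %s but IOS key number %s" % (asa["key_id"], ios["key_id"]))
    if asa["key"] != ios["key"]:
        problems.append("key strings differ")
    return problems


def check_pair(asa_text, ios_text):
    """Convenience wrapper: parse both fragments and return the mismatch list."""
    return auth_mismatches(parse_asa(asa_text), parse_ios(ios_text))


if __name__ == "__main__":
    for p in check_pair(ASA_CONFIG, IOS_CONFIG) or ["no mismatches found"]:
        print(p)
```

Run it against the real configurations by pasting `show running-config` output from each device into the two strings; a non-empty result explains a neighbor table that stays empty far faster than debug output does.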

Verification
Start your verification by checking the EIGRP adjacency state. The SRTT value (smoothed round-trip time, the
average time to reach the neighbor over the segment) should be reasonably small, and the Q Cnt field (outstanding
queries) should be zero in a stable network. If the AS numbers or authentication keys mismatch, the neighbor
never appears in this table at all.

Rack1ASA1# show eigrp neighbors
EIGRP-IPv4 neighbors for process 1
H   Address         Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                    (sec)         (ms)       Cnt Num
0   136.1.124.4     Et0/2.124         11 00:00:36    5   300  0  2
Rack1ASA1#
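The health checks just described (neighbor present, Q Cnt zero, SRTT small) are easy to script when you have many firewalls to verify. The following is an added example, not part of the workbook: it parses `show eigrp neighbors` output (three constructed samples, the first copied from the output above, the other two made up to show a degraded adjacency and the empty table you get with a key mismatch) and returns a list of findings. The SRTT threshold and the expected-neighbor list are the author's assumptions.

```python
"""Parse ASA 'show eigrp neighbors' output and flag unhealthy adjacencies.

Added example (not workbook code). Row regex, thresholds and samples are the
author's own; the first sample mirrors the verification output on this page.
"""
import re

# Constructed sample: healthy adjacency, as shown on the page.
SAMPLE_HEALTHY = """\
EIGRP-IPv4 neighbors for process 1
H   Address         Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                    (sec)         (ms)       Cnt Num
0   136.1.124.4     Et0/2.124         11 00:00:36    5   300  0  2
"""

# Constructed sample: same neighbor with outstanding queries and a high SRTT.
SAMPLE_DEGRADED = """\
EIGRP-IPv4 neighbors for process 1
H   Address         Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                    (sec)         (ms)       Cnt Num
0   136.1.124.4     Et0/2.124         13 00:05:12  250  1500  3  9
"""

# Constructed sample: what an AS or MD5 key mismatch looks like, no neighbor at all.
SAMPLE_NO_NEIGHBOR = """\
EIGRP-IPv4 neighbors for process 1
H   Address         Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                    (sec)         (ms)       Cnt Num
"""

# One neighbor row: H, address, interface, hold, uptime, SRTT, RTO, Q count, seq.
ROW = re.compile(
    r"^\s*(?P<h>\d+)\s+(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<intf>\S+)\s+"
    r"(?P<hold>\d+)\s+(?P<uptime>\S+)\s+(?P<srtt>\d+)\s+(?P<rto>\d+)\s+"
    r"(?P<q>\d+)\s+(?P<seq>\d+)\s*$"
)


def parse_neighbors(text):
    """Return one dict per neighbor row; header and banner lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            d = m.groupdict()
            for k in ("h", "hold", "srtt", "rto", "q", "seq"):
                d[k] = int(d[k])
            rows.append(d)
    return rows


def check_adjacencies(text, expected, max_srtt_ms=100):
    """Return findings for the expected neighbor addresses; [] means all healthy."""
    findings = []
    seen = {n["addr"]: n for n in parse_neighbors(text)}
    for addr in expected:
        n = seen.get(addr)
        if n is None:
            findings.append("%s: no adjacency (check AS number, MD5 key-id and key string)" % addr)
            continue
        if n["q"] != 0:
            findings.append("%s: %d outstanding queries" % (addr, n["q"]))
        if n["srtt"] > max_srtt_ms:  # threshold is an assumption, tune per segment
            findings.append("%s: SRTT %d ms exceeds %d ms" % (addr, n["srtt"], max_srtt_ms))
        if n["hold"] == 0:
            findings.append("%s: hold timer expired" % addr)
    return findings


if __name__ == "__main__":
    for name, sample in (("healthy", SAMPLE_HEALTHY), ("degraded", SAMPLE_DEGRADED),
                         ("no neighbor", SAMPLE_NO_NEIGHBOR)):
        print(name, check_adjacencies(sample, ["136.1.124.4"]) or ["OK"])
```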

Verify the EIGRP interface settings. The last line of this command's output confirms that MD5 authentication is
enabled on the interface, but the key itself is masked; if you need to check the configured key, use the command
more system:running-config.

Rack1ASA1# show eigrp interfaces detail dmz2
EIGRP-IPv4 interfaces for process 1

                  Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface  Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
dmz2         1        0/0        5        0/1           50           0
  Hello interval is 5 sec
  Next xmit serial <none>
  Un/reliable mcasts: 0/0  Un/reliable ucasts: 1/5
  Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 1
  Retransmissions sent: 1  Out-of-sequence rcvd: 0
  Topology-ids on interface - 0
  Authentication mode is md5, key is "<removed> key-id 1"
Rack1ASA1#
