EIGRP Authentication

Hi All,
As per the EIGRP authentication steps, the key chain configuration steps are:
A) First we need to configure a key chain in global configuration mode.
B) Under the key chain we need to configure a key number. The key number must match on both sides (both routers) and should be active. If multiple key numbers are configured on a router, then the router selects the lowest number for authentication.
C) Once you configure the key number you need to issue the authentication string (key-string).
Suppose we have a key chain with two key identifiers in R1 and in R2 like below. Will it work?
R1 - Key chain one
Key 1
key-string cisco
key 2
key-string admin
and in R2 - Key chain two
key 10
key-string cisco
key 15 
key-string admin
And also, what is the use / need for more than one key identifier in a key chain? How will EIGRP process this?
Regards,
Gan

Hi kazim,
Just to make sure I understand: if I am not configuring any lifetime value for a key string, then the lowest-value key identifier's string is considered as the key string for authentication.
R1
Key chain one
Key 1
Key-string cisco (this key value will be considered by the EIGRP packets for authentication) -- Sending EIGRP messages: use the lowest key number among all currently valid keys.
Key 2
Key-string admin
Suppose in R2 I configured as below:
Key chain two
Key 10
Key-string admin
Key 15
Key-string cisco
So in the above case, will the received EIGRP packets be checked against all the key identifiers, or will only the lowest-value key identifier be checked? -- Receiving EIGRP messages: check the MD5 digest using ALL currently valid keys for a match.
Regards,
Gan
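The following is an added example, not code from the thread or from Cisco IOS: a small Python model of a key chain (key number, key-string, optional accept-/send-lifetime) that applies the two rules quoted above (send with the lowest key number among all currently valid keys; on receipt, check the digest against all currently valid keys) together with the first post's requirement that the key number match on both sides, so a received packet only matches a key whose number equals the number carried in the packet. It runs Gan's R1/R2 chains through the check, and also plays out the accept-lifetime / send-lifetime rollover asked about in the "EIGRP Password String on Live Network" thread further down. The digest is a simplified stand-in (MD5 over payload plus key-string, verified with a constant-time compare), not the real EIGRP packet hashing, and all dates, key-strings and chain names are constructed for the example.

```python
"""Constructed model of Cisco-style key-chain selection for EIGRP authentication.
Rules as quoted in the thread: send with the lowest valid key number; on receipt
try all currently valid keys, but the key number must match the packet's."""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass
class Key:
    number: int
    key_string: str
    # None = infinite lifetime, the default when no accept-/send-lifetime is set
    send_start: Optional[datetime] = None
    send_end: Optional[datetime] = None
    accept_start: Optional[datetime] = None
    accept_end: Optional[datetime] = None

    @staticmethod
    def _within(start, end, now):
        return (start is None or start <= now) and (end is None or now < end)

    def can_send(self, now):
        return self._within(self.send_start, self.send_end, now)

    def can_accept(self, now):
        return self._within(self.accept_start, self.accept_end, now)


@dataclass
class KeyChain:
    name: str
    keys: List[Key] = field(default_factory=list)

    def sending_key(self, now) -> Optional[Key]:
        """Lowest key number among keys currently valid for sending, or None."""
        valid = [k for k in self.keys if k.can_send(now)]
        return min(valid, key=lambda k: k.number) if valid else None

    def accepting_keys(self, now) -> List[Key]:
        return [k for k in self.keys if k.can_accept(now)]


def digest(payload: bytes, key_string: str) -> str:
    # Simplified stand-in for the EIGRP MD5 digest (constructed for this example)
    return hashlib.md5(payload + key_string.encode()).hexdigest()


def sign(chain: KeyChain, payload: bytes, now: datetime) -> Optional[Tuple[int, str]]:
    """What a sending router puts in the packet: (key number, digest), or None."""
    key = chain.sending_key(now)
    return None if key is None else (key.number, digest(payload, key.key_string))


def verify(chain: KeyChain, payload: bytes, number: int, received: str, now: datetime) -> Optional[int]:
    """Try every currently valid key; a key matches only if its number equals the
    one in the packet and the digest verifies. None means the packet is dropped."""
    for key in chain.accepting_keys(now):
        if key.number == number and hmac.compare_digest(
                digest(payload, key.key_string), received):
            return key.number
    return None


def authenticates(sender: KeyChain, receiver: KeyChain, now: datetime,
                  payload: bytes = b"EIGRP HELLO") -> bool:
    """True if a packet signed by `sender` would pass `receiver`'s check."""
    signed = sign(sender, payload, now)
    return signed is not None and verify(receiver, payload, *signed, now) is not None


# The chains from the question: same key-strings, different key numbers
R1 = KeyChain("one", [Key(1, "cisco"), Key(2, "admin")])
R2 = KeyChain("two", [Key(10, "cisco"), Key(15, "admin")])
R2_FIXED = KeyChain("two", [Key(1, "cisco"), Key(2, "admin")])  # numbers match R1

# Rollover with lifetimes (constructed dates): key 1 stops being sent at CUTOVER
# but stays accepted until GRACE_END; key 2 has no lifetime, so it is always valid.
CUTOVER, GRACE_END = datetime(2024, 1, 1), datetime(2024, 1, 2)
T_BEFORE, T_AFTER, T_LATE = datetime(2023, 12, 31, 12), datetime(2024, 1, 1, 12), datetime(2024, 1, 3)
ROLLOVER = KeyChain("rollover", [
    Key(1, "oldsecret", send_end=CUTOVER, accept_end=GRACE_END),
    Key(2, "newsecret"),
])
LEGACY = KeyChain("legacy", [Key(1, "oldsecret")])  # peer not yet given key 2

if __name__ == "__main__":
    print("R1 -> R2 as posted:", authenticates(R1, R2, T_BEFORE))        # False
    print("R1 -> R2 fixed    :", authenticates(R1, R2_FIXED, T_BEFORE))  # True
    for t in (T_BEFORE, T_AFTER, T_LATE):
        print(t, "rollover sends key", ROLLOVER.sending_key(t).number,
              "| rollover->legacy:", authenticates(ROLLOVER, LEGACY, t),
              "| legacy->rollover:", authenticates(LEGACY, ROLLOVER, t))
```

As posted, R1 signs with key 1 and R2 has no key numbered 1, so the packet is rejected even though the same key-strings exist on both sides; renumbering R2 to match fixes it. The rollover run shows why both routers need the new key before the old key's send-lifetime ends: once ROLLOVER switches to sending key 2, a peer that only has key 1 drops its packets, while the grace window on key 1's accept-lifetime keeps the reverse direction working until GRACE_END.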

Similar Messages

  • EIGRP authentication in named mode breaks vrf aware DMVPN

    Hi Friends,
    I built a VRF-aware DMVPN and advertise the GRE IP in EIGRP named mode. All works well until I enable authentication under af-interface tunnel 0.
    Once I enable the authentication "hmac-sha256", it breaks the crypto and DMVPN.
    Any advice on what the solution is to bring the crypto and DMVPN up with EIGRP authentication in named mode?
    Regards
    rYs

    Hi,
    I attached the config I did, up to the point of applying the authentication in EIGRP.
    Once I applied the below config, the DMVPN breaks:
    "router eigrp EIGRP
    add ipv4 autonom 45678
    af-interface tu0
    authentication mode hmac-sha256 KEY"
    Let me know if there are any more configs I need to add in the crypto to make the DMVPN come up.
    Thanks

  • EIGRP Authentication still working after removing it

    HI Guys,
    A few days ago I experienced an issue with EIGRP MD5 authentication on an uplink interface. Basically authentication was not there but was on the other neighbors; even though the neighbor with no MD5 was still learning routes from the others, the neighborship never failed. Once the 4948 switch was reloaded the neighborship was lost and no routes were learned. My question is why it did not fail before (authentication was removed from the interface 5 months ago) and was working fine until last Tuesday (reload).
    Thanks

    Hi Prashant
    I agree it should not be possible, but it happened and lasted for over 5 months until we reloaded the switch. 4 CCIE lads were looking at it and they are as surprised as we all are.
    thanks anyway

  • EIGRP Password String on Live Network

    Hi,
    I want to use an EIGRP password between routers and layer 3 switches in our environment. Is it possible to implement an EIGRP key string in a live environment without any downtime?
    Thank you

    This is kind of what I'm referring to. Set the routers with an accept and send time, but with no end time.
    key chain <name_of_keychain>
    key <#>
    key-string <string_used_for_PSK>
    !Optional - set lifetime
    accept-lifetime <start_date> <end_date>
    send-lifetime <start_date> <end_date>
    Copied this from
    http://gregandthenetwork.blogspot.com/2011/05/eigrp-authentication.html  

  • Eigrp Keychain

    I know how to configure EIGRP authentication to form a neighborship, but I need to clarify the concept.
    FortWorth#configure terminal
    FortWorth(config)#key chain MYCHAIN
    FortWorth(config-keychain)#key 1
    FortWort(config-keychain-key)#key-string securetraffic
    FortWort(config-keychain-key)#end
    I want to know the definition of:
    1. key-chain
    2. key
    3. key-string
    What do these commands actually define, and what are the differences between them?

    Hi indrajith,
    All these concepts are for the authentication purpose. I will try to explain each point.
    1. key-chain
    You are making a keychain with the name MYCHAIN. Inside this key chain you can make many keys.
    It's like the bundle of your house keys: each key bundle has many keys for different rooms or stores.
    2. key - one key from the bundle of keys
    Each key can be used for authentication, and you can specify which period each key needs to be used,
    e.g.
    key 1 Monday to Friday
    key 2 Saturday only
    key 3 Sunday only
    3. key-string
    It is the simple password for the authentication (can be clear text or MD5).
    by
    shiji varughese

  • EIGRP SHA Authentication for Cisco ASA

    Hi,
    I was just wondering if anyone knew whether Cisco was going to implement EIGRP SHA authentication into the ASAs. My organization is migrating from classic to named EIGRP for SHA authentication, and right now I'm stuck at the ASAs. Static routing everything just to remove MD5 authentication doesn't sound very fun, if you know what I mean. :)
    Thanks!

    Hello Mohammad,
    I would recommend you advertise them via EIGRP: better functionality, scalability, etc., etc.
    Regards

  • Vrf aware dmvpn with ipsec profile breaks while enabling authentication in EIGRP named mode

    Hi Friends,
    I built a VRF-aware DMVPN using an IPsec profile, and I got the DMVPN and IPsec crypto UP and was able to advertise using EIGRP.
    But the crypto and DMVPN break when I enable the authentication in EIGRP named mode.
    Once I remove the authentication, it works fine.
    Any advice on how to solve this issue? Are there any crypto commands I need to add to make this work?
    Regards
    Riyas Rasheed

    Hi,
    I attached the config I did, up to the point of applying the authentication in EIGRP.
    Once I applied the below config, the DMVPN breaks:
    "router eigrp EIGRP
    add ipv4 autonom 45678
    af-interface tu0
    authentication mode hmac-sha256 KEY"
    Let me know if there are any more configs I need to add in the crypto to make the DMVPN come up.
    Thanks

  • VPN Access to an IP that can be accessed via EIGRP

    I have a question. I have a VPN that sits on the external interface using the IP of 10.5.79.X/20. I have a production network connected to a corporate network using MPLS and EIGRP to share the routes. The production network can access the corporate network, but the VPN users can't. I need to be able to access anything on that network, which is mainly a 172.18.0.0 network summarized by EIGRP. I had this working before, but can't get it working again after my firewall dumped on me.
    ASA Version 8.4(2)
    hostname hp-asa-5510-DR
    enable password 1qF1n5PuI7A.2DV. encrypted
    passwd 1qF1n5PuI7A.2DV. encrypted
    names
    dns-guard
    interface Ethernet0/0
    speed 100
    duplex full
    nameif external
    security-level 0
    ip address *142.189.26 255.255.255.252
    interface Ethernet0/1
    nameif internal
    security-level 100
    ip address 10.5.64.6 255.255.240.0
    interface Ethernet0/1.1
    vlan 2
    nameif Guest
    security-level 90
    ip address 192.168.3.1 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    boot system disk0:/asa842-k8.bin
    boot system disk0:/asa821-k8.bin
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    dns domain-lookup external
    dns domain-lookup internal
    dns server-group DefaultDNS
    name-server 208.67.222.222
    dns server-group Guest
    name-server 10.5.64.197
    name-server 8.8.8.8
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj-10.5.65.239
    host 10.5.65.239
    object network obj-10.5.65.253
    host 10.5.65.253
    object network obj-10.5.65.42
    host 10.5.65.42
    object network obj-10.5.65.219
    host 10.5.65.219
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network Cegedim
    subnet 10.5.250.0 255.255.255.248
    description dendrite site to site VPN
    object network dfb
    subnet 10.5.0.0 255.255.0.0
    object network lausanne
    subnet 192.168.250.0 255.255.255.0
    description Lausanne
    object network dfbgroup
    subnet 10.5.0.0 255.255.0.0
    object network DPT
    subnet 10.5.16.0 255.255.240.0
    object network hpbexch
    host 10.5.64.198
    object network hpbmsvpn
    host 10.5.64.196
    object network kacehost
    host 10.5.65.189
    object network hpbsentry
    host 10.5.64.194
    object network hpbMDM
    host 10.5.64.195
    object network hperoom
    host 10.5.65.211
    description healthpoint eroom server
    object network spintranet
    host 10.5.65.185
    description sharepoint intranet
    object network spsales
    host 10.5.65.194
    description sharepoint sales
    object network spteams
    host 10.5.65.183
    description sharepoint teams
    object network Guest
    subnet 192.168.3.0 255.255.255.0
    object network Crystal
    host 10.5.65.203
    object network ERPLN
    host 10.5.65.234
    object network ERPLNDB
    host 10.5.65.237
    object service dpt
    service tcp source range 1 65000 destination range 1 65000
    description dpt ports
    object network Documentum
    host 10.5.17.216
    object network DPTDocumentum
    host 10.5.17.216
    description Documentum
    object network EzDocs
    host 10.5.17.235
    description EzDocs
    object network Aerosol
    subnet 10.5.32.0 255.255.240.0
    object network Brooks
    subnet 10.5.128.0 255.255.240.0
    object network DPTScience
    subnet 10.5.48.0 255.255.240.0
    object network LakeWood
    subnet 10.5.80.0 255.255.240.0
    object network Plant
    subnet 10.5.0.0 255.255.240.0
    object network warehouse
    subnet 10.5.240.0 255.255.240.0
    object network NotesApps
    host 10.5.65.235
    object network DPTNotes
    host 10.5.17.246
    object network DNSServer
    host 10.5.64.197
    object network GuestNetwork
    subnet 192.168.3.0 255.255.255.0
    object network KACE
    host 10.5.65.189
    object network mdm2
    host 10.5.64.195
    object network guesterooms
    host 10.5.65.211
    object network DNSServer2
    host 10.5.64.199
    object network asa_LAN
    host 10.5.64.6
    object network guestspsales
    host 10.5.65.194
    object network JohnsonControlServer
    host 10.5.65.33
    description JC Server
    object network guestexchange
    host 10.5.64.198
    description Guest Exchange
    object network guestmobile2
    host 10.5.64.194
    object network DPTDocB
    host 10.5.17.215
    object-group service EDI tcp
    port-object eq 50080
    port-object eq 6080
    port-object eq www
    object-group service Exchange tcp
    port-object eq 587
    port-object eq www
    port-object eq https
    port-object eq smtp
    object-group service Lotus-Sametime tcp
    port-object eq 1503
    port-object eq 1516
    port-object eq 1533
    port-object eq 8081
    port-object range 8082 8084
    port-object range 9092 9094
    port-object eq www
    port-object eq https
    port-object eq lotusnotes
    port-object eq rtsp
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service VPN-MS tcp-udp
    port-object eq 1701
    port-object eq 1723
    port-object eq 4500
    port-object eq 500
    object-group network Verizon-Servers
    network-object 216.82.240.0 255.255.240.0
    network-object 85.158.136.0 255.255.248.0
    network-object 193.109.254.0 255.255.254.0
    network-object 194.106.220.0 255.255.254.0
    network-object 195.245.230.0 255.255.254.0
    network-object 62.231.131.0 255.255.255.0
    network-object 64.124.170.128 255.255.255.240
    network-object 212.125.74.44 255.255.255.255
    network-object 195.216.16.211 255.255.255.255
    object-group network FDA_SecureEmail
    network-object host 150.148.2.65
    network-object host 150.148.2.66
    object-group network Web-Server-Stuff
    network-object host 204.71.89.34
    network-object host 204.71.89.35
    network-object host 204.71.89.33
    network-object host 66.240.207.149
    network-object host 68.168.88.169
    network-object host 50.112.164.102
    object-group service DFB-eRoom tcp
    port-object eq www
    port-object eq https
    object-group network EDI-Customers
    network-object host 129.33.204.13
    network-object host 143.112.144.25
    network-object host 160.109.101.195
    network-object host 198.89.160.113
    network-object host 199.230.128.125
    network-object host 199.230.128.85
    network-object host 205.233.244.208
    network-object host 198.89.170.134
    network-object host 198.89.170.135
    network-object host 199.230.128.54
    object-group service MDM tcp
    description MobileIron ports
    port-object eq 9997
    port-object eq 9998
    port-object eq https
    object-group network OpenDNS
    description OpenDNS Servers
    network-object host 208.67.220.220
    network-object host 208.67.222.222
    network-object host 8.8.8.8
    network-object host 68.113.206.10
    object-group network healthpoint
    network-object 10.5.64.0 255.255.240.0
    object-group network vpnpool
    network-object 10.5.79.0 255.255.255.0
    object-group network dfb_group
    network-object object dfbgroup
    object-group network lausanne_group
    network-object 192.168.250.0 255.255.255.0
    object-group network DPTNetwork
    network-object object DPT
    network-object object Aerosol
    network-object object Brooks
    network-object object LakeWood
    network-object object Plant
    object-group network DM_INLINE_NETWORK_1
    network-object object Cegedim
    network-object object lausanne
    group-object DPTNetwork
    network-object object DPTNotes
    object-group service DFB-Allow tcp
    port-object eq 1025
    port-object eq 1119
    port-object eq 1120
    port-object range 1222 1225
    port-object eq 1433
    port-object eq 1503
    port-object eq 1516
    port-object eq 1533
    port-object range 16384 16403
    port-object eq 1755
    port-object eq 1919
    port-object eq 1935
    port-object range 2195 2196
    port-object eq 3050
    port-object eq 3080
    port-object eq 3101
    port-object eq 3244
    port-object eq 3264
    port-object eq 3306
    port-object eq 3389
    port-object eq 3724
    port-object eq 4000
    port-object eq 402
    port-object range 4080 4081
    port-object eq 4085
    port-object eq 50080
    port-object eq 5085
    port-object range 5220 5223
    port-object eq 5297
    port-object eq 5298
    port-object eq 5353
    port-object eq 5550
    port-object eq 5678
    port-object eq 58570
    port-object eq 5900
    port-object eq 6080
    port-object eq 6112
    port-object eq 6114
    port-object eq 6900
    port-object eq 7800
    port-object eq 8010
    port-object eq 8080
    port-object eq 8084
    port-object eq 81
    port-object eq 9081
    port-object eq 9090
    port-object eq 9997
    port-object eq aol
    port-object eq citrix-ica
    port-object eq echo
    port-object eq ftp
    port-object eq ftp-data
    port-object eq www
    port-object eq https
    port-object eq lotusnotes
    port-object eq rtsp
    port-object eq sip
    port-object eq sqlnet
    port-object eq ssh
    port-object eq 442
    object-group network webservers
    network-object host 204.71.89.34
    network-object host 204.71.89.35
    object-group network DM_INLINE_NETWORK_2
    network-object object KACE
    network-object object guesterooms
    network-object object guestspsales
    network-object object JohnsonControlServer
    network-object object mdm2
    object-group network DM_INLINE_NETWORK_3
    network-object host 10.5.65.230
    network-object host 10.5.65.232
    network-object object hpbexch
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq www
    port-object eq https
    object-group service kace tcp
    port-object eq 52230
    port-object eq www
    port-object eq https
    port-object eq 445
    port-object eq netbios-ssn
    object-group service DM_INLINE_TCP_0 tcp
    port-object eq www
    port-object eq https
    object-group service DM_INLINE_SERVICE_1
    service-object ip
    service-object tcp destination eq www
    service-object tcp destination eq https
    object-group service DM_INLINE_TCP_2 tcp
    port-object eq www
    port-object eq https
    object-group network VLAN_Switches
    network-object host 192.168.10.10
    network-object host 192.168.10.11
    network-object host 192.168.10.12
    network-object host 192.168.10.13
    network-object host 192.168.10.14
    network-object host 192.168.10.15
    network-object host 192.168.10.16
    network-object host 192.168.10.17
    network-object host 192.168.10.1
    object-group network Crystal_ERP
    description Crystal Enterprise and Infor LN
    network-object object Crystal
    network-object object ERPLN
    network-object object ERPLNDB
    network-object object NotesApps
    object-group service DM_INLINE_SERVICE_2
    service-object ip
    service-object tcp destination eq www
    service-object tcp destination eq https
    object-group network GuestDNS
    description DNS Servers for Guest
    network-object object DNSServer
    network-object object DNSServer2
    object-group service DM_INLINE_TCP_3 tcp
    port-object eq 3389
    port-object eq 3390
    object-group network DM_INLINE_NETWORK_4
    group-object healthpoint
    group-object vpnpool
    access-list external_access_out extended permit object-group DM_INLINE_SERVICE_1 192.168.3.0 255.255.255.0 any
    access-list external_access_out remark Production ACL
    access-list external_access_out extended permit tcp any any object-group DFB-Allow
    access-list external_access_out extended permit icmp any any
    access-list external_access_out extended permit tcp any object-group Web-Server-Stuff
    access-list external_access_out remark Site to Site connections
    access-list external_access_out extended permit ip any object-group DM_INLINE_NETWORK_1
    access-list external_access_out extended permit udp any object-group OpenDNS eq domain
    access-list external_access_out extended permit ip object-group DM_INLINE_NETWORK_3 any
    access-list split standard permit 10.5.64.0 255.255.240.0
    access-list split standard permit 10.5.250.0 255.255.255.248
    access-list split standard permit 10.5.128.0 255.255.240.0
    access-list split standard permit 10.5.144.0 255.255.240.0
    access-list split standard permit 10.5.16.0 255.255.240.0
    access-list split standard permit 10.5.32.0 255.255.240.0
    access-list split standard permit 10.5.96.0 255.255.240.0
    access-list split standard permit 10.5.80.0 255.255.240.0
    access-list split standard permit 10.5.48.0 255.255.240.0
    access-list split standard permit 10.5.0.0 255.255.240.0
    access-list split remark lausanne
    access-list split standard permit 192.168.250.0 255.255.255.0
    access-list split standard permit 172.18.0.0 255.255.0.0
    access-list split remark HP
    access-list external_access_in extended permit object-group DM_INLINE_SERVICE_2 any 192.168.3.0 255.255.255.0
    access-list external_access_in remark Sharepoint
    access-list external_access_in extended permit tcp any object spsales object-group DM_INLINE_TCP_2
    access-list external_access_in remark Sharepoint
    access-list external_access_in extended permit tcp any object spteams object-group DM_INLINE_TCP_1
    access-list external_access_in remark Sharepoint
    access-list external_access_in extended permit tcp any object spintranet object-group DM_INLINE_TCP_0
    access-list external_access_in remark healthpoint erooms
    access-list external_access_in extended permit tcp any object hperoom object-group DFB-eRoom
    access-list external_access_in remark MDM2 VSP
    access-list external_access_in extended permit tcp any object hpbMDM object-group MDM
    access-list external_access_in remark New Sentry
    access-list external_access_in extended permit tcp any object hpbsentry eq https
    access-list external_access_in remark kace mgmt appliacne
    access-list external_access_in extended permit tcp any object kacehost object-group kace
    access-list external_access_in remark authentication server
    access-list external_access_in extended permit object-group TCPUDP any object hpbmsvpn object-group VPN-MS
    access-list external_access_in extended permit gre any object hpbmsvpn
    access-list external_access_in remark HPB.NET new forest Exchange
    access-list external_access_in extended permit tcp any object hpbexch object-group Exchange
    access-list external_access_in remark EDI Inbound
    access-list external_access_in extended permit tcp any host 10.5.65.42 object-group EDI
    access-list AnyConnect_Client_Local_Print extended deny ip any any
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
    access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
    access-list AnyConnect_Client_Local_Print remark Windows' printing port
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
    access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
    access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
    access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
    access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
    access-list external_cryptomap extended permit ip object-group healthpoint object Cegedim
    access-list external_cryptomap_1 extended permit ip object-group dfb_group object-group lausanne_group
    access-list external_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_4 object-group DPTNetwork
    access-list Guest_access_in extended deny tcp 192.168.3.0 255.255.255.0 object-group GuestDNS object-group DM_INLINE_TCP_3 inactive
    access-list Guest_access_in extended permit ip 192.168.3.0 255.255.255.0 object-group GuestDNS inactive
    access-list Guest_access_in extended permit ip 192.168.3.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
    access-list Guest_access_in extended deny ip 192.168.3.0 255.255.255.0 10.5.64.0 255.255.240.0
    access-list Guest_access_in extended permit ip 192.168.3.0 255.255.255.0 any
    access-list Guest_access_out extended permit ip any any inactive
    access-list Guest_access_out extended permit ip any 192.168.3.0 255.255.255.0
    no pager
    logging enable
    logging buffer-size 1045786
    logging asdm informational
    mtu external 1500
    mtu internal 1500
    mtu Guest 1500
    mtu management 1500
    ip local pool HPVPNClients 10.5.79.0-10.5.79.254 mask 255.255.255.0
    ip verify reverse-path interface external
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any external
    icmp permit any internal
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp external *142.189.93 0024.c4c0.4cc0
    arp timeout 14400
    nat (internal,external) source static dfb dfb destination static vpnpool vpnpool route-lookup
    nat (internal,external) source static dfb dfb destination static lausanne lausanne
    nat (internal,external) source static healthpoint healthpoint destination static Cegedim Cegedim
    nat (external,internal) source static DPTNetwork DPTNetwork destination static Crystal_ERP Crystal_ERP no-proxy-arp
    nat (internal,external) source static healthpoint healthpoint destination static DPTDocumentum DPTDocumentum unidirectional
    nat (internal,external) source static healthpoint healthpoint destination static DPTDocB DPTDocB unidirectional
    nat (internal,external) source static healthpoint healthpoint destination static EzDocs EzDocs unidirectional
    nat (internal,external) source static healthpoint healthpoint destination static DPTNotes DPTNotes unidirectional
    object network obj-10.5.65.239
    nat (internal,external) static *142.189.82
    object network obj-10.5.65.253
    nat (internal,external) static *142.189.83
    object network obj-10.5.65.42
    nat (internal,external) static *142.189.84
    object network obj-10.5.65.219
    nat (internal,external) static *142.189.87
    object network obj_any
    nat (internal,external) dynamic interface dns
    object network hpbexch
    nat (internal,external) static *142.189.91
    object network hpbmsvpn
    nat (internal,external) static *142.189.82
    object network kacehost
    nat (internal,external) static *142.189.90
    object network hpbsentry
    nat (internal,external) static *142.189.92
    object network hpbMDM
    nat (internal,external) static *142.189.93
    object network hperoom
    nat (internal,external) static *142.189.88
    object network spintranet
    nat (internal,external) static *142.189.85
    object network spsales
    nat (internal,external) static *142.189.89
    object network spteams
    nat (internal,external) static *142.189.94
    object network GuestNetwork
    nat (Guest,external) dynamic interface
    access-group external_access_in in interface external
    access-group external_access_out out interface external
    access-group Guest_access_in in interface Guest
    access-group Guest_access_out out interface Guest
    route external 0.0.0.0 0.0.0.0 *142.189.25 1
    route external 10.5.16.0 255.255.240.0 *142.189.25 1
    route external 10.5.32.0 255.255.240.0 *142.189.25 1
    route external 10.5.80.0 255.255.240.0 *142.189.25 1
    route external 10.5.128.0 255.255.240.0 *142.189.25 1
    route external 10.5.240.0 255.255.240.0 *142.189.25 1
    route external 10.5.250.0 255.255.255.248 *142.189.25 1
    route internal 172.18.0.0 255.255.255.255 10.5.64.1 1
    route external 192.168.250.0 255.255.255.0 *142.189.25 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server VPN-RADAuth protocol radius
    aaa-server VPN-RADAuth (internal) host 10.5.65.253
    key *****
    radius-common-pw *****
    aaa-server VPN-RADAuth (internal) host 10.5.65.240
    key *****
    aaa-server VPN-RADAuthHPB protocol radius
    aaa-server VPN-RADAuthHPB (internal) host 10.5.64.196
    key *****
    radius-common-pw *****
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 10.5.0.0 255.255.0.0 internal
    http 0.0.0.0 0.0.0.0 external
    http 0.0.0.0 0.0.0.0 internal
    snmp-server host internal 10.5.65.210 community ***** version 2c
    snmp-server location Healthpoint.Vickery
    snmp-server contact Jonathan Henry
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map external_map 1 match address external_cryptomap
    crypto map external_map 1 set peer 64.126.222.190
    crypto map external_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map external_map 2 match address external_cryptomap_1
    crypto map external_map 2 set pfs
    crypto map external_map 2 set peer 109.164.216.164
    crypto map external_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map external_map 3 match address external_cryptomap_2
    crypto map external_map 3 set peer 12.197.232.98
    crypto map external_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map external_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map external_map interface external
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca trustpoint ASDM_TrustPoint0
    keypair ASDM_TrustPoint0
    crl configure
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
      quit
    crypto ca certificate chain ASDM_TrustPoint0
    certificate 4b54478c1754b7
      quit
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev1 enable external
    crypto ikev1 policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 2
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto ikev1 policy 3
    authentication pre-share
    encryption 3des
    hash sha
    group 1
    lifetime 86400
    crypto ikev1 policy 4
    authentication pre-share
    encryption 3des
    hash md5
    group 1
    lifetime 86400
    crypto ikev1 policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet 10.5.0.0 255.255.0.0 internal
    telnet 192.168.1.0 255.255.255.0 management
    telnet timeout 5
    ssh 10.5.0.0 255.255.0.0 internal
    ssh timeout 5
    console timeout 0
    no vpn-addr-assign aaa
    no vpn-addr-assign dhcp
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 10.5.65.242 source internal
    ssl trust-point ASDM_TrustPoint0 external
    webvpn
    enable external
    enable internal
    anyconnect-essentials
    anyconnect image disk0:/anyconnect-win-2.5.0217-k9.pkg 1
    anyconnect profiles HP_Basic disk0:/HP_Basic.xml
    anyconnect enable
    tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
    vpn-tunnel-protocol ikev1 ikev2
    group-policy HPVPN internal
    group-policy HPVPN attributes
    banner value You are now connected to Healthpoint, Ltd.
    wins-server none
    dns-server value 10.5.64.199 10.5.64.197
    dhcp-network-scope none
    vpn-idle-timeout none
    vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
    ip-comp disable
    ipsec-udp enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split
    default-domain value hpb.net
    split-dns none
    split-tunnel-all-dns disable
    user-authentication-idle-timeout none
    address-pools value HPVPNClients
    client-firewall none
    client-access-rule none
    webvpn
      anyconnect keep-installer installed
      anyconnect ssl compression none
      anyconnect profiles value HP_Basic type user
      anyconnect ask enable default anyconnect timeout 5
      http-comp none
    username bcline password Wpo.Polan03mKRJ9 encrypted privilege 15
    username jhenry password wX50UveiwuBH7p7v encrypted privilege 15
    username ittemp password zpQoWfp93rOS3NU7 encrypted privilege 5
    tunnel-group HPVPN type remote-access
    tunnel-group HPVPN general-attributes
    address-pool HPVPNClients
    authentication-server-group VPN-RADAuth
    authentication-server-group (external) VPN-RADAuth
    default-group-policy HPVPN
    password-management password-expire-in-days 3
    tunnel-group HPVPN webvpn-attributes
    group-alias HPVPN enable
    tunnel-group HPVPN ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group 64.126.222.190 type ipsec-l2l
    tunnel-group 64.126.222.190 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    tunnel-group 109.164.216.164 type ipsec-l2l
    tunnel-group 109.164.216.164 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    tunnel-group 12.197.232.98 type ipsec-l2l
    tunnel-group 12.197.232.98 ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group HPB type remote-access
    tunnel-group HPB general-attributes
    address-pool HPVPNClients
    authentication-server-group VPN-RADAuthHPB
    authentication-server-group (external) VPN-RADAuthHPB
    default-group-policy HPVPN
    password-management password-expire-in-days 3
    tunnel-group HPB webvpn-attributes
    group-alias HPB disable
    group-alias HPVPN_NEW enable
    tunnel-group HPB ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group HPB ppp-attributes
    authentication ms-chap-v2
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
      no dns-guard
    policy-map global_policy
    class inspection_default
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
      inspect dns
    service-policy global_policy global
    prompt hostname context
    service call-home
    call-home reporting anonymous
    call-home
    contact-email-addr
    profile CiscoTAC-1
      destination address
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:f3c293700f62ee55af87105015fe4cd0
    : end

    You have two options:
    1. The router that is internal must have a static route to the ASA to reach the VPN networks and must have a distribute static so that other routers that form part of EIGRP know how to route to the VPN networks.
    2. You can configure on the ASA "set reverse-route" on the crypto map then configure EIGRP on the ASA and add redistribute static so that routes learned via VPN (considered static routes) can be pushed through EIGRP.

  • Nexus 6004 EIGRP Relationship between the two switches

    Hi All,
    I will try to explain this as best as I can. In our current TEST LAB we have a pair of Cisco ASA5585x running in Active/Passive mode. We use a VRF transit to connect the 10 GB interface to a pair of Cisco Nexus 6004 (L3) switches running vPC between them. Downstream we also have a pair of Cisco 9372 switches (L2), also running vPC between the two.
    As of right now we have an EIGRP neighbor relationship formed between the two N6K's and the ASA.
    ASA
    ciscoasa# sh eigrp neighbors
    EIGRP-IPv4 neighbors for process 100
    H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                                (sec)         (ms)       Cnt Num
    1   172.16.230.9            Te0/8.451        12  01:30:25 1    200   0   52
    0   172.16.230.10           Te0/8.451        12  01:30:25 1    200   0   48
    The ASA formed a relationship with both N6K's.
    SWITCH1
    Nexus6-1# sh ip eigrp neighbors vrf inside
    IP-EIGRP neighbors for process 100 VRF Inside
    H   Address                 Interface       Hold  Uptime  SRTT   RTO  Q  Seq
                                                (sec)         (ms)       Cnt Num
    0   172.16.8.3              Vlan680         11   01:28:28  1    50    0   45
    1   172.16.230.10           Vlan451         13   01:28:28  1    50    0   46
    2   172.16.230.11           Vlan451         10   01:28:00  4    50    0   13
    Nexus6-1#
    SWITCH2
    Nexus6-2# sh ip eigrp neighbors vrf Inside
    IP-EIGRP neighbors for process 100 VRF Inside
    H   Address                 Interface       Hold  Uptime  SRTT   RTO  Q  Seq
                                                (sec)         (ms)       Cnt Num
    2   172.16.8.2              Vlan680         14   01:30:11  23   138   0   48
    0   172.16.230.9            Vlan451         13   01:30:11  480  2880  0   50
    1   172.16.230.11           Vlan451         13   01:29:48  1598 5000  0   13
    Nexus6-2#
    Both Nexus switches formed EIGRP neighbors using the vPC Peer-Link. There is enough documentation out there that strongly suggests not using vPC Peer-Links for anything EIGRP.
    We do have additional interfaces available on the 6K's that we can use as a cross connect for EIGRP. What we are having trouble understanding is how we can force EIGRP traffic over those ports.
    Here is a complete Switch config:
    Switch1
    Nexus6-1# sh run
    feature telnet
    cfs eth distribute
    feature eigrp
    feature interface-vlan
    feature lacp
    feature vpc
    feature lldp
    vlan 1
    vlan 451
    name P2P_VRF_SVI
    vlan 652
    name Management
    vlan 680
    name Inside
    vrf context Inside
    vrf context management
    ip route 0.0.0.0/0 172.16.52.1
    vrf context peer-keepalive
    vpc domain 99
    role priority 1
    peer-keepalive destination 10.200.50.2 source 10.200.50.1 vrf peer-keepalive
    delay restore 120
    interface Vlan1
    interface Vlan451
    description Inside p2p to ASA
    no shutdown
    vrf member Inside
    ip address 172.16.230.9/29
    ip router eigrp 100
    no ip passive-interface eigrp 100
    interface Vlan651
    interface Vlan680
    description Inside Network
    no shutdown
    vrf member Inside
    ip address 172.16.8.2/22
    ip router eigrp 100
    interface port-channel99
    switchport mode trunk
    spanning-tree port type network
    vpc peer-link
    interface port-channel102
    switchport mode trunk
    vpc 102
    interface Ethernet1/1
    description vPC Peer Link 1.1
    switchport mode trunk
    speed auto
    channel-group 99
    interface Ethernet1/6
    interface Ethernet1/7
    description vPC Peer Link 1.7 to Nexus 9372 PRI
    switchport mode trunk
    speed auto
    channel-group 102 mode active
    interface Ethernet1/8
    interface Ethernet1/9
    interface Ethernet2/1
    description vPC Peer Link 2.1
    switchport mode trunk
    speed auto
    channel-group 99
    interface Ethernet2/2
    interface Ethernet2/7
    description vPC Peer Link 2.1 to Nexus SEC
    switchport mode trunk
    speed auto
    channel-group 102 mode active
    interface Ethernet2/8
    interface Ethernet8/1
    description keep-alive peer-link to ALNSWI02
    no switchport
    vrf member peer-keepalive
    ip address 10.200.50.1/30
    interface Ethernet8/2
    description Uplink to ASA
    switchport mode trunk
    interface Ethernet8/3
    interface mgmt0
    vrf member management
    ip address 172.16.52.3/23
    line console
    line vty
    boot kickstart bootflash:/n6000-uk9-kickstart.7.0.1.N1.1.bin
    boot system bootflash:/n6000-uk9.7.0.1.N1.1.bin
    router eigrp 100
    passive-interface default
    default-information originate
    vrf Inside
    autonomous-system 100
    default-information originate
    poap transit
    Nexus6-1#
    Nexus6-1# sh ip eigrp neighbors vrf inside
    IP-EIGRP neighbors for process 100 VRF Inside
    H   Address                 Interface       Hold  Uptime  SRTT   RTO  Q  Seq
                                                (sec)         (ms)       Cnt Num
    0   172.16.8.3              Vlan680         11   01:28:28  1    50    0   45
    1   172.16.230.10           Vlan451         13   01:28:28  1    50    0   46
    2   172.16.230.11           Vlan451         10   01:28:00  4    50    0   13
    Nexus6-1#
    Nexus6-1# sh ip eigrp topology vrf Inside
    IP-EIGRP Topology Table for AS(100)/ID(172.16.8.2) VRF Inside
    Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
    r - reply Status, s - sia Status
    P 172.16.8.0/22, 1 successors, FD is 2816
    via Connected, Vlan680
    P 172.16.230.8/29, 1 successors, FD is 2816
    via Connected, Vlan451
    Nexus6-1# sh vpc
    Legend:
    (*) - local vPC is down, forwarding via vPC peer-link
    vPC domain id : 99
    Peer status : peer adjacency formed ok
    vPC keep-alive status : peer is alive
    Configuration consistency status : success
    Per-vlan consistency status : success
    Type-2 consistency status : success
    vPC role : primary
    Number of vPCs configured : 1
    Peer Gateway : Disabled
    Dual-active excluded VLANs : -
    Graceful Consistency Check : Enabled
    Auto-recovery status : Disabled
    vPC Peer-link status
    id Port Status Active vlans
    1 Po99 up 1,451,652,680
    vPC status
    id Port Status Consistency Reason Active vlans
    102 Po102 up success success 1,451,652,6
    80
    Nexus6-1# sh spanning-tree
    VLAN0001
    Spanning tree enabled protocol rstp
    Root ID Priority 32769
    Address 1005.caf5.88ff
    Cost 2
    Port 4197 (port-channel102)
    Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
    Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
    Address 8c60.4f2d.2ffc
    Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
    Interface Role Sts Cost Prio.Nbr Type
    Po99 Desg FWD 1 128.4194 (vPC peer-link) Network P2p
    Po102 Root FWD 1 128.4197 (vPC) P2p
    Eth8/2 Desg FWD 2 128.1026 P2p
    Eth8/3 Desg FWD 2 128.1027 P2p
    VLAN0451
    Spanning tree enabled protocol rstp
    Root ID Priority 33219
    Address 8c60.4f2d.2ffc
    This bridge is the root
    Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
    Bridge ID Priority 33219 (priority 32768 sys-id-ext 451)
    Address 8c60.4f2d.2ffc
    Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
    Interface Role Sts Cost Prio.Nbr Type
    Po99 Desg FWD 1 128.4194 (vPC peer-link) Network P2p
    Po102 Desg FWD 1 128.4197 (vPC) P2p
    Eth8/2 Desg FWD 2 128.1026 P2p
    VLAN0652
    Spanning tree enabled protocol rstp
    Root ID Priority 33420
    Address 1005.caf5.88ff
    Cost 2
    Port 4197 (port-channel102)
    Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
    Bridge ID Priority 33420 (priority 32768 sys-id-ext 652)
    Address 8c60.4f2d.2ffc
    Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
    Interface Role Sts Cost Prio.Nbr Type
    Po99 Desg FWD 1 128.4194 (vPC peer-link) Network P2p
    Po102 Root FWD 1 128.4197 (vPC) P2p
    Eth8/2 Desg FWD 2 128.1026 P2p
    VLAN0680
    Spanning tree enabled protocol rstp
    Root ID Priority 33448
    Address 1005.caf5.88ff
    Cost 2
    Port 4197 (port-channel102)
    Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
    Bridge ID Priority 33448 (priority 32768 sys-id-ext 680)
    Address 8c60.4f2d.2ffc
    Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
    Interface Role Sts Cost Prio.Nbr Type
    Po99 Desg FWD 1 128.4194 (vPC peer-link) Network P2p
    Po102 Root FWD 1 128.4197 (vPC) P2p
    Eth8/2 Desg FWD 2 128.1026 P2p
    Nexus6-1#
    Switch2
    Nexus6-2# sh run
    !Command: show running-config
    !Time: Sat Feb 12 19:02:44 2011
    version 7.0(1)N1(1)
    hostname Nexus6-2
    feature telnet
    cfs eth distribute
    feature eigrp
    feature interface-vlan
    feature lacp
    feature vpc
    feature lldp
    vlan 1
    vlan 451
    name P2P_VRF_SVI
    vlan 652
    name Management
    vlan 680
    name Inside
    vrf context Inside
    vrf context P2P_Inside_VRF
    vrf context management
    ip route 0.0.0.0/0 172.16.52.1
    vrf context peer-keepalive
    vpc domain 99
    role priority 2
    peer-keepalive destination 10.200.50.1 source 10.200.50.2 vrf peer-keepalive
    delay restore 120
    interface Vlan1
    interface Vlan451
    description Inside p2p to ASA
    no shutdown
    vrf member Inside
    ip address 172.16.230.10/29
    ip router eigrp 100
    no ip passive-interface eigrp 100
    interface Vlan680
    description Inside Network
    no shutdown
    vrf member Inside
    ip address 172.16.8.3/22
    ip router eigrp 100
    interface port-channel99
    switchport mode trunk
    spanning-tree port type network
    vpc peer-link
    interface port-channel102
    switchport mode trunk
    vpc 102
    interface Ethernet1/1
    description vPC Peer Link 1.1
    switchport mode trunk
    speed auto
    channel-group 99
    interface Ethernet1/2
    interface Ethernet1/6
    interface Ethernet1/7
    description vPC Link 1.7 to Nexus 9372 SEC
    switchport mode trunk
    speed auto
    channel-group 102 mode active
    interface Ethernet1/8
    interface Ethernet1/12
    interface Ethernet2/1
    description vPC Peer Link 2.1
    switchport mode trunk
    speed auto
    channel-group 99
    interface Ethernet2/2
    interface Ethernet2/6
    interface Ethernet2/7
    description vPC Link 2.1 to Nexus PRI
    switchport mode trunk
    speed auto
    channel-group 102 mode active
    interface Ethernet2/8
    interface Ethernet2/12
    interface Ethernet8/1
    description keep-alive peer-link to ALNSWI01
    no switchport
    vrf member peer-keepalive
    ip address 10.200.50.2/30
    interface Ethernet8/2
    description Uplink to ASA
    switchport mode trunk
    switchport trunk allowed vlan 1,451,652,680
    interface Ethernet8/3
    interface Ethernet8/20
    interface mgmt0
    vrf member management
    ip address 172.16.52.4/23
    line console
    line vty
    boot kickstart bootflash:/n6000-uk9-kickstart.7.0.1.N1.1.bin
    boot system bootflash:/n6000-uk9.7.0.1.N1.1.bin
    router eigrp 100
    vrf Inside
    autonomous-system 100
    default-information originate
    poap transit
    logging logfile messages 6
    Nexus6-2#
    Nexus6-2#
    Nexus6-2# sh ip eigrp neighbors vrf Inside
    IP-EIGRP neighbors for process 100 VRF Inside
    H   Address                 Interface       Hold  Uptime  SRTT   RTO  Q  Seq
                                                (sec)         (ms)       Cnt Num
    2   172.16.8.2              Vlan680         14   01:30:11  23   138   0   48
    0   172.16.230.9            Vlan451         13   01:30:11  480  2880  0   50
    1   172.16.230.11           Vlan451         13   01:29:48  1598 5000  0   13
    Nexus6-2#
    Nexus6-2# sh ip eigrp topology vrf Inside
    IP-EIGRP Topology Table for AS(100)/ID(172.16.8.3) VRF Inside
    Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
    r - reply Status, s - sia Status
    P 172.16.8.0/22, 1 successors, FD is 2816
    via Connected, Vlan680
    P 172.16.230.8/29, 1 successors, FD is 2816
    via Connected, Vlan451
    Nexus6-2#
    Nexus6-2#
    Nexus6-2# sh vpc
    Legend:
    (*) - local vPC is down, forwarding via vPC peer-link
    vPC domain id : 99
    Peer status : peer adjacency formed ok
    vPC keep-alive status : peer is alive
    Configuration consistency status : success
    Per-vlan consistency status : success
    Type-2 consistency status : success
    vPC role : secondary
    Number of vPCs configured : 1
    Peer Gateway : Disabled
    Dual-active excluded VLANs : -
    Graceful Consistency Check : Enabled
    Auto-recovery status : Disabled
    vPC Peer-link status
    id Port Status Active vlans
    1 Po99 up 1,451,652,680
    vPC status
    id Port Status Consistency Reason Active vlans
    102 Po102 up success success 1,451,652,6
    80
    Nexus6-2#
    Nexus6-2#
    Nexus6-2# sh spanning-tree
    VLAN0001
    Spanning tree enabled protocol rstp
    Root ID Priority 32769
    Address 1005.caf5.88ff
    Cost 3
    Port 4194 (port-channel99)
    Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
    Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
    Address 8c60.4f2d.777c
    Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
    Interface Role Sts Cost Prio.Nbr Type
    Po99 Root FWD 1 128.4194 (vPC peer-link) Network P2p
    Po102 Root FWD 1 128.4197 (vPC) P2p
    Eth8/2 Desg FWD 2 128.1026 P2p
    Eth8/3 Desg FWD 2 128.1027 P2p
    VLAN0451
    Spanning tree enabled protocol rstp
    Root ID Priority 33219
    Address 8c

    Jon,
    Are you ready for the mass confusion?
    When looking at the ASA EIGRP neighbors output, here is what I see.
    ASA# sh eigrp neighbors
    EIGRP-IPv4 neighbors for process 100
    H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                                (sec)         (ms)       Cnt Num
    3   172.16.230.1            Te0/8.450        13  16:45:14 1    200   0   64
    2   172.16.230.2            Te0/8.450        11  16:45:14 1    200   0   84
    1   172.16.230.10           Te0/8.451        11  16:45:20 1    200   0   178
    0   172.16.230.9            Te0/8.451        13  16:45:20 1    200   0   148
    For simplicity's sake, let's just concentrate on interface TenGigabit0/8.451, which is the SVI on the Nexus switch that is VLAN451.
    From the Nexus Switch 6004 that is directly connected to the ASA, here is what I see:
    SWI01# sh ip eigrp neighbors vrf Inside
    IP-EIGRP neighbors for process 100 VRF Inside
    H   Address                 Interface       Hold  Uptime  SRTT   RTO  Q  Seq
                                                (sec)         (ms)       Cnt Num
    0   172.16.8.3              Vlan680         10   17:04:30  54   324   0   177
    1   172.16.230.10           Vlan451         11   16:59:10  819  4914  0   178
    2   172.16.230.11           Vlan451         14   16:53:48  24   144   0   20
    The Inside VRF that is tied to both SVIs on the switch, VLANs 451 and 680, is in EIGRP 100 on the switch.
    SWI01# sh run int vlan 451
    interface Vlan451
      description Inside p2p to ASA
      no shutdown
      vrf member Inside
      ip address 172.16.230.9/29
      ip router eigrp 100
      no ip passive-interface eigrp 100
    SWI01# sh run int vlan 680
    interface Vlan680
      description Inside Network
      no shutdown
      vrf member Inside
      ip address 172.16.8.2/22
      ip router eigrp 100
      hsrp 1
        authentication text test
        preempt
        priority 250
        ip 172.16.8.1
    So, are you with me so far?
    If you are, you have noticed that on the ASA neighbors the ASA sees 172.16.230.11 as a neighbor, which is the Secondary Nexus SW. That is because they all share the same subnet.
    172.16.230.8/29
    Breakdown:
    PRI Nexus 6004 - 172.16.230.9
    SEC NEXUS 6004 - 172.16.230.10
    PRI ASA 5585x  - 172.16.230.11
    SEC ASA 5585x  - 172.16.230.12
    Because the ASA EIGRP network is a /29, it learns the Secondary Nexus via the Primary Nexus.
    I am not sure that the link we created between the two Nexus switches is doing anything but consuming ports right now.
    SWI01# sh run int ethernet 8/9
    interface Ethernet8/9
      description EIGRP PORT to Secondary Nexus
      switchport mode trunk
      switchport trunk allowed vlan 450-451
    SWI02# sh run int ethernet 8/9
    interface Ethernet8/9
      description EIGRP PORT to Primary Nexus
      switchport mode trunk
      switchport trunk allowed vlan 450-451
    So the SVIs that go up to the ASA for inspection are 450 and 451. The network SVIs are 600 and 680; all of them live on the switch, and 680 and 600 are extended over the peer links down to the 9372's.
    I think that we are breaking the golden rule of vPC, BUT I am not 100% sure. Some of the documents read that we should not be allowing network VLANs over peer links, but then how do you extend the VLANs down to the leaf switch?
    This is giving me nightmares at the moment...
    Does this make sense?
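    As an added example for this thread (not code from the posts, from Cisco, or from the Nexus itself), the following Python parses the plain-text "sh ip eigrp neighbors" table quoted above and, for each adjacency to the other vPC peer, reports whether the SVI's VLAN can only cross the vPC peer-link (the case the thread warns against) or is also carried by the dedicated Ethernet8/9 trunk. The addresses and VLAN lists are those given in the posts; treating the trunk allowed-VLAN lists as the only possible paths is this example's own assumption.

```python
"""Classify EIGRP adjacencies between two vPC peers by the trunk that can carry them.

Added example for this thread; not code from the posts or from Cisco. The sample
neighbor table, peer addresses and VLAN lists are copied from the quoted output;
the path classification (which trunk carries which VLAN) is this example's assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the Nexus6-1 neighbor table quoted in the thread.
NEXUS6_1_NEIGHBORS = """\
IP-EIGRP neighbors for process 100 VRF Inside
H   Address                 Interface       Hold  Uptime  SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   172.16.8.3              Vlan680         11   01:28:28  1    50    0   45
1   172.16.230.10           Vlan451         13   01:28:28  1    50    0   46
2   172.16.230.11           Vlan451         10   01:28:00  4    50    0   13
"""

# SVI addresses of the vPC peer (Nexus6-2), from its running-config in the thread.
PEER_SWITCH_ADDRESSES = {"172.16.8.3", "172.16.230.10"}

# Which trunk carries which VLANs: Po99 active VLANs from 'sh vpc', and the
# 'switchport trunk allowed vlan 450-451' on the dedicated Ethernet8/9 link.
PEER_LINK = "port-channel99 (vPC peer-link)"
TRUNK_VLANS = {
    PEER_LINK: {1, 451, 652, 680},
    "Ethernet8/9 (dedicated EIGRP link)": {450, 451},
}


@dataclass(frozen=True)
class Neighbor:
    address: str
    interface: str
    hold: int
    uptime: str


# One data row: handle, address, interface, hold, uptime, SRTT, RTO, Q count, seq.
ROW_RE = re.compile(
    r"^(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\d+)\s+(\S+)\s+\d+\s+\d+\s+\d+\s+\d+$"
)


def parse_neighbors(text: str) -> list[Neighbor]:
    """Return the data rows of a 'show ip eigrp neighbors' table; header lines are skipped."""
    out: list[Neighbor] = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            _, addr, intf, hold, uptime = m.groups()
            out.append(Neighbor(addr, intf, int(hold), uptime))
    return out


def svi_vlan(interface: str) -> int | None:
    """VLAN id of an SVI name such as 'Vlan680'; None for physical or sub-interfaces."""
    m = re.fullmatch(r"[Vv]lan(\d+)", interface)
    return int(m.group(1)) if m else None


def classify_peer_adjacencies(neighbors, peer_addresses, trunk_vlans, peer_link):
    """Map each adjacency to the vPC peer onto the trunks that can carry its VLAN.

    Returns {neighbor address: verdict}: 'peer-link only' when the vPC peer-link is
    the sole trunk carrying the VLAN, 'shared' when another trunk also carries it
    (the actual path then depends on spanning tree), 'dedicated' when the peer-link
    does not carry it, or 'no trunk' when nothing does.
    """
    verdicts = {}
    for n in neighbors:
        if n.address not in peer_addresses:
            continue  # the ASA and other non-peer neighbors are out of scope here
        vlan = svi_vlan(n.interface)
        carriers = {name for name, vlans in trunk_vlans.items() if vlan in vlans}
        if not carriers:
            verdicts[n.address] = "no trunk"
        elif carriers == {peer_link}:
            verdicts[n.address] = "peer-link only"
        elif peer_link in carriers:
            verdicts[n.address] = "shared"
        else:
            verdicts[n.address] = "dedicated"
    return verdicts


def audit(text: str = NEXUS6_1_NEIGHBORS) -> dict[str, str]:
    """Parse the sample table and classify the adjacencies to Nexus6-2."""
    return classify_peer_adjacencies(
        parse_neighbors(text), PEER_SWITCH_ADDRESSES, TRUNK_VLANS, PEER_LINK)


if __name__ == "__main__":
    for address, verdict in audit().items():
        print(f"{address:<16} {verdict}")
```

    On the quoted table the Vlan680 adjacency to 172.16.8.3 comes out as "peer-link only", while the Vlan451 adjacency to 172.16.230.10 is "shared", so the neighbor table alone cannot show whether it uses Ethernet8/9.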

  • Named EIGRP for IPv6

    Hi,
    I'm trying to do some lab testing and tested named EIGRP. I was able to understand the EIGRPv6 configuration, where you configure the EIGRP statement under the interface and issue "no shutdown" under the EIGRP process created. So basically all IPv6 networks that have to be advertised via EIGRP have to have the "ip eigrp xxx" statement under the interface.
    Now, I'm trying to do named EIGRP. By simply creating the EIGRP multi-af process and issuing "no shutdown" under the address-family ipv6 autonomous-system, all interfaces with an IPv6 address are advertised right away and EIGRP peering gets established as well.
    Is this the normal behavior? So is it a general practice to shut down the address-family ipv6 process first and set af-interface default to the shutdown state, then individually turn on specific af-interfaces for EIGRP IPv6 processing?
    Thanks,
    JL
    Configuration Below:
    R1#sh run
    Building configuration...
    Current configuration : 1030 bytes
    ! Last configuration change at 16:23:15 UTC Wed Oct 8 2014
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    hostname R1
    boot-start-marker
    boot-end-marker
    no aaa new-model
    ip cef    
    ipv6 unicast-routing
    ipv6 cef
    multilink bundle-name authenticated
    interface Loopback0
     ip address 150.1.1.1 255.255.255.255
     ipv6 address 2001:1:1:1::1/128
    interface Loopback1
     no ip address
     ipv6 address 2001:1:1:1::11/128
    interface FastEthernet0/0
     no ip address
     shutdown
     speed auto
     duplex auto
    interface FastEthernet0/1
     ip address 155.1.12.1 255.255.255.0
     speed auto
     duplex auto
     ipv6 address 2001:1:1:12::1/64
    router eigrp multi_af
     address-family ipv6 unicast autonomous-system 100
      topology base
      exit-af-topology
     exit-address-family
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    control-plane
    line con 0
     stopbits 1
    line aux 0
     stopbits 1
    line vty 0 4
     login
    end
    R1#
    R2#sh running-config
    Building configuration...
    Current configuration : 969 bytes
    ! Last configuration change at 16:23:26 UTC Wed Oct 8 2014
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    hostname R2
    boot-start-marker
    boot-end-marker
    no aaa new-model
    ip cef    
    ipv6 unicast-routing
    ipv6 cef
    multilink bundle-name authenticated
    interface Loopback0
     ip address 150.1.2.2 255.255.255.255
     delay 1
     ipv6 address 2001:1:1:1::2/128
    interface FastEthernet0/0
     no ip address
     shutdown
     speed auto
     duplex auto
    interface FastEthernet0/1
     ip address 155.1.12.2 255.255.255.0
     speed auto
     duplex auto
     ipv6 address 2001:1:1:12::2/64
    router eigrp multi_af
     address-family ipv6 unicast autonomous-system 100
      topology base
      exit-af-topology
     exit-address-family
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    control-plane
    line con 0
     stopbits 1
    line aux 0
     stopbits 1
    line vty 0 4
     login
    end
    R2#
    R1#sh ipv6 route
    IPv6 Routing Table - default - 6 entries
    Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
           B - BGP, R - RIP, H - NHRP, I1 - ISIS L1
           I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
           EX - EIGRP external, ND - ND Default, NDp - ND Prefix, DCE - Destination
           NDr - Redirect, O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1
           OE2 - OSPF ext 2, ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, l - LISP
    LC  2001:1:1:1::1/128 [0/0]
         via Loopback0, receive
    D   2001:1:1:1::2/128 [90/107520]
         via FE80::C80C:10FF:FEF4:6, FastEthernet0/1
    LC  2001:1:1:1::11/128 [0/0]
         via Loopback1, receive
    C   2001:1:1:12::/64 [0/0]
         via FastEthernet0/1, directly connected
    L   2001:1:1:12::1/128 [0/0]
         via FastEthernet0/1, receive
    L   FF00::/8 [0/0]
         via Null0, receive
    R1#
    R2#sh ipv6 route
    IPv6 Routing Table - default - 6 entries
    Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
           B - BGP, R - RIP, H - NHRP, I1 - ISIS L1
           I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
           EX - EIGRP external, ND - ND Default, NDp - ND Prefix, DCE - Destination
           NDr - Redirect, O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1
           OE2 - OSPF ext 2, ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, l - LISP
    D   2001:1:1:1::1/128 [90/103040]
         via FE80::C80A:10FF:FEF4:6, FastEthernet0/1
    LC  2001:1:1:1::2/128 [0/0]
         via Loopback0, receive
    D   2001:1:1:1::11/128 [90/103040]
         via FE80::C80A:10FF:FEF4:6, FastEthernet0/1
    C   2001:1:1:12::/64 [0/0]
         via FastEthernet0/1, directly connected
    L   2001:1:1:12::2/128 [0/0]
         via FastEthernet0/1, receive
    L   FF00::/8 [0/0]
         via Null0, receive
    R2#

    The only way I found to disable the automatic route advertisement is to shut the routing process right away after it was created. Go to IPv6 address-family and shut the af-interface default and turn on individual interface that needs to participate.  If the routing process is turned on and you added an IPv6 address-family, all interfaces with IPv6 address will automatically participate. So if you already have an IPv4 address-family running in the first place and you want to add IPv6 under the same EIGRP process then it would be ideal to plot it through notepad and paste it to ensure you can have absolute control of the IPv6 advertisement. 
    That's how I see it and just correct me if I am wrong. 

  • DMVPN using GRE Configuration with EIGRP

    Good morning to all,
    What a pleasure to find a forum in our language where we can raise any problem with our network and enlist the help of experts.
    My case is as follows:
    I configured DMVPN using a tunnel to bring up the VPN, using Loopback interfaces on the spokes and the Hub. The VPN is properly UP, but I have a problem: I have not yet achieved that the data sent is encrypted by the tunnel. I am missing something in the settings to accomplish this; I am sending here the settings made on the Hub and spokes.
    Spoke
    crypto isakmp policy 1
    encr aes
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key NETWORKLESSONS address 0.0.0.0 0.0.0.0
    crypto ipsec transform-set MYSET esp-aes esp-md5-hmac
    crypto ipsec profile MGRE
    set transform-set MYSET
    interface Tunnel0
    bandwidth 512
    ip address 10.254.254.3 255.255.255.0
    ip mtu 1500
    ip nhrp authentication cisco
    ip nhrp map multicast 10.2.32.21
    ip nhrp map 10.254.254.1 10.2.32.21
    ip nhrp network-id 1
    ip nhrp nhs 10.254.254.1
    ip tcp adjust-mss 1436
    no ip split-horizon eigrp 100
    tunnel source 10.60.5.32
    tunnel destination 10.60.0.0
    tunnel key 1
    tunnel protection ipsec profile MGRE
    interface Serial0/0/0.532 point-to-point
    description CON ENLACE ASR-1000
    bandwidth 256
    ip address 10.2.32.22 255.255.255.252
    frame-relay interface-dlci 532  
      class QoS-256kbps
    ip access-list extended GRE
    permit gre host 10.2.32.22 host 10.2.32.21
    ------------  HUB
    crypto isakmp policy 1
    encr aes
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key NETWORKLESSONS address 0.0.0.0 0.0.0.0
    crypto ipsec transform-set MYSET esp-aes esp-md5-hmac
    crypto ipsec profile MGRE
    set transform-set MYSET
    interface Tunnel0
    ip address 10.254.254.1 255.255.255.0
    no ip redirects
    ip flow ingress
    ip nhrp authentication cisco
    ip nhrp map multicast dynamic
    ip nhrp network-id 1
    no ip split-horizon eigrp 100
    tunnel source Loopback1
    tunnel mode gre multipoint
    tunnel key 1
    tunnel protection ipsec profile MGRE
    interface GigabitEthernet1/1/4.532
    description Aeropuerto Maturin CTO:CEEAP-XXXX
    bandwidth 256
    encapsulation dot1Q 2532
    ip address 10.2.32.21 255.255.255.252
    service-policy output QoS-256Kbps
    ASR-ROSAL-01#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    10.60.0.0       10.60.5.32      QM_IDLE          22062 ACTIVE
    IPv6 Crypto ISAKMP SA
    Anyone have any idea regarding this configuration.
    Thank you.

    Hi Reza Sharifi,
    Thanks for the help. I added the following configuration to the routers:
    R1 & R2:
    interface Tunnel0
     ip hello-interval eigrp 100 60
     ip hold-time eigrp 100 300
    In this case it will have to miss 5 hellos to declare the neighbor dead.
    I will let you know if this fixed the problem or not.
    Best Regards
    Sensie

  • Tacacs Authentication - VRF ?

    Hi!
    Our Management LAN for accessing the switch is reachable through a VRF.
    I tried to configure TACACS+ for user authentication by specifying "ip tacacs source-interface vlxxx".
    This vlxxx is a member of this Management-VRF.
    But the switch does NOT send any TACACS request through that particular VRF.
    Could you please help me?
    Thx
    Hans

    I'm having the same issue with a router running: c2800nm-advipservicesk9-mz.124-15.T1.bin
    The config is as follows:
    aaa new-model
    aaa group server tacacs+ TACACSGROUP
    server-private 10.1.2.49 port 49 key 7 143A070718xxxxx26616572000156
    ip vrf forwarding XXXX-General
    ip tacacs source-interface GigabitEthernet0/0.9
    aaa authentication login default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    ip vrf XXXX-General
    rd 1:10
    route-target export 1:10
    route-target import 1:10
    ip vrf XXXX-Guest
    rd 1:30
    route-target export 1:30
    route-target import 1:30
    ip vrf XXXX-Voice
    rd 1:20
    route-target export 1:20
    route-target import 1:20
    interface GigabitEthernet0/0
    description port21-switch(10.27.1.30)-trunk
    no ip address
    duplex auto
    speed auto
    interface GigabitEthernet0/0.1
    encapsulation dot1Q 1 native
    ip vrf forwarding XXXX-General
    ip address 10.27.1.1 255.255.0.0
    interface GigabitEthernet0/0.2
    encapsulation dot1Q 172
    ip vrf forwarding XXXX-Guest
    ip address 172.16.27.1 255.255.255.0
    interface GigabitEthernet0/0.9
    encapsulation dot1Q 9
    ip vrf forwarding XXXX-General
    ip address 10.235.30.1 255.255.255.0
    h323-gateway voip bind srcaddr 10.235.30.1
    interface Serial0/0/0:1
    description Sprint MPLS
    no ip address
    encapsulation frame-relay
    frame-relay lmi-type ansi
    service-policy output WAN-INGRESS
    interface Serial0/0/0:1.301 point-to-point
    ip vrf forwarding XXXX-General
    ip address 10.150.1.1 255.255.255.240
    frame-relay interface-dlci 301
    interface Serial0/0/0:1.401 point-to-point
    ip vrf forwarding XXXX-Voice
    ip address 10.151.1.1 255.255.255.240
    frame-relay interface-dlci 401
    interface Serial0/0/0:1.501 point-to-point
    ip vrf forwarding XXXX-Guest
    ip address 10.152.1.1 255.255.255.240
    frame-relay interface-dlci 501
    router eigrp 100
    no auto-summary
    address-family ipv4 vrf XXXX-Voice
    auto-summary
    autonomous-system 20
    exit-address-family
    address-family ipv4 vrf XXXX-Guest
    network 172.16.0.0
    auto-summary
    autonomous-system 30
    exit-address-family
    address-family ipv4 vrf XXXX-General
    redistribute bgp 65001 metric 10000 100 255 1 1500
    network 10.27.0.0 0.0.255.255
    no auto-summary
    autonomous-system 2
    exit-address-family
    router bgp 65001
    no synchronization
    bgp log-neighbor-changes
    no auto-summary
    address-family ipv4 vrf XXXX-Voice
    neighbor 10.151.1.2 remote-as 1803
    neighbor 10.151.1.2 password 7 153E0xxxxx3627
    neighbor 10.151.1.2 version 4
    neighbor 10.151.1.2 activate
    no synchronization
    exit-address-family
    address-family ipv4 vrf XXXX-Guest
    neighbor 10.152.1.2 remote-as 1803
    neighbor 10.152.1.2 password 7 1062001xxx318180138
    neighbor 10.152.1.2 version 4
    neighbor 10.152.1.2 activate
    no synchronization
    exit-address-family
    address-family ipv4 vrf XXXX-General
    neighbor 10.150.1.2 remote-as 1803
    neighbor 10.150.1.2 password 7 07232xxxx41816031719
    neighbor 10.150.1.2 version 4
    neighbor 10.150.1.2 activate
    no synchronization
    network 10.27.0.0 mask 255.255.0.0
    network 10.235.30.0 mask 255.255.255.0
    exit-address-family
    ip tacacs source-interface GigabitEthernet0/0.9
    tacacs-server host 10.1.2.49
    tacacs-server directed-request
    tacacs-server key 7 080Cxxxxxxxxxx
    Any insight would be great.
    [email protected]
    Chris Serafin

  • Inside interfaces only participate in EIGRP

    I enabled EIGRP on a 2911 router; only the LAN interfaces that have ip nat inside enabled show up in show ip eigrp interface:
                               Xmit Queue   PeerQ        Mean   Pacing Time   Multicast    Pending
    Interface              Peers  Un/Reliable  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
    Gi0/0.116                0        0/0       0/0           0       0/0            0           0
    Gi0/0.115                0        0/0       0/0           0       0/0            0           0
    NV0                      0        0/0       0/0           0      11/11           0
    It doesn't show the other interfaces. I think the problem comes from the NVI0 interface (the virtual NAT interface), which takes the same IP as the internal interface 0/0.115:
    GigabitEthernet0/0.115     192.168.15.2
    NVI0                               192.168.15.2
    I tried to remove the NVI0 interface by deleting the NAT enabler from the interfaces (no ip nat enable) and using the old NAT ip nat inside/outside on the interfaces,
    but I still see the NVI0 up and it still has the same IP as the internal interface.
    I even tried OSPF and other routing protocols, but it is still the same problem: only the internal interfaces are forwarding the routing messages.

    But why does the NVI0 interface have an IP of the internal interface?
    OK, this is my configuration:
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname Ben-GW
    boot-start-marker
    boot-end-marker
    logging buffered 52000
    no logging console
    aaa new-model
    aaa authentication login default local
    aaa authentication login userauthen local
    aaa authorization network groupauthor local
    no ip domain lookup
    ip domain name aljeel.ly
    ip cef
    no ipv6 cef
    multilink bundle-name authenticated
    voice-card 0
    ip ssh authentication-retries 4
    class-map match-any BAD-P2P
    match protocol bittorrent
    match protocol edonkey
    match protocol gnutella
    match protocol kazaa2
    match protocol fasttrack
    match protocol winmx
    policy-map police
    class BAD-P2P
      drop
    class class-default
      police 20000000 conform-action transmit  exceed-action drop  violate-action drop
    interface Loopback1
    ip address x.x.x.x. 255.255.255.255
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip virtual-reassembly in max-fragments 64 max-reassemblies 1024
    no ip route-cache
    interface Tunnel4
    ip address 172.28.9.2 255.255.255.252
    ip mtu 1476
    tunnel source 172.30.1.26
    tunnel destination 172.30.1.13
    interface Tunnel11
    ip address 172.28.11.2 255.255.255.252
    tunnel source 172.30.1.26
    tunnel destination 172.30.1.3
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    interface GigabitEthernet0/0
    description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
    no ip address
    duplex auto
    speed auto
    interface GigabitEthernet0/0.115
    encapsulation dot1Q 115
    ip address 192.168.15.2 255.255.255.0
    ip nbar protocol-discovery
    ip nat inside
    ip virtual-reassembly in max-fragments 64 max-reassemblies 1024
    ip tcp adjust-mss 1452
    interface GigabitEthernet0/0.116
    encapsulation dot1Q 116
    ip address 10.10.16.2 255.255.255.0
    interface GigabitEthernet0/1
    no ip address
    duplex auto
    speed auto
    interface GigabitEthernet0/1.750
    encapsulation dot1Q 750
    ip address 172.21.2.100 255.255.255.0
    ip nbar protocol-discovery
    ip nat outside
    ip virtual-reassembly in max-reassemblies 1024
    pppoe enable group global
    pppoe-client dial-pool-number 1
    interface GigabitEthernet0/1.751
    encapsulation dot1Q 751
    ip address 172.21.3.60 255.255.255.0
    ip nat outside
    ip virtual-reassembly in
    pppoe enable group global
    interface GigabitEthernet0/1.900
    encapsulation dot1Q 900
    ip address 172.30.1.26 255.255.255.248
    ip nbar protocol-discovery
    interface GigabitEthernet0/2
    description $ES_LAN$
    no ip address
    duplex auto
    speed auto
    interface SM1/0
    no ip address
    shutdown
    !Application: CUE Running on SM
    interface SM1/1
    description Internal switch interface connected to Service Module
    no ip address
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly in max-fragments 64 max-reassemblies 1024
    no ip route-cache
    ip tcp adjust-mss 1452
    interface Dialer1
    ip unnumbered Loopback1
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly in max-fragments 64 max-reassemblies 1024
    encapsulation ppp
    no ip route-cache
    dialer pool 1
    ppp authentication chap callin
    ppp chap hostname BG-ALJEEL-OFFICE
    ppp chap password 7 0026344B257721232A0D01612F3F2C3437
    ppp ipcp route default
    ppp ipcp address accept
    no cdp enable
    router eigrp 1
    network 10.10.16.0 0.0.0.255
    network 192.168.15.0
    ip forward-protocol nd
    no ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    This is all of the configuration.
    Regards

  • IPSEC EIGRP NTP issues

    Fellow networkers,
    I am having difficulty setting up my tunnel correctly and syncing time. I am hoping I could get some ideas or even a solution. Thank you much.
    I have two 3945s connected to each other. One 3945 (Enc1) is connected to our router and gets its time and syncs appropriately. The second 3945 (Enc2) is only connected to the first 3945 and does not sync its time nor create the tunnel. They use 15.2.1(T) Universal K9 as an OS; here are the abbreviated configs:
    Update: My guess is ACL 103 needs modification because the log shows "list 103 denied eigrp from x.x.x.137" or ".138", which I believe is NTP related. But wouldn't the tunnel be created first and then EIGRP traffic would just flow?
    Enc1:
    crypto isakmp policy 1
    encr aes 256
    authentication pre-share
    group 5
    lifetime 43200
    crypto isakmp key three address x.x.x.138
    crypto ipsec transform-set ESP_SHA_AES256_AH_MD5 ah-md5-hmac esp-aes 256 esp-sha-hmac
    crypto ipsec df-bit clear
    crypto ipsec profile Profile
    set transform-set ESP_SHA_AES256_AH_MD5
    set pfs group5
    crypto map JACKSON 1 ipsec-isakmp
    set peer x.x.x.138
    set transform-set ESP_SHA_AES256_AH_MD5
    match address 101
    interface Tunnel3
    ip address x.x.x.157 255.255.255.252
    ip mtu 1420
    tunnel source GigabitEthernet0/1
    tunnel destination x.x.x.138
    tunnel path-mtu-discovery
    interface Loopback0
    ip address x.x.x.x 255.255.255.255
    interface GigabitEthernet0/1
    ip address x.x.x.137 255.255.255.252
    ip access-group 103 in
    ip verify unicast source reachable-via any
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip authentication mode eigrp 7 md5
    ip authentication key-chain eigrp 7 REGGIE
    ip route-cache flow
    duplex auto
    speed auto
    media-type sfp
    no cdp enable
    no mop enabled
    crypto map JACKSON
    router eigrp 10
    passive-interface default
    no passive-interface GigabitEthernet0/1
    network x.x.x.x
    no auto-summary
    access-list 101 permit gre any any
    access-list 103 permit udp any any eq isakmp
    access-list 103 permit udp any eq isakmp any
    access-list 103 permit esp any any
    access-list 103 deny   ip any any log
    Enc2:
    crypto isakmp policy 1
    encr aes 256
    authentication pre-share
    group 5
    lifetime 43200
    crypto isakmp key three address x.x.x.137
    crypto ipsec transform-set ESP_SHA_AES256_AH_MD5 ah-md5-hmac esp-aes 256 esp-sha-hmac
    crypto ipsec df-bit clear
    crypto ipsec profile Profile
    set transform-set ESP_SHA_AES256_AH_MD5
    set pfs group5
    crypto map ADDIE 1 ipsec-isakmp
    set peer x.x.x.137
    set transform-set ESP_SHA_AES256_AH_MD5
    match address 101
    interface Tunnel3
    ip address x.x.x.158 255.255.255.252
    ip mtu 1420
    tunnel source GigabitEthernet0/1
    tunnel destination x.x.x.137
    tunnel path-mtu-discovery
    interface Loopback0
    ip address x.x.x.x 255.255.255.255
    interface GigabitEthernet0/1
    ip address x.x.x.138 255.255.255.252
    ip access-group 103 in
    ip verify unicast source reachable-via any
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip authentication mode eigrp 7 md5
    ip authentication key-chain eigrp 7 REGGIE
    ip route-cache flow
    duplex auto
    speed auto
    media-type sfp
    no cdp enable
    no mop enabled
    crypto map ADDIE
    router eigrp 10
    passive-interface default
    no passive-interface GigabitEthernet0/1
    network x.x.x.x
    no auto-summary
    access-list 101 permit gre any any
    access-list 103 permit udp any any eq isakmp
    access-list 103 permit udp any eq isakmp any
    access-list 103 permit esp any any
    access-list 103 deny   ip any any log

    Hi,
    Thanks for your post; however, I didn't get much further with that guide.  I can indeed contact the NTP time servers so I don't believe my firewall is too restrictive (perhaps my NTP configuration is not letting me synchronize with those time servers?).  I do indeed see that my laptop has the server listed as a peer, but the time is still different from that of the server.
    Walter

  • EIGRP Key Chain Rotation

    I have implemented the key rotation and it was successfully tested. However, I have encountered an issue when devices are restarted. Once the device is restored, the key chain has defaulted to Mar 1, 1993. Is this normal? Is there a fix for this? I have seen others blog about the issue but have found no resolutions.

    Hi Msahai,
    Thanks for the response.
    key 5
    key-string
    accept-lifetime 06:00:00 Oct 1 2014 06:00:00 Apr 1 2015
    send-lifetime 06:00:00 Oct 1 2014 06:00:00 Apr 1 2015
    key 10
    accept-lifetime 06:00:00 Apr 1 2015 06:00:00 Oct 1 2015
    send-lifetime 06:00:00 Apr 1 2015 06:00:00 Oct 1 2015
    key 9999
    accept-lifetime 06:00:00 Sep 30 2014 infinite
    send-lifetime 06:00:00 Sep 30 2014 infinite
    interface port-channel1
    description Core Port channel
    ip address x.x.x.x x.x.x.x
    ip authentication mode eigrp md5
    ip authentication mode eigrp 22163 md5
    ip authentication key-chain eigrp 1
    ip authentication key-chain eigrp 22163
    The core is my NTP
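    The schedule in the post, replayed as an added example (editor's code, not the poster's and not Cisco's): a small Python model of how a key chain with staggered lifetimes behaves on the sending and the receiving side, including the case the thread asks about, a router that comes back with its clock at Mar 1, 1993. The key numbers and lifetimes are the post's; the key strings are constructed placeholders because the post redacts them, the digest is HMAC-MD5 as a stand-in for the real EIGRP MD5 construction, and the half-open lifetime intervals and the send-with-lowest-valid-key rule are assumptions of the model, not verified IOS behaviour.

```python
"""Model of EIGRP key-chain selection across a key rotation schedule.

Added example, not code from the post or from Cisco. It models the rules
stated on this page: a router sends with the lowest-numbered key whose
send-lifetime is current, and accepts a packet only if the key number the
packet carries is within its accept-lifetime on the receiver and the
digest matches. Key strings are constructed placeholders, the digest is
HMAC-MD5 as a stand-in for the real EIGRP MD5 construction, and lifetimes
are half-open intervals; all three are assumptions of this model.
"""
from dataclasses import dataclass
from datetime import datetime
import hashlib
import hmac
from typing import List, Optional, Tuple

INFINITE = datetime.max  # stands in for the IOS "infinite" keyword


def at(stamp: str) -> datetime:
    """Parse an IOS-style lifetime stamp such as '06:00:00 Oct 1 2014'."""
    return datetime.strptime(stamp, "%H:%M:%S %b %d %Y")


@dataclass
class Key:
    number: int
    key_string: bytes
    accept: Tuple[datetime, datetime]  # accept-lifetime start, end
    send: Tuple[datetime, datetime]    # send-lifetime start, end

    def accept_valid(self, now: datetime) -> bool:
        return self.accept[0] <= now < self.accept[1]

    def send_valid(self, now: datetime) -> bool:
        return self.send[0] <= now < self.send[1]


def rotation_chain() -> List[Key]:
    """The schedule from the post, with placeholder key strings (constructed)."""
    k5 = (at("06:00:00 Oct 1 2014"), at("06:00:00 Apr 1 2015"))
    k10 = (at("06:00:00 Apr 1 2015"), at("06:00:00 Oct 1 2015"))
    k9999 = (at("06:00:00 Sep 30 2014"), INFINITE)
    return [
        Key(5, b"PLACEHOLDER-KEY-5", k5, k5),
        Key(10, b"PLACEHOLDER-KEY-10", k10, k10),
        Key(9999, b"PLACEHOLDER-KEY-9999", k9999, k9999),
    ]


def send_key(chain: List[Key], now: datetime) -> Optional[Key]:
    """Lowest-numbered key whose send-lifetime includes `now`, else None."""
    valid = [k for k in chain if k.send_valid(now)]
    return min(valid, key=lambda k: k.number) if valid else None


def digest(key: Key, payload: bytes) -> bytes:
    # Stand-in for the EIGRP MD5 authentication digest (assumption of the model).
    return hmac.new(key.key_string, payload, hashlib.md5).digest()


def sign(chain: List[Key], payload: bytes, now: datetime) -> Optional[Tuple[int, bytes]]:
    """(key number, digest) the sender attaches, or None when no send key is valid."""
    k = send_key(chain, now)
    return None if k is None else (k.number, digest(k, payload))


def verify(chain: List[Key], payload: bytes, key_number: int, tag: bytes, now: datetime) -> bool:
    """Accept only if that key number is accept-valid on the receiver and the digest matches."""
    for k in chain:
        if k.number == key_number and k.accept_valid(now):
            return hmac.compare_digest(digest(k, payload), tag)
    return False


def exchange(chain: List[Key], payload: bytes, sender_clock: datetime,
             receiver_clock: datetime) -> Tuple[Optional[int], bool]:
    """One HELLO between two routers sharing the chain but each with its own clock.

    Returns (key number used or None, whether the receiver accepted it)."""
    signed = sign(chain, payload, sender_clock)
    if signed is None:
        return None, False
    num, tag = signed
    return num, verify(chain, payload, num, tag, receiver_clock)


if __name__ == "__main__":
    chain = rotation_chain()
    hello = b"constructed EIGRP HELLO payload"
    cases = [
        ("normal rotation, Nov 2014", "12:00:00 Nov 15 2014", "12:00:00 Nov 15 2014"),
        ("after the first rollover", "12:00:00 Jun 1 2015", "12:00:00 Jun 1 2015"),
        ("peers straddle the rollover", "05:59:00 Apr 1 2015", "06:01:00 Apr 1 2015"),
        ("rebooted with clock at 1993", "00:00:00 Mar 1 1993", "12:00:00 Jun 1 2015"),
    ]
    for label, s, r in cases:
        print(f"{label}: {exchange(chain, hello, at(s), at(r))}")
```

    The last two rows are the ones worth reading against the thread: a router whose clock came back at 1993 has no key inside any send-lifetime and cannot authenticate at all until its clock is set, and two peers that straddle the 06:00 rollover disagree on key 5 for as long as their clocks differ, because key 5's accept-lifetime on the receiver ends at the same instant key 10's begins. Overlapping the accept-lifetimes of adjacent keys, and keeping the clocks in sync, is what makes the rotation survive both conditions.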
