Study on authentication of neighboring router EIGRP

Hello

I'm studying for my OFFICE. There is an area called "EIGRP neighbor router authentication." Because it's security-related and I don't have a security background, I find it difficult to understand all those MD5, key, key ring, key chain, etc.

Can someone please recommend a document for me to read to understand what these things are, how they really work, etc.?

Thanks in advance!

Hi, a very good link to CCO for your purpose is:

http://www.Cisco.com/en/us/products/SW/iosswrel/ps1828/products_configuration_guide_chapter09186a00800ca60f.html

Kind regards.

Hope this helps; if so, please rate the post.

Tags: Cisco Security

Similar Questions

  • AAA authentication in Cisco router

    I want to create usernames and passwords with a privilege level for each user on a Cisco 3640 router. I don't have an authentication server, and I want to use the local database of the Cisco router to do this. Can someone suggest how I should proceed?

    Thanks in advance

    Hello

    If you want to create users in the local database of the router, you must use the following commands:

    username cisco privilege 5 password test
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local

    http://www.Cisco.com/univercd/CC/TD/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/scfathen.htm#12277

    Thank you

    Sujit

  • LDAP authentication on vty router login

    I'm trying to deploy LDAP (MS AD) authentication for router vty login. I used this manual - http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_ldap/configuration/15-2mt/sec_conf_ldap.html

    But my attempt was unsuccessful.

    My config is...

    _____

    aaa new-model
    !
    !
    aaa group server ldap ad1
     server test
    !
    aaa authentication login default group ad1 local
    aaa authorization exec default if-authenticated
    !
    skip...
    !
    ldap attribute-map map1
     map type sAMAccountName username
    !
    ldap server test
     ipv4 172.16.107.145
     attribute map map1
     timeout retransmit 20
     bind authenticate root-dn CN=Administrator,CN=users,DC=fabrikam,dc=com password 7 02050D 480809
     base-dn CN=users,DC=fabrikam,dc=com

    _____

    Instead of "ldap attribute-map map1" I tried to use "search user-object-type-filter name". No effect.

    I used Wireshark to sniff the packets from the Cisco to AD. No packets to the AD ports (389 or 3268) were captured.

    I used debug ldap all.

    This is the output:

    * Jun 9 19:38:45.414: LDAP: LDAP: AAA Queuing 117 of treatment application

    * Jun 9 19:38:45.414: LDAP: received the queue event, new demand for AAA

    * Jun 9 19:38:45.414: LDAP: LDAP authentication request

    * Jun 9 19:38:45.414: LDAP: no attributes to check username mental health

    * Jun 9 19:38:45.414: LDAP: name of user/password validation test failed!

    * Jun 9 19:38:45.414: LDAP: LDAP not suport interactive logon

    Note the last line. Does that mean I can't use LDAP for this?

    What have I done wrong?

    I would be grateful for any help!

    LDAP support on IOS is limited to VPN authentication and unfortunately cannot be used for admin (exec) authentication.

    CSCug65194    Document nonsupport LDAP for authentication of connection

    AAA does not support using an LDAP method for interactive login authentication. Customers can configure 'aaa authentication login default group ldap', but when an interactive (terminal) session attempts to authenticate via the LDAP protocol, the following message is syslogged:

    "LDAP: LDAP does not support interactive logon [sic]."

    This is due to the following code in ldap_authen_req() in aaa/ldap/src/ldap_main.c:

    If (intf & intf-> ATS) {}

    LDAP_EVENT ("LDAP don't suport interactive logon");

    ldap_method_failover (proto_req);

    Jatin kone
    - Do rate helpful posts -

  • Authenticating users with router 2800

    Hello Experts,

    Press RETURN to get started.

    * 11 May 15:04:18.063: AAA/BIND (00000010): link i / f
    * 15:04:18.063 may 11: AAA/AUTHENTIC/LOGIN (00000010): list of selection method '123'

    User access audit

    Username: john
    Password:

    ACS-router > en
    Password:
    * 15:04:41.935 may 11: AAA: analyze name = tty0 BID type =-1 ATS = - 1
    * 15:04:41.935 may 11: AAA: name = tty0 flags = 0 x 11 type = 4 shelf = 0 = 0 = 0 = 0 = 0 channel port adapter slot
    * 15:04:41.935 may 11: AAA/MEMORY: create_user (0x469AA7F4) user = ruser 'john' = 'NULL' ds0 = 0 port = "tty0" rem_addr = "async" authen_type = ASCII = service ENABLE priv = 15 initial_task_id = '0', vrf = (id = 0)
    * 15:04:41.935 may 11: AAA/AUTHENTIC/START (4129385217): port = "tty0" list = "action = LOGIN service = ENABLE
    * 15:04:41.935 may 11: AAA/AUTHENTIC/START (4129385217): enable console - by default to activate the password (if any)
    * 15:04:41.935 may 11: AAA/AUTHENTIC/START (4129385217): method = ENABLE
    * 11 May 15:04:41.935: AAA/AUTHENTIC (4129385217): status = GETPASS
    ACS-router #.
    * 15:04:49.099 may 11: AAA/AUTHENTIC/CONT (4129385217): continue_login (user = '(undef)')
    * 11 May 15:04:49.099: AAA/AUTHENTIC (4129385217): status = GETPASS
    * 15:04:49.099 may 11: AAA/AUTHENTIC/CONT (4129385217): method = ENABLE
    * 11 May 15:04:49.107: AAA/AUTHENTIC (4129385217): status = PASS
    * 15:04:49.107 may 11: AAA/MEMORY: free_user (0x469AA7F4) = user tweak "NULL" = "NULL" port = "tty0" rem_addr = "async" authen_type = ASCII service = ENABLE priv = 15 vrf = (id = 0)

    The output above is from the 2800 router console. I'm trying to authenticate the user john against the ACS server, but I'm not sure from the output above whether it performs the authentication or not. When I specify different passwords on the ACS and on the router, it doesn't accept the ACS password; rather, it takes the local password configured for john.

    sh run for the 2800 router:

    ACS-router#sh running-config
    Building configuration...

    Current configuration : 1141 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname ACS-router
    !
    boot-start-marker
    boot system flash c2800nm-ipvoicek9-mz.151-1.T.bin
    boot-end-marker
    !
    logging message-counter syslog
    enable secret 5 $1$ $6MYC v0SoHopUNgCSXx08iEfcU0
    !
    aaa new-model
    !
    !
    aaa authentication login 123 group tacacs+ local
    !
    !
    aaa session-id common
    !
    dot11 syslog
    ip source-route
    !
    !
    ip cef
    !
    !
    no ip domain lookup
    !
    multilink bundle-name authenticated
    !
    !
    !
    !
    !
    !
    username john password 0 cisco12345
    archive
     log config
      hidekeys
    !
    !
    !
    !
    !
    !
    !
    !
    interface FastEthernet0/0
     no ip address
     duplex auto
     speed auto
    !
    interface FastEthernet0/0.1
     encapsulation dot1Q 1 native
     ip address 192.168.10.1 255.255.255.0
    !
    interface FastEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    !
    !
    !
    !
    !
    !
    !
    tacacs-server host 192.168.10.3 port 49 timeout 2 key cisco12345
    !
    control-plane
    !
    !
    line con 0
     login authentication 123
    line aux 0
    line vty 0 4
     login authentication 123

    BUT

    When I have the same configuration on the 2960 switch it works very well for the user; it accepts different passwords for the ACS and the local one when I disconnect the ACS from the local network.

    Can someone tell me what I'm missing here???

    Thank you

    The following:

    * 11 May 15:44:33.678: HIGHER (00000013) 0 / / READ: errno 254

    suggests a secret mismatch between the 2800 and the TACACS+ server.

  • AAA authentication for external router through PIX 515

    I have been trying in vain to get AAA authentication working to my external router, through the PIX.

    When I connect the router directly within that network (bypassing the PIX) AAA works fine, so I know the configuration of the AAA works between the router and the ACS server.

    Initially, I got the PIX configured with a static map between a global external address 192.x.x.12 and a 10.200.1.187 for the ACS server local address, but that didn't work either. So, currently I am using NAT exemption for the ACS server, but it does not work either.

    If I enable packet debug on the PIX, I see the authentication request and response between the router and ACS when I try to log in to the router, but it is not successful. After the three-way TCP handshake, the router repeats its last ACK, and then the ACS sends an RST.

    The attached diagram shows the simple connection that I'm trying to create.

    The configuration of the PIX is also attached (too large for the message size):

    Thanks in advance for your help. I tried EAC for two days and have not found solutions that look like this.

    Ron Buchalski

    What to do is:

    1. PIX:

    - static map the ACS/TACACS+ server to a public IP address

    static (inside,outside) x.x.x.10 10.1.1.25 netmask 255.255.255.255

    - otherwise, if you have enough public IP, use port forwarding to map the ACS IP to the PIX outside interface IP, i.e. x.x.x.2, via specific TCP port 49:

    static (inside,outside) tcp interface 49 10.1.1.25 49 netmask 255.255.255.255

    * allow the ACS to talk to the external router via the public IP

    Create/add an entry in the ACL applied to the outside interface to allow TACACS+ from the external router to the ACS:

    access-list outside permit tcp host x.x.x.1 host x.x.x.10 eq 49 (TACACS+ uses tcp 49)

    access-group outside in interface outside

    * x.x.x.1 = outside router

    2. ACS

    - Add the outside router IP (the FastEthernet interface facing the PIX outside interface) as an AAA client

    - Make sure the secret key is identical on the ACS and the router

    3. The outside router

    - Add the ACS as tacacs-server using its public IP, as mapped on the PIX, which is x.x.x.10.

    - Check that the key in the AAA statement is accurate.

    Test without saving the config on the outside router. Save once confirmed OK.

    I have had a similar setup before, and it worked very well.

    Pls rate all useful post(s)

    AK

  • Routing eigrp summary

    What are the differences between the commands

    (1) auto-summary

    (2) e.g.: ip summary-address eigrp 1 90.0.0.0 255.255.0.0

    We might consider auto-summary for classful networks, but ip summary-address for summarizing the prefixes going out of an interface to the nearest supernet (VLSM).

    See you soon!

    Sumit

  • DMVPN + found EIGRP neighbor

    Hello

    Relocating the production LAB, and I can't get the HUB router to participate in EIGRP. I see "Neighbor (10.1.2.192) not found" in the logs, which is the spoke's tunnel interface.

    HUB:

    interface Tunnel1
     ip address 10.1.2.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     no ip next-hop-self eigrp 3111
     no ip split-horizon eigrp 3111
     ip nhrp authentication TEST
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     ip nhrp holdtime 300
     ip tcp adjust-mss 1360
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel key 123
     tunnel protection ipsec profile TEST-DMVPN shared
    ...........
    router eigrp 3111
     network 10.0.0.0
     eigrp router-id 10.120.0.10
    ............

    R4-2911-HUB#show ip eigrp neighbors
    IPv4-EIGRP Neighbors for AS(3111)
    ........
    Ms 3 23:18:21.264: EIGRP: Neighbor (10.1.2.192) not found
    ................

    SPOKE:

    interface Tunnel1
     ip address 10.1.2.192 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication TEST
     ip nhrp map 10.1.2.1 205.234.20.11
     ip nhrp network-id 1
     ip nhrp holdtime 300
     ip nhrp nhs 10.1.2.1
     ip tcp adjust-mss 1360
     tunnel source GigabitEthernet0/1
     tunnel mode gre multipoint
     tunnel key 123
     tunnel protection ipsec profile TEST-DMVPN shared
    .........
    router eigrp 3111
     network 10.0.0.0
     eigrp stub connected
    ..........

    IPv4-EIGRP Neighbors for AS(3111)
    H   Address        Interface   Hold   Uptime     SRTT   RTO    Q     Seq
                                   (sec)             (ms)          Cnt   Num
    1   10.1.2.1       Tu1         13     00:00:10   1      5000   1     0
    2   10.192.11.1    Gi0/0.1     14     00:07:05   16     100    0     39
    0   10.192.2.1     Gi0/0.2     14     00:07:06   148    888    0     36

    * 3 sep 23:19:18.675: down: Peer 10.1.2.1 total = 0 2 heel, heel iidb = 0 iid - all = 0

    * 3 sep 23:19:18.675: EIGRP: manage a deallocation failure [1]

    * 3 sep 23:19:18.675: EIGRP: neighbour 10.1.2.1 descended upon Tunnel1.

    * 3 sep 23:19:22.943: EIGRP: new peer 10.1.2.1.

    * 3 sep 23:19:22.943: % NBRCHANGE-5-DOUBLE: 3111 IPv4 EIGRP: neighbour 10.1.2.1 (Tunnel1) is in place: new adjacency...

    Can someone help me? For the life of me I can't understand why the spokes can peer but the HUB cannot.

    Hello

    Usually, the spoke is configured with ip nhrp map multicast 205.234.20.11 on its tunnel interface. I do not see this line in your spoke configuration - could you add it?

    Also, do you happen to use any neighbor command in your EIGRP configuration on the hub or the spoke?

    Best regards

    Peter

  • EIGRP running between the router and ASA by switch

    Hello

    Is it possible to run EIGRP between a router and an ASA through a switch?

    The router and ASA are connected to the switch with a static route.

    Hi Tommy Chin.

    It is possible; we must advertise the route between the router and ASA.

    Please provide your connectivity diagram so I can explain better.

    For example...

    interface GigabitEthernet0/0
     description Link to WAN router
     nameif OUTSIDE
     security-level 50
     ip address 10.1.1.1 255.255.255.192 standby 10.1.1.2
     summary-address eigrp 100 10.1.0.0 255.255.0.0 1
    !
    ! EIGRP protocol configuration
    access-list eigrpACL_FR standard permit a
    !
    router eigrp 100
     distribute-list eigrpACL_FR in interface OUTSIDE
     neighbor 10.1.1.3 interface OUTSIDE
     neighbor 10.1.1.2 interface OUTSIDE
     network 10.1.1.0 255.255.255.192
     redistribute connected
     redistribute static
    !

    Kind regards

    Srinivas.

    Note: if this solves your problem, please mark it as resolved.

  • Announcement of network user VPN via eigrp route

    I can't get the VPN client user network advertised via EIGRP; here is what I have so far. 10.55.1.0 is not advertised.

    router eigrp xx
     no auto-summary
     no default-information in
     no default-information
     default-metric 10000 100 255 1 1500
     network 10.55.0.0 255.255.255.0
     network 10.55.1.0 255.255.255.0
     passive-interface default
     no passive-interface inside
     redistribute static

    I already have about 30 static routes and they are redistributed successfully. The only way I can think of to advertise the VPN network to the inside neighbor is using a route-map attached to the redistribute static statement. The route-map ACL would then have the 30 networks of the static routes in it, plus the VPN. I really don't want to do that, because every time someone adds a new static route, it would also have to be added to the ACL for the route-map. Any ideas appreciated.

    Hi Matthew,

    Please add the following command under your dynamic crypto map:

    crypto dynamic-map test 10 set reverse-route

    HTH.

    Portu.

  • Redistribution of Routes between OSPF and EIGRP

    We have a test network with the topology below. We have two networks connected to an L3 switch. Both networks have an ASA firewall with a site-to-site tunnel between them. They also have a connection in conjunction with each other. We want to implement a scenario where the concert connection is the main route, but if that route fails, it switches to the route that goes over the site-to-site tunnel. We have EIGRP running on the two core switches so that the routes over the concert connection function properly. However, the networks cannot be learned over the second route that goes over the VPN tunnel. We are running OSPF on the ASAs and we are redistributing the routes into EIGRP. Is that apparently correct? It looks like the ASAs learn the OSPF routes correctly; however, when we go to the core switches and run show ip eigrp topology, we do not see the feasible successor routes. Any ideas on how to make this work?

    Hello

    From the initial setup, it looks like you have auto-summary enabled on the core switches; also, in the ASA EIGRP process your redistribution metrics don't look right regarding delay/load/reliability - what's the reasoning behind this? Could you try the following:

    Core switch 1 & 2

    router eigrp 100
     no auto-summary

    ASA 1 & 2

    router eigrp 100
     redistribute ospf 1 metric 100000 1 255 1 1500

    Could you also post the output of show ip eigrp topology all-links

    RES

    Paul

    Please do not forget to rate all posts that have been helpful.

    Thank you.

  • Problem setting up 7606 router for TACACS+ authentication.

    Hello community support.

    I have two Cisco 7606 routers on which I have tried in vain to have users authenticated using TACACS+ servers. As noted below, I have two servers (1.1.1.1 and 2.2.2.2) reachable via vrf OAM, which is accessible from desktop to ssh login. The real IPs and VRFs have been changed because it's a company router.

    I use the two servers to authenticate a lot of other Cisco network devices and they work properly.

    I can reach the servers from the vrf and the source interface in use. I can also telnet to port 49 on the servers from the source interface and the vrf.

    The server key is hidden, but at the time of configuration, I can see that it is correct.

    The problem is that after configuring TACACS+ authentication, the router always uses the enable password instead of TACACS+. While the debug output shows "incorrect password", why doesn't the router authenticate using TACACS+? Why is it using the enable password?

    Please review the outputs below and help point out what I may need to change.

    PS: I have tried many other combinations, including deprecated ones, without success, including the method proposed on this page.

    http://www.Cisco.com/en/us/docs/iOS/sec_user_services/configuration/guide/sec_vrf_tacas_svrs.html

    Please help, I'm stuck.

    ROUTER#sh running-config | s aaa
    aaa new-model
    aaa group server tacacs+ admin
     server name admin
     server name admin1
     ip vrf forwarding OAM
     ip tacacs source-interface GigabitEthernet1
    aaa authentication login admin group tacacs+ local enable
    aaa session-id common

    ROUTER#sh running-config | s tacacs
    aaa group server tacacs+ admin
     server name admin
     server name admin1
     ip vrf forwarding OAM
     ip tacacs source-interface GigabitEthernet1
    aaa authentication login admin group tacacs+ local enable
    tacacs server admin
     address ipv4 1.1.1.1
     key 7 XXXXXXXXXXXXXXXXXXXX
    tacacs server admin1
     address ipv4 2.2.2.2
     key 7 XXXXXXXXXXXXXXXXxxxx
    line vty 0 4
     login authentication admin

    ROUTER#sh tacacs

    Tacacs+ Server - public:
    Server name: admin
    Server address: 1.1.1.1
    Server port: 49
    Socket opens: 15
    Socket closes: 15
    Socket aborts: 0
    Socket errors: 0
    Socket Timeouts: 0
    Failed Connect Attempts: 0
    Total Packets Sent: 0
    Total Packets Recv: 0

    Tacacs+ Server - public:
    Server name: admin1
    Server address: 2.2.2.2
    Server port: 49
    Socket opens: 15
    Socket closes: 15
    Socket aborts: 0
    Socket errors: 0
    Socket Timeouts: 0
    Failed Connect Attempts: 0
    Total Packets Sent: 0
    Total Packets Recv: 0

    Oct 22 12:38:57.587: AAA/BIND(0000001A): link i / f

    22 Oct 12:38:57.587: AAA/AUTHENTIC/LOGIN (0000001 a): Select method list "admin".

    Oct 22 12:38:57.587: AAA/AUTHENTIC/ENABLE(0000001A): action of treatment application LOGIN

    Oct 22 12:38:57.587: AAA/AUTHENTIC/ENABLE(0000001A): reported GET_PASSWORD

    Oct 22 12:39:02.327: AAA/AUTHENTIC/ENABLE(0000001A): action of treatment application LOGIN

    Oct 22 12:39:02.327: AAA/AUTHENTIC/ENABLE(0000001A): reported FAIL - wrong password

    22 Oct 12:39:04.335: AAA/AUTHENTIC/LOGIN (0000001 a): Select method list "admin".

    Oct 22 12:39:04.335: AAA/AUTHENTIC/ENABLE(0000001A): action of treatment application LOGIN

    Oct 22 12:39:04.335: AAA/AUTHENTIC/ENABLE(0000001A): reported GET_PASSWORD

    Oct 22 12:39:08.675: AAA/AUTHENTIC/ENABLE(0000001A): action of treatment application LOGIN

    Oct 22 12:39:08.675: AAA/AUTHENTIC/ENABLE(0000001A): reported FAIL - wrong password

    22 Oct 12:39:10.679: AAA/AUTHENTIC/LOGIN (0000001 a): Select method list "admin".

    Oct 22 12:39:10.683: AAA/AUTHENTIC/ENABLE(0000001A): action of treatment application LOGIN

    Oct 22 12:39:10.683: AAA/AUTHENTIC/ENABLE(0000001A): reported GET_PASSWORD

    Oct 22 12:39:14.907: AAA/AUTHENTIC/ENABLE(0000001A): action of treatment application LOGIN

    Oct 22 12:39:14.907: AAA/AUTHENTIC/ENABLE(0000001A): reported FAIL - wrong password

    ROUTER#sh ver

    Cisco IOS software, software of c7600rsp72043_rp (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 15.1 (3) S3, RELEASE SOFTWARE (fc1)

    Technical support: http://www.cisco.com/techsupport

    Copyright (c) 1986-2012 by Cisco Systems, Inc.

    Updated Saturday, March 30, 12 08:34 by prod_rel_team

    ROM: System Bootstrap, Version 12.2 SRE (33r), RELEASE SOFTWARE (fc1)

    BOOTLDR: Cisco IOS software, software c7600rsp72043_rp (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 15.1 (3) S3, RELEASE SOFTWARE (fc1)

    The availability of ROUTER is 7 weeks, 5 days, 16 hours, 48 minutes

    Availability for this control processor is 7 weeks, 5 days, 16 hours, 49 minutes

    System returned to ROM by reload (SP by charging)

    System restarted at 20:00:59 UTC Wednesday, August 28, 2013

    System image file is "sup - bootdisk:c7600rsp72043 - advipservicesk9 - mz.151 - 3.S3.bin.

    Last reload type: normal charging

    Reload last reason: power

    This product contains cryptographic features and is under the United States

    States and local laws governing the import, export, transfer and

    use. Delivery of Cisco cryptographic products does not imply

    third party approval to import, export, distribute or use encryption.

    Importers, exporters, distributors and users are responsible for

    compliance with U.S. laws and local countries. By using this product you

    agree to comply with the regulations and laws in force. If you are unable

    to satisfy the United States and local laws, return the product.

    A summary of U.S. laws governing Cisco cryptographic products to:

    http://www.Cisco.com/WWL/export/crypto/tool/stqrg.html

    If you need assistance please contact us by mail at

    [email protected].

    Cisco CISCO7606-S (M8500) processor (revision 1.1) with 3670016K/262144K bytes of memory.
    Processor board ID FOX1623G61B
     BASEBOARD: RSP720
     CPU: MPC8548_E, Version: 2.1, (0x80390021)
     CORE: E500, Version: 2.2, (0x80210022)
     CPU:1200MHz, CCB:400MHz, DDR:200MHz,
     L1: D-cache 32 kB enabled
         I-cache 32 kB enabled
    Last reset from power-on
    3 Virtual Ethernet interfaces
    76 Gigabit Ethernet interfaces
    8 Ten Gigabit Ethernet interfaces
    3964K bytes of non-volatile configuration memory.
    500472K bytes of Internal ATA PCMCIA card (Sector size 512 bytes).
    Configuration register is 0x2102

    To resolve this problem, please replace the command listed below

    aaa authentication login admin group tacacs+ local enable

    with:

    aaa authentication login default group admin local enable

    You have set the server group name as the method list name, and instead of using admin as the server group, you used tacacs+.

    Note: Please ensure that you have local users and the enable password configured in case the TACACS+ server is unreachable.

    ~ BR
    Jatin kone

    * Do rate helpful posts *

  • Static route of VPN in EIGRP redistribution (FD is Inaccessible)

    Hi all

    I redistribute the site-to-site VPN static route into EIGRP, but what I noticed on the 6509 when I run sh ip eigrp 200 topology is that for the static route to the ASA "FD is Inaccessible."

    6509 output:

    EIGRP-IPv4 Topology Table for AS(200)/ID(10.33.95.34)
    Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
           r - reply Status, s - sia Status

    P 199.x.x.240/28, 1 successors, FD is 53760, tag is 36539
            via Redistributed (53760/0)
    P 10.64.129.0/24, 1 successors, FD is 28416
            via 10.210.98.200 (28416/28160), Vlan98
    P 10.1.2.0/24, 0 successors, FD is Inaccessible
            via 10.210.98.200 (28416/28160), Vlan98
    P 10.210.98.0/24, 1 successors, FD is 2816
            via Connected, Vlan98

    ASA5510 output:

    EIGRP-IPv4 Topology Table for AS(200)/ID(10.64.129.253)
    Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
           r - reply Status, s - sia Status

    P 10.1.2.0 255.255.255.0, 1 successors, FD is 28160
            via Rstatic (28160/0)
    P 10.64.129.0 255.255.255.0, 1 successors, FD is 28160
            via Connected, Ethernet0/0
    P 199.x.x.240 255.255.255.240, 1 successors, FD is 79360, tag is 36539
            via 10.210.98.254 (79360/53760), Ethernet0/1
    P 10.210.98.0 255.255.255.0, 1 successors, FD is 28160
            via Connected, Ethernet0/1

    The ASA config:

    access-list 200SW_EIGRP standard permit 10.1.2.0 255.255.255.0

    permissible static in eigrp route map 10

    match ip address 200SW_EIGR

    Router eigrp 200

    redistribute static static in eigrp route map

    external route 10.1.2.0 255.255.255.0 x.x.x.

    Thank you

    Thomas,

    When the FD is Inaccessible in the EIGRP topology table, the router does not use this EIGRP route in its routing table.

    Probably the route is overridden by some other routing protocol that has a lower administrative distance.

    Could you please share the routing table?

    Thank you.

  • Router Access List - where it is applied?

    I seem to be missing something here. I have an 1841 router that has an access list configured and it is actually dropping packets based on this access list. I can't for the life of me see where this access list is applied. Can anyone provide some insight? Here is the output of "show run":

    R-H1BR1#sh run
    Building configuration...

    Current configuration : 3391 bytes
    !
    ! No configuration change since last restart
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname R-H1BR1
    !
    boot-start-marker
    boot-end-marker
    !
    logging count
    logging buffered 51200
    no logging console
    !
    no aaa new-model
    ip cef
    !
    !
    !
    !
    no ip domain lookup
    ip domain name p911.positron-psap.com
    ip name-server 10.4.0.1
    ip name-server 10.4.0.2
    ip name-server 10.5.0.3
    ip name-server 10.5.0.4
    ip multicast-routing
    multilink bundle-name authenticated
    !
    !
    username * privilege 15 secret 5 *
    archive
     log config
      hidekeys
    !
    !
    ip tftp source-interface FastEthernet0/0.1
    !
    !
    !
    interface Tunnel5
     description * TUNNEL to NODE B (Multicast only) *
     ip address 10.250.4.1 255.255.255.252
     ip pim query-interval 1
     ip pim state-refresh origination-interval 4
     ip pim dense-mode
     ip tcp adjust-mss 1436
     keepalive 1 6
     tunnel source 10.4.15.254
     tunnel destination 10.5.15.254
    !
    interface Tunnel25
     description * TUNNEL at 25 SATELLITE (Multicast only) *
     ip address 10.250.25.1 255.255.255.252
     ip pim query-interval 1
     ip pim state-refresh origination-interval 4
     ip pim dense-mode
     ip tcp adjust-mss 1436
     keepalive 1 6
     tunnel source 10.4.15.254
     tunnel destination 10.25.15.254
    !
    interface FastEthernet0/0
     description * to switch 1 last Port *
     no ip address
     speed 100
     full-duplex
     keepalive 1
    !
    interface FastEthernet0/0.1
     description * BACKROOM LAN *
     encapsulation dot1Q 1 native
     ip address 10.4.15.253 255.255.240.0
     ip pim neighbor-filter DENY
     ip pim dr-priority 255
     ip pim query-interval 1
     ip pim state-refresh origination-interval 4
     ip pim dense-mode
     no ip mroute-cache
     keepalive 1
     standby delay minimum 45 reload 60
     standby 1 ip 10.4.15.254
     standby 1 timers 1 3
     standby 1 preempt delay minimum 15 reload 15 sync 15
    !
    interface FastEthernet0/1
     description * BETWEEN R1 and R2 *
     ip address 10.252.204.1 255.255.255.252
     no ip proxy-arp
     ip hello-interval eigrp 2604 1
     ip hold-time eigrp 2604 2
     no ip mroute-cache
     speed 100
     full-duplex
     keepalive 1
    !
    interface FastEthernet0/0/0
     description * WAN to H2 connection *
     ip address 172.16.215.246 255.255.255.0
     speed 100
     full-duplex
     keepalive 1
    !
    interface FastEthernet0/0/1
     description * connection to AAU *
     ip address 192.168.10.1 255.255.255.0
     speed 100
     full-duplex
     keepalive 1
     standby delay minimum 45 reload 60
     standby 3 ip 192.168.10.3
     standby 3 timers 1 3
     standby 3 preempt delay minimum 15 reload 15 sync 15
    !
    router eigrp 2604
     redistribute static
     passive-interface FastEthernet0/0.1
     passive-interface FastEthernet0/0/1
     network 10.4.0.0 0.0.15.255
     network 10.252.0.0 0.0.255.255
     network 172.16.215.0 0.0.0.255
     no auto-summary
    !
    ip forward-protocol nd
    ip route 10.119.138.0 255.255.254.0 192.168.10.13
    ip route 10.121.1.0 255.255.255.0 192.168.10.13
    !
    !
    no ip http server
    ip mroute 10.5.0.0 255.255.240.0 Tunnel5
    ip mroute 10.25.0.0 255.255.240.0 Tunnel25
    !
    ip access-list standard DENY
     deny any
    !
    logging source-interface FastEthernet0/0.1
    logging server-arp
    logging 10.4.0.1
    !
    !
    control-plane
    !
    !
    line con 0
     login local
    line aux 0
    line vty 0 4
     exec-timeout 0 0
     login local
     transport input telnet
    line vty 5 15
     exec-timeout 0 0
     login
     transport input telnet
    !
    scheduler allocate 20000 1000
    ntp clock-period 17177530
    ntp server 10.4.0.1
    end

    R-H1BR1#

    I guess you are looking for

    interface FastEthernet0/0.1
     description * BACKROOM LAN *
     encapsulation dot1Q 1 native
     ip address 10.4.15.253 255.255.240.0
     ip pim neighbor-filter DENY

    ?

    Best regards

    Milan

  • Redistribution of BGP with EIGRP

    Hi all

    I'm trying to redistribute BGP into EIGRP, and vice versa. I'm successfully doing EIGRP to BGP redistribution, but cannot get the EIGRP routes into BGP.

    Here is my config. Any guidance or help would be very appreciated.

    router eigrp 100

    network 10.18.72.0 0.0.0.255

    redistribute static route-map DEFAULT_ROUTE

    redistribute bgp 65535

    passive-interface default

    no passive-interface FastEthernet0/0

    !

    router bgp 65535

    bgp router-id 172.18.2.1

    bgp log-neighbor-changes

    redistribute eigrp 100 route-map EIGRP_REDISTRIBUTE

    neighbor 172.18.2.2 remote-as 65535

    neighbor 172.18.2.2 password ciscobgp

    no auto-summary

    ip access-list extended EIGRP_ROUTES_TO_BGP

    permit ip any any

    !

    !

    ip prefix-list DEFAULT seq 5 permit 0.0.0.0/0

    !

    route-map EIGRP_REDISTRIBUTE permit 20

    match ip address EIGRP_ROUTES_TO_BGP

    !

    route-map DEFAULT_ROUTE permit 10

    match ip address prefix-list DEFAULT

    Thanks in advance.

    Neil

    Add "bgp redistribute-internal" to your bgp process. By default, iBGP is not redistributed into an IGP. The reason for this is simply that the amount of routes a bgp router can receive can overload an IGP very easily, so you may want to filter routes when doing this.

    After adding this, disable your bgp neighbors and you should start to see routes.

    HTH,
    John

    Please rate all useful posts.

  • Stop the route announced on

    Hi all

    I have a 6880-X and EIGRP running with our WAN service provider.

    I have the following:

    router eigrp 200
     network 10.44.70.1 0.0.0.0
     redistribute static route-map Static_To_Eigrp
     neighbor 10.44.70.4 Vlan970
     neighbor 10.44.70.3 Vlan970
     eigrp stub static redistributed

    ip route 10.44.0.0 255.255.128.0 Null0 tag 919

    route-map Static_To_Eigrp permit 10
     match tag 919

    The network 10.44.127.0/24 is included in my static route statement, but ideally I don't want to advertise it outbound. Is there a way for me to filter this network with my current setup using a leak-map? Or does the fact that I am advertising a /17 mean this is not possible, and I need to look at breaking my redistributed routes down into more specific subnets?

    Thank you

    Hello GRANT3779,

    Unfortunately, a leak-map will not be useful to accomplish what you are looking for here. On the contrary, it helps you to advertise ('leak') a more specific subnet in addition to advertising a summary network to an EIGRP peer when using the command "ip summary-address eigrp".

    You're right, in this scenario, you must break down the static route into more specific subnets.

    I hope this helps.

    Kind regards.
