Categories R&S

IPv6 – Advanced EIGRPv6

Back to IPv6, this time for more advanced configuration.

In this post I will focus on EIGRPv6.

 

IPv6 – Advanced EIGRPv6 –Network Diagram:

IPv6 – Advanced EIGRPv6

 

IPv6 – Advanced EIGRPv6 – configuration:

 

I have already setup the basic EIGRPv6 configuration, which means that all the routers interfaces are part of EIGRP 100.

From SW51, we can reach the 3 vlans interfaces on SW11.

SW51#ping 2001:DB8:10:10::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:10:10::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/20 ms
SW51#ping 2001:DB8:10:11::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:10:11::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
SW51#ping 2001:DB8:10:12::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:10:12::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms

 

IPv6 – Advanced EIGRPv6 – Summarization:

We want to make sure that the 3 IPv6 prefixes configure on SW11 (2001:0db8:10:10:: /64, 2001:0db8:10:11:: /64 and 2001:0db8:10:12:: /64) are sent as a summary route to R1 and to the rest of the network.

 

To achieve this, I need to make sure that I get the proper summary address.

Our 3 IPv6 addresses are different on the 4th 16bit field.

Using calculator in programmer mode we change the hex in binary which gives us:

Hex 10 = 0000000000001000 bin

Hex 11 = 0000000000010001 bin

Hex 12 = 0000000000010010 bin

 

In green I add the last bit with 0s to reflect the 16bits.

So the first 14th bits are the same.

The first three hextets are the same and in the 4th octet we have 11 bits the same, our mask will be /59  and our summary address will be 2001:0db8:10:10::

 

Let’s configure that, but first here is the route seen on SW51.

SW51#sh ipv6 route  2001:DB8:10:10::
Routing entry for 2001:DB8:10:10::/64
  Known via "eigrp 100", distance 90, metric 358656, type internal
  Route count is 1/1, share count 0
  Routing paths:
    FE80::A8BB:CCFF:FE00:520, Ethernet0/0
      Last updated 00:35:41 ago

SW51#sh ipv6 route  2001:DB8:10:11::
Routing entry for 2001:DB8:10:11::/64
  Known via "eigrp 100", distance 90, metric 358656, type internal
  Route count is 1/1, share count 0
  Routing paths:
    FE80::A8BB:CCFF:FE00:520, Ethernet0/0
      Last updated 00:35:45 ago

SW51#sh ipv6 route  2001:DB8:10:12::
Routing entry for 2001:DB8:10:12::/64
  Known via "eigrp 100", distance 90, metric 358656, type internal
  Route count is 1/1, share count 0
  Routing paths:
    FE80::A8BB:CCFF:FE00:520, Ethernet0/0
      Last updated 00:35:48 ago

 

Here is the summarization configuration on SW11. Note that EIGRPv6 summarization is configured under the af-interface when using EIGRP named mode.

SW11(config)#router eigrp EIGRP-100
SW11(config-router)# address-family ipv6 unicast autonomous-system 100
SW11(config-router-af)#af-interface eth 0/0
SW11(config-router-af-interface)#summary-address 2001:0db8:10:10::/59

 

On SW51, we can see that the 3 routes are now seen via the summary address.

SW51#sh ipv6 route  2001:DB8:10:10::
Routing entry for 2001:DB8:10::/59
  Known via "eigrp 100", distance 90, metric 358656, type internal
  Route count is 1/1, share count 0
  Routing paths:
    FE80::A8BB:CCFF:FE00:520, Ethernet0/0
      Last updated 00:01:11 ago

SW51#sh ipv6 route  2001:DB8:10:11::
Routing entry for 2001:DB8:10::/59
  Known via "eigrp 100", distance 90, metric 358656, type internal
  Route count is 1/1, share count 0
  Routing paths:
    FE80::A8BB:CCFF:FE00:520, Ethernet0/0
      Last updated 00:01:15 ago

SW51#sh ipv6 route  2001:DB8:10:12::
Routing entry for 2001:DB8:10::/59
  Known via "eigrp 100", distance 90, metric 358656, type internal
  Route count is 1/1, share count 0
  Routing paths:
    FE80::A8BB:CCFF:FE00:520, Ethernet0/0
      Last updated 00:01:18 ago

 

 

IPv6 – Advanced EIGRPv6 – Prefix filtering:

 

What we want to achieve here is that vlan 51 prefix (2001:0db8:30:11:: /64) from SW51 is not advertised to the rest of the network.

At this time, from SW11, the route to 2001:0db8:30:11:: /64 looks like that.

SW1#sh ipv6 route 2001:0db8:30:11::
Routing entry for 2001:DB8:30:11::/64
  Known via "eigrp 100", distance 90, metric 358656, type internal
  Route count is 1/1, share count 0
  Routing paths:
    FE80::A8BB:CCFF:FE00:320, Ethernet0/0
      Last updated 00:43:36 ago

 

Let’s perform the configuration on R5.

I first configure a prefix-list that match the vlan 51 prefix.

R5(config)#ipv6 prefix-list FROM_SW51-VLAN51 deny 2001:0db8:30:11::/64
R5(config)#ipv6 prefix-list FROM_SW51-VLAN51 permit ::/0 le 128

 

Then we use this prefix-list under the EIGRPv6 process.

R5(config)#router eigrp EIGRP-100
R5(config-router)#address-family ipv6 unicast autonomous-system 100
R5(config-router-af)#topology base
R5(config-router-af-topology)#distribute-list prefix-list FROM_SW51-VLAN51 in

 

After applying the prefix-list, we are no longer seeing the route on SW11.

SW11#sh ipv6 route 2001:0db8:30:11::
% Route not found

 

 

IPv6 – Advanced EIGRPv6 – Default routing:

 

Let’s check out all the EIGRPv6 routes received on SW31.

SW31#sh ipv6 route eigrp
IPv6 Routing Table - default - 20 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2
       IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP external
       ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
D   2001:DB8:1::/126 [90/332800]
     via FE80::A8BB:CCFF:FE00:111, Ethernet0/0
D   2001:DB8:1::4/126 [90/307200]
     via FE80::A8BB:CCFF:FE00:111, Ethernet0/0
D   2001:DB8:1::8/126 [90/307200]
     via FE80::A8BB:CCFF:FE00:111, Ethernet0/0
D   2001:DB8:1::C/126 [90/307200]
     via FE80::A8BB:CCFF:FE00:111, Ethernet0/0
D   2001:DB8:1::10/126 [90/332800]
     via FE80::A8BB:CCFF:FE00:111, Ethernet0/0
D   2001:DB8:1::14/126 [90/307200]
     via FE80::A8BB:CCFF:FE00:111, Ethernet0/0
D   2001:DB8:1::18/126 [90/332800]
     via FE80::A8BB:CCFF:FE00:111, Ethernet0/0
D   2001:DB8:10::/59 [90/333056]
     via FE80::A8BB:CCFF:FE00:111, Ethernet0/0
D   2001:DB8:10:2::/124 [90/332800]
     via FE80::A8BB:CCFF:FE00:111, Ethernet0/0
D   2001:DB8:20:10::/64 [90/332800]
     via FE80::A8BB:CCFF:FE00:111, Ethernet0/0
D   2001:DB8:20:11::/64 [90/332800]
     via FE80::A8BB:CCFF:FE00:111, Ethernet0/0
D   2001:DB8:30:2::/124 [90/332800]
     via FE80::A8BB:CCFF:FE00:111, Ethernet0/0
D   2001:DB8:30:10::/64 [90/333056]
     via FE80::A8BB:CCFF:FE00:111, Ethernet0/0

 

Because of our topology, there is no need to SW31 to receive all the EIGRP routes from his neighbor.

We can replace all those entries by a single default route.

 

Configuration will take place on R3. We will use a summary address to get this done.

R3(config)#router eigrp EIGRP-100
R3(config-router)# address-family ipv6 unicast autonomous-system 100
R3(config-router-af)#af-interface Eth 1/1
R3(config-router-af-interface)#summary-address ::/0

 

On SW31, we now received only one EIGRP route.

SW31#sh ipv6 route eigrp
IPv6 Routing Table - default - 8 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2
       IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP external
       ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
D   ::/0 [90/307200]
     via FE80::A8BB:CCFF:FE00:111, Ethernet0/0

 

From SW31, I can reach SW11 vlan 10 IPv6 address.

SW31#ping 2001:DB8:10:10::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:10:10::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

 

IPv6 – Advanced EIGRPv6 – Summarization and leak-map:

Let’s say that we still want to receive SW11 vlan10 prefix (2001:DB8:10:10::1/64) in the routing table of SW31.

We can use a leak map in conjunction with our summarization.

 

Configuration should still take place on R3.

We first configure a route map.

R3(config)#ipv6 access-list SW31_LEAKMAP
R3(config-ipv6-acl)#permit ipv6 2001:DB8:10:10::/64 any
R3(config)#route-map RM_SW31_LEAKMAP permit
R3(config-route-map)#match ipv6 address SW31_LEAKMAP

 

Then we apply the router map under the EIGRPv6 configuration.

R3(config)#router eigrp EIGRP-100
R3(config-router)# address-family ipv6 unicast autonomous-system 100
R3(config-router-af)#af-interface Ethernet1/1
R3(config-router-af-interface)#summary-address ::/0 leak-map RM_SW31_LEAKMAP

 

On SW31, we receive now a default route and the specific route to SW11 vlan10.

SW31#sh ipv6 route eigrp
IPv6 Routing Table - default - 9 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2
       IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP external
       ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
D   ::/0 [90/307200]
     via FE80::A8BB:CCFF:FE00:111, Ethernet0/0
D   2001:DB8:10:10::/64 [90/333056]
     via FE80::A8BB:CCFF:FE00:111, Ethernet0/0

 

 

IPv6 – Advanced EIGRPv6 – Authentication:

 

I want to make sure that the neighboring between the backbone routers (R2, R3, R4, R5) is secure so that no other devices can interfere with it.

 

To do so, I will configure EIGRPv6 authentication between those routers.

EIGRPv6 authentication can be configured using a key-chain and md5 like for EIGRP IPv4.

 

However there is a more secure way to configure it when using EIGRP named mode.

That’s what I’m going to configure.

 

Here is the configuration on R2.

R2(config)#router eigrp EIGRP-100
R2(config-router)#address-family ipv6 unicast autonomous-system 100
R2(config-router-af)#af-interface eth0/0
R2(config-router-af-interface)#authentication mode hmac-sha-256 CISCO
R2(config-router-af)#af-interface Eth 0/2
R2(config-router-af-interface)#authentication mode hmac-sha-256 CISCO

 

On R3, instead of activating authentication on the interfaces one-by-one, we can also configure it by default and then remove the interfaces that we don’t want to have authentication on.

R3(config)#router eigrp EIGRP-100
R3(config-router)#address-family ipv6 unicast autonomous-system 100
R3(config-router-af)#af-interface default
R3(config-router-af-interface)#authentication mode hmac-sha-256 CISCO

R3(config-router-af)#af-interface Eth 0/0
R3(config-router-af-interface)#no authentication mode
R3(config-router-af)#af-interface Ethernet1/1
R3(config-router-af-interface)#no authentication mode

 

On R3 we still get all our IPv6 neighbors.

R3#sh ipv6 eigrp neigh
EIGRP-IPv6 VR(EIGRP-100) Address-Family Neighbors for AS(100)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
3   Link-local address:     Et0/2                    10 00:00:48    1   100  0  10
    FE80::A8BB:CCFF:FE00:410
2   Link-local address:     Et0/1                    10 00:02:08   11   100  0  14
    FE80::A8BB:CCFF:FE00:200
1   Link-local address:     Et0/0                    10 00:03:11    6   100  0  87
    FE80::A8BB:CCFF:FE00:310
0   Link-local address:     Et1/0                    11 00:03:12    6   100  0  33

 

 

Well that’s it for EIGRPv6.

I hope this post has been informative.

Thank you for reading.

 

Check out my previous IPv6 posts:

IPv6 – The beginning – Addressing plans and adresses configuration

IPv6 – The beginning – Basic configuration –address assignment SLAAC/DHCPv6

IPv6 – Routing – OSPFv3

IPv6 – Routing – EIGRPv6

 

 

IPv6 – Advanced EIGRPv6

Leave a Reply

Your email address will not be published.