routing – Sass Learns (https://sassenachlearns.com/)

The Impact of EIGRP on Network Security: What You Need to Know
https://sassenachlearns.com/2023/06/25/the-impact-of-eigrp-on-network-security-what-you-need-to-know/
Sun, 25 Jun 2023 13:16:51 +0000

In the world of computer networking, security is a critical concern. As networks become more complex and interconnected, ensuring data confidentiality, integrity, and availability is of utmost importance. One protocol that plays a significant role in network security is the Enhanced Interior Gateway Routing Protocol (EIGRP). Understanding the impact of EIGRP on network security is crucial for network administrators and security professionals alike. This article will delve into the key aspects of EIGRP and its implications for network security.

EIGRP is a routing protocol developed by Cisco Systems and is widely used in enterprise networks. It is known for its advanced features, scalability, and fast convergence time. EIGRP operates within an autonomous system (AS) and uses the Diffusing Update Algorithm (DUAL) to calculate the best path for routing traffic. While EIGRP primarily focuses on optimizing network performance and efficiency, its design and functionality affect network security.

One of the key security benefits of EIGRP is its support for authentication. EIGRP provides a mechanism for securing routing updates and preventing unauthorized access to routing information. Network administrators can ensure that only trusted routers can participate in EIGRP routing exchanges by implementing authentication. This helps mitigate the risk of rogue routers or unauthorized devices influencing the routing decisions within the network.

Another important aspect of EIGRP’s impact on network security is its interaction with other security measures, such as access control lists (ACLs) and firewall policies. EIGRP allows network administrators to define filters and distribute access lists to control which routes are advertised or accepted by neighbouring routers. By selectively filtering routes based on various criteria, administrators can implement granular control over the flow of network traffic, improving security by limiting the exposure of sensitive information.

Moreover, EIGRP supports using Virtual Private Networks (VPNs) for secure communication between geographically dispersed networks. By leveraging EIGRP with VPN technologies, organizations can create secure tunnels over public or untrusted networks, ensuring the confidentiality and integrity of data transmitted between sites. This capability is particularly valuable for businesses with branch offices or remote locations that need to exchange sensitive information securely.

However, it is crucial to note that while EIGRP offers certain security features, it is not a comprehensive security solution on its own. Network security requires a layered approach that includes multiple measures, such as encryption, intrusion detection and prevention systems (IDPS), and regular security audits. EIGRP should be viewed as one piece of the overall security puzzle, complementing other security measures to establish a robust and resilient network infrastructure.

To maximize the security benefits of EIGRP, network administrators should follow the best practices and guidelines recommended by networking and security experts. These include implementing strong authentication mechanisms, regularly updating access control policies, and staying up to date with security advisories and patches released by vendors.

In conclusion, EIGRP plays a significant role in network security by providing authentication mechanisms, supporting access control, and facilitating secure communication through VPNs. Understanding the impact of EIGRP on network security is vital for network administrators and security professionals to build and maintain secure network infrastructures. However, it is important to remember that network security is a holistic endeavour, requiring a combination of technologies, practices, and vigilant monitoring to protect against evolving threats effectively.
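
A configuration audit for the authentication point made in this article, as an added example (not code from the original post): it flags non-passive EIGRP interfaces that lack `ip authentication mode eigrp` or that reference an undefined key chain. It assumes classic-mode IOS syntax; the sample configuration, addresses, AS number and key-chain names are constructed.

```python
import ipaddress

# Constructed sample: classic-mode EIGRP on IOS. Addresses, AS number and
# key-chain names are invented for this example.
SAMPLE_CONFIG = """\
key chain EIGRP-KEYS
 key 1
  key-string example-placeholder
!
interface GigabitEthernet0/0
 ip address 10.0.12.1 255.255.255.252
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
!
interface GigabitEthernet0/1
 ip address 10.0.13.1 255.255.255.252
!
interface GigabitEthernet0/2
 ip address 10.0.14.1 255.255.255.252
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 MISSING-CHAIN
!
interface GigabitEthernet0/3
 ip address 10.0.50.1 255.255.255.0
!
router eigrp 100
 network 10.0.0.0 0.0.255.255
 passive-interface GigabitEthernet0/3
"""

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def covered(ip, network, wildcard):
    """True if ip matches an EIGRP 'network <addr> <wildcard>' statement."""
    care_bits = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(ip) ^ _to_int(network)) & care_bits == 0

def parse(config):
    """Collect key chains, per-interface settings and EIGRP processes."""
    chains, ifaces, procs = set(), {}, {}
    kind, cur = None, None
    for raw in config.splitlines():
        w = raw.split()
        if not w or w[0] == "!":
            continue
        if not raw[0].isspace():  # an unindented line opens a new section
            kind, cur = None, None
            if w[:2] == ["key", "chain"] and len(w) == 3:
                chains.add(w[2])
            elif w[0] == "interface" and len(w) == 2:
                kind = "interface"
                cur = ifaces.setdefault(w[1], {"ip": None, "mode": set(), "chain": {}})
            elif w[:2] == ["router", "eigrp"] and len(w) == 3:
                kind = "eigrp"
                cur = procs.setdefault(w[2], {"networks": [], "passive": set()})
        elif kind == "interface":
            if w[:2] == ["ip", "address"] and len(w) == 4:
                cur["ip"] = w[2]
            elif w[:4] == ["ip", "authentication", "mode", "eigrp"] and len(w) == 6:
                cur["mode"].add(w[4])          # AS number the mode applies to
            elif w[:4] == ["ip", "authentication", "key-chain", "eigrp"] and len(w) == 6:
                cur["chain"][w[4]] = w[5]      # AS number -> key-chain name
        elif kind == "eigrp":
            if w[0] == "network" and len(w) == 3:
                cur["networks"].append((w[1], w[2]))
            elif w[0] == "passive-interface" and len(w) == 2:
                cur["passive"].add(w[1])
    return chains, ifaces, procs

def audit(config):
    """Return sorted (interface, AS, problem) tuples for EIGRP-speaking interfaces."""
    chains, ifaces, procs = parse(config)
    findings = []
    for asn, proc in procs.items():
        for name, itf in ifaces.items():
            if itf["ip"] is None or name in proc["passive"]:
                continue  # passive interfaces form no adjacencies
            if not any(covered(itf["ip"], n, wc) for n, wc in proc["networks"]):
                continue  # interface is not enabled for this EIGRP process
            if asn not in itf["mode"]:
                findings.append((name, asn, "no authentication mode"))
            elif asn not in itf["chain"]:
                findings.append((name, asn, "no key chain attached"))
            elif itf["chain"][asn] not in chains:
                findings.append((name, asn, "key chain not defined"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding, sep=": ")
```

Named-mode EIGRP, `passive-interface default` and classful `network` statements without a wildcard are outside what this parser handles.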

What is the difference between interior gateway protocols and exterior gateway protocols?
https://sassenachlearns.com/2023/06/13/what-is-the-difference-between-interior-gateway-protocols-and-exterior-gateway-protocols/
Tue, 13 Jun 2023 15:46:05 +0000

The main difference between interior gateway protocols (IGPs) and exterior gateway protocols (EGPs) lies in the scope and purpose of their routing operations within a network.

Interior Gateway Protocols (IGPs)

IGPs are used for routing within an autonomous system (AS) or an internal network. They help routers exchange routing information and make routing decisions within the boundaries of the AS. Some common IGPs include Routing Information Protocol (RIP), Open Shortest Path First (OSPF), and Intermediate System to Intermediate System (IS-IS). IGPs are typically used to facilitate communication and routing between routers within a single organization or network.

Key characteristics of IGPs:

  1. Used for routing within a single autonomous system or internal network.
  2. Exchange routing information between routers within the same network domain.
  3. Typically focus on factors such as shortest path or link cost when making routing decisions.
  4. Examples include RIP, OSPF, IS-IS.

Exterior Gateway Protocols (EGPs)

EGPs, on the other hand, are used for routing between autonomous systems (ASes) or different networks operated by separate organizations. Their primary purpose is to exchange routing information between different ASes on the internet. The most widely used EGP is the Border Gateway Protocol (BGP), which enables routers to exchange routing information across multiple networks and make routing decisions that span across AS boundaries.

Key characteristics of EGPs:

  1. Used for routing between autonomous systems or different networks.
  2. Exchange routing information between routers in different ASes.
  3. Focus on factors such as AS path, policies, and external reachability when making routing decisions.
  4. Examples include Border Gateway Protocol (BGP).

In summary, IGPs are employed for internal routing within a network or autonomous system, while EGPs are used for routing between autonomous systems or different networks. The scope, routing decision factors, and the protocols used are the primary distinctions between these two types of gateway protocols.

OSPF Areas: The Totally Stubby Area
https://sassenachlearns.com/2017/10/18/ospf-areas-the-totally-stubby-area/
Wed, 18 Oct 2017 21:59:00 +0000

I just had a break after finishing the Stub Area lab. Yeah, I ate a lot today. One whole chicken chop with Naples’s aglio e olio, crunchy pork knuckle, bitter gourd salad, and banana shake. After a heavy meal, I became drowsy. Then, I sipped 2 cups of Cafe Latte. And, I think I am back. I’m good and I can still count from 1 to 10.

We are back with the OSPF areas discussion, and this time we will tackle the Totally Stubby Area. You have to pronounce it right though, if you know what I mean.

A Totally Stubby Area is a Cisco proprietary feature which works like a Stub Area but is a stricter area type. Where a Stub Area does not allow certain LSA Types like Type 4 and Type 5 LSAs, a Totally Stubby area does not allow them either, and blocks Type 3 LSAs too. The result is an even smaller routing table.

To configure a Totally Stubby area, we have to add the “no-summary” keyword after the “stub” command. This should be done on the ABR only and not on the routers inside the Totally Stubby area. Since my ABR is the Anopheles router, I am going to do it here, and Aedes stays with my previously configured “stub” command.

Anopheles#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Anopheles(config)#router ospf 2
Anopheles(config-router)#area 20 stub no-summary
Anopheles(config-router)#end
Anopheles#

Anopheles#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Anopheles(config)#router ospf 2
Anopheles(config-router)#area 20 stub
Anopheles(config-router)#end
Anopheles#

Stub and Totally Stubby Area: show ip route

On the left is the Stub area result when doing show ip route, while on the right is the result right after we configured it as a Totally Stubby area. What did you notice in the routing table? There are no Inter-Area (IA) routes or Type 3 LSAs. They have been replaced with the default route going to the Anopheles router.

Let’s check the difference between a Stub and Totally Stub database:

Stub and Totally Stub: show ip ospf database

Totally Stub restricts Type 3 LSAs and only allows a default route. The 192.168.1.0, 192.168.2.0 and 192.168.12.0 networks are gone and all that’s left is the default route.

The routing table of Anopheles shows no difference.

Stub and Totally Stubby area: show ip route

Looking at the database, there is a change like the one that happened on the Aedes router. Of course, they have the same database because they are in the same area.

Stub and Totally Stubby area: show ip ospf database

Let’s check how we can confirm that the area type is Totally Stubby area:

Totally Stubby area: show ip ospf

Aedes is still showing as a stub area, but the Totally Stubby area can be identified on Anopheles. It also shows as a Stub area, but with no summary LSAs, which confirms that our area 20 is a Totally Stubby area.

LSA Types Allowed: Type 1 and Type 2
LSA Types Not Allowed: Type 3, Type 4 and Type 5

OSPF Areas: Not-So-Stubby Area (NSSA)
https://sassenachlearns.com/2017/10/18/ospf-areas-not-so-stubby-area-nssa/
Wed, 18 Oct 2017 18:31:00 +0000

Do you know about Sergeant Stubby? He was a famous dog of high rank who was commissioned to serve in the infantry division of the US in the first World War ever in history. Though he was born a year or two before the Great War ended, it was said that he had served for 18 months as a war dog. At a young age, he had faced several battles on the field. Like any other man on the field, he got wounded a lot of times, like a foreleg injury due to German hand grenades.

Our topic for today is not about Sergeant Stubby but how a Stub network can be not so stubby. Isn’t it exciting?

A Not-So-Stubby Area (NSSA) behaves like a Stub area. It allows Inter-Area (O IA), Intra-Area, and default routes. LSA Type 1, Type 2 and Type 3 are allowed but, unlike the Stub area, External LSAs are allowed in an NSSA area. An External LSA in an NSSA area does not use a Type 5 LSA but a Type 7 LSA. Type 7 LSA tricks the OSPF area but in fact, it is the same as a Type 5 LSA. Type 5 LSAs cannot propagate through an NSSA area, and in order to do that a Type 5 to Type 7 translation (and vice versa) is done by the ABR. Thus, it allows routes to be redistributed from an ASBR into that area with the use of Type 7 LSAs.

If a router in your Stub network needs to be connected to a new external network, then you need to configure the area as NSSA. As discussed in my previous post, a Stub network will not be able to redistribute the routes as External LSAs.

OSPF Not-So-Stubby (NSSA) Area

Let us redistribute Loopback 30 into Aedes and assign both Aedes and Anopheles to the NSSA network.

Aedes(config)#router ospf 3
Aedes(config-router)#no area 20 stub
Aedes(config-router)#area 20 nssa
Aedes(config-router)#area 20 nssa
Aedes(config-router)#redistribute connected subnets
Aedes(config-router)#end

Anopheles#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Anopheles(config)#router ospf 2
Anopheles(config-router)#no area 20 stub
Anopheles(config-router)#area 20 nssa

Now that we have done the redistribution, the routing table and database for Culex have changed:

Culex: show ip route

Culex learned external network 172.30.200.0 via Anopheles and tagged it as O E2 in the routing table. OSPF External Type 2 metric is the default since we did not configure it manually.

Not-So-Stubby Area (NSSA): show ip ospf database

And finally, we got Type 5 LSA in the Culex routing table with 192.168.2.1 (Anopheles router ID) as the advertising router.

Let’s check what happened to Anopheles routing table and database.

Not-So-Stubby Area (NSSA): show ip route

It has learned the external network 172.30.200.0 and tagged it as “O N2.” In Culex, it is tagged as “O E2” because the router is not in NSSA Area, unlike Anopheles.

The Anopheles database should match exactly with Culex and Aedes.

Not-So-Stubby Area (NSSA): show ip ospf database

Going to Aedes, let us check the routing table and the database.

Not-So-Stubby Area (NSSA): show ip route

It has the same routing table as when we configured it as a stub. However, notice that there is no default route for Inter-Area. Why is no default route injected into the Aedes router automatically, like what Stub does? It is how OSPF NSSA is designed. You can never argue if it is really how it is designed. However, this opens up another big discussion, as it is all about OSPF route preference, which is the way OSPF calculates SPF and chooses the best path. For now, let it be like that, but if you still insist on having the default route, you can explicitly enter this command on the ABR:

Anopheles(config)#router ospf 2
Anopheles(config-router)#area 20 nssa default-information originate

Not-So-Stubby Area (NSSA): sh ip ospf database

As you can see, there is no Type 5 LSA but only Type 7 LSA. Its database is exactly the same as Anopheles.

LSA Types Allowed: Type 1, Type 2, Type 3, Type 7
LSA Types Not Allowed: Type 5

OSPF Areas: Totally Not-So-Stubby Area (NSSA)
https://sassenachlearns.com/2017/10/18/ospf-areas-totally-not-so-stubby-area-nssa/
Wed, 18 Oct 2017 18:28:00 +0000

The last OSPF area that we will tackle is the Totally Not-So-Stubby Area (Totally NSSA). NSSA, like the Stub area, has two flavours: one that is regular NSSA and the other one that is Totally NSSA. It is configured the same way as the Totally Stubby area, where you configure it on the ABR.

I will use the same lab in my previous post. I just changed the configuration on the Anopheles router and put the “no-summary” command.

Anopheles#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Anopheles(config)#router ospf 2
Anopheles(config-router)#area 20 nssa no-summ
Anopheles(config-router)#area 20 nssa no-summary
Anopheles(config-router)#end

Aedes(config)#router ospf 3
Aedes(config-router)#no area 20 stub
Aedes(config-router)#
Aedes(config-router)#area 20 nssa

It would be better to check the differences between NSSA and Totally NSSA using the before and after output of the NSSA configuration.

NSSA and Totally NSSA: show ip route

Unlike NSSA, Totally NSSA, once configured on the ABR, will automatically inject the default route to advertise Type 3 LSAs. So, there is no need to explicitly configure it. Am I repeating the same thing?

NSSA and Totally NSSA: show ip ospf database

Just like what happened in the Totally Stubby Area database, Type 3 LSAs are restricted and all that is left is the Type 1 LSA, Type 7 LSA and the default route advertised by 192.168.2.1.

LSA Types Allowed: Type 1, Type 2
LSA Types Not Allowed: Type 7

My posts regarding OSPF Area types are not yet done. If you take a closer look, there are many things that I haven’t touched or clarified yet. For example, if you check the database output, why are some LSAs missing even though they are allowed in this kind of area? This is going to be another discussion in my future posts.

OSPF Areas: The OSPF Stub Area
https://sassenachlearns.com/2017/10/17/ospf-areas-the-ospf-stub-area/
Tue, 17 Oct 2017 21:54:00 +0000

A Stub Area is usually configured when there is only a single exit point on the network. It is like the dead-end of the OSPF network. This type of OSPF area only allows Inter-Area, Intra-Area and default routes from ABRs. Thus, LSA Type 1, Type 2 and Type 3 are allowed to enter. It restricts LSA Type 5 from entering its zone. Recall the LSA Types from my previous post. LSA Type 5 is the External LSA advertised by the ASBR. Routers configured as “stub” don’t care about external routes. Thus, you cannot see any O E1 or E2 in the routing table of the routers within the Stub area. Since it doesn’t bother to know LSA Type 5, there is no sense in knowing about LSA Type 4. As simple as it is, you cannot create a virtual link in a Stub Area and there is no ASBR either.

It is very easy to understand the Stub Area if you are going to configure and apply it in the laboratory. A few years ago, what I did was just memorize the concepts of the OSPF Stub Area. But after being away from the Academy for so long, my own brain failed to store my memories about it. As we all know, the brain is flexible in storing lots and lots of information about what you’ve learned, experienced, your everyday life since birth, and so on. However, it is not a reliable storage, most especially if you are not doing it every day (and it is not quite memorable enough to be remembered).

One day, I was asked by an Erudite about the Stub Area.

“What is that again?” I asked my brain.

My brain whispered, “Uhm… I don’t know… I think there is nothing special on it.”

“What on bits-and-bytes!”

Analyzing the routing table and the result after configuration will help you understand the Stub area better than reading it a hundred times.

OSPF Stub Area

Assuming that you have configured the interfaces and the OSPF adjacencies are established on each router, let us configure Aedes router and Anopheles router as part of the Stub Area:

Aedes#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Aedes(config)#router ospf 3
Aedes(config-router)#area 20 stub
Aedes(config-router)#end


Anopheles#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Anopheles(config)#router ospf 2
Anopheles(config-router)#area 20 stub
Anopheles(config-router)#end
Anopheles#

Easy?

Now, this is the fun part. Let’s take a look at the routing tables of each router before and after we configure Aedes and Anopheles routers as stub.

Culex: show ip ospf neighbor and show ip route

The output above is captured from Culex. Culex’ neighborship with Anopheles is still up. The loopback network address of Anopheles, 192.168.2.0 (appearing as “O”), is learned by Culex through the directly connected interface address 192.168.12.2 of Anopheles. The Aedes network 192.168.3.0 and the 192.168.23.0 network configured between Aedes and Anopheles appeared as “O IA” before and after Aedes and Anopheles were configured as a Stub Area. Therefore, since Culex is in Area 0 and not configured as part of the Stub Area, its routing table did not change after I configured the Aedes and Anopheles routers as part of the Stub network.

The same goes with its database:

Culex: show ip ospf database

Router Link State (LSA Type 1) shows router IDs of Culex and Anopheles, while the Summary Net (LSA Type 3) shows the 192.168.3.0 and 192.168.23.0 network being generated and advertised by Anopheles.

Culex: show ip ospf database

If you are thinking that there are some changes on the Anopheles router, well, there are none in the routing table and OSPF adjacencies.

Anopheles: show ip ospf neighbor and show ip route

Before and after screenshot shows that Anopheles is still converged with Culex and Anopheles and the routing table still shows that there are 3 directly connected links and 2 OSPF neighbors (192.168.1.0 and 192.168.3.0).

However, the Anopheles database has changed. The Summary Net Link States (LSA Type 3) now shows the default route 0.0.0.0 being advertised to the Aedes router.

Anopheles: show ip ospf database

Looking at the Aedes router, though the neighborship is still the same, its routing table is changed after it was configured as part of Stub Area network. A Type 3 LSA is injected into the area by Anopheles to act as a default route. This allows Aedes to connect to other routers outside the stub area.

Aedes: show ip ospf neighbor and show ip route
Aedes: show ip ospf database

Lastly, what did you notice on the database of each router? Aren’t they the same?

Anopheles, since it is the ABR, has the database of both Area 0 and Area 20. It has the same database with Culex in Area 0 and same database with Aedes in Area 23. We, therefore, conclude, that it is true that OSPF maintains the same database in each area. Amazing, right?
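
A small model of what the ABR does for each area type covered in the Stub, Totally Stubby, NSSA and Totally NSSA posts, as an added example (not from the original posts): it computes which Type 3, 4, 5 and 7 LSAs the ABR places in the area and what it translates back out, following the database output those posts describe. The router ID given to Aedes and the remote Type 5 LSA are constructed; the other prefixes and the Anopheles router ID come from the posts.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LSA:
    lsa_type: int     # LSA type number (3, 4, 5 or 7 in this model)
    link_id: str      # prefix, or the ASBR router ID for a Type 4 LSA
    adv_router: str   # router ID of the advertising router

ABR_ID = "192.168.2.1"          # Anopheles, the ABR for area 20 in the posts
DEFAULT = "0.0.0.0"
STUB_LIKE = {"stub", "totally-stubby"}
NSSA_LIKE = {"nssa", "totally-nssa"}
TOTALLY = {"totally-stubby", "totally-nssa"}

def abr_into_area(area_type, inter_area_prefixes, type5_lsas, nssa_default=False):
    """LSAs the ABR places in the area's database. Types 1 and 2 never
    leave their own area, so they are not modelled here."""
    if area_type != "normal" and area_type not in STUB_LIKE | NSSA_LIKE:
        raise ValueError(f"unknown area type: {area_type}")
    lsas = []
    if area_type not in TOTALLY:
        # Type 3 summaries are originated by the ABR itself ("no-summary" stops this).
        lsas += [LSA(3, prefix, ABR_ID) for prefix in inter_area_prefixes]
    if area_type == "normal":
        # Type 4 tells the area how to reach each ASBR; Type 5 is flooded unchanged.
        for asbr in sorted({lsa.adv_router for lsa in type5_lsas}):
            lsas.append(LSA(4, asbr, ABR_ID))
        lsas += list(type5_lsas)
    if area_type in STUB_LIKE or area_type == "totally-nssa":
        lsas.append(LSA(3, DEFAULT, ABR_ID))   # default route injected automatically
    elif area_type == "nssa" and nssa_default:
        lsas.append(LSA(7, DEFAULT, ABR_ID))   # "area 20 nssa default-information originate"
    return lsas

def abr_out_of_area(area_type, type7_lsas):
    """Type 7 to Type 5 translation for the rest of the OSPF domain.
    Simplification: every Type 7 LSA is treated as eligible for translation."""
    if area_type not in NSSA_LIKE:
        return []   # no ASBR, and so no external LSAs, inside a stub area
    return [LSA(5, lsa.link_id, ABR_ID) for lsa in type7_lsas]

# Inter-area prefixes named in the Totally Stubby post.
INTER_AREA = ["192.168.1.0", "192.168.2.0", "192.168.12.0"]
# Constructed: an external route from an ASBR elsewhere in the domain.
REMOTE_TYPE5 = [LSA(5, "203.0.113.0", "198.51.100.1")]
# Prefix from the NSSA post; the Aedes router ID is an assumed value.
AEDES_TYPE7 = [LSA(7, "172.30.200.0", "192.168.3.1")]

if __name__ == "__main__":
    for area in ("normal", "stub", "totally-stubby", "nssa", "totally-nssa"):
        print(area)
        for lsa in abr_into_area(area, INTER_AREA, REMOTE_TYPE5):
            print(f"  in : Type {lsa.lsa_type} {lsa.link_id} adv {lsa.adv_router}")
        for lsa in abr_out_of_area(area, AEDES_TYPE7):
            print(f"  out: Type {lsa.lsa_type} {lsa.link_id} adv {lsa.adv_router}")
```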

The OSPF Area Types
https://sassenachlearns.com/2017/10/17/the-ospf-area-types/
Tue, 17 Oct 2017 21:37:00 +0000

OSPF Area Types

According to Cisco, an OSPF area is a collection of logical OSPF networks (routers and links) that have the same area identification. Depending upon the design of your network, your routers can be part of a single area or multiple areas. Why do we have to complicate things and put the routers in different areas? Actually, there are many reasons, and one of them is that dividing an OSPF network into different areas reduces the size of the OSPF database. Think of it this way: dividing the routers into different areas reduces the size of the database, reduces the frequency of SPF calculation and results in a smaller routing table. Thus, there are fewer requirements on router memory and CPU. I am not saying that SPF calculation is exhausting the CPU and router memory, but the sending and flooding of the new topology information does.

OSPF AREA TYPES

Normal Area
Stub Area
Totally Stubby Area
Not-So-Stubby-Area (NSSA)
Totally Not-So-Stubby Area (NSSA)

No matter what your OSPF design is, all areas you have created should be connected to the backbone area. The backbone area, or Area 0 (0.0.0.0), is like the meeting point of all these non-backbone areas. So, it is not just an option or recommendation but a must in every OSPF network design. Although there is an option called virtual link, it is not a good network design but just a remedy to a broken OSPF design.

Now, not all LSA Types are allowed in different areas. Some LSA Types are restricted, depending upon which area type is configured. This further reduces the link state database and routing tables. Injecting too many external routes is also memory intensive. However, all LSA types are allowed in the Normal area. An area which is not configured as a Stub, Totally Stub, NSSA, or NSSA Totally Stub area is called a Standard/Normal Area. We can say that the backbone area behaves like a Normal/Standard Area, as LSA Types 1-5 are not restricted in this area. When the network is divided into different area numbers (non-zero), an ABR is used to connect the Standard area to the Backbone Area.

In my next post, I will introduce some of the area types which have their own rules for restricting LSA Types.

OSPF Link State Advertisement (LSA) Types
https://sassenachlearns.com/2017/10/16/ospf-link-state-advertisement-lsa-types/
Mon, 16 Oct 2017 21:31:00 +0000

Link State Advertisement (LSA) is the building block of OSPF. You will hear this LSA over and over again when studying or working with OSPF. There are so many LSA Types that are very confusing at first sight. These LSA types are very important pieces to the OSPF LSDB puzzle most especially when configuring OSPF area types.

LSA Type 1: Router LSA
LSA Type 2: Network LSA
LSA Type 3: Summary LSA
LSA Type 4: ASBR Summary LSA
LSA Type 5: External LSA
LSA Type 6: Multicast LSA (MOSPF)
LSA Type 7: NSSA External LSA
LSA Type 8: Link Local LSA for OSPFv3

LSA Type 1, also called the Router LSA, as the name implies, represents the router. Each router within an OSPF area will flood LSA Type 1, and it stays within the area.

The “show ip ospf database” command shows the router ID of the directly connected neighbor and other information about the adjacent routers within the same area. Multiple areas can be seen in an ABR’s OSPF database.

LSA Type 2 or Network LSA is the LSA generated by designated router (DR). It contains information about the DR and lists all routers it is adjacent to. If the Link ID in LSA Type 1 is the router ID, the Link ID in LSA Type 2 is the interface IP address of the designated router. And, like the LSA Type 1, it is flooded between neighbors in the same area. This type of LSA can be seen on NBMA and Broadcast networks where DR/BDR is elected.

LSA Type 3: sh ip ospf database

LSA Type 3 is the ABR Summary LSA. This LSA is generated by the Area Border Routers (ABR) to advertise network from one area to another area. It contains information about inter-area routes. If you see O IA entries in the routing table, these are Type 3 LSAs.

O IA route in the routing tables are Type 3 LSA

Looking at the screenshot above, the O IA are Type 3 LSAs which are advertised by ABR. Aedes is connected to my Anopheles ABR which has a router ID of 192.168.2.1. Take a look at the screenshot below to further check if it is really the Anopheles ABR advertising the Type 3 LSA route 192.168.12.0.

LSA Type 3: O IA routes advertising router

You can check the advertising routers for all OSPF LSA types by utilizing the “show ip ospf database.” You can further add more parameters whether you want to check advertising router of the external, network, summary, router, and other LSA types.

LSA Type 4 is the ASBR Summary LSA. This LSA is generated by the ABR that contains routes to Autonomous System Border Routers (ASBR). It identifies the ASBR IP address and location. Once ABR received information about ASBR, it will advertise LSA Type 4 and inject the route to area 0. Please note that ASBR itself does not generate LSA Type 4 rather it will generate LSA Type 1 regarding its networks.

LSA Type 5 is the External LSA. This LSA is generated by ASBR. ASBR creates a type 5 LSA for a subnet that is injected into OSPF from an external source or via a redistribute command. As it propagates to the network, the advertising router ID, which is the ASBR router ID, is not changed so router uses Type 4 LSA to know how to reach that ASBR. In the routing table, Type 5 LSA are the O E1 and O E2 entries.

LSA Type 6 is called the Multicast LSA, which is not generally in use today since the introduction of OSPFv3. To tell you honestly, I don’t even know how it was used before.

LSA Type 7 is the Not-So-Stubby-Area (NSSA) External LSA. This LSA is generated by the NSSA ASBR. In an NSSA area, external routes are carried as Type 7 LSAs. LSA Type 5 is somewhat the same as LSA Type 7, as they both carry external route information. However, LSA Type 5 is not allowed in stub areas, which is why LSA Type 7 is used as a ploy. LSA Type 7 stays within an NSSA area. In order for routers in other areas to know about the external routes, the NSSA ABR will convert the Type 7 LSA to a Type 5 LSA and flood it into area 0 and the other areas in the OSPF domain. If there are one or two NSSA ABRs, the NSSA ABR which has the highest router ID will be the one to do the translation.

LSA Type 8 is the Link Local LSA for OSPFv3 while LSA Type 9 – 11 are Opaque LSAs. These are OSPF LSA extensions used for MPLS traffic engineering. I haven’t tried to lab these LSA types but I will somehow in the future.

EIGRP Tables and Functions: The EIGRP Neighbor Table
https://sassenachlearns.com/2017/10/10/eigrp-tables-and-functions-the-eigrp-neighbor-table/
Tue, 10 Oct 2017 19:49:00 +0000

EIGRP, like OSPF, has three tables: the Neighbor, Topology and Routing tables. However, don’t be confused, because not all EIGRP tables are built the same way as in OSPF.

The neighbour, topology, and routing tables are very important in implementing and troubleshooting EIGRP. I often neglect the topology and routing table before because what is important to me is that all neighbours are up. But this is not the case especially if you want to progress your learning to a higher Cisco certification level.

Let’s start with the neighbour table.

If you want to know whether you have established adjacency with neighbouring EIGRP router and also to know the uptime, then you go to the neighbour table.

Neighbour table: show ip eigrp neighbor

H – Handle; it is the order in which the EIGRP adjacency is formed. It starts with 0 and so on.

Address – This is your neighbour’s IP address, not the local IP address. Looking at the table it shows that the Nettle router has 2 adjacent neighbours: 192.168.103.3 and 192.168.102.2.

Interface – This is the interface of the neighbour connected.

Hold – this is the hold time value in seconds. This tells how long the router will hold a neighbour if it doesn’t receive a hello. There are two default values: 15 seconds and 180 seconds.  The 15 seconds default value is from the 5-second-hello packet on high bandwidth links like PPP, Ethernet, HDLC, point-to-point ATM and frame-relay subinterfaces, and others greater than T1 circuits. The 180 seconds value is from the 60-second hello packet of slower T1 circuits.

Uptime – It tells how long the local router has established adjacency to its neighbour router.

SRTT – the acronym for Smooth Round Trip Time. Its value is in milliseconds and tells how long it takes for an EIGRP packet to be sent to the neighbour and for the local router to receive an acknowledgement of that packet. In the table, it is showing us the value of 66. It is ok unless the value is 0, because a value of 0 indicates that there are no acknowledgement packets being received.

RTO – short for Retransmission Timeout whose value is also in milliseconds. It tells how long the packet will be retransmitted from the retransmission queue of the neighbour.

Q Cnt – short for Queue Count. It is the number of EIGRP packets whether it is an update packet, query packet or reply packet that the software is waiting to send. On the table, it is showing 0 which means it is good as there are no pending packets in the queue. There is some sort of unidirectional or congestion issue if the Q Cnt value is not decrementing because that means nothing is being received or acknowledged.

Seq Num – it is the sequence number. It is the last used sequence number in which the EIGRP received the last packet.

EIGRP: Successor, Feasible Successor, and Reported Distance
https://sassenachlearns.com/2017/10/10/eigrp-successor-feasible-successor-and-reported-distance/
Tue, 10 Oct 2017 19:37:00 +0000

EIGRP really hates the querying process, so it always prefers to have a backup route in case the link to a destination is unreachable. That backup route is the feasible successor. A feasible successor is a backup path used in the event the successor route disappears. It can be seen in the EIGRP topology table and, because of this, the router doesn’t need to recalculate the metric. It automatically chooses the feasible successor when the successor route fails.

Now that you know the feasible successor, automatically you know what the successor is. The successor is the best route to the destination. Unlike feasible successor that can only be seen in the topology table, it is seen in the routing table. Of course, the routing table has the best routes.

So what is reported distance? Is it the same with advertised distance? Actually, they are just the same. Reported distance / advertised distance is the cost from the next hop router to the destination.

Once you know the reported distance, you’ll find it easy to know the feasible distance (FD). It is the route with the lowest metric in each network. It is the total cost from the local router to the destination.

Since the idea of the successor, feasible distance, reported distance, and the feasible successor is clear to you, let me introduce the feasibility condition. Not all successors have a feasible successor. This is because of the feasibility condition.

Here is the formula:

FC = AD of FS < FD of S

The feasible successor route will not be entered into the topology table if its AD is greater than the FD of the successor.

Let’s take a look at these three routers: Nettle, Porpita, and Cannonball. Let’s verify the FD.

Checking the interfaces:

Nettle# show ip int brief
Porpita#show ip int brief
Cannonball#show ip int brief

What is inside Nettle’s topology?

Nettle#show ip eigrp topology

Let us pick the 192.168.203.0 network. There are 2 routes to go to 192.168.203.0 network. The first route is via the 192.168.102.2 of Porpita on the S2/0 or via the 192.168.103.3 of Cannonball on the s2/1 interface. As you noticed, both have the same FD of 41024000. Both are installed in the topology table and since they have the same FD both will be installed in the routing table.

Nettle#show ip route

Let’s check Cannonball’s topology table:

Look at 192.168.2.0 network. There is no feasible successor for this route. Wonder why? Because the AD of 192.168.203.2 is equal to the FD of 192.168.103.1 which is 40640000. Remember, that in order to become a feasible successor it should meet the feasibility condition where its AD should not be greater than or equal to the successor’s FD. You can see the AD of 192.168.203.2 by using the “show ip eigrp topology 192.168.2.0/30” command.
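
The feasibility condition and the failover behaviour described in this post, as an added example (not from the original post): `classify` splits candidate paths into successors, feasible successors and rejected paths, and `on_successor_loss` shows when the router can switch without querying. The FD values 41024000 and 40640000 and the next-hop addresses come from the post; every other metric and reported distance is constructed, and the failover logic is a simplified reading of the post rather than the full DUAL state machine.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Path:
    next_hop: str
    metric: int  # total cost from the local router through this neighbour
    rd: int      # reported (advertised) distance: the neighbour's own cost

def classify(paths):
    """Return (FD, successors, feasible successors, rejected paths)."""
    fd = min(p.metric for p in paths)                 # feasible distance
    successors = [p for p in paths if p.metric == fd]  # equal-cost best paths
    backups = [p for p in paths if p.metric > fd]
    # Feasibility condition: the neighbour's RD must be strictly below our FD.
    # A neighbour that is closer to the destination than we are cannot be
    # routing through us, so using it as a backup cannot form a loop.
    feasible = sorted((p for p in backups if p.rd < fd), key=lambda p: p.metric)
    rejected = [p for p in backups if p.rd >= fd]
    return fd, successors, feasible, rejected

def on_successor_loss(paths, lost_next_hop):
    """State of the route after the path via lost_next_hop disappears.

    Returns ("passive", next_hop) when another successor or a feasible
    successor can take over at once, or ("active", None) when the router
    has to send queries to its neighbours."""
    _, successors, feasible, _ = classify(paths)
    survivors = [p for p in successors if p.next_hop != lost_next_hop]
    if survivors:
        return ("passive", survivors[0].next_hop)
    if feasible:
        return ("passive", feasible[0].next_hop)
    return ("active", None)

# Nettle to 192.168.203.0: two paths with the same FD (RD values constructed).
NETTLE_TO_203 = [
    Path("192.168.102.2", 41024000, 40512000),
    Path("192.168.103.3", 41024000, 40512000),
]
# Cannonball to 192.168.2.0: the second path's RD equals the FD, so it fails
# the condition (its total metric and the successor's RD are constructed).
CANNONBALL_TO_2 = [
    Path("192.168.103.1", 40640000, 40512000),
    Path("192.168.203.2", 41152000, 40640000),
]
# Fully constructed case with a valid feasible successor.
WITH_BACKUP = [Path("10.0.0.1", 3000, 1000), Path("10.0.0.2", 3500, 2500)]

if __name__ == "__main__":
    for label, paths in (("Nettle", NETTLE_TO_203),
                         ("Cannonball", CANNONBALL_TO_2),
                         ("Constructed", WITH_BACKUP)):
        fd, succ, feas, rej = classify(paths)
        print(label, "FD", fd,
              "successors", [p.next_hop for p in succ],
              "feasible", [p.next_hop for p in feas],
              "rejected", [p.next_hop for p in rej])
        print("  after losing", succ[0].next_hop, "->",
              on_successor_loss(paths, succ[0].next_hop))
```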
