(but also for ATM and ISDN PRI), it is important to understand that all neighbors share the bandwidth equally. That is, EIGRP uses the bandwidth command on the physical interface divided by the number of Frame Relay neighbors connected on that physical interface to calculate the bandwidth attributed to each neighbor. EIGRP configuration should reflect the correct percentage of the actual available bandwidth on the line.

Each installation has a unique topology and requires a unique configuration. Differing CIR values often require a hybrid configuration that blends the characteristics of point-to-point circuits with multipoint circuits.

When configuring multipoint interfaces, configure the bandwidth to represent the minimum CIR multiplied by the number of circuits. This approach may not fully use the higher speed circuits, but it ensures that the circuits with the lowest CIR are not overdriven. If the topology has a small number of very low-speed circuits, these interfaces are typically defined as point-to-point so that their bandwidth can be set to match the provisioned CIR.

2.4 Implementing Advanced EIGRP Features
2.4.9 Configuring EIGRP in a Frame Relay Hub-and-Spoke Topology

As described earlier, you can use the ip bandwidth-percent eigrp as-number percent command to specify the maximum percentage of the bandwidth of an interface that EIGRP will use.

The figure displays a common hub-and-spoke design configuration topology with ten virtual circuits to the ten remote sites (only four of the ten remote sites are shown in the slide). The configurations for routers C and G, using EIGRP AS 200, are also shown.

The circuits are provisioned as 56-kbps links, but there is insufficient bandwidth at the interface to support this allocation. For example, if the hub tries to communicate with all remote sites at the same time, the bandwidth that is required exceeds the available link speed of 256 kbps for the hub: 10 times the CIR of 56 kbps equals 560 kbps.

In a point-to-point topology, all virtual circuits are treated equally. The interfaces and subinterfaces are therefore all configured with a bandwidth equal to one-tenth of the available link speed (25 kbps).

On each interface and subinterface, the EIGRP allocation percentage is raised to 110 percent of the specified bandwidth in an attempt to ensure that EIGRP packets are delivered through the Frame Relay network. This adjustment causes EIGRP packets to receive approximately 28 kbps of the provisioned 56 kbps on each circuit. This extra configuration restores the 50–50 ratio that was tampered with when the bandwidth was set to an artificially low value.
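The hub-and-spoke settings described above, written out as an added configuration sketch (not the configuration from the course figure). Interface names, DLCI numbers and IP addresses are assumptions; the bandwidth of 25, the 110 percent allocation and EIGRP AS 200 come from the text.

```ios
! Hub router C: 256-kbps access link, ten point-to-point subinterfaces.
! Interface names, DLCIs and addresses are constructed for illustration.
interface Serial0/0
 no ip address
 encapsulation frame-relay
!
interface Serial0/0.1 point-to-point
 ip address 192.0.2.1 255.255.255.252
 ! One-tenth of the 256-kbps link speed
 bandwidth 25
 ! Let EIGRP AS 200 use 110 percent of the configured bandwidth
 ip bandwidth-percent eigrp 200 110
 frame-relay interface-dlci 101
!
interface Serial0/0.2 point-to-point
 ip address 192.0.2.5 255.255.255.252
 bandwidth 25
 ip bandwidth-percent eigrp 200 110
 frame-relay interface-dlci 102
!
! Subinterfaces .3 through .10 repeat the same bandwidth and
! ip bandwidth-percent settings, one per remaining remote site.
!
! Spoke router G: the same values on its single circuit to the hub.
interface Serial0/0
 ip address 192.0.2.2 255.255.255.252
 encapsulation frame-relay
 bandwidth 25
 ip bandwidth-percent eigrp 200 110
```

With these values EIGRP paces itself to about 28 kbps on each circuit (110 percent of 25 kbps), which is the figure the text gives.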

2.4.10 Configuring EIGRP in a Hybrid Multipoint Topology

The figure presents an example of a hybrid solution. There is only one lower speed circuit; the other circuits are all provisioned to the same CIR.

The preferred configuration on router C shows the low-speed circuit configured as point-to-point, with the bandwidth set to the CIR value. The remaining circuits are designated as a multipoint subinterface, and their CIRs are added together to set the bandwidth for the subinterface.

In multipoint interfaces, the bandwidth is shared equally among all circuits. In this case, the bandwidth is set to 768 kbps, which is the sum of the three CIRs (3 * 256 = 768). Each link is allocated one-third of this bandwidth, resulting in 256 kbps each.
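The hybrid layout described above as an added configuration sketch for router C (not the configuration from the course figure). Interface names, DLCIs and addresses are assumptions, and the 56-kbps CIR of the low-speed circuit is an assumed value because the text does not state it; the multipoint bandwidth of 768 comes from the text.

```ios
! Router C, hybrid design. Names, DLCIs and addresses are constructed.
interface Serial0/0
 no ip address
 encapsulation frame-relay
!
! Three 256-kbps circuits share one multipoint subinterface.
! EIGRP divides the configured bandwidth equally among the neighbors,
! so 768 kbps gives each circuit 256 kbps.
interface Serial0/0.1 multipoint
 ip address 198.51.100.1 255.255.255.248
 bandwidth 768
 frame-relay interface-dlci 101
 frame-relay interface-dlci 102
 frame-relay interface-dlci 103
!
! The single low-speed circuit gets its own point-to-point subinterface
! so that its bandwidth can match its provisioned CIR.
! 56 is an assumed CIR; use the value provisioned for that circuit.
interface Serial0/0.2 point-to-point
 ip address 192.0.2.1 255.255.255.252
 bandwidth 56
 frame-relay interface-dlci 104
```

Placing the low-speed circuit on the multipoint subinterface instead would force the bandwidth down to the minimum CIR multiplied by the number of circuits, as the earlier multipoint guidance explains.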

2.5 Configuring EIGRP Authentication
2.5.1 EIGRP Router Authentication

You can prevent your router from receiving fraudulent route updates by configuring neighbor router authentication. By default, no authentication is used for routing protocol packets. When neighbor router authentication (also called neighbor authentication or route authentication) has been configured, the router authenticates the source of each routing update packet that it receives, which is done by exchanging an authentication key or password that is known to both the sending and receiving routers.

There are two types of authentication:
- Simple password authentication is supported by Intermediate System-to-Intermediate System (IS-IS), OSPF, and RIPv2.
- MD5 authentication is supported by RIPv2, OSPF, Border Gateway Protocol (BGP), and EIGRP.

Simple password authentication sends an authenticating key over the wire. A key is configured on a router, and each participating neighbor router must be configured with the same key.

MD5 sends a message digest instead. The key itself is not sent, preventing it from being read while it is being transmitted. MD5 authentication is a cryptographic authentication. A key and key ID are configured on each router. The router uses an algorithm based on the routing protocol packet, the key, and the key ID to generate a message digest (also called a hash) that is appended to the packet.

Note: MD5 authentication is a recommended security practice. Simple password authentication is not recommended, because it is vulnerable to passive attacks. Anybody with a link analyzer could easily view the password. The primary use of simple password authentication is to avoid accidental changes to the routing infrastructure.

Note: As with all keys, passwords, and other security secrets, it is imperative that you closely guard authenticating keys used in neighbor authentication. Also, when performing router management tasks via Simple Network Management Protocol (SNMP), do not ignore the risk associated with sending keys using unencrypted SNMP.

2.5.2 MD5 Authentication

EIGRP can be configured to use MD5 authentication. The MD5 keyed digest in each EIGRP packet prevents the introduction of unauthorized or false routing messages from unapproved sources.

For MD5 authentication, a key ID and an authenticating key (sometimes referred to as a password) must be configured on both the sending and the receiving router. Each key ID has its own key, which is stored locally.

Key chains are used to manage keys. The combination of the key chain and the interface uniquely identifies the key ID and key in use. Also, each key ID within the key chain can specify a time interval for which that key is valid. Only one authentication packet is sent, regardless of how many valid keys exist. The software examines the key IDs from lowest to highest, and it uses the first valid key that it encounters.

Keys cannot be used during time periods for which they are not activated. Therefore, it is recommended that for a given key chain, key activation times overlap to avoid any period of time during which no key is activated. If no key is activated, neighbor authentication cannot occur, and routing updates fail.

The router needs to know the time to be able to rotate through keys in synchronization with the other participating routers so that all routers are using the same key at the same moment.
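A key chain with two keys whose lifetimes overlap, as recommended above, shown as an added configuration sketch (not the configuration from the course figures). The AS number 100, the chain name EIGRP-KEYS, the interface, the dates and the key-string placeholders are all assumptions.

```ios
! Constructed example: chain name, AS number, interface and dates are
! assumptions. Replace the key-string placeholders with real secrets and
! configure the same key IDs, strings and lifetimes on every neighbor.
key chain EIGRP-KEYS
 key 1
  key-string <KEY-1-SECRET>
  ! Key 1 is sent until 00:00 on Feb 1 and accepted for one more week.
  accept-lifetime 00:00:00 Jan 1 2025 00:00:00 Feb 8 2025
  send-lifetime 00:00:00 Jan 1 2025 00:00:00 Feb 1 2025
 key 2
  key-string <KEY-2-SECRET>
  ! Key 2 is accepted and sendable from Jan 25, a week before key 1
  ! stops being sent, so there is no period without an active key.
  accept-lifetime 00:00:00 Jan 25 2025 infinite
  send-lifetime 00:00:00 Jan 25 2025 infinite
!
interface Serial0/0/1
 ! Require an MD5 digest on EIGRP packets for AS 100 on this interface
 ip authentication mode eigrp 100 md5
 ! Take the key ID and key from the chain defined above
 ip authentication key-chain eigrp 100 EIGRP-KEYS
```

Because the lowest valid key ID is the one sent, key 1 stays in use during the overlap week and key 2 takes over when key 1's send-lifetime ends; show key chain lists which keys the router currently considers valid.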

2.5.3 Configuring MD5 Authentication

To configure MD5 authentication for EIGRP, complete the following steps:

Step 1 Enter configuration mode for the interface on which you want to enable authentication.
Step 2 Specify MD5 authentication for EIGRP packets using the ip authentication mode eigrp md5 command, as shown in the figure.
Step 3 Enable the authentication of EIGRP packets with a key specified in a key chain by using the ip authentication key-chain eigrp command, as shown in the figure.
Step 4 Enter the configuration mode for the key chain using the key chain command, as shown in the figure.
Step 5 Identify a key ID to use, and enter configuration mode for that key using the key command, as shown in the figure.
Step 6 Identify the key string (password) for this key using the key-string command, as shown in the figure.
Step 7