Sunday, February 5, 2012

EIGRP Authentication




ဒီ Topology ေလးမွာ EIGRP ကို MD5(message digest 5) နဲ႔ Authentication လုပ္ပံုကို Configure ခ်မွာပါ။။ဒါေပ မယ့္ဒီမွာကြ်န္ေတာ္ VLSM သေဘာတရားေလးနည္းနည္းထည့္ထားပါတယ္။ပံုမွာ 200.0.0.0/24 Network ကိ္ု VLSM နဲ႔ ခြဲျပီး 200.0.0.0/30 တစ္ခု၊200.0.0.4/30 တစ္ခု၊200.0.0.8/30 နဲ႔ 200.0.0.128/25 ဆိုျပီးခြဲထားပါတယ္။ဒီေနရာ မွာ /30(255.255.255.252) Network မ်ားက ေတာ့ loopback Address ေတြအတြက္ျဖစ္ျပီး /25 ကေတာ့ Routing အတြက္သံုးမွာပါ။ေနာင္လာမယ့္ IP Next Generation(IPv6) မွာေတာ့ Subnet Mask ေတြကို IPv4 မွာလို Numeral ေတြနဲ႔သံုးမွာမဟုတ္ေတာ့ပဲ slap(/) Notation နဲ႔ပဲသာလွ်င္အသံုးျပဳမွာပါ။ဒါေႀကာင့္ IPv6 ကိုမေလ့လာမီ IPv4 ရဲ့ VLSM နဲ႔ CIDR သေဘာကိုေသခ်ာသိေနရမွာပဲျဖစ္ပါတယ္။ေအာက္မွာကြ်န္ေတာ္ VLSM ကိုအေသးစိတ္ တြက္ပါမယ္။

    Network        Subnet Mask                   Binary Form                                        CIDR
 200.0.0.0      255.255.255.0        11111111.11111111.11111111.00000000              /24

အေပၚက Network ကိုေအာက္ပါအတုိင္းျပင္လုိက္ပါတယ္။ဒါဆိုရင္ Network နွစ္ခုျဖစ္သြားပါျပီ။တစ္ေနရာပဲေရြ႕ လိုက္တာပါ။သို႔ေသာ္လက္ေတြ႕မွာ Infrastructure ရဲ့လိုအပ္ခ်က္ေပၚမူတည္ျပီးႀကိဳက္သလိုေရြ႕နိုင္ပါတယ္။ဒီမွာ Topology ထဲကအတိုင္းခြဲလိုက္တာျဖစ္ပါတယ္။ရလာတဲ့ Network Range နွစ္ခုထဲက 200.0.0.128(/25) ကို Routing အတြက္သံုးမွာျဖစ္ျပီး၊ 200.0.0.0/25(255.255.255.128) ကို LoopBakck ေတြအတြက္ ထပ္ျပီးခြဲမွာပါ။ အေရာင္ေလးနဲ႔ Highlight လုပ္ထားတဲ့ (1)  ေတြကေတာ့ ေရြ႕ထားတဲ့ေကာင္ေတြပဲျဖစ္ပါတယ္။


  Network        Subnet Mask                      Binary Form                                          CIDR
 200.0.0.0       255.255.255.128        11111111.11111111.11111111.10000000            /25
 200.0.0.128    255.255.255.128        11111111.11111111.11111111.10000000            /25


အခုတစ္ခါ 200.0.0.0/25 ကိုယူျပီး (/30) ျဖစ္ေအာင္ခြဲပါမယ္။/30 ျဖစ္ဖို႔ဆိုရင္ /25 ကို 5-digit ေရြ႕ရမွာပါ။5-digit ကို hightlight လုပ္ထားပါတယ္။ဒါဆုိရင္ Network အေရတြက္က (2^5=32) ခုထြက္လာမွာျဖစ္ျပီး။ သုညအေရ တြက္ကေတာ့ Network တစ္ခုစီမွာရွိမယ့္ host ပမာဏပဲျဖစ္ပါတယ္။loopback အတြက္ရလာတဲ့ Network 32 ခု ထဲက ေအာက္မွာ (*) အမွတ္ျပထားတဲ့သံုးခုကိုပဲအသံုးျပဳမွာျဖစ္ျပီး က်န္တာေတြကိုေတာ့ Reserve အေနနဲ႔ခ်န္ ထားခဲ့ပါမယ္။CIDR ကိုအေသးစိတ္ေလ့လာခ်င္ေသးတယ္ဆိုရင္ေတာ့ ဒီမွာ ေလ့လာနိုင္ပါတယ္။


    Network         Subnet Mask                      Binary Form                                       CIDR
   200.0.0.0       255.255.255.128        11111111.11111111.11111111.10000000           /25

    Network         Subnet Mask                      Binary Form                                       CIDR
 * 200.0.0.0       255.255.255.252       11111111.11111111.11111111.11111100           /30
 * 200.0.0.4       255.255.255.252       11111111.11111111.11111111.11111100           /30
 * 200.0.0.8       255.255.255.252       11111111.11111111.11111111.11111100           /30
    200.0.0.12     255.255.255.252       11111111.11111111.11111111.11111100           /30
    200.0.0.16     255.255.255.252       11111111.11111111.11111111.11111100           /30
    200.0.0.20     255.255.255.252       11111111.11111111.11111111.11111100           /30
    200.0.0.24     255.255.255.252       11111111.11111111.11111111.11111100           /30
    200.0.0.28     255.255.255.252       11111111.11111111.11111111.11111100           /30
    200.0.0.32     255.255.255.252       11111111.11111111.11111111.11111100           /30
    200.0.0.36     255.255.255.252       11111111.11111111.11111111.11111100           /30
    200.0.0.40     255.255.255.252       11111111.11111111.11111111.11111100           /30
    |||||||||||||||||||||||||      |||||||||||||||||||||||||||||||||||||         |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||              ||||||||
    200.0.0.124     255.255.255.252      11111111.11111111.11111111.11111100           /30

အခု Topology မွာ EIGRP Authentication လုပ္ပံုကိုအဓိကေျပာခ်င္တာျဖစ္လို႔ Interface ေတြကို IP Set-up လုပ္တာေတြ၊Routing လုပ္တာေတြ စသည္တို႔ကိုထားခဲ့ပါမယ္။


အေပၚကပံုေလးမွာ EIGRP Routing ကို AS Number 10 နဲ႔ Configure ခ်ထားတဲ့ပံုျဖစ္ျပီး၊Routing Process အ သက္၀င္ေနျပီျဖစ္ပါတယ္။သို႔ေသာ္အခုခ်ိန္ထိ Authentication မလုပ္ရေသးပါ။Authenticate လုပ္ရတဲ့အဓိက အေႀကာင္းရင္းကေတာ့ Secure ျဖစ္ေအာင္လို႔ပါ။EIGRP မွာ Authenticate လုပ္မယ္ဆိုရင္သံုးခုလိုပါတယ္။
1.Key Chain
2.Key Number
3.Key String
တို႔ျဖစ္ပါတယ္။အထက္ပါလိုအပ္ခ်က္မ်ားကို Router ရဲ့ global configuration mode မွာသတ္မွတ္ေပးျပီး၊ သက္ ဆိုင္ရာ Interface ေတြေပၚမွာ Apply လုပ္ေပးရမွာျဖစ္ပါတယ္။ေအာက္မွာအေသးစိတ္ Configuration ခ်ပံုပါ။
Yaymon နဲ႔ Kaylar ဆိုတဲ့ Router နွစ္လံုးႀကားမွာရွိတဲ့ Link ကို Authenticate လုပ္ရန္အတြက္-

Yaymon(config)#key chain ChitThuLay                                        //Assign the key chain
Yaymon(config-keychain)#key 1                                                 //Assign the key number for key-chain
Yaymon(config-keychain-key)#key-string 12!@ilu                     //Assign the key string for key chain number

Yaymon(config)#interface serial 0/0                                                      //Entering to the Serial Interface 0/0  
Yaymon(config-if)#ip authentication mode eigrp 10 md5                       //Setting up the authentication mode
Yaymon(config-if)#ip authentication key-chain eigrp 10 ChitThuLay     //Applying key-chain to the interface

အထက္ပါအတိုင္း Apply လုပ္ျပီးခ်ိန္တြင္ Routing Process ဟာခဏတာ Down သြားမွာပါ၊ဘာလို႔လဲဆိုေတာ့တ ဖက္က Neighbor Interface မွာ Apply မလုပ္ရေသးလို႔ပါ။ေအာက္ေဖာ္ျပပါပံုေလးအတုိင္းျဖစ္ပါတယ္။




Kaylar(config)#key chain ChitThuLay                                        //Assign the key chain
Kaylar(config-keychain)#key 1                                                 //Assign the key number for key-chain
Kaylar(config-keychain-key)#key-string 12!@ilu                     //Assign the key string for key chain number

Kaylar(config)#interface serial 1/0                                                      //Entering to the Serial Interface 1/0  
Kaylar(config-if)#ip authentication mode eigrp 10 md5                       //Setting up the authentication mode
Kaylar(config-if)#ip authentication key-chain eigrp 10 ChitThuLay     //Applying key-chain to the interface

အထက္ပါအတုိင္း Apply လုပ္ျပီးေနာက္မွာ Yaymon နဲ႔ Kaylar ႀကားမွာ Routing Process ကတစ္ဖန္ျပန္ျပီးအ သက္၀င္လာမွာပါ။သို႔ေသာ္ MD5 နဲ႔ Authenticate လုပ္ထားတဲ့ Secure Connection ျဖစ္ေနပါျပီ။ေအာက္ပါပံု ကိုႀကည့္နုိင္ပါတယ္။


အျခား Suse နဲ႔ Kaylar ႀကား Link ကိုလည္း Topology ပံုထဲကအတုိင္း အထက္မွာ Configure ခ်သလိုမ်ိဳးျပဳ လုပ္ေပးရပါမယ္။Key Chain,Key Number,Key-String ေတြပဲကြာမွာပါ။က်န္တာကေတာ့အတူတူပါပဲ။အား လံုးျပီးသြားရင္း Routing Process ကို Vertify လုပ္ရပါမယ္။EIGRP က Table သံုးမ်ိဳးနဲ႔အလုပ္လုပ္ပါတယ္။
 1.Neighbor Table
 2.Topology Table
 3.Routing Table    တို႔ျဖစ္ပါတယ္။
အဲ့အထဲမွာမွ Neighbor Table ရဲ့အလုပ္လုပ္ပံုကို Cisco Official စာအုပ္ထဲကအတိုင္းေဖာ္ျပေပးလိုက္ပါတယ္။


H       -    indicate the order in which the neighbor was discovered
Hold   -   the hold time how long this router will wait for a Hello Packet to arrive from a specific neighbor
Uptime - indicate how long the neighborship has been established
SRTT  - An indication of the time it take for a round-trip from this router to its neighbor and back and It's
             called Smooth Round-trip Timer.It is used to determine how long to wait after a multicast for a
             reply from this neighbor.If a reply isn't received in time,the router will switch to using unicasts in an
             attempt to complete the communication.
RTO -   the amount of time EIGRP waits before retransmitting a packet from the retransmission queue to a
             neighbor and It's called Retransmission Time Out.
 Q -      Indicate whether there are any outstanding message in the Queue.Large Number in Queue indicate a
             certain problem.
Seq -    the sequence number of the last update from the neighbor.That's used to maintain synchronization 
            and avoid duplicate or out-of-sequence processing of message.

ေလးစားစြာျဖင့္
Win Tun Hlaing


Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)