Cisco
ELysenko, 2015-08-12 15:23:44

EIGRP, OSPF: can the network be brought down?

Enterprise 1 uses EIGRP, enterprise 2 uses OSPF. The question of joining the two networks came up. Up to a certain point, static routing was configured in both directions. We added a second physical link between the enterprises and accordingly decided to set up dynamic route distribution. There are no problems with the setup itself. The question is the following. The edge router in enterprise 2 has been chosen for the distribution. An EIGRP process must be configured on it, so the EIGRP domain of enterprise 1 is extended. The admins of enterprise 1 do not have access to the router of enterprise 2. Is it possible, intentionally or accidentally, to add settings to the EIGRP process on that border router that would bring down the network in enterprise 1? Both sides seem to be staffed by sensible people, but you never know, all the more so since enterprise 1 is essentially of strategic importance. Have you come across similar cases? In principle, as I see it, the worst that can happen is that announcements from the border router do not reach the other routers in the EIGRP domain. Is an intermediate EIGRP process that connects the two enterprises used in such cases? In that case, the OSPF domain and the EIGRP domain would each run on hardware within their respective enterprises.
Thanks.


2 answer(s)
JDima, 2015-08-12
@ELysenko

"Is it possible, intentionally or accidentally, to add settings to the EIGRP process on that border router that would bring down the network in enterprise 1?"

Easily.
No... The worst case is when enterprise 1 has a Critically Important Network at 10.0.0.0/24, enterprise 2 sends an announcement for 10.0.0.0/25 and immediately receives the traffic for up to half of the Critically Important Network. If the address spaces overlap, it is easy to cause something like this by mistake.
Solution: on the outermost EIGRP device available to enterprise 1, enter into a prefix-list the complete list of networks, with masks, that the EIGRP neighbor belonging to enterprise 2 may send. Bind this prefix-list to a distribute-list in the EIGRP process.
But that still doesn't protect against everything. A powerful query flood can cause problems. So why not bring up BGP between the two enterprises, so that each of them fully controls its own IGP while the exchange goes through a separate protocol? Of course, prefixes will need to be filtered at all junction points there as well.
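
The exact-match filtering described in the answer above, modelled as an added example that is not part of the original post and is not router configuration. Apart from 10.0.0.0/24 and 10.0.0.0/25, every prefix and name in it is a constructed assumption.

```python
import ipaddress

# Constructed sample data; only 10.0.0.0/24 and 10.0.0.0/25 come from the thread.
PROTECTED = ["10.0.0.0/24"]                              # enterprise 1's critical network
ALLOWED_FROM_E2 = ["172.16.10.0/24", "172.16.20.0/23"]   # prefixes agreed with enterprise 2
RECEIVED = ["172.16.10.0/24", "10.0.0.0/25", "172.16.20.0/24", "0.0.0.0/0"]


def _nets(items):
    return [ipaddress.ip_network(i) for i in items]


def classify(prefix, allowed, protected):
    """Return 'permit', 'deny-hijack' or 'deny' for one received prefix."""
    net = ipaddress.ip_network(prefix)
    # Network and mask must both match, like a prefix-list entry without ge/le.
    if net in _nets(allowed):
        return "permit"
    # An equal or more-specific route inside a protected network would win
    # longest-prefix match and pull that traffic toward the neighbor.
    if any(net.subnet_of(p) for p in _nets(protected)):
        return "deny-hijack"
    return "deny"  # implicit deny, as at the end of a prefix-list


def allowlist_conflicts(allowed, protected):
    """Allow-list entries that overlap enterprise 1's own address space."""
    return [str(a) for a in _nets(allowed)
            for p in _nets(protected) if a.overlaps(p)]


def filter_updates(received, allowed, protected):
    """Verdict for every received announcement, keyed by prefix."""
    return {r: classify(r, allowed, protected) for r in received}


if __name__ == "__main__":
    print("allow-list conflicts:", allowlist_conflicts(ALLOWED_FROM_E2, PROTECTED))
    for prefix, verdict in filter_updates(RECEIVED, ALLOWED_FROM_E2, PROTECTED).items():
        print(f"{prefix:18} {verdict}")
```

Running `allowlist_conflicts` before the list is deployed catches the overlapping-address-space mistake the answer mentions, since an overlapping entry would be permitted by the filter itself.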

throughtheether, 2015-08-18
@throughtheether

"Is it possible, intentionally or accidentally, to add settings to the EIGRP process on that border router that would bring down the network in enterprise 1?"
Yes, it is.
"Have you come across similar cases?"
We have: LSA flooding / spoofing (in the case of OSPF) by a novice "security guy" who started experimenting in the wrong console. Or else a banal (and not so terrible) routing loop on the border between the two domains.
"In principle, as I see it, the worst that can happen is that announcements from the border router do not reach the other routers in the EIGRP domain."
Or the router will go crazy (a firmware bug) and start sending incorrect routing protocol messages, leading to increased resource utilization and other negative consequences.
Conceptually, when the network is divided into domains of control and management, BGP is the best option. Or, if you have only two links between the control domains, you can try managed static routing (track on Cisco, equivalents on Juniper) and, with further network upgrades, switch decisively to BGP (including upgrading devices, etc.).
