Monday 27 October 2014

Find EIGRP Neighbour AS Number

Today we will see how we can find the EIGRP Neighbour AS number without looking at the config of the remote router.

In the topology, I have R1 which is directly connected to R2.

Let's assume that R1 is the third party router which is configured for EIGRP. R2 is in our control and we need to establish EIGRP neighbourship between them.

Both the routers have been configured with basic IP addresses as below



Now we will configure R1 with EIGRP AS 101 as below but will pretend that we don't know the actual AS number.


First let's verify the basic reachability between R2 and R1.


It's ok. Now we will create an ACL which will match the EIGRP traffic coming from R1. EIGRP packets will have the destination as 224.0.0.10. 


We are going to enable EIGRP on R2 with any random AS number. I have chosen 10 for now.


Now let's debug the traffic with "dump" keyword which is hidden in IOS. This will provide the hex dump of the packet.


Once the debug is on, we can see the following output


We will analyse the first part of the output which shows that the ip source is 2.2.2.2 and the destination is 224.0.0.10 which means that it is a locally generated packet in R2.


*Mar  1 00:40:13.287: IP: s=2.2.2.2 (local), d=224.0.0.10 (Loopback0), len 60, sending broad/multicast, proto=88
47A01610:                   45C0003C 00000000          E@.<....
47A01620: 0258D39C 02020202 E000000A 0205EEC2  .XS.....`.....nB
47A01630: 00000000 00000000 00000000 0000000A  ................
47A01640: 0001000C 01000100 0000000F 00040008  ................

In this Hex dump we need to find out a specific string "E000000A" which I have highlighted in blue. From there we need to count five blocks of hex strings which will take us to "0000000A". If we convert "0000000A" to decimal, it will give us the value "10" which is the AS number configured locally.

Now let's analyse the second part of the output with similar method.

*Mar  1 00:40:14.735: IP: s=10.1.12.1 (FastEthernet0/0), d=224.0.0.10, len 60, rcvd 2, proto=88
47A01100:                       0100 5E00000A            ..^...
47A01110: C4015760 00000800 45C0003C 00000000  D.W`....E@.<....
47A01120: 0158C29E 0A010C01 E000000A 0205EE67  .XB.....`.....ng
47A01130: 00000000 00000000 00000000 00000065  ...............e
47A01140: 0001000C 01000100 0000000F 00040008  ................
47A01150: 0C040102                             ....

The source is 10.1.12.1 which means that it's originated from R1. We need to find the string "E000000A" and then count five block of hex strings from there which takes us to "00000065". If we convert the hex value "00000065" to decimal, we get the value "101" which is R1's EIGRP AS number.

So now we know that the EIGRP AS number configured on R1 is 101. Let's change the config on R2 to match that.


We can see that the neighbourship came up.


Posted by at
Labels: ,

2 comments:

  1. Taral Parekh30 October 2014 at 17:35

    thanks Jigarbhai, will E000000A string stay same everywhere, so that we can count 5 blocks and identify 5th one?

    ReplyDelete
  2. Anonymous30 October 2014 at 19:49

    Yes, It will.

    ReplyDelete

Subscribe to: Post Comments (Atom)