Solved: RIP Authentication in Frame Relay Multipoint environment

limtohsoon · ‎03-26-2007

Hi Sir,

I have this scenario: Routers R2, R5, and R6 belong to the same subnet in a multipoint frame-relay connectivity. R2 (150.50.100.2) is the hub, with a PVC to R5 (150.50.100.5) and a PVC to R6 (150.50.100.6). RIPv2 is enabled on all routers.

I require:

- Updates between R2 and R5 will have text password "R2toR5".

- Updates between R2 and R6 will have text password "R2toR6".

Following is config of R2 and R6.

R2 Config

---------

!

key chain R2R5R6

key 1

key-string R2toR5

key 2

key-string R2toR6

!

interface Serial0/0.256 multipoint

description *** Connection to R5 & R6 ***

ip address 150.50.100.2 255.255.255.224

ip rip authentication key-chain R2R5R6

frame-relay map ip 150.50.100.5 105 broadcast

frame-relay map ip 150.50.100.6 106 broadcast

!

R6 Config

---------

!

key chain R2R5R6

key 2

key-string R2toR6

!

interface Serial2/0

description *** Connection to Frame Relay ***

ip address 150.50.100.6 255.255.255.224

ip rip authentication key-chain R2R5R6

encapsulation frame-relay

frame-relay map ip 150.50.100.2 601 broadcast

no frame-relay inverse-arp

!

R2 logs the following message, indicating a valid authentication from R6:

5d19h: RIP: received packet with text authentication R2toR6

5d19h: RIP: received v2 update from 150.50.100.6 on Serial0/0.256

However, R6 logs the following message, indicating an invalid authentication from R2 because R2 uses the string "R2toR5" instead of "R2toR6":

5d20h: RIP: received packet with text authentication R2toR5

5d20h: RIP: ignored v2 packet from 150.50.100.2 (invalid authentication)

Cisco technote says:

"You can configure multiple keys with lifetimes. Only one authentication packet is sent, regardless of how many valid keys exist. The software examines the key numbers in order from lowest to highest, and uses the first valid key it encounters."

That is why R2 uses the text password "R2toR5" in its updates to R6. Is there any workaround to make R2 use the string "R2toR6" when sending RIP updates to R6?

Please help.

Thank you.

B.Rgds,

Lim TS

owaisberg · ‎03-27-2007

No problem Lim.

I wish you success on your lab!

Please rate my reply if you can.

Thanks again,

OW

View solution in original post

owaisberg · ‎03-27-2007

Lim,

Your observation is correct, however only one key can be used at a time on one interface regardless of the number of keys

you configured. The closest workaround you can get to be able to use different keys

from the same hub to the spokes is if you

use subinterfaces or running GRE tunnels.

The main purpose of having multiple keys

is an ability to rotate them automatically

to make more secure connection or to use

it for migration from one key to another

by presenting the second set of keys on each router and then take off the first one.

HTH,

OW

limtohsoon · ‎03-27-2007

Hi OW,

Thanks for your clear explanation.

I'm a CCIE candidate preparing for my lab exam. This is a scenario from a lab workbook that I'm working on. The config I posted is recommended in their proctor guide.

Personnally, I too think that it can't be done using that straightforward method. I enjoy the process of preparing for the lab exam; it makes me practise, think, research, and practise again. It requires a lot of commitment. I respect you being a CCIE :-)