03-26-2007 05:10 AM - edited 03-03-2019 04:18 PM
Hi Sir,
I have this scenario: Routers R2, R5, and R6 belong to the same subnet over a multipoint frame-relay connection. R2 (150.50.100.2) is the hub, with a PVC to R5 (150.50.100.5) and a PVC to R6 (150.50.100.6). RIPv2 is enabled on all routers.
I require:
- Updates between R2 and R5 will have text password "R2toR5".
- Updates between R2 and R6 will have text password "R2toR6".
Following is config of R2 and R6.
R2 Config
---------
!
key chain R2R5R6
key 1
key-string R2toR5
key 2
key-string R2toR6
!
interface Serial0/0.256 multipoint
description *** Connection to R5 & R6 ***
ip address 150.50.100.2 255.255.255.224
ip rip authentication key-chain R2R5R6
frame-relay map ip 150.50.100.5 105 broadcast
frame-relay map ip 150.50.100.6 106 broadcast
!
R6 Config
---------
!
key chain R2R5R6
key 2
key-string R2toR6
!
interface Serial2/0
description *** Connection to Frame Relay ***
ip address 150.50.100.6 255.255.255.224
ip rip authentication key-chain R2R5R6
encapsulation frame-relay
frame-relay map ip 150.50.100.2 601 broadcast
no frame-relay inverse-arp
!
R2 logs the following message, indicating a valid authentication from R6:
5d19h: RIP: received packet with text authentication R2toR6
5d19h: RIP: received v2 update from 150.50.100.6 on Serial0/0.256
However, R6 logs the following message, indicating an invalid authentication from R2 because R2 uses the string "R2toR5" instead of "R2toR6":
5d20h: RIP: received packet with text authentication R2toR5
5d20h: RIP: ignored v2 packet from 150.50.100.2 (invalid authentication)
The Cisco technote says:
"You can configure multiple keys with lifetimes. Only one authentication packet is sent, regardless of how many valid keys exist. The software examines the key numbers in order from lowest to highest, and uses the first valid key it encounters."
That is why R2 uses the text password "R2toR5" in its updates to R6. Is there any workaround to make R2 use the string "R2toR6" when sending RIP updates to R6?
Please help.
Thank you.
B.Rgds,
Lim TS
03-27-2007 09:24 PM
Lim,
Your observation is correct; however, only one key can be used at a time on one interface, regardless of the number of keys you configured. The closest workaround you can get to be able to use different keys from the same hub to the spokes is to use subinterfaces or to run GRE tunnels.

The main purpose of having multiple keys is the ability to rotate them automatically to make the connection more secure, or to use them for migration from one key to another by presenting the second set of keys on each router and then taking off the first one.
HTH,
OW
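A worked version of the subinterface workaround, added here as an example; it is not part of the thread or of the workbook's proctor guide. R2's multipoint subinterface is replaced by one point-to-point subinterface per spoke, each bound to its own key chain, and R6's side is shown (R5 is configured the same way with the R2R5 chain). The subinterface numbers, the /30 addressing (150.50.25.0/30 towards R5, 150.50.26.0/30 towards R6) and the key lifetimes are assumptions; the DLCIs 105, 106 and 601 are the ones from the original configs. The example also switches from text to md5 mode, because R6's own log line in the question ("received packet with text authentication R2toR5") shows that text mode carries the key-string on the wire in the clear and so disclosed the R5 key to R6. The R2R6 chain additionally shows the rotation use of multiple keys that the answer describes, driven by the "lowest valid key is sent" rule quoted from the technote.

```cisco
! ===== R2 (hub): one point-to-point subinterface per spoke =====
! Physical interface carries the encapsulation only (assumed; not shown in the original).
interface Serial0/0
 no ip address
 encapsulation frame-relay
 no frame-relay inverse-arp
!
! Chain for the R5 link: a single key, no lifetimes, so it never expires.
key chain R2R5
 key 1
  key-string R2toR5
!
! Chain for the R6 link, with a rotation from key 1 to key 2 (dates assumed).
! Because IOS sends the lowest-numbered key whose send-lifetime is valid,
! R2 keeps sending key 1 until 30 Apr 2007 and then sends key 2; both ends
! accept both keys during the April overlap, so the update flow never breaks.
! With md5 the key number is carried in the packet and used by the receiver
! to look up the key, so keep the numbers identical on both ends.
key chain R2R6
 key 1
  key-string R2toR6
  accept-lifetime 00:00:00 Jan 1 2007 23:59:59 May 31 2007
  send-lifetime 00:00:00 Jan 1 2007 23:59:59 Apr 30 2007
 key 2
  key-string R2toR6-new
  accept-lifetime 00:00:00 Apr 1 2007 infinite
  send-lifetime 00:00:00 Apr 1 2007 infinite
!
interface Serial0/0.25 point-to-point
 description *** Connection to R5 ***
 ip address 150.50.25.1 255.255.255.252
 ip rip authentication mode md5
 ip rip authentication key-chain R2R5
 frame-relay interface-dlci 105
!
interface Serial0/0.26 point-to-point
 description *** Connection to R6 ***
 ip address 150.50.26.1 255.255.255.252
 ip rip authentication mode md5
 ip rip authentication key-chain R2R6
 frame-relay interface-dlci 106
!
! ===== R6 (spoke): only the chain it shares with R2, same key numbers =====
key chain R2R6
 key 1
  key-string R2toR6
  accept-lifetime 00:00:00 Jan 1 2007 23:59:59 May 31 2007
  send-lifetime 00:00:00 Jan 1 2007 23:59:59 Apr 30 2007
 key 2
  key-string R2toR6-new
  accept-lifetime 00:00:00 Apr 1 2007 infinite
  send-lifetime 00:00:00 Apr 1 2007 infinite
!
interface Serial2/0
 description *** Connection to Frame Relay ***
 ip address 150.50.26.2 255.255.255.252
 encapsulation frame-relay
 ip rip authentication mode md5
 ip rip authentication key-chain R2R6
 frame-relay map ip 150.50.26.1 601 broadcast
 no frame-relay inverse-arp
```

Lifetimes only work if the routers agree on the time, so set the clock or run NTP before relying on the rotation dates; `show key chain` shows which key is currently active for sending and accepting, and `debug ip rip` (the source of the logs in the question) confirms that each spoke now sees only its own key. Note that this workaround changes the addressing: point-to-point subinterfaces cannot share the original 150.50.100.0/27, which is why the answer calls it the closest workaround rather than a direct solution. The GRE alternative is built the same way, one tunnel per spoke with the key chain applied to each tunnel interface.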
03-27-2007 10:27 PM
Hi OW,
Thanks for your clear explanation.
I'm a CCIE candidate preparing for my lab exam. This is a scenario from a lab workbook that I'm working on. The config I posted is recommended in their proctor guide.
Personally, I too think that it can't be done using that straightforward method. I enjoy the process of preparing for the lab exam; it makes me practise, think, research, and practise again. It requires a lot of commitment. I respect you for being a CCIE :-)
Thank you.
B.Rgds,
Lim TS
03-27-2007 11:22 PM
No problem Lim.
I wish you success on your lab!
Please rate my reply if you can.
Thanks again,
OW