Hi everybody.
Let's say I configured a key chain as follows:
1) Will the keys be used in the order they were configured, or will the keys be used in ascending order, i.e. key 1, 2, 3, 4 and 5?
Let's say we have two routers which are connected by s0 as shown below:
Both routers are using EIGRP and MD5 authentication.
2) Can both routers successfully use MD5 considering R1 is using key 1 and R2 is using key 2, though both have the same string?
Let's say we have a key chain as shown below:
accept-lifetime 08:15:00 aug 27 2009
send-lifetime 08:16:00 aug 27 2009
accept-lifetime 08:17:00 aug 27 2009
send-lifetime 08:18:00 aug 27 2009
3) My question is, when will the router start using key 2? Will the router start using key 2 when both lifetimes for key 1, i.e. send-lifetime and accept-lifetime, have expired?
4) Is it possible the router can start using key 2 even if one of the times, say the send-lifetime, has expired but the accept-lifetime has not for key 1?
Thanks and have a good weekend.
1.) The keys will be searched in ascending order, i.e. from 1 to 5. The first valid key will be used for transmission. For receiving, the key number that was used by the sender of the received packet is included in the packet; therefore, when an authenticated packet is received, the key number inside that packet indicates which key should be used to verify the authentication.
Quoting from the EIGRP Configuration Guide:
You can configure multiple keys with lifetimes. Only one authentication packet is sent, regardless of how many valid keys exist. The software examines the key numbers in order from lowest to highest, and uses the first valid key it encounters.
2.) No. Both the key numbers and the key strings must match.
3.) Following from the quotation above, the router will start using key 2 for transmitting packets only when key 1 becomes invalid for transmitting. There is no confusion about identifying the correct key to use when receiving packets, because a received packet contains the key number to use when verifying its authentication.
4.) Yes, it is: the accept-lifetime of key 1 can be infinite. However, when its send-lifetime expires, the router will no longer consider that key usable for authenticating transmitted packets and will search in ascending order for a new usable key.
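The selection rules given in this answer (lowest-numbered key whose send-lifetime is valid for transmission, key number carried in the packet for reception, accept-lifetime checked only on the receiver, and key number plus key string both required to match) can be worked through in a small simulation. The following Python is an added example written for this thread, not code from the original post or from Cisco; it models a key chain as a list of keys with (start, end) lifetimes and uses a simplified keyed MD5 digest, which is not the EIGRP wire format. The key strings, the end of key 1's send-lifetime (08:18) and the "infinite" ends are assumptions chosen to match the lifetimes in the question.

```python
import hashlib
import hmac
from datetime import datetime

INFINITE = None  # open-ended lifetime, like "infinite" in an IOS key chain


class Key:
    """One entry of a key chain: key number, key string, and
    (start, end) send-lifetime / accept-lifetime windows."""

    def __init__(self, key_id, key_string, send_lifetime, accept_lifetime):
        self.key_id = key_id
        self.key_string = key_string.encode()
        self.send_lifetime = send_lifetime      # (start, end); end may be INFINITE
        self.accept_lifetime = accept_lifetime  # (start, end); end may be INFINITE


def in_lifetime(lifetime, now):
    start, end = lifetime
    return start <= now and (end is INFINITE or now < end)


def select_send_key(chain, now):
    """Lowest-numbered key whose send-lifetime is valid at `now`, or None.
    This is the ascending search described in the configuration guide."""
    for key in sorted(chain, key=lambda k: k.key_id):
        if in_lifetime(key.send_lifetime, now):
            return key
    return None


def build_packet(chain, payload, now):
    """Authenticate `payload` with the current send key. Only the key
    number travels in the packet; the key string never does."""
    key = select_send_key(chain, now)
    if key is None:
        raise ValueError("no key in the chain is valid for sending at %s" % now)
    # Simplified keyed digest (assumption): NOT the real EIGRP MD5 construction.
    digest = hashlib.md5(payload + key.key_string).hexdigest()
    return {"key_id": key.key_id, "payload": payload, "digest": digest}


def verify_packet(chain, packet, now):
    """Look up the key number carried in the packet on the receiver's chain;
    it must exist, be inside its accept-lifetime, and reproduce the digest."""
    key = next((k for k in chain if k.key_id == packet["key_id"]), None)
    if key is None or not in_lifetime(key.accept_lifetime, now):
        return False
    expected = hashlib.md5(packet["payload"] + key.key_string).hexdigest()
    return hmac.compare_digest(expected, packet["digest"])


def t(hhmm):
    """Helper: a clock time on Aug 27 2009, the date used in the question."""
    return datetime(2009, 8, 27, int(hhmm[:2]), int(hhmm[3:]))


# Constructed chain for R1, following the question's lifetimes:
#   key 1: send 08:16 to 08:18 (end assumed), accept from 08:15, infinite
#   key 2: send from 08:18, infinite; accept from 08:17, infinite
R1_CHAIN = [
    Key(1, "cisco123", (t("08:16"), t("08:18")), (t("08:15"), INFINITE)),
    Key(2, "cisco456", (t("08:18"), INFINITE), (t("08:17"), INFINITE)),
]

# Constructed chain for question 2: R2 has only key 2, but with the same
# string as R1's key 1. Key numbers differ, so R1's packets will not verify.
R2_CHAIN_MISMATCH = [
    Key(2, "cisco123", (t("08:00"), INFINITE), (t("08:00"), INFINITE)),
]


if __name__ == "__main__":
    # Before key 1's send-lifetime ends, key 1 is chosen; afterwards, key 2.
    print("send key at 08:17:", select_send_key(R1_CHAIN, t("08:17")).key_id)
    print("send key at 08:19:", select_send_key(R1_CHAIN, t("08:19")).key_id)

    # A packet sent with key 1 at 08:17 is still accepted at 08:19 because
    # key 1's accept-lifetime is infinite, even though its send-lifetime ended.
    pkt = build_packet(R1_CHAIN, b"eigrp-hello", t("08:17"))
    print("R1 verifies key-1 packet at 08:19:", verify_packet(R1_CHAIN, pkt, t("08:19")))
    print("R2 (key 2 only) verifies it:", verify_packet(R2_CHAIN_MISMATCH, pkt, t("08:19")))
```

Running the block prints key 1 as the send key at 08:17 and key 2 at 08:19, shows that a key-1 packet still verifies on R1 at 08:19 (send-lifetime expired, accept-lifetime still open), and shows that R2, which has the same string under key number 2, rejects it because the key number in the packet has no match on its chain.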