EIGRP authentication

spatariu_cezar
Level 1

Hello,

I plan to implement EIGRP authentication. Does someone know how to change the key without breaking the EIGRP neighbourship relations?

10x

Cezar

Accepted Solutions

Hello.

The "10x" at the end of your message confuses me a bit but I believe MD5 is only supported in 11.3 and up? So I am assuming you are running something above 10.x. If this is wrong ignore me, it was fun setting it up anyways :-)

I was able to get this working by adding a second key to the Key Chain with both accept and send lifetimes set to infinite.

Example:

====================
key chain eigrpChain
 key 1
  key-string cisco
 key 2 <----- new key.
  key-string password
=======================

Once both routers are set up this way I set the send lifetime on the original key, key 1 in this case, to start sending the key some time in the past and stop sending the key a few minutes after the command was entered.

Example:

=======================
6r3#show clock
10:27:08.097 UTC Thu Feb 26 2004

6r3(config)#key chain eigrpChain
6r3(config-keychain)#key 1
6r3(config-keychain-key)#send-lifetime 10:10:00 Feb 26 2004 10:29:00 26 feb 2004

6r3#show key chain
Key-chain eigrpChain:
    key 1 -- text "cisco"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (10:10:00 Feb 26 2004) - (10:29:00 Feb 26 2004)
    key 2 -- text "password"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
==========================

Once the old key is not being sent anymore I delete it.

==========================
6r3#show key chain
Key-chain eigrpChain:
    key 2 -- text "password"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
===========================

All done without affecting the neighborship.

================
6r3#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address          Interface   Hold  Uptime    SRTT   RTO   Q    Seq  Type
                                 (sec)           (ms)         Cnt  Num
0   192.168.1.1      Se0           14  00:30:28  1303   5000  0    19
==================

The clock being correct is obviously a requirement here.

-Rob
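
Added example (not part of the original thread and not Cisco code): a small Python model of the key rollover described in the accepted solution, checking whether hellos authenticate in both directions at each step. It assumes the sender uses the lowest-numbered key whose send lifetime is valid and the receiver requires a matching key ID and string within its accept lifetime; all function names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

ALWAYS = (datetime.min, datetime.max)  # "always valid" lifetime

@dataclass
class Key:
    key_id: int
    string: str
    send: tuple = ALWAYS    # (start, end) send lifetime
    accept: tuple = ALWAYS  # (start, end) accept lifetime

def valid(window, now):
    return window[0] <= now <= window[1]

def send_key(chain, now):
    # Assumption: the sender uses the lowest-numbered key valid for sending.
    live = sorted((k for k in chain if valid(k.send, now)), key=lambda k: k.key_id)
    return live[0] if live else None

def accepts(chain, pkt, now):
    # Assumption: the receiver needs the same key ID and string, valid for accept.
    return pkt is not None and any(
        k.key_id == pkt.key_id and k.string == pkt.string and valid(k.accept, now)
        for k in chain)

def first_auth_failure(a, b, start, end, skew_b=timedelta(0)):
    """Step through hello times; return the first instant either direction fails."""
    t = start
    while t <= end:
        tb = t + skew_b  # router B's local clock
        if not (accepts(b, send_key(a, t), tb) and accepts(a, send_key(b, tb), t)):
            return t
        t += timedelta(seconds=5)
    return None

def at(hour, minute):
    return datetime(2004, 2, 26, hour, minute)

def chain(keep_old=True):
    # Constructed from the key chain shown in the post above.
    old = Key(1, "cisco", send=(at(10, 10), at(10, 29)))
    new = Key(2, "password")
    return [old, new] if keep_old else [new]

if __name__ == "__main__":
    slow = timedelta(minutes=-10)  # router B's clock runs ten minutes behind
    print(first_auth_failure(chain(), chain(), at(10, 27), at(10, 45)))
    print(first_auth_failure(chain(), chain(), at(10, 27), at(10, 45), slow))
    print(first_auth_failure(chain(False), chain(), at(10, 30), at(10, 45), slow))
```

The first two cases report no failure because both keys keep an always-valid accept lifetime. The third fails at 10:30: router B's slow clock keeps it sending key 1 after router A has already deleted it, which is where the clock requirement matters.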


ruwhite
Level 7

I just tried this in the lab, and there's no way that I can find to do it. I just filed CSCed82526 to create a new configuration command that would allow you to change the MD5 key without resetting the neighbor relationship. The neighbor relationship would still reset after missing three hellos, but this would give you dead time to get both sides of a neighbor relationship configured (which would still be difficult on a broadcast segment with a lot of routers, but it would be better than today).

:-)

Russ.W

Rob,

Thank you for the solution. Nice way to do it. By the way, 10x is the short version for "Thanks". Old habit from IRC.

Thanks

Cezar
