02-27-2004 04:19 AM - edited 03-02-2019 01:53 PM
Hello,
I plan to implement EIGRP authentication. Does someone know how to change the key without breaking the EIGRP neighbourship relations?
10x
Cezar
02-28-2004 08:03 AM
Hello.
The "10x" at the end of your message confuses me a bit, but I believe MD5 is only supported in 11.3 and up? So I am assuming you are running something above 10.x. If this is wrong, ignore me; it was fun setting it up anyways :-)
I was able to get this working by adding a second key to the Key Chain with both accept and send lifetimes set to infinite.
Example:
====================
key chain eigrpChain
 key 1
  key-string cisco
 key 2 <----- new key.
  key-string password
=======================
Once both routers are set up this way I set the send lifetime on the original key, key 1 in this case, to start sending the key some time in the past and stop sending the key a few minutes after the command was entered.
Example:
=======================
6r3#show clock
10:27:08.097 UTC Thu Feb 26 2004
6r3(config)#key chain eigrpChain
6r3(config-keychain)#key 1
6r3(config-keychain-key)#send-lifetime 10:10:00 Feb 26 2004 10:29:00 26 feb 2004
6r3#show key chain
Key-chain eigrpChain:
    key 1 -- text "cisco"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (10:10:00 Feb 26 2004) - (10:29:00 Feb 26 2004)
    key 2 -- text "password"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
==========================
Once the old key is not being sent anymore I delete it.
==========================
6r3#show key chain
Key-chain eigrpChain:
    key 2 -- text "password"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
===========================
All done without affecting the neighborship.
================
6r3#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address         Interface   Hold  Uptime    SRTT   RTO   Q    Seq  Type
                                (sec)           (ms)         Cnt  Num
0   192.168.1.1     Se0         14    00:30:28  1303   5000  0    19
==================
The clock being correct is obviously a requirement here.
-Rob
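The rollover in the post above depends on checking `show key chain` before deleting the old key. The following is an added example, not part of the original post or any Cisco tool: it parses output in the format shown in the post and reports whether the old key can be removed at a given router clock time. The function names are hypothetical, and it assumes the router sends with the lowest-numbered key whose send lifetime is valid; run it against each neighbor's output.

```python
import re
from datetime import datetime

# Constructed sample: the "show key chain" output from the post, mid-rollover.
SAMPLE = """\
Key-chain eigrpChain:
    key 1 -- text "cisco"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (10:10:00 Feb 26 2004) - (10:29:00 Feb 26 2004)
    key 2 -- text "password"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
"""

LIFETIME = re.compile(r"(accept|send) lifetime \((.+?)\) - \((.+?)\)")

def _bound(text, default):
    # "always valid" means the window is unbounded on that side
    if text == "always valid":
        return default
    return datetime.strptime(text, "%H:%M:%S %b %d %Y")

def parse_key_chain(output):
    """Return {key_id: {"accept": (start, end), "send": (start, end)}}."""
    keys, current = {}, None
    for line in output.splitlines():
        m = re.match(r"\s*key (\d+) -- text", line)
        if m:
            current = keys.setdefault(int(m.group(1)), {})
            continue
        m = LIFETIME.search(line)
        if m and current is not None:
            current[m.group(1)] = (_bound(m.group(2), datetime.min),
                                   _bound(m.group(3), datetime.max))
    return keys

def active(keys, kind, now):
    # Key IDs whose accept or send window contains the router clock time
    return sorted(k for k, v in keys.items() if v[kind][0] <= now <= v[kind][1])

def safe_to_delete(keys, old_id, now):
    """True once old_id is no longer sent and another key is sent and accepted."""
    sending = active(keys, "send", now)
    if old_id in sending or not sending:
        return False
    # Assumption: the lowest-numbered valid send key is the one in use.
    return sending[0] in active(keys, "accept", now)
```

With the sample above, key 1 is still being sent at the 10:27:08 clock reading in the post and becomes removable only after its send lifetime ends at 10:29:00.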
02-27-2004 05:30 AM
I just tried this in the lab, and there's no way that I can find to do it. I just filed CSCed82526 to create a new configuration command that would allow you to change the MD5 key without resetting the neighbor relationship. The neighbor relationship would still reset after missing three hellos, but this would give you dead time to get both sides of a neighbor relationship configured (which would still be difficult on a broadcast segment with a lot of routers, but it would be better than today).
:-)
Russ.W
03-01-2004 03:23 AM
Rob,
Thank you for the solution. Nice way to do it. By the way, 10x is the short version for "Thanks". Old habit from IRC.
Thanks
Cezar