Thursday, 5 July 2012

EIGRP: Authentication using Key-Chain Rotation:

· EIGRP supports only MD5 authentication, so the mode must be set to md5:
  o # ip authentication key-chain eigrp <as> <key-chain>
  o # ip authentication mode eigrp <as> md5
· Both commands are configured under the interface.

Let me take a small topology to configure authentication in EIGRP:

R1------------------R2

R1#show clock
*15:33:09.227 UTC Thu Jul 5 2012
R1#
R2#show clock
*15:33:20.691 UTC Thu Jul 5 2012
R2#

· The local time on both routers is currently 3:33pm.
· So let me configure a key chain with two keys, key 1 and key 2.
· Key 1 is the key in use until 4pm.
· Key 2 takes over after 4pm.
· Key 1:
  o Accept lifetime runs until 4:10pm
  o Send lifetime runs until 4:05pm
· Key 2:
  o Accept lifetime starts at 4pm
  o Send lifetime starts at 4pm
· This gives me 5 minutes of overlap between the keys.

R1(config-if)#do show run
key chain KEYS
 key 1
   key-string cisco1
   accept-lifetime 11:00:00 Jul 5 2012 16:10:00 Jul 5 2012
   send-lifetime 00:00:00 Jul 5 2012 16:05:00 Jul 5 2012
 key 2
   key-string cisco2
   accept-lifetime 16:00:00 Jul 5 2012 infinite
   send-lifetime 16:00:00 Jul 5 2012 infinite
!
R1(config-if)#do show run int ser1/0
Building configuration...

Current configuration : 170 bytes
!
interface Serial1/0
 ip address 100.1.12.1 255.255.255.0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 KEYS
 serial restart-delay 0
end

R1(config-if)#
*Jul  5 15:41:55.591: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 100.1.12.2 (Serial1/0) is up: new adjacency

R2#show run
key chain KEYS
 key 1
   key-string cisco1
   accept-lifetime 11:00:00 Jul 5 2012 16:10:00 Jul 5 2012
   send-lifetime 00:00:00 Jul 5 2012 16:05:00 Jul 5 2012
 key 2
   key-string cisco2
   accept-lifetime 16:00:00 Jul 5 2012 infinite
   send-lifetime 16:00:00 Jul 5 2012 infinite
!
R2#show run int ser1/0
Building configuration...

Current configuration : 170 bytes
!
interface Serial1/0
 ip address 100.1.12.2 255.255.255.0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 KEYS
 serial restart-delay 0
end

R2#

R1#show clock
*15:44:15.615 UTC Thu Jul 5 2012
R1#

R1#show key chain KEYS
Key-chain KEYS:
    key 1 -- text "cisco1"
        accept lifetime (11:00:00 UTC Jul 5 2012) - (16:10:00 UTC Jul 5 2012) [valid now]
        send lifetime (00:00:00 UTC Jul 5 2012) - (16:05:00 UTC Jul 5 2012) [valid now]
    key 2 -- text "cisco2"
        accept lifetime (16:00:00 UTC Jul 5 2012) - (infinite)
        send lifetime (16:00:00 UTC Jul 5 2012) - (infinite)
R1#

R2#show clock
*15:44:28.719 UTC Thu Jul 5 2012
R2#

R2#show key chain KEYS
Key-chain KEYS:
    key 1 -- text "cisco1"
        accept lifetime (11:00:00 UTC Jul 5 2012) - (16:10:00 UTC Jul 5 2012) [valid now]
        send lifetime (00:00:00 UTC Jul 5 2012) - (16:05:00 UTC Jul 5 2012) [valid now]
    key 2 -- text "cisco2"
        accept lifetime (16:00:00 UTC Jul 5 2012) - (infinite)
        send lifetime (16:00:00 UTC Jul 5 2012) - (infinite)
R2#

R1#show ip eigrp neighbors
IP-EIGRP neighbors for process 100
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   100.1.12.2              Se1/0             10 00:04:45   86   516  0  43
R1#

R2#show ip eigrp neighbors
IP-EIGRP neighbors for process 100
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   100.1.12.1              Se1/0             12 00:05:01   65   390  0  27
R2#

R1#debug eigrp packets hello
EIGRP Packets debugging is on
    (HELLO)
R1#
*Jul  5 15:52:13.911: EIGRP: Sending HELLO on Serial1/0
*Jul  5 15:52:13.911:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
R1#
*Jul  5 15:52:15.447: EIGRP: received packet with MD5 authentication, key id = 1
*Jul  5 15:52:15.451: EIGRP: Received HELLO on Serial1/0 nbr 100.1.12.2
*Jul  5 15:52:15.451:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
*Jul  5 15:52:15.671: EIGRP: Sending HELLO on Loopback0
*Jul  5 15:52:15.671:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Jul  5 15:52:15.675: EIGRP: Received HELLO on Loopback0 nbr 1.1.1.1
*Jul  5 15:52:15.679:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0
R1#

R2#debug eigrp packets hello
EIGRP Packets debugging is on
    (HELLO)
R2#
*Jul  5 15:52:15.411: EIGRP: received packet with MD5 authentication, key id = 1
*Jul  5 15:52:15.415: EIGRP: Received HELLO on Serial1/0 nbr 100.1.12.1
*Jul  5 15:52:15.415:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
R2#
*Jul  5 15:52:16.919: EIGRP: Sending HELLO on Serial1/0
*Jul  5 15:52:16.919:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
R2#
*Jul  5 15:52:20.323: EIGRP: received packet with MD5 authentication, key id = 1
*Jul  5 15:52:20.327: EIGRP: Received HELLO on Serial1/0 nbr 100.1.12.1
*Jul  5 15:52:20.327:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
R2#
*Jul  5 15:52:21.347: EIGRP: Sending HELLO on Serial1/0
*Jul  5 15:52:21.347:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
R2#u all

Observations:

· At this time (15:52) only key 1 is valid.
· Authentication succeeds; both routers send and receive key id 1.

R1#show key chain KEYS
Key-chain KEYS:
    key 1 -- text "cisco1"
        accept lifetime (11:00:00 UTC Jul 5 2012) - (16:10:00 UTC Jul 5 2012) [valid now]
        send lifetime (00:00:00 UTC Jul 5 2012) - (16:05:00 UTC Jul 5 2012) [valid now]
    key 2 -- text "cisco2"
        accept lifetime (16:00:00 UTC Jul 5 2012) - (infinite) [valid now]
        send lifetime (16:00:00 UTC Jul 5 2012) - (infinite) [valid now]
R1#

R2#
*Jul  5 16:01:43.275: EIGRP: received packet with MD5 authentication, key id = 1
*Jul  5 16:01:43.275: EIGRP: Received HELLO on Serial1/0 nbr 100.1.12.2
*Jul  5 16:01:54.339: EIGRP: received packet with MD5 authentication, key id = 1
*Jul  5 16:01:54.339: EIGRP: Received HELLO on Serial1/0 nbr 100.1.12.1
*Jul  5 16:01:54.339:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
*Jul  5 16:01:54.411: EIGRP: Sending HELLO on Serial1/0
*Jul  5 16:01:54.411:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
R2#u all
All possible debugging has been turned off
R2#
R2#show key chain KEYS
Key-chain KEYS:
    key 1 -- text "cisco1"
        accept lifetime (11:00:00 UTC Jul 5 2012) - (16:10:00 UTC Jul 5 2012) [valid now]
        send lifetime (00:00:00 UTC Jul 5 2012) - (16:05:00 UTC Jul 5 2012) [valid now]
    key 2 -- text "cisco2"
        accept lifetime (16:00:00 UTC Jul 5 2012) - (infinite) [valid now]
        send lifetime (16:00:00 UTC Jul 5 2012) - (infinite) [valid now]
R2#

Observations:

· The clock shows 4:01pm, so both keys are now valid.
· Key 1 is still the key being sent, since its send-lifetime runs until 4:05pm (when more than one key is valid for sending, IOS signs with the lowest-numbered one).

R1# debug eigrp packets hello
*Jul  5 16:04:54.603: EIGRP: received packet with MD5 authentication, key id = 1
*Jul  5 16:04:54.603: EIGRP: Received HELLO on Serial1/0 nbr 100.1.12.2
*Jul  5 16:04:54.607:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
R1#
*Jul  5 16:04:56.559: EIGRP: Sending HELLO on Serial1/0
*Jul  5 16:04:56.559:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Jul  5 16:04:57.103: EIGRP: Sending HELLO on Loopback0
*Jul  5 16:04:57.103:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Jul  5 16:04:57.107: EIGRP: Received HELLO on Loopback0 nbr 1.1.1.1
*Jul  5 16:04:57.107:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0
R1#
*Jul  5 16:04:59.075: EIGRP: received packet with MD5 authentication, key id = 2
*Jul  5 16:04:59.079: EIGRP: Received HELLO on Serial1/0 nbr 100.1.12.2
R2# debug eigrp packets hello
*Jul  5 16:05:02.687: EIGRP: received packet with MD5 authentication, key id = 2
*Jul  5 16:05:02.687: EIGRP: Received HELLO on Serial1/0 nbr 100.1.12.1
*Jul  5 16:05:02.687:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
R2#
*Jul  5 16:05:05.307: EIGRP: Sending HELLO on Serial1/0
*Jul  5 16:05:05.307:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
R2#
*Jul  5 16:05:06.999: EIGRP: received packet with MD5 authentication, key id = 2
*Jul  5 16:05:07.003: EIGRP: Received HELLO on Serial1/0 nbr 100.1.12.1

R1#show key chain KEYS
Key-chain KEYS:
    key 1 -- text "cisco1"
        accept lifetime (11:00:00 UTC Jul 5 2012) - (16:10:00 UTC Jul 5 2012)
        send lifetime (00:00:00 UTC Jul 5 2012) - (16:05:00 UTC Jul 5 2012)
    key 2 -- text "cisco2"
        accept lifetime (16:00:00 UTC Jul 5 2012) - (infinite) [valid now]
        send lifetime (16:00:00 UTC Jul 5 2012) - (infinite) [valid now]
R1#

R2#show key chain KEYS
Key-chain KEYS:
    key 1 -- text "cisco1"
        accept lifetime (11:00:00 UTC Jul 5 2012) - (16:10:00 UTC Jul 5 2012)
        send lifetime (00:00:00 UTC Jul 5 2012) - (16:05:00 UTC Jul 5 2012)
    key 2 -- text "cisco2"
        accept lifetime (16:00:00 UTC Jul 5 2012) - (infinite) [valid now]
        send lifetime (16:00:00 UTC Jul 5 2012) - (infinite) [valid now]
R2#

Observations:

· After 4:05pm both routers switched to sending key 2.
· Only key 2 is valid after 4:05pm.
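To check a rotation plan like this one before applying it, here is an added Python model (not from the post, and not Cisco code) of the IOS key-chain rules, assuming that the sender signs with the lowest-numbered key whose send-lifetime is valid, that a receiver accepts a key id only inside that key's accept-lifetime, and that end times are exclusive. It replays the post's KEYS chain at the timestamps seen in the debugs and reports how much clock skew between R1 and R2 the overlap can tolerate.

```python
# Added model of IOS key-chain selection (not from the post). Assumed rules:
# send with the lowest-numbered key whose send-lifetime is valid, accept a
# key id only inside that key's accept-lifetime, end times are exclusive.
from datetime import datetime, timedelta
INFINITE = datetime.max

def ts(s):
    """Parse an IOS lifetime timestamp such as '16:05:00 Jul 5 2012'."""
    return datetime.strptime(s, "%H:%M:%S %b %d %Y")

KEYS = {  # key chain KEYS exactly as configured on R1 and R2 in the post
    1: {"accept": (ts("11:00:00 Jul 5 2012"), ts("16:10:00 Jul 5 2012")),
        "send":   (ts("00:00:00 Jul 5 2012"), ts("16:05:00 Jul 5 2012"))},
    2: {"accept": (ts("16:00:00 Jul 5 2012"), INFINITE),
        "send":   (ts("16:00:00 Jul 5 2012"), INFINITE)},
}

def in_window(window, t):
    start, end = window
    return start <= t < end

def send_key(chain, t):
    """Key id a router signs with at local time t (None if no key is valid)."""
    valid = [k for k in sorted(chain) if in_window(chain[k]["send"], t)]
    return valid[0] if valid else None

def accepts(chain, key_id, t):
    """Whether a packet carrying key_id is accepted at local time t."""
    return key_id in chain and in_window(chain[key_id]["accept"], t)

def rotation_problems(chain, skew_seconds, start, end, step_seconds=30):
    """Sample [start, end) and list times at which the key one router sends
    would be rejected by a peer whose clock is off by up to skew_seconds."""
    skew, step = timedelta(seconds=skew_seconds), timedelta(seconds=step_seconds)
    problems, t = [], start
    while t < end:
        k = send_key(chain, t)
        if k is None:
            problems.append((t, "no key valid for sending"))
        elif not all(accepts(chain, k, t + d) for d in (-skew, skew)):
            problems.append((t, f"key {k} rejected by a peer {skew_seconds}s off"))
        t += step
    return problems

if __name__ == "__main__":
    for stamp in ("15:52:15 Jul 5 2012", "16:01:54 Jul 5 2012", "16:05:02 Jul 5 2012"):
        print(stamp, "-> sends key", send_key(KEYS, ts(stamp)))  # 1, 1, 2 as in the debugs
    window = (ts("15:00:00 Jul 5 2012"), ts("17:00:00 Jul 5 2012"))
    print("4 min skew:", rotation_problems(KEYS, 240, *window))       # []
    print("6 min skew:", rotation_problems(KEYS, 360, *window)[:1])   # first failing sample
```

Running it over the whole day also flags 00:00 to 11:00, where key 1's send-lifetime has begun but its accept-lifetime has not; harmless here because the adjacency came up after 11:00, but worth catching in a real plan.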
