EIGRP: Authentication using Key-Chain Rotation:
· Classic EIGRP supports only MD5 authentication, so the mode must be set to md5 (named-mode EIGRP on newer IOS releases adds HMAC-SHA-256). The key string itself never goes on the wire; a hello carries only the key id and an MD5 digest, so rotating keys limits how long a leaked key string stays useful.
o # ip authentication key-chain eigrp <as> <key-chain>
o # ip authentication mode eigrp <as> md5
· Both commands are configured under the interface facing the neighbor, and the same key chain (matching key ids and key strings) must exist on both routers, since the receiver looks the key up by the id in the packet
A small two-router topology is enough to demonstrate key-chain rotation in EIGRP:
R1------------------R2
R1#show clock
*15:33:09.227 UTC Thu Jul 5 2012
R1#
R2#show clock
*15:33:20.691 UTC Thu Jul 5 2012
R2#
· The local time on both routers is currently 3:33pm (R2's clock runs a few seconds ahead of R1's, as the show clock outputs suggest)
· The key chain has two keys, key 1 and key 2, so that the routers roll from key 1 to key 2 around 4pm without dropping the adjacency
· Key 1:
o Accepted until 4:10pm
o Sent until 4:05pm
· Key 2:
o Accepted from 4pm
o Sent from 4pm
· Between 4:00pm and 4:05pm both keys are valid for sending; IOS sends with the lowest-numbered valid key, so key 1 is still used until 4:05pm and key 2 takes over after that
· Key 1 stays acceptable for 5 more minutes after it stops being sent (until 4:10pm). That accept-side overlap is what absorbs clock skew and in-flight packets during the changeover; if the accept-lifetime ended at the same moment as the send-lifetime, the adjacency would drop as soon as the peers' clocks disagreed
R1(config-if)#do show run
key chain KEYS
key 1
key-string cisco1
accept-lifetime 11:00:00 Jul 5 2012 16:10:00 Jul 5 2012
send-lifetime 00:00:00 Jul 5 2012 16:05:00 Jul 5 2012
key 2
key-string cisco2
accept-lifetime 16:00:00 Jul 5 2012 infinite
send-lifetime 16:00:00 Jul 5 2012 infinite
!
R1(config-if)#do show run int ser1/0
Building configuration...
Current configuration : 170 bytes
!
interface Serial1/0
ip address 100.1.12.1 255.255.255.0
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 KEYS
serial restart-delay 0
end
R1(config-if)#
*Jul 5 15:41:55.591: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 100.1.12.2 (Serial1/0) is up: new adjacency
R2#show run
key chain KEYS
key 1
key-string cisco1
accept-lifetime 11:00:00 Jul 5 2012 16:10:00 Jul 5 2012
send-lifetime 00:00:00 Jul 5 2012 16:05:00 Jul 5 2012
key 2
key-string cisco2
accept-lifetime 16:00:00 Jul 5 2012 infinite
send-lifetime 16:00:00 Jul 5 2012 infinite
!
R2#show run int ser1/0
Building configuration...
Current configuration : 170 bytes
!
interface Serial1/0
ip address 100.1.12.2 255.255.255.0
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 KEYS
serial restart-delay 0
end
R2#
R1#show clock
*15:44:15.615 UTC Thu Jul 5 2012
R1#
R1#show key chain KEYS
Key-chain KEYS:
key 1 -- text "cisco1"
accept lifetime (11:00:00 UTC Jul 5 2012) - (16:10:00 UTC Jul 5 2012) [valid now]
send lifetime (00:00:00 UTC Jul 5 2012) - (16:05:00 UTC Jul 5 2012) [valid now]
key 2 -- text "cisco2"
accept lifetime (16:00:00 UTC Jul 5 2012) - (infinite)
send lifetime (16:00:00 UTC Jul 5 2012) - (infinite)
R1#
R2#show clock
*15:44:28.719 UTC Thu Jul 5 2012
R2#
R2#show key chain KEYS
Key-chain KEYS:
key 1 -- text "cisco1"
accept lifetime (11:00:00 UTC Jul 5 2012) - (16:10:00 UTC Jul 5 2012) [valid now]
send lifetime (00:00:00 UTC Jul 5 2012) - (16:05:00 UTC Jul 5 2012) [valid now]
key 2 -- text "cisco2"
accept lifetime (16:00:00 UTC Jul 5 2012) - (infinite)
send lifetime (16:00:00 UTC Jul 5 2012) - (infinite)
R2#
R1#show ip eigrp neighbors
IP-EIGRP neighbors for process 100
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 100.1.12.2 Se1/0 10 00:04:45 86 516 0 43
R1#
R2#show ip eigrp neighbors
IP-EIGRP neighbors for process 100
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 100.1.12.1 Se1/0 12 00:05:01 65 390 0 27
R2#
R1#debug eigrp packets hello
EIGRP Packets debugging is on
(HELLO)
R1#
*Jul 5 15:52:13.911: EIGRP: Sending HELLO on Serial1/0
*Jul 5 15:52:13.911: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
R1#
*Jul 5 15:52:15.447: EIGRP: received packet with MD5 authentication, key id = 1
*Jul 5 15:52:15.451: EIGRP: Received HELLO on Serial1/0 nbr 100.1.12.2
*Jul 5 15:52:15.451: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
*Jul 5 15:52:15.671: EIGRP: Sending HELLO on Loopback0
*Jul 5 15:52:15.671: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Jul 5 15:52:15.675: EIGRP: Received HELLO on Loopback0 nbr 1.1.1.1
*Jul 5 15:52:15.679: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0
R1#
R2#debug eigrp packets hello
EIGRP Packets debugging is on
(HELLO)
R2#
*Jul 5 15:52:15.411: EIGRP: received packet with MD5 authentication, key id = 1
*Jul 5 15:52:15.415: EIGRP: Received HELLO on Serial1/0 nbr 100.1.12.1
*Jul 5 15:52:15.415: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
R2#
*Jul 5 15:52:16.919: EIGRP: Sending HELLO on Serial1/0
*Jul 5 15:52:16.919: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
R2#
*Jul 5 15:52:20.323: EIGRP: received packet with MD5 authentication, key id = 1
*Jul 5 15:52:20.327: EIGRP: Received HELLO on Serial1/0 nbr 100.1.12.1
*Jul 5 15:52:20.327: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
R2#
*Jul 5 15:52:21.347: EIGRP: Sending HELLO on Serial1/0
*Jul 5 15:52:21.347: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
R2#u all
Observations:
· Only key 1 is valid at this time (3:52pm), so every received hello is logged with key id = 1
· Authentication succeeds in both directions and the adjacency stays up
R1#show key chain KEYS
Key-chain KEYS:
key 1 -- text "cisco1"
accept lifetime (11:00:00 UTC Jul 5 2012) - (16:10:00 UTC Jul 5 2012) [valid now]
send lifetime (00:00:00 UTC Jul 5 2012) - (16:05:00 UTC Jul 5 2012) [valid now]
key 2 -- text "cisco2"
accept lifetime (16:00:00 UTC Jul 5 2012) - (infinite) [valid now]
send lifetime (16:00:00 UTC Jul 5 2012) - (infinite) [valid now]
R1#
R2#
*Jul 5 16:01:43.275: EIGRP: received packet with MD5 authentication, key id = 1
*Jul 5 16:01:43.275: EIGRP: Received HELLO on Serial1/0 nbr 100.1.12.2
*Jul 5 16:01:54.339: EIGRP: received packet with MD5 authentication, key id = 1
*Jul 5 16:01:54.339: EIGRP: Received HELLO on Serial1/0 nbr 100.1.12.1
*Jul 5 16:01:54.339: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
*Jul 5 16:01:54.411: EIGRP: Sending HELLO on Serial1/0
*Jul 5 16:01:54.411: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
R2#u all
All possible debugging has been turned off
R2#
R2#show key chain KEYS
Key-chain KEYS:
key 1 -- text "cisco1"
accept lifetime (11:00:00 UTC Jul 5 2012) - (16:10:00 UTC Jul 5 2012) [valid now]
send lifetime (00:00:00 UTC Jul 5 2012) - (16:05:00 UTC Jul 5 2012) [valid now]
key 2 -- text "cisco2"
accept lifetime (16:00:00 UTC Jul 5 2012) - (infinite) [valid now]
send lifetime (16:00:00 UTC Jul 5 2012) - (infinite) [valid now]
R2#
Observations:
· The clock shows 4:01pm, so both keys are now marked [valid now] for both sending and receiving
· Hellos still carry key id = 1, because IOS sends with the lowest-numbered key whose send-lifetime is valid, and key 1's send-lifetime runs until 4:05pm
R1# debug eigrp packets hello
*Jul 5 16:04:54.603: EIGRP: received packet with MD5 authentication, key id = 1
*Jul 5 16:04:54.603: EIGRP: Received HELLO on Serial1/0 nbr 100.1.12.2
*Jul 5 16:04:54.607: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
R1#
*Jul 5 16:04:56.559: EIGRP: Sending HELLO on Serial1/0
*Jul 5 16:04:56.559: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Jul 5 16:04:57.103: EIGRP: Sending HELLO on Loopback0
*Jul 5 16:04:57.103: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Jul 5 16:04:57.107: EIGRP: Received HELLO on Loopback0 nbr 1.1.1.1
*Jul 5 16:04:57.107: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0
R1#
*Jul 5 16:04:59.075: EIGRP: received packet with MD5 authentication, key id = 2
*Jul 5 16:04:59.079: EIGRP: Received HELLO on Serial1/0 nbr 100.1.12.2
R2# debug eigrp packets hello
*Jul 5 16:05:02.687: EIGRP: received packet with MD5 authentication, key id = 2
*Jul 5 16:05:02.687: EIGRP: Received HELLO on Serial1/0 nbr 100.1.12.1
*Jul 5 16:05:02.687: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
R2#
*Jul 5 16:05:05.307: EIGRP: Sending HELLO on Serial1/0
*Jul 5 16:05:05.307: AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
R2#
*Jul 5 16:05:06.999: EIGRP: received packet with MD5 authentication, key id = 2
*Jul 5 16:05:07.003: EIGRP: Received HELLO on Serial1/0 nbr 100.1.12.1
R1#show key chain KEYS
Key-chain KEYS:
key 1 -- text "cisco1"
accept lifetime (11:00:00 UTC Jul 5 2012) - (16:10:00 UTC Jul 5 2012)
send lifetime (00:00:00 UTC Jul 5 2012) - (16:05:00 UTC Jul 5 2012)
key 2 -- text "cisco2"
accept lifetime (16:00:00 UTC Jul 5 2012) - (infinite) [valid now]
send lifetime (16:00:00 UTC Jul 5 2012) - (infinite) [valid now]
R1#
R2#show key chain KEYS
Key-chain KEYS:
key 1 -- text "cisco1"
accept lifetime (11:00:00 UTC Jul 5 2012) - (16:10:00 UTC Jul 5 2012)
send lifetime (00:00:00 UTC Jul 5 2012) - (16:05:00 UTC Jul 5 2012)
key 2 -- text "cisco2"
accept lifetime (16:00:00 UTC Jul 5 2012) - (infinite) [valid now]
send lifetime (16:00:00 UTC Jul 5 2012) - (infinite) [valid now]
R2#
Observations:
· From 4:05pm the hellos in both directions carry key id = 2: key 1's send-lifetime has ended, so key 2 is now the lowest-numbered sendable key
· R1 logged the first key id = 2 hello from R2 at 16:04:59 on its own clock, while it was itself still sending key 1. R2's clock runs a few seconds ahead, so the two routers changed over at slightly different moments; the accept-lifetime overlap absorbed this and each router kept accepting the other's key through the switch
· Key 1 remains acceptable until 4:10pm; only after that is key 2 the single valid key, as the later show key chain output (no [valid now] on key 1) confirms
· Keep the clocks synchronized with NTP when using lifetimes: if the peers' clocks differ by more than the accept overlap (10 minutes here), the adjacency drops at the changeover
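To make the selection rule and the clock-skew point concrete, here is a small Python model written for this post as an added example; it is not the author's code or anything from Cisco IOS. It encodes the KEYS chain above, applies the IOS rule (send with the lowest-numbered send-valid key; accept a received key id only while that key's accept-lifetime is valid) and replays the moments seen in the debug output with R2's clock 3 seconds ahead of R1's, an assumed value consistent with the show clock and debug timestamps. The rollover_problems() check and its skew parameter are this example's own design, not an IOS feature.

```python
"""Model of IOS key-chain lifetimes for EIGRP MD5 authentication (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

INFINITE = datetime.max  # stands in for the IOS keyword "infinite"


def t(hhmmss: str) -> datetime:
    """Clock value on the post's date (Jul 5 2012), e.g. t("16:04:59")."""
    return datetime.strptime("2012-07-05 " + hhmmss, "%Y-%m-%d %H:%M:%S")


@dataclass(frozen=True)
class Key:
    key_id: int
    key_string: str          # the secret; only the key id travels in the packet
    accept_start: datetime
    accept_end: datetime
    send_start: datetime
    send_end: datetime

    def can_send(self, now: datetime) -> bool:
        return self.send_start <= now < self.send_end

    def can_accept(self, now: datetime) -> bool:
        return self.accept_start <= now < self.accept_end


class KeyChain:
    def __init__(self, name: str, keys):
        self.name = name
        self.keys = sorted(keys, key=lambda k: k.key_id)

    def send_key(self, now: datetime) -> Optional[Key]:
        """IOS sends with the lowest key number that is currently send-valid."""
        for k in self.keys:
            if k.can_send(now):
                return k
        return None

    def accepts(self, key_id: int, now: datetime) -> bool:
        """A received key id passes only if that key is accept-valid right now."""
        return any(k.key_id == key_id and k.can_accept(now) for k in self.keys)


# The KEYS chain exactly as configured on R1 and R2 in the post
KEYS = KeyChain("KEYS", [
    Key(1, "cisco1", t("11:00:00"), t("16:10:00"), t("00:00:00"), t("16:05:00")),
    Key(2, "cisco2", t("16:00:00"), INFINITE, t("16:00:00"), INFINITE),
])

# Assumption: R2's clock is 3 s ahead of R1's (the post only shows it is slightly ahead)
R2_AHEAD_OF_R1 = timedelta(seconds=3)


def hello_exchange(chain: KeyChain, sender_clock: datetime, receiver_clock: datetime):
    """One hello: the sender picks a key by its own clock, the receiver judges the
    key id by its own clock. Returns (key_id_sent, accepted_by_receiver)."""
    k = chain.send_key(sender_clock)
    if k is None:
        return None, False
    return k.key_id, chain.accepts(k.key_id, receiver_clock)


def timeline():
    """Replay the moments shown in the post (R1's clock) in both directions."""
    out = {}
    for r1_time in ("15:44:15", "16:01:43", "16:04:54", "16:04:59", "16:07:00", "16:12:00"):
        r1, r2 = t(r1_time), t(r1_time) + R2_AHEAD_OF_R1
        out[r1_time] = {"R1->R2": hello_exchange(KEYS, r1, r2),
                        "R2->R1": hello_exchange(KEYS, r2, r1)}
    return out


def rollover_problems(chain: KeyChain, max_skew_seconds: int):
    """Design check (this example's own) for each consecutive key pair, assuming
    peer clocks may differ by up to max_skew_seconds: the old key must stay
    acceptable for that long after the sender stops using it, the new key must be
    acceptable that long before the sender starts using it, and there must be no
    moment with no sendable key."""
    skew = timedelta(seconds=max_skew_seconds)
    problems = []
    for old, new in zip(chain.keys, chain.keys[1:]):
        if old.send_end == INFINITE:
            continue  # the old key never rolls over, nothing to check
        if new.send_start > old.send_end:
            problems.append(f"send gap between key {old.key_id} and key {new.key_id}")
        if new.accept_start > old.send_end - skew:
            problems.append(f"key {new.key_id} rejected by a peer whose clock lags {max_skew_seconds}s")
        if old.accept_end < old.send_end + skew:
            problems.append(f"key {old.key_id} rejected by a peer whose clock leads {max_skew_seconds}s")
    return problems


if __name__ == "__main__":
    for when, hellos in timeline().items():
        print(when, hellos)
    print("skew 3s:", rollover_problems(KEYS, 3) or "ok")
    print("skew 6min:", rollover_problems(KEYS, 360))
```

Running it reproduces the debug output: at R1 time 16:04:54 R2 is still sending key 1, at 16:04:59 R2 has already moved to key 2 while R1 has not, and both directions are still accepted. The design check shows that this chain tolerates up to 5 minutes of clock difference; at 6 minutes it reports that each side would reject the other's key around the changeover, which is the case NTP is there to prevent.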