Lessons learned:
Refresher:
EIGRP AUTH –
- Supports MD5 Auth only!
- Whitespace counts as a character
- Key number must match
- Supports automatic key rotation
- Applied at the interface level.
--------------------------------------------------
Main point – the routers MUST agree on what the current local time is. If not, the key numbers could become active or inactive at different times.
First step is to verify that the routers have the same local time.
By default any key you define will have an infinite accept and send lifetime.
R1#sh run | sec key
key chain LAB
 key 10
  key-string cisco1
--------------------------------------------
R1#sh key chain
Key-chain LAB:
    key 10 -- text "cisco1"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
This is where we can do the time-based authentication.
key chain LAB
 key 10
  key-string cisco1
  accept-lifetime 00:00:00 Mar 1 2002 23:59:59 Dec 31 2003
  send-lifetime 00:00:00 Mar 1 2002 23:59:59 Dec 31 2003
R1#sh key chain
Key-chain LAB:
    key 10 -- text "cisco1"
        accept lifetime (00:00:00 UTC Mar 1 2002) - (23:59:59 UTC Dec 31 2003) [valid now]
        send lifetime (00:00:00 UTC Mar 1 2002) - (23:59:59 UTC Dec 31 2003) [valid now]
Note: the end of each lifetime line says the key is "valid now". This is because the device's current time falls inside the key's lifetime.
Note: if you have multiple keys, you can run into a problem at the key rotation boundary. Until all routers have switched to the new key you could lose adjacency.
To correct this we can extend the "accept lifetime" of the old key so that it overlaps the new key string.
accept-lifetime 00:00:00 Mar 1 2002 23:59:59 Jan 1 2003 – I changed the accept time for an additional day
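The two failure modes above (clocks that disagree, and accept-lifetimes that do not overlap the rotation) can be checked before a change window. The script below is an added example, not part of the original post or of IOS: it models the key-chain rules the post describes (matching key numbers, a send-lifetime and an accept-lifetime per key) with plain Python datetimes, and it assumes the sender signs with its lowest-numbered key whose send-lifetime is currently valid. The routers A and B, the key strings "cisco1"/"cisco2" and the 2003/2004 rotation dates are constructed for the example.

```python
"""Model an EIGRP key-chain rotation between two routers whose clocks may disagree.

Added example, not from the original post. Key strings, dates and the
"lowest valid key number is sent" rule are constructed/assumed for the demo.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

FOREVER = datetime.max  # stands in for an "infinite" lifetime


@dataclass
class Key:
    number: int
    key_string: str
    send_start: datetime
    send_end: datetime
    accept_start: datetime
    accept_end: datetime

    def sends_at(self, t: datetime) -> bool:
        return self.send_start <= t <= self.send_end

    def accepts_at(self, t: datetime) -> bool:
        return self.accept_start <= t <= self.accept_end


@dataclass
class KeyChain:
    name: str
    keys: list

    def sending_key(self, t: datetime):
        """Key used to sign outgoing hellos at local time t (assumed: lowest
        key number with a valid send-lifetime). None means nothing is sent."""
        for k in sorted(self.keys, key=lambda k: k.number):
            if k.sends_at(t):
                return k
        return None

    def accepts(self, key: Key, t: datetime) -> bool:
        """Would a hello signed with `key` verify at local time t? The key
        number and string must match and the accept-lifetime must cover t."""
        return any(k.number == key.number and k.key_string == key.key_string
                   and k.accepts_at(t) for k in self.keys)


def auth_gaps(sender, receiver, receiver_skew, start, end, step=timedelta(minutes=1)):
    """Walk the sender's clock from start to end and return (first, last)
    failing samples, in sender clock time, where the receiver would reject
    the sender's hellos. receiver_skew = receiver clock - sender clock."""
    gaps, gap_start, prev = [], None, None
    t = start
    while t <= end:
        key = sender.sending_key(t)
        ok = key is not None and receiver.accepts(key, t + receiver_skew)
        if not ok and gap_start is None:
            gap_start = t
        elif ok and gap_start is not None:
            gaps.append((gap_start, prev))
            gap_start = None
        prev = t
        t += step
    if gap_start is not None:
        gaps.append((gap_start, prev))
    return gaps


def build_chain(accept_overlap_hours=0):
    """Constructed sample chain: key 10 ("cisco1") is sent through 2003, key 20
    ("cisco2") from 2004 on. accept_overlap_hours widens each key's
    accept-lifetime across the boundary, which is the fix the post describes."""
    overlap = timedelta(hours=accept_overlap_hours)
    boundary = datetime(2004, 1, 1, 0, 0, 0)
    k10_end = datetime(2003, 12, 31, 23, 59, 59)
    return KeyChain("LAB", [
        Key(10, "cisco1", datetime(2002, 3, 1), k10_end,
            datetime(2002, 3, 1), k10_end + overlap),
        Key(20, "cisco2", boundary, FOREVER, boundary - overlap, FOREVER),
    ])


def rotation_report(chain, skew_minutes, window_hours=2):
    """Check both directions between router A (reference clock) and router B,
    whose clock is off by skew_minutes, around the key-10 -> key-20 boundary.
    Each gap is (start_iso, end_iso, failing_minutes) in the sender's clock."""
    skew = timedelta(minutes=skew_minutes)
    boundary, window = datetime(2004, 1, 1), timedelta(hours=window_hours)
    step = timedelta(minutes=1)

    def fmt(gaps):
        return [(s.isoformat(), e.isoformat(), (e - s) // step + 1) for s, e in gaps]

    return {
        "A->B": fmt(auth_gaps(chain, chain, skew, boundary - window, boundary + window)),
        "B->A": fmt(auth_gaps(chain, chain, -skew, boundary - window, boundary + window)),
    }


if __name__ == "__main__":
    # Router B runs one hour behind A: tight lifetimes lose adjacency for an hour
    # in each direction; a 24 h accept overlap (the post's fix) closes both gaps.
    print("synced clocks:      ", rotation_report(build_chain(), 0))
    print("B 1h behind, tight: ", rotation_report(build_chain(), -60))
    print("B 1h behind, 24h ovl", rotation_report(build_chain(24), -60))
```

With synchronized clocks the tight lifetimes never fail, which is why the problem is easy to miss in a lab. With one router an hour behind, A starts sending key 20 before B will accept it, and B keeps sending key 10 after A has stopped accepting it, so the adjacency drops in both directions for the full hour of skew. Widening the accept-lifetime of the old key past the boundary and starting the new key's accept-lifetime early (send-lifetimes untouched) keeps both directions authenticated, which is the overlap the post arrives at.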