Thursday, December 29, 2011

Time-Based Eigrp Authentication


For example, suppose we add the accept-lifetime command to the key chain configuration like this at 23:01:19.203 UTC Wed Dec 3 2011:

   

key chain AUTH
 key 1
   key-string 123456
   accept-lifetime 16:00:00 Oct 14 2011 14:00:00 Dec 2 2011
   send-lifetime 15:00:00 Oct 15 2011 infinite

After Dec 2 2011, the EIGRP neighborship goes down with this error message:

%DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.12.1 (FastEthernet0/0) is down: Auth failure

This happens because the accept-lifetime of key 1 has expired.


Let's do another time-based EIGRP authentication configuration example.

We set the clock manually on both routers at the same time:

clock set 22:58:00 Nov 30 2011

Then we apply this key chain configuration on both routers:

key chain AUTH
 key 1
   key-string 123456
   accept-lifetime 16:00:00 Oct 14 2011 14:00:00 Dec 2 2011
   send-lifetime 15:00:00 Oct 15 2011 23:00:00 Nov 30 2011
 key 2
   key-string 123456
   accept-lifetime 22:00:00 Nov 30 2011 infinite
   send-lifetime 22:00:00 Nov 30 2011 infinite

Note: the lowest key-id number is always preferred if it is in a valid time range.


Then we wait for the key-id to change after 23:00:00.

Here is the debug eigrp packet output:



Nov 30 22:59:55.459: EIGRP: received packet with MD5 authentication, key id = 1
Nov 30 22:59:55.463: EIGRP: Received HELLO on FastEthernet0/0 nbr 192.168.12.2
Nov 30 22:59:55.467:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
Nov 30 22:59:57.291: EIGRP: Sending HELLO on FastEthernet0/1
Nov 30 22:59:57.295:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
Nov 30 22:59:57.615: EIGRP: Sending HELLO on Loopback0
Nov 30 22:59:57.619:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
Nov 30 22:59:57.631: EIGRP: Received HELLO on Loopback0 nbr 192.168.0.1
Nov 30 22:59:57.635:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0
Nov 30 22:59:57.635: EIGRP: Packet from ourselves ignored
Nov 30 22:59:57.963: EIGRP: Sending HELLO on FastEthernet0/0
Nov 30 22:59:57.967:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
Nov 30 22:59:58.063: EIGRP: Received HELLO on FastEthernet0/1 nbr 192.168.13.3
Nov 30 22:59:58.067:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
Nov 30 23:00:00.199: EIGRP: received packet with MD5 authentication, key id = 1
Nov 30 23:00:00.203: EIGRP: Received HELLO on FastEthernet0/0 nbr 192.168.12.2
Nov 30 23:00:00.207:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
Nov 30 23:00:01.763: EIGRP: Sending HELLO on FastEthernet0/1
Nov 30 23:00:01.767:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
Nov 30 23:00:02.231: EIGRP: Sending HELLO on Loopback0
Nov 30 23:00:02.235:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
Nov 30 23:00:02.243: EIGRP: Received HELLO on Loopback0 nbr 192.168.0.1
Nov 30 23:00:02.247:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0
Nov 30 23:00:02.247: EIGRP: Packet from ourselves ignored
Nov 30 23:00:02.443: EIGRP: Sending HELLO on FastEthernet0/0
Nov 30 23:00:02.447:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
Nov 30 23:00:02.779: EIGRP: Received HELLO on FastEthernet0/1 nbr 192.168.13.3
Nov 30 23:00:02.783:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
Nov 30 23:00:05.131: EIGRP: received packet with MD5 authentication, key id = 2
Nov 30 23:00:05.135: EIGRP: Received HELLO on FastEthernet0/0 nbr 192.168.12.2
Nov 30 23:00:05.139:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
Nov 30 23:00:06.307: EIGRP: Sending HELLO on FastEthernet0/1
Nov 30 23:00:06.311:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
Nov 30 23:00:06.491: EIGRP: Sending HELLO on Loopback0
Nov 30 23:00:06.495:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
Nov 30 23:00:06.495: EIGRP: Received HELLO on Loopback0 nbr 192.168.0.1
Nov 30 23:00:06.495:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0
Nov 30 23:00:06.495: EIGRP: Packet from ourselves ignored
Nov 30 23:00:07.063: EIGRP: Sending HELLO on FastEthernet0/0
Nov 30 23:00:07.067:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
Nov 30 23:00:07.723: EIGRP: Received HELLO on FastEthernet0/1 nbr 192.168.13.3
Nov 30 23:00:07.723:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
Nov 30 23:00:10.091: EIGRP: received packet with MD5 authentication, key id = 2

The key-id changed without clearing the EIGRP neighborship.

R2#show key chain
Key-chain AUTH:
    key 1 -- text "123456"
        accept lifetime (16:00:00 UTC Oct 14 2011) - (14:00:00 UTC Dec 2 2011) [valid now]
        send lifetime (15:00:00 UTC Oct 15 2011) - (23:00:00 UTC Nov 30 2011)
    key 2 -- text "123456"
        accept lifetime (22:00:00 UTC Nov 30 2011) - (infinite) [valid now]
        send lifetime (22:00:00 UTC Nov 30 2011) - (infinite) [valid now]
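
The key selection seen in both examples can be checked offline before a rollover is scheduled. The following Python model is an added example, not output or code from the routers or from Cisco: it applies the "lowest valid key-id is preferred" rule from the note above to the two key chains on this page. Assumptions: lifetimes are treated as start-inclusive and end-exclusive, matching is by key-id only (key-strings are taken to be identical on both sides), and all function names are hypothetical.

```python
from datetime import datetime

FMT = "%H:%M:%S %b %d %Y"   # lifetime format as written in the configs above

def window(start, end):
    """Parse a lifetime pair; the end may be the keyword 'infinite'."""
    stop = datetime.max if end == "infinite" else datetime.strptime(end, FMT)
    return datetime.strptime(start, FMT), stop

# key id -> (accept-lifetime, send-lifetime), copied from the two configs above
FIRST = {1: (window("16:00:00 Oct 14 2011", "14:00:00 Dec 2 2011"),
             window("15:00:00 Oct 15 2011", "infinite"))}
SECOND = {1: (window("16:00:00 Oct 14 2011", "14:00:00 Dec 2 2011"),
              window("15:00:00 Oct 15 2011", "23:00:00 Nov 30 2011")),
          2: (window("22:00:00 Nov 30 2011", "infinite"),
              window("22:00:00 Nov 30 2011", "infinite"))}

def active(win, now):
    # Assumption: start inclusive, end exclusive; exact IOS boundary
    # behaviour is not modelled here.
    return win[0] <= now < win[1]

def send_key(chain, now):
    """Lowest key id whose send-lifetime covers `now` (None if none is valid)."""
    return next((k for k in sorted(chain) if active(chain[k][1], now)), None)

def accept_keys(chain, now):
    """All key ids whose accept-lifetime covers `now`."""
    return [k for k in sorted(chain) if active(chain[k][0], now)]

def authenticates(sender, receiver, now):
    """True if the key the sender picks at `now` is one the receiver accepts."""
    key = send_key(sender, now)
    return key is not None and key in accept_keys(receiver, now)

def at(text):
    """Parse a timestamp written in the same format as the lifetimes."""
    return datetime.strptime(text, FMT)

if __name__ == "__main__":
    for t in ("22:59:55 Nov 30 2011", "23:00:05 Nov 30 2011"):
        print(t, "send", send_key(SECOND, at(t)),
              "accept", accept_keys(SECOND, at(t)))
    print("first config on Dec 3 authenticates:",
          authenticates(FIRST, FIRST, at("23:01:19 Dec 3 2011")))
```

Running the same check across the whole planned rollover window, with each router's own chain as sender and receiver, shows any interval where the sending key is not yet or no longer accepted by the peer.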
