RE: rip key chains

From: Scott Morris (swm@emanon.com)
Date: Wed Jun 21 2006 - 02:36:15 ART


With RIP, while you can configure multiple keys, it only sends one (although
it will accept both).

The intended use is for you to use this with the send-lifetime and
accept-lifetime commands on the keychain, in order to provide key migration.
Still, at any one point in time, a router will only SEND with one key. The
first valid one it comes across.

It can receive multiple valid keys (the nice changeover) but will only send
one.

HTH,

 
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
#153, CISSP, et al.
CCSI/JNCI
IPExpert CCIE Program Manager
IPExpert Sr. Technical Instructor
smorris@ipexpert.com
http://www.ipexpert.com
 

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Tim
Chan
Sent: Wednesday, June 21, 2006 12:40 AM
To: ccielab@groupstudy.com
Subject: re: rip key chains

As a followup, when I debug the routers, it appears that R1 is sending the
wrong key. It's sending key1 to R2 instead of key2. How do I correct this?

thanks!
-tim

Tim Chan <timanji@yahoo.com> wrote:
I'm trying to set up RIP authentication with 3 routers, R1, R2, and R3.
R1 being the hub and R2/R3 are the spokes via f/r. If I set up both spokes
with the same key # and password, it all works. But when I make one of the
spokes with a different key, it fails. I reverse R2 and R3, and the problem
follows the router trying to authenticate with the second key #. I have
tried both clear text and MD5 with the same results. What am I doing wrong?

On R1 I have:
key chain test
 key 1
  key-string cisco
 key 2
  key-string cisco2

interface Serial0/0.2 multipoint
 ip address 150.50.100.1 255.255.255.0
 ip rip authentication key-chain test
 frame-relay map ip 150.50.100.2 102 broadcast
 frame-relay map ip 150.50.100.3 103 broadcast

R2:
key chain test
 key 2
  key-string cisco2

interface Serial1/3
 ip address 150.50.100.2 255.255.255.0
 ip rip authentication key-chain test
 encapsulation frame-relay
 frame-relay map ip 150.50.100.1 201 broadcast

R3:
key chain test
 key 1
  key-string cisco

interface Serial1/0
 ip address 150.50.100.3 255.255.255.0
 ip rip authentication key-chain test
 encapsulation frame-relay
 frame-relay map ip 150.50.100.1 301 broadcast

                 



This archive was generated by hypermail 2.1.4 : Sat Jul 01 2006 - 07:57:33 ART
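
The send-one, accept-many behaviour described in the reply, as a small Python model applied to the three key chains from the question and to a key migration using send-lifetime and accept-lifetime. This is an added illustration, not part of the original messages and not router code. Assumptions: "first valid" is taken as the lowest key number, an update is accepted when the receiver holds a key with the same number and string inside its accept-lifetime, and the migration dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime

ALWAYS = (datetime.min, datetime.max)  # no lifetime configured

@dataclass(frozen=True)
class Key:
    number: int
    string: str
    send: tuple = ALWAYS     # send-lifetime as (start, end)
    accept: tuple = ALWAYS   # accept-lifetime as (start, end)

def _active(window, now):
    return window[0] <= now <= window[1]

def send_key(chain, now):
    """The single key used for outgoing updates: first valid one by key number."""
    for key in sorted(chain, key=lambda k: k.number):
        if _active(key.send, now):
            return key
    return None

def accepts(chain, offered, now):
    """A receiver checks the offered key against every key it currently accepts."""
    return offered is not None and any(
        k.number == offered.number and k.string == offered.string
        and _active(k.accept, now) for k in chain)

def update_ok(sender, receiver, now):
    return accepts(receiver, send_key(sender, now), now)

# Key chains exactly as posted in the question (no lifetimes).
R1 = [Key(1, "cisco"), Key(2, "cisco2")]
R2 = [Key(2, "cisco2")]
R3 = [Key(1, "cisco")]

# Migration chain deployed identically on every router (constructed dates):
# key 1 stops sending at cutover, key 2 starts; accept windows overlap by a day
# on each side so routers whose clocks differ slightly still authenticate.
CUTOVER = datetime(2006, 7, 1)
MIGRATION = [
    Key(1, "cisco", send=(datetime.min, CUTOVER),
        accept=(datetime.min, datetime(2006, 7, 2))),
    Key(2, "cisco2", send=(CUTOVER, datetime.max),
        accept=(datetime(2006, 6, 30), datetime.max)),
]

if __name__ == "__main__":
    now = datetime(2006, 6, 21)
    for name, spoke in (("R2", R2), ("R3", R3)):
        print(f"R1 -> {name}: {update_ok(R1, spoke, now)}   "
              f"{name} -> R1: {update_ok(spoke, R1, now)}")
```

In the model, R1 authenticates updates from both spokes but R2 rejects R1's, which matches the failure following whichever spoke holds only key 2.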