RE: Routing protocol authentication

From: Scott Morris (swm@emanon.com)
Date: Sat Jan 06 2007 - 11:27:41 ART


With key chains, the answer is no. It will always send the first
available/valid key only, and never move to the next. With OSPF MD5
authentication, you can have multiple simultaneous keys.

HTH,

 
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
#153, CISSP, et al.
CCSI/JNCI-M/JNCI-J
IPexpert VP - Curriculum Development
IPexpert Sr. Technical Instructor
smorris@ipexpert.com
http://www.ipexpert.com
 
 

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
ylara@sunsetlearning.com
Sent: Saturday, January 06, 2007 1:35 AM
To: ccielab@groupstudy.com
Subject: Routing protocol authentication

Is it possible to have one key chain with two keys and use it to
authenticate two different neighbors on the same interface, but using two
different keys?
 
R1#show run
!
key chain 1
 key 1
  key-string yasmin
 key 2
  key-string yasmin1
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip rip authentication mode md5
 ip rip authentication key-chain 1
!

R2#show run
!
key chain 1
 key 1
  key-string yasmin1
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 ip rip authentication mode md5
 ip rip authentication key-chain 1
!

S1-CAT3560#show run
!
key chain 1
 key 1
  key-string yasmin
!
interface Vlan100
 ip address 192.168.1.10 255.255.255.0
 ip rip authentication mode md5
 ip rip authentication key-chain 1
!
router rip
 version 2
 network 192.168.1.0
 no auto-summary
 
Only R1 and S1-3560 can exchange updates. It seems like R1 is only using
key 1 to send and receive even though key 2 shows as valid.
 
R1#show key chain
Key-chain 1:
    key 1 -- text "yasmin"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
    key 2 -- text "yasmin1"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
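As an added illustration (not part of the thread), the following Python model shows why only R1 and S1 authenticate above: the sender picks the lowest-numbered key whose send lifetime is currently valid and keeps using it, while the receiver looks the key up by the key ID carried in the RIPv2 authentication trailer and then verifies the digest. The digest construction follows RFC 2082 in simplified form (MD5 over the packet plus the key padded to 16 bytes); the key chains mirror the configs in the thread, and the lifetimes, "now" values and packet bytes are constructed. It also models send-lifetime rollover, which the thread does not cover.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Key:
    """One entry of a key chain; infinite bounds model 'always valid'."""
    key_id: int
    key_string: str
    send_start: float = float("-inf")
    send_end: float = float("inf")
    accept_start: float = float("-inf")
    accept_end: float = float("inf")


def send_key(chain, now):
    """Lowest-numbered key whose send lifetime covers 'now'; the sender
    never moves past it while it remains valid (IOS key-chain behaviour)."""
    for k in sorted(chain, key=lambda x: x.key_id):
        if k.send_start <= now <= k.send_end:
            return k
    return None


def rip_md5_digest(payload: bytes, key_string: str) -> bytes:
    """Simplified RFC 2082 digest: MD5 over packet || key padded/truncated to 16 bytes."""
    secret = key_string.encode()[:16].ljust(16, b"\x00")
    return hashlib.md5(payload + secret).digest()


def send_update(chain, payload: bytes, now):
    k = send_key(chain, now)
    if k is None:
        return None  # no valid send key: no authenticated update goes out
    return {"key_id": k.key_id, "payload": payload,
            "digest": rip_md5_digest(payload, k.key_string)}


def accept_update(chain, pkt, now) -> bool:
    """Receiver selects the key by the packet's key ID, then checks the digest."""
    for k in chain:
        if k.key_id == pkt["key_id"] and k.accept_start <= now <= k.accept_end:
            return rip_md5_digest(pkt["payload"], k.key_string) == pkt["digest"]
    return False  # unknown key ID or key not accept-valid


# Key chains as configured in the thread (constructed test data).
R1 = [Key(1, "yasmin"), Key(2, "yasmin1")]
R2 = [Key(1, "yasmin1")]
S1 = [Key(1, "yasmin")]


def exchange(sender, receiver, now=0.0) -> bool:
    """True if an update from sender authenticates at receiver at time 'now'."""
    pkt = send_update(sender, b"RIPv2 update (constructed payload)", now)
    return pkt is not None and accept_update(receiver, pkt, now)
```

R1's key 2 is never sent while key 1 is valid, and R2's key 1 carries a different string, so R1-R2 fails in both directions; giving key 1 a send-lifetime end and key 2 a later start makes the sender move to key 2 once key 1 expires.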



This archive was generated by hypermail 2.1.4 : Thu Feb 08 2007 - 23:46:55 ART