Re: key chain over frame hub and spoke running rip!!

From: Andy Hogard (andyhogard@gmail.com)
Date: Fri Aug 01 2008 - 09:48:17 ART


Since I have been getting unicasts, I thought I would post my configs for all. :)

Greets,
Andy.

PS: There are a lot of other configs on the routers, as I was trying to
complete my RIP studies. Point being, just ignore what is not related; only the
frame and key chain specifics along with RIP are important.

On 7/31/08, GAURAV MADAN <gauravmadan1177@gmail.com> wrote:
>
> Hi Andy
>
> Can you please send me the working configs for the same
>
> Thnx in advance
> Gaurav Madan.
>
> On Thu, Jul 31, 2008 at 3:00 AM, Andy Hogard <andyhogard@gmail.com> wrote:
> > Hurray!! Alright, I have got this running, but only at the expense of major
> > overhauling in the frame relay network. If anyone needs, I can post my
> > configs as well. :)
> >
> > Thanks to all who replied insanely fast, and to Thor Kopp.
> >
> > Greets,
> > Andy.
> >
> >
> >
> >
> > On 7/30/08, Thor Kopp <thorkopp@googlemail.com> wrote:
> >>
> >> How about if you configure virtual-templates? This gives you different
> >> interfaces to configure your RIP authentication statements on.
> >>
> >> On Wed, Jul 30, 2008 at 7:12 PM, Andy Hogard <andyhogard@gmail.com> wrote:
> >>
> >>> Hey all,
> >>>
> >>> I have been a subscriber to this list for some time now, although this is
> >>> my very first post (so a bit excited about it).
> >>>
> >>> Alright, here is the scenario w/o wasting any further time. I have three
> >>> routers: hub R2 (multipoint sub-intf) connected to spokes R5 and R6, and I'm
> >>> running RIP as my routing protocol. Here is what the scenario wants from me
> >>> under the RIP authentication tasks: updates between R2 and R5 will use MD5
> >>> algorithm "ipexpert_R2toR5", and updates between R2 and R6 will use MD5
> >>> algorithm "ipexpert_R2toR6".
> >>>
> >>>
> >>> Ok, and this is what I have configured on R2:
> >>>
> >>> interface Serial1/1.256 multipoint
> >>> ip rip authentication mode md5
> >>> ip rip authentication key-chain RIP_KEY_FR1
> >>> ip address 150.50.100.2 255.255.255.0
> >>> frame-relay map ip 150.50.100.5 205 broadcast
> >>> frame-relay map ip 150.50.100.6 206 broadcast
> >>> exit
> >>>
> >>> key chain RIP_KEY_FR1
> >>> key 1
> >>> key-string ipexpert_R2toR5
> >>> key 2
> >>> key-string ipexpert_R2toR6
> >>>
> >>> end
> >>> wr
> >>>
> >>> and on R6, I have the following configured:
> >>>
> >>> int s 1/1
> >>> ip address 150.50.100.6 255.255.255.0
> >>> encapsulation frame-relay
> >>> no dce-terminal-timing-enable
> >>> no arp frame-relay
> >>> frame-relay map ip 150.50.100.2 602 broadcast
> >>> frame-relay map ip 150.50.100.5 602
> >>> no frame-relay inverse-arp
> >>> ip rip authentication mode md5
> >>> ip rip authentication key-chain RIP_KEY_FR1
> >>> exit
> >>>
> >>> key chain RIP_KEY_FR1
> >>> key 2
> >>> key-string ipexpert_R2toR6
> >>>
> >>> end
> >>>
> >>> wr
> >>>
> >>> On R5, I have the following:
> >>>
> >>> int s 1/1
> >>> ip address 150.50.100.5 255.255.255.0
> >>> encapsulation frame-relay
> >>> no dce-terminal-timing-enable
> >>> no arp frame-relay
> >>> frame-relay map ip 150.50.100.2 502 broadcast
> >>> frame-relay map ip 150.50.100.6 502
> >>> no frame-relay inverse-arp
> >>> ip rip authentication mode md5
> >>> ip rip authentication key-chain RIP_KEY_FR1
> >>> exit
> >>>
> >>> key chain RIP_KEY_FR1
> >>> key 1
> >>> key-string ipexpert_R2toR5
> >>>
> >>>
> >>> Ok, after having this in place I have figured that the link between R2 and
> >>> R6 will always get me an authentication error, as R2 will always send key 1
> >>> to both R5 and R6. Hence I may have to use a common key for the entire hub
> >>> and spoke network and have some send/accept lifetime for key 1, then when
> >>> it expires use key 2 perhaps. Or is there a way that the above config is
> >>> do-able with some tweaking, wherein R2 will send updates using both keys 1
> >>> and 2 ..eh..!?
> >>>
> >>> This scenario has been taken from the ipexpert rns wb; it's good that it's
> >>> there ..sort of an eye-opener for me. But I don't think the proctor guide
> >>> highlights this issue; instead I think they give the same config ..and all
> >>> should work smooth as per them, which is what makes me ponder and think
> >>> ..ya?!
> >>>
> >>>
> >>> Let your two cents flow. :D
> >>>
> >>>
> >>> Greets,
> >>> Andy.
> >>>
> >>>
> >>> Blogs and organic groups at http://www.ccie.net
> >>>
> >>> _______________________________________________________________________
> >>> Subscription information may be found at:
> >>> http://www.groupstudy.com/list/CCIELab.html
> >>>
> >>
> >>
> >> --
> >> Thanks,
> >> Thor
> >
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$7j3a$wHagZQILSXFtMMHOMnvQh.
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
!
!
ip cef
no ip domain lookup
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
!
no ftp-server write-enable
!
!
key chain RIP_KEY_R2_R4
 key 1
  key-string ipexpert_R2toR4
key chain RIP_KEY_FR2_R2R5
 key 1
  key-string ipexpert_R2toR5
key chain RIP_KEY_FR2_R2R6
 key 2
  key-string ipexpert_R2toR6
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
no crypto isakmp ccm
!
!
!
!
interface Loopback0
 ip address 200.0.0.2 255.255.255.255
!
interface Ethernet0/0
 description connection to R1 on e 0/0
 ip address 150.50.17.2 255.255.255.0
 ip rip v2-broadcast
 full-duplex
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Serial1/1
 no ip address
 encapsulation frame-relay
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Serial1/1.24 point-to-point
 ip address 150.50.24.2 255.255.255.0
 ip rip triggered
 ip rip authentication key-chain RIP_KEY_R2_R4
 frame-relay interface-dlci 204
!
interface Serial1/1.256 multipoint
 frame-relay interface-dlci 205 ppp Virtual-Template25
 frame-relay interface-dlci 206 ppp Virtual-Template26
!
interface Serial1/2
 ip address 150.50.9.2 255.255.255.192
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Virtual-PPP1
 no ip address
!
interface Virtual-Template25
 ip address 150.50.100.2 255.255.255.0
 ip rip authentication key-chain RIP_KEY_FR2_R2R5
!
interface Virtual-Template26
 ip address 150.50.100.2 255.255.255.0
 ip rip authentication key-chain RIP_KEY_FR2_R2R6
!
interface Virtual-TokenRing1
 no ip address
 ring-speed 16
!
router rip
 version 2
 no validate-update-source
 timers basic 30 180 0 240
 passive-interface Loopback0
 network 150.50.0.0
 no auto-summary
!
ip http server
no ip http secure-server
ip classless
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner motd Unauthorised access will be prohibited
alias router sir do show ip route
alias router siib do sh ip int br
alias configure sir do show ip route
alias configure siib do show ip int brief
alias exec sir show ip route
alias exec siib show ip int brief
!
line con 0
 exec-timeout 0 0
 privilege level 15
 password cisco
 logging synchronous
line aux 0
line vty 0 4
 login
!
!
end
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R5
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$NVVM$z6q894qbnHt4hwrZG5mMv0
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
!
!
ip cef
no ip domain lookup
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
!
no ftp-server write-enable
!
!
key chain RIP_KEY_R5_R6_R7
 key 1
  key-string ipexpert_R567
key chain RIP_KEY_FR2_R2R5
 key 1
  key-string ipexpert_R2toR5
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
no crypto isakmp ccm
!
!
!
!
interface Loopback0
 ip address 200.0.0.5 255.255.255.255
!
interface Ethernet0/0
 ip address 150.50.7.5 255.255.255.0
 ip rip authentication key-chain RIP_KEY_R5_R6_R7
 full-duplex
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Serial1/1
 no ip address
 encapsulation frame-relay
 serial restart-delay 0
 no dce-terminal-timing-enable
 frame-relay interface-dlci 502 ppp Virtual-Template52
!
interface Serial1/2
 ip address 150.50.9.5 255.255.255.192
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Virtual-Template52
 ip address 150.50.100.5 255.255.255.0
 ip rip authentication key-chain RIP_KEY_FR2_R2R5
!
router rip
 version 2
 timers basic 30 180 0 240
 passive-interface Loopback0
 network 150.50.0.0
 no auto-summary
!
ip http server
no ip http secure-server
ip classless
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner motd Unauthorised access will be prohibited
alias router sir do show ip route
alias router siib do sh ip int br
alias configure sir do show ip route
alias configure siib do show ip int brief
alias exec sir show ip route
alias exec siib show ip int brief
!
line con 0
 exec-timeout 0 0
 privilege level 15
 password cisco
 logging synchronous
line aux 0
line vty 0 4
 login
!
!
end
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R6
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 $1$.I3j$jighRhSW2k2oXHSQ/fWFm1
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
!
!
ip cef
no ip domain lookup
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
!
no ftp-server write-enable
!
!
key chain RIP_KEY_R5_R6_R7
 key 1
  key-string ipexpert_R567
key chain RIP_KEY_FR2_R2R6
 key 2
  key-string ipexpert_R2toR6
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
no crypto isakmp ccm
!
!
!
!
interface Loopback0
 ip address 200.0.0.6 255.255.255.255
!
interface Ethernet0/0
 ip address 150.50.7.6 255.255.255.128
 ip rip authentication key-chain RIP_KEY_R5_R6_R7
 full-duplex
!
interface Ethernet0/1
 description connection to SW4 on fa 1/6
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Serial1/1
 no ip address
 encapsulation frame-relay
 serial restart-delay 0
 no dce-terminal-timing-enable
 no arp frame-relay
 frame-relay interface-dlci 602 ppp Virtual-Template62
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Serial1/3
 ip address 150.50.6.6 255.255.255.128
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Virtual-Template62
 ip address 150.50.100.6 255.255.255.0
 ip rip authentication key-chain RIP_KEY_FR2_R2R6
!
router rip
 version 2
 timers basic 30 180 0 240
 passive-interface Loopback0
 network 150.50.0.0
 no auto-summary
!
ip http server
no ip http secure-server
ip classless
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner motd Unauthorised access will be prohibited
alias router sir do show ip route
alias router siib do sh ip int br
alias configure sir do show ip route
alias configure siib do show ip int brief
alias exec sir show ip route
alias exec siib show ip int brief
!
line con 0
 exec-timeout 0 0
 privilege level 15
 password cisco
 logging synchronous
line aux 0
line vty 0 4
 login
!
!
end
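To make the failure mode discussed in the thread concrete, here is an added Python model (not code from the thread, from ipexpert or from Cisco) of RFC 2082 keyed-MD5 RIP authentication with key-chain style key lookup. It assumes the simplified send rule the thread observed (the hub signs with the lowest key ID in the interface's chain) and uses constructed key chains built from the posted key strings; it shows the single shared multipoint interface failing for R6 and the one-chain-per-virtual-template design passing for both spokes.

```python
"""Model of RIPv2 keyed-MD5 authentication (RFC 2082) with Cisco-style key chains.
Constructed example: one shared hub interface signs with the lowest key ID, so a
spoke holding only key ID 2 rejects the update; one chain per interface fixes it."""
import hashlib
import struct

AUTH_AFI, AUTH_MD5, AUTH_TRAILER = 0xFFFF, 0x0003, 0x0001

def _key16(key: str) -> bytes:
    # RFC 2082: the key is zero-padded (or truncated) to 16 octets before hashing
    return key.encode()[:16].ljust(16, b"\0")

def build_update(key_chain: dict, routes: list, seq: int = 1) -> bytes:
    """Sender: sign a RIPv2 response with the lowest key ID in the chain
    (assumed model of the 'always sends key 1' behaviour seen on the hub)."""
    key_id = min(key_chain)
    body = b"".join(struct.pack("!HHIIII", 2, 0, p, m, 0, 0) for p, m in routes)
    pkt_len = 4 + 20 + len(body)  # header + auth entry + routes, trailer excluded
    auth = struct.pack("!HHHBBIII", AUTH_AFI, AUTH_MD5, pkt_len, key_id, 16, seq, 0, 0)
    pre = (struct.pack("!BBH", 2, 2, 0) + auth + body
           + struct.pack("!HH", AUTH_AFI, AUTH_TRAILER))
    # digest covers the packet with the padded key sitting where the digest goes
    return pre + hashlib.md5(pre + _key16(key_chain[key_id])).digest()

def verify_update(key_chain: dict, pkt: bytes) -> tuple:
    """Receiver: the key ID selects the key; an ID the chain lacks is a hard
    failure before any hashing, which is exactly what R6 hit."""
    key_id = pkt[10]  # 4-byte RIP header + AFI(2) + type(2) + length(2)
    if key_id not in key_chain:
        return False, f"key id {key_id} not in key chain"
    pre, digest = pkt[:-16], pkt[-16:]
    ok = hashlib.md5(pre + _key16(key_chain[key_id])).digest() == digest
    return ok, "ok" if ok else "bad digest"

ROUTES = [(0xC8000002, 0xFFFFFFFF)]  # 200.0.0.2/32, R2's loopback from the configs
R5_CHAIN, R6_CHAIN = {1: "ipexpert_R2toR5"}, {2: "ipexpert_R2toR6"}

def original_design() -> dict:
    """First post: one multipoint sub-interface, one chain carrying both keys."""
    upd = build_update({**R5_CHAIN, **R6_CHAIN}, ROUTES)
    return {"R5": verify_update(R5_CHAIN, upd)[0], "R6": verify_update(R6_CHAIN, upd)[0]}

def per_interface_design() -> dict:
    """Working configs: a virtual-template per DLCI, each with its own chain."""
    return {"R5": verify_update(R5_CHAIN, build_update(R5_CHAIN, ROUTES))[0],
            "R6": verify_update(R6_CHAIN, build_update(R6_CHAIN, ROUTES))[0]}

if __name__ == "__main__":
    print("shared interface:", original_design())      # R5 True, R6 False
    print("per-interface:   ", per_interface_design())  # both True
```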




This archive was generated by hypermail 2.1.4 : Mon Sep 01 2008 - 08:15:29 ART