EIGRP Authentication Rotating Key

Written by Rene Molenaar. Posted in EIGRP

Scenario:

As the senior security officer, you decide that all routing protocols should be configured as securely as possible. The company you work for has a single-vendor policy, and since you only have Cisco equipment you are running EIGRP (Enhanced Interior Gateway Routing Protocol). EIGRP has more advanced features for authentication since it uses a key-chain. The key-chain supports rotating keys, which makes it more secure than having a single static key. Before implementing this for your whole organization, you decide to test your enhanced security in a lab environment.

Goal:

  • All IP addresses have been preconfigured for you.
  • EIGRP has been preconfigured for you (AS12).
  • Enable EIGRP authentication between router Jack and Johnson. Use the following parameters:
    Key-chain should be called: GNS3VAULT
    Key1: password VAULT
    Key2: password SAFE
  • Key1 should be sent until 9:00AM on the 2nd of February 2020 and should be accepted 15 minutes past this time.
  • Key2 should be valid from 8:50AM on the 2nd of February 2020 and should be valid till the 1st of February 2021.
  • Make sure routing adjacencies do not drop when the keys are switched.
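
The overlap these goals ask for can be checked offline before touching a router. This added example is not part of the original lab or its solution files: it parses a key chain in IOS syntax and lists the minutes in which a neighbor would reject the sender's key. It assumes a simplified model (the sender uses the lowest-numbered key inside its send-lifetime, the neighbor accepts a key ID only inside its accept-lifetime); the function names and the key 2 end time are constructed.

```python
import re
from datetime import datetime, timedelta

# Key 1 is the final config quoted in the comments on this page; key 2 is
# constructed from the lab goals (its 00:00:00 end time is an assumption).
CONFIG = """\
key chain GNS3VAULT
 key 1
  key-string VAULT
  accept-lifetime 00:00:00 Jan 1 1995 09:15:00 Feb 2 2020
  send-lifetime 00:00:00 Jan 1 1995 09:00:00 Feb 2 2020
 key 2
  key-string SAFE
  accept-lifetime 08:50:00 Feb 2 2020 00:00:00 Feb 1 2021
  send-lifetime 08:50:00 Feb 2 2020 00:00:00 Feb 1 2021
"""

STAMP = r"(\d\d:\d\d:\d\d \w{3} \d{1,2} \d{4})"
LIFETIME = re.compile(rf"(accept|send)-lifetime {STAMP} (?:{STAMP}|infinite)")
FMT = "%H:%M:%S %b %d %Y"

def parse_key_chain(text):
    """Return {key_id: {"accept": (start, end), "send": (start, end)}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"key (\d+)", line):
            current = keys.setdefault(int(m.group(1)), {})
        elif (m := LIFETIME.fullmatch(line)) and current is not None:
            start = datetime.strptime(m.group(2), FMT)
            end = datetime.strptime(m.group(3), FMT) if m.group(3) else datetime.max
            current[m.group(1)] = (start, end)
    return keys

def active(keys, kind, now):
    """Key IDs whose `kind` lifetime covers `now` (no lifetime = always valid)."""
    spans = {k: v.get(kind, (datetime.min, datetime.max)) for k, v in keys.items()}
    return [k for k in sorted(spans) if spans[k][0] <= now < spans[k][1]]

def rejected_minutes(keys, start, end, skew=timedelta(0)):
    """Minutes in [start, end) where the sender's key is not accepted by a
    neighbor whose clock runs `skew` behind the sender's (negative = ahead)."""
    bad, t = [], start
    while t < end:
        sending = active(keys, "send", t)
        if not sending or sending[0] not in active(keys, "accept", t - skew):
            bad.append(t)
        t += timedelta(minutes=1)
    return bad
```

Under this model the lab's lifetimes tolerate a neighbor clock up to 10 minutes behind or 15 minutes ahead of the sender; beyond that, packets are rejected around the 9:00 switch-over.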

IOS:

c3640-jk9s-mz.124-16.bin

Topology:

EIGRP Authentication Rotating Key Network Topology


Comments (11)

  • Akiii

    Is it possible that adjacencies do not flap when changing keys?

  • ReneMolenaar

    If the keys are overlapping the adjacency should not flap. Did you check it?

  • Akiii

    Thanks for the reply.

    Yeah they are overlapping but I still see flapping adjacencies when applying the ip authentication command on the serial interfaces.

  • aaaa2209

    The file seems crash?

  • ReneMolenaar

    What do you mean by 'crash', William?

  • aaaa2209

    The winrar reports a file name issue and it generates two similar folders. One is 'EIGRP Authentication Rotating Key' and another one is 'EIGRP Authentication Rotating Key_'. The first one is empty and I just found that the second one has the files I want. I am not sure why. It might be my computer's problem. But I still get the topology file. Thank you!

  • ReneMolenaar

    Hi William,

    Not sure what went wrong, just checked the file and it seems to be fine!

    Rene

  • Buddha1115

    Hi Rene,

    I absolutely love all these videos and labs that you've created for those of us who want to educate ourselves. Quick question, though... I couldn't help but notice that this video is in a slightly different resolution than the others, and I honestly cannot read what you are entering at the CLI.

    I was wondering if there was any way that this video could be re-made in the same resolution as the others so that the text is more readable? None of my CCNA books mention EIGRP keys, let alone rotation, so I'm eager to review the video so I can learn the commands, but I just have a hard time seeing what you're doing on this one. A humongous "Thanks!" if there's any way you could do it, and I'd like to think that others would be appreciative as well.

    Thanks again for everything you do, Rene!

  • ReneMolenaar

    Hello Barry,

    Thanks for your message! I accidentally rendered it with super-low quality instead of 1080p ;D

    When I get home I'll replace it with the 1080p version so you can see it. You can also try it yourself if you like, just download the final configuration and do this:

    - Enable debug EIGRP packets
    - Change the time by using the clock command.

    You will see that the neighbor adjacency doesn't drop and will switch from MD5 key1 to key2.

    Or wait a day and I'll have the video for you 8)

  • G3000LEE

    Hi Rene

    Your GOALS state for key 1:
    • Key1 should be sent until 9:00AM on the 2nd of February 2020 and should be accepted 15 minutes past this time.

    Your final config files which I downloaded shows the following for key 1:

    key chain GNS3VAULT
    key 1
    key-string VAULT
    accept-lifetime 00:00:00 Jan 1 1995 09:15:00 Feb 2 2020
    send-lifetime 00:00:00 Jan 1 1995 09:00:00 Feb 2 2020


    Isn't it supposed to be:

    key chain GNS3VAULT
    key 1
    key-string VAULT
    accept-lifetime 09:15:00 feb 2 2020 infinite
    send-lifetime 09:00:00 feb 2 2020 infinite

    I put infinite, as you didn't specify when the key is to end.

    GREAT JOB YOU ARE DOING HERE.

  • ReneMolenaar

    Hello Lee,

    The goal says "Key1 should be sent until 9:00AM on the 2nd of February 2020 and should be accepted 15 minutes past this time."

    It doesn't say from what moment it is valid, only until which date/time it is valid. At 9:00AM on the 2nd of February 2020 this key will expire.

    Your example will accept the key on this day until forever ;D

    Thanks for your comment!