Text Authentication with Multiple Keys
This example illustrates text authentication of the RIP routing information exchange using multiple keys. Routers R1 and R2 are running RIP and exchanging routing updates. To configure authentication on R1, define a key chain, specify keys in the key chain, then define the authentication string (password) used by each key. Set the time period during which each authentication key is valid to receive or send by specifying the accept and send lifetimes. After defining the key strings, specify on each interface the key chain (set of keys) to use for authentication, and the authentication mode to use.
On that interface, R1 accepts any packet containing a key string that matches one of the key strings in the specified key chain, provided the key is within its accept lifetime. The key ID is not considered for matching. For additional security, the accept lifetime and send lifetime are configured so that every fifth day, the key ID and key string change. To maintain continuity, configure the accept lifetimes to overlap; this accommodates differences in clock settings between machines. The send lifetimes are not required to overlap, and IP Infusion Inc. recommends configuring them without overlap.
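The lifetime rules above can be checked before a key chain is committed. The following Python code is an added example, not IP Infusion code: it parses a key-chain stanza in the running-config format shown under Validation and flags consecutive keys whose accept lifetimes do not overlap, or whose send lifetimes overlap or leave a gap. The function names and the treatment of each lifetime's end time as exclusive are assumptions, and every key is assumed to carry both lifetimes.

```python
import re
from datetime import datetime

# Key-chain stanza copied from the R1 running-config on this page.
SAMPLE = """\
key chain SUN
key 10
key-string 0x5c5b790e25d29287
accept-lifetime 12:00:00 Mar 02 2003 14:00:00 Mar 07 2003
send-lifetime 12:00:00 Mar 02 2003 12:00:00 Mar 07 2003
key 20
key-string 0x51b2c401dd313187
accept-lifetime 12:00:00 Mar 07 2003 14:00:00 Mar 12 2003
send-lifetime 12:00:00 Mar 07 2003 12:00:00 Mar 12 2003
"""

FMT = "%H:%M:%S %b %d %Y"
LIFE = re.compile(r"(accept|send)-lifetime (\S+ \S+ \S+ \S+) (\S+ \S+ \S+ \S+)$")
# Assumption: a lifetime is the half-open interval [start, end).

def parse_keys(text):
    """Return [{'id', 'accept': (start, end), 'send': (start, end)}, ...]."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"key (\d+)$", line):
            keys.append({"id": int(m.group(1))})
        elif (m := LIFE.match(line)) and keys:
            keys[-1][m.group(1)] = tuple(datetime.strptime(g, FMT) for g in m.group(2, 3))
    return keys

def audit(keys):
    """Check each consecutive key pair against the rollover guidance."""
    findings = []
    keys = sorted(keys, key=lambda k: k["send"][0])
    for old, new in zip(keys, keys[1:]):
        pair = f"key {old['id']} -> key {new['id']}"
        if new["accept"][0] >= old["accept"][1]:
            findings.append(f"{pair}: accept lifetimes do not overlap")
        if new["send"][0] < old["send"][1]:
            findings.append(f"{pair}: send lifetimes overlap")
        elif new["send"][0] > old["send"][1]:
            findings.append(f"{pair}: gap with no key valid for sending")
    return findings

def active(keys, now, which):
    """Key IDs whose accept or send lifetime contains `now`."""
    return [k["id"] for k in keys if k[which][0] <= now < k[which][1]]
```

During the two-hour overlap on March 07, `active(keys, now, "accept")` returns both key IDs while `active(keys, now, "send")` returns only the new one, which is the continuity behaviour the paragraph describes.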
Topology
Figure 24-138: Multiple-key Topology
R1
 
#configure terminal
Enter configure mode.
(config)#router rip
Define a RIP routing process, and enter Router mode.
(config-router)#network 10.10.10.0/24
Associate network 10.10.10.0/24 with the RIP process.
(config-router)#redistribute connected
Enable redistributing from connected routes.
(config-router)#exit
Exit router mode.
(config)#commit
Commit the candidate configuration to the running configuration.
(config)#key chain SUN
Enter Keychain management mode to add keys to the key chain SUN.
(config-keychain)#key-id 10
Add authentication key ID (10) to the key chain SUN.
(config-keychain-key)#key-string ABC
Specify the password (ABC) used by the specified key.
(config-keychain-key)#accept-lifetime 12:00:00 Mar 02 2003 14:00:00 Mar 07 2003
Specify the time period during which the authentication key can be received. In this case, key string ABC can be received from noon of March 02 to 2 pm March 07, 2003. For a single-digit day, enter the leading 0.
(config-keychain-key)#send-lifetime 12:00:00 Mar 02 2003 12:00:00 Mar 07 2003
Specify the time period during which the authentication key can be sent. In this case, key string ABC can be sent from noon of March 02 to noon of March 07, 2003. For a single-digit day, enter the leading 0.
(config-keychain-key)#exit
Exit Keychain-Key mode, and return to Keychain mode.
(config-keychain)#commit
Commit the candidate configuration to the running configuration.
(config-keychain)#key-id 20
Add another authentication key (20) to the key chain SUN.
(config-keychain-key)#key-string Earth
Specify the password (Earth) used by the specified key.
(config-keychain-key)#accept-lifetime 12:00:00 Mar 07 2003 14:00:00 Mar 12 2003
Specify the time period during which authentication key string Earth can be received. In this case, key string Earth can be received from noon of March 07 to 2 pm March 12, 2003. For a single-digit day, enter the leading 0.
(config-keychain-key)#send-lifetime 12:00:00 Mar 07 2003 12:00:00 Mar 12 2003
Specify the time period during which the authentication key can be sent. In this case, key string Earth can be sent from noon of March 07 to noon of March 12, 2003. For a single-digit day, enter the leading 0.
(config-keychain-key)#commit
Commit the candidate configuration to the running configuration.
(config-keychain-key)#exit
Exit Keychain-Key mode.
#configure terminal
Enter configure mode.
(config)#interface eth1
Specify interface eth1 as the interface you want to configure.
(config-if)#ip rip authentication key-chain SUN
Enable RIPv2 authentication on the eth1 interface, and specify the key-chain SUN to use for authentication.
(config-if)#ip rip authentication mode text
Specify text authentication mode to use for RIP packets. This step is optional, because text is the default mode.
(config-if)#exit
Exit interface mode.
(config)#commit
Commit the candidate configuration to the running configuration.
R2
 
#configure terminal
Enter configure mode.
(config)#router rip
Define a RIP routing process, and enter Router mode.
(config-router)#network 10.10.10.0/24
Associate network 10.10.10.0/24 with the RIP process.
(config-router)#redistribute connected
Enable redistributing from connected routes.
(config-router)#exit
Exit router mode.
(config)#commit
Commit the candidate configuration to the running configuration.
(config)#key chain MOON
Enter Keychain management mode to add keys to the key chain MOON.
(config-keychain)#key-id 30
Add authentication key ID (30) to the key chain MOON.
(config-keychain-key)#key-string ABC
Specify the password (ABC) used by the specified key.
(config-keychain-key)#accept-lifetime 12:00:00 Mar 02 2003 14:00:00 Mar 07 2003
Specify the time period during which the authentication key can be received. In this case, key string ABC can be received from noon of March 02 to 2 pm March 07, 2003. For a single-digit day, enter the leading 0.
(config-keychain-key)#send-lifetime 12:00:00 Mar 02 2003 12:00:00 Mar 07 2003
Specify the time period during which the authentication key can be sent. In this case, key string ABC can be sent from noon of March 02 to noon of March 07, 2003. For a single-digit day, enter the leading 0.
(config-keychain-key)#exit
Exit Keychain-Key mode, and return to Keychain mode.
(config-keychain)#commit
Commit the candidate configuration to the running configuration.
(config-keychain)#key-id 40
Add another authentication key (40) to the key chain MOON.
(config-keychain-key)#key-string Earth
Specify the password (Earth) used by the specified key.
(config-keychain-key)#accept-lifetime 12:00:00 Mar 07 2003 14:00:00 Mar 12 2003
Specify the time period during which authentication key string Earth can be received. In this case, key string Earth can be received from noon of March 07 to 2 pm March 12, 2003. For a single-digit day, enter the leading 0.
(config-keychain-key)#send-lifetime 12:00:00 Mar 07 2003 12:00:00 Mar 12 2003
Specify the time period during which the authentication key can be sent. In this case, key string Earth can be sent from noon of March 07 to noon of March 12, 2003. For a single-digit day, enter the leading 0.
(config-keychain-key)#commit
Commit the candidate configuration to the running configuration.
(config-keychain-key)#exit
Exit Keychain-Key mode.
#configure terminal
Enter configure mode.
(config)#interface eth2
Specify interface eth2 as the interface you want to configure.
(config-if)#ip rip authentication key-chain MOON
Enable RIPv2 authentication on the eth2 interface, and specify the key-chain MOON to use for authentication.
(config-if)#ip rip authentication mode text
Specify the authentication mode to use for RIP packets. This step is optional, because text is the default mode.
(config-if)#exit
Exit interface mode.
(config)#commit
Commit the candidate configuration to the running configuration.
Validation
show running-config, show ip rip, show ip protocol rip, show ip rip interface, show ip route
R1
#sh running-config
!
no service password-encryption
!
hostname rtr1
!
logging monitor 7
!
ip vrf management
!
key chain SUN
key 10
key-string 0x5c5b790e25d29287
accept-lifetime 12:00:00 Mar 02 2003 14:00:00 Mar 07 2003
send-lifetime 12:00:00 Mar 02 2003 12:00:00 Mar 07 2003
key 20
key-string 0x51b2c401dd313187
accept-lifetime 12:00:00 Mar 07 2003 14:00:00 Mar 12 2003
send-lifetime 12:00:00 Mar 07 2003 12:00:00 Mar 12 2003
!
ip domain-lookup
spanning-tree mode provider-rstp
data-center-bridging enable
feature telnet
feature ssh
no feature tacacs+
snmp-server view all .1 included
ntp enable
sFlow disable
software-watchdog keep-alive-time 30
!
ip pim register-rp-reachability
!
interface lo
mtu 65536
ip address 127.0.0.1/8
ip address 192.168.0.1/32 secondary
ipv6 address ::1/128
!
interface eth0
ip address 10.12.4.92/24
!
interface eth1
ip address 10.10.10.10/24
ip rip authentication mode text
ip rip authentication key-chain chain SUN
!
interface eth2
!
router rip
network 10.10.10.0/24
redistribute connected
!
line con 0
login
line vty 0 39
login
!
end
 
#show ip rip
 
Codes: R - RIP, Rc - RIP connected, Rs - RIP static, K - Kernel,
C - Connected, S - Static, O - OSPF, I - IS-IS, B - BGP,
X - Default
 
Network Next Hop Metric From If Time
Rc 10.10.10.0/24 1 eth1
C 10.12.4.0/24 1 eth0
C 192.168.0.1/32 1 lo
 
#show ip protocol rip
RIP Database for VRF (default)
Routing Protocol is "rip"
Sending updates every 30 seconds with +/-50%, next due in 16 seconds
Timeout after 180 seconds, garbage collect after 120 seconds
Outgoing update filter list for all interface is not set
Incoming update filter list for all interface is not set
Default redistribution metric is 1
Redistributing: connected
Default version control: send version 2, receive version 2
Interface Send Recv Key-chain
eth1 2 2 chain SUN
Routing for Networks:
10.10.10.0/24
Routing Information Sources:
Gateway Distance Last Update Bad Packets Bad Routes
Number of routes (including connected): 3
Distance: (default is 120)
 
#show ip rip interface
svlan0.1 is down, line protocol is down
RIP is not enabled on this interface
eth2 is down, line protocol is down
RIP is not enabled on this interface
eth1 is up, line protocol is up
Routing Protocol: RIP
Receive RIP packets
Send RIP packets
Passive interface: Disabled
Split horizon: Enabled with Poisoned Reversed
IP interface address:
10.10.10.10/24
eth0 is up, line protocol is up
RIP is not enabled on this interface
lo is up, line protocol is up
RIP is not enabled on this interface
 
#show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
 
IP Route Table for VRF "default"
Gateway of last resort is 10.12.4.1 to network 0.0.0.0
 
K* 0.0.0.0/0 [0/0] via 10.12.4.1, eth0
C 10.10.10.0/24 is directly connected, eth1
C 10.12.4.0/24 is directly connected, eth0
C 127.0.0.0/8 is directly connected, lo
C 192.168.0.1/32 is directly connected, lo
R2
#sh running-config
!
no service password-encryption
!
logging monitor 7
!
ip vrf management
!
key chain MOON
key 30
key-string 0x5c5b790e25d29287
accept-lifetime 12:00:00 Mar 02 2003 14:00:00 Mar 07 2003
send-lifetime 12:00:00 Mar 02 2003 12:00:00 Mar 07 2003
key 40
key-string 0x51b2c401dd313187
accept-lifetime 12:00:00 Mar 07 2003 14:00:00 Mar 12 2003
send-lifetime 12:00:00 Mar 07 2003 12:00:00 Mar 12 2003
!
ip domain-lookup
spanning-tree mode provider-rstp
data-center-bridging enable
feature telnet
feature ssh
no feature tacacs+
snmp-server view all .1 included
ntp enable
sFlow disable
software-watchdog keep-alive-time 30
!
ip pim register-rp-reachability
!
interface lo
mtu 65536
ip address 127.0.0.1/8
ip address 192.168.0.2/32 secondary
ipv6 address ::1/128
!
interface eth0
ip address 10.12.4.108/24
!
interface eth1
!
interface eth2
ip address 10.10.10.50/24
ip rip authentication mode text
ip rip authentication key-chain chain MOON
!
router rip
network 10.10.10.0/24
redistribute connected
!
line con 0
login
line vty 0 39
login
!
end
 
#show ip rip
 
Codes: R - RIP, Rc - RIP connected, Rs - RIP static, K - Kernel,
C - Connected, S - Static, O - OSPF, I - IS-IS, B - BGP,
X - Default
 
Network Next Hop Metric From If Time
Rc 10.10.10.0/24 1 eth2
C 10.12.4.0/24 1 eth0
C 192.168.0.2/32 1 lo
 
#show ip protocol rip
RIP Database for VRF (default)
Routing Protocol is "rip"
Sending updates every 30 seconds with +/-50%, next due in 5 seconds
Timeout after 180 seconds, garbage collect after 120 seconds
Outgoing update filter list for all interface is not set
Incoming update filter list for all interface is not set
Default redistribution metric is 1
Redistributing: connected
Default version control: send version 2, receive version 2
Interface Send Recv Key-chain
eth2 2 2 chain MOON
Routing for Networks:
10.10.10.0/24
Routing Information Sources:
Gateway Distance Last Update Bad Packets Bad Routes
Number of routes (including connected): 3
Distance: (default is 120)
 
#show ip rip interface
svlan0.1 is down, line protocol is down
RIP is not enabled on this interface
eth2 is up, line protocol is up
Routing Protocol: RIP
Receive RIP packets
Send RIP packets
Passive interface: Disabled
Split horizon: Enabled with Poisoned Reversed
IP interface address:
10.10.10.50/24
eth1 is down, line protocol is down
RIP is not enabled on this interface
eth0 is up, line protocol is up
RIP is not enabled on this interface
lo is up, line protocol is up
RIP is not enabled on this interface
 
#show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
 
IP Route Table for VRF "default"
Gateway of last resort is 10.12.4.1 to network 0.0.0.0
 
K* 0.0.0.0/0 [0/0] via 10.12.4.1, eth0
C 10.10.10.0/24 is directly connected, eth2
C 10.12.4.0/24 is directly connected, eth0
C 127.0.0.0/8 is directly connected, lo
C 192.168.0.2/32 is directly connected, lo
Last modified date: 10/16/2023