EIGRP Key Rotation - Expired keys

douglas.mckee
Level 1

Good afternoon,

What's the best way to replace/update expired EIGRP keys without losing neighbor relationships?  We currently have "EIGRP DMVPN" and EIGRP LAN key authentication as listed below.

key chain EIGRP_KEYCHAIN
 key 9997
  key-string 7 XXXXXXXXXXXXXXXXXXXXXXXXXXX
  accept-lifetime 23:55:00 Jun 30 2021 00:05:00 Jan 1 2022
  send-lifetime 23:55:00 Jun 30 2021 00:05:00 Jan 1 2022
  cryptographic-algorithm hmac-sha-256
 key 9998
  key-string 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  accept-lifetime 23:55:00 Dec 31 2021 00:05:00 Jul 1 2022
  send-lifetime 23:55:00 Dec 31 2021 00:05:00 Jul 1 2022
  cryptographic-algorithm hmac-sha-256
 key 9999
  key-string 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  accept-lifetime 23:55:00 Jun 30 2021 infinite
  send-lifetime 23:55:00 Jun 30 2021 infinite
  cryptographic-algorithm hmac-sha-256
key chain OSPF_KEYCHAIN
 key 9997
  key-string 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  accept-lifetime 23:55:00 Jun 30 2021 00:05:00 Jan 1 2022
  send-lifetime 23:55:00 Jun 30 2021 00:05:00 Jan 1 2022
  cryptographic-algorithm hmac-sha-256
 key 9998
  key-string 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  accept-lifetime 23:55:00 Dec 31 2021 00:05:00 Jul 1 2022
  send-lifetime 23:55:00 Dec 31 2021 00:05:00 Jul 1 2022
  cryptographic-algorithm hmac-sha-256
 key 9999
  key-string 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx
  accept-lifetime 23:55:00 Jun 30 2021 infinite
  send-lifetime 23:55:00 Jun 30 2021 infinite
  cryptographic-algorithm hmac-sha-256
key chain TEST
 key 1
  key-string 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx
  accept-lifetime 00:00:00 Jan 1 2020 00:05:00 Jul 1 2020
password encryption aes
!

-------------------------------------------------------------------------------
router eigrp DMVPN
 !
 address-family ipv4 unicast autonomous-system 10
  !
  af-interface default
   passive-interface
  exit-af-interface
  !
  af-interface Tunnel100
   authentication mode hmac-sha-256 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
   authentication key-chain EIGRP_KEYCHAIN
   no passive-interface
   no split-horizon
  exit-af-interface
  !
  topology base
   redistribute eigrp 5
  exit-af-topology
  network XX.X.XX.X 0.0.0.0
  network XX.X.XX.X 0.0.0.0
  network XX.X.XX.X 0.0.0.0
 exit-address-family
!
!
router eigrp LAN
 !
 address-family ipv4 unicast autonomous-system 5
  !
  af-interface default
   passive-interface
  exit-af-interface
  !
  af-interface GigabitEthernet1/0/0
   authentication mode hmac-sha-256 7 XXXXXXXXXXXXXXXXXXXXX
   no passive-interface
  exit-af-interface
  !
  af-interface GigabitEthernet1/0/1
   authentication mode hmac-sha-256 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
   no passive-interface
  exit-af-interface
  !
  af-interface Tunnel300
   authentication mode hmac-sha-256 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
   no passive-interface
  exit-af-interface
  !
  topology base
   redistribute eigrp 10
   redistribute static
  exit-af-topology

Thank you,

Doug

1 Accepted Solution

Hello,

A couple things to note as I don't know your level or familiarity.

1. When using MD5 you can do key rotation. When using HMAC-SHA-256 under the af-interface there is no key rotation. So you will only be able to apply it to the MD5 configured interfaces.

2. When sending key chains the network device will send the lowest active key configured, but the remote device can match it against any active key on the other side. So if Router A sends a key with a value of 2 (the lowest active key it has), then it can match against any active key Router B has (active meaning the lifetime is still valid). It's good you have higher numbers configured so you can just keep moving down the list of key numbers as rotations happen.

That being said, it looks like those keys have all expired. When you configure new keys you will lose the EIGRP neighborship. Even if you are able to make the changes on both devices in a quick manner it will still bring it down and re-establish. If one router is remote I would make the changes on that one first (with a "reload in" command as a backup plan) and then make the changes on the local router to complete the configuration. I would also suggest a maintenance window to do this as, like I said, it will bring it down.

Not sure what your timeline is, but you can have them overlap for 24 hours so you have time to troubleshoot in case anything goes wrong. You can look at the EIGRP debug packets to see what key each device is sending. If it's not correct you will have time to fix it.

Hope that helps

-David
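
As an added example (my own code, not from this thread or from Cisco), here is a small Python model of the rule David describes above: a router sends its lowest-numbered active key and accepts any matching active key from the neighbour. It parses a key-chain block in the same text form Doug posted, then walks a time range and reports the first instant at which two neighbours would stop authenticating each other, so the overlap between old and new keys can be checked before a change window rather than discovered when the adjacency drops. The send/accept rule, the five-minute sampling step, the constructed key chains and the placeholder key-strings are all my assumptions; the lifetimes mirror the layout in the question.

```python
"""Added example (mine, not from the thread or from Cisco): model IOS-style
key-chain lifetimes and check that two EIGRP neighbours keep a matching active
key through a rotation.  Assumed rule, following David's description: a router
SENDS its lowest-numbered key whose send-lifetime covers 'now' and ACCEPTS a
received key when a key with the same number and key-string has an accept-lifetime
covering 'now'.  Only absolute lifetimes and 'infinite' are parsed; a key with no
lifetime is treated as always valid.  Key-strings are constructed placeholders."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

TS_FMT = "%H:%M:%S %b %d %Y"                 # e.g. "23:55:00 Jun 30 2021"
Window = Tuple[datetime, Optional[datetime]]  # (start, end); end None == infinite
ALWAYS: Window = (datetime.min, None)         # window for a key with no lifetime


def parse_lifetime(text: str) -> Window:
    """'23:55:00 Jun 30 2021 00:05:00 Jan 1 2022' or '<start> infinite' -> (start, end)."""
    parts = text.split()
    start = datetime.strptime(" ".join(parts[:4]), TS_FMT)
    end = None if parts[4] == "infinite" else datetime.strptime(" ".join(parts[4:8]), TS_FMT)
    return start, end


@dataclass(frozen=True)
class Key:
    number: int
    key_string: str
    accept: Window
    send: Window


def _inside(window: Window, now: datetime) -> bool:
    start, end = window
    return start <= now and (end is None or now < end)


def parse_key_chain(config: str) -> Dict[int, Key]:
    """Parse one 'key chain' block of IOS-style text into {key number: Key}."""
    raw: Dict[int, dict] = {}
    cur: Optional[dict] = None
    for line in (ln.strip() for ln in config.splitlines()):
        if re.fullmatch(r"key \d+", line):
            cur = raw.setdefault(int(line.split()[1]),
                                 {"key_string": "", "accept": ALWAYS, "send": ALWAYS})
        elif cur is None:
            continue                                     # 'key chain NAME' header or stray line
        elif line.startswith("key-string"):
            cur["key_string"] = line.split(None, 2)[-1]  # drops the '7' encryption marker
        elif line.startswith("accept-lifetime"):
            cur["accept"] = parse_lifetime(line[len("accept-lifetime"):])
        elif line.startswith("send-lifetime"):
            cur["send"] = parse_lifetime(line[len("send-lifetime"):])
        # cryptographic-algorithm and other lines do not affect the lifetime check
    return {n: Key(number=n, **v) for n, v in raw.items()}


def send_key(chain: Dict[int, Key], now: datetime) -> Optional[Key]:
    """Lowest-numbered key whose send-lifetime covers 'now'; None if all have expired."""
    for n in sorted(chain):
        if _inside(chain[n].send, now):
            return chain[n]
    return None


def accepts(chain: Dict[int, Key], received: Key, now: datetime) -> bool:
    k = chain.get(received.number)
    return k is not None and k.key_string == received.key_string and _inside(k.accept, now)


def first_gap(a, b, start, end, step=timedelta(minutes=5)) -> Optional[datetime]:
    """First sampled instant in [start, end) at which either direction fails, else None."""
    now = start
    while now < end:
        ka, kb = send_key(a, now), send_key(b, now)
        if ka is None or kb is None or not accepts(b, ka, now) or not accepts(a, kb, now):
            return now
        now += step
    return None


# Constructed sample: the three-key layout from the question, with placeholder strings.
UPDATED = """\
key chain EIGRP_KEYCHAIN
 key 9997
  key-string 7 PLACEHOLDER-2021H2
  accept-lifetime 23:55:00 Jun 30 2021 00:05:00 Jan 1 2022
  send-lifetime 23:55:00 Jun 30 2021 00:05:00 Jan 1 2022
 key 9998
  key-string 7 PLACEHOLDER-2022H1
  accept-lifetime 23:55:00 Dec 31 2021 00:05:00 Jul 1 2022
  send-lifetime 23:55:00 Dec 31 2021 00:05:00 Jul 1 2022
 key 9999
  key-string 7 PLACEHOLDER-FALLBACK
  accept-lifetime 23:55:00 Jun 30 2021 infinite
  send-lifetime 23:55:00 Jun 30 2021 infinite
"""
STALE = "\n".join(UPDATED.splitlines()[:5]) + "\n"   # neighbour still holding only key 9997


def rotation_check(local_cfg: str, remote_cfg: str, start: str, end: str):
    """Return (first failure instant or None, key number the local side sends at 'start')."""
    local, remote = parse_key_chain(local_cfg), parse_key_chain(remote_cfg)
    t0, t1 = datetime.fromisoformat(start), datetime.fromisoformat(end)
    first = send_key(local, t0)
    return first_gap(local, remote, t0, t1), (first.number if first else None)


if __name__ == "__main__":
    print(rotation_check(UPDATED, STALE, "2021-12-31 23:50:00", "2022-01-01 01:00:00"))
```

With both sides holding the updated chain the walk from Dec 31 2021 to Jul 2 2022 finds no gap (key 9997 hands over to 9998 at the 10-minute overlap, and 9998 to the infinite key 9999 in July); with the remote side still holding only key 9997 the model reports the first failure at 00:05 on Jan 1 2022, the moment the local router starts sending 9998. The model is only a pre-check: on the devices themselves `show key chain` reports which keys are currently active, and David's debug suggestion shows what is actually being sent.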

douglas.mckee
Level 1

David,

Appreciate the quick response. It sounds like the best way to proceed is configuring between 2 connected EIGRP routers and ensuring everything is operational prior to proceeding. I was tempted just to test on one set of routers and send it out to the remaining routers through DNAC, but it sounds like that would be a major problem since connectivity is temporarily lost, as you mentioned.

Thank you,

Doug