06-27-2014 12:34 PM - edited 03-07-2019 07:51 PM
Hi,
I want to use an EIGRP password between routers and layer 3 switches in our environment. Is it possible to implement an EIGRP string on a live environment without any downtime?
Thank you
06-27-2014 12:41 PM
Hi Pat,
I would not do that in a live network without having a maintenance window:
see below:
Caution: When EIGRP message authentication is added to the Dallas interfaces, it stops receiving routing messages from its peers until they are also configured for message authentication. This does interrupt routing communications on your network.
Link:
http://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/82110-eigrp-authentication.html
HTH
06-27-2014 12:44 PM
I would certainly do it during a maintenance window. Just wondering if it is possible to do on a live network without any downtime.
For instance, apply the pass string but don't let it become valid until a certain time.
Although NTP better be working...
Thanks
06-27-2014 01:03 PM
You can probably use the accept-lifetime and send-lifetime to set a time frame, but if there is any time issue and things don't happen the way they are supposed to, you will have people and management screaming at you.
HTH
06-27-2014 01:20 PM
Oh Well
I'm hoping for an elegant solution though
-Thanks
06-27-2014 01:16 PM
Hello
You can certainly create the key chain; however, whether you apply an authentication mode will determine how much outage to the adjacency will be incurred.
I have found applying just the authentication key chain to the first interface drops the adjacency for no more than 3 seconds, then applying it to the other side of the peer has no effect.
However, when also applying the authentication mode, the adjacency will drop until the other side of the peering is also configured with the same authentication mode.
See results:
R1 / R2
Key-chain TST:
key 1 -- text "TEST"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
R2(config)#int fa0/0
R2(config-if)#ip authentication key-chain eigrp 1 TST
R2(config-if)#
*Mar 1 00:05:00.031: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.12.1 (FastEthernet0/0) is down: keychain changed
R2(config-if)#
*Mar 1 00:05:03.139: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.12.1 (FastEthernet0/0) is up: new adjacency
R2(config-if)#ip authentication mode eigrp 1 md5
*Mar 1 00:15:22.347: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.12.1 (FastEthernet0/0) is down: authentication mode changed
R1
*Mar 1 00:15:23.851: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.12.2 (FastEthernet0/0) is down: Auth failure............
res
Paul
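Added example, not part of the original thread: a small Python helper for measuring how long each adjacency was down from %DUAL-5-NBRCHANGE console lines like the ones posted above, which is useful for confirming the impact of an authentication change during a maintenance window. The function name and the placeholder year are assumptions made for this example; the sample lines are the R2 output from the post with the interface name unwrapped.

```python
import re
from datetime import datetime

# R2 console lines from the post above (interface name unwrapped).
SAMPLE_LOG = """\
*Mar 1 00:05:00.031: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.12.1 (FastEthernet0/0) is down: keychain changed
*Mar 1 00:05:03.139: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.12.1 (FastEthernet0/0) is up: new adjacency
*Mar 1 00:15:22.347: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.12.1 (FastEthernet0/0) is down: authentication mode changed
"""

NBRCHANGE = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\.\d{3}):\s+%DUAL-5-NBRCHANGE:.*?"
    r"Neighbor\s+(?P<nbr>\S+)\s+\((?P<intf>[^)]+)\)\s+is\s+(?P<state>up|down):\s*(?P<reason>.*)$"
)

def adjacency_outages(log_text):
    """Pair each 'down' event with the next 'up' for the same neighbor/interface.

    Returns (outages, still_down):
      outages    - list of dicts with neighbor, interface, reason, seconds
      still_down - {(neighbor, interface): reason} for peers that never came back
    """
    pending = {}   # (neighbor, interface) -> (time it went down, reason)
    outages = []
    for line in log_text.splitlines():
        m = NBRCHANGE.match(line.strip())
        if not m:
            continue
        # These timestamps carry no year; a fixed placeholder year (assumption)
        # is enough to compute durations within one log capture.
        stamp = "2000 " + " ".join(m["ts"].split())
        ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S.%f")
        key = (m["nbr"], m["intf"])
        if m["state"] == "down":
            # Keep the first 'down' if several are logged before an 'up'.
            pending.setdefault(key, (ts, m["reason"].strip()))
        elif key in pending:
            went_down, reason = pending.pop(key)
            outages.append({
                "neighbor": key[0], "interface": key[1], "reason": reason,
                "seconds": round((ts - went_down).total_seconds(), 3),
            })
    still_down = {key: reason for key, (_, reason) in pending.items()}
    return outages, still_down

if __name__ == "__main__":
    done, down = adjacency_outages(SAMPLE_LOG)
    for o in done:
        print(f"{o['neighbor']} on {o['interface']}: down {o['seconds']}s ({o['reason']})")
    for (nbr, intf), reason in down.items():
        print(f"{nbr} on {intf}: STILL DOWN ({reason})")
```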
06-27-2014 01:35 PM
Thanks Paul -
How about if I were to configure a send time that was sooner than the accept time. That way, both routers would be sending when the accept time arrived...assuming NTP was working
or,
does the configuration of EIGRP authentication on a router interface require the other router to send a pass string regardless of the accept time?
Thanks
06-27-2014 01:58 PM
Hello
It doesn't seem to matter, as soon as you apply authentication to the first interface in the peering, the adjacency is interrupted.
res
Paul
06-27-2014 01:04 PM
This is kind of what I'm referring to. Set the routers with an accept and send-time but have no end time.
key chain <name_of_keychain>
 key <#>
  key-string <string_used_for_PSK>
  !Optional - set lifetime
  accept-lifetime <start_date> <end_date>
  send-lifetime <start_date> <end_date>
Copied this from
http://gregandthenetwork.blogspot.com/2011/05/eigrp-authentication.html