Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
494
Views
5
Helpful
3
Replies

Routing Protocol Authentication catch 22?

thegreattriscuit
Level 1
Level 1

‎10-25-2012 11:24 AM - edited ‎03-07-2019 09:41 AM

So, I can't help but assume I'm missing something here, and maybe you guys can help me out.

So we implemented RIPv2 instead of static routes.  Cool.

We're told that if we're going to use any form of routing protocol, we must use authentication.  Makes sense, and I agree.

Setup Key Chains with rotating keys as per http://www.cisco.com/en/US/docs/ios/12_2/iproute/command/reference/1rfindp1.html#wp1017389

(so that the key will rotate every x number of days).  No problem.

However, consider the following topology

Internet --- R1 --- R2 --- R3 --- Rn

We currently have R1 synchronizing NTP with an outside source, and all other devices synchronizing with R1.  Makes sense as far as I can tell.

The problem is this:  If R3 looses power, it forgets what time it is.  If it doesn't know what time it is, it can't exchange routes with R2 (because it's trying to use the wrong key to authenticate).  If it can't get the routes, it doesn't know how to get to R1 and it can't synchronize NTP.  If it can't Sync NTP, it can't learn what time it is, etc...

I'm positive i'm not the first person that's wanted to do this... so what am I missing?  I suppose I could point every device to it's upstream neighbor for NTP, but that seems messy.  Also, I'd have to use the nearest neighbor interface for each of those associations (violating the rule of "use loopbacks for all control plane traffic).  I could also just use static routes... or any number of other work arounds I can think of, but none of them seem like they're the "right" thing to do. 

So what am I missing?  How are you SUPPOSED to do it?

Labels:
0 Helpful
3 Replies 3

John Blakley
VIP Alumni
VIP Alumni

‎10-25-2012 11:46 AM

I'd have to lab this up, so what I'm saying is strictly a thought

You could put statics on all routers (R2 and R3) that lead to R1. Make them floating with a higher AD than 120 (RIPs AD). When the router reboots and loses its time, it can use the static route from R3 --> R2. R2, can then in turn use R2 ---> R1. Once you get your NTP association on R3, then it can update the time, RIP can converged, and you should be good to go...

This would be a good lab...

HTH,

John

HTH, John *** Please rate all useful posts ***
0 Helpful

cadet alain
VIP Alumni
VIP Alumni

‎10-25-2012 01:02 PM

Hi,

maybe it should help:  http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_10.html#wp1123497

Regards.

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

John Blakley
VIP Alumni
VIP Alumni
In response to cadet alain

‎10-25-2012 01:17 PM

Alain,

Good solution....

John

HTH, John *** Please rate all useful posts ***
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card