Managing Cisco IOS IP Routing Authentication Keys

Key management is a way of controlling authentication keys used by routing protocols. You can think of these as “passwords” for your routers. Not all routing protocols can use key management. Only DRP Agent, Enhanced Interior Gateway Routing Protocol (EIGRP), and Routing Information Protocol (RIP) Version 2 use key chains.

You must configure a key chain with keys to enable authentication. Although you can identify multiple key chains, we recommend using one key chain per interface per routing protocol. Upon specifying the key chain command, you enter key-chain configuration mode. A key chain must have at least one key and can have up to 2,147,483,647 keys.

Before you manage authentication keys, authentication must be enabled. To manage authentication keys, define a key chain, identify the keys that belong to the key chain, and specify how long each key is valid.

Each key has its own key identifier (specified with the key key-chain configuration command), which is stored locally. The combination of the key identifier and the interface associated with the message uniquely identifies the authentication algorithm and Message Digest 5 (MD5) authentication key in use.

You can configure multiple keys with lifetimes. Only one authentication packet is sent, regardless of how many valid keys exist. The lifetimes allow for overlap during key changes but please note that the router must know the time.

To configure a key, use the global configuration key chain (name of chain) command then the key-string command inside key configuration mode.

For more information on managing Cisco IOS authentication keys, please see Cisco’s IOS IP Routing Command Reference for the key chain (and other key related) commands.