Key chains are sets of keys that can be rotated based on their configured lifetimes. Note the following:
- The key chain must be created first. It holds all the keys for a routing process. [key chain <name>]
- Create one or more keys. [key <name>]
- For each key, specify the key (password) to be used. This is called the key-string. [key-string <key>]
- Define an accept lifetime for each key, which indicates when the local router will accept that key from neighbors for authentication. [accept-lifetime <begin time> <begin date> <end time> <end date>] Note that the infinite keyword can be used in place of the end time and date.
- Define a send lifetime for each key, which indicates when the local router will transmit that key to its neighbors for authentication. [send-lifetime <begin time> <begin date> <end time> <end date>] Note that the infinite keyword can be used in place of the end time and date.
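The steps above as a small worked example (added here, not part of the original notes): a constructed IOS-style key chain with two keys is parsed, then the accept and send lifetimes are checked so that the new key is accepted before the old one stops being sent and the old key is still accepted after the new one starts. The chain name, key-strings and dates are made up for the example.

```python
import re
from datetime import datetime

# Constructed sample key chain in IOS syntax (not from any real device).
# Key 2 becomes acceptable an hour before key 1 stops being sent, and
# key 1 stays acceptable an hour after key 2 starts being sent.
SAMPLE_KEY_CHAIN = """
key chain EIGRP-AUTH
 key 1
  key-string EXAMPLE-KEY-ONE
  accept-lifetime 00:00:00 Jan 1 2024 01:00:00 Mar 1 2024
  send-lifetime 00:00:00 Jan 1 2024 00:00:00 Mar 1 2024
 key 2
  key-string EXAMPLE-KEY-TWO
  accept-lifetime 23:00:00 Feb 29 2024 infinite
  send-lifetime 00:00:00 Mar 1 2024 infinite
"""

STAMP = r"\d\d:\d\d:\d\d \w+ \d+ \d{4}"
LIFETIME_RE = re.compile(rf"^\s*(accept|send)-lifetime ({STAMP}) (infinite|{STAMP})\s*$")
KEY_RE = re.compile(r"^\s*key (\d+)\s*$")
ALWAYS = (datetime.min, datetime.max)  # IOS default when no lifetime is configured

def parse_stamp(text):
    """'00:00:00 Jan 1 2024' -> datetime; 'infinite' -> datetime.max."""
    return datetime.max if text == "infinite" else datetime.strptime(text, "%H:%M:%S %b %d %Y")

def parse_key_chain(config):
    """Return {key_id: {'accept': (start, end), 'send': (start, end)}}."""
    keys, current = {}, None
    for line in config.splitlines():
        if m := KEY_RE.match(line):
            current = int(m.group(1))
            keys[current] = {"accept": ALWAYS, "send": ALWAYS}
        elif (m := LIFETIME_RE.match(line)) and current is not None:
            keys[current][m.group(1)] = (parse_stamp(m.group(2)), parse_stamp(m.group(3)))
    return keys

def find_rotation_problems(keys):
    """List lifetime problems: a key whose accept window does not cover its
    send window, a gap with no key to send, or consecutive keys that do not
    overlap (so clock skew between neighbors would cause rejected packets)."""
    problems = []
    for key_id, k in keys.items():
        if k["accept"][0] > k["send"][0] or k["accept"][1] < k["send"][1]:
            problems.append(f"key {key_id}: accept-lifetime does not cover send-lifetime")
    ordered = sorted(keys.items(), key=lambda kv: kv[1]["send"][0])
    for (old_id, old), (new_id, new) in zip(ordered, ordered[1:]):
        if new["send"][0] > old["send"][1]:
            problems.append(f"send gap between key {old_id} and key {new_id}")
        if not (new["accept"][0] < old["send"][1] and old["accept"][1] > new["send"][0]):
            problems.append(f"key {old_id} and key {new_id} lifetimes do not overlap")
    return problems
```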
Also note the following:
- EIGRP, RIP, and OSPFv2 allow keys to be managed using key chains.
- Ensure key lifetimes overlap so that rotation does not cause a network event.
- Time synchronization via NTP is important to ensure key rotation is seamless.
- The syntax for lifetime settings can be either of the following: