7.20. Configuring Key Chain

Overview

Function Introduction

A key chain is a common way to manage the shared secrets that two entities must both hold before they can authenticate each other. Routing protocols and other network applications use these shared secrets to authenticate the messages they exchange with peers, so that a message from a host that does not hold the secret is rejected.

A key chain does nothing on its own; it must be referenced by an application (for example a routing protocol) that uses its keys to authenticate traffic with peers. What the key chain provides is a single place to hold the keys and to roll them over automatically according to the lifetime configured for each key.

If you use keys as the authentication method, you must give each key a lifetime and replace keys regularly as they expire. To keep a session stable across a key change, each party must be able to hold and use more than one key for the same application at the same time: the old key stays accepted while the new key is already being sent, so the two peers do not have to switch at exactly the same instant. A key chain is a sequence of keys that are managed together for authenticating the same peer, peer group, or both, with each key in the chain associated with its own accept and send lifetimes. Because the lifetimes are absolute times, the peers' clocks must agree closely enough for the overlap to work.

Principle Description

N/A

Configuration

step 1 Enter the configure mode

Switch# configure terminal

step 2 Create key chain and set key

Switch(config)# key chain test
Switch(config-keychain)# key 1
Switch(config-keychain-key)# key-string #test_keystring_1#
Switch(config-keychain-key)# accept-lifetime 0:0:1 1 jan 2023 infinite
Switch(config-keychain-key)# exit
Switch(config-keychain)# key 2
Switch(config-keychain-key)# key-string #test_keystring_2#
Switch(config-keychain-key)# send-lifetime 0:0:1 2 jan 2023 infinite

A lifetime is given as a start time (hh:mm:ss day month year) followed by an end time or the keyword infinite. accept-lifetime controls when received messages authenticated with the key are accepted; send-lifetime controls when the key is used to authenticate sent messages. A lifetime that is not configured is treated as always valid, which is why key 1 above is always valid for sending and key 2 is always valid for accepting.

step 3 Exit the configure mode

Switch(config-keychain-key)# end

step 4 Validation

To display the key chain configuration, use the command show key chain in privileged EXEC mode. Note that the key strings are shown in clear text, so treat this output, and the running configuration that contains the same strings, as sensitive and restrict who can view it:

Switch# show key chain
key chain test:
key 1 -- text "key-string #test_keystring_1#"
accept-lifetime <00:00:01 Jan 01 2023> - <infinite>
send-lifetime <always valid> - <always valid> [valid now]
key 2 -- text "key-string #test_keystring_2#"
accept-lifetime <always valid> - <always valid> [valid now]
send-lifetime <00:00:01 Jan 02 2023> - <infinite>
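The following Python model is an added example, not the switch's own code, of how lifetime-based key selection and rollover work on a key chain. It assumes, as most implementations do, that a peer sends with the lowest-numbered key that is currently valid for sending and accepts any key that is currently valid for accepting; the behaviour of a specific platform should be checked against its own documentation. The classes Key and KeyChain, the helper T, the key strings and all dates other than those taken from the configuration above are constructed for illustration. It first reproduces the chain configured above (under the stated assumption key 1 is always chosen for sending, because its send-lifetime is always valid, so that chain never actually rolls over to key 2), then a constructed rollover plan with overlapping lifetimes, and finally a mis-planned variant to show how a coverage gap is detected.

```python
"""Model key-chain lifetimes: which key a peer sends with, which keys it
accepts, and whether a planned rollover leaves a gap.

Added example; not the switch's own code. Assumption: the lowest-numbered key
that is valid for sending is the one used to authenticate sent messages.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

INFINITE = datetime.max      # stands in for the CLI keyword "infinite"
ALWAYS_START = datetime.min  # lifetime not configured: shown as <always valid>


def T(text: str) -> datetime:
    """Parse an absolute time in the form YYYY-MM-DD HH:MM:SS."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


@dataclass(frozen=True)
class Key:
    key_id: int
    key_string: str  # held in clear text on the device, as "show key chain" confirms
    accept: Tuple[datetime, datetime] = (ALWAYS_START, INFINITE)
    send: Tuple[datetime, datetime] = (ALWAYS_START, INFINITE)

    def accepts(self, at: datetime) -> bool:
        return self.accept[0] <= at < self.accept[1]

    def sends(self, at: datetime) -> bool:
        return self.send[0] <= at < self.send[1]


class KeyChain:
    def __init__(self, name: str, keys: List[Key]):
        self.name = name
        self.keys = sorted(keys, key=lambda k: k.key_id)

    def send_key(self, at: datetime) -> Optional[Key]:
        """Lowest-numbered key valid for sending at time `at` (assumed rule)."""
        for key in self.keys:
            if key.sends(at):
                return key
        return None

    def accept_keys(self, at: datetime) -> List[Key]:
        """All keys whose accept-lifetime covers time `at`."""
        return [key for key in self.keys if key.accepts(at)]

    def gaps(self, start: datetime, end: datetime) -> List[Tuple[datetime, datetime, str]]:
        """Intervals inside [start, end) with no key valid for sending ('send')
        or none valid for accepting ('accept'). Validity only changes at a
        lifetime boundary, so checking the left edge of each interval between
        boundaries is sufficient."""
        points = {start, end}
        for key in self.keys:
            for t in (*key.accept, *key.send):
                if start < t < end:
                    points.add(t)
        bounds = sorted(points)
        found = []
        for lo, hi in zip(bounds, bounds[1:]):
            if self.send_key(lo) is None:
                found.append((lo, hi, "send"))
            if not self.accept_keys(lo):
                found.append((lo, hi, "accept"))
        return found


def build_page_chain() -> KeyChain:
    """The chain from the configuration above: key 1 accept from 00:00:01
    1 Jan 2023, key 2 send from 00:00:01 2 Jan 2023, everything else unset."""
    return KeyChain("test", [
        Key(1, "#test_keystring_1#", accept=(T("2023-01-01 00:00:01"), INFINITE)),
        Key(2, "#test_keystring_2#", send=(T("2023-01-02 00:00:01"), INFINITE)),
    ])


def build_rollover_chain(new_key_send_start: datetime) -> KeyChain:
    """Constructed rollover plan: key 1 stops sending on 1 Mar 2023 but is
    still accepted until 2 Mar; key 2 is accepted from 28 Feb and starts
    sending at `new_key_send_start`. With 1 Mar there is no gap."""
    return KeyChain("rollover", [
        Key(1, "old-secret",
            accept=(ALWAYS_START, T("2023-03-02 00:00:00")),
            send=(ALWAYS_START, T("2023-03-01 00:00:00"))),
        Key(2, "new-secret",
            accept=(T("2023-02-28 00:00:00"), INFINITE),
            send=(new_key_send_start, INFINITE)),
    ])


if __name__ == "__main__":
    window = (T("2023-02-01 00:00:00"), T("2023-04-01 00:00:00"))
    for chain in (build_page_chain(),
                  build_rollover_chain(T("2023-03-01 00:00:00")),
                  build_rollover_chain(T("2023-03-02 00:00:00"))):
        print(f"key chain {chain.name}:")
        for when in ("2023-02-28 12:00:00", "2023-03-01 12:00:00", "2023-03-03 00:00:00"):
            at = T(when)
            sender = chain.send_key(at)
            print(f"  {when}: send with key {sender.key_id if sender else None},"
                  f" accept keys {[k.key_id for k in chain.accept_keys(at)]}")
        for lo, hi, kind in chain.gaps(*window):
            print(f"  GAP: no key valid for {kind} from {lo} to {hi}")
```

Running the script shows that the page's chain always sends with key 1, that the constructed plan switches from key 1 to key 2 at 00:00 on 1 Mar 2023 while both keys remain accepted during the overlap, and that moving key 2's send-lifetime one day later leaves a whole day in which neither key may be used for sending. Run the same check against any rollover plan before committing it to the peers.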

Application cases

N/A