Assigning a time-independent key to a chain
A time-independent key has no Accept or Send time constraints. It is valid from boot-up until you change it. If you use a time-independent key, then it is the only key needed for a key chain entry.
Syntax
[no] key-chain
chain_name
keykey_id
Generates or deletes a key in the key chain entry <
chain_name
> . Using the optionalno
form of the command deletes the key. The <key_id> is any number from 0-255.
[
key-string
key_str
]This option lets you specify the key value for the protocol using the key. The <
key_str
> can be any string of up to 14 characters in length.
[
accept-lifetime infinite
] [send-lifetime infinite
]
accept-lifetime infinite:
Allows packets with this key to be accepted at any time from boot-up until the key is removed.
send-lifetime infinite:
Allows the switch to send this key as authorization, from boot-up until the key is removed.
show key-chain
chain_name
Displays the detail information about the keys used in the key chain named
chain_name
.
Example
To generate a new time-independent key for the switch key chain entry:
Assigning time-dependent keys to a chain
A time-dependent key has Accept or Send time constraints. It is valid only during the times that are defined for the key . If a time-dependent key is used, there is usually more than one key in the key chain entry.
Syntax
[no] key-chain
chain_name
keykey_id
Generates or deletes a key in the key chain entry
chain_name
. Using the optionalno
form of the command deletes the key. Thekey_id
is any number from 0-255.[
key-string
key_str
]This option specifies the key value referenced by the protocol using the key. The <
key_str
> can be any string up to 14 characters in length.
accept-lifetime <
mm/dd/yy [ yy ] hh:mm:ss
|now >
Specifies the start date and time of the valid period in which the switch can use this key to authenticate inbound packets.
duration <
mm/dd/yy [ yy ] hh:mm:ss
|seconds
>Specifies the time period during which the switch can use this key to authenticate inbound packets. Duration is either an end date and time or the number of seconds to allow after the start date and time ( which is the accept-lifetime setting).
send-lifetime <
mm/dd/yy [ yy ] hh:mm:ss
|now>
Specifies the start date and time of the valid period in which the switch can transmit this key as authentication for outbound packets.
duration <
mm/dd/yy [ yy ] hh:mm:ss
|seconds
>Specifies the time period during which the switch can use this key to authenticate outbound packets. Duration is either an end date and time or the number of seconds to allow after the start date and time ( which is the accept-lifetime setting).
show key-chain
chain_name
Displays the detail information about the keys used in the key chain named <
chain_name
>.
NOTE: Using time-dependent keys requires that all the switches have accurate, synchronized time settings. You can manually set the time or use the Time protocol feature included in the switches. See time protocols in the management and configuration guide for your switch. | |
Example
NOTE: Given transmission delays and the variations in the time value from switch to switch, it is advisable to include some flexibility in the Accept lifetime of the keys you configure. Otherwise, the switch may disregard some packets because either their key has expired while in transport or there are significant time variations between switches. | |
To see the result of Adding time-dependent keys to a key chain entry:
Use show key-chain
to display
the key status at the time the command is issued. Using the information
from the example configuration in Adding time-dependent keys to a key chain entry and Display of time-dependent keys in the key chain entry if
you execute show key-chain at 8:05 on 01/19/03, the display would
appear as follows:
The "HPSwitch1" key chain entry is a time-independent key and will not expire. "HPSwitch2" uses time-dependent keys, which result in this data:
Expired=1 | Key 1 has expired because its lifetime ended at 8:10 on 01/18/03, the previous day. |
Active=2 | Key 2 and 3 are both active for 10 minutes from 8:00 to 8:10 on 1/19/03. |
Keys 4 and 5 are either not yet active or expired. The total number of keys is 5.