IP SLA Authentication
Using IP SLA Authentication feature, we can configure security in IP SLA communication by making the IP SLA Source and Responder authenticate before communication.
Configuration on Source (R1)
Define a key
R1(config)#key chain 1
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string cisco
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string cisco
Configure and IP SLA
R1(config)# ip sla 1
R1(config-ip-sla)#udp-jitter 10.10.12.2 5000 source-ip 10.10.12.1
R1(config-ip-sla-jitter)# frequency 15
R1(config-ip-sla-jitter)# frequency 15
R1(config)#ip sla schedule 1 life forever start-time now
Bind the SLA with the defined key
R1(config)#ip sla key-chain 1
Bind an IP SLA with a Track
R1(config)#track 10 ip sla 1 reachability
Configuration on R2 (Responder)
Define a Key (Key should be the same as configured on Source)
R2(config)#key chain 1
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string cisco
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string cisco
Bind the responder with the configured key
R2(config)#ip sla responder
R2(config)#ip sla key-chain 1
IP SLA Authentication - Commands for testing
When no key or wrong key is configured on Responder R2, you will see authentication failure:
R1#show track 10
Track 10
IP SLA 1 reachability
Reachability is Down
1 change, last change 00:01:33
Latest operation return code: Authentication failure
Track 10
IP SLA 1 reachability
Reachability is Down
1 change, last change 00:01:33
Latest operation return code: Authentication failure
R1#show ip sla statistics 1 | i RTT|failures
Round Trip Time (RTT) for Index 2
Latest RTT: 0 ms >>>>>> RTT value will show 0
RTT Values
Number Of RTT: 0
RTT Min/Avg/Max: 0/0/0 ms >>>>> This counter will also show no values.
Number of failures: 12 >>>>> You will see the number of failures counter increasing.
Round Trip Time (RTT) for Index 2
Latest RTT: 0 ms >>>>>> RTT value will show 0
RTT Values
Number Of RTT: 0
RTT Min/Avg/Max: 0/0/0 ms >>>>> This counter will also show no values.
Number of failures: 12 >>>>> You will see the number of failures counter increasing.
The moment you configure the correct key on the responder, the Track/IP SLA will come up.
R1#show track 10
Track 10
IP SLA 1 reachability
Reachability is Up
2 changes, last change 00:00:02
Latest operation return code: OK
Latest RTT (millisecs) 20
Track 10
IP SLA 1 reachability
Reachability is Up
2 changes, last change 00:00:02
Latest operation return code: OK
Latest RTT (millisecs) 20
R1#sh ip sla statistics 1 | i RTT|failures
Round Trip Time (RTT) for Index 2
Latest RTT: 20 ms
RTT Values
Number Of RTT: 10
RTT Min/Avg/Max: 3/20/38 ms
Number of failures: 15
Round Trip Time (RTT) for Index 2
Latest RTT: 20 ms
RTT Values
Number Of RTT: 10
RTT Min/Avg/Max: 3/20/38 ms
Number of failures: 15
IMP Note: Authentication can only be used for operations like UDP echo and UDP jitter where a Responder is required. For ICMP echo, the target device's IP stack will respond to the echo request.
ICMP echo operation does not require a Responder.
So in case, you configure an IP SLA with "icmp-echo" option on a Source Node, and even if you configure different authentication parameters on both Source and Responder, you will find the status of IP SLA/Track as UP on the source node.
You can test that by configuring a no key-chain or a key-chain with a different key-string on the responder. Your IP SLA/Track will show up on the source node.
If you understood the concept and like this article, kindly share the same with your friends.
If you understood the concept and like this article, kindly share the same with your friends.
