Hi All,

I have configured GET using MC rekey and it is all working. The only thing is I am not sure how it continues to do so, based on what I see and my knowledge of GET.

The topology is as follows:

R1: GET KS, connected to R1 via P2P Serial, 141.1.123.1
R2: GET GM, connected to R1 and R3 via P2Multipoint Serial, 141.1.123.2
R3: GET GM, connected to R2 via P2P Serial, 141.1.123.3

I am using the following ACL for rekeys:

    access-list 121 permit udp host 141.1.123.1 eq 848 host 239.0.1.2 eq 848

So basically, here is what I am seeing:

- Both R2 and R3 register with R1 fine and receive their initial keys.
- Multicast rekey is working with R2 (connected to R1 and R3), as I can see it receive the rekey in the debugs and its key gets updated.
- R3 does not receive the rekey message from R1 that R2 receives and therefore maintains its original key.
- Having placed classification ACLs on the interfaces to monitor GDOI packets between routers, I rarely, if ever, see unicast rekey messages from R3 to R1 update its key (saw once).
- Pings between the GMs continue to work and be encrypted even after R2 is rekeyed several times but R3 is not.

Now I know a GM will use both its old and new keys for a time range after a rekey to accommodate other routers that may not yet have updated their keys, but I believe this is for no more than 1 minute, and yet the packets between the GMs continue to be encrypted even though I believe their keys are well out of sync.

Can anyone enlighten me as to why this is still working, considering that, to the best of my knowledge, it shouldn't be, as R2 is being rekeyed yet R3 is not?

Thanks,
Ben
