IP SLA Authentication

Using the IP SLA Authentication feature, we can secure IP SLA communication by making the IP SLA Source and Responder authenticate each other before they exchange probe traffic. The shared secret is a key chain that must be configured identically on both ends.

Define a key

R1(config)#key chain 1
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string cisco

Configure an IP SLA operation

R1(config)#ip sla 1
R1(config-ip-sla)#udp-jitter 10.10.12.2 5000 source-ip 10.10.12.1
R1(config-ip-sla-jitter)#frequency 15

R1(config)#ip sla schedule 1 life forever start-time now

Bind the SLA with the defined key

R1(config)#ip sla key-chain 1

Bind an IP SLA with a Track

R1(config)#track 10 ip sla 1 reachability

Configuration on R2 (Responder)

Define a Key (the key-string must be the same as the one configured on the Source)

R2(config)#key chain 1
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string cisco

Bind the responder with the configured key

R2(config)#ip sla responder

R2(config)#ip sla key-chain 1

IP SLA Authentication – Commands for testing

When no key, or a wrong key, is configured on Responder R2, you will see an authentication failure on the Source:

R1#show track 10
Track 10
  IP SLA 1 reachability
  Reachability is Down
    1 change, last change 00:01:33
  Latest operation return code: Authentication failure

R1#show ip sla statistics 1 | i RTT|failures
Round Trip Time (RTT) for       Index 2
        Latest RTT: 0 ms                          >>>>>> RTT value will show 0
RTT Values
        Number Of RTT: 0
        RTT Min/Avg/Max: 0/0/0 ms                 >>>>>  This counter will also show no values.
Number of failures: 12                            >>>>>  You will see the number of failures counter increasing.

The moment you configure the correct key on the responder, the Track/IP SLA will come up.

R1#show track 10
Track 10
  IP SLA 1 reachability
  Reachability is Up
    2 changes, last change 00:00:02
  Latest operation return code: OK
  Latest RTT (millisecs) 20

R1#sh ip sla statistics 1 | i RTT|failures
Round Trip Time (RTT) for       Index 2
        Latest RTT: 20 ms
RTT Values
        Number Of RTT: 10
        RTT Min/Avg/Max: 3/20/38 ms
Number of failures: 15

IMP Note: Authentication can only be used for operations such as UDP echo and UDP jitter, where a Responder is required. For ICMP echo, the target device's IP stack answers the echo request itself.

ICMP echo operation does not require a Responder.

So if you configure an IP SLA with the "icmp-echo" option on the Source node, the IP SLA/Track will show UP on the source node even when the authentication parameters on Source and Responder differ.

You can test this by configuring no key chain, or a key chain with a different key-string, on the responder: the IP SLA/Track will still show UP on the source node, because the key chain is never exercised by an ICMP echo probe.
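The verification steps above are a manual check. As an added example (not part of the original article), the following Python script parses the two show commands used on this page, flags the "Authentication failure" return code together with the zero RTT and rising failure counter, and applies the ICMP-echo caveat: for operation types that do not use a Responder, an UP track is reported as "up-unauthenticated" so it is not mistaken for proof that the key chains match. The sample CLI output embedded below is constructed from the captures on this page; field layout can vary between IOS releases, so the regexes only rely on the labelled fields. The operation type passed to classify() is assumed to come from the operator (or from a separate parse of the SLA configuration), since show track does not print it.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample CLI output, modelled on the page's "show track" and
# "show ip sla statistics ... | i RTT|failures" captures (not real captures).
TRACK_AUTH_FAIL = """\
Track 10
  IP SLA 1 reachability
  Reachability is Down
    1 change, last change 00:01:33
  Latest operation return code: Authentication failure
"""

STATS_AUTH_FAIL = """\
Round Trip Time (RTT) for       Index 1
        Latest RTT: 0 ms
RTT Values
        Number Of RTT: 0
        RTT Min/Avg/Max: 0/0/0 ms
Number of failures: 12
"""

TRACK_OK = """\
Track 10
  IP SLA 1 reachability
  Reachability is Up
    2 changes, last change 00:00:02
  Latest operation return code: OK
  Latest RTT (millisecs) 20
"""

STATS_OK = """\
Round Trip Time (RTT) for       Index 1
        Latest RTT: 20 ms
RTT Values
        Number Of RTT: 10
        RTT Min/Avg/Max: 3/20/38 ms
Number of failures: 15
"""


@dataclass
class TrackState:
    track: int
    sla: int
    reachability: str
    return_code: str


@dataclass
class SlaStats:
    latest_rtt_ms: int
    number_of_rtt: int
    failures: int


def _grab(pattern: str, text: str) -> str:
    """Return the first capture group of pattern, or raise if the field is absent."""
    m = re.search(pattern, text, re.MULTILINE)
    if not m:
        raise ValueError(f"field not found: {pattern}")
    return m.group(1).strip()


def parse_show_track(text: str) -> TrackState:
    """Extract the fields of 'show track N' that matter for an SLA-backed track."""
    return TrackState(
        track=int(_grab(r"^Track (\d+)", text)),
        sla=int(_grab(r"IP SLA (\d+) reachability", text)),
        reachability=_grab(r"Reachability is (\w+)", text),
        return_code=_grab(r"Latest operation return code: (.+)$", text),
    )


def parse_sla_statistics(text: str) -> SlaStats:
    """Extract RTT and failure counters from 'show ip sla statistics N'."""
    return SlaStats(
        latest_rtt_ms=int(_grab(r"Latest RTT: (\d+) ms", text)),
        number_of_rtt=int(_grab(r"Number Of RTT: (\d+)", text)),
        failures=int(_grab(r"Number of failures: (\d+)", text)),
    )


# Operation types that talk to the IP SLA Responder and can therefore fail
# authentication. icmp-echo is answered by the target's IP stack instead.
RESPONDER_OPERATIONS = {"udp-echo", "udp-jitter"}


def classify(track: TrackState, stats: SlaStats, op_type: str,
             previous_failures: Optional[int] = None) -> str:
    """Summarise SLA health into one operator-facing state string."""
    if op_type not in RESPONDER_OPERATIONS:
        # Key chains are never exercised here, so an Up track says nothing
        # about whether Source and Responder share the same key-string.
        return "up-unauthenticated" if track.reachability == "Up" else "down"
    if "Authentication failure" in track.return_code:
        return "authentication-failure"
    if (track.reachability == "Up" and track.return_code == "OK"
            and stats.number_of_rtt > 0):
        return "ok"
    if previous_failures is not None and stats.failures > previous_failures:
        return "down-failures-increasing"
    return "down"


if __name__ == "__main__":
    for name, trk, st in (("mismatched key", TRACK_AUTH_FAIL, STATS_AUTH_FAIL),
                          ("matching key", TRACK_OK, STATS_OK)):
        t, s = parse_show_track(trk), parse_sla_statistics(st)
        print(f"{name}: track {t.track} sla {t.sla} -> "
              f"{classify(t, s, 'udp-jitter')} (failures={s.failures})")
```

A polling loop would feed the previous poll's failure counter into previous_failures, which turns the page's "failures counter increasing" observation into a concrete condition even on releases whose return-code text differs.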

If you understood the concept and like this article, kindly share the same with your friends.