RIP
This chapter contains basic Routing Information Protocol (RIP) configuration examples.
Enable RIP
This example shows the minimum configuration required to enable RIP on an interface. R1 and R2 are two routers connecting to network 10.10.11.0/24. R1 and R2 are also connected to networks 10.10.10.0/24 and 10.10.12.0/24, respectively. To enable RIP, first define the RIP routing process, then associate a network with the routing process.
Topology
Enable RIP Topology
R1
#configure terminal | Enter configure mode. |
(config)#router rip | Define a RIP routing process, and enter Router mode. |
(config-router)#network 10.10.10.0/24 (config-router)#network 10.10.11.0/24 | Associate networks with the RIP process. |
(config-router)#exit | Exit router mode and return to configure mode. |
(config)#commit | Commit the candidate configuration to the running configuration |
R2
#configure terminal | Enter configure mode. |
(config)#router rip | Define a RIP routing process, and enter Router mode. |
(config-router)#network 10.10.11.0/24 (config-router)#network 10.10.12.0/24 | Associate networks with the RIP process. |
(config-router)#exit | Exit router mode and return to configure mode. |
(config)#commit | Commit the candidate configuration to the running configuration |
Validation
show ip rip, show running-config, show ip protocols rip, show ip rip interface, show ip route
R1
#show ip rip
Codes: R - RIP, Rc - RIP connected, Rs - RIP static, K - Kernel,
C - Connected, S - Static, O - OSPF, I - IS-IS, B - BGP,
X - Default
Network Next Hop Metric From If Time
Rc 10.10.10.0/24 1 eth1
Rc 10.10.11.0/24 1 eth2
#show running-config
!
no service password-encryption
!
hostname rtr1
!
logging monitor 7
!
ip vrf management
!
ip domain-lookup
spanning-tree mode provider-rstp
feature telnet
feature ssh
no feature tacacs+
snmp-server view all .1 included
ntp enable
sFlow disable
software-watchdog keep-alive-time 30
!
ip pim register-rp-reachability
!
interface lo
mtu 65536
ip address 127.0.0.1/8
ip address 192.168.0.2/32 secondary
ipv6 address ::1/128
!
interface eth0
ip address 10.12.4.108/24
!
interface eth1
ip address 10.10.10.10/24
!
interface eth2
ip address 10.10.11.10/24
!
router rip
network 10.10.10.0/24
network 10.10.11.0/24
!
line con 0
login
line vty 0 39
login
!
end
#show ip protocols rip
RIP Database for VRF (default)
Routing Protocol is "rip"
Sending updates every 30 seconds with +/-50%, next due in 14 seconds
Timeout after 180 seconds, garbage collect after 120 seconds
Outgoing update filter list for all interface is not set
Incoming update filter list for all interface is not set
Default redistribution metric is 1
Redistributing:
Default version control: send version 2, receive version 2
Interface Send Recv Key-chain
eth1 2 2
eth2 2 2
Routing for Networks:
10.10.10.0/24
10.10.11.0/24
Routing Information Sources:
Gateway Distance Last Update Bad Packets Bad Routes
Number of routes (including connected): 2
Distance: (default is 120)
#show ip rip interface
svlan0.1 is down, line protocol is down
RIP is not enabled on this interface
eth2 is up, line protocol is up
Routing Protocol: RIP
Receive RIP packets
Send RIP packets
Passive interface: Disabled
Split horizon: Enabled with Poisoned Reversed
IP interface address:
10.10.11.10/24
eth1 is up, line protocol is up
Routing Protocol: RIP
Receive RIP packets
Send RIP packets
Passive interface: Disabled
Split horizon: Enabled with Poisoned Reversed
IP interface address:
10.10.10.10/24
eth0 is up, line protocol is up
RIP is not enabled on this interface
lo is up, line protocol is up
RIP is not enabled on this interface
#show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
IP Route Table for VRF "default"
Gateway of last resort is 10.12.4.1 to network 0.0.0.0
K* 0.0.0.0/0 [0/0] via 10.12.4.1, eth0
C 10.10.10.0/24 is directly connected, eth1
C 10.10.11.0/24 is directly connected, eth2
C 10.12.4.0/24 is directly connected, eth0
C 127.0.0.0/8 is directly connected, lo
C 192.168.0.2/32 is directly connected, lo
R2
#show ip rip
Codes: R - RIP, Rc - RIP connected, Rs - RIP static, K - Kernel,
C - Connected, S - Static, O - OSPF, I - IS-IS, B - BGP,
X - Default
Network Next Hop Metric From If Time
Rc 10.10.11.0/24 1 eth1
Rc 10.10.12.0/24 1 eth2
#show running-config
!
no service password-encryption
!
hostname rtr2
!
logging monitor 7
!
ip vrf management
!
ip domain-lookup
spanning-tree mode provider-rstp
feature telnet
feature ssh
no feature tacacs+
snmp-server view all .1 included
ntp enable
sFlow disable
software-watchdog keep-alive-time 30
!
ip pim register-rp-reachability
!
interface lo
mtu 65536
ip address 127.0.0.1/8
ip address 192.168.0.3/32 secondary
ipv6 address ::1/128
!
interface eth0
ip address 10.12.4.183/24
!
interface eth1
ip address 10.10.11.50/24
!
interface eth2
ip address 10.10.12.10/24
!
router rip
network 10.10.11.0/24
network 10.10.12.0/24
!
line con 0
login
line vty 0 39
login
!
end
#show ip protocols rip
RIP Database for VRF (default)
Routing Protocol is "rip"
Sending updates every 30 seconds with +/-50%, next due in 5 seconds
Timeout after 180 seconds, garbage collect after 120 seconds
Outgoing update filter list for all interface is not set
Incoming update filter list for all interface is not set
Default redistribution metric is 1
Redistributing:
Default version control: send version 2, receive version 2
Interface Send Recv Key-chain
eth1 2 2
eth2 2 2
Routing for Networks:
10.10.11.0/24
10.10.12.0/24
Routing Information Sources:
Gateway Distance Last Update Bad Packets Bad Routes
Number of routes (including connected): 2
Distance: (default is 120)
#show ip rip interface
svlan0.1 is down, line protocol is down
RIP is not enabled on this interface
eth2 is up, line protocol is up
Routing Protocol: RIP
Receive RIP packets
Send RIP packets
Passive interface: Disabled
Split horizon: Enabled with Poisoned Reversed
IP interface address:
10.10.12.10/24
eth1 is up, line protocol is up
Routing Protocol: RIP
Receive RIP packets
Send RIP packets
Passive interface: Disabled
Split horizon: Enabled with Poisoned Reversed
IP interface address:
10.10.11.50/24
eth0 is up, line protocol is up
RIP is not enabled on this interface
lo is up, line protocol is up
RIP is not enabled on this interface
#show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
IP Route Table for VRF "default"
Gateway of last resort is 10.12.4.1 to network 0.0.0.0
K* 0.0.0.0/0 [0/0] via 10.12.4.1, eth0
C 10.10.11.0/24 is directly connected, eth1
C 10.10.12.0/24 is directly connected, eth2
C 10.12.4.0/24 is directly connected, eth0
C 127.0.0.0/8 is directly connected, lo
C 192.168.0.3/32 is directly connected, lo
Specify RIP Version
Configure a router to receive and send specific versions of packets on an interface. In this example, router R2 is configured to receive and send RIP version 1 and version 2 information on both eth1 and eth2 interfaces.
Topology
RIP Version Topology
R2
#configure terminal | Enter configure mode |
(config)#router rip | Enable the RIP routing process |
(config-router)#exit | Exit router mode |
(config)#interface eth1 | Enter interface mode |
(config-if)#ip rip send version 1 2 | Send RIP version 1 and version 2 packets out this interface |
(config-if)#ip rip receive version 1 2 | Receive RIP version 1 and version 2 packets from this interface |
(config-if)#exit | Exit interface mode |
(config)#commit | Commit the candidate configuration to the running configuration |
(config)#interface eth2 | Enter interface mode |
(config-if)#ip rip send version 1 2 | Send RIP version 1 and version 2 packets out this interface |
(config-if)#ip rip receive version 1 2 | Receive RIP version 1 and version 2 packets from this interface |
(config-if)#exit | Exit interface mode and return to configure mode. |
(config)#commit | Commit the candidate configuration to the running configuration |
Validation
R2
#sh ip rip
Codes: R - RIP, Rc - RIP connected, Rs - RIP static, K - Kernel,
C - Connected, S - Static, O - OSPF, I - IS-IS, B - BGP,
X - Default
Network Next Hop Metric From If Time
Rc 10.10.11.0/24 1 eth1
Rc 10.10.12.0/24 1 eth2
#sh running-config
!
no service password-encryption
!
logging monitor 7
!
ip vrf management
!
ip domain-lookup
spanning-tree mode provider-rstp
feature telnet
feature ssh
no feature tacacs+
snmp-server view all .1 included
ntp enable
sFlow disable
software-watchdog keep-alive-time 30
!
ip pim register-rp-reachability
!
interface lo
mtu 65536
ip address 127.0.0.1/8
ip address 192.168.0.2/32 secondary
ipv6 address ::1/128
!
interface eth0
ip address 10.12.4.108/24
!
interface eth1
ip address 10.10.11.50/24
ip rip send version 1 2
ip rip receive version 1 2
!
interface eth2
ip address 10.10.12.10/24
ip rip send version 1 2
ip rip receive version 1 2
!
router rip
network 10.10.11.0/24
network 10.10.12.0/24
!
line con 0
login
line vty 0 39
login
!
end
#show ip protocols rip
RIP Database for VRF (default)
Routing Protocol is "rip"
Sending updates every 30 seconds with +/-50%, next due in 29 seconds
Timeout after 180 seconds, garbage collect after 120 seconds
Outgoing update filter list for all interface is not set
Incoming update filter list for all interface is not set
Default redistribution metric is 1
Redistributing:
Default version control: send version 2, receive version 2
Interface Send Recv Key-chain
eth1 1 2 1 2
eth2 1 2 1 2
Routing for Networks:
10.10.11.0/24
10.10.12.0/24
Routing Information Sources:
Gateway Distance Last Update Bad Packets Bad Routes
10.10.11.10 120 00:00:31 0 0
10.10.12.50 120 00:00:08 0 0
Number of routes (including connected): 2
Distance: (default is 120)
#show ip rip interface
svlan0.1 is down, line protocol is down
RIP is not enabled on this interface
eth2 is up, line protocol is up
Routing Protocol: RIP
Receive RIPv1 and RIPv2 packets
Send RIPv1 and RIPv2 packets
Passive interface: Disabled
Split horizon: Enabled with Poisoned Reversed
IP interface address:
10.10.12.10/24
eth1 is up, line protocol is up
Routing Protocol: RIP
Receive RIPv1 and RIPv2 packets
Send RIPv1 and RIPv2 packets
Passive interface: Disabled
Split horizon: Enabled with Poisoned Reversed
IP interface address:
10.10.11.50/24
eth0 is up, line protocol is up
RIP is not enabled on this interface
lo is up, line protocol is up
RIP is not enabled on this interface
#show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
IP Route Table for VRF "default"
Gateway of last resort is 10.12.4.1 to network 0.0.0.0
K* 0.0.0.0/0 [0/0] via 10.12.4.1, eth0
C 10.10.11.0/24 is directly connected, eth1
C 10.10.12.0/24 is directly connected, eth2
C 10.12.4.0/24 is directly connected, eth0
C 127.0.0.0/8 is directly connected, lo
C 192.168.0.2/32 is directly connected, lo
Authentication with a Single Key
OcNOS RIP provides a choice of configuring authentication with a single key or with multiple keys. This example shows authenticating routing information exchange using a single key.
Topology
Routers R1 and R2 are running RIP and exchanging routing updates. To configure single-key authentication on R1, specify an interface, then define a key or password for that interface. Next, specify an authentication mode. Any RIP packet received on this interface must carry the same string as the password. For R1 and R2 to exchange updates, define the same password and authentication mode on R2.
Single-key Topology
R1
#configure terminal | Enter configure mode. |
(config)#router rip | Define a RIP routing process, and enter Router mode. |
(config-router)#network 10.10.10.0/24 | Associate network 10.10.10.0/24 with the RIP process. |
(config-router)#redistribute connected | Enable redistributing from connected routes. |
(config-router)#exit | Exit router mode. |
(config)#commit | Commit the candidate configuration to the running configuration |
(config)#interface eth1 | Specify the interface (eth1) for authentication. |
(config-if)#ip rip authentication string ABC | Specify the authentication string (ABC) for this interface. |
(config-if)#ip rip authentication mode md5 | Specify the authentication mode to be MD5. |
(config-if)#exit | Exit interface mode and return to configure mode. |
(config)#commit | Commit the candidate configuration to the running configuration |
R2
#configure terminal | Enter configure mode. |
(config)#router rip | Define a RIP routing process, and enter Router mode. |
(config-router)#network 10.10.10.0/24 | Associate network 10.10.10.0/24 with the RIP process. |
(config-router)#redistribute connected | Enable redistributing from connected routes. |
(config-router)#exit | Exit router mode. |
(config)#commit | Commit the candidate configuration to the running configuration |
(config)#interface eth2 | Specify the interface (eth2) for authentication. |
(config-if)#ip rip authentication string ABC | Specify the authentication string (ABC) on this interface. |
(config-if)#ip rip authentication mode md5 | Specify the authentication mode to be MD5. |
(config-if)#exit | Exit interface mode and return to configure mode. |
(config)#commit | Commit the candidate configuration to the running configuration |
Validation
show running-config, show ip rip, show ip protocol rip, show ip rip interface, show ip route
R1
#show running-config
!
no service password-encryption
!
hostname rtr1
!
logging monitor 7
!
ip vrf management
!
ip domain-lookup
spanning-tree mode provider-rstp
feature telnet
feature ssh
no feature tacacs+
snmp-server view all .1 included
ntp enable
sFlow disable
software-watchdog keep-alive-time 30
!
ip pim register-rp-reachability
!
interface lo
mtu 65536
ip address 127.0.0.1/8
ip address 192.168.0.1/32 secondary
ipv6 address ::1/128
!
interface eth0
ip address 10.12.4.92/24
!
interface eth1
ip address 10.10.10.10/24
ip rip authentication mode md5
ip rip authentication string 0x5c5b790e25d29287
!
interface eth2
ip address 10.10.11.10/24
!
router rip
network 10.10.10.0/24
redistribute connected
!
line con 0
login
line vty 0 39
login
!
end
#show ip rip
Codes: R - RIP, Rc - RIP connected, Rs - RIP static, K - Kernel,
C - Connected, S - Static, O - OSPF, I - IS-IS, B - BGP,
X - Default
Network Next Hop Metric From If Time
Rc 10.10.10.0/24 1 eth1
C 10.10.11.0/24 1 eth2
R 10.10.12.0/24 10.10.10.50 2 10.10.10.50 eth1 02:33
C 10.12.4.0/24 1 eth0
C 192.168.0.1/32 1 lo
R 192.168.0.2/32 10.10.10.50 2 10.10.10.50 eth1 02:33
#show ip protocol rip
RIP Database for VRF (default)
Routing Protocol is "rip"
Sending updates every 30 seconds with +/-50%, next due in 26 seconds
Timeout after 180 seconds, garbage collect after 120 seconds
Outgoing update filter list for all interface is not set
Incoming update filter list for all interface is not set
Default redistribution metric is 1
Redistributing: connected
Default version control: send version 2, receive version 2
Interface Send Recv Key-chain
eth1 2 2
Routing for Networks:
10.10.10.0/24
Routing Information Sources:
Gateway Distance Last Update Bad Packets Bad Routes
10.10.10.50 120 00:00:31 0 0
Number of routes (including connected): 6
Distance: (default is 120)
#show ip rip interface
svlan0.1 is down, line protocol is down
RIP is not enabled on this interface
eth2 is up, line protocol is up
RIP is not enabled on this interface
eth1 is up, line protocol is up
Routing Protocol: RIP
Receive RIP packets
Send RIP packets
Passive interface: Disabled
Split horizon: Enabled with Poisoned Reversed
IP interface address:
10.10.10.10/24
eth0 is up, line protocol is up
RIP is not enabled on this interface
lo is up, line protocol is up
RIP is not enabled on this interface
#show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
IP Route Table for VRF "default"
Gateway of last resort is 10.12.4.1 to network 0.0.0.0
K* 0.0.0.0/0 [0/0] via 10.12.4.1, eth0
C 10.10.10.0/24 is directly connected, eth1
C 10.10.11.0/24 is directly connected, eth2
R 10.10.12.0/24 [120/2] via 10.10.10.50, eth1, 00:04:05
C 10.12.4.0/24 is directly connected, eth0
C 127.0.0.0/8 is directly connected, lo
C 192.168.0.1/32 is directly connected, lo
R 192.168.0.2/32 [120/2] via 10.10.10.50, eth1, 00:04:05
R2
#sh running-config
!
no service password-encryption
!
logging monitor 7
!
ip vrf management
!
ip domain-lookup
spanning-tree mode provider-rstp
feature telnet
feature ssh
no feature tacacs+
snmp-server view all .1 included
ntp enable
sFlow disable
software-watchdog keep-alive-time 30
!
ip pim register-rp-reachability
!
interface lo
mtu 65536
ip address 127.0.0.1/8
ip address 192.168.0.2/32 secondary
ipv6 address ::1/128
!
interface eth0
ip address 10.12.4.108/24
!
interface eth1
ip address 10.10.12.50/24
!
interface eth2
ip address 10.10.10.50/24
ip rip authentication mode md5
ip rip authentication string 0x5c5b790e25d29287
!
router rip
network 10.10.10.0/24
redistribute connected
!
line con 0
login
line vty 0 39
login
!
end
#show ip rip
Codes: R - RIP, Rc - RIP connected, Rs - RIP static, K - Kernel,
C - Connected, S - Static, O - OSPF, I - IS-IS, B - BGP,
X - Default
Network Next Hop Metric From If Time
Rc 10.10.10.0/24 1 eth2
R 10.10.11.0/24 10.10.10.10 2 10.10.10.10 eth2 02:58
C 10.10.12.0/24 1 eth1
C 10.12.4.0/24 1 eth0
R 192.168.0.1/32 10.10.10.10 2 10.10.10.10 eth2 02:58
C 192.168.0.2/32 1 lo
#show ip protocol rip
RIP Database for VRF (default)
Routing Protocol is "rip"
Sending updates every 30 seconds with +/-50%, next due in 5 seconds
Timeout after 180 seconds, garbage collect after 120 seconds
Outgoing update filter list for all interface is not set
Incoming update filter list for all interface is not set
Default redistribution metric is 1
Redistributing: connected
Default version control: send version 2, receive version 2
Interface Send Recv Key-chain
eth2 2 2
Routing for Networks:
10.10.10.0/24
Routing Information Sources:
Gateway Distance Last Update Bad Packets Bad Routes
10.10.10.10 120 00:00:01 0 0
Number of routes (including connected): 6
Distance: (default is 120)
#show ip rip interface
svlan0.1 is down, line protocol is down
RIP is not enabled on this interface
eth2 is up, line protocol is up
Routing Protocol: RIP
Receive RIP packets
Send RIP packets
Passive interface: Disabled
Split horizon: Enabled with Poisoned Reversed
IP interface address:
10.10.10.50/24
eth1 is up, line protocol is up
RIP is not enabled on this interface
eth0 is up, line protocol is up
RIP is not enabled on this interface
lo is up, line protocol is up
RIP is not enabled on this interface
#show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
IP Route Table for VRF "default"
Gateway of last resort is 10.12.4.1 to network 0.0.0.0
K* 0.0.0.0/0 [0/0] via 10.12.4.1, eth0
C 10.10.10.0/24 is directly connected, eth2
R 10.10.11.0/24 [120/2] via 10.10.10.10, eth2, 00:07:36
C 10.10.12.0/24 is directly connected, eth1
C 10.12.4.0/24 is directly connected, eth0
C 127.0.0.0/8 is directly connected, lo
R 192.168.0.1/32 [120/2] via 10.10.10.10, eth2, 00:07:36
C 192.168.0.2/32 is directly connected, lo
Text Authentication with Multiple Keys
This example illustrates text authentication of the routing information exchange process for RIP using multiple keys. Routers R1 and R2 are running RIP and exchanging routing updates. To configure authentication on R1, define a key chain, specify keys in the key chain, then define the authentication string (password) used by each key. Set the time period during which it is valid to receive or send each authentication key by specifying the accept and send lifetimes. After defining the key strings, specify the key chain (or set of keys) that will be used for authentication on each interface, and the authentication mode to use.
R1 accepts any packet on that interface whose key string matches one of the key strings in the specified key chain, provided the key is within its accept lifetime. The key ID is not considered for matching. For additional security, the accept lifetime and send lifetime are configured so that the key ID and key string change every fifth day. To maintain continuity, configure the accept lifetimes to overlap; this accommodates differences in the time settings of the machines. The send lifetimes are not required to overlap, and IP Infusion Inc. recommends configuring send lifetimes with no overlap.
Topology
Multiple-key Topology
R1
#configure terminal | Enter configure mode. |
(config)#router rip | Define a RIP routing process, and enter Router mode. |
(config-router)#network 10.10.10.0/24 | Associate network 10.10.10.0/24 with the RIP process. |
(config-router)#redistribute connected | Enable redistributing from connected routes. |
(config-router)#exit | Exit router mode. |
(config)#commit | Commit the candidate configuration to the running configuration |
(config)#key chain SUN | Enter Keychain management mode to add keys to the key chain SUN. |
(config-keychain)#key 10 | Add authentication key ID (10) to the key chain SUN. |
(config-keychain-key)#key-string ABC | Specify the password (ABC) used by the specified key. |
(config-keychain-key)#accept-lifetime 12:00:00 Mar 2 2003 14:00:00 Mar 7 2003 | Specify the time period during which the authentication key can be received. In this case, key string ABC can be received from noon of March 2 to 2 pm March 7, 2003. |
(config-keychain-key)#send-lifetime 12:00:00 Mar 2 2003 12:00:00 Mar 7 2003 | Specify the time period during which the authentication key can be sent. In this case, key string ABC can be sent from noon of March 2 to noon of March 7, 2003. |
(config-keychain-key)#exit | Exit Keychain-Key mode, and return to Keychain mode. |
(config-keychain)#commit | Commit the candidate configuration to the running configuration |
(config-keychain)#key 20 | Add another authentication key (20) to the key chain SUN. |
(config-keychain-key)#key-string Earth | Specify the password (Earth) used by the specified key. |
(config-keychain-key)#accept-lifetime 12:00:00 Mar 7 2003 14:00:00 Mar 12 2003 | Specify the time period during which authentication key string Earth can be received. In this case, key string Earth can be received from noon of March 7 to 2 pm March 12, 2003. |
(config-keychain-key)#send-lifetime 12:00:00 Mar 7 2003 12:00:00 Mar 12 2003 | Specify the time period during which the authentication key can be sent. In this case, key string Earth can be sent from noon of March 7 to noon of March 12, 2003. |
(config-keychain-key)#commit | Commit the candidate configuration to the running configuration |
(config-keychain-key)#end | Enter Privileged Exec mode. |
#configure terminal | Enter configure mode. |
(config)#interface eth1 | Specify interface eth1 as the interface you want to configure. |
(config-if)#ip rip authentication key chain SUN | Enable RIPv2 authentication on eth1 interface and specify the key chain SUN to use for authentication. |
(config-if)#ip rip authentication mode text | Specify text authentication mode to use for RIP packets. This step is optional, because text is the default mode. |
(config-if)#exit | Exit interface mode. |
(config)#commit | Commit the candidate configuration to the running configuration |
R2
#configure terminal | Enter configure mode. |
(config)#router rip | Define a RIP routing process, and enter Router mode. |
(config-router)#network 10.10.10.0/24 | Associate network 10.10.10.0/24 with the RIP process. |
(config-router)#redistribute connected | Enable redistributing from connected routes. |
(config-router)#exit | Exit router mode. |
(config)#commit | Commit the candidate configuration to the running configuration |
(config)#key chain MOON | Enter Keychain management mode to add keys to the key chain MOON. |
(config-keychain)#key 30 | Add authentication key ID (30) to the key chain MOON. |
(config-keychain-key)#key-string ABC | Specify the password (ABC) used by the specified key. |
(config-keychain-key)#accept-lifetime 12:00:00 Mar 2 2003 14:00:00 Mar 7 2003 | Specify the time period during which the authentication key can be received. In this case, key string ABC can be received from noon of March 2 to 2 pm March 7, 2003. |
(config-keychain-key)#send-lifetime 12:00:00 Mar 2 2003 12:00:00 Mar 7 2003 | Specify the time period during which the authentication key can be sent. In this case, key string ABC can be sent from noon of March 2 to noon of March 7, 2003. |
(config-keychain-key)#exit | Exit Keychain-Key mode, and return to Keychain mode. |
(config-keychain)#commit | Commit the candidate configuration to the running configuration |
(config-keychain)#key 40 | Add another authentication key (40) to the key chain MOON. |
(config-keychain-key)#key-string Earth | Specify the password (Earth) used by the specified key. |
(config-keychain-key)#accept-lifetime 12:00:00 Mar 7 2003 14:00:00 Mar 12 2003 | Specify the time period during which authentication key string Earth can be received. In this case, key string Earth can be received from noon of March 7 to 2 pm March 12, 2003. |
(config-keychain-key)#send-lifetime 12:00:00 Mar 7 2003 12:00:00 Mar 12 2003 | Specify the time period during which the authentication key can be sent. In this case, key string Earth can be sent from noon of March 7 to noon of March 12, 2003. |
(config-keychain-key)#commit | Commit the candidate configuration to the running configuration |
(config-keychain-key)#end | Enter Privileged Exec mode. |
#configure terminal | Enter configure mode. |
(config)#interface eth2 | Specify interface eth2 as the interface you want to configure. |
(config-if)#ip rip authentication key chain MOON | Enable RIPv2 authentication on the eth2 interface, and specify the key chain MOON to use for authentication. |
(config-if)#ip rip authentication mode text | Specify the authentication mode to use for RIP packets. This step is optional, because text is the default mode. |
(config-if)#exit | Exit interface mode. |
(config)#commit | Commit the candidate configuration to the running configuration |
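A rollover check for the lifetimes configured above, as an added example (not OcNOS or IP Infusion code). It parses the accept and send lifetimes of key chain SUN and reports, for each hand-over between keys, the send gap or overlap, the accept overlap, and how much clock skew the windows absorb in each direction. The function names are illustrative, and the skew figures assume both routers carry identical lifetimes.

```python
from datetime import datetime, timedelta

FMT = "%H:%M:%S %b %d %Y"  # timestamp layout used by accept-lifetime / send-lifetime

# Key chain SUN exactly as entered on R1 in this section.
SUN = {
    10: {"accept": "12:00:00 Mar 2 2003 14:00:00 Mar 7 2003",
         "send":   "12:00:00 Mar 2 2003 12:00:00 Mar 7 2003"},
    20: {"accept": "12:00:00 Mar 7 2003 14:00:00 Mar 12 2003",
         "send":   "12:00:00 Mar 7 2003 12:00:00 Mar 12 2003"},
}


def parse_window(text):
    """Turn '<start> <end>' (four tokens each) into a (start, end) datetime pair."""
    tok = text.split()
    if len(tok) != 8:
        raise ValueError(f"expected a start and an end timestamp: {text!r}")
    start = datetime.strptime(" ".join(tok[:4]), FMT)
    end = datetime.strptime(" ".join(tok[4:]), FMT)
    if end <= start:
        raise ValueError(f"lifetime ends before it starts: {text!r}")
    return start, end


def load(chain):
    """Return [(key_id, accept_window, send_window), ...] ordered by send start."""
    keys = [(kid, parse_window(k["accept"]), parse_window(k["send"]))
            for kid, k in chain.items()]
    return sorted(keys, key=lambda k: k[2][0])


def audit_rollover(chain):
    """Describe every hand-over between consecutive keys.

    send_gap        time in which no key may be sent (updates go unauthenticated
                    or unsent, depending on the implementation)
    send_overlap    time in which two keys may be sent (the page recommends none)
    accept_overlap  time in which both keys are accepted (the page requires some)
    slow_sender     how far a sender's clock may lag the receiver's
    fast_sender     how far a sender's clock may lead the receiver's
    """
    zero = timedelta(0)
    keys = load(chain)
    report = []
    for (old_id, old_acc, old_snd), (new_id, new_acc, new_snd) in zip(keys, keys[1:]):
        delta = new_snd[0] - old_snd[1]
        report.append({
            "from": old_id, "to": new_id,
            "send_gap": max(delta, zero),
            "send_overlap": max(-delta, zero),
            "accept_overlap": max(old_acc[1] - new_acc[0], zero),
            # A lagging sender keeps using the old key after the receiver has
            # moved on; the receiver tolerates that until the old accept ends.
            "slow_sender": max(old_acc[1] - old_snd[1], zero),
            # A leading sender starts the new key early; the receiver only
            # tolerates that if the new accept window opens before the send one.
            "fast_sender": max(new_snd[0] - new_acc[0], zero),
        })
    return report


def send_key_at(chain, now):
    """Key ID whose send lifetime covers `now`, or None if no key is sendable."""
    for kid, _acc, snd in load(chain):
        if snd[0] <= now < snd[1]:
            return kid
    return None


def accepted_keys_at(chain, now):
    """Key IDs whose accept lifetime covers `now`."""
    return [kid for kid, acc, _snd in load(chain) if acc[0] <= now <= acc[1]]


if __name__ == "__main__":
    for row in audit_rollover(SUN):
        print(row)
    print("send key today:", send_key_at(SUN, datetime.now()))
```

With the lifetimes from this section the hand-over from key 10 to key 20 has no send gap and a two-hour accept overlap, but the accept window for key 20 opens at the same instant as its send window, so the overlap only covers a sender whose clock runs behind.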
Validation
show running-config, show ip rip, show ip protocol rip, show ip rip interface, show ip route
R1
#sh running-config
!
no service password-encryption
!
hostname rtr1
!
logging monitor 7
!
ip vrf management
!
key chain SUN
key 10
key-string 0x5c5b790e25d29287
accept-lifetime 12:00:00 Mar 02 2003 14:00:00 Mar 07 2003
send-lifetime 12:00:00 Mar 02 2003 12:00:00 Mar 07 2003
key 20
key-string 0x51b2c401dd313187
accept-lifetime 12:00:00 Mar 07 2003 14:00:00 Mar 12 2003
send-lifetime 12:00:00 Mar 07 2003 12:00:00 Mar 12 2003
!
ip domain-lookup
spanning-tree mode provider-rstp
feature telnet
feature ssh
no feature tacacs+
snmp-server view all .1 included
ntp enable
sFlow disable
software-watchdog keep-alive-time 30
!
ip pim register-rp-reachability
!
interface lo
mtu 65536
ip address 127.0.0.1/8
ip address 192.168.0.1/32 secondary
ipv6 address ::1/128
!
interface eth0
ip address 10.12.4.92/24
!
interface eth1
ip address 10.10.10.10/24
ip rip authentication mode text
ip rip authentication key-chain chain SUN
!
interface eth2
!
router rip
network 10.10.10.0/24
redistribute connected
!
line con 0
login
line vty 0 39
login
!
end
#show ip rip
Codes: R - RIP, Rc - RIP connected, Rs - RIP static, K - Kernel,
C - Connected, S - Static, O - OSPF, I - IS-IS, B - BGP,
X - Default
Network Next Hop Metric From If Time
Rc 10.10.10.0/24 1 eth1
C 10.12.4.0/24 1 eth0
C 192.168.0.1/32 1 lo
#show ip protocol rip
RIP Database for VRF (default)
Routing Protocol is "rip"
Sending updates every 30 seconds with +/-50%, next due in 16 seconds
Timeout after 180 seconds, garbage collect after 120 seconds
Outgoing update filter list for all interface is not set
Incoming update filter list for all interface is not set
Default redistribution metric is 1
Redistributing: connected
Default version control: send version 2, receive version 2
Interface Send Recv Key-chain
eth1 2 2 chain SUN
Routing for Networks:
10.10.10.0/24
Routing Information Sources:
Gateway Distance Last Update Bad Packets Bad Routes
Number of routes (including connected): 3
Distance: (default is 120)
#show ip rip interface
svlan0.1 is down, line protocol is down
RIP is not enabled on this interface
eth2 is down, line protocol is down
RIP is not enabled on this interface
eth1 is up, line protocol is up
Routing Protocol: RIP
Receive RIP packets
Send RIP packets
Passive interface: Disabled
Split horizon: Enabled with Poisoned Reversed
IP interface address:
10.10.10.10/24
eth0 is up, line protocol is up
RIP is not enabled on this interface
lo is up, line protocol is up
RIP is not enabled on this interface
#show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
IP Route Table for VRF "default"
Gateway of last resort is 10.12.4.1 to network 0.0.0.0
K* 0.0.0.0/0 [0/0] via 10.12.4.1, eth0
C 10.10.10.0/24 is directly connected, eth1
C 10.12.4.0/24 is directly connected, eth0
C 127.0.0.0/8 is directly connected, lo
C 192.168.0.1/32 is directly connected, lo
R2
#sh running-config
!
no service password-encryption
!
logging monitor 7
!
ip vrf management
!
key chain MOON
key 30
key-string 0x5c5b790e25d29287
accept-lifetime 12:00:00 Mar 02 2003 14:00:00 Mar 07 2003
send-lifetime 12:00:00 Mar 02 2003 12:00:00 Mar 07 2003
key 40
key-string 0x51b2c401dd313187
accept-lifetime 12:00:00 Mar 07 2003 14:00:00 Mar 12 2003
send-lifetime 12:00:00 Mar 07 2003 12:00:00 Mar 12 2003
!
ip domain-lookup
spanning-tree mode provider-rstp
feature telnet
feature ssh
no feature tacacs+
snmp-server view all .1 included
ntp enable
sFlow disable
software-watchdog keep-alive-time 30
!
ip pim register-rp-reachability
!
interface lo
mtu 65536
ip address 127.0.0.1/8
ip address 192.168.0.2/32 secondary
ipv6 address ::1/128
!
interface eth0
ip address 10.12.4.108/24
!
interface eth1
!
interface eth2
ip address 10.10.10.50/24
ip rip authentication mode text
ip rip authentication key-chain chain MOON
!
router rip
network 10.10.10.0/24
redistribute connected
!
line con 0
login
line vty 0 39
login
!
end
#sh ip rip
Codes: R - RIP, Rc - RIP connected, Rs - RIP static, K - Kernel,
C - Connected, S - Static, O - OSPF, I - IS-IS, B - BGP,
X - Default
Network Next Hop Metric From If Time
Rc 10.10.10.0/24 1 eth2
C 10.12.4.0/24 1 eth0
C 192.168.0.2/32 1 lo
#show ip protocol rip
RIP Database for VRF (default)
Routing Protocol is "rip"
Sending updates every 30 seconds with +/-50%, next due in 5 seconds
Timeout after 180 seconds, garbage collect after 120 seconds
Outgoing update filter list for all interface is not set
Incoming update filter list for all interface is not set
Default redistribution metric is 1
Redistributing: connected
Default version control: send version 2, receive version 2
Interface Send Recv Key-chain
eth2 2 2 chain MOON
Routing for Networks:
10.10.10.0/24
Routing Information Sources:
Gateway Distance Last Update Bad Packets Bad Routes
Number of routes (including connected): 3
Distance: (default is 120)
#show ip rip interface
svlan0.1 is down, line protocol is down
RIP is not enabled on this interface
eth2 is up, line protocol is up
Routing Protocol: RIP
Receive RIP packets
Send RIP packets
Passive interface: Disabled
Split horizon: Enabled with Poisoned Reversed
IP interface address:
10.10.10.50/24
eth1 is down, line protocol is down
RIP is not enabled on this interface
eth0 is up, line protocol is up
RIP is not enabled on this interface
lo is up, line protocol is up
RIP is not enabled on this interface
#show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
IP Route Table for VRF "default"
Gateway of last resort is 10.12.4.1 to network 0.0.0.0
K* 0.0.0.0/0 [0/0] via 10.12.4.1, eth0
C 10.10.10.0/24 is directly connected, eth2
C 10.12.4.0/24 is directly connected, eth0
C 127.0.0.0/8 is directly connected, lo
C 192.168.0.2/32 is directly connected, lo
MD5 Authentication with Multiple Keys
This example illustrates MD5 authentication of the RIP routing information exchange using multiple keys. Routers R1 and R2 are running RIP and exchanging routing updates. To configure authentication on R1, define a key chain, add keys to the key chain, then define the authentication string (password) used by each key. Next, set the time period during which each key is valid to receive or send by specifying its accept and send lifetimes. After defining the key string, specify on the interface the key chain (the set of keys) to use for authentication and the authentication mode. Configure R2 and R3 with the same key ID and key string as R1 for the time during which updates are to be exchanged.
In MD5 authentication, both the key ID and the key string must match. R1 accepts only packets that match both the key ID and the key string in the specified key chain (within the accept lifetime) on that interface. In the following example, R2 has the same key ID and key string as R1. For additional security, the accept and send lifetimes are configured so that the key ID and key string change every fifth day. To maintain continuity, configure the accept lifetimes to overlap; the send lifetimes, however, should not overlap.
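The lifetime rule above can be checked mechanically before a key chain is committed. The following Python script is an added example, not part of the product documentation: it parses a key chain stanza in the running-config layout shown on this page (the SUN stanza from R1's output) and reports overlapping send lifetimes, non-overlapping accept lifetimes and, as an extension of the continuity point, any gap in which no key is sent. The function names are hypothetical.

```python
import re
from datetime import datetime

# Key chain SUN as it appears in R1's running-config on this page.
SAMPLE = """\
key chain SUN
key 1
key-string 0x5c5b790e25d29287
accept-lifetime 12:00:00 Mar 02 2003 14:00:00 Mar 07 2003
send-lifetime 12:00:00 Mar 02 2003 12:00:00 Mar 07 2003
key 2
key-string 0x51b2c401dd313187
accept-lifetime 12:00:00 Mar 07 2003 14:00:00 Mar 12 2003
send-lifetime 12:00:00 Mar 07 2003 12:00:00 Mar 12 2003
"""

STAMP = r"\d\d:\d\d:\d\d \w{3} \d{1,2} \d{4}"
LIFETIME = re.compile(rf"(accept|send)-lifetime ({STAMP}) ({STAMP})")

def parse_key_chain(text):
    """Return {key_id: {"accept": (start, end), "send": (start, end)}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"key (\d+)", line):
            current = keys.setdefault(int(m.group(1)), {})
        elif (m := LIFETIME.fullmatch(line)) and current is not None:
            current[m.group(1)] = tuple(
                datetime.strptime(m.group(i), "%H:%M:%S %b %d %Y") for i in (2, 3))
    return keys

def audit_rollover(keys):
    """Compare each key with its successor (ordered by send start time)."""
    # Keys without both lifetimes are skipped: they have no schedule to check.
    timed = [(k, v) for k, v in keys.items() if v.keys() >= {"accept", "send"}]
    timed.sort(key=lambda kv: kv[1]["send"][0])
    findings = []
    for (id_a, a), (id_b, b) in zip(timed, timed[1:]):
        if b["send"][0] < a["send"][1]:
            findings.append(f"send lifetimes of key {id_a} and key {id_b} overlap")
        elif b["send"][0] > a["send"][1]:
            findings.append(f"no key is sent between key {id_a} and key {id_b}")
        if b["accept"][0] >= a["accept"][1]:
            findings.append(f"accept lifetimes of key {id_a} and key {id_b} do not overlap")
    return findings

if __name__ == "__main__":
    for finding in audit_rollover(parse_key_chain(SAMPLE)) or ["rollover schedule is consistent"]:
        print(finding)
```

Run the same check against the peer's key chain as well, since both routers must hold the same key ID and key string for each period.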
Topology
MD5 Multiple-key Topology
R1
#configure terminal | Enter configure mode. |
(config)#router rip | Define a RIP routing process, and enter Router mode. |
(config-router)#network 10.10.10.0/24 | Associate network 10.10.10.0/24 with the RIP process. |
(config-router)#redistribute connected | Enable redistributing from connected routes. |
(config-router)#exit | Exit router mode. |
(config)#commit | Commit the candidate configuration to the running configuration |
(config)#key chain SUN | Enter Keychain management mode to add keys to the key chain SUN. |
(config-keychain)#key 1 | Add authentication key ID (1) to the key chain SUN. |
(config-keychain-key)#key-string ABC | Specify the password (ABC) used by this key. |
(config-keychain-key)#accept-lifetime 12:00:00 Mar 2 2003 14:00:00 Mar 7 2003 | Specify the time period during which the authentication key can be received. In this case, key string ABC can be received from noon of March 2 to 2 pm March 7, 2003. |
(config-keychain-key)#send-lifetime 12:00:00 Mar 2 2003 12:00:00 Mar 7 2003 | Specify the time period during which the authentication key can be sent. In this case, key string ABC can be sent from noon of March 2 to noon of March 7, 2003. |
(config-keychain-key)#exit | Exit Keychain-Key mode, and return to Keychain mode. |
(config-keychain)#commit | Commit the candidate configuration to the running configuration |
(config-keychain)#key 2 | Add another authentication key (2) to the key chain SUN. |
(config-keychain-key)#key-string Earth | Specify the password (Earth) used by this key. |
(config-keychain-key)#accept-lifetime 12:00:00 Mar 7 2003 14:00:00 Mar 12 2003 | Specify the time period during which authentication key string Earth can be received. In this case, key string Earth can be received from noon of March 7 to 2 pm March 12, 2003. |
(config-keychain-key)#send-lifetime 12:00:00 Mar 7 2003 12:00:00 Mar 12 2003 | Specify the time period during which the authentication key can be sent. In this case, key string Earth can be sent from noon of March 7 to noon of March 12, 2003. |
(config-keychain-key)#commit | Commit the candidate configuration to the running configuration |
(config-keychain-key)#end | Enter Privileged Exec mode. |
#configure terminal | Enter configure mode. |
(config)#interface eth1 | Specify interface eth1 as the interface you want to configure. |
(config-if)#ip rip authentication key chain SUN | Enable RIPv2 authentication on the eth1 interface, and specify the key chain SUN to use for authentication. |
(config-if)#ip rip authentication mode md5 | Specify MD5 authentication mode to use for RIP packets. |
(config-if)#exit | Exit interface mode. |
(config)#commit | Commit the candidate configuration to the running configuration |
R2
#configure terminal | Enter configure mode. |
(config)#router rip | Define a RIP routing process, and enter Router mode. |
(config-router)#network 10.10.10.0/24 | Associate network 10.10.10.0/24 with the RIP process. |
(config-router)#redistribute connected | Enable redistributing from connected routes. |
(config-router)#exit | Exit router mode. |
(config)#commit | Commit the candidate configuration to the running configuration |
(config)#key chain MOON | Enter Keychain management mode to add keys to the key chain MOON. |
(config-keychain)#key 1 | Add authentication key ID (1) to the key chain MOON. |
(config-keychain-key)#key-string ABC | Specify the password (ABC) used by this key. |
(config-keychain-key)#accept-lifetime 12:00:00 Mar 2 2003 14:00:00 Mar 7 2003 | Specify the time period during which the authentication key can be received. In this case, key string ABC can be received from noon of March 2 to 2 pm March 7, 2003. |
(config-keychain-key)#send-lifetime 12:00:00 Mar 2 2003 12:00:00 Mar 7 2003 | Specify the time period during which the authentication key can be sent. In this case, key string ABC can be sent from noon of March 2 to noon of March 7, 2003. |
(config-keychain-key)#exit | Exit Keychain-Key mode, and return to Keychain mode. |
(config-keychain)#commit | Commit the candidate configuration to the running configuration |
(config-keychain)#key 2 | Add another authentication key (2) to the key chain MOON. |
(config-keychain-key)#key-string Earth | Specify the password (Earth) used by this key. |
(config-keychain-key)#accept-lifetime 12:00:00 Mar 7 2003 14:00:00 Mar 12 2003 | Specify the time period during which the authentication key can be received. In this case, key string Earth can be received from noon of March 7 to 2 pm March 12, 2003. |
(config-keychain-key)#send-lifetime 12:00:00 Mar 7 2003 12:00:00 Mar 12 2003 | Specify the time period during which the authentication key can be sent. In this case, key string Earth can be sent from noon of March 7 to noon of March 12, 2003. |
(config-keychain-key)#commit | Commit the candidate configuration to the running configuration |
(config-keychain-key)#end | Enter Privileged Exec mode. |
#configure terminal | Enter configure mode. |
(config)#interface eth2 | Specify interface eth2 as the interface you want to configure. |
(config-if)#ip rip authentication key chain MOON | Enable RIPv2 authentication on the eth2 interface, and specify the key chain MOON to use for authentication. |
(config-if)#ip rip authentication mode md5 | Specify MD5 authentication mode to use for RIP packets. |
(config-if)#exit | Exit interface mode. |
(config)#commit | Commit the candidate configuration to the running configuration |
Validation
show running-config, show ip rip, show ip protocol rip, show ip rip interface
R1
#sh running-config
!
no service password-encryption
!
hostname rtr1
!
logging monitor 7
!
ip vrf management
!
key chain SUN
key 1
key-string 0x5c5b790e25d29287
accept-lifetime 12:00:00 Mar 02 2003 14:00:00 Mar 07 2003
send-lifetime 12:00:00 Mar 02 2003 12:00:00 Mar 07 2003
key 2
key-string 0x51b2c401dd313187
accept-lifetime 12:00:00 Mar 07 2003 14:00:00 Mar 12 2003
send-lifetime 12:00:00 Mar 07 2003 12:00:00 Mar 12 2003
!
ip domain-lookup
spanning-tree mode provider-rstp
feature telnet
feature ssh
no feature tacacs+
snmp-server view all .1 included
ntp enable
sFlow disable
software-watchdog keep-alive-time 30
!
ip pim register-rp-reachability
!
interface lo
mtu 65536
ip address 127.0.0.1/8
ip address 192.168.0.1/32 secondary
ipv6 address ::1/128
!
interface eth0
ip address 10.12.4.92/24
!
interface eth1
ip address 10.10.10.10/24
ip rip authentication mode md5
ip rip authentication key-chain chain SUN
!
interface eth2
!
router rip
network 10.10.10.0/24
redistribute connected
!
line con 0
login
line vty 0 39
login
!
end
#show ip rip
Codes: R - RIP, Rc - RIP connected, Rs - RIP static, K - Kernel,
C - Connected, S - Static, O - OSPF, I - IS-IS, B - BGP,
X - Default
Network Next Hop Metric From If Time
Rc 10.10.10.0/24 1 eth1
C 10.12.4.0/24 1 eth0
C 192.168.0.1/32 1 lo
#show ip protocol rip
RIP Database for VRF (default)
Routing Protocol is "rip"
Sending updates every 30 seconds with +/-50%, next due in 19 seconds
Timeout after 180 seconds, garbage collect after 120 seconds
Outgoing update filter list for all interface is not set
Incoming update filter list for all interface is not set
Default redistribution metric is 1
Redistributing: connected
Default version control: send version 2, receive version 2
Interface Send Recv Key-chain
eth1 2 2 chain SUN
Routing for Networks:
10.10.10.0/24
Routing Information Sources:
Gateway Distance Last Update Bad Packets Bad Routes
Number of routes (including connected): 3
Distance: (default is 120)
#show ip rip interface
svlan0.1 is down, line protocol is down
RIP is not enabled on this interface
eth2 is down, line protocol is down
RIP is not enabled on this interface
eth1 is up, line protocol is up
Routing Protocol: RIP
Receive RIP packets
Send RIP packets
Passive interface: Disabled
Split horizon: Enabled with Poisoned Reversed
IP interface address:
10.10.10.10/24
eth0 is up, line protocol is up
RIP is not enabled on this interface
lo is up, line protocol is up
RIP is not enabled on this interface
R2
#sh running-config
!
no service password-encryption
!
logging monitor 7
!
ip vrf management
!
key chain MOON
key 1
key-string 0x5c5b790e25d29287
accept-lifetime 12:00:00 Mar 02 2003 14:00:00 Mar 07 2003
send-lifetime 12:00:00 Mar 02 2003 12:00:00 Mar 07 2003
key 2
key-string 0x51b2c401dd313187
accept-lifetime 12:00:00 Mar 07 2003 14:00:00 Mar 12 2003
send-lifetime 12:00:00 Mar 07 2003 12:00:00 Mar 12 2003
!
ip domain-lookup
spanning-tree mode provider-rstp
feature telnet
feature ssh
no feature tacacs+
snmp-server view all .1 included
ntp enable
sFlow disable
software-watchdog keep-alive-time 30
!
ip pim register-rp-reachability
!
interface lo
mtu 65536
ip address 127.0.0.1/8
ip address 192.168.0.2/32 secondary
ipv6 address ::1/128
!
interface eth0
ip address 10.12.4.108/24
!
interface eth1
!
interface eth2
ip address 10.10.10.50/24
ip rip authentication mode md5
ip rip authentication key-chain chain MOON
!
router rip
network 10.10.10.0/24
redistribute connected
!
line con 0
login
line vty 0 39
login
!
end
#show ip rip
Codes: R - RIP, Rc - RIP connected, Rs - RIP static, K - Kernel,
C - Connected, S - Static, O - OSPF, I - IS-IS, B - BGP,
X - Default
Network Next Hop Metric From If Time
Rc 10.10.10.0/24 1 eth2
C 10.12.4.0/24 1 eth0
R 192.168.0.1/32 10.10.10.10 16 10.10.10.10 eth2 01:29
C 192.168.0.2/32 1 lo
#show ip protocol rip
RIP Database for VRF (default)
Routing Protocol is "rip"
Sending updates every 30 seconds with +/-50%, next due in 9 seconds
Timeout after 180 seconds, garbage collect after 120 seconds
Outgoing update filter list for all interface is not set
Incoming update filter list for all interface is not set
Default redistribution metric is 1
Redistributing: connected
Default version control: send version 2, receive version 2
Interface Send Recv Key-chain
eth2 2 2 chain MOON
Routing for Networks:
10.10.10.0/24
Routing Information Sources:
Gateway Distance Last Update Bad Packets Bad Routes
Number of routes (including connected): 4
Distance: (default is 120)
#show ip rip interface
svlan0.1 is down, line protocol is down
RIP is not enabled on this interface
eth2 is up, line protocol is up
Routing Protocol: RIP
Receive RIP packets
Send RIP packets
Passive interface: Disabled
Split horizon: Enabled with Poisoned Reversed
IP interface address:
10.10.10.50/24
eth1 is down, line protocol is down
RIP is not enabled on this interface
eth0 is up, line protocol is up
RIP is not enabled on this interface
lo is up, line protocol is up
RIP is not enabled on this interface