In this post, I'm going to finish the RIP fundamentals by showing you RIPv2 in action. After reading this, you will see the major differences presented in the lesson 35 (table1) in practice. Also, I want to present the authentication of RIP packets which protects the RIP domain from being poisoned with false routes.
I'm going to use the same topology diagram as in previous lessons. Currently, the routers are running RIPv1. If you read my previous post, you saw the routing problems we ran into as RIPv1 does not advertise network masks along with IP addresses. The rules for sending and receiving updates are explained in lesson 36.
Pic. 1 - Topology Diagram.Icons designed by: Andrzej Szoblik - http://www.newo.pl
As you remember, the subnets: 172.31.3.0/28 and 172.31.3.16/28 have not been advertised by RIPv1. There are a few solutions to this problem, but none of them can be resolved using RIPv1. The simplest solution is to use RIPv2 which is classless routing protocol.
Our current RIPv1 configuration looks like this (here: R1 given as and example).
Pic. 2 - R1's RIPv1 configuration
Now, let's enable RIPv2. Below is an example of R1's configuration. The two highlighted commands are now added on all routers in the topology.
- version 2 - Enables RIPv2.
- no auto-summary - Disables automatic summarization to a class boundary.
If you display the running configuration of R1, it is going to look like the one below :
Pic. 3 - R1's RIPv2 Configuration.show ip protocols' on R3. You can compare it with RIPv1 output in the previous post (lesson 36).
Notice, the 'send and receive version'. Only RIPv2 updates will be sent and accepted now. Also, 'Automatic network summarization is not in effect' tells us that 'no auto-summary' command has been used. Also, both loopback interfaces are listed as 'Passive interface(s)'.
Pic. 4 - RIPv2 Information on R3.
R3(config)#no service timestamps
Extreme care must be taken when using any debug commands on the production equipment. After the diagnostics have been completed, the debug command(s) must be turned off immediately.
All 'debug' commands are VERY dangerous if used on the production routers. They have enormous impact on the CPU and can potentially crash the device. They are typically used as the commands of the last resort during troubleshooting of a given technology when problem cannot be resolved without data they provide. So we tend to use them only in situations when we cannot do any more damage than there has already been done :-).
Pic. 5 - RIPv2 Debug Output on R3.
- Sending and receiving update using version 2.
- Received networks/subnets via 0.0.0.0 mean that the advertising router (here: 172.31.123.2) is the best gateway to the given destination.
- Sending v2 update uses reserved multicast destination IP address 126.96.36.199 rather than broadcast.
Almost all routing protocols allow to authenticate their packets. This is an extra security mechanism used to protect your routing domain. It is easy to install a routing protocol on a computer and poison the routing domain with illegitimate prefixes. This can disrupt the operation of the whole routing domain.
RIP offers two ways of authenticating their packets:
- Simple Password (clear text) authentication.
- MD5 based (one-way algorithm) authentication.
There are three major steps to configure authentication in RIP:
- Configure a key chain - It allows to create multiple keys which can be changed automatically if the routers have the time synchronized. The name of the key chain does NOT have to be identical on all routers.
- Configure at least one key-string (password) in the key chain - Key number MUST be identical on all routers in the RIP domain. Also, the password (key-string) used for authentication must be identical on all routers.
- Apply the key chain - You must apply the key chain on the interfaces where RIP advertisements will be exchanged between the neighbors.
This configuration must be identical on all routers in the RIP domain. Here, I present the configuration on R3.
Create a key chain. The name of the key chain (here: RIP).
R3(config)#key chain RIP
R3(config)#key chain RIP
Configure at least one key-string (password) in the key chain (must be identical on all routers). I do not use additional options allowing the key-string to timeout. The password used is valid forever.
Apply the key chain on the appropriate interface(s). Here the packets must be authenticated between R1 and R2 routers so interface F1/0 will use the key chain.
R3(config-if)#ip rip authentication mode md5
R3(config-if)#ip rip authentication key-chain RIP
If you display information about RIP again, you will notice that authentication of RIP packets has been enabled.
Pic. 6 - RIPv2 Authentication.
Check it out:
Pic. 7 - Invalid Authentication.
Once I have configured identical authentication on all routers, here is the debug output showing that R1 is sending RIP packets with proper authentication.
Pic. 8 - Authenticated RIPv2 Update from R1.
In the next post, I will start exploration of, arguably, the most commonly used routing protocol OSPF.