RIPV2 with Basic Authentication

The image above shows a sample topology of three routers configured with RIPv2. Some things to note:

Loopback Interfaces:
    The Loopback interfaces represent the networks behind each router, i.e. the networks the router advertises to the outside world.

Key Chain
    The key chain here is named RIPV2; the name is arbitrary (NICKSKEY, spurs, anything you can think of) and only has to match the name you reference on the interface.
      **** Remember: after creating the key chain you have to apply it on every interface that sends and receives RIP updates, NOT inside the router rip configuration itself! RIPv2 authentication is a per-interface setting.

 A good analogy: think of a cook in a restaurant kitchen. The cook has all the utensils and "networks" to get the job done and make all the meals in his kitchen (in our case, the networks listed inside the RIP configuration). BUT who does the advertising or talking? The waitress, or in our case the interface talking to other networks! So the waitress, the "interface", has to know the authentication being advertised so that the cook in the kitchen can deliver the meals (networks) to the correct person, or in this case to the correct router!




172.16.16.0 Network
     Each 172.16.16.x/30 link between routers represents the public or "outer-facing" connection to the other routers.


R3:
This router in the topology will NOT be configured for authentication, so it will not be able to exchange routes with R1 or R2.



The configuration:

R1:

key chain RIPV2   ( Starts the key chain; the name can be whatever you want )
 key 1     ( The key number, 0 through 2147483647. RFC 2082 carries a key ID in every authenticated packet and the receiver looks the key up by it, so neighbors must use the same key number and key string )
  key-string cisco ( The key string is the shared secret. It is stored in the running config in cleartext unless service password-encryption is on, and even then only as reversible type 7, so treat the config as sensitive. "cisco" is a lab value, not a production key )




interface Loopback0
 ip address 1.1.1.1 255.255.255.0 ( Represents a network behind the router )
!
interface Loopback1
 ip address 11.11.11.1 255.255.255.0
!
interface FastEthernet0/0
 description Link to R3 ( Don't forget descriptions; they are always good! )
 ip address 172.16.16.9 255.255.255.252
 ip rip authentication mode md5   ( Enables RIP authentication with the MD5 keyed hash. The other option, mode text, sends the key in cleartext on the wire, so md5 is the one to use )
 ip rip authentication key-chain RIPV2 ( Applies the key chain we made beforehand, RIPV2; the name must match the key chain exactly )
 duplex auto
 speed auto
 no shutdown ( Remember to do a no shutdown to turn the interface ON )
!
interface FastEthernet0/1
 description Link to R2
 ip address 172.16.16.1 255.255.255.252
 ip rip authentication mode md5
 ip rip authentication key-chain RIPV2
 duplex auto
 speed auto
 no shutdown

RIP CONFIGURATION

router rip ( enters rip configuration )
version 2  ( we want version 2, not 1; version 1 has no authentication at all )
network 172.16.0.0  ( remember the network statement is classful, so the classful range covers all the 172.16.16.x/30 interfaces going to R2 and R3 instead of listing them separately )
network 1.0.0.0
network 11.0.0.0
no auto-summary ( Disables automatic summarization at classful boundaries so the /30s and /24s are advertised as they are, instead of an entire /16 or /8 showing up in the neighbors' routing tables )


R2:

key chain RIPV2
 key 1
  key-string cisco

interface Loopback0
 ip address 2.2.2.1 255.255.255.0
!
interface Loopback1
 ip address 22.22.22.1 255.255.255.0
!
interface FastEthernet0/0
 description Link to R1
 ip address 172.16.16.2 255.255.255.252
 ip rip authentication mode md5
 ip rip authentication key-chain RIPV2
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Link to R3
 ip address 172.16.16.5 255.255.255.252
 ip rip authentication mode md5
 ip rip authentication key-chain RIPV2
 duplex auto
 speed auto
!
router rip
 version 2
 network 2.0.0.0
 network 22.0.0.0
 network 172.16.0.0
 no auto-summary


R3:

*****This router is configured without authentication to show that its routes will not be seen by R1 or R2 (and that it will not learn theirs)

interface Loopback0
 ip address 3.3.3.1 255.255.255.0
!
interface Loopback1
 ip address 33.33.33.1 255.255.255.0
!
interface FastEthernet0/0
 description Link to R1
 ip address 172.16.16.10 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Link to R2
 ip address 172.16.16.6 255.255.255.252
 duplex auto
 speed auto
!
router rip
 version 2
 network 3.0.0.0
 network 33.0.0.0
 network 172.16.0.0
 no auto-summary
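To make concrete what the key chain and "ip rip authentication mode md5" actually put on the wire, here is an added example (not code from the original post, and not Cisco's implementation) that builds an RFC 2082 keyed-MD5 RIPv2 update the way R1 or R2 would, builds the unauthenticated update R3 sends, and runs the receiver-side check on both. The packet layout and digest computation follow RFC 2082 as implemented in FRRouting's ripd (MD5 over the packet up to and including the 4-byte trailer header, followed by the key zero-padded to 16 bytes). The route lists, the sequence numbers and the candidate word list are constructed for the example; the key-string "cisco" is the page's.

```python
"""RIPv2 keyed-MD5 authentication (RFC 2082) built and checked in Python.

Added example, not from the original post.  Layout and digest follow
RFC 2082 / FRRouting ripd: digest = MD5(packet up to and including the
trailer header || key zero-padded to 16 bytes).  Routes, sequence numbers
and the word list below are constructed for the example.
"""
import hashlib
import hmac
import ipaddress
import struct

RIP_RESPONSE, RIP_V2 = 2, 2
AFI_AUTH = 0xFFFF          # address family that marks an authentication entry
AUTH_MD5 = 3               # authentication type: keyed message digest
AUTH_TRAILER = 1           # type of the trailer entry that carries the digest
MD5_LEN = 16
HDR, ENTRY = 4, 20         # RIP header and entry sizes in bytes


def _rte(prefix, metric):
    """One 20-byte RIPv2 route entry (AFI 2, tag 0, next hop 0.0.0.0)."""
    net = ipaddress.ip_network(prefix)
    return struct.pack("!HH4s4s4sI", 2, 0, net.network_address.packed,
                       net.netmask.packed, b"\0" * 4, metric)


def _pad_key(key):
    kb = key.encode()
    if len(kb) > MD5_LEN:
        raise ValueError("RFC 2082 keys are at most 16 bytes")
    return kb.ljust(MD5_LEN, b"\0")


def build_unauthenticated(routes):
    """What R3 sends: header plus route entries, no authentication at all."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    return header + b"".join(_rte(p, m) for p, m in routes)


def build_md5_update(routes, key, key_id=1, seq=0):
    """What R1/R2 send: auth header entry, routes, trailer with the MD5 digest."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    body = b"".join(_rte(p, m) for p, m in routes)
    pkt_len = HDR + ENTRY + len(body)            # offset of the trailer
    auth = struct.pack("!HHHBBI8s", AFI_AUTH, AUTH_MD5, pkt_len,
                       key_id, MD5_LEN, seq, b"\0" * 8)
    unsigned = header + auth + body + struct.pack("!HH", AFI_AUTH, AUTH_TRAILER)
    digest = hashlib.md5(unsigned + _pad_key(key)).digest()
    return unsigned + digest


def verify_md5_update(pkt, key, last_seq=None):
    """Receive-side check on an MD5-enabled interface; returns (accepted, reason)."""
    if len(pkt) < HDR + ENTRY:
        return False, "too short"
    afi, atype, pkt_len, key_id, dlen, seq = struct.unpack("!HHHBBI", pkt[HDR:HDR + 12])
    if afi != AFI_AUTH or atype != AUTH_MD5:
        return False, "invalid authentication"   # plain or text-mode packet, like R3's
    if dlen != MD5_LEN or pkt_len < HDR + ENTRY or pkt_len + 4 + MD5_LEN != len(pkt):
        return False, "bad length"
    if struct.unpack("!HH", pkt[pkt_len:pkt_len + 4]) != (AFI_AUTH, AUTH_TRAILER):
        return False, "bad trailer"
    # key_id would select the key from the chain; this example has a single key.
    expected = hashlib.md5(pkt[:pkt_len + 4] + _pad_key(key)).digest()
    if not hmac.compare_digest(expected, pkt[pkt_len + 4:]):
        return False, "invalid authentication"   # wrong key or modified contents
    if last_seq is not None and seq < last_seq:
        return False, "replay"                   # RFC 2082: sequence must not go backwards
    return True, "ok"


def recover_key(pkt, candidates):
    """Offline guess against a captured update: keyed MD5 is only as strong as the key-string."""
    for cand in candidates:
        if len(cand.encode()) <= MD5_LEN and verify_md5_update(pkt, cand)[0]:
            return cand
    return None


R1_ROUTES = [("1.1.1.0/24", 1), ("11.11.11.0/24", 1)]                    # R1's loopbacks
R3_ROUTES = [("3.3.3.0/24", 1), ("33.33.33.0/24", 1), ("172.16.16.4/30", 1)]

if __name__ == "__main__":
    r1 = build_md5_update(R1_ROUTES, "cisco", seq=5)
    r3 = build_unauthenticated(R3_ROUTES)
    print("R1 update checked by R2 (key cisco):", verify_md5_update(r1, "cisco"))
    print("R1 update checked with another key :", verify_md5_update(r1, "wrongkey"))
    print("R3 update checked by R1 (key cisco):", verify_md5_update(r3, "cisco"))
    print("dictionary guess of the key-string :", recover_key(r1, ["password", "cisco123", "cisco"]))
```

The last function is the caveat: anyone who can sniff the segment can test key guesses offline against one captured update, so the MD5 mode protects the routing domain only as well as the key-string is chosen, and a short dictionary word such as "cisco" is recovered immediately.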


Now that the network is configured, we should see the following on Router 1:


R1#sh ip route
     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
     2.0.0.0/24 is subnetted, 1 subnets
R       2.2.2.0 [120/1] via 172.16.16.2, 00:00:21, FastEthernet0/1
     172.16.0.0/30 is subnetted, 3 subnets
C       172.16.16.8 is directly connected, FastEthernet0/0
R       172.16.16.4 [120/1] via 172.16.16.2, 00:00:21, FastEthernet0/1
C       172.16.16.0 is directly connected, FastEthernet0/1
     22.0.0.0/24 is subnetted, 1 subnets
R       22.22.22.0 [120/1] via 172.16.16.2, 00:00:22, FastEthernet0/1
     11.0.0.0/24 is subnetted, 1 subnets
C       11.11.11.0 is directly connected, Loopback1


We see both R1's networks and R2's networks BUT we do not see R3's. This is because R3 does not have authentication configured, so R1 and R2 drop its updates. Running a debug on R3 shows what R3 sees when it advertises to R1 and R2, and what happens to the updates it receives from them:


R3# debug ip rip 


*Mar  1 01:03:45.695: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (172.16.16.10)
*Mar  1 01:03:45.695: RIP: build update entries
*Mar  1 01:03:45.695:   3.3.3.0/24 via 0.0.0.0, metric 1, tag 0
*Mar  1 01:03:45.699:   33.33.33.0/24 via 0.0.0.0, metric 1, tag 0
*Mar  1 01:03:45.699:   172.16.16.4/30 via 0.0.0.0, metric 1, tag 0
R3 knows all of its own networks but none of R1's or R2's (172.16.16.8/30 is missing from this update only because split horizon keeps it off the Fa0/0 link it belongs to).
R3#
*Mar  1 01:03:50.919: RIP: ignored v2 packet from 172.16.16.9 (invalid authentication) 
R3 ignores the multicast update from R1 (172.16.16.9) because the authentication is invalid from its point of view: R1 sent an MD5-signed update and R3 has no key chain on the interface to check it with. In the analogy, there is no "waitress". The same happens in the other direction: R1 and R2 discard R3's unauthenticated updates, which is why R3's networks never appear in R1's routing table.

R3#
*Mar  1 01:03:55.939: RIP: ignored v2 packet from 172.16.16.5 (invalid authentication)
Again the update, this time from R2 (172.16.16.5), is ignored because the authentication is invalid. Without the shared key applied on its interfaces, R3 gets no route information; the fix is the same key chain, applied the same way, on R3's own interfaces.
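Those "ignored v2 packet ... (invalid authentication)" lines are also the signal to watch for in production: a known neighbor producing them is a key mismatch (or, as here, one side with no key chain applied), while an unexpected source producing them is someone else speaking RIP on your segment. The following added example (not from the original post) parses that debug line format and sorts the failing sources into those two groups. The first two log lines are the page's; the rest, the expected-neighbor set and the 172.16.16.66 source are constructed for the example.

```python
"""Spot RIP authentication failures in IOS debug/syslog output.

Added example, not from the original post.  Parses the
"RIP: ignored v2 packet from <src> (invalid authentication)" lines that
`debug ip rip` prints and reports which sources fail and how often.
The sample log and the neighbor list are constructed for the example.
"""
import re
from collections import Counter

# Shape of the IOS debug line shown on the page; the timestamp prefix varies.
AUTH_FAIL_RE = re.compile(
    r"RIP: ignored v2 packet from (?P<src>(?:\d{1,3}\.){3}\d{1,3}) "
    r"\(invalid authentication\)"
)

# Constructed sample: R3's two lines from the page plus three made-up ones,
# including a source (172.16.16.66) that is not one of R3's neighbors.
SAMPLE_LOG = """\
*Mar  1 01:03:50.919: RIP: ignored v2 packet from 172.16.16.9 (invalid authentication)
*Mar  1 01:03:55.939: RIP: ignored v2 packet from 172.16.16.5 (invalid authentication)
*Mar  1 01:04:20.903: RIP: ignored v2 packet from 172.16.16.9 (invalid authentication)
*Mar  1 01:04:21.115: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (172.16.16.10)
*Mar  1 01:04:25.331: RIP: ignored v2 packet from 172.16.16.66 (invalid authentication)
"""

# Neighbors R3 is supposed to hear from on its two /30 links (constructed).
R3_NEIGHBORS = {"172.16.16.9", "172.16.16.5"}


def auth_failures(log_text):
    """Return a Counter of {source_ip: number of ignored packets}."""
    hits = Counter()
    for line in log_text.splitlines():
        m = AUTH_FAIL_RE.search(line)
        if m:
            hits[m.group("src")] += 1
    return hits


def classify(failures, expected_neighbors):
    """Split failures into known neighbors (key mismatch) and unknown talkers.

    An unknown source sending RIP on the segment deserves a look: it is either
    an unmanaged device or something trying to inject routes.
    """
    known = {src: n for src, n in failures.items() if src in expected_neighbors}
    unknown = {src: n for src, n in failures.items() if src not in expected_neighbors}
    return known, unknown


if __name__ == "__main__":
    known, unknown = classify(auth_failures(SAMPLE_LOG), R3_NEIGHBORS)
    print("key mismatch with known neighbors:", known)
    print("unexpected RIP sources           :", unknown)
```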

