Authenticate RIP Route Updates

This is only authentication, being that it will only allow routers with the correct key to accept the route updates. This will prevent a person from unknowingly advertising RIP updates to your network, or an attacker from hijacking your RIP network.

Configure the key that is to be used for RIP route authentication, this will need to be the same on all routers that will need to authenticate the routes from this interface.

SC-1(config)#key chain RIPKEY
SC-1(config-keychain)#key 1
SC-1(config-keychain-key)#key
SC-1(config-keychain-key)#key-string s4q1Vr80
SC-1(config-keychain-key)#end

RIP route authentication is configured on a per-interface level. Again, I can’t stress this enough, this will also need to be configured on any other router that will authenticate the RIP routes advertised out of his interface.

SC-1(config)#interface serial 0/0
SC-1(config-if)#ip address 192.168.26.1 255.255.255.0
SC-1(config-if)#ip rip authentication mode md5
SC-1(config-if)#ip rip authentication key-chain RIPKEY
SC-1(config-if)#clockrate 64000
SC-1(config-if)#end
SC-1(config)#

Advertise RIPv2 routes updates on 192.168.26.0/24 subnet.

SC-1#(config)#router rip
SC-1(config-router)#network 192.168.26.0
SC-1(config-router)#version 2

The router at the other end of Serial 0/0 is advertising RIP router updates with authentication and is advertising the network 192.168.200.0/24. If your configuration is correct the routes should appear in your routing table shortly (RIP advertises every 30 seconds by default)

SC-1#show ip route    
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.26.0/24 is directly connected, Serial0/0
R    192.168.200.0/24 [120/1] via 192.168.26.254, 00:00:16, Serial0/0
C    172.16.0.0/12 is directly connected, FastEthernet0/0

If your RIP routes don’t show up in routing table after adding authentication to your configuration, debug ip rip will probably give you all the clues you need to find the problem. For instance, when I configure RIP authentication on just one of the routers, IOS will complain with an error message like the following.

*Mar  1 02:58:27.652: RIP: ignored v2 packet from 192.168.26.254 (invalid authentication)

Happy Routing!

No comments yet.

Leave a comment

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>