To enable authentication for RIPv2 in Cisco IOS, first configure a key chain that defines the
key to use. The key chain is then applied on a per-interface basis, and the mode of authentication
(clear text vs. MD5) is defined on the same interface. If no mode is configured, IOS uses clear text.

R1 Clear Text Authentication Configuration

key chain RIPkey
 key 1
  key-string cisco123
!
interface GigabitEthernet0/0
 ip address 136.1.13.1 255.255.255.0
 ip rip authentication key-chain RIPkey
 duplex auto
 speed auto

R3 Clear Text Authentication Configuration

key chain RIPkey
 key 1
  key-string cisco123
!
interface FastEthernet0/0.13
 encapsulation dot1Q 13
 ip address 136.1.13.3 255.255.255.0
 ip rip authentication key-chain RIPkey
!
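
Verification

To verify, use the debug ip rip command to see the updates being received with authentication
applied. Use the show ip route command to verify that the expected routes appear in the
routing table. With clear-text authentication, the debug output prints the key itself (cisco123
below), because the key is carried unencrypted in each update.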

R1 Cleartext Authentication

Jan 8 18:09:44.984: RIP: received packet with text authentication cisco123
Jan 8 18:09:44.984: RIP: received v2 update from 136.1.13.3 on GigabitEthernet0/0
Jan 8 18:09:44.984: 10.0.0.0/24 via 0.0.0.0 in 1 hops
Jan 8 18:09:44.984: 10.1.0.0/24 via 0.0.0.0 in 1 hops
Jan 8 18:09:44.984: 136.1.23.0/24 via 0.0.0.0 in 1 hops
Jan 8 18:09:44.984: 150.1.2.0/24 via 0.0.0.0 in 2 hops

R2 MD5 Authentication Configuration

R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#key chain RIPkey
R2(config-keychain)# key 1
R2(config-keychain-key)# key-string cisco123
R2(config-keychain-key)#int g0/0
R2(config-if)#ip rip authentication mode md5
R2(config-if)#ip rip authentication key-chain RIPkey
R2(config-if)#end

R3 MD5 Authentication Configuration

Recall that the key chain was already configured on R3 for clear-text authentication. It is
recommended that you use a different key chain for each method when configuring both: the
clear-text key is exposed in every update, so reusing it weakens the MD5 protection. In
this case, we use the same key for the sake of simplicity.

Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#int f0/0.23
R3(config-subif)#ip rip authentication mode md5
R3(config-subif)#ip rip authentication key-chain RIPkey
R3(config-subif)#end

R2 MD5 Authentication Verification

RIP protocol debugging is on
R2#
Jan 8 18:54:31.388: RIP: received packet with MD5 authentication
Jan 8 18:54:31.388: RIP: received v2 update from 136.1.23.3 on GigabitEthernet0/0
Jan 8 18:54:31.388: RIP: received packet with MD5 authentication
Jan 8 18:54:31.388: RIP: received v2 update from 136.1.23.3 on GigabitEthernet0/0
Jan 8 18:54:31.388: 10.0.0.0/24 via 0.0.0.0 in 1 hops
Jan 8 18:54:31.388: 10.1.0.0/24 via 0.0.0.0 in 1 hops
Jan 8 18:54:31.388: 136.1.13.0/24 via 0.0.0.0 in 1 hops
Jan 8 18:54:31.388: 150.1.1.0/24 via 0.0.0.0 in 2 hops
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 2 subnets
R 10.0.0.0 [120/1] via 136.1.23.3, 00:00:09, GigabitEthernet0/0
R 10.1.0.0 [120/1] via 136.1.23.3, 00:00:09, GigabitEthernet0/0
136.1.0.0/16 is variably subnetted, 3 subnets, 2 masks
R 136.1.13.0/24 [120/1] via 136.1.23.3, 00:00:09, GigabitEthernet0/0
C 136.1.23.0/24 is directly connected, GigabitEthernet0/0
L 136.1.23.2/32 is directly connected, GigabitEthernet0/0
150.1.0.0/16 is variably subnetted, 3 subnets, 2 masks
R 150.1.1.0/24 [120/2] via 136.1.23.3, 00:00:10, GigabitEthernet0/0
C 150.1.2.0/24 is directly connected, Loopback0
L 150.1.2.2/32 is directly connected, Loopback0
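
A config audit for the settings shown above, as an added example that is not part of the original post: it flags interfaces where a RIP key chain is applied without mode md5 (clear text), key chains that are referenced but never defined, and a key chain shared between clear-text and MD5 interfaces. The function name and sample text are assumptions; the sample merges R3's two stanzas from this page into one excerpt.

```python
import re

# Constructed sample: R3's stanzas from the page, merged into one config excerpt.
SAMPLE_CONFIG = """\
key chain RIPkey
 key 1
  key-string cisco123
!
interface FastEthernet0/0.13
 encapsulation dot1Q 13
 ip address 136.1.13.3 255.255.255.0
 ip rip authentication key-chain RIPkey
!
interface FastEthernet0/0.23
 ip rip authentication mode md5
 ip rip authentication key-chain RIPkey
!
"""

def audit_rip_auth(config):
    """Return sorted findings about RIP authentication in an IOS-style config."""
    chains, ifaces, current = set(), {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.fullmatch(r"key chain (\S+)", line):
            chains.add(m.group(1))
            current = None  # left interface context
        elif m := re.fullmatch(r"interface (\S+)", line):
            # Clear text is the mode in effect unless "mode md5" is configured.
            current = ifaces.setdefault(m.group(1), {"mode": "text", "chain": None})
        elif current is not None and (
            m := re.fullmatch(r"ip rip authentication (mode|key-chain) (\S+)", line)
        ):
            current["mode" if m.group(1) == "mode" else "chain"] = m.group(2)
    findings, modes_by_chain = [], {}
    for name, cfg in ifaces.items():
        if cfg["chain"] is None:
            continue  # no key chain referenced: outside the scope of this check
        modes_by_chain.setdefault(cfg["chain"], set()).add(cfg["mode"])
        if cfg["mode"] != "md5":
            findings.append(f"{name}: clear-text RIP authentication (key sent in every update)")
        if cfg["chain"] not in chains:
            findings.append(f"{name}: key chain {cfg['chain']} is not defined")
    for chain, modes in modes_by_chain.items():
        if len(modes) > 1:
            findings.append(f"{chain}: same key chain used for clear-text and MD5 interfaces")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit_rip_auth(SAMPLE_CONFIG)))
```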