Configure RIPv2 on routers using clear-text and MD5 authentication
Simple diagram:
R1-> rip clear-text <-R3-> rip MD5 <-R2
Router1:
Router1(config)#key chain TEXT ! key chain name
Router1(config-keychain)#key 1 ! key identifier
Router1(config-keychain-key)#key-string CLEARTEXT ! key string
Router1(config)#router rip
Router1(config-router)#ver 2
Router1(config-router)#network 140.1.0.0 ! RIP advertised networks
Router1(config-router)#network 160.1.0.0
Router1(config-router)#no auto-summary
Router1(config)#int f0/0
Router1(config-if)#ip rip authentication mode text ! clear-text authentication mode
Router1(config-if)#ip rip authentication key-chain TEXT ! key chain name used for authentication
Router2:
Router2(config)#router rip
Router2(config-router)#version 2
Router2(config-router)#network 140.1.0.0
Router2(config-router)#network 160.1.0.0
Router2(config-router)#no auto-summary
Router2(config-router)#exit
Router2(config)#key chain MD5
Router2(config-keychain)#key 1
Router2(config-keychain-key)#key-string MD5HASH
Router2(config-keychain-key)#int f0/0
Router2(config-if)#ip rip authentication mode md5
Router2(config-if)#ip rip authentication key-chain MD5
Router3:
Router3(config)#key chain TEXT
Router3(config-keychain)#key 1
Router3(config-keychain-key)#key-string CLEARTEXT
Router3(config)#key chain MD5
Router3(config-keychain)#key 1
Router3(config-keychain-key)#key-string MD5HASH
Router3(config)#router rip
Router3(config-router)#version 2
Router3(config-router)#network 140.1.0.0
Router3(config-router)#network 160.1.0.0
Router3(config-router)#no auto-summary
Router3(config)#int f0/1
Router3(config-if)#ip rip authentication mode text
Router3(config-if)#ip rip authentication key-chain TEXT
Router3(config-if)#int f0/0
Router3(config-if)#ip rip authentication mode md5
Router3(config-if)#ip rip authentication key-chain MD5
Verify:
Router3#sh ip route rip
160.1.0.0/32 is subnetted, 2 subnets
R 160.1.1.1 [120/1] via 140.1.13.1, 00:00:27, FastEthernet0/1
Router1#
Router1#sh ip route rip
140.1.0.0/16 is variably subnetted, 3 subnets, 2 masks
R 140.1.23.0/24 [120/1] via 140.1.13.3, 00:00:15, FastEthernet0/0
160.1.0.0/32 is subnetted, 2 subnets
R 160.1.3.3 [120/1] via 140.1.13.3, 00:00:15, FastEthernet0/0
Router1#
Router3#debug ip rip
RIP: received packet with text authentication CLEARTEXT
RIP: received v2 update from 140.1.13.1 on FastEthernet0/1
160.1.1.1/32 via 0.0.0.0 in 1 hops
RIP: sending v2 update to 224.0.0.9 via Loopback0 (160.1.3.3)
RIP: build update entries
140.1.13.0/24 via 0.0.0.0, metric 1, tag 0
140.1.23.0/24 via 0.0.0.0, metric 1, tag 0
160.1.1.1/32 via 0.0.0.0, metric 2, tag 0
RIP: ignored v2 packet from 160.1.3.3 (sourced from one of our addresses)
RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (140.1.
Mismatched authentication produces the following debug output:
Router2#
RIP: ignored v2 packet from 136.1.23.3 (invalid authentication)
RIP: sending v2 update to 224.0.0.9 via Loopback0 (150.1.2.2)
RIP: build update entries
136.1.23.0/24 via 0.0.0.0, metric 1, tag 0
RIP: ignored v2 packet from 150.1.2.2 (sourced from one of our addresses)
RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (136.1.23.2)
RIP: build update entries
150.1.2.2/32 via 0.0.0.0, metric 1, tag 0
RIP: ignored v2 packet from 136.1.23.3 (invalid authentication)
RIP: sending v2 update to 224.0.0.9 via Loopback0 (150.1.2.2)
RIP: build update entries
136.1.23.0/24 via 0.0.0.0, metric 1, tag 0
##### Theory #####
RIP authentication is configured in three steps:
1. define a global key chain
2. enable authentication mode (clear-text or MD5) on the RIP interfaces
3. apply the key chain to the interface
Note that for MD5-based authentication, the key number in the key chain must match between the neighbors.
Verification: check whether the routes from the RIP neighbor are installed in the routing table. If they are, authentication was successful.
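Added example (not part of the original lab, and not Cisco code): a Python model of the two RIPv2 authentication entries, following the simple-password layout of RFC 2453 and the keyed-MD5 layout of RFC 2082. It shows why the clear-text key string is readable in the update, as in the debug output above, and why the MD5 key number must match on both neighbors. The function names and the sample route are constructed for illustration, and the sequence-number replay check is left out.

```python
import hashlib
import hmac
import socket
import struct

AUTH_AFI = 0xFFFF             # address family value that marks an authentication entry
TYPE_TEXT, TYPE_MD5 = 2, 3    # simple password (RFC 2453), keyed MD5 (RFC 2082)
HEADER = b"\x02\x02\x00\x00"  # command 2 (response), version 2, two zero bytes

def route_entry(prefix, mask, metric):
    """One 20-byte RIPv2 route entry: AFI 2 (IP), tag 0, next hop 0.0.0.0."""
    return struct.pack("!HH4s4s4sI", 2, 0, socket.inet_aton(prefix),
                       socket.inet_aton(mask), bytes(4), metric)

def build_text(routes, password):
    """Clear-text mode: the key string itself travels in the update."""
    auth = struct.pack("!HH16s", AUTH_AFI, TYPE_TEXT, password.encode())
    return HEADER + auth + b"".join(routes)

def build_md5(routes, key_id, key, seq):
    """MD5 mode: the update carries the key number, a sequence number and a digest."""
    body = b"".join(routes)
    length = len(HEADER) + 20 + len(body)           # everything before the trailer
    auth = struct.pack("!HHHBBI8x", AUTH_AFI, TYPE_MD5, length, key_id, 16, seq)
    signed = HEADER + auth + body + struct.pack("!HH", AUTH_AFI, 1)
    digest = hashlib.md5(signed + key.encode()[:16].ljust(16, b"\0")).digest()
    return signed + digest

def verify_md5(packet, key_chain):
    """Receiver: select the key by the number in the packet, then recompute the digest."""
    if len(packet) < 24:
        return False                                 # too short to hold an auth entry
    _, atype, length, key_id, _, _ = struct.unpack("!HHHBBI", packet[4:16])
    if atype != TYPE_MD5 or key_id not in key_chain:
        return False                                 # no key with that number configured
    key = key_chain[key_id].encode()[:16].ljust(16, b"\0")
    expected = hashlib.md5(packet[:length + 4] + key).digest()
    return hmac.compare_digest(expected, packet[length + 4:length + 20])

if __name__ == "__main__":
    routes = [route_entry("160.1.1.1", "255.255.255.255", 1)]    # constructed sample
    print(b"CLEARTEXT" in build_text(routes, "CLEARTEXT"))        # key visible in the packet
    pkt = build_md5(routes, 1, "MD5HASH", seq=1)
    print(verify_md5(pkt, {1: "MD5HASH"}), verify_md5(pkt, {2: "MD5HASH"}))
```

The last call uses the same key string under key number 2 and is rejected, which is the mismatch the note above warns about.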
################################################################