RIP and beyond

Posted: August 7, 2014 in Cisco Security - Firewalls

The ASA supports RIP (version 1 and version 2) as a single routing process, for IPv4 only.

Enable the RIP process – the global command router rip activates RIP. Version 1 or version 2 is selected with the process-level command version [1|2].

Disable auto-summary – the global command no auto-summary disables automatic summarization at classful network boundaries, which RIP enables by default.

Enable interfaces for RIP – the process-level command network <classful_network> activates sending and receiving of RIP multicast updates on every interface whose address falls within the given network. The subnets matched by the command are also included in the RIP updates the ASA advertises.

Define passive interfaces (optional) – the process-level command passive-interface <nameif> stops the ASA from sending RIP updates out of that interface; updates received on it are still accepted and processed.

Enable authentication (optional) – the interface-level commands rip authentication mode [text|md5] and rip authentication key 0 <key_string> key_id <key_nr> enable clear-text or MD5 authentication for all RIP updates on the respective interface. Only a single key can be configured per interface. Received RIP updates that do not authenticate correctly are discarded.

Originate default route (optional) – the process-level command default-information originate [route-map <name>] makes the ASA advertise a default route in its RIP updates. The route-map is optional and can be used to set the metric of the advertised default route.

Filter routing updates – the process-level command distribute-list <acl_name> [in|out] interface <nameif> filters inbound or outbound updates on the named interface according to the ACL. Only a standard ACL is allowed, so the filter can match on the prefix only, not on the prefix length.
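The authentication step above, as an added example that is not code from the post, the ASA or Cisco: a Python script that builds constructed RIPv2 Response packets carrying the two authentication entries the ASA can send (clear-text per RFC 2453 section 4.1, keyed MD5 per RFC 2082) and verifies them the way a receiver on an authenticated interface must, so a wrong key, a tampered route entry, an unknown key id, a replayed sequence number or a missing authentication entry is discarded as the text says. The key strings JAK and SLAB and key id 1 are taken from the post's configuration; the route entries, the sequence number and the simplified "sequence must not go backwards" replay rule are assumptions of this example.

```python
# Added example (not from the post or Cisco): RIPv2 authentication entries built
# and verified the way a receiver on an authenticated interface must check them.
# Clear-text auth follows RFC 2453 4.1, keyed MD5 follows RFC 2082; the replay
# rule is simplified to "sequence number must not go backwards" (an assumption).
import hashlib
import hmac
import struct

RIP_RESPONSE, RIP_V2 = 2, 2
AFI_IPV4, AFI_AUTH = 2, 0xFFFF
AUTH_TRAILER, AUTH_TEXT, AUTH_MD5 = 1, 2, 3
MD5_LEN = 16
HEADER = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
TRAILER_HDR = struct.pack("!HH", AFI_AUTH, AUTH_TRAILER)

def ip(dotted):
    return bytes(int(o) for o in dotted.split("."))

def dotted(raw):
    return ".".join(str(b) for b in raw)

def key16(key):
    """RIP keys travel as 16 bytes, zero-padded; longer keys are invalid."""
    raw = key.encode()
    if len(raw) > 16:
        raise ValueError("RIP authentication keys are at most 16 bytes")
    return raw.ljust(16, b"\x00")

def rte(prefix, mask, metric, nexthop="0.0.0.0", tag=0):
    """One 20-byte RIPv2 route entry."""
    return struct.pack("!HH4s4s4sI", AFI_IPV4, tag, ip(prefix), ip(mask), ip(nexthop), metric)

def parse_rtes(data):
    routes = []
    for off in range(0, len(data) - 19, 20):
        _afi, _tag, pfx, mask, _nh, metric = struct.unpack("!HH4s4s4sI", data[off:off + 20])
        routes.append((dotted(pfx), dotted(mask), metric))
    return routes

def build_text(key, rtes):
    """Clear-text auth: the password itself is the first entry of the packet."""
    return HEADER + struct.pack("!HH16s", AFI_AUTH, AUTH_TEXT, key16(key)) + b"".join(rtes)

def build_md5(key, key_id, seq, rtes):
    """Keyed MD5: digest over header, auth entry, RTEs, trailer header and the
    zero-padded key; the digest then takes the key's place in the trailer."""
    body = b"".join(rtes)
    pkt_len = len(HEADER) + 20 + len(body)  # offset of the trailer
    auth = struct.pack("!HHHBBIQ", AFI_AUTH, AUTH_MD5, pkt_len, key_id, MD5_LEN, seq, 0)
    data = HEADER + auth + body + TRAILER_HDR
    return data + hashlib.md5(data + key16(key)).digest()

def visible_text_key(packet):
    """What a sniffer (or 'debug ip rip') sees with text auth: the key itself."""
    if len(packet) >= 24 and struct.unpack("!HH", packet[4:8]) == (AFI_AUTH, AUTH_TEXT):
        return packet[8:24].rstrip(b"\x00").decode(errors="replace")
    return None

def verify(packet, keys, last_seq=-1):
    """Receiver-side check. keys maps key_id -> key string (the ASA allows one
    per interface). Returns (accepted, reason, routes); a rejected update
    contributes no routes, which is what 'discarded' means in practice."""
    if len(packet) < 24 or packet[0] != RIP_RESPONSE or packet[1] != RIP_V2:
        return False, "not a RIPv2 response", []
    afi, atype = struct.unpack("!HH", packet[4:8])
    if afi != AFI_AUTH:
        return False, "unauthenticated update on an authenticated interface", []
    if atype == AUTH_TEXT:
        if not any(hmac.compare_digest(packet[8:24], key16(k)) for k in keys.values()):
            return False, "clear-text password mismatch", []
        return True, "text auth ok", parse_rtes(packet[24:])
    if atype == AUTH_MD5:
        pkt_len, key_id, alen, seq, _rsvd = struct.unpack("!HBBIQ", packet[8:24])
        if (alen != MD5_LEN or pkt_len < 24 or (pkt_len - 24) % 20
                or pkt_len + 4 + MD5_LEN != len(packet)):
            return False, "inconsistent length fields", []
        if packet[pkt_len:pkt_len + 4] != TRAILER_HDR:
            return False, "missing authentication trailer", []
        if key_id not in keys:
            return False, "unknown key id %d" % key_id, []
        expect = hashlib.md5(packet[:pkt_len + 4] + key16(keys[key_id])).digest()
        if not hmac.compare_digest(expect, packet[pkt_len + 4:]):
            return False, "MD5 digest mismatch (wrong key or tampered packet)", []
        if seq < last_seq:
            return False, "sequence number went backwards (replay)", []
        return True, "md5 auth ok, key id %d, seq %d" % (key_id, seq), parse_rtes(packet[24:pkt_len])
    return False, "unknown authentication type %d" % atype, []

if __name__ == "__main__":
    # Constructed routes; key strings and key id 1 come from the post's config.
    routes = [rte("136.1.29.0", "255.255.255.0", 1), rte("0.0.0.0", "0.0.0.0", 10)]
    good = build_md5("JAK", 1, 7, routes)
    print(verify(good, {1: "JAK"}))
    print(verify(good, {1: "WRONG"}))
    clear = build_text("SLAB", routes)
    print(verify(clear, {1: "SLAB"}), "on the wire:", visible_text_key(clear))
```

Running the script prints one accepted MD5 update, one rejected for a key mismatch, and an accepted clear-text update next to the key string recovered from its bytes; that last value is the reason the md5 mode is preferred on any segment where an untrusted host could capture traffic, and it is also what the router's debug output later in the post prints for the text-authenticated link.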


Configuration steps:

ASA2:
route-map RIP-MAP permit 10
set metric 10
!
access-list RIP-VLAN26 deny any
!
router rip
version 2
no auto-summary
default-information originate route-map RIP-MAP
network 136.1.0.0
network 172.16.0.0
passive-interface VLAN26
distribute-list RIP-VLAN26 in interface VLAN26
!
interface Management0/0
rip authentication mode text
rip authentication key 0 SLAB key_id 1
!
interface Ethernet0/1.29
rip authentication mode md5
rip authentication key 0 JAK key_id 1


~~~~~ Router 1 config:

router rip
version 2
no auto-summary
network 136.1.0.0
network 150.1.0.0
!
key chain RIP
key 1
key-string 0 JAK
!
interface gigabitEthernet0/0
ip rip authentication mode md5
ip rip authentication key-chain RIP

~~~~~ Router 2 config:

router rip
version 2
no auto-summary
network 136.1.0.0
network 150.1.0.0
!
key chain RIP
key 1
key-string 0 SLAB
!
interface gigabitEthernet0/0.19
ip rip authentication mode text
ip rip authentication key-chain RIP

RTR01#sh ip route rip | b Gateway
Gateway of last resort is 136.1.19.16 to network 0.0.0.0

R*    0.0.0.0/0 [120/10] via 136.1.19.16, 00:00:14, FastEthernet0/0.19
136.1.0.0/16 is variably subnetted, 9 subnets, 2 masks
R        136.1.29.0/24 [120/1] via 136.1.19.16, 00:00:14, FastEthernet0/0.19
R        136.1.56.0/24 [120/2] via 136.1.19.16, 00:00:14, FastEthernet0/0.19
150.1.0.0/16 is variably subnetted, 5 subnets, 2 masks
R        150.1.0.0/16 [120/2] via 136.1.19.16, 00:00:14, FastEthernet0/0.19
RTR01#sh ip protocols
*** IP Routing is NSF aware ***

Routing Protocol is "rip"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Sending updates every 30 seconds, next due in 24 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Redistributing: rip
Default version control: send version 2, receive version 2
Interface             Send  Recv  Triggered RIP  Key-chain
FastEthernet0/0.19    2     2                    RIP
FastEthernet0/0.27    2     2
FastEthernet0/1       2     2
Loopback0             2     2
Loopback1             2     2
Automatic network summarization is not in effect
Maximum path: 4
Routing for Networks:
136.1.0.0
150.1.0.0
Routing Information Sources:
Gateway         Distance      Last Update
136.1.19.16          120      00:00:21
Distance: (default is 120)

RTR01#debug ip rip
*Aug  7 17:08:59.032: RIP: received packet with text authentication SLAB
*Aug  7 17:08:59.032: RIP: received v2 update from 136.1.19.16 on FastEthernet0/0.19
*Aug  7 17:08:59.032:      0.0.0.0/0 via 0.0.0.0 in 10 hops
*Aug  7 17:08:59.032:      136.1.29.0/24 via 0.0.0.0 in 1 hops
*Aug  7 17:09:01.804: RIP: sending v2 update to 224.0.0.9 via Loopback1 (150.1.11.11)
*Aug  7 17:09:01.804: RIP: build update entries
*Aug  7 17:09:01.804:   0.0.0.0/0 via 0.0.0.0, metric 11, tag 0
*Aug  7 17:09:01.804:   136.1.19.0/24 via 0.0.0.0, metric 1, tag 0
*Aug  7 17:09:01.804:   136.1.27.0/24 via 0.0.0.0, metric 1, tag 0
*Aug  7 17:09:01.804:   136.1.29.0/24 via 0.0.0.0, metric 2, tag 0
*Aug  7 17:09:01.804:   136.1.49.0/24 via 0.0.0.0, metric 1, tag 0
*Aug  7 17:09:01.804:   150.1.1.1/32 via 0.0.0.0, metric 1, tag 0
*Aug  7 17:09:01.804: RIP: ignored v2 packet from 150.1.11.11 (sourced from one of our addresses)
*Aug  7 17:09:04.972: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0.27 (136.1.27.1)
*Aug  7 17:09:04.972: RIP: build update entries
*Aug  7 17:09:04.972:   0.0.0.0/0 via 0.0.0.0, metric 11, tag 0
*Aug  7 17:09:04.972:   136.1.19.0/24 via 0.0.0.0, metric 1, tag 0
*Aug  7 17:09:04.972:   136.1.29.0/24 via 0.0.0.0, metric 2, tag 0
*Aug  7 17:09:04.972:   136.1.49.0/24 via 0.0.0.0, metric 1, tag 0
*Aug  7 17:09:04.972:   150.1.1.1/32 via 0.0.0.0, metric 1, tag 0
*Aug  7 17:09:04.972:   150.1.11.11/32 via 0.0.0.0, metric 1, tag 0
~~~~~~~~~~~~~~~

ASA02-5510# sh route | in R
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
* - candidate default, U - per-user static route, o - ODR
R    136.1.56.0 255.255.255.0 [120/1] via 136.1.29.2, 0:01:08, VLAN29
R    136.1.49.0 255.255.255.0 [120/1] via 136.1.19.1, 0:00:00, VLAN19
R    150.1.11.11 255.255.255.255 [120/1] via 136.1.19.1, 0:00:00, VLAN19
R    150.1.1.1 255.255.255.255 [120/1] via 136.1.19.1, 0:00:00, VLAN19
R    150.1.0.0 255.255.0.0 [120/1] via 136.1.29.2, 0:01:08, VLAN29
ASA02-5510#
