Example: Configuring Route Authentication for RIP
This example shows how to configure authentication for a RIP network.
Requirements
No special configuration beyond device initialization is required before configuring this example.
Overview
You can configure the router to authenticate RIP route queries. By default, authentication is disabled. You can use one of the following authentication methods:
- Simple authentication—Uses a text password that is included in the transmitted packet. The receiving router uses an authentication key (password) to verify the packet.
- MD5 authentication—Creates an encoded checksum that is included in the transmitted packet. The receiving router uses an authentication key (password) to verify the packet’s MD5 checksum.
This example shows MD5 authentication.
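How the MD5 checksum described above is produced and checked, as an added example that is not from the original page and is not Junos code. It assumes the RIPv2 keyed-MD5 packet layout of RFC 2082; the function names, key, and sequence handling shown are illustrative.

```python
import hashlib
import hmac
import struct

AUTH_AFI = 0xFFFF       # address family value that marks an authentication entry
KEYED_MD5 = 3           # authentication type for keyed MD5 (RFC 2082)
TRAILER = struct.pack("!HH", AUTH_AFI, 1)   # header of the trailing digest entry


def pad_key(key):
    """Pad the shared key with zero bytes to the 16 bytes fed to MD5."""
    if not 1 <= len(key) <= 16:
        raise ValueError("key must be 1 through 16 bytes")
    return key.ljust(16, b"\x00")


def sign_rip_response(routes, key, key_id, seq):
    """Build a RIPv2 response; routes are (ip, mask, metric) with 4-int tuples."""
    body = b"".join(
        struct.pack("!HH4s4s4sI", 2, 0, bytes(ip), bytes(mask), bytes(4), metric)
        for ip, mask, metric in routes)
    offset = 4 + 20 + len(body)                  # where the trailer starts
    auth = struct.pack("!HHHBBIII", AUTH_AFI, KEYED_MD5, offset, key_id, 16, seq, 0, 0)
    signed = struct.pack("!BBH", 2, 2, 0) + auth + body + TRAILER
    # The key is hashed with the packet but never transmitted; only the digest is.
    return signed + hashlib.md5(signed + pad_key(key)).digest()


def verify_rip_response(packet, key, last_seq=None):
    """Return (accepted, reason) the way a receiving router would decide."""
    if len(packet) < 44:
        return False, "too short"
    afi, atype, offset, _key_id, dlen, seq = struct.unpack("!HHHBBI", packet[4:16])
    if afi != AUTH_AFI or atype != KEYED_MD5:
        return False, "no keyed-MD5 authentication entry"
    if dlen != 16 or offset + 20 != len(packet) or packet[offset:offset + 4] != TRAILER:
        return False, "bad authentication framing"
    expected = hashlib.md5(packet[:offset + 4] + pad_key(key)).digest()
    if not hmac.compare_digest(expected, packet[offset + 4:]):
        return False, "digest mismatch"
    if last_seq is not None and seq < last_seq:
        return False, "stale sequence number"
    return True, "ok"
```

A packet signed with one key and verified with another returns `(False, "digest mismatch")`, which is the rejection the procedure below refers to when neighbor passwords differ.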
Figure 1 shows the topology used in this example.
Figure 1: RIP Authentication Network Topology

CLI Quick Configuration shows the configuration for all of the devices in Figure 1. The section Step-by-Step Procedure describes the steps on Device R1.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
Device R1
Device R2
Device R3
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure RIP authentication:
- Configure the network interfaces.
This example shows multiple loopback interface addresses to simulate attached networks.
[edit interfaces]
user@R1# set fe-1/2/0 unit 1 family inet address 10.0.0.1/30
user@R1# set lo0 unit 1 family inet address 172.16.0.1/32
user@R1# set lo0 unit 1 family inet address 192.168.1.1/32
- Create the RIP group and add the interface.
To configure RIP in Junos OS, you must configure a group that contains the interfaces on which RIP is enabled. You do not need to enable RIP on the loopback interface.
[edit protocols rip group rip-group]
user@R1# set neighbor fe-1/2/0.1
- Create the routing policy to advertise both direct and RIP-learned routes.
[edit policy-options policy-statement advertise-routes-through-rip term 1]
user@R1# set from protocol direct
user@R1# set from protocol rip
user@R1# set then accept
- Apply the routing policy.
In Junos OS, you can only apply RIP export policies at the group level.
[edit protocols rip group rip-group]
user@R1# set export advertise-routes-through-rip
- Require MD5 authentication for RIP route queries received on an interface.
The passwords must match on neighboring RIP routers. If the password does not match, the packet is rejected. The password can be from 1 through 16 contiguous characters long and can include any ASCII characters.
Do not enter the password as shown here. The password shown here is the encrypted password that is displayed in the configuration after the actual password is already configured.
[edit protocols rip]
user@R1# set authentication-type md5
user@R1# set authentication-key "$9$ONLRBhreK87dsM8i.5FAtM8XxNb"
- Configure tracing operations to track authentication.
[edit protocols rip traceoptions]
user@R1# set file rip-authentication-messages
user@R1# set flag auth
user@R1# set flag packets
Results
From configuration mode, confirm your configuration by entering the show interfaces, show protocols, and show policy-options commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
- Checking for Authentication Failures
- Verifying That MD5 Authentication Is Enabled in RIP Update Packets
Checking for Authentication Failures
Purpose
Verify that there are no authentication failures.
Action
From operational mode, enter the show rip statistics command.
user@R1> show rip statistics
RIPv2 info: port 520; holddown 120s.
    rts learned  rts held down  rqsts dropped  resps dropped
              5              0              0              0

fe-1/2/0.1:  5 routes learned; 2 routes advertised; timeout 180s; update interval 30s
Counter                         Total   Last 5 min  Last minute
-------                   -----------  -----------  -----------
Updates Sent                     2669           10            2
Triggered Updates Sent              2            0            0
Responses Sent                      0            0            0
Bad Messages                        0            0            0
RIPv1 Updates Received              0            0            0
RIPv1 Bad Route Entries             0            0            0
RIPv1 Updates Ignored               0            0            0
RIPv2 Updates Received           2675           11            2
RIPv2 Bad Route Entries             0            0            0
RIPv2 Updates Ignored               0            0            0
Authentication Failures             0            0            0
RIP Requests Received               0            0            0
RIP Requests Ignored                0            0            0
none                                0            0            0
Meaning
The output shows that there are no authentication failures.
Verifying That MD5 Authentication Is Enabled in RIP Update Packets
Purpose
Use tracing operations to verify that MD5 authentication is enabled in RIP updates.
Action
From operational mode, enter the show log command.
user@R1> show log rip-authentication-messages | match md5
Feb 15 15:45:13.969462 sending msg 0xb9a8c04, 3 rtes (needs MD5)
Feb 15 15:45:43.229867 sending msg 0xb9a8c04, 3 rtes (needs MD5)
Feb 15 15:46:13.174410 sending msg 0xb9a8c04, 3 rtes (needs MD5)
Feb 15 15:46:42.716566 sending msg 0xb9a8c04, 3 rtes (needs MD5)
Feb 15 15:47:11.425076 sending msg 0xb9a8c04, 3 rtes (needs MD5)
...
Meaning
The (needs MD5) output shows that all route updates require MD5 authentication.
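Both verification checks above can be automated over saved command output, shown here as an added example that is not part of the original page. The sample text is constructed in the format shown above, and the trace check assumes an unauthenticated send is logged without the (needs MD5) suffix, so it must be fed the log without the `| match md5` filter, which would hide such lines.

```python
import re

ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(\d+)\s+(\d+)$")  # counter, total, 5 min, 1 min

# Constructed samples in the format of the output shown on this page.
STATS_OK = """Updates Sent                     2669           10            2
RIPv2 Updates Received           2675           11            2
Authentication Failures             0            0            0"""
STATS_BAD = STATS_OK.rsplit("\n", 1)[0] + "\nAuthentication Failures 14 9 2"
TRACE_OK = """Feb 15 15:45:13.969462 sending msg 0xb9a8c04, 3 rtes (needs MD5)
Feb 15 15:45:43.229867 sending msg 0xb9a8c04, 3 rtes (needs MD5)"""
# Assumption: an unauthenticated send is traced without the "(needs MD5)" suffix.
TRACE_MIXED = TRACE_OK + "\nFeb 15 15:46:13.174410 sending msg 0xb9a8c04, 3 rtes"


def auth_failures(stats_text):
    """Return (total, last 5 min, last minute) for Authentication Failures, or None."""
    for line in stats_text.splitlines():
        m = ROW.match(line.strip())
        if m and m[1] == "Authentication Failures":
            return int(m[2]), int(m[3]), int(m[4])
    return None


def check_rip_auth(stats_text, trace_text):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    fails = auth_failures(stats_text)
    if fails is None:
        findings.append("Authentication Failures counter not found")
    elif fails[1] or fails[2]:
        findings.append(f"{fails[1]} authentication failures in the last 5 minutes")
    elif fails[0]:
        findings.append(f"{fails[0]} authentication failures in total, none recent")
    sends = [l for l in trace_text.splitlines() if "sending msg" in l]
    plain = [l for l in sends if "(needs MD5)" not in l]
    if not sends:
        findings.append("no sent updates in the trace file")
    elif plain:
        findings.append(f"{len(plain)} of {len(sends)} sent updates lack MD5")
    return findings
```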