[Experience sharing] Cisco RIPv2 Authentication and Triggered Updates

Posted 2018-7-20 13:11:21
  1. Lab objectives
  This lab covers:
  (1) Configuration and key-matching rules of RIPv2 plaintext authentication
  (2) Configuration and key-matching rules of RIPv2 MD5 authentication
  (3) RIPv2 triggered updates
  2. Topology

  The lab topology is shown in Figure 4-1.
  3. Lab steps
  (1) Step 1: configure router R1
  R1(config)#key chain test //define the key chain
  R1(config-keychain)#key 1 //define key 1 (the key ID)
  R1(config-keychain-key)#key-string cisco //set the key string for key 1
  R1(config)#interface s0/0/0
  R1(config-if)#ip rip authentication mode text
  //enable authentication in plaintext mode; plaintext is the default mode, so this line can also be omitted
  R1(config-if)#ip rip authentication key-chain test //apply the key chain on the interface
  R1(config-if)#ip rip triggered //enable triggered updates on the interface
  (2) Step 2: configure router R2
  R2(config)#key chain test
  R2(config-keychain)#key 1
  R2(config-keychain-key)#key-string cisco
  R2(config)#interface s0/0/0
  R2(config-if)#ip rip triggered
  R2(config-if)#ip rip authentication key-chain test
  R2(config-if)#interface s0/0/1
  R2(config-if)#ip rip authentication key-chain test
  R2(config-if)#ip rip triggered
  (3) Step 3: configure router R3
  R3(config)#key chain test
  R3(config-keychain)#key 1
  R3(config-keychain-key)#key-string cisco
  R3(config)#interface s0/0/0
  R3(config-if)#ip rip authentication key-chain test
  R3(config-if)#ip rip triggered
  R3(config-if)#interface s0/0/1
  R3(config-if)#ip rip authentication key-chain test
  R3(config-if)#ip rip triggered
  (4) Step 4: configure router R4
  R4(config)#key chain test
  R4(config-keychain)#key 1
  R4(config-keychain-key)#key-string cisco
  R4(config)#interface s0/0/0
  R4(config-if)#ip rip authentication key-chain test
  R4(config-if)#ip rip triggered
  4. Lab verification
  (1)show ip protocols
  R2#show ip protocols
  Routing Protocol is "rip"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Sending updates every 30 seconds, next due in 4 seconds
  Invalid after 180 seconds, hold down 0, flushed after 240
  // because triggered updates are in use, the hold-down timer is automatically set to 0
  Redistributing: rip
  Default version control: send version 2, receive version 2
  Interface Send Recv Triggered RIP Key-chain
  Serial0/0/0 2 2 Yes test
  Serial0/0/1 2 2 Yes test
  // the two lines above show that authentication and triggered updates are enabled on s0/0/0 and s0/0/1
  Automatic network summarization is not in effect
  Maximum path: 4
  Routing for Networks:
  192.168.12.0
  192.168.23.0
  Routing Information Sources:
  Gateway Distance Last Update
  192.168.12.1 120 00:26:10
  192.168.23.3 120 00:26:01
  Distance: (default is 120)
  (2)debug ip rip
  R2#debug ip rip
  RIP protocol debugging is on
  R2#clear ip route *
  *Feb 11 13:51:31.827: RIP: sending triggered request on Serial0/0/0 to 224.0.0.9
  *Feb 11 13:51:31.831: RIP: sending triggered request on Serial0/0/1 to 224.0.0.9
  *Feb 11 13:51:31.843: RIP: sending triggered request on Serial0/0/0 to 224.0.0.9
  *Feb 11 13:51:31.847: RIP: sending triggered request on Serial0/0/1 to 224.0.0.9
  *Feb 11 13:51:31.847: RIP: send v2 triggered flush update to 192.168.12.1 on Serial0/0/0 with no route
  *Feb 11 13:51:31.851: RIP: start retransmit timer of 192.168.12.1
  *Feb 11 13:51:31.855: RIP: send v2 triggered flush update to 192.168.23.3 on Serial0/0/1 with no route
  *Feb 11 13:51:31.855: RIP: start retransmit timer of 192.168.23.3
  *Feb 11 13:51:32.019: RIP: received packet with text authentication cisco
  *Feb 11 13:51:32.019: RIP: received v2 triggered update from 192.168.12.1 on Serial0/0/0
  *Feb 11 13:51:32.023: RIP: sending v2 ack to 192.168.12.1 via Serial0/0/0 (192.168.12.2), flush, seq# 1
  *Feb 11 13:51:32.027: 1.1.1.0/24 via 0.0.0.0 in 1 hops
  *Feb 11 13:51:32.031: RIP: received packet with text authentication cisco
  *Feb 11 13:51:32.035: RIP: received v2 triggered update from 192.168.23.3 on Serial0/0/1
  *Feb 11 13:51:32.035: RIP: sending v2 ack to 192.168.23.3 via Serial0/0/1 (192.168.23.2), flush, seq# 2
  *Feb 11 13:51:32.039: 192.168.34.0/24 via 0.0.0.0 in 1 hops
  *Feb 11 13:51:32.043: 4.4.4.0/24 via 0.0.0.0 in 2 hops
  *Feb 11 13:51:32.071: RIP: received packet with text authentication cisco
  *Feb 11 13:51:32.071: RIP: received v2 triggered update from 192.168.23.3 on Serial0/0/1
  *Feb 11 13:51:32.071: RIP: sending v2 ack to 192.168.23.3 via Serial0/0/1 (192.168.23.2), flush, seq# 3
  *Feb 11 13:51:32.075: 192.168.34.0/24 via 0.0.0.0 in 1 hops
  *Feb 11 13:51:32.079: 4.4.4.0/24 via 0.0.0.0 in 2 hops
  *Feb 11 13:51:32.083: RIP: received packet with text authentication cisco
  *Feb 11 13:51:32.083: RIP: received v2 triggered ack from 192.168.23.3 on Serial0/0/1 flush seq# 2
  *Feb 11 13:51:32.087: RIP: send v2 triggered update to 192.168.23.3 on Serial0/0/1
  *Feb 11 13:51:32.087: RIP: build update entries
  *Feb 11 13:51:32.091: route 176: 192.168.12.0/24 metric 1, tag 0
  *Feb 11 13:51:32.091: route 181: 1.1.1.0/24 metric 2, tag 0
  *Feb 11 13:51:32.095: RIP: Update contains 2 routes, start 176, end 188
  *Feb 11 13:51:32.095: RIP: start retransmit timer of 192.168.23.3
  *Feb 11 13:51:32.099: RIP: received packet with text authentication cisco
  *Feb 11 13:51:32.099: RIP: received v2 triggered update from 192.168.12.1 on Serial0/0/0
  *Feb 11 13:51:32.103: RIP: sending v2 ack to 192.168.12.1 via Serial0/0/0 (192.168.12.2), flush, seq# 2
  *Feb 11 13:51:32.107: 1.1.1.0/24 via 0.0.0.0 in 1 hops
  *Feb 11 13:51:32.107: RIP: received packet with text authentication cisco
  *Feb 11 13:51:32.111: RIP: received v2 triggered ack from 192.168.12.1 on Serial0/0/0 flush seq# 3
  *Feb 11 13:51:32.111: RIP: send v2 triggered update to 192.168.12.1 on Serial0/0/0
  *Feb 11 13:51:32.115: RIP: build update entries
  *Feb 11 13:51:32.115: route 178: 192.168.23.0/24 metric 1, tag 0
  *Feb 11 13:51:32.119: route 184: 192.168.34.0/24 metric 2, tag 0
  *Feb 11 13:51:32.123: route 187: 4.4.4.0/24 metric 3, tag 0
  *Feb 11 13:51:32.123: RIP: Update contains 3 routes, start 178, end 188
  *Feb 11 13:51:32.123: RIP: start retransmit timer of 192.168.12.1
  *Feb 11 13:51:32.263: RIP: received packet with text authentication cisco
  *Feb 11 13:51:32.263: RIP: received v2 triggered ack from 192.168.23.3 on Serial0/0/1 seq# 3
  *Feb 11 13:51:32.267: RIP: received packet with text authentication cisco
  *Feb 11 13:51:32.271: RIP: received v2 triggered ack from 192.168.12.1 on Serial0/0/0 seq# 4
  The output above shows that on router R2, even though debug ip rip is enabled, no periodic update every 30 seconds is seen, because triggered updates are in use; instead, clearing the routing table is the event that triggered the routing update. Every update carries the word "triggered", and every received update carries "text authentication", which confirms that interfaces s0/0/0 and s0/0/1 have triggered updates and plaintext authentication enabled. Note that with plaintext authentication the key string itself ("cisco") is visible in the debug output, exactly as it is on the wire.
  (3)show ip rip database
  This command displays the RIP database.
  R2#show ip rip database
  1.0.0.0/8 auto-summary
  1.1.1.0/24
  [1] via 192.168.12.1, 00:12:22 (permanent), Serial0/0/0
  * Triggered Routes:
  - [1] via 192.168.12.1, Serial0/0/0
  4.0.0.0/8 auto-summary
  4.4.4.0/24
  [2] via 192.168.23.3, 00:12:22 (permanent), Serial0/0/1
  * Triggered Routes:
  - [2] via 192.168.23.3, Serial0/0/1
  192.168.12.0/24 auto-summary
  192.168.12.0/24 directly connected, Serial0/0/0
  192.168.23.0/24 auto-summary
  192.168.23.0/24 directly connected, Serial0/0/1
  192.168.34.0/24 auto-summary
  192.168.34.0/24
  [1] via 192.168.23.3, 00:12:22 (permanent), Serial0/0/1
  * Triggered Routes:
  - [1] via 192.168.23.3, Serial0/0/1
  The output above further confirms that triggered updates are enabled on s0/0/0 and s0/0/1.
  (4)show run
  R2#show run | begin router rip
  router rip
  version 2
  timers basic 30 180 0 240
  // because triggered updates are in use, the line above is added to the configuration automatically, with the hold-down timer set to 0
  network 192.168.12.0
  network 192.168.23.0
  no auto-summary
  For MD5 authentication, the only change is to declare the authentication mode as MD5 under the interface. For example, the configuration on R1 is:
  R1(config)#key chain test //define the key chain
  R1(config-keychain)#key 1
  R1(config-keychain-key)#key-string cisco
  R1(config)#interface s0/0/0
  R1(config-if)#ip rip authentication mode md5 //authentication mode is MD5
  R1(config-if)#ip rip authentication key-chain test
  The rest of the configuration is the same as for plaintext authentication and is not repeated here. Running "debug ip rip" on R2 then shows output similar to the following:
  *Feb 11 14:04:36.851: RIP: sending triggered request on Serial0/0/0 to 224.0.0.9
  *Feb 11 14:04:36.855: RIP: sending triggered request on Serial0/0/1 to 224.0.0.9
  *Feb 11 14:04:36.867: RIP: sending triggered request on Serial0/0/0 to 224.0.0.9
  *Feb 11 14:04:36.871: RIP: sending triggered request on Serial0/0/1 to 224.0.0.9
  *Feb 11 14:04:36.871: RIP: send v2 triggered flush update to 192.168.12.1 on Serial0/0/0 with no route
  *Feb 11 14:04:36.875: RIP: start retransmit timer of 192.168.12.1
  *Feb 11 14:04:36.875: RIP: send v2 triggered flush update to 192.168.23.3 on Serial0/0/1 with no route
  *Feb 11 14:04:36.879: RIP: start retransmit timer of 192.168.23.3
  *Feb 11 14:04:36.927: RIP: received packet with MD5 authentication
  *Feb 11 14:04:36.931: RIP: received v2 triggered update from 192.168.23.3 on Serial0/0/1
  *Feb 11 14:04:36.931: RIP: sending v2 ack to 192.168.23.3 via Serial0/0/1 (192.168.23.2), flush, seq# 4
  *Feb 11 14:04:36.935: 192.168.34.0/24 via 0.0.0.0 in 1 hops
  *Feb 11 14:04:36.943: 4.4.4.0/24 via 0.0.0.0 in 2 hops
  *Feb 11 14:04:36.947: RIP: received packet with MD5 authentication
  *Feb 11 14:04:36.947: RIP: received v2 triggered update from 192.168.12.1 on Serial0/0/0
  *Feb 11 14:04:36.951: RIP: sending v2 ack to 192.168.12.1 via Serial0/0/0 (192.168.12.2), flush, seq# 3
  *Feb 11 14:04:36.955: 1.1.1.0/24 via 0.0.0.0 in 1 hops
  *Feb 11 14:04:36.959: RIP: received packet with MD5 authentication
  *Feb 11 14:04:36.959: RIP: received v2 triggered update from 192.168.12.1 on Serial0/0/0
  *Feb 11 14:04:36.963: RIP: sending v2 ack to 192.168.12.1 via Serial0/0/0 (192.168.12.2), flush, seq# 4
  *Feb 11 14:04:36.967: 1.1.1.0/24 via 0.0.0.0 in 1 hops
  *Feb 11 14:04:36.967: RIP: received packet with MD5 authentication
  *Feb 11 14:04:36.971: RIP: received v2 triggered ack from 192.168.12.1 on Serial0/0/0 flush seq# 5
  *Feb 11 14:04:36.971: RIP: send v2 triggered update to 192.168.12.1 on Serial0/0/0
  *Feb 11 14:04:36.975: RIP: build update entries
  *Feb 11 14:04:36.975: route 191: 192.168.23.0/24 metric 1, tag 0
  *Feb 11 14:04:36.979: route 194: 192.168.34.0/24 metric 2, tag 0
  *Feb 11 14:04:36.979: route 197: 4.4.4.0/24 metric 3, tag 0
  *Feb 11 14:04:36.983: RIP: Update contains 3 routes, start 191, end 201
  *Feb 11 14:04:36.983: RIP: start retransmit timer of 192.168.12.1
  *Feb 11 14:04:36.991: RIP: received packet with MD5 authentication
  *Feb 11 14:04:36.991: RIP: received v2 triggered update from 192.168.23.3 on Serial0/0/1
  *Feb 11 14:04:36.991: RIP: sending v2 ack to 192.168.23.3 via Serial0/0/1 (192.168.23.2), flush, seq# 5
  *Feb 11 14:04:36.999: 192.168.34.0/24 via 0.0.0.0 in 1 hops
  *Feb 11 14:04:36.999: 4.4.4.0/24 via 0.0.0.0 in 2 hops
  *Feb 11 14:04:37.003: RIP: received packet with MD5 authentication
  *Feb 11 14:04:37.003: RIP: received v2 triggered ack from 192.168.23.3 on Serial0/0/1 flush seq# 4
  *Feb 11 14:04:37.007: RIP: send v2 triggered update to 192.168.23.3 on Serial0/0/1
  *Feb 11 14:04:37.007: RIP: build update entries
  *Feb 11 14:04:37.011: route 189: 192.168.12.0/24 metric 1, tag 0
  *Feb 11 14:04:37.015: route 200: 1.1.1.0/24 metric 2, tag 0
  *Feb 11 14:04:37.015: RIP: Update contains 2 routes, start 189, end 201
  *Feb 11 14:04:37.019: RIP: start retransmit timer of 192.168.23.3
  *Feb 11 14:04:37.059: RIP: received packet with MD5 authentication
  *Feb 11 14:04:37.059: RIP: received v2 triggered ack from 192.168.12.1 on Serial0/0/0 seq# 6
  *Feb 11 14:04:37.067: RIP: received packet with MD5 authentication
  *Feb 11 14:04:37.071: RIP: received v2 triggered ack from 192.168.23.3 on Serial0/0/1 seq# 5
  The output above shows that MD5 authentication and triggered updates are in use; unlike the plaintext case, the key string no longer appears in the debug output.
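The two debug captures above can be checked mechanically rather than by eye. The following is an added example, not part of the original post: it pairs each received RIP packet with the authentication line logged just before it, records the authentication mode per interface and peer, and flags packets that arrived without authentication as well as plaintext keys that are readable in the log. The sample lines are constructed in the format of the captures above; the FastEthernet line and the "ignored ... (invalid authentication)" line are assumed formats, not taken from the page.

```python
import re

# Constructed sample in the format of the "debug ip rip" output above (not the
# page's own capture). The FastEthernet and "ignored" lines are assumptions
# added to show what an unauthenticated and a rejected packet would look like.
SAMPLE_DEBUG = """\
*Feb 11 13:51:32.019: RIP: received packet with text authentication cisco
*Feb 11 13:51:32.019: RIP: received v2 triggered update from 192.168.12.1 on Serial0/0/0
*Feb 11 13:51:32.071: RIP: received packet with MD5 authentication
*Feb 11 13:51:32.071: RIP: received v2 triggered update from 192.168.23.3 on Serial0/0/1
*Feb 11 13:51:40.100: RIP: received v2 update from 192.168.45.5 on FastEthernet0/0
*Feb 11 13:51:41.200: RIP: ignored v2 packet from 192.168.12.9 (invalid authentication)
"""

AUTH_RE = re.compile(r"received packet with (text|MD5) authentication(?: (\S+))?")
RECV_RE = re.compile(r"received v2 (triggered )?\w+ from (\S+) on (\S+)")
IGNORED_RE = re.compile(r"ignored v2 packet from (\S+) \(([^)]*)\)")


def audit_rip_debug(text):
    """Pair each 'received v2 ... from PEER on IFACE' line with the authentication
    line that precedes it and summarise what each interface is accepting."""
    report = {"interfaces": {}, "rejected": [], "issues": []}
    pending = None  # (mode, key) from the most recent authentication line
    for line in text.splitlines():
        if m := AUTH_RE.search(line):
            pending = (m.group(1), m.group(2))  # key is None for MD5
        elif m := RECV_RE.search(line):
            triggered, peer, iface = bool(m.group(1)), m.group(2), m.group(3)
            mode, key = pending or ("none", None)
            pending = None  # each authentication line covers exactly one packet
            report["interfaces"].setdefault(iface, {})[peer] = {
                "auth": mode, "triggered": triggered}
            if mode == "none":
                report["issues"].append(f"{iface}: unauthenticated packet from {peer}")
            elif mode == "text":
                report["issues"].append(
                    f"{iface}: plaintext key {key!r} from {peer} is readable in the debug log")
        elif m := IGNORED_RE.search(line):
            report["rejected"].append((m.group(1), m.group(2)))
    return report


if __name__ == "__main__":
    for issue in audit_rip_debug(SAMPLE_DEBUG)["issues"]:
        print(issue)
```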
  [Technical notes]
  (1) Triggered updates are not supported on Ethernet interfaces;
  (2) Triggered updates must be negotiated, so both ends of the link must be configured;
  (3) During authentication, when more than one key ID is defined, the matching rules for plaintext and MD5 authentication are different:
  ① The matching rule for plaintext authentication is:
  A. The sender sends the key with the smallest key ID;
  B. The key ID is not carried in the packet;
  C. The receiver compares the key string against all keys in its key chain; if any one matches, authentication succeeds.
  [Example 1]
  Router R1 has one key ID [...]; router R2 has two key IDs [...]. By the rule above, authentication on R1 fails while authentication on R2 succeeds, so one-way routes in RIP are nothing unusual.
  ② The matching rule for MD5 authentication is:
  A. The sender sends the key with the smallest key ID;
  B. The key ID is carried in the packet;
  C. The receiver first looks for a key with the same key ID [...] succeeds. If it has no key with that key ID [...]
  [Example 2]
  Router R1 has three key IDs [...]; router R2 has one key ID [...]. By the rule above, authentication on R1 fails while authentication on R2 succeeds.
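The matching rules in note (3) can be modelled directly to see why plaintext authentication produces one-way adjacencies. The following added example (not from the original post) represents each router's key chain as a mapping of key ID to key string and applies the plaintext and MD5 rules as stated above. The key chains are constructed for illustration, and because the page's text for the case of a missing key ID under MD5 is incomplete, that case is treated as a failure here, which is an assumption.

```python
def lowest_key(chain):
    """Return (key_id, key_string) of the key with the smallest key ID,
    which is the key the sender uses under both rules."""
    key_id = min(chain)
    return key_id, chain[key_id]


def accept_text(receiver_chain, key_string):
    """Plaintext rule: the key ID is not carried, so the receiver accepts
    if the key string matches any key in its chain."""
    return key_string in receiver_chain.values()


def accept_md5(receiver_chain, key_id, key_string):
    """MD5 rule: the key ID is carried and the receiver must hold the same
    key ID with the same key string (missing key ID -> failure, assumed)."""
    return receiver_chain.get(key_id) == key_string


def authenticates(sender_chain, receiver_chain, mode):
    """Does the receiver accept the sender's updates under the given mode?"""
    key_id, key_string = lowest_key(sender_chain)
    if mode == "text":
        return accept_text(receiver_chain, key_string)
    if mode == "md5":
        return accept_md5(receiver_chain, key_id, key_string)
    raise ValueError(f"unknown mode {mode!r}")


def adjacency(chain_a, chain_b, mode):
    """Return (a_accepts_b, b_accepts_a); a mixed result means one-way routes."""
    return (authenticates(chain_b, chain_a, mode),
            authenticates(chain_a, chain_b, mode))


# Constructed key chains (not the page's): R1 has one key, R2 has two.
R1 = {1: "cisco"}
R2 = {1: "cisco1", 2: "cisco"}

if __name__ == "__main__":
    for mode in ("text", "md5"):
        r1_ok, r2_ok = adjacency(R1, R2, mode)
        print(f"{mode}: R1 accepts R2: {r1_ok}; R2 accepts R1: {r2_ok}")
```

With these chains the plaintext rule lets R2 accept R1 but not the reverse, the one-way situation described in Example 1, while MD5 fails in both directions because key ID 1 carries different strings on the two routers.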

Post URL: https://www.yunweiku.com/thread-539237-1-1.html