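RIPv2 Authentication and Triggered Updates
1. Lab objectives
After completing this lab you will understand:
(1) How to configure RIPv2 plaintext authentication, and its key-matching rules
(2) How to configure RIPv2 MD5 authentication, and its key-matching rules
(3) RIPv2 triggered updates
2. Topology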

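3. Lab steps
(1) Step 1: Configure router R1
R1(config)#key chain cisco  //define the key chain
R1(config-keychain)#key 1  //define the key ID
R1(config-keychain-key)#key-string jia   //set the key string for this key ID
R1(config)#interface s1/1    //interface on which RIP advertises routes
R1(config-if)#ip rip authentication mode text    
//enable authentication in plaintext mode; plaintext is the default mode, so this line may be omitted
R1(config-if)#ip rip authentication key-chain cisco  //apply the key chain to the interface
R1(config-if)#ip rip triggered                      //enable triggered updates on the interface
(2) Step 2: Configure router R2
R2(config)#key chain cisco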
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string jia
R2(config-keychain-key)#int s1/0
R2(config-if)#ip rip triggered
R2(config-if)#ip rip authentication key-chain cisco

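At this point authentication is enabled between R1 and R2, so we can look at the routing table. Authentication is now enabled on s1/1 of R2, but R3 has no authentication configured, so the routes from R3 and R4 do not come through: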
R1#sh ip rou
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.12.0/24 is directly connected, Serial1/1
     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback1
R    192.168.23.0/24 [120/1] via 192.168.12.2, 00:00:05, Serial1/1

(3) Step 3: Configure router R3
R3(config)#key chain cisco
R3(config-keychain)#key 1
R3(config-keychain-key)#key-string jia
R3(config-keychain-key)#int s1/0
R3(config-if)#ip rip authentication key-chain cisco
R3(config-if)#ip rip triggered
R3(config-if)#int s1/2
R3(config-if)#ip rip authentication key-chain cisco
R3(config-if)#ip rip triggered
(4) Step 4: Configure router R4
R4(config)#key chain cisco
R4(config-keychain)#key 1
R4(config-keychain-key)#key-st jia
R4(config-keychain-key)#int s1/2
R4(config-if)#ip rip au key cisco
R4(config-if)#ip rip tr
4. Verification and debugging
(1) show ip protocols
R2#show ip protocols  
Routing Protocol is "rip"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Sending updates every 30 seconds, next due in 4 seconds
  Invalid after 180 seconds, hold down 0, flushed after 240
// Because triggered updates are enabled, the hold down timer is automatically set to 0
  Redistributing: rip
  Default version control: send version 2, receive version 2
    Interface             Send  Recv  Triggered RIP  Key-chain
    Serial1/0           2     2          Yes       test            
    Serial1/1           2     2          Yes       test    
//The two lines above show that authentication and triggered updates are enabled on interfaces s1/0 and s1/1
  Automatic network summarization is not in effect
  Maximum path: 4
  Routing for Networks:
    192.168.12.0
    192.168.23.0
  Routing Information Sources:
    Gateway         Distance      Last Update
    192.168.12.1         120      00:26:10
    192.168.23.3         120      00:26:01
  Distance: (default is 120)
(2) debug ip rip
R2#debug ip rip  
RIP protocol debugging is on
Dec 31 16:03:57.067: RIP: sending triggered request on Serial1/0 to 224.0.0.9
Dec 31 16:03:57.071: RIP: sending triggered request on Serial1/0 to 224.0.0.9
Dec 31 16:03:57.079: RIP: sending triggered request on Serial1/1 to 224.0.0.9
Dec 31 16:03:57.083: RIP: sending triggered request on Serial1/1 to 224.0.0.9
Dec 31 16:03:57.107: RIP: sending triggered request on Serial1/0 to 224.0.0.9
Dec 31 16:03:57.111: RIP: sending triggered request on Serial1/1 to 224.0.0.9
Dec 31 16:03:57.115: RIP: send v2 triggered flush update to 192.168.12.1 on Seri
al1/0 with no route
Dec 31 16:03:57.119: RIP: start retransmit timer of 192.168.12.1
R2#
Dec 31 16:03:57.119: RIP: send v2 triggered flush update to 192.168.23.2 on Seri
al1/1 with no route
Dec 31 16:03:57.123: RIP: start retransmit timer of 192.168.23.2
Dec 31 16:03:57.191: RIP: received packet with text authentication jia
Dec 31 16:03:57.195: RIP: received v2 triggered update from 192.168.12.1 on Seri
al1/0
Dec 31 16:03:57.195: RIP: sending v2 ack to 192.168.12.1 via Serial1/0 (192.168.
12.2),
     flush, seq# 2
Dec 31 16:03:57.203:      1.1.1.0/24 via 0.0.0.0 in 1 hops
Dec 31 16:03:57.211: RIP: received packet with text authentication jia
Dec 31 16:03:57.215: RIP: received v2 triggered update from 192.168.23.2 on Seri
al1/1
Dec 31 16:03:57.215: RIP: sending v2 ack to 192.168.23.2 via Serial1/1 (192.168.
23.1),
     flush, seq# 5
Dec 31 16:03:57.223:      192.168.34.0/24 via 0.0.0.0 in 1 hops
Dec 31 16:03:57.227:      192.168.96.0/22 via 0.0.0.0 in 2 hops
Dec 31 16:03:57.231: RIP: received packet with text authentication jia
Dec 31 16:03:57.235: RIP: received
R2# v2 triggered update from 192.168.12.1 on Serial1/0
Dec 31 16:03:57.235: RIP: sending v2 ack to 192.168.12.1 via Serial1/0 (192.168.
12.2),
     flush, seq# 3
Dec 31 16:03:57.243:      1.1.1.0/24 via 0.0.0.0 in 1 hops
Dec 31 16:03:57.243: RIP: received packet with text authentication jia
Dec 31 16:03:57.247: RIP: received v2 triggered update from 192.168.23.2 on Seri
al1/1
Dec 31 16:03:57.247: RIP: sending v2 ack to 192.168.23.2 via Serial1/1 (192.168.
23.1),
     flush, seq# 6
Dec 31 16:03:57.255:      192.168.34.0/24 via 0.0.0.0 in 1 hops
Dec 31 16:03:57.255:      192.168.96.0/22 via 0.0.0.0 in 2 hops
Dec 31 16:03:57.259: RIP: received packet with text authentication jia
Dec 31 16:03:57.263: RIP: received v2 triggered update from 192.168.23.2 on Seri
al1/1
Dec 31 16:03:57.263: RIP: sending v2 ack to 192.168.23.2 via Serial1/1 (192.168.
23.1),
     flush, seq# 7
Dec 31 16:03:57.271:      192.168.34.0/24 via 0.0.0.0 in 1 hops
Dec 31 16:03:57.271:      192.168.96.0/22 via 0.0
R2#.0.0 in 2 hops
Dec 31 16:03:57.359: RIP: received packet with text authentication jia
Dec 31 16:03:57.363: RIP: received v2 triggered update from 192.168.12.1 on Seri
al1/0
Dec 31 16:03:57.363: RIP: sending v2 ack to 192.168.12.1 via Serial1/0 (192.168.
12.2),
     flush, seq# 4
Dec 31 16:03:57.367:      1.1.1.0/24 via 0.0.0.0 in 1 hops
Dec 31 16:03:57.371: RIP: received packet with text authentication jia
Dec 31 16:03:57.375: RIP: received v2 triggered ack from 192.168.23.2 on Serial1
/1
     flush seq# 4
Dec 31 16:03:57.379: RIP: send v2 triggered update to 192.168.23.2 on Serial1/1
Dec 31 16:03:57.379: RIP: build update entries
Dec 31 16:03:57.383:    route 84: 192.168.12.0/24 metric 1, tag 0
Dec 31 16:03:57.383:    route 89: 1.1.1.0/24 metric 2, tag 0
Dec 31 16:03:57.387: RIP: Update contains 2 routes, start 84, end 95
Dec 31 16:03:57.391: RIP: start retransmit timer of 192.168.23.2
Dec 31 16:03:57.391: RIP: received packet with text authentication jia
Dec 31 16:03:57.395
R2#: RIP: received v2 triggered ack from 192.168.12.1 on Serial1/0
     flush seq# 1
Dec 31 16:03:57.399: RIP: send v2 triggered update to 192.168.12.1 on Serial1/0
Dec 31 16:03:57.399: RIP: build update entries
Dec 31 16:03:57.403:    route 86: 192.168.23.0/24 metric 1, tag 0
Dec 31 16:03:57.403:    route 92: 192.168.34.0/24 metric 2, tag 0
Dec 31 16:03:57.407:    route 95: 192.168.96.0/22 metric 3, tag 0
Dec 31 16:03:57.411: RIP: Update contains 3 routes, start 86, end 95
Dec 31 16:03:57.411: RIP: start retransmit timer of 192.168.12.1
Dec 31 16:03:57.623: RIP: received packet with text authentication jia
Dec 31 16:03:57.623: RIP: received v2 triggered ack from 192.168.23.2 on Serial1
/1
     seq# 5
Dec 31 16:03:57.635: RIP: received packet with text authentication jia
Dec 31 16:03:57.639: RIP: received v2 triggered ack from 192.168.12.1 on Serial1
/0
     seq#
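The output above shows that on router R2, although debug ip rip is turned on, the periodic updates sent every 30 seconds do not appear, because triggered updates are in use; instead, it was the event of clearing the routing table that triggered the routing updates. Every update carries the word "triggered", and every received update carries the words "text authentication", which proves that triggered updates and plaintext authentication are enabled on interfaces s1/0 and s1/1.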
(3) show ip rip database
This command displays the RIP database.
#show ip rip database
R2#sh ip rip da
1.0.0.0/8    auto-summary
1.1.1.0/24
    [1] via 192.168.12.1, 00:01:04 (permanent), Serial1/0
   * Triggered Routes:
     - [1] via 192.168.12.1, Serial1/0
192.168.12.0/24    auto-summary
192.168.12.0/24    directly connected, Serial1/0
192.168.23.0/24    auto-summary
192.168.23.0/24    directly connected, Serial1/1
192.168.34.0/24    auto-summary
192.168.34.0/24
    [1] via 192.168.23.2, 00:01:04 (permanent), Serial1/1
   * Triggered Routes:
     - [1] via 192.168.23.2, Serial1/1
192.168.96.0/22
    [2] via 192.168.23.2, 00:01:04 (permanent), Serial1/1
   * Triggered Routes:
     - [2] via 192.168.23.2, Serial1/1

The output above further confirms that triggered updates are enabled on s1/0 and s1/1.
(4) show run
R2#show run | begin router rip
router rip
version 2
timers basic 30 180 0 240
//Because triggered updates are enabled, the line above is added to the configuration automatically, with the hold down timer set to 0
network 192.168.12.0
network 192.168.23.0
no auto-summary

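For MD5 authentication, it is only necessary to declare MD5 as the authentication mode under the interface. For example, the configuration on R1 is:
R1(config)#key chain cisco  //define the key chain
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string jia
R1(config)#interface s1/1
R1(config-if)#ip rip authentication mode md5 //authentication mode is MD5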
R1(config-if)#ip rip authentication key-chain cisco  

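The rest of the configuration is the same as for plaintext authentication and is not repeated here. Running "debug ip rip" on R2 then displays output similar to the following: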
Dec 31 16:19:29.835: RIP: sending triggered request on Serial1/0 to 224.0.0.9
Dec 31 16:19:29.839: RIP: sending triggered request on Serial1/0 to 224.0.0.9
Dec 31 16:19:29.847: RIP: sending triggered request on Serial1/1 to 224.0.0.9
Dec 31 16:19:29.851: RIP: sending triggered request on Serial1/1 to 224.0.0.9
Dec 31 16:19:29.875: RIP: sending triggered request on Serial1/0 to 224.0.0.9
Dec 31 16:19:29.879: RIP: sending triggered request on Serial1/1 to 224.0.0.9
Dec 31 16:19:29.883: RIP: send v2 triggered flush update to 192.168.12.1 on Seri
al1/0 with no route
Dec 31 16:19:29.887: RIP: start retransmit timer of 192.168.12.1
Dec 31 16:19:29.891: RIP: send v2 triggered flush update to 192.168.23.2 on Seri
al1/1 with no route
Dec 31 16:19:29.895: RIP: start retransmit timer of 192.168.23.2
Dec 31 16:19:29.935: RIP: received packet with MD5 authentication
Dec 31 16:19:29.939: RIP: received v2 triggered update from 192.168.12.1 on Seri
al1/0
Dec 31 16:19:29.939: RIP: sending v
R2#2 ack to 192.168.12.1 via Serial1/0 (192.168.12.2),
     flush, seq# 7
Dec 31 16:19:29.947:      1.1.1.0/24 via 0.0.0.0 in 1 hops
Dec 31 16:19:29.967: RIP: received packet with MD5 authentication
Dec 31 16:19:29.967: RIP: received v2 triggered update from 192.168.12.1 on Seri
al1/0
Dec 31 16:19:29.971: RIP: sending v2 ack to 192.168.12.1 via Serial1/0 (192.168.
12.2),
     flush, seq# 8
Dec 31 16:19:29.975:      1.1.1.0/24 via 0.0.0.0 in 1 hops
Dec 31 16:19:30.067: RIP: received packet with MD5 authentication
Dec 31 16:19:30.071: RIP: received v2 triggered update from 192.168.12.1 on Seri
al1/0
Dec 31 16:19:30.071: RIP: sending v2 ack to 192.168.12.1 via Serial1/0 (192.168.
12.2),
     flush, seq# 9
Dec 31 16:19:30.075:      1.1.1.0/24 via 0.0.0.0 in 1 hops
Dec 31 16:19:30.083: RIP: received packet with MD5 authentication
Dec 31 16:19:30.083: RIP: received v2 triggered ack from 192.168.12.1 on Serial1
/0
     flush seq# 6
Dec 31 16:19:30.087: RIP: send v2 triggered update t
R2#o 192.168.12.1 on Serial1/0
Dec 31 16:19:30.091: RIP: build update entries
Dec 31 16:19:30.091:    route 98: 192.168.23.0/24 metric 1, tag 0
Dec 31 16:19:30.095: RIP: Update contains 1 routes, start 98, end 102
Dec 31 16:19:30.099: RIP: start retransmit timer of 192.168.12.1
Dec 31 16:19:30.099: RIP: received packet with text authentication jia
Dec 31 16:19:30.103: RIP: received v2 triggered update from 192.168.23.2 on Seri
al1/1
Dec 31 16:19:30.103: RIP: sending v2 ack to 192.168.23.2 via Serial1/1 (192.168.
23.1),
     flush, seq# 8
Dec 31 16:19:30.111:      192.168.34.0/24 via 0.0.0.0 in 1 hops
Dec 31 16:19:30.115:      192.168.96.0/22 via 0.0.0.0 in 2 hops
Dec 31 16:19:30.123: RIP: received packet with text authentication jia
Dec 31 16:19:30.123: RIP: received v2 triggered update from 192.168.23.2 on Seri
al1/1
Dec 31 16:19:30.127: RIP: sending v2 ack to 192.168.23.2 via Serial1/1 (192.168.
23.1),
     flush, seq# 9
Dec 31 16:19:30.131:      192.168.34.0/24 via 0.0.0.0 in
R2# 1 hops
Dec 31 16:19:30.135:      192.168.96.0/22 via 0.0.0.0 in 2 hops
Dec 31 16:19:30.155: RIP: received packet with text authentication jia
Dec 31 16:19:30.155: RIP: received v2 triggered update from 192.168.23.2 on Seri
al1/1
Dec 31 16:19:30.159: RIP: sending v2 ack to 192.168.23.2 via Serial1/1 (192.168.
23.1),
     flush, seq# 10
Dec 31 16:19:30.163:      192.168.34.0/24 via 0.0.0.0 in 1 hops
Dec 31 16:19:30.167:      192.168.96.0/22 via 0.0.0.0 in 2 hops
Dec 31 16:19:30.171: RIP: received packet with text authentication jia
Dec 31 16:19:30.175: RIP: received v2 triggered ack from 192.168.23.2 on Serial1
/1
     flush seq# 6
Dec 31 16:19:30.175: RIP: send v2 triggered update to 192.168.23.2 on Serial1/1
Dec 31 16:19:30.179: RIP: build update entries
Dec 31 16:19:30.183:    route 96: 192.168.12.0/24 metric 1, tag 0
Dec 31 16:19:30.183:    route 101: 1.1.1.0/24 metric 2, tag 0
Dec 31 16:19:30.187: RIP: Update contains 2 routes, start 96, end 107
Dec 31 16:19:30.187: RIP:
R2#start retransmit timer of 192.168.23.2
Dec 31 16:19:30.203: RIP: received packet with MD5 authentication
Dec 31 16:19:30.207: RIP: received v2 triggered ack from 192.168.12.1 on Serial1
/0
     seq# 7
Dec 31 16:19:30.211: RIP: send v2 triggered update to 192.168.12.1 on Serial1/0
Dec 31 16:19:30.211: RIP: build update entries
Dec 31 16:19:30.215:    route 104: 192.168.34.0/24 metric 2, tag 0
Dec 31 16:19:30.215:    route 107: 192.168.96.0/22 metric 3, tag 0
Dec 31 16:19:30.219: RIP: Update contains 2 routes, start 104, end 107
Dec 31 16:19:30.223: RIP: start retransmit timer of 192.168.12.1
Dec 31 16:19:30.515: RIP: received packet with text authentication jia
Dec 31 16:19:30.519: RIP: received v2 triggered ack from 192.168.23.2 on Serial1
/1
     seq# 7
Dec 31 16:19:30.523: RIP: received packet with MD5 authentication
Dec 31 16:19:30.523: RIP: received v2 triggered ack from 192.168.12.1 on Serial1
/0
     seq# 8
The output above shows that MD5 authentication and triggered updates are in use.
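In the capture above, packets from 192.168.12.1 arrive with MD5 authentication while packets from 192.168.23.2 still arrive with text authentication, and each text line prints the key itself. As an added example (not part of the original lab), this Python sketch rejoins the wrapped debug lines and lists the neighbors still using plaintext authentication; the function names and the `hostname` parameter are assumptions of the example.

```python
import re

# Excerpt of the R2 "debug ip rip" capture above, wrapping and prompt as captured.
CAPTURE = """\
Dec 31 16:19:29.935: RIP: received packet with MD5 authentication
Dec 31 16:19:29.939: RIP: received v2 triggered update from 192.168.12.1 on Seri
al1/0
Dec 31 16:19:29.939: RIP: sending v
R2#2 ack to 192.168.12.1 via Serial1/0 (192.168.12.2),
     flush, seq# 7
Dec 31 16:19:30.099: RIP: received packet with text authentication jia
Dec 31 16:19:30.103: RIP: received v2 triggered update from 192.168.23.2 on Seri
al1/1
Dec 31 16:19:30.171: RIP: received packet with text authentication jia
Dec 31 16:19:30.175: RIP: received v2 triggered ack from 192.168.23.2 on Serial1
/1
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+")
AUTH = re.compile(r"received packet with (MD5|text) authentication")
PEER = re.compile(r"received v2 .*? from (\d+(?:\.\d+){3}) on (\S+)")

def unwrap(capture, hostname="R2"):
    """Rejoin records split by terminal wrapping or a redrawn prompt."""
    records, prompt = [], hostname + "#"
    for line in capture.splitlines():
        if STAMP.match(line):
            records.append(line)
        elif records:
            piece = line[len(prompt):] if line.startswith(prompt) else line
            # Indented lines are continuation fields; others are hard wraps.
            records[-1] += (" " + piece.strip()) if piece[:1].isspace() else piece
    return records

def auth_by_neighbor(capture, hostname="R2"):
    """Map (neighbor, interface) to the set of auth modes seen from it."""
    modes, pending = {}, None
    for rec in unwrap(capture, hostname):
        auth, peer = AUTH.search(rec), PEER.search(rec)
        if auth:
            pending = auth.group(1).lower()
        elif peer and pending:
            modes.setdefault(peer.groups(), set()).add(pending)
            pending = None
    return modes

def plaintext_neighbors(capture, hostname="R2"):
    """Neighbors whose key crosses the link, and lands in the log, in clear."""
    found = auth_by_neighbor(capture, hostname)
    return sorted(k for k, v in found.items() if "text" in v)
```

Calling `plaintext_neighbors(CAPTURE)` returns the R3-facing neighbor on Serial1/1, the link that still needs `ip rip authentication mode md5` on both ends.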

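[Key technical points]
(1) Triggered updates are not supported on Ethernet interfaces;
(2) Triggered updates must be negotiated, so both ends of the link have to be configured;
(3) During authentication, if multiple key IDs are defined, the matching rules for plaintext authentication and MD5 authentication are different:
① The matching rules for plaintext authentication are:
A. The sender sends the key with the lowest key ID
B. The key ID number is not carried
C. The receiver compares the received key against all the keys in its key chain; if any of them matches, authentication passes.

[Example 1]
Router R1 has one key ID: key1=cisco;
Router R2 has two key IDs: key1=ccie, key2=cisco
By the rules above, authentication fails on R1 and succeeds on R2, so one-way routing is nothing unusual in RIP.

② The matching rules for MD5 authentication are:
A. The sender sends the key with the lowest key ID
B. The key ID number is carried
C. The receiver first checks whether it has the same key ID. If it does, it compares only once, and that comparison decides whether authentication succeeds. If it does not have that key ID, it looks only at the next key further down the chain: if that key matches, authentication succeeds; if it does not match, authentication fails.

[Example 2]
Router R1 has three key IDs: key1=cisco, key3=ccie, key5=cisco;
Router R2 has one key ID: key2=cisco
By the rules above, authentication fails on R1 and succeeds on R2.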
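The two matching rules can be checked mechanically. The following Python model is an added example, not Cisco code and not part of the original lab: it encodes rules ① and ② as this page states them, reads "the next key" as the next higher key ID (which is what Example 2 implies), and goes one step beyond the page by running both modes over both examples' key chains.

```python
def lowest(chain):
    """The sender always uses the key with the lowest key ID."""
    kid = min(chain)
    return kid, chain[kid]

def text_accepts(receiver, sender):
    """Plaintext: no key ID on the wire, so any key the receiver holds may match."""
    _, secret = lowest(sender)
    return secret in receiver.values()

def md5_accepts(receiver, sender):
    """MD5: the key ID is carried. Comparing key strings here stands in for
    comparing the digests computed from them."""
    kid, secret = lowest(sender)
    if kid in receiver:                       # same ID: one comparison decides
        return receiver[kid] == secret
    later = [k for k in receiver if k > kid]  # otherwise only the next ID up is tried
    return bool(later) and receiver[min(later)] == secret

def link(accepts, r1, r2):
    """Return (R1 accepts R2's updates, R2 accepts R1's updates)."""
    return accepts(r1, r2), accepts(r2, r1)

# Key chains from Example 1 and Example 2 on this page: {key ID: key-string}.
EX1_R1, EX1_R2 = {1: "cisco"}, {1: "ccie", 2: "cisco"}
EX2_R1, EX2_R2 = {1: "cisco", 3: "ccie", 5: "cisco"}, {2: "cisco"}

if __name__ == "__main__":
    cases = (("Example 1", EX1_R1, EX1_R2), ("Example 2", EX2_R1, EX2_R2))
    for name, r1, r2 in cases:
        for mode, accepts in (("text", text_accepts), ("md5", md5_accepts)):
            print(name, mode, "R1 accepts=%s, R2 accepts=%s" % link(accepts, r1, r2))
```

Run as a script, it reproduces the one-way results of both examples and also shows that the same key chains behave differently in the other mode: Example 1 fails in both directions under MD5, and Example 2 passes in both directions under plaintext.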