Getting started
The ARIP module is an implementation of the standard RIP routing protocol.
The ARIP routing module supports two RIP versions: RIP-1 and RIP-2.
Module configuration is performed with the "arip" command.
Command language. Basic principles
ARIP has its own command shell (CS). To start the ARIP module and enter the shell, execute the following commands:
#1> arip start
#1> arip
RIP>
Commands entered in CS are not case-sensitive and can be abbreviated as long as the abbreviation remains unambiguous. To get a quick hint, press "?" at any time:
RIP>?
  configure  Configuration from vty interface
  end        End current mode and change to root mode (CTRL+C).
  exit       Back to WANFleX command shell (CTRL+D).
  help       Print command list
  show       Show running system information
RIP>
CS can work in different modes. The current mode is shown in the command prompt as "RIP(mode)#". For example, if the configure command is entered, CS switches to config mode:
RIP> configure
RIP(config)#
The following figure shows the transition scheme between different modes of CS.
One can select the necessary mode or execute commands without explicitly entering the arip module. For example, if the following commands are executed in sequence:
#1> arip configure
#1> arip router
#1> arip
RIP(config-router)#
then entering arip goes directly into the required config-router mode (as shown in the example).
Every mode has its own set of commands. The following commands are available in any mode:
- "Help" – prints the list of commands for the current mode
- "End" – goes back from the current mode to the base mode
- "Exit" – exits from the RIP CS to the WANFleX CLI.
At start, CS is in the base mode, which has a set of commands for viewing the current router state. Switching to configuration mode requires superuser rights. After entering configuration mode, the configuration is locked and entering this mode from another terminal (e.g. another telnet session) is prohibited. To avoid a "dead" lock of the session, CS automatically leaves configuration mode after five minutes of inactivity.
Context help is always available using "?". For example:
RIP> config
RIP(config)#?
  access-list  Add an access list entry
  clear        Reset functions
  end          End current mode and change to root mode (CTRL+C).
  exit         Back to WANFleX command shell (CTRL+D).
  help         Print command list
  interface    Select an interface to configure
  key          Authentication key management
  no           Negate a command or set its defaults
  prefix-list  Build a prefix list
  route-map    Create route-map or enter route-map command mode
  router       Enable a routing process
  show         Show running system information
  stop         stop
RIP(config)# interface?
  IFNAME  Interface's name
RIP(config)# interface eth0
RIP(config-if)#?
  authentication  Authentication control
  description     Interface specific description
  end             End current mode and change to root mode (CTRL+C).
  exit            Back to WANFleX command shell (CTRL+D).
  help            Print command list
  no              Negate a command or set its defaults
  receive         Advertisement reception
  send            Advertisement transmission
  show            Show running system information
  split-horizon   Perform split horizon
RIP(config-if)#
After quitting CS using “exit” command (or Ctrl+D), CS stays in the last active mode.
Commands may take parameters, which are given in several formats. A parameter's format is described in the context help or in the command list ("help" command) as follows:
- "A.B.C.D" – a parameter is set in IP-address format. Example: 192.168.0.15
- "WORD" – a set of characters with no spaces
- "<1-N>" – a decimal number in the range from 1 to N
- "A.B.C.D/M" – a parameter is set in a format IP-address/subnet mask length. Example: 192.168.0.0/24
- "IFNAME" – name of a physical network interface. Example: eth0
If a parameter can be written in different formats, it will be displayed in round brackets, the options are separated by “|” character. Example: (A.B.C.D|<0-4294967295>).
If a parameter is optional, it is put into square brackets: “[]”.
Any command may be prefixed with "no". The prefix means that the corresponding parameter is removed from the configuration.
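As an added illustration of these two rules (example code written for this page, not code from the ARIP module or its documentation), the following Python model resolves abbreviated, case-insensitive command words and validates a command line against a syntax string written in the notation above. The function names, the `CONFIG_ROUTER` syntax table and the merged form of the "network" entry are this example's own; the syntax strings themselves are transcribed from the command descriptions later on this page.

```python
"""Model of the ARIP command-language rules (added example, not ARIP/WANFleX code).

1. Command words are case-insensitive and may be abbreviated while unambiguous.
2. Parameters are checked against the notation A.B.C.D, A.B.C.D/M, <1-N>, WORD,
   IFNAME, LINE, alternatives in (a|b) and optional groups in [ ... ].
"""
import re
from typing import Dict, List, Optional

# One syntax group: an optional [...] block, an alternative (...) block or a bare token.
GROUP = re.compile(r"\[[^\]]*\]|\([^)]*\)|\S+")


def resolve(abbrev: str, commands: List[str]) -> Optional[str]:
    """Expand an abbreviation; None when nothing or more than one command fits."""
    hits = [c for c in commands if c.lower().startswith(abbrev.lower())]
    return hits[0] if len(hits) == 1 else None


def is_ipv4(word: str) -> bool:
    parts = word.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def token_ok(template: str, word: str) -> bool:
    """Does one command word satisfy one template token from the help notation?"""
    if template == "A.B.C.D":
        return is_ipv4(word)
    if template == "A.B.C.D/M":
        addr, slash, length = word.partition("/")
        return slash == "/" and is_ipv4(addr) and length.isdigit() and int(length) <= 32
    rng = re.fullmatch(r"<(\d+)-(\d+)>", template)
    if rng:
        return word.isdigit() and int(rng[1]) <= int(word) <= int(rng[2])
    if template in ("WORD", "IFNAME", "LINE"):
        return word != "" and " " not in word
    if template.startswith("(") and template.endswith(")"):
        return any(token_ok(alt, word) for alt in template[1:-1].split("|"))
    return template.lower() == word.lower()          # literal keyword


def validate(syntax: str, line: str) -> bool:
    """Match a whole command line against a syntax string, left to right."""
    words, i = line.split(), 0
    for group in GROUP.findall(syntax):
        if group.startswith("["):                     # optional group
            inner = GROUP.findall(group[1:-1])
            if i < len(words) and token_ok(inner[0], words[i]):
                chunk = words[i:i + len(inner)]
                if len(chunk) < len(inner) or not all(map(token_ok, inner, chunk)):
                    return False
                i += len(inner)
            continue
        if i >= len(words) or not token_ok(group, words[i]):
            return False
        i += 1
    return i == len(words)                            # no trailing garbage


# Constructed syntax table for the config-router mode, transcribed from the
# command descriptions on this page (the "network" entry merges its two forms).
CONFIG_ROUTER: Dict[str, str] = {
    "network": "network (A.B.C.D/M|WORD)",
    "neighbor": "neighbor A.B.C.D",
    "redistribute": "redistribute (kernel|connected|static|ospf) "
                    "[metric <0-16777214>] [route-map WORD]",
    "default-metric": "default-metric <0-16>",
}


def check(line: str, mode_syntax: Dict[str, str]) -> bool:
    """Resolve the (possibly abbreviated) command word, then validate the line."""
    words = line.split()
    full = resolve(words[0], list(mode_syntax)) if words else None
    if full is None:
        return False
    return validate(mode_syntax[full], " ".join([full] + words[1:]))


if __name__ == "__main__":
    for cmd in ("net 4.7.8.0/24", "n 4.7.8.0/24", "redist static metric 5 route-map m1"):
        print(f"{cmd!r:45} -> {'ok' if check(cmd, CONFIG_ROUTER) else 'rejected'}")
```

`n 4.7.8.0/24` is rejected because both `network` and `neighbor` start with "n", which is exactly the ambiguity the text refers to; `net` is enough to select `network`.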
Start / stop of RIP
Start of the RIP router is executed by the following command:
arip start
In order to stop RIP, execute the following command in config mode:
stop (daemon|clear)
Example,
> arip
RIP> configure
RIP(config)# stop daemon
If the "stop" command is executed with the clear parameter, the router clears its part of the system configuration before leaving CS.
Filters
Filters are used in many of the router's configuration parameters. Filters are represented by two classes of objects:
- Access lists (access-list)
- Prefix lists (prefix-list)
An access list consists of a sequence of operators. Each operator consists of a range of IP addresses and a deny or permit command. The range of addresses is given as <value> <mask of insignificant bits>. The object being filtered has its basic parameter in the same format (IP address, subnet, etc.). To decide whether the object matches the list, the operators are applied one after another to the object's basic parameter until the parameter satisfies an operator's condition. When a condition is met, the decision is made according to that operator's command (deny or permit).
The RIP router has three types of access lists:
- Standard. Identified by a number from 1-99 or 1300-1999; analyzes one parameter of the filtered object.
- Extended. Identified by a number from 100-199 or 2000-2699; analyzes two parameters of the filtered object (for example, source address and destination address).
- Named. Identical to Standard but identified by a name instead of a number. Moreover, its operators are configured in the format <value>/<mask length>.
In order to create or edit an access list in RIP router the following commands are used (in config mode):
- Standard access lists
access-list | (<1-99>|<1300-1999>) | (deny|permit) | A.B.C.D | A.B.C.D
---|---|---|---|---
Keyword | List identifier | Command | Value (value and mask together give the range of values for the parameter) | Mask of insignificant bits
This command creates an operator in a standard access list. The value and mask define the range (criterion) of the operator: bits set in the mask are insignificant, so they may take any value within the range. For example, to specify the range of IP addresses from 192.168.12.0 to 192.168.12.255, specify the value 192.168.12.0 and the mask 0.0.0.255. For the value and mask 0.0.0.0 255.255.255.255 the keyword any exists. For example, the command:
RIP(config)# access-list 1 permit 0.0.0.0 255.255.255.255
is equal to the command:
RIP(config)# access-list 1 permit any
Correspondingly, for the range which consists of only one address, the key word host is used.
For example, the command:
RIP(config)# access-list 1 permit 192.168.12.150 0.0.0.0
is equal to the following command:
RIP(config)# access-list 1 permit host 192.168.12.150
- Extended access lists
access-list | (<100-199>|<2000-2699>) | (deny|permit) | ip | A.B.C.D A.B.C.D | A.B.C.D A.B.C.D
---|---|---|---|---|---
Keyword | List identifier | Command | Keyword | Range of source addresses (value, mask) | Range of destination addresses (value, mask)
- Nominate access lists
access-list | WORD | (deny|permit) | A.B.C.D/M | [exact-match]
---|---|---|---|---
Keyword | List identifier | Command | Range | Requires the parameter to match the range exactly
In this case the list identifier is a character string. The range is specified in the format <value>/<mask length>. For example, to specify the range of IP addresses from 192.168.12.0 to 192.168.12.255, 192.168.12.0/24 is specified. For the 0.0.0.0/0 range the keyword any can be used. For example:
RIP(config)# access-list TestList1 deny 192.168.1.0/24
RIP(config)# access-list TestList1 permit any
While configuring, the operators are appended to the end of the list.
Prefix lists differ from access lists in that each operator has a sequence number in addition to a range (condition). Moreover, when checking whether the parameter fits an operator's range, an additional condition on the parameter's mask length can be set.
prefix-list | WORD | [seq <1-4294967295>] | (deny|permit) | A.B.C.D/M | [ge <0-32>] [le <0-32>]
---|---|---|---|---|---
Keyword | List identifier | Operator's sequence number | Command | Range | Range of permitted mask lengths
If a sequence number is not specified, the router assigns it automatically by adding 5 to the number of the last operator in the list. Thus the new operator gets the largest number and is placed at the end of the list.
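To make the filter semantics concrete, here is an added Python model (example code written for this page, not ARIP code) of the three list types just described: standard lists with wildcard masks and the any/host shorthands, named lists with value/length ranges and exact-match, and prefix lists with automatic sequence numbering and ge/le bounds. Class and function names are this example's own. Two details the text does not settle are assumptions marked in the code: the first sequence number of an empty prefix list (5 here) and the mask-length rule when neither ge nor le is given (the candidate's length must equal the operator's).

```python
"""Model of ARIP filter objects (added example, not ARIP code). Operators are appended
in order and the first operator whose range contains the parameter decides."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


def wildcard_match(value: str, wildcard: str, addr: str) -> bool:
    """Standard-list criterion: bits set in the wildcard mask are insignificant."""
    keep = ~int(IPv4(wildcard)) & 0xFFFFFFFF
    return int(IPv4(value)) & keep == int(IPv4(addr)) & keep


@dataclass
class StandardAccessList:
    """Numbered list (1-99, 1300-1999): operators are (action, value, wildcard)."""
    ops: List[Tuple[str, str, str]] = field(default_factory=list)

    def add(self, action: str, spec: str) -> None:
        tokens = spec.split()
        if tokens == ["any"]:                     # any    == 0.0.0.0 255.255.255.255
            value, wildcard = "0.0.0.0", "255.255.255.255"
        elif tokens[0] == "host":                 # host X == X 0.0.0.0
            value, wildcard = tokens[1], "0.0.0.0"
        else:
            value, wildcard = tokens
        self.ops.append((action, value, wildcard))   # appended to the end of the list

    def decide(self, addr: str) -> Optional[bool]:
        for action, value, wildcard in self.ops:
            if wildcard_match(value, wildcard, addr):
                return action == "permit"
        return None   # no operator matched; the text leaves this case to the caller


@dataclass
class NamedAccessList:
    """Named list: operators are (action, prefix, exact_match), range as value/length."""
    ops: List[Tuple[str, Net, bool]] = field(default_factory=list)

    def add(self, action: str, prefix: str, exact_match: bool = False) -> None:
        net = Net("0.0.0.0/0") if prefix == "any" else Net(prefix)
        self.ops.append((action, net, exact_match))

    def decide(self, prefix: str) -> Optional[bool]:
        cand = Net(prefix)
        for action, net, exact in self.ops:
            hit = (cand == net) if exact else cand.subnet_of(net)
            if hit:
                return action == "permit"
        return None


@dataclass
class PrefixList:
    """Prefix list: each operator carries a sequence number and optional ge/le bounds."""
    ops: List[tuple] = field(default_factory=list)

    def add(self, action: str, prefix: str, seq: Optional[int] = None,
            ge: Optional[int] = None, le: Optional[int] = None) -> None:
        if seq is None:   # auto-number: last operator's number + 5 (5 for an empty list, assumed)
            seq = max(op[0] for op in self.ops) + 5 if self.ops else 5
        net = Net("0.0.0.0/0") if prefix == "any" else Net(prefix)
        self.ops.append((seq, action, net, ge, le))
        self.ops.sort(key=lambda op: op[0])       # evaluated in sequence-number order

    def decide(self, prefix: str) -> Optional[bool]:
        cand = Net(prefix)
        for _seq, action, net, ge, le in self.ops:
            if not cand.subnet_of(net):
                continue
            # Mask-length condition. Without ge/le the candidate's length must equal the
            # operator's own length (conventional prefix-list behaviour, assumed here; the
            # text only says ge/le add a condition on the mask length).
            lo = ge if ge is not None else net.prefixlen
            hi = le if le is not None else (32 if ge is not None else net.prefixlen)
            if lo <= cand.prefixlen <= hi:
                return action == "permit"
        return None


if __name__ == "__main__":
    acl = NamedAccessList()
    acl.add("deny", "192.168.1.0/24")      # the TestList1 example from the page
    acl.add("permit", "any")
    print("192.168.1.128/25 ->", acl.decide("192.168.1.128/25"))   # False (denied)
```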
RIP configuration
The router can be enabled on the interface in several ways:
- By network specification. RIP is enabled on the interface whose network address matches the specified network. This is done with the following command in "config-router" mode:
network A.B.C.D/M
Network is specified by its IP-prefix and mask.
- By interface name. RIP will be enabled on the specified interface. This can be performed by the following command in the "config-router" mode:
network WORD
where WORD is interface name.
Example,
RIP>configure
RIP(config)# router
RIP(config-router)# network 4.7.8.0/24
RIP(config-router)# network rf5.0
RIP(config-router)#
To disable RIP on the interface use the command:
no network A.B.C.D/M
no network WORD
In some cases not all routers understand multicast requests. To solve this problem, you can establish a direct link between routers. To do so, use the following command in "config-router" mode:
neighbor a.b.c.d
"a.b.c.d" – router’s neighbor address. To cancel link between routers:
no neighbor a.b.c.d
To announce information from other routing protocols use the following command in "config-router" mode:
redistribute (kernel|connected|static|ospf) [metric <0-16777214>] [route-map WORD]
To define criteria according to which a router will announce information from some routing protocol, use the command in config-router mode:
distribute-list WORD direct ifname
- "WORD" – list name
- "direct" – direction ("in" or "out"). When direct is "in", the access list is applied to incoming packets; when "out", to outgoing packets. This command binds the access list to the interface.
In the following example, "eth0" accepts only routes within 10.0.0.0/8:
RIP(config-router)# distribute-list private in eth0
RIP(config-router)# access-list private permit 10 10.0.0.0/8
RIP(config-router)# access-list private deny any
Default metric is specified using the following command in the "config-router" mode:
default-metric <0-16>
If default metric is not defined, it equals 1.
In redistribute kernel mode the router does not advertise a default route (destination 0.0.0.0/0) into the RIP system, even if the administrator has explicitly entered one in the routing table. To make the router advertise its default route, it must be explicitly told to do so with the following command in "config-router" mode:
default-information originate
To cancel advertising of the default route use the command:
no default-information originate
The following command, in config-if mode, enables the "split horizon" algorithm on the device's IP interface:
split-horizon [poisoned-reverse]
When the "split horizon" algorithm is enabled, the device does not announce routes through the interface from which they were obtained, which reduces the likelihood of local routing loops.
If the "poisoned-reverse" option is set, then when a route is removed the device keeps it in the routing table for some time and includes it in the regular announcements with a special marker, so that neighboring routers realize the route is no longer usable. A route metric of 16 is used for this purpose.
The "split horizon" algorithm without the "poisoned-reverse" option is enabled by default.
To cancel "split horizon" algorithm use command:
no split-horizon
Route map (route-map)
For more flexible control of the metric type and value, one can use a route-map. A route-map is an ordered set of conditional records. Each record has its number in the map, a match condition for the route being imported, actions to be performed on the resulting object if it matches, a resulting action (deny, permit), etc. Records are processed in ascending order of their numbers. If a route satisfies a record's condition:
- If the resulting action is deny, the route is denied, processing of the map's records stops and the resulting object is discarded (the route is not advertised)
- If the resulting action is permit, all actions specified in the record are performed on the resulting object. Then processing either stops or, if so specified in the record, continues, depending on the option set in the record:
- "on-match next" – processing continues from the record that follows the current one
- "on-match goto <N>" – processing continues from the record whose number is greater than or equal to N and not below the current record.
In order to configure a route-map, the following command is used in config mode:
route-map WORD (deny|permit) <1-65535>
where "WORD" is the route-map identifier. The identifier is followed by the resulting action and the record number. If a record with the given number does not exist it is created automatically. After this command is executed, CS switches to the mode for editing the selected route-map. For example:
RIP> configure
RIP(config)# route-map testmap permit 10
RIP(config-route-map)#
After that, a condition of match between imported route and current record is specified. The following commands are used in config-route-map mode:
match address (<1-199>|<1300-2699>|WORD)
match address prefix-list WORD
match interface WORD
match next-hop (<1-199>|<1300-2699>|WORD)
match next-hop prefix-list WORD
These commands set matching conditions for the route on three different parameters: destination address, gateway (next hop) and interface. Several different conditions may be set for a single record; if several are specified they are combined with logical "and". In the "match next-hop" and "match address" commands a filter object is specified: the number or name of an "access-list", or the name of a "prefix-list". The condition is satisfied if the corresponding parameter of the route belongs to the specified filter list, according to the rule for that list type. In the "match interface" command the name of the network interface the route belongs to is specified.
If a route matches all of the record's conditions, the route's metric can be set using the following command in "config-route-map" mode:
set metric <0-4294967295>
The next step for the record’s behavior, after all conditions are matched by the route, can be configured using one of the following commands:
on-match goto <1-65535>
on-match next
Configuration example:
RIP> configure
RIP(config)# access-list AnyNetwork permit any
RIP(config)# access-list net200 permit 192.168.200.0/24
RIP(config)# route-map mapForConnected permit 10
RIP(config-route-map)# match address net200
RIP(config-route-map)# set metric 7
RIP(config-route-map)# route-map mapForConnected deny 11
RIP(config-route-map)# match address AnyNetwork
RIP(config-route-map)# router
RIP(config-router)# redistribute connected route-map mapForConnected
RIP(config-route-map)#
In this configuration the router announces routes formed from the connected routes of the system routing table. If the destination of such a route is the 192.168.200.0/24 network, the resulting route has metric 7; a route to any other destination is not announced.
CAUTION
For an interface to use a route-map created earlier, use the route-map command in "config-router" mode:
route-map WORD (in|out) IFNAME
where "WORD" is the name of the route-map created earlier.
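The evaluation order described in this section, as an added Python model written for this page rather than the module's own code: records are walked in ascending order, a deny record drops the route, a permit record applies its set action and then stops, continues at the next record, or jumps with goto. The mapForConnected configuration from the example above is reproduced in `page_example()`; `goto_example()` is a constructed map that exercises on-match next and goto. Record, Route and `in_filter` are this example's own names, the named lists are reduced to a minimal first-matching-prefix check so the block runs stand-alone, and two cases the text leaves open are handled as labelled assumptions (a route matching no record is not announced; a route that left the map through next/goto after a permit record is announced).

```python
"""Route-map evaluation model (added example, not ARIP code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Filters = Dict[str, List[Tuple[str, Net]]]     # name -> ordered (action, network)


def in_filter(filters: Filters, name: str, prefix: Net) -> bool:
    """Minimal stand-in for access-list / prefix-list membership (assumed simplification)."""
    for action, net in filters[name]:
        if prefix.subnet_of(net):
            return action == "permit"
    return False


@dataclass
class Record:
    seq: int
    action: str                                   # "permit" or "deny"
    match: Dict[str, str] = field(default_factory=dict)   # address / next-hop / interface
    set_metric: Optional[int] = None
    on_match: Optional[str] = None                # None = stop, "next", or "goto N"


@dataclass
class Route:
    prefix: str
    next_hop: str
    interface: str
    metric: int


def matches(rec: Record, route: Route, filters: Filters) -> bool:
    """A record's conditions are combined with logical AND."""
    checks = {
        "address": lambda name: in_filter(filters, name, Net(route.prefix)),
        "next-hop": lambda name: in_filter(filters, name, Net(route.next_hop + "/32")),
        "interface": lambda name: route.interface == name,
    }
    return all(checks[kind](arg) for kind, arg in rec.match.items())


def apply_route_map(records: List[Record], route: Route, filters: Filters) -> Optional[Route]:
    """Return the (possibly modified) route to announce, or None if it is denied."""
    recs = sorted(records, key=lambda r: r.seq)   # records are processed in ascending order
    out, i, accepted = Route(**vars(route)), 0, False
    while i < len(recs):
        rec = recs[i]
        if not matches(rec, out, filters):
            i += 1
            continue
        if rec.action == "deny":
            return None                               # denied: stop, route not announced
        accepted = True
        if rec.set_metric is not None:
            out.metric = rec.set_metric
        if rec.on_match is None:
            return out                                # permit without on-match: stop here
        if rec.on_match == "next":
            i += 1
            continue
        target = int(rec.on_match.split()[1])
        # goto N: continue at the first record numbered >= N and above the current one
        i = next((j for j in range(i + 1, len(recs)) if recs[j].seq >= target), len(recs))
    # Assumed: a route that matched no record is not announced (implicit deny); one that
    # left the map via next/goto after a permit record is announced as modified.
    return out if accepted else None


def page_example() -> Tuple[List[Record], Filters]:
    """The mapForConnected configuration from the text."""
    filters: Filters = {
        "AnyNetwork": [("permit", Net("0.0.0.0/0"))],
        "net200": [("permit", Net("192.168.200.0/24"))],
    }
    records = [
        Record(10, "permit", {"address": "net200"}, set_metric=7),
        Record(11, "deny", {"address": "AnyNetwork"}),
    ]
    return records, filters


def goto_example() -> List[Record]:
    """Constructed map exercising on-match next / goto (uses page_example() filters)."""
    return [
        Record(10, "permit", {"interface": "eth0"}, set_metric=3, on_match="goto 30"),
        Record(20, "permit", {"interface": "eth1"}, set_metric=5, on_match="next"),
        Record(25, "permit", {"address": "net200"}, set_metric=7),
        Record(30, "permit", {"address": "AnyNetwork"}),
    ]


if __name__ == "__main__":
    recs, filters = page_example()
    for prefix in ("192.168.200.0/24", "10.0.0.0/8"):
        print(prefix, "->", apply_route_map(recs, Route(prefix, "0.0.0.0", "eth0", 1), filters))
```

In `goto_example()` a route learned on eth0 takes record 10 (metric 3) and jumps straight to record 30, skipping 20 and 25; a route on eth1 passes through 20 (metric 5) and, via on-match next, reaches 25 where the metric becomes 7 only if the destination is in net200.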
Authentication. Identity check
To prevent unauthorized routers from joining the RIP system, the system performs an identity check of the protocol's packets. Currently the router has two options for this identity check (authentication):
- Password authentication. Simple password authentication is vulnerable to passive attacks (sniffing), because the packets are broadcast and carry the password in clear text.
- Key-based authentication. The key is used to generate and check message-digest signatures. The digest is built with the MD5 algorithm. Since the secret key is never sent over the network in clear form, this protects against passive attacks.
By default, the router does not have any authentication (null-authentication).
Authentication can be configured individually for each interface using the following commands in "config-if" mode:
- Password authentication:
authentication mode text
authentication string LINE
where "LINE" is the password, fewer than 16 characters.
- Key-based authentication:
authentication mode md5
authentication key-chain LINE
where "LINE" – name of the secret MD5 key.
To configure the key chain whose name is given by the "LINE" parameter, use the following commands in "config" mode:
RIP(config)# key chain WORD
RIP(config-keychain)# key <0-2147483647>
RIP(config-keychain-key)# key-string LINE
- "WORD" – key chain name
- "<0-2147483647>" - key ID
- "LINE" – secret md5 key.
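As an added illustration of why the two modes differ (example code written for this page, not the module's implementation), the following Python compares a constructed update carrying a clear-text password with one carrying a keyed MD5 digest, where the receiver looks the key up in a key chain by the key ID carried in the packet. The packet layout, `PAYLOAD` and `KEY_CHAIN` are constructed, the key ID is squeezed into one byte, and the digest is a simplified form of the RFC 2082 keyed-MD5 construction (MD5 over the message with the padded secret appended) rather than the exact on-wire format.

```python
"""Text vs. keyed-MD5 authentication of a constructed routing update (added example)."""
import hashlib
import hmac
from typing import Dict, Optional

# Constructed sample message and key chain; no real RIP-2 header/entry layout here.
PAYLOAD = b"constructed RIP-2 response: 10.1.0.0/16 metric 1; 10.2.0.0/16 metric 3"
KEY_CHAIN: Dict[int, bytes] = {1: b"constructed-secret-one", 2: b"constructed-secret-two"}
DIGEST_LEN = 16


def build_text(payload: bytes, password: bytes) -> bytes:
    """authentication mode text: the password is carried in the packet as-is."""
    if len(password) >= 16:
        raise ValueError("password must be shorter than 16 characters")
    return password.ljust(16, b"\0") + payload


def verify_text(wire: bytes, password: bytes) -> Optional[bytes]:
    ok = hmac.compare_digest(wire[:16], password.ljust(16, b"\0"))
    return wire[16:] if ok else None


def build_md5(payload: bytes, key_id: int, key_chain: Dict[int, bytes]) -> bytes:
    """authentication mode md5: only the key ID travels in clear; the key feeds the digest.
    (Key ID reduced to one byte here; the page allows <0-2147483647>.)"""
    header = bytes([key_id])
    digest = hashlib.md5(header + payload + key_chain[key_id].ljust(16, b"\0")).digest()
    return header + payload + digest


def verify_md5(wire: bytes, key_chain: Dict[int, bytes]) -> Optional[bytes]:
    """Return the payload if the digest matches the chain's key for the sent ID, else None."""
    if len(wire) < 1 + DIGEST_LEN:
        return None
    header, body, digest = wire[:1], wire[1:-DIGEST_LEN], wire[-DIGEST_LEN:]
    key = key_chain.get(header[0])
    if key is None:
        return None                       # key ID not in the chain: reject
    expected = hashlib.md5(header + body + key.ljust(16, b"\0")).digest()
    return body if hmac.compare_digest(expected, digest) else None


def demo() -> Dict[str, bool]:
    """The checks a defender would want to see, returned as a dict for inspection."""
    text_wire = build_text(PAYLOAD, b"s3cret")
    md5_wire = build_md5(PAYLOAD, 1, KEY_CHAIN)
    # An in-flight modification of the advertised metric (same length, digest untouched).
    tampered = md5_wire[:1] + md5_wire[1:-16].replace(b"metric 3", b"metric 1") + md5_wire[-16:]
    return {
        "text_password_on_wire": b"s3cret" in text_wire,
        "md5_key_on_wire": KEY_CHAIN[1] in md5_wire,
        "md5_valid": verify_md5(md5_wire, KEY_CHAIN) == PAYLOAD,
        "md5_tamper_detected": verify_md5(tampered, KEY_CHAIN) is None,
        "md5_unknown_key_rejected":
            verify_md5(build_md5(PAYLOAD, 2, KEY_CHAIN), {1: KEY_CHAIN[1]}) is None,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:28} {result}")
```

The text-mode packet contains the password bytes verbatim, which is the passive-attack exposure the text refers to; in md5 mode the wire carries only the key ID, a modified payload fails verification, and a key ID absent from the receiver's chain is rejected before any digest is computed.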
Timers configuration
The RIP protocol has several timers. Their values can be configured with the timers basic command. The default settings for the timers are as follows:
- The update timer is 30 seconds. Every update timer interval the RIP process is woken up to send an unsolicited Response message containing the complete routing table to all neighboring RIP routers.
- The timeout timer is 180 seconds. When the timeout expires the route is no longer valid; however, it is retained in the routing table for a short time so that neighbors can be notified that the route has been dropped.
- The garbage-collect timer is 120 seconds. When the garbage-collection timer expires the route is finally removed from the routing table.
The following command in "config-router" mode allows the default values of the timers listed above to be changed:
timers basic update timeout garbage
The no timers basic command will reset the timers to the default settings listed above:
no timers basic
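The following added Python model (written for this page, not ARIP code) ties the three timers together with the split-horizon rules from the configuration section above: a route refreshed by a neighbour's Responses is marked invalid (metric 16) when the timeout timer expires and is removed when the garbage-collection timer expires, and `advertisement()` shows what the periodic Response on a given interface contains under plain split horizon, poisoned reverse or neither. Class and function names are this example's own; the poisoned-reverse rule is implemented in the usual RIP form (routes obtained on an interface are sent back on it with metric 16), which is an assumption here, as is the per-hop cost of 1 in `learn()`.

```python
"""RIP route-table model: timers and split horizon (added example, not ARIP code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

UPDATE, TIMEOUT, GARBAGE = 30, 180, 120    # "timers basic" defaults from the text
INFINITY = 16                              # RIP "unreachable" metric


@dataclass
class Entry:
    prefix: str
    metric: int
    iface: Optional[str]              # interface the route was obtained from (None = local)
    last_update: int                  # time of the last Response that refreshed it
    deleted_at: Optional[int] = None  # set when the timeout timer expired


class RipTable:
    def __init__(self, update: int = UPDATE, timeout: int = TIMEOUT, garbage: int = GARBAGE):
        self.update, self.timeout, self.garbage = update, timeout, garbage
        self.routes: Dict[str, Entry] = {}

    def add_local(self, prefix: str, metric: int = 1) -> None:
        self.routes[prefix] = Entry(prefix, metric, None, 0)

    def learn(self, prefix: str, metric: int, iface: str, now: int) -> None:
        """A route from a neighbour's Response on iface; one hop is added (assumed cost 1)."""
        self.routes[prefix] = Entry(prefix, min(metric + 1, INFINITY), iface, now)

    def tick(self, now: int) -> List[str]:
        """Run the timeout and garbage-collection timers; returns the prefixes removed."""
        removed = []
        for prefix, e in list(self.routes.items()):
            if e.iface is None:
                continue                                    # local routes never time out
            if e.deleted_at is None and now - e.last_update >= self.timeout:
                e.metric, e.deleted_at = INFINITY, now      # invalid, kept to tell neighbours
            elif e.deleted_at is not None and now - e.deleted_at >= self.garbage:
                del self.routes[prefix]                     # finally removed
                removed.append(prefix)
        return removed

    def advertisement(self, out_iface: str, mode: str = "split-horizon") -> List[Tuple[str, int]]:
        """Routes sent in the periodic Response on out_iface; mode is "none",
        "split-horizon" (the default per the text) or "poisoned-reverse"."""
        adv = []
        for e in self.routes.values():
            if e.iface == out_iface and mode == "split-horizon":
                continue                                    # never back where it came from
            if e.iface == out_iface and mode == "poisoned-reverse":
                adv.append((e.prefix, INFINITY))            # sent back, but as unreachable
                continue
            adv.append((e.prefix, e.metric))
        return sorted(adv)


def simulate(neighbour_silent_after: int = 60) -> Dict[str, int]:
    """A neighbour on eth1 refreshes 10.1.0.0/16 every update period, then goes silent.
    Returns the times at which the route became invalid and was removed."""
    table, events = RipTable(), {}
    for now in range(0, 420, UPDATE):                       # one step per update period
        if now <= neighbour_silent_after:
            table.learn("10.1.0.0/16", 1, "eth1", now)
        removed = table.tick(now)
        entry = table.routes.get("10.1.0.0/16")
        if entry is not None and entry.deleted_at == now:
            events["invalid_at"] = now
        if "10.1.0.0/16" in removed:
            events["removed_at"] = now
    return events


if __name__ == "__main__":
    print(simulate())   # last refresh at t=60: invalid at 60+180=240, removed at 240+120=360
```

The timeline in `simulate()` follows directly from the defaults: the last refresh arrives at t=60, the timeout timer fires 180 s later and the route is advertised with metric 16 from then on, and the garbage-collection timer removes it another 120 s after that.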
Router configuration view
To review RIP configuration there are several commands in the basic mode of CS:
show access-list
This command shows information about access lists.
show memory
This command shows information about memory usage.
show rip
This command shows the current RIP configuration: timers, filters, version and the interfaces on which RIP is enabled.
show route
This command lists the routing table.