Category: RIPv2

RIPv2: Route Filtering

Outbound and Inbound RIPv2 update messages can be filtered at any interface or for the entire RIPv2 process.  To filter routes the distribute-list command is used under router rip to reference an ACL or Prefix list.  Any subnets matched with a permit clause in the ACL make it through, any that match the deny action are filtered.  Filtering can be controlled in either direction in/out and optionally for a specific interface.  If the interface is not specified all routes are filtered.

ripdistributelist.PNG

RIPv2: Offset Lists

RIPv2 Offset Lists allow you to add to a route’s metric either before sending an update or for routes received in an update.  The offset list refers to an ACL to match the routes, the router then address the defined offset to any matching routes.

Any routes not matched are unchanged, the offset list also defines which routing updates to examine by referring to a direction (in or out) and optionally an interface.  If interface is not defined all updates for the defined direction are examined.

ripoffsetlist.PNG

RIPv2: Authentication

RIPv2 authentication requires the use and creation of keys and also requires authentication to be enabled on an interface.  Keys can be clear text or encrypted with Md5.

Multiple keys are also allowed and are grouped using a key chain.  Key chains are just sets of related keys each of which has a different number and may be restricted for use during a specific time period.

RIPv2 is enabled on a per interface basis, referring to the key chain that holds the keys with the ip rip authentication key-chain subcommand.  The router looks at the keychain, selects the key(s) valid for that particular time, if multiple keys are available, the key with the lowest sequence number will be used.  if the authentication type command does not specify clear text or MD5 it will default to clear text.

When authentication is enabled the max number of network prefixes included in a RIP update goes down to 24 from 25, the reason is that hte first route entry in each RIPv2 message would carry 20 bytes of authentication data.

ripauthentication.PNG

RIPv2: Autosummarization

RIP uses autosummarization for network advertisement by default.  the RIPv2 network command only allows for a classful network as a parameter, which enables RIPv2 on all router interfaces that are part of that classful network.

Even if a subnet is entered as the network commands parameter the router will automatically compute the corresponding classful network address and store it in the configuration.  Enabling RIPv2 on router interfaces allows that port to send RIPv2 updates, listens for RIPv2 updates on UDP 520, and advertises that interfaces connected subnet.

Since there is no way to match one interface at a time, you can instead configure some interface specific RIPv2 commands to disable the features that are turned on once the subnet is included in the RIP network table.

  • Sending RIPv2 updates – you can disable this using the passive-interface command
  • Listening for RIPv2 updates – you can filter updates either with a distribute list on the RIPv2 process or drop all RIP traffic on an inbound ACL on the interface
  • Advertising the connected subnet – you can filter outbound advertisements with distribute lists.

To limit the devices  that receive RIP updates on a multiaccess network, you can use the neighbor <ip address> RIP subcommand.  This allows RIP to send unicast messages for updates as opposed to broadcast.  you could put the interface into passive mode and use the specific neighbor RIP configurations only for the neighbors you want to receive RIPv2 update messages.

RIPv2 allows for discontiguous networks but autosummarization must be disabled for that to work.

ripv2autosummary.PNG

RIPv2: Flushed After Timer

To prevent routes from lingering in the RIP RIB after it’s been determined that something is wrong with a specific network route, when no routing update has been received to remove the route.  The Flushed after timer begins when the invalid after timer begins. This timer is reset every time an update about a network from its next hop arrives and increments each second.  If the Flushed after timer reaches its limit the route is immediately flushed from the routing table/RIP RIB, and would be advertised as unreachable as well.

Since the Flushed after timer begins with the invalid after timer, the number of seconds the Flushed after timer waits to remove the route is 240 seconds.  The invalid after timer is 180 seconds, so the route will be flushed 60 seconds after the holddown timer begins, before it expires.  So effectively the holddown timer is 60 seconds as a result.

flushedafter.PNG

 

RIPv2: Holddown Timer

The Holddown mechanism is used to delay processing updates about a network whose reachability has become questionable, as the received updates might not yet contain up to date information.  Assume that a router suddenly stops receiving updates for a network from its only next hop neighbor to that network.  It has not yet been declared unreachable, instead updates from that next hop are simply lacking the vector information for that specific network.  This can happen for various reasons including:

  • Update might have been lost in transit or dropped
  • Next hop router might be turned off or crashed without the link going down
  • Next hop router might have started considering us as its own next hop and split horizon is taking effect
  • RIPv2 process may have been removed on the next hop router
  • Address summarization, route filtering, or passive interface may have been configured
  • next hop router might be running RIPv2 that does not support Route poisoning, so when a network goes down it simply no longer sends the network information in updates.

No matter what lack of information about a network from the next hop is ok for a short amount of time, but once that time is exceeded the router knows something happened to that network.  Once its determined this the router cannot accept updates from any neighbors for this network in an effort to not cause routing loops.  instead it gives other devices a certain amount of time to learn about the outage themselves and converge on a different path.  This is what the holddown timer is used for.

Cisco RIPv2 implement the Invalid After timer to reset updates about specific networks and begins after it stops receiving updates about that network. After the Invalid after timer runs out and invalidates the route, the Holddown timer begins and forces neighbors to find an alternative route by advertising the network with an infinite metric and locks the routing entry in the table so it cannot be updated during this time.

After the holddown timer expires the router unlocks the routing entry and converges through a neighbor that offers the lowest metric route to the network like usual.

holddowntimer.PNG

RIPv2: Triggered Updates

Triggered updates in RIPv2 are sent at the same moment a router detects a change in the reachability of a network, instead of waiting for the Update timer interval to expire.

  • Connecting to a new network
  • Learning about a new network
  • Disconnecting from a network
  • Learning about a networks unreachability

These will all trigger an update immediately and send advertisements about this change to neighbors.  The triggered update will only carry the affected networks information without listing all the other networks normally seen in the standard update messaging.

Triggered updates are also referred to as flash updates.

triggeredupdates.PNG

RIPv2: Route Poisoning

Route Poisoning is a mechanism used  to immediately remove routes that have become unreachable.  To accomplish this the router detecting the failure immediately sets the metric for the down network to Infinity (16) and advertises that route to its neighbors.  Routers that receive this advertisement from the router considered the next hop to that network immediately accept the route and remove it from their tables as well.

Even though the route has been removed from the routing table, the route will remain in RIPv2’s RIB for the duration of the flushed after and invalid after seconds.

loopavoidance

RIPv2: Split Horizon and Poisoned Reverse

Split Horizon is a well known principle not specific to RIPv2 it states that a network should never be advertised back over the interface that is used to reach that network.  In Cisco’s RIPv2 implementation Split Horizon is turned on by default except for physical frame relay and ATM interfaces.

Another version of Split Horizon that’s used with RIPv2 is the addition of the Poisoned Reverse mechanism.  This principle states that a network should always be explicitly advertised as unreachable over the interface that is used to reach that network.  In addition to its normal function of advertising networks across other interfaces except the interface it learned the route from….it actually does send an advertisement to the next hop router with an infinite metric, immediately flushing itself from being considered a next hop router for that network.

poisonedreverse.PNG

 

RIPv2: Counting to Infinity

One of the basic working principles of distance vector routing states that devices must exchange lists (vectors) of known networks and their distances.  For each network advertised a router chooses the neighbor providing the least total metric as the next hop and installs that network into the routing table ignoring the other advertised routes.

The only exception to this rule is if the next hop router for a network starts advertising higher distance metrics.  The receiving router will immediately accept the route and update its total distance to the network in the routing table. It will then advertise the updated metrics to all its neighbors as well.  Only subsequent advertisements with lower metrics will cause the existing route to be removed, also the logic of this is if a next hop has become more distant from the destination than it was previously, so have all routers/networks that still traverse this next hop.

This goes into the logic of Counting to Infinity.  Assume two neighbors are pointing to each other in a tight routing loop for a network.  If router A advertises the network with a metric of 1, Router B will advertise that network with a metric of 2.  Because router b is router A’s next hop, it immediately accepts the route and updates its metric.  Then the process starts over, Router A advertises with a metric of 3, then router B updates its table and advertises a metric of 4….this process can go on an infinite amount of times, hence the term counting to infinity.

Since RIPv2 understands the concept of an infinite metric (a metric that represents an unreachable network) this process is able to be broken once that metric has been reached.  Breaking the loop.  This can be a slow process but it is a result of the way the distance vector protocol behaves and the infinite metric is a consequence of this behavior.

countingtoinfinite.PNG