Passive Interfaces

The passive interface feature works differently in RIP than in other routing protocols:

Router(config-router)# passive-interface {interface-id | default}

• In RIP, a passive interface stops sending routing updates but continues processing incoming updates

• Unlike EIGRP and OSPF (which form neighbor relationships first), RIP will still:

  • Learn routes received on passive interfaces

  • Add these routes to the routing table

  • Process incoming RIP updates normally

• This behavior differs from other routing protocols where passive interfaces prevent neighbor relationships from forming entirely

• Using passive-interface default makes all interfaces passive, requiring you to selectively enable interfaces where you want updates sent

Maximum Paths

RIP supports equal-cost multi-path routing for load balancing:

Router(config-router)# maximum-paths <1-32>

• By default, most routers install up to 4 equal-cost paths (varies by IOS version and platform)

• You can increase this value up to 32 (platform-dependent) to utilize more equal-cost paths

• Setting this value to 1 effectively disables load balancing, using only the first learned path

• Equal-cost paths must have identical hop counts to be considered for load balancing

• This command affects only how routes are installed in the routing table, not how they're propagated

Administrative Distance

You can modify the administrative distance of RIP routes:

Router(config-router)# distance <1-255>
Router(config-router)# distance <1-255> <source-ip> <wildcard-mask>
Router(config-router)# distance <1-255> <source-ip> <wildcard-mask> <acl-number>

• The default administrative distance for RIP is 120

• Changes to administrative distance are locally significant (affect only the current router)

• Routes must age out and be relearned for distance changes to take effect

• You can specify different distances for routes learned from specific neighbors

• Using an ACL with the distance command allows you to selectively modify the AD for specific routes

• Only standard ACLs are supported with this command

Default Route Advertisement

RIP can propagate default routes throughout the network:

Router(config-router)# default-information originate

• Enables the router to advertise a default route (0.0.0.0/0) to its neighbors

• Unlike OSPF, RIP can advertise a default route even if one doesn't exist in the local routing table

• Useful in hub-and-spoke topologies where only one router connects to an external network

• Provides a simple way to propagate default routing information in small networks

• When enabled, other routers in the RIP domain will install a default route pointing to the advertising router

RIP Authentication

RIP version 1 does not support authentication, but RIPv2 and RIPv3 provide authentication capabilities to enhance security. Here's how to configure RIP authentication:

Authentication Configuration

! Step 1: Create a key chain
Router(config)# key chain <name>
Router(config-keychain)# key <number>
Router(config-keychain-key)# key-string <password>

! Step 2: Configure authentication on the interface
Router(config-if)# ip rip authentication mode {text | md5}
Router(config-if)# ip rip authentication key-chain <name>

Authentication Types
RIPv2 supports two authentication methods:

1. Plain Text Authentication

   • Passwords are sent in clear text format in each RIPv2 packet

   • Provides minimal security (easily captured with packet analyzers)

   • Simple to configure but not recommended for production environments

2. MD5 Authentication

   • Passwords are encrypted using MD5 hashing algorithm

   • Much more secure than plain text authentication

   • Recommended for production environments

   • Both routers must use matching key numbers and key strings

Key Chain Features

• Key chains are configured globally on the router

• Multiple keys can be defined within a single key chain

• Each key requires a unique key number

• Key numbers must match between neighboring routers

• You can configure time-based passwords with accept-lifetime and send-lifetime options

• This allows for scheduled password rotation without disrupting routing

Router(config-keychain-key)# accept-lifetime start-time {infinite | end-time | duration seconds}
Router(config-keychain-key)# send-lifetime start-time {infinite | end-time | duration seconds}

Troubleshooting Authentication

If authentication fails, routers will not establish RIP adjacencies. Use the following command to diagnose authentication issues:

Router# debug ip rip

This will display authentication failures and other RIP-related messages.

Authentication Best Practices

• Always use MD5 authentication instead of plain text

• Implement a key rotation schedule in production environments

• Use different passwords for different network segments

• Document key numbers and their corresponding valid time periods

• Remove expired keys from the configuration after their lifetime ends

• Consider using authentication with passive interfaces for greater security

Authentication adds an important security layer to your RIP deployment, helping prevent unauthorized routers from injecting malicious routes into your network.

RIP Offset Lists

Offset lists allow you to manipulate RIP metrics to influence traffic paths. In distance vector protocols like RIP and EIGRP, this is a powerful tool for traffic engineering.

Router(config-router)# offset-list {access-list-number | name} {in | out} offset [interface-type interface-number]

Understanding Offset Lists

• Offset lists artificially increase the hop count of routes to manipulate path selection

• Since RIP uses only hop count as its metric, offset lists are particularly valuable for traffic engineering

• An offset value of 1 adds one hop to the route's metric, making it appear one router further away

• You can apply different offsets to incoming updates (in) or outgoing updates (out)

Configuration Options

• Use access list number 0 to match all routes

• Use a standard ACL to selectively match specific routes

• Specify an interface to apply the offset only on that interface

• When no interface is specified, the offset applies to all interfaces

Example Configurations

! Add 1 to the metric of all incoming routes on FastEthernet 0/0
Router(config-router)# offset-list 0 in 1 fastEthernet 0/0

! Add 2 to the metric of routes matching ACL 10 on all interfaces
Router(config-router)# offset-list 10 in 2

! Add 3 to the metric of specific routes in outgoing updates
Router(config-router)# ip access-list standard OFFSET-ROUTES
Router(config-std-nacl)# permit 192.168.10.0 0.0.0.255
Router(config-router)# offset-list OFFSET-ROUTES out 3

Important Notes

• Only standard ACLs are allowed with RIP offset lists

• Offset values can range from 0 to 16 (with 16 being infinity/unreachable)

• Offset lists affect how routes are advertised but don't change the actual hop count in the network

• Changes take effect immediately for new updates but may require route invalidation and relearning for existing routes

Practical Applications

• Shift traffic away from certain paths without changing physical topology

• Create primary and backup paths through the network

• Balance traffic across redundant links with unequal costs

• Work around limitations in networks where you can't modify infrastructure

Offset lists provide a simple yet effective way to influence routing decisions in RIP networks, allowing for basic traffic engineering even with RIP's limited metric system.

These additional configuration options allow for more granular control of RIP behavior in your network, enhancing security, optimizing path selection, and simplifying routing in specific scenarios.

Leave a comment