-
Cisco IOS IP Routing Protocols Configuration Guide, Release 12.4T
-
Part 1: BGP
-
BGP Features Roadmap
-
Cisco BGP Overview
-
Configuring a Basic BGP Network
-
Connecting to a Service Provider Using External BGP
-
Configuring BGP Neighbor Session Options
-
Configuring Internal BGP Features
-
Configuring Advanced BGP Features
-
Configuring Multiprotocol BGP (MP-BGP) Support for CLNS
-
BGP Link Bandwidth
-
iBGP Multipath Load Sharing
-
BGP Multipath Load Sharing for Both eBGP and iBGP in an MPLS-VPN
-
Loadsharing IP Packets Over More Than Six Parallel Paths
-
BGP Policy Accounting
-
BGP Policy Accounting Output Interface Accounting
-
BGP Cost Community
-
Regex Engine Performance Enhancement
-
BGP Support for IP Prefix Import from Global Table into a VRF Table
-
BGP per Neighbor SoO Configuration
-
Per-VRF Assignment of BGP Router ID
-
- Part 2: Bidirectional Forwarding Detection
- Part 3: EIGRP
-
Part 4: Integrated IS-IS
-
Integrated IS-IS Features Roadmap
-
Integrated IS-IS Routing Protocol Overview
-
Configuring a Basic IS-IS Network
-
Customizing IS-IS for Your Network Design
-
Configuring IS-IS for Fast Convergence
-
Overview of IS-IS Fast Convergence
-
Setting Best Practice Parameters for IS-IS Fast Convergence
-
Reducing Failure Detection Times in IS-IS Networks
-
Reducing Link Failure and Topology Change Notification Times in IS-IS Networks
-
Reducing Alternate-Path Calculation Times in IS-IS Networks
-
Enhancing Security in an IS-IS Network
-
-
- Part 5: ODR
-
Part 6: OSPF
-
Configuring OSPF
-
OSPF ABR Type 3 LSA Filtering
-
OSPF Stub Router Advertisement
-
OSPF Update Packet-Pacing Configurable Timers
-
OSPF Sham-Link Support for MPLS VPN
-
OSPF Retransmissions Limit
-
OSPF Support for Multi-VRF on CE Routers
-
OSPF Forwarding Address Suppression in Translated Type-5 LSAs
-
OSPF Inbound Filtering Using Route Maps with a Distribute List
-
OSPF Shortest Path First Throttling
-
OSPF Support for Fast Hello Packets
-
OSPF Incremental SPF
-
OSPF Limit on Number of Redistributed Routes
-
OSPF Link-State Advertisement (LSA) Throttling
-
OSPF Support for Unlimited Software VRFs per Provider Edge (PE) Router
-
OSPF Area Transit Capability
-
OSPF Per-Interface Link-Local Signaling
-
OSPF Link-State Database Overload Protection
-
OSPF Enhanced Traffic Statistics for OSPFv2 and OSPFv3
-
OSPF MIB Support of RFC 1850 and Latest Extensions
-
OSPF: SNMP ifIndex Value for Interface ID in OSPFv2 and OSPFv3 Data Fields
-
OSPF RFC 3623 Graceful Restart Helper Mode
-
OSPF Mechanism to Exclude Connected IP Prefixes from LSA Advertisements
-
OSPFv2 Local RIB
-
- Part 7: Protocol-Independent Routing
- Part 8: RIP
-
Part 1: BGP
Table Of Contents
Prerequisites for IP-RIP Delay Start
Restrictions for IP-RIP Delay Start
Information About Neighbor Router Authentication and About IP-RIP Delay Start
Neighbor Router Authentication
How to Configure IP-RIP Delay Start for Routers Connected by a Frame Relay Network
Configuring Frame Relay on a Serial Subinterface
Configuration Examples for IP-RIP Delay Start
Configuring IP-RIP Delay Start on a Frame Relay Interface: Example
Feature Information for IP-RIP Delay Start
IP-RIP Delay Start
First Published: November 17th, 2006Last Updated: November 17th, 2006Some non-Cisco routers will not allow an MD5-authenticated RIPv2 neighbor session to start when the sequence number of the first MD5 packet received from the Cisco router is greater than 0. The IP-RIP Delay Start feature is used on Cisco routers to delay the initiation of RIPv2 neighbor sessions until the network connectivity between the neighbor routers is fully operational, thereby ensuring that the sequence number of the first MD5 packet that the router sends to the non-Cisco neighbor router is 0.
Finding Feature Information in This Module
Your Cisco IOS software release may not support all of the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To reach links to specific feature documentation in this module and to see a list of the releases in which each feature is supported, use the "Feature Information for IP-RIP Delay Start" section.
Finding Support Information for Platforms and Cisco IOS and Catalyst OS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
Prerequisites for IP-RIP Delay Start
•
•
•
•
•
Prerequisites for IP-RIP Delay Start
Your router must be running Cisco IOS Release 12.4(12) or a later release.
Restrictions for IP-RIP Delay Start
The IP-RIP Delay Start feature is required only when your Cisco router is configured to establish a RIPv2 neighbor relationship with a non-Cisco device and you want to use MD5 neighbor authentication.
Information About Neighbor Router Authentication and About IP-RIP Delay Start
For more information about neighbor router authentication and the IP-RIP Delay Start feature, see the following sections:
•
Neighbor Router Authentication
You can prevent your router from receiving fraudulent route updates by configuring neighbor router authentication. When configured, neighbor authentication occurs whenever routing updates are exchanged between neighbor routers. This authentication ensures that a router receives reliable routing information from a trusted source.
Without neighbor authentication, unauthorized or deliberately malicious routing updates could compromise the security of your network traffic. A security compromise could occur if an unfriendly party diverts or analyzes your network traffic. For example, an unauthorized router could send a fictitious routing update to convince your router to send traffic to an incorrect destination. This diverted traffic could be analyzed to learn confidential information about your organization or merely used to disrupt your organization's ability to effectively communicate using the network. Neighbor authentication prevents any such fraudulent route updates from being received by your router.
When neighbor authentication has been configured on a router, the router authenticates the source of each routing update packet that it receives. This is accomplished by the exchange of an authenticating key (sometimes referred to as a password) that is known to both the sending and the receiving router.
There are two types of neighbor authentication used: plain text authentication and Message Digest Algorithm Version 5 (MD5) authentication. Both forms work in the same way, with the exception that MD5 sends a "message digest" instead of the authenticating key itself. The message digest is created using the key and a message, but the key itself is not sent, preventing it from being read while it is being transmitted. Plain text authentication sends the authenticating key itself over the wire.
Note
In plain text authentication, each participating neighbor router must share an authenticating key. This key is specified at each router during configuration. Multiple keys can be specified with some protocols; each key must then be identified by a key number.
In general, when a routing update is sent, the following authentication sequence occurs:
Step 1
Step 2
Step 3
MD5 authentication works similarly to plain text authentication, except that the key is never sent over the wire. Instead, the router uses the MD5 algorithm to produce a "message digest" of the key (also called a "hash"). The message digest is then sent instead of the key itself. This ensures that nobody can eavesdrop on the line and learn keys during transmission.
Another form of neighbor router authentication is to configure key management using key chains. When you configure a key chain, you specify a series of keys with lifetimes, and the Cisco IOS software rotates through each of these keys. This decreases the likelihood that keys will be compromised. To find complete configuration information for key chains, refer to the "Managing Authentication Keys" section in the "Configuring IP Routing Protocol-Independent Features" module of the Cisco IOS IP Configuration Guide.
IP-RIP Delay Start
The IP-RIP Delay Start feature is used on Cisco routers to delay the initiation of RIPv2 neighbor sessions until the network connectivity between the neighbor routers is fully operational, thereby ensuring that the sequence number of the first MD5 packet that the router sends to the non-Cisco neighbor router is 0. The default behavior for a router configured to establish RIPv2 neighbor sessions with a neighbor router using MD5 authentication is to start sending MD5 packets when the physical interface is up.
Frame Relay
The IP-RIP Delay Start feature is often used when a Cisco router is configured to establish a RIPv2 neighbor relationship using MD5 authentication with a non-Cisco device over a Frame Relay network. When RIPv2 neighbors are connected over Frame Relay, it is possible for the serial interface connected to the Frame Relay network to be up while the underlying Frame Relay circuits are not yet ready to transmit and receive data. When a serial interface is up and the Frame Relay circuits are not yet operational, any MD5 packets that the router attempts to transmit over the serial interface are dropped. When MD5 packets are dropped because the Frame Relay circuits over which the packets need to be transmitted are not yet operational, the sequence number of first MD5 packet received by the neighbor router after the Frame Relay circuits become active will be greater than 0. Some non-Cisco routers will not allow an MD5-authenticated RIPv2 neighbor session to start when the sequence number of the first MD5 packet received from the other router is greater than 0.
The differences in vendor implementations of MD5 authentication for RIPv2 are probably a result of the ambiguity of the relevant RFC (RFC #2082) with regards to packet loss. RFC #2082 suggests that routers should be ready to accept either a sequence number of 0 or a sequence number higher than the last sequence number received. For more information about MD5 message reception for RIPv2, see section 3.2.2 of RFC #2082 at the following url: http://www.ietf.org/rfc/rfc2082.txt.
Timesaver
Note
How to Configure IP-RIP Delay Start for Routers Connected by a Frame Relay Network
The tasks in this section explain how to configure a router to use the IP-RIP Delay Start feature on a Frame Relay interface.
•
•
Configuring RIPv2
This required task configures RIPv2 on the router.
This task provides instructions for only one of the many possible permutations for configuring RIPv2 on your router. For more information about and instructions for configuring RIPv2, see the "Configuring Routing Information Protocol" chapter of the Cisco IOS IP Routing Protocols Configuration Guide.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Configuring Frame Relay on a Serial Subinterface
This required task configures a serial subinterface for Frame Relay.
Note
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
DETAILED STEPS
Configuring IP, MD5 Authentication for RIPv2 and the IP-RIP Delay Start Feature on a Frame Relay Subinterface
This required task configures IP, MD5 authentication for RIPv2 and the IP-RIP Delay Start feature on a Frame Relay subinterface.
Authentication Key Management
Key management is a method of controlling authentication keys used by routing protocols. The steps for configuring an authentication key are included in this task. For more information about managing authentication keys see the "Managing Authentication Keys" section of the "Configuring IP Routing Protocol-Independent Features."
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
DETAILED STEPS
Configuration Examples for IP-RIP Delay Start
The following example shows you how to configure the IP-RIP Delay Start feature on a Frame Relay interface.
•
Configuring IP-RIP Delay Start on a Frame Relay Interface: Example
This excerpt from a router configuration file contains the minimum commands required to configure the IP-RIP Delay Start feature on your router.
!key chain rip-md5key 123456key-string abcde!router ripversion 2network 172.16.0.0no auto-summary!interface Serial3/0no ip addressencapsulation frame-relay ietfframe-relay lmi-type ansi!interface Serial3/0.1 point-to-pointip address 172.16.10.1 255.255.255.0ip rip initial-delay 45ip rip authentication mode md5ip rip authentication key-chain rip-md5frame-relay interface-dlci 100!
Additional References
The following sections provide references related to the IP-RIP Delay Start feature.
Related Documents
Configuring RIP
Configuring protocol-independent routing features
Configuring Frame Relay
Standards
MIBs
RFCs
Technical Assistance
Command Reference
The following commands are introduced or modified in the feature or features documented in this module. For information about these commands, see the Cisco IOS IP Routing Protocols Command Reference at http://www.cisco.com/en/US/docs/ios/iproute/command/reference/irp_book.html. For information about all Cisco IOS commands, go to the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup or to the Cisco IOS Master Commands List.
•
Feature Information for IP-RIP Delay Start
Table 1 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
CCDE, CCVP, Cisco Eos, Cisco StadiumVision, the Cisco logo, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn is a service mark; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0801R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2006-2008 Cisco Systems, Inc. All rights reserved.
