RIP

This chapter describes how to configure the Firewall Threat Defense to route data, perform authentication, and redistribute routing information, using the Routing Information Protocol (RIP). For a device using virtual routing, you can configure RIP only for its global virtual router and not for its user-defined virtual router.

RIP

RIP is a distance-vector routing protocol that

  • uses hop count as the metric for path selection,

  • exchanges RIP broadcasts with neighboring devices to dynamically learn and advertise routes, and

  • includes four basic components: routing update process, RIP routing metrics, routing stability, and routing timers.

RIP characteristics and versions

The Routing Information Protocol (RIP) is one of the most enduring routing protocols. It sends routing updates periodically and during topology changes. The packets that RIP sends include network reachability and hop count to destinations. RIP generates more traffic and is easier to configure than OSPF. It supports both Version 1 and 2.

The Secure Firewall Threat Defense device supports both RIP Version 1 and RIP Version 2. RIP Version 1 does not send subnet masks with its updates, while Version 2 supports variable-length subnet masks and neighbor authentication to ensure trusted routing information exchanges.

RIP offers simple configuration and adapts to topology changes, unlike static routes, which require updates for each change. However, it incurs higher network and processing overhead compared to static routing.

How RIP routing updates work

Summary

Key components in the RIP routing update process include:

  • RIP routers: Send and receive routing update messages to maintain network topology information

  • Routing tables: Store the best routes to destinations with associated metric values

  • Routing update messages: Contain network topology changes and route information

  • Metric values: Determine the best path, with routers maintaining only the lowest metric route

Workflow

The process involves these stages:

  1. RIP routers send routing-update messages at regular intervals and when the network topology changes.
  2. When a router receives a routing update that includes changes to an entry, it updates its routing table to reflect the new route. The metric value for the path is increased by 1, and the sender is indicated as the next hop.
  3. RIP routers maintain only the best route to a destination, which is the route with the lowest metric value.
  4. After updating its routing table, the router immediately begins transmitting routing updates to inform other network routers of the change. These updates are sent independently of the regularly scheduled updates that RIP routers send.

RIP routing metric

A RIP routing metric is a network measurement that

  • measures the distance between the source and a destination network,

  • assigns a hop count value, typically 1, to each hop in a network path from the source to the destination, and

  • modifies the routing table upon receiving new routing data, using the sender's IP address as the next hop.

RIP stability features (concept)

A RIP stability feature is a routing mechanism that

  • prevents routing loops by setting a limit on the number of hops in a path from source to destination,

  • provides stability despite potentially rapid changes in network topology, and

  • includes split horizon and hold-down mechanisms to prevent incorrect routing information propagation.

Additional stability mechanisms

The maximum number of hops allowed in a path is 15. If a routing update contains a new or changed entry and increasing its metric value brings it to infinity (16), the network destination is considered unreachable. This stability mechanism limits the maximum diameter of a RIP network to fewer than 16 hops.
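The update workflow and the hop limit described above can be expressed as a small routing-table update function. This is an added example, not code from the original page or from the product; the function names and sample addresses are hypothetical, and the rule that a change from the current next hop is always accepted is standard distance-vector behavior from RFC 2453 rather than something stated on this page.

```python
INFINITY = 16  # metric value that marks a destination as unreachable


def process_update(table, sender, advertised):
    """Apply one RIP update to `table` and return the destinations that changed.

    table:      {destination: (metric, next_hop)}
    advertised: {destination: metric as advertised by `sender`}
    A non-empty return value is what would cause a triggered update.
    """
    changed = []
    for dest, adv_metric in advertised.items():
        metric = min(adv_metric + 1, INFINITY)  # add one hop, cap at infinity
        current = table.get(dest)
        if current is None:
            if metric < INFINITY:  # never install an unreachable route
                table[dest] = (metric, sender)
                changed.append(dest)
        elif current[1] == sender:
            # A change reported by the current next hop is accepted even if worse
            # (assumption taken from RFC 2453, not from this page).
            if metric != current[0]:
                table[dest] = (metric, sender)
                changed.append(dest)
        elif metric < current[0]:  # keep only the lowest-metric route
            table[dest] = (metric, sender)
            changed.append(dest)
    return changed


def demo():
    # Constructed sample data using documentation address ranges.
    table = {"10.1.0.0/16": (3, "192.0.2.1")}
    first = process_update(
        table, "192.0.2.2",
        {"10.1.0.0/16": 1, "10.2.0.0/16": 15, "10.3.0.0/16": 4},
    )
    # The new next hop later reports the destination as unreachable.
    second = process_update(table, "192.0.2.2", {"10.1.0.0/16": 16})
    return table, first, second


if __name__ == "__main__":
    print(demo())
```

In the sample, the route advertised with metric 15 is never installed because adding one hop reaches 16, and the route that later arrives with metric 16 from its own next hop is marked unreachable rather than kept at its old metric.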

RIP timers

A RIP timer is a network protocol mechanism that

  • regulates RIP performance through timed intervals for routing updates and route management,

  • controls when routes are marked invalid, placed in holddown, or flushed from the routing table, and

  • helps prevent network congestion by managing the timing of routing updates across devices.

RIP timer stages

RIP uses numerous timers to regulate its performance. These are the timer stages for RIP:

  • Update—The routing-update timer is the interval between periodic routing updates. This is how often the device sends routing updates. It is generally set to 30 seconds, with a small random delay added to prevent simultaneous route updates.

  • Invalid—Each routing table entry has a route-timeout timer for the last valid update. When this timer expires, the route is marked invalid and moves to holddown. The default is 180 seconds (3 minutes).

  • Holddown—The period the system waits before accepting any new updates for invalid routes. The default is 180 seconds (3 minutes).

  • Flush—The route-flush timer marks the period from when the system receives the last valid update until the route is discarded and removed from the routing table. The default is 240 seconds (4 minutes).

RIP timer sequence when adjacent router interface goes down

When an adjacent router goes down, routing updates stop, and the Invalid and Flush timers start increasing. In the first 180 seconds, nothing happens. After 180 seconds, the Invalid timer expires, the route is marked invalid, and the Holddown timer begins, holding the route for 60 seconds. If there is no routing update on the adjacent router's status (that is, it is still down), the route enters the Flush state, where the system has waited a total of 240 seconds from the last update (180 seconds for the Invalid timer and 60 seconds for the Holddown timer), and the system flushes the route. Even if the adjacent router's interface comes up immediately, the system waits for the Holddown timer to complete the 120-second period before accepting updates.

Requirements and prerequisites for RIP

This reference provides the requirements and prerequisites necessary for configuring RIP on supported firewall models.

Model support

Firewall Threat Defense

Firewall Threat Defense Virtual

Supported domains

Any

User roles

Admin

Network Admin

Guidelines for RIP

Context mode guidelines

IPv6 guidelines

RIP does not support IPv6.

RIP version 2 guidelines

Consider these guidelines for RIP Version 2 configuration:

  • If using neighbor authentication, the authentication key and key ID must be the same on all neighbor devices that provide RIP Version 2 updates to the interface.

  • With RIP Version 2, the Secure Firewall Threat Defense device transmits and receives default route updates using the multicast address 224.0.0.9. In passive mode, it receives route updates at that address.

  • When RIP Version 2 is configured on an interface, the multicast address 224.0.0.9 is registered on that interface. When a RIP Version 2 configuration is removed from an interface, that multicast address is unregistered.

RIP limitations

These are the limitations of RIP:

  • The Secure Firewall Threat Defense device cannot pass RIP updates between interfaces.

  • RIP Version 1 does not support variable-length subnet masks.

  • RIP has a maximum hop count of 15. A route with a hop count greater than 15 is considered unreachable.

  • RIP convergence is relatively slow compared to other routing protocols.

  • You can only enable a single RIP process on the Secure Firewall Threat Defense device.

Configure RIP

RIP is a distance-vector routing protocol that uses hop count as the metric for path selection.

Procedure


Step 1

Choose Devices > Device Management, and edit the Firewall Threat Defense device.

Step 2

Select Routing.

Step 3

Select RIP from the table of contents.

Step 4

Check the Enable RIP check box to configure the RIP settings.

Step 5

Choose the RIP versions for sending and receiving RIP updates from the RIP Version drop-down list.

Step 6

(Optional) Check the Generate Default Route check box to generate a default route for distribution, based on the route map that you specify.

  1. Specify a route map name to use for generating default routes, in the Route Map field.

    The default route 0.0.0.0/0 is generated for distribution over a certain interface when the route map specified in the Route Map field is present.

Step 7

When Send and Receive Version 2 is the chosen RIP Version, the Enable Auto Summary option is available. When the Enable Auto Summary check box is checked, automatic route summarization is enabled. Disable automatic summarization if you must perform routing between disconnected subnets. When automatic summarization is disabled, subnets are advertised.

Note

RIP Version 1 always uses automatic summarization; you cannot disable it.

Step 8

Click Networks. Define one or more networks for RIP routing. Enter IP address(es), or enter or select the desired Network/Hosts objects. There is no limit to the number of networks you can add to the security appliance configuration. Any interface that belongs to a network defined here participates in the RIP routing process. RIP routing updates are sent and received only through interfaces on the specified networks. Also, if the network of an interface is not specified, the interface is not advertised in any RIP updates.

Note

RIP only supports IPv4 objects.

Step 9

(Optional) Click Passive Interface. Use this option to specify passive interfaces on the appliance, and by extension the active interfaces. The device listens for RIP routing broadcasts on passive interfaces, using that information to populate its routing tables, but does not broadcast routing updates on passive interfaces. Interfaces that are not designated as passive receive and send updates.

Step 10

Click Redistribution to manage redistribution routes. These are the routes that are being redistributed from other routing processes into the RIP routing process.

  1. Click Add to specify redistribution routes.

  2. In the Protocol drop-down list, choose the routing protocol to redistribute into the RIP routing process.

    Note

    For the OSPF protocol, specify a process ID. Similarly, specify an AS path for BGP. When you choose the Connected option in the Protocol drop-down list, you can redistribute directly connected networks into the RIP routing process.

  3. (Optional) If you are redistributing OSPF routes into the RIP routing process, you can select specific types of OSPF routes to redistribute in the Match drop-down list. Ctrl-click to select multiple types:

    • Internal – Routes internal to the autonomous system (AS) are redistributed.

    • External 1 – Type 1 routes external to the AS are redistributed.

    • External 2 – Type 2 routes external to the AS are redistributed.

    • NSSA External 1 – Type 1 routes external to a not-so-stubby area (NSSA) are redistributed.

    • NSSA External 2 – Type 2 routes external to an NSSA are redistributed.

    Note

    The default is match Internal, External 1, and External 2.

  4. In the Metric drop-down list, select the RIP metric type to apply to the redistributed routes. The choices are:

    • Transparent – Use the current route metric.

    • Specified Value – Assign a specific metric value. Enter a value from 0 to 16 in the Metric Value field.

    • None – No metric is specified. No metric value is applied to redistributed routes.

    Note

    The None option is applicable only for the Static and Connected protocols.

  5. (Optional) In the Route Map field, enter the name of a route map that must be satisfied before the route can be redistributed into the RIP routing process. Routes are redistributed only if the IP address matches an allow statement in the route map address list. To create a new route map object, click Add (add icon). See Configure Route Map Entry for the procedure to add a new route map.

  6. Click OK.

Step 11

(Optional) Click Filtering to manage filters for the RIP policy. In this section, filters are used to prevent routing updates through an interface, control the advertising of routes in routing updates, control the processing of routing updates, and filter the sources of routing updates.

  1. Click Add to add RIP filters.

  2. In the Traffic Direction field, select the type of traffic to be filtered: Inbound or Outbound.

    Note

    If traffic direction is inbound, you can only define an Interface filter.

  3. Specify whether the filter is based on an Interface or a Route by selecting the appropriate option in the Filter On field. If you click Interface, enter or choose the name of the interface on which routing updates are to be filtered. If you click Route, choose the route type:

    • Static – Only static routes are filtered.

    • Connected – Only connected routes are filtered.

    • OSPF – Only OSPFv2 routes discovered by the specified OSPF process are filtered. Enter the Process ID of the OSPF process to be filtered.

    • BGP – Only BGPv4 routes discovered by the specified BGP process are filtered. Enter the AS path of the BGP process to be filtered.

  4. In the Access List field, enter or choose the name of one or more access control lists (ACLs) that define the networks to be allowed or removed from RIP route advertisements. To add a new standard access list object, click Add (add icon) and see Configure Standard ACL Objects.

  5. Click OK.

Step 12

(Optional) Click Broadcast to add or edit interface configurations. Using Broadcast, you can override the global RIP versions to send or receive per interface. You can also define the authentication parameters per interface if you want to implement authentication to ensure valid RIP updates.

  1. Click Add to add interface configurations.

  2. Enter or choose an interface defined on this appliance in the Interface field.

  3. In the Send option, select the appropriate boxes to specify sending updates using RIP Version 1, Version 2, or both. These options let you override, for the specified interface, the global Send versions specified.

  4. In the Receive option, select the appropriate boxes to specify accepting updates using RIP Version 1, Version 2, or both. These options let you override, for the specified interface, the global Receive versions specified.

  5. Select the Authentication used on this interface for RIP broadcasts.

    • None – No authentication.

    • MD5 – Employ MD5.

    • Clear Text – Employ clear-text authentication.

    If you choose MD5 or Clear Text, you must also provide the following authentication parameters.

    • Key ID – The ID of the authentication key. Valid values are from 0 to 255.

    • Key – The key used by the chosen authentication method. Can contain up to 16 characters.

    • Confirm – Enter the authentication key again, to confirm.

  6. Click OK.
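To check that neighbors actually send what the per-interface authentication setting and the matching key ID guideline require, the following added example classifies the authentication carried in captured RIP updates and reports mismatches. It is not code from the original page or from the product; it assumes the RIP Version 2 entry layouts from RFC 2453 (clear text, type 2) and RFC 2082 (MD5, type 3), the function names are hypothetical, and the packets are constructed samples with the MD5 trailer omitted.

```python
import struct

AUTH_NAMES = {2: "clear-text", 3: "md5"}  # authentication types in the first entry


def classify_auth(packet: bytes) -> dict:
    """Return the version, authentication type and key ID (MD5 only) of a RIP message."""
    if len(packet) < 4:
        raise ValueError("truncated RIP header")
    _command, version, _zero = struct.unpack("!BBH", packet[:4])
    result = {"version": version, "auth": "none", "key_id": None}
    # RIP Version 1 has no authentication; in Version 2 it is always the first entry.
    if version == 2 and len(packet) >= 24:
        afi, auth_type = struct.unpack("!HH", packet[4:8])
        if afi == 0xFFFF:
            result["auth"] = AUTH_NAMES.get(auth_type, f"unknown({auth_type})")
            if auth_type == 3:
                # MD5 entry: packet length, key ID, auth data length, sequence number
                _plen, key_id, _alen, _seq = struct.unpack("!HBBI", packet[8:16])
                result["key_id"] = key_id
    return result


def audit(updates, expected_auth, expected_key_id=None):
    """Return (sender, reason) for each update that does not match the interface policy."""
    findings = []
    for sender, packet in updates:
        info = classify_auth(packet)
        if info["auth"] != expected_auth:
            findings.append((sender, f"auth is {info['auth']}, expected {expected_auth}"))
        elif expected_auth == "md5" and info["key_id"] != expected_key_id:
            findings.append((sender, f"key ID {info['key_id']}, expected {expected_key_id}"))
    return findings


def md5_entry(key_id):
    # 20-byte MD5 authentication entry for the constructed samples only.
    return struct.pack("!HHHBBI8x", 0xFFFF, 3, 44, key_id, 20, 1)


HDR = struct.pack("!BBH", 2, 2, 0)  # command 2 (response), version 2
ROUTE = struct.pack("!HH4s4s4sI", 2, 0, bytes([10, 1, 0, 0]),
                    bytes([255, 255, 0, 0]), bytes(4), 1)
SAMPLE_UPDATES = [  # constructed packets; senders use documentation addresses
    ("192.0.2.1", HDR + md5_entry(5) + ROUTE),
    ("192.0.2.2", HDR + md5_entry(7) + ROUTE),
    ("192.0.2.3", HDR + struct.pack("!HH16s", 0xFFFF, 2, b"x" * 16) + ROUTE),
    ("192.0.2.4", HDR + ROUTE),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_UPDATES, "md5", 5):
        print(finding)
```

With an expected policy of MD5 and key ID 5, the sample flags the neighbor using key ID 7, the neighbor sending clear-text authentication, and the neighbor sending no authentication at all.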