Example: Configuring Route Authentication for RIP using multiple MD5 keys


This example shows how to configure authentication for a RIP network using multiple MD5 keys and how to configure a transition of MD5 keys on a RIP interface.


This example uses the following hardware and software components:

  • Three ACX Series routers

  • Junos OS Release 20.3 or later


MD5 authentication uses an encoded MD5 checksum that is included in the transmitted packet. For MD5 authentication to work, both the receiving and transmitting routing devices must have the same MD5 key.

You define an MD5 key for each interface. If MD5 is enabled on an interface, that interface accepts routing updates only if MD5 authentication succeeds. Otherwise, updates are rejected. The routing device only accepts RIPv2 packets sent using the same key identifier (ID) that is defined for that interface.

For increased security, you can configure multiple MD5 keys, each with a unique key ID, and set the date and time to switch to a new key. The receiver of the RIPv2 packet uses the ID to determine which key to use for authentication. The RIPv2 multiple MD5 key feature supports adding MD5 keys, each with its own start-time. RIPv2 packets are transmitted with MD5 authentication using the first configured key. RIPv2 authentication then switches to the next key when that key's configured start-time is reached. This provides automatic key switching, without the user intervention that is needed to change the MD5 key when only one key is configured.

This example shows RIPv2 authentication with multiple MD5 keys.

Figure 1 shows the topology used in this example.

Figure 1: Network Topology for RIP Authentication using multiple MD5 keys

CLI Quick Configuration shows the configuration for all of the devices in Figure 1. The section CLI Quick Configuration describes the steps on Device R1.


CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Device R1

Device R2

Device R3

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure RIP authentication:

  1. Configure the network interfaces.

    This example shows multiple loopback interface addresses to simulate attached networks.

  2. Create the RIP group and add the interface.

    To configure RIP in Junos OS, you must configure a group that contains the interfaces on which RIP is enabled. You do not need to enable RIP on the loopback interface.

  3. Create the routing policy to advertise both direct and RIP-learned routes.
  4. Apply the routing policy.

    In Junos OS, you can only apply RIP export policies at the group level.

  5. Configure multiple MD5 keys by using different key IDs. The key IDs must match the key IDs of the neighboring RIP routers. If a router receives a packet with a key ID that is not within its configured set of keys, the packet is rejected and is considered an authentication failure.

    The key ID can be a number from 0 to 255 that uniquely identifies an MD5 key, and the key value can be an ASCII string up to 16 characters long.

    Do not enter the password as shown here. The password shown here is the encrypted password that is displayed in the configuration after the actual password is already configured.

    The authentication-selective-md5 statement can be repeated to configure multiple keys.

  6. If you want to migrate from an existing MD5 authentication key, you can configure another key with a start-time in the future, with enough leeway to allow configuring all the routers on the link. The transition to the new key is based on its start-time and happens as soon as the clock reaches the start-time. You may delete keys that are no longer valid by entering the following command:

    The start time is relevant for transmission only and not for receiving RIPv2 packets. Acceptance of received packets is based on the keys configured.

    For example, if the time now is February 1, 2020, 1:00 AM and the following key is configured:

    If you want to transition from this key to another key on March 2, at 2:00 AM, and you are able to configure all the routers on the link with the new key at the same time, then you may configure the following key:

    At 2:00 AM, once all the routers have switched to the new key, you can safely delete the key with ID 2 by entering the following command.

  7. Deletion of active key: If you delete the latest active key, the system checks the current configuration and uses the key with the latest key-ID within the existing configuration for RIPv2 packet transmission.

    For example, if you have configured the following keys with the key IDs:

    The active key in this configuration is the key with key ID 4, and it is used for sending RIPv2 packets. If you delete the active key ID 4, the system checks the current configuration, looks for the key with the latest start-time (that is, the key with ID 3), and uses it for packet transmission.

  8. Configure tracing operations to track authentication.
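
The transmit and receive rules from steps 5 through 7, modelled in Python as an added example (not Junos code and not part of the original page). It audits a planned key rollover on one link before the start-time arrives. Router names, key values and the timestamp layout are constructed for illustration, and the tie-break on equal start-times is an assumption.

```python
from datetime import datetime

FMT = "%Y-%m-%d.%H:%M"  # timestamp layout assumed for this sketch

def ts(text):
    return datetime.strptime(text, FMT)

def tx_key(keys, now):
    """Key ID a router sends with at `now` (None if no key has started).

    Of the keys whose start-time has been reached, the one with the latest
    start-time is active. Ties go to the higher key ID (assumption).
    """
    started = [(ts(s), kid) for kid, (s, _) in keys.items() if ts(s) <= now]
    return max(started)[1] if started else None

def audit_rollover(routers):
    """Evaluate every switch-over instant on one link; return the failures.

    Receive side: a packet is accepted when its key ID is configured and the
    key value matches. Start-time plays no part in acceptance.
    """
    instants = sorted({ts(s) for keys in routers.values() for s, _ in keys.values()})
    failures = []
    for now in instants:
        for sender, skeys in routers.items():
            kid = tx_key(skeys, now)
            if kid is None:
                continue  # sender has no started key yet; not modelled here
            for receiver, rkeys in routers.items():
                if receiver == sender:
                    continue
                if kid not in rkeys:
                    reason = "unknown key-id"
                elif rkeys[kid][1] != skeys[kid][1]:
                    reason = "key value mismatch"
                else:
                    continue
                failures.append((now.strftime(FMT), sender, receiver, kid, reason))
    return failures

# Constructed sample: rtr-c was missed when key 3 was rolled out.
OLD, NEW = ("2020-02-01.01:00", "old-secret"), ("2020-03-02.02:00", "new-secret")
LINK = {"rtr-a": {2: OLD, 3: NEW}, "rtr-b": {2: OLD, 3: NEW}, "rtr-c": {2: OLD}}

for failure in audit_rollover(LINK):
    print(failure)
```

An empty result means every router on the link already holds each key that a neighbor will start sending with, so the switch at start-time should not raise the authentication failure counter.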


From configuration mode, confirm your configuration by entering the show interfaces, show protocols, and show policy-options commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.


Confirm that the configuration is working properly.

Checking for Authentication Failures


To check the authentication failure counters.


From operational mode, enter the show rip statistics command.


The Authentication Failures counter displays the authentication failures count. This output shows that the authentication failure count is 23853.

Checking for the Current Active MD5 Key


To check which key is currently active.


From operational mode, enter the show rip neighbor fe-1/2/0 command.

user@R1> show rip neighbor fe-1/2/0

Verifying That MD5 Authentication Is Enabled in RIP Update Packets


Use tracing operations to verify that MD5 authentication is enabled in RIP updates.


From operational mode, enter the show log command.

user@R1> show log rip-authentication-messages | match md5


The (needs MD5) output shows that all route updates require MD5 authentication.
