RIP Interface Parameters Overview
By default, RIP is disabled on all interfaces in the VR. You must enable RIP on an interface before RIP can use that interface to transmit receive packets. When you disable RIP on an interface, RIP does not transmit or receive packets on the specified interface, but interface configuration parameters are preserved.
For instructions for configuring RIP settings on the virtual router and on the interface, see the Network and Security Manager Online Help.
You can enable RIP on ethernet and tunnel interfaces. When configuring RIP on a tunnel interface, you can configure additional parameters to keep RIP tunnel traffic to a minimum.
You can configure the following RIP interface parameters:
Bind Interface to RIP—Select to bind this interface to RIP.
Run Demand Circuit (ScreenOS 5.1 and later tunnel interface only)—Configure the tunnel interface as a RIP demand circuit (a network segment on which connect time or usage affects the cost of using such connection). When traversing a demand circuit, the security device limits routing protocol traffic to changes in network topology, and suppresses sending RIP packets. To complete the demand circuit, you must configure both ends of the tunnel as demand circuits.
Enable Summarization (ScreenOS 5.1 and later only)—Select to enable route summarization on this interface. By default, the interface does not allow route summarization.
Add/Edit/Delete RIP Neighbor (ScreenOS 5.1 and later only)—You can define the static RIP neighbors for the interface.
RIP Versions (ScreenOS 5.1 and later only)—Select the version of RIP you want this interface to use for sending and receiving RIP information. By default, the interface uses the RIP version configured for the virtual router (Vrouter RIP Instance Version); if you select a different version, it overrides the virtual router setting.
Metric—Configure the metric used for RIP routes from this interface.
Passive Mode—Select to prevent the interface from transmitting packets (the interface can still receive packets). RIP advertises the IP address of the interface as a RIP route and not as an external route. By default, passive mode is disabled; however, you might want to select this option when BGP is also enabled on the interface.
Route Maps—To control which routes RIP learns and advertises, select a previously created route map for each of the following:
The Incoming Route Map Filter defines the routes that RIP learns.
The Outgoing Route Map Filter defines the routes that RIP advertises.
These settings override the route maps configured on the virtual router.
Split Horizon—Select Split-Horizon to prevent the interface from advertising learned routes in RIP updates sent to the same interface. When enabled, you can also select the Poison Reverse option, which instructs the interface to advertise learned routes with a metric of 16 when sending updates to the same interface. By default, split horizon is disabled.
Configuring RIP Authentication
Because RIP packets are unencrypted, most protocol analyzers can decapsulate them. Authenticating RIP neighbors using MD5 authentication or simple password is the best way to fend off these types of attacks. When authentication is enabled, the device discards all unauthenticated RIP packets received on the interface. By default, authentication is disabled.
To enable authentication, select one of the following authentication methods:
Clear Text Authentication—To use a simple password for authentication, select this option and enter the password.
All passwords handled by NSM are case-sensitive.
Multiple MD5 Authentication— To use MD5 keys for authentication, select this option, and then configure the active MD5 key.
To use an existing MD5 key, select the key ID as the Active MD5 Key ID.
To add a new MD5 key, click the Add icon and configure a Key ID for the new MD5 key.
You must use the same MD5 key for the sending and receiving RIP routers.