Configuring ScreenOS Devices Guide
Configuring RIP Authentication
You can enable RIP on Ethernet and tunnel interfaces. When configuring RIP on a tunnel
interface, you can configure additional parameters to keep RIP tunnel traffic to a minimum.
You can configure the following RIP interface parameters:
• Bind Interface to RIP—Select to bind this interface to RIP.
• Run Demand Circuit (ScreenOS 5.1 and later tunnel interface only)—Configure the
  tunnel interface as a RIP demand circuit (a network segment on which connect time
  or usage affects the cost of using such a connection). When traversing a demand circuit,
  the security device limits routing protocol traffic to changes in network topology, and
  suppresses sending RIP packets. To complete the demand circuit, you must configure
  both ends of the tunnel as demand circuits.
• Enable Summarization (ScreenOS 5.1 and later only)—Select to enable route
  summarization on this interface. By default, the interface does not allow route
  summarization.
• Add/Edit/Delete RIP Neighbor (ScreenOS 5.1 and later only)—You can define the static
  RIP neighbors for the interface.
• RIP Versions (ScreenOS 5.1 and later only)—Select the version of RIP you want this
  interface to use for sending and receiving RIP information. By default, the interface
  uses the RIP version configured for the virtual router (Vrouter RIP Instance Version); if
  you select a different version, it overrides the virtual router setting.
• Metric—Configure the metric used for RIP routes from this interface.
• Passive Mode—Select to prevent the interface from transmitting packets (the interface
  can still receive packets). RIP advertises the IP address of the interface as a RIP route
  and not as an external route. By default, passive mode is disabled; however, you might
  want to select this option when BGP is also enabled on the interface.
• Route Maps—To control which routes RIP learns and advertises, select a previously
  created route map for each of the following:
    • The Incoming Route Map Filter defines the routes that RIP learns.
    • The Outgoing Route Map Filter defines the routes that RIP advertises.
  These settings override the route maps configured on the virtual router.
• Split Horizon—Select Split-Horizon to prevent the interface from advertising learned
  routes in RIP updates sent to the same interface. When enabled, you can also select
  the Poison Reverse option, which instructs the interface to advertise learned routes
  with a metric of 16 when sending updates to the same interface. By default, split horizon
  is disabled.
Because RIP packets are unencrypted, most protocol analyzers can decapsulate them.
Authenticating RIP neighbors using MD5 authentication or a simple password is the best
way to fend off these types of attacks. When authentication is enabled, the device discards
all unauthenticated RIP packets received on the interface. By default, authentication is
disabled.
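The accept-or-discard decision described above, as an added Python example that is not from this guide and does not reproduce ScreenOS code. It applies the standard RIPv2 packet layouts (simple password per RFC 2453, keyed MD5 per RFC 2082) to constructed packets; the key, the route and the function names are assumptions, and sequence-number checks are omitted.

```python
import hashlib
import hmac
import struct

AUTH_AFI = 0xFFFF          # address-family value that marks an authentication entry
SIMPLE, KEYED_MD5 = 2, 3   # authentication types from RFC 2453 and RFC 2082


def build_md5_packet(routes: bytes, key: bytes, key_id: int = 1, seq: int = 1) -> bytes:
    """Build a RIPv2 response carrying RFC 2082 keyed-MD5 authentication."""
    body_len = 4 + 20 + len(routes)  # header + authentication entry + route entries
    auth = struct.pack("!HHHBBI8x", AUTH_AFI, KEYED_MD5, body_len, key_id, 16, seq)
    signed = struct.pack("!BBH", 2, 2, 0) + auth + routes + struct.pack("!HH", AUTH_AFI, 1)
    return signed + hashlib.md5(signed + key.ljust(16, b"\0")).digest()


def check_rip_auth(packet: bytes, key: bytes) -> str:
    """Return 'accept' or a 'discard: ...' reason for one received RIPv2 packet."""
    if len(packet) < 24:
        return "discard: too short"
    afi, auth_type = struct.unpack_from("!HH", packet, 4)
    if afi != AUTH_AFI:
        return "discard: unauthenticated"
    if auth_type == SIMPLE:
        # The password travels as plaintext, so a capture of the packet reveals it.
        sent = packet[8:24].rstrip(b"\0")
        return "accept" if hmac.compare_digest(sent, key) else "discard: bad password"
    if auth_type == KEYED_MD5:
        body_len, _key_id, digest_len, _seq = struct.unpack_from("!HBBI", packet, 8)
        end = body_len + 4  # digest input ends after the trailer's 0xFFFF 0x0001 marker
        if digest_len != 16 or body_len < 24 or len(packet) < end + 16:
            return "discard: malformed"
        expected = hashlib.md5(packet[:end] + key.ljust(16, b"\0")).digest()
        ok = hmac.compare_digest(expected, packet[end:end + 16])
        return "accept" if ok else "discard: bad digest"
    return "discard: unknown authentication type"


# Constructed sample data: one route entry (10.1.1.0/24, metric 1) and a made-up key.
KEY = b"rip-secret"
ROUTE = struct.pack("!HH4s4s4sI", 2, 0, bytes([10, 1, 1, 0]), bytes([255, 255, 255, 0]), bytes(4), 1)
HEADER = struct.pack("!BBH", 2, 2, 0)
PLAIN_PKT = HEADER + ROUTE
SIMPLE_PKT = HEADER + struct.pack("!HH16s", AUTH_AFI, SIMPLE, KEY) + ROUTE
MD5_PKT = build_md5_packet(ROUTE, KEY)

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN_PKT), ("simple", SIMPLE_PKT), ("md5", MD5_PKT)]:
        print(name, check_rip_auth(pkt, KEY), "| key visible in packet:", KEY in pkt)
```

The simple-password packet contains the key bytes verbatim while the MD5 packet carries only a digest, which is the practical difference between the two options when the segment can be captured.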
Copyright © 2010, Juniper Networks, Inc.