RIP
NOTE: You must have an advanced features license to use RIP routing.
The Routing Information Protocol (RIP) is a distance-vector routing protocol that works best in small networks that have no more than 15 hops. Each router maintains a routing table by sending out its routing updates and by asking neighbors for their routes. RIP is relatively simple to configure on FortiSwitch units but slow to respond to network outages. RIP routing is better than static routing but less scalable than open shortest path first (OSPF) routing.
The FortiSwitch unit supports RIP version 1 and RIP version 2:
- RIP version 1 uses classful addressing and broadcasting to send out updates to router neighbors. It does not support different sized subnets or classless inter-domain routing (CIDR) addressing.
- RIP version 2 supports classless routing and subnets of various sizes. Router authentication supports MD5 and authentication keys. Version 2 uses multicasting to reduce network traffic.
RIP uses three timers:
- The update timer determines the interval between routing updates. The default setting is 30 seconds.
- The timeout timer is the maximum time that a route is considered reachable while no updates are received for the route. The default setting is 180 seconds. The timeout timer setting should be at least three times longer than the update timer setting.
- The garbage timer is how long the FortiSwitch unit advertises a route as being unreachable before deleting the route from the routing table. The default setting is 120 seconds.
You can enable bidirectional forwarding detection (BFD) with RIP. BFD is used to quickly locate hardware failures in the network. Routers running BFD communicate with each other, and, if a timer runs out on a connection, that router is declared to be down. BFD then communicates this information to RIP, and the routing information is updated.
When you configure RIP routing, you can choose the strategy the access list uses to permit or deny IP addresses:
- Prefix—Specify the IP address and bit mask to allow or block.
- Wildcard—Specify the Cisco-style filter to allow or block.
For additional information about RIP routing, see the RIP section of the FortiOS Administration Guide.
Terminology
Access list: A list of IP addresses and the action to take for each one. Access lists provide basic route and network filtering.
Active RIP interface: Each RIP router sends and receives updates by actively communicating with its neighbors.
Keychain: A list of one or more authentication keys, each with its own lifetime, which is how long that key is valid.
Metric: RIP uses hop count as the metric for choosing the best route. A hop count of 1 represents a network that is connected directly to the FortiSwitch unit. A hop count of 16 represents a network that cannot be reached.
Passive RIP interface: The RIP router listens to updates from other routers but does not send out updates. A passive RIP interface reduces network traffic.
Prefix list: A more powerful prefix-based filtering mechanism. A prefix is an IP address and netmask.
Split horizon: A way to avoid routing loops.
Configuring RIP routing
NOTE: You must create a keychain before you can use the MD5 authentication mode with RIP version 2.
To add a new keychain using the CLI:
config router key-chain
edit <keychain identifier>
next
end
Using the GUI and the prefix strategy:
- Create a switch virtual interface (SVI). See Switch virtual interfaces.
- Go to Router > Config > RIP > Settings.
- Select whether you want to use RIP version 1 or RIP version 2. RIP version 2 is the default.
- If you want to use BFD, select Bidirectional Forwarding Detection.
- If you want to use a default route, select Default Information Originate.
- If you want to change the default timer values, enter the number of seconds in the Update, Timeout, and Garbage fields.
- If you want to redistribute non-RIP routes, select Enable under Connected, Static, OSPF, BGP, or ISIS.
- If you select Enable under Connected, enter the routing metric to use.
- If you select Enable under Static, OSPF, BGP, or ISIS, select Override Metric if you do not want to use the default routing metric and then enter the routing metric to use.
- Enter the default routing metric to use for static routing, OSPF, BGP, and ISIS.
- Go to Router > Config > Access Lists and select Add Access List.
- Enter an identifier with one or more alphabetic characters.
- Enter an optional description of the access list.
- Select Add.
- Select Config Rules in the row for the access list that you just created.
- Select Add Rule.
- Enter an identifier (1-65535), select Deny or Permit to specify if the rule will block or allow the specified IP addresses, and enter the prefix.
- If you entered the complete IP address, select the Exact Match checkbox.
- Select Add Rule if you want to add more rules.
- After you have added all of the rules that you want in the access list, select Update to save the rules you added.
- Go to Router > Config > RIP > Distances and select Add RIP Distance.
- Enter the distance identifier in the Distance ID field.
- Enter the distance.
- Select the access list that you added in the previous step.
- Enter the IP address and netmask, separated with a space or with a slash. For example, enter 1.2.3.4/5 or 1.2.3.4 248.0.0.0.
- Select Add.
- Go to Router > Config > RIP > Networks and select Add Network.
- Enter a unique value to identify this network configuration.
- Enter an IP address and netmask for your RIP network, separated with a slash, and select Add. For example, enter 172.168.200.0/255.255.255.0. NOTE: Select an IP address for a network that includes all SVIs that you want to use. You can configure multiple network ranges to cover all SVIs that will be using RIP routing.
- Go to Router > Config > RIP > Interfaces and select Configure RIP for the appropriate interface.
- If you want to change the RIP version used to send and receive routing updates, select from the Send Version and Receive Version drop-down menus.
- If you do not want to send RIP updates from this interface, select Passive Interface.
- If you want to use authentication, select Text or MD5.
- Select Add.
Using the GUI and the wildcard strategy:
- Create a switch virtual interface (SVI). See Switch virtual interfaces.
- Go to Router > Config > RIP > Settings.
- Select whether you want to use RIP version 1 or RIP version 2. RIP version 2 is the default.
- If you want to use BFD, select Bidirectional Forwarding Detection.
- If you want to use a default route, select Default Information Originate.
- If you want to change the default timer values, enter the number of seconds in the Update, Timeout, and Garbage fields.
- If you want to redistribute non-RIP routes, select Enable under Connected, Static, OSPF, BGP, or ISIS.
- If you select Enable under Connected, enter the routing metric to use.
- If you select Enable under Static, OSPF, BGP, or ISIS, select Override Metric if you do not want to use the default routing metric and then enter the routing metric to use.
- Enter the default routing metric to use for static routing, OSPF, BGP, and ISIS.
- Go to Router > Config > Access Lists and select Add Access List.
- Enter an identifier with all digits (in the range of 1-99).
- Enter an optional description of the access list.
- Select Add.
- Select Config Rules in the row for the access list that you just created.
- Select Add Rule.
- Enter an identifier (1-65535), select Deny or Permit to specify if the rule will block or allow the specified IP addresses, and enter the Cisco-style wildcard filter.
- Select Add Rule if you want to add more rules.
- After you have added all of the rules that you want in the access list, select Update to save the rules you added.
- Go to Router > Config > RIP > Distances and select Add RIP Distance.
- Enter the distance identifier in the Distance ID field.
- Enter the distance.
- Select the access list that you added in the previous step.
- Enter the IP address and netmask, separated with a space or with a slash. For example, enter 1.2.3.4/5 or 1.2.3.4 248.0.0.0.
- Select Add.
- Go to Router > Config > RIP > Networks and select Add Network.
- Enter a unique value to identify this network configuration.
- Enter an IP address and netmask for your RIP network, separated with a slash, and select Add. For example, enter 172.168.200.0/255.255.255.0. NOTE: Select an IP address for a network that includes all SVIs that you want to use. You can configure multiple network ranges to cover all SVIs that will be using RIP routing.
- Go to Router > Config > RIP > Interfaces and select Configure RIP for the appropriate interface.
- If you want to change the RIP version used to send and receive routing updates, select from the Send Version and Receive Version drop-down menus.
- If you do not want to send RIP updates from this interface, select Passive Interface.
- If you want to use authentication, select Text or MD5.
- Select Add.
Using the CLI for IPv4 traffic:
config router access-list
edit <access_list_name>
set comments <comments>
config rule
edit <rule_int>
set action {deny | permit}
set prefix {<xxx.xxx.xxx.xxx> <xxx.xxx.xxx.xxx> | any}
set wildcard <IP_address>
set exact-match {enable | disable}
end
end
config router rip
set bfd {disable | enable}
set default-information-originate {disable | enable}
set garbage-timer <5-2147483647 seconds>
set timeout-timer <5-2147483647 seconds>
set update-timer <5-2147483647 seconds>
set default-metric <1-16>
config redistribute {bgp | connected | isis | ospf | static}
set status {disable | enable}
set metric <0-16>
end
config distance
edit <distance_ID>
set access-list <access_list_name>
set distance <1-255>
set prefix <IPv4_address> <netmask>
end
config network
edit <network identifier>
set prefix <IPv4_address> <netmask>
end
config interface
edit <interface_name>
set auth-keychain <keychain_str>
set auth-mode {md5 | none | text}
set auth-string <password_str>
set receive-version {1 | 2 | both | global}
set send-version {1 | 2 | both | global}
end
end
end
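The prefix and wildcard filtering described in the GUI procedures and the access-list CLI above, as an added example that is not FortiSwitch code: a Python evaluator that applies constructed access-list rules to candidate routes. It assumes the usual access-list semantics (first matching rule wins, implicit deny when nothing matches) and that a prefix rule without exact-match matches any route contained in the rule prefix.

```python
"""Evaluate RIP access-list rules: prefix rules (IP + netmask, optional
exact-match) and Cisco-style wildcard rules. Added example; rules and routes
below are constructed, and the matching semantics are assumptions."""
import ipaddress

# Constructed rule set in the order the switch would evaluate it.
RULES = [
    {"action": "deny", "prefix": "10.0.0.0 255.0.0.0", "exact_match": False},
    {"action": "permit", "prefix": "172.16.0.0/16", "exact_match": True},
    {"action": "permit", "wildcard": "192.168.0.0 0.0.255.255"},
]

def prefix_rule_matches(rule_prefix, exact_match, route):
    """Prefix rule: 'any', or 'net mask' / 'net/len' as the CLI accepts it.
    Without exact-match, any route inside the rule prefix matches (assumed)."""
    if rule_prefix == "any":
        return True
    rule_net = ipaddress.IPv4Network(rule_prefix.replace(" ", "/"), strict=False)
    if exact_match:
        return route == rule_net          # same network address and same length
    return route.subnet_of(rule_net)

def wildcard_rule_matches(network, wildcard, route):
    """Cisco-style wildcard: bits set to 1 in the wildcard are don't-care bits."""
    net = int(ipaddress.IPv4Address(network))
    wild = int(ipaddress.IPv4Address(wildcard))
    addr = int(route.network_address)
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)

def evaluate(rules, route_str):
    """Return 'permit' or 'deny' for a route; first match wins, implicit deny."""
    route = ipaddress.IPv4Network(route_str, strict=False)
    for rule in rules:
        if "prefix" in rule:
            hit = prefix_rule_matches(rule["prefix"], rule.get("exact_match", False), route)
        else:
            net, wild = rule["wildcard"].split()
            hit = wildcard_rule_matches(net, wild, route)
        if hit:
            return rule["action"]
    return "deny"

if __name__ == "__main__":
    for r in ("10.20.0.0/16", "172.16.0.0/16", "172.16.5.0/24", "192.168.44.0/24"):
        print(r, evaluate(RULES, r))
```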
Using the CLI for IPv6 traffic:
config router access-list6
edit <access_list_name>
set comments <comments>
config rule
edit <rule_int>
set action {deny | permit}
set prefix6 {<xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx> | any}
set exact-match {enable | disable}
end
end
config router ripng
set bfd {disable | enable}
set default-information-originate {disable | enable}
set garbage-timer <5-2147483647 seconds>
set timeout-timer <5-2147483647 seconds>
set update-timer <5-2147483647 seconds>
set default-metric <1-16>
config redistribute {bgp | connected | isis | ospf6 | static}
set status {disable | enable}
set metric <0-16>
end
config offset-list
edit <offset-list_name>
set access-list6 <access-list_name>
set direction {in | out}
set interface <interface_name>
set offset <1-16>
set status {disable | enable}
end
config aggregate-address
edit <aggregate-address_entry_ID>
set prefix6 <xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx>
end
config interface
edit <interface_name>
set passive {disable | enable}
set split-horizon-status {disable | enable}
set split-horizon {poisoned | regular}
end
end
end
Checking the RIP configuration
The get router info rip and get router info6 rip commands have options to display different aspects of the RIP configuration and status. For example, there are options to display the RIP general information and the RIP database:
get router info rip status
get router info6 rip status
get router info rip database
get router info6 rip database
Example configuration
The following example shows a very simple RIP network:
Switch 1: Configure the switch interface
config switch interface
edit "port9"
set allowed-vlans 35
next
edit "port7"
set allowed-vlans 85
next
end
Switch 1: Configure the system interface
config system interface
edit "vlan35"
set ip 170.38.65.1/24
set allowaccess ping https http ssh snmp telnet
set vlanid 35
next
edit "vlan85"
set ip 180.1.1.1/24
set allowaccess ping https http ssh snmp telnet
set vlanid 85
next
end
Switch 1: Configure the RIP router; add authentication between FortiSwitch 1 and FortiSwitch 2
config router rip
config network
edit 1
set prefix 170.38.65.0/24
next
edit 2
set prefix 180.1.1.0/24
next
end
config interface
edit "vlan35"
set auth-mode text
set auth-string simplepw1
next
end
end
Switch 1: Add a static route and redistribute it
config router static
edit 1
set dst 39.3.2.0 255.255.255.0
set gateway 180.1.1.2
set status enable
next
end
config router rip
config redistribute "static"
set status enable
end
end
Switch 2: Configure the switch interface
config switch interface
edit "port10"
set allowed-vlans 35
next
edit "port25"
set allowed-vlans 70
next
end
Switch 2: Configure the system interface
config system interface
edit "vlan35"
set ip 170.38.65.2/24
set allowaccess ping https http ssh snmp telnet
set vlanid 35
next
edit "vlan70"
set ip 128.8.2.1/16
set allowaccess ping https http ssh snmp telnet
set vlanid 70
next
end
Switch 2: Configure the RIP router; add authentication between FortiSwitch 1 and FortiSwitch 2
config router rip
config network
edit 1
set prefix 170.38.65.0/24
next
edit 2
set prefix 128.8.0.0/16
next
end
config interface
edit "vlan35"
set auth-mode text
set auth-string simplepw1
next
end
end
Switch 2: Add a connected route and redistribute it
config switch interface
edit "port6"
set allowed-vlans 25
next
end
config system interface
edit "vlan25"
set ip 100.20.40.1/24
set allowaccess ping https http ssh snmp telnet
set vlanid 25
next
end
config router rip
config redistribute "connected"
set status enable
end
end
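An added example, not from the FortiSwitch documentation: a Python audit of a config router rip block in the format shown in this example configuration, flagging interfaces that send updates without authentication or with text authentication (as the vlan35 entries above do). The sample configuration is constructed from the Switch 1 example; the passive and split-horizon-status key names are taken from the ripng interface template above and are assumed to apply to the IPv4 interface table as well.

```python
"""Audit a FortiSwitch 'config router rip' block for weak interface settings.
Added example; the sample config is constructed and the findings are heuristics."""

SAMPLE_CONFIG = """\
config router rip
    config interface
        edit "vlan35"
            set auth-mode text
            set auth-string simplepw1
        next
        edit "vlan85"
            set split-horizon-status disable
        next
    end
end
"""

def parse_fortios(text):
    """Build nested dicts from FortiOS-style config/edit/set/next/end lines."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kw, _, rest = line.partition(" ")
        if kw in ("config", "edit"):           # open a nested table or entry
            stack.append(stack[-1].setdefault(rest.strip('"'), {}))
        elif kw == "set":                      # key, then the rest of the line as value
            key, _, value = rest.partition(" ")
            stack[-1][key] = value.strip('"')
        elif kw in ("next", "end"):            # close the current entry or table
            stack.pop()
    return root

def audit_rip(config):
    """Return (interface, finding) pairs for RIP interfaces that send updates."""
    findings = []
    interfaces = config.get("router rip", {}).get("interface", {})
    for name, s in interfaces.items():
        if s.get("passive") == "enable":       # assumed key name (from ripng template)
            continue                           # passive interfaces send no updates
        mode = s.get("auth-mode", "none")
        if mode == "none":
            findings.append((name, "no authentication: any neighbor can inject routes"))
        elif mode == "text":
            findings.append((name, "text authentication: password travels in cleartext"))
        elif mode == "md5" and "auth-keychain" not in s:
            findings.append((name, "md5 mode without an auth-keychain"))
        if s.get("split-horizon-status") == "disable":   # assumed key name
            findings.append((name, "split horizon disabled: routing loops possible"))
    return findings
```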