
RIPv2 updates question

jcrussell
Level 3

We have 2 3550 switches that connect to some remote sites. They just have static and connected routes; no routing protocols are running. They run through a firewall to get to our network. Our firewall is showing RIPv2 packets hitting the firewall from hosts on the other side of the 3550s. Why are the 3550s propagating the updates? Shouldn't they be dropping the updates, since they are not running RIP? I added a drawing to help.

9 Replies

rwyates_2
Level 1

The question I have is what VLAN are the ports in that attach to the host and the firewall? If they are in the same VLAN, the 3550 will handle the packets at L2 so there will be no chance for the L3 function to block the routing updates.

They are in completely separate VLANs.

I don't know for a fact that they are PCs. They are probably routers, but I don't know for sure. Everything on the other side of those 3550s is controlled by other companies/people. We don't control them. They go through that firewall to limit what can come through to our network.

cratejockey
Level 1

Based on what you have shown us, I'm curious why you have host PCs sending RIP packets.

We got the MAC addresses for the devices, and they apparently belong to Cisco. So I suppose it is a PIX, router, or switch, probably in that order, given our network layout.

James,

You can filter the RIP updates using VACLs on the 3550s. It would filter any RIP updates traversing the switch at Layer 2. You can use a config like this one - just change the values to suit your needs.

! Sequence 10 drops frames matching the RIP ACL; sequence 20 forwards everything else
vlan access-map TEST 10
 action drop
 match ip address RIP
vlan access-map TEST 20
 action forward
! Apply the map to every VLAN on the switch
vlan filter TEST vlan-list 1-4094
!
! RIPv2 updates are UDP datagrams sent to the multicast group 224.0.0.9
ip access-list extended RIP
 permit udp any host 224.0.0.9

HTH

Sundar

Sundar,

Thanks for the reply. We did that to stop the updates from coming through. I was just wondering why they were coming through in the first place. It just doesn't seem like they should.

Review the firewall log to find the device that the RIP updates are coming from. Check the MAC address table on the 3550 to see which port that device is on. The VLAN that port belongs to should be the same as the VLAN of the port between the 3550 and the firewall, or the link between the firewall and the 3550 is possibly configured as a trunk.

HTH

Sundar
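The triage Sundar describes (firewall log to source IP, ARP to MAC, 3550 MAC table to port and VLAN), as an added Python example that is not from this thread; the log lines and the 'show ip arp' / 'show mac address-table' excerpts are constructed, and the log line format is an assumption:

```python
import re
from collections import Counter

# Constructed samples (not from the thread): firewall log, 'show ip arp', 'show mac address-table'.
FW_LOG = """\
Jan 10 09:12:01 fw Deny udp src outside:10.14.0.5/520 dst inside:224.0.0.9/520
Jan 10 09:12:03 fw Deny udp src outside:10.77.0.9/520 dst inside:224.0.0.9/520
Jan 10 09:12:05 fw Permit tcp src outside:10.14.0.20/51000 dst inside:10.1.1.10/443
Jan 10 09:12:31 fw Deny udp src outside:10.14.0.5/520 dst inside:224.0.0.9/520
"""
ARP_TABLE = """\
Internet  10.14.0.5    0   0011.2233.4455  ARPA  Vlan14
Internet  10.77.0.9    2   0011.2233.6677  ARPA  Vlan77
"""
MAC_TABLE = """\
  14    0011.2233.4455    DYNAMIC     Fa0/3
  77    0011.2233.6677    DYNAMIC     Fa0/9
 251    0011.2233.aaaa    DYNAMIC     Gi0/1
"""
# A RIPv2 update is UDP from port 520 to the multicast group 224.0.0.9, port 520.
RIP_LINE = re.compile(r"\budp\b.*\bsrc \S*?:([\d.]+)/\d+ dst \S*?:224\.0\.0\.9/520\b")

def rip_sources(log_text):
    """Count RIPv2 multicast updates per source IP seen in the firewall log."""
    return Counter(m.group(1) for line in log_text.splitlines()
                   if (m := RIP_LINE.search(line)))

def parse_arp(text):
    """'show ip arp' output -> {ip: mac}."""
    return {f[1]: f[3] for f in map(str.split, text.splitlines()) if f and f[0] == "Internet"}

def parse_mac_table(text):
    """'show mac address-table' output -> {mac: (vlan, port)}."""
    return {f[1]: (int(f[0]), f[3]) for f in map(str.split, text.splitlines()) if f and f[0].isdigit()}

def locate_rip_talkers(log_text, arp_text, mac_text, firewall_vlan):
    """For each RIP source: its MAC, the 3550 port/VLAN it was learned on, and
    whether that VLAN is the one facing the firewall (the VACL is the fix either way)."""
    arp, macs = parse_arp(arp_text), parse_mac_table(mac_text)
    report = []
    for ip, n in sorted(rip_sources(log_text).items()):
        mac = arp.get(ip)
        vlan, port = macs.get(mac, (None, None))
        report.append({"ip": ip, "updates": n, "mac": mac, "vlan": vlan, "port": port,
                       "on_firewall_vlan": vlan == firewall_vlan})
    return report

if __name__ == "__main__":
    for row in locate_rip_talkers(FW_LOG, ARP_TABLE, MAC_TABLE, firewall_vlan=251):
        print(row)
```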

The link between the firewall and the 3550s is access vlan 251; no trunk. The vlans on the other side of the 3550 where RIP updates are coming from are 14 and 77. There are others, but those are the ones that matter.

Everything on the "dirty" side of the 3550s is NATted by whoever controls the network to a 10.x.x.x address coming into our firewall.

m-haddad
Level 5

RIP uses multicast to send RIP updates. Moreover, switches usually pass RIP traffic for ports on the same VLANs. This is why you see multicast or RIP traffic from the interface.

It seems some device has RIP enabled and is sending these multicasts!

Regards,
