10-26-2006 11:30 AM - edited 03-05-2019 12:28 PM
We have 2 3550 switches that connect to some remote sites. They just have static and connected routes; no routing protocols are running. They run through a firewall to get to our network. Our firewall is showing RIPv2 packets hitting the firewall from hosts on the other side of the 3550's. Why are the 3550's propagating the updates? Shouldn't they not forward the updates since they are not running RIP? I added a drawing to help.
10-26-2006 11:52 AM
The question I have is what VLAN are the ports in that attach to the host and the firewall? If they are in the same VLAN, the 3550 will handle the packets at L2 so there will be no chance for the L3 function to block the routing updates.
10-26-2006 12:08 PM
They are in completely separate VLANs.
I don't know for a fact that they are PCs. They are probably routers, but I don't know for sure. Everything on the other side of those 3550's are controlled by other companies/people. We don't control them. They go through that firewall to limit what can come through to our network.
10-26-2006 11:55 AM
Based on what you have shown us I'm curious why you have host PCs sending RIP packets?
10-26-2006 01:04 PM
We got the MAC addresses for the devices, and they apparently belong to Cisco. So I suppose it is a PIX, router, or switch, probably in that order, given our network layout.
10-26-2006 03:47 PM
James,
You can filter the RIP updates using VACLs on the 3550's. It would filter any RIP updates traversing the switch at Layer 2. You can use a config like this one - just change the values to suit your needs.
vlan access-map TEST 10
action drop
match ip address RIP
vlan access-map TEST 20
action forward
vlan filter TEST vlan-list 1-4094
!
ip access-list extended RIP
permit udp any host 224.0.0.9
HTH
Sundar
10-26-2006 05:41 PM
Sundar,
Thanks for the reply. We did that to stop the updates from coming through. I was just wondering why they were coming through in the first place. It just doesn't seem like they should.
10-27-2006 10:40 AM
Review the firewall log to find the device that the RIP updates are coming from. Check the mac address table on the 3550 to see the port associated to that device. The VLAN the port is part of should be the same as the port between the 3550 and the firewall or the link between the firewall and 3550 is possibly configured as a trunk.
HTH
Sundar
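As an added example (not from this thread and not Cisco's own code), here is a small Python script that carries out the triage Sundar describes above and also mirrors the VACL he posted earlier: it pulls the RIPv2 senders (UDP to 224.0.0.9 port 520) out of firewall log lines, maps each source IP to a MAC through the firewall's ARP table, then maps the MAC to a VLAN and port through the 3550's MAC address table, and finally reports what the posted VACL would do with such a packet. The log lines, ARP entries, MAC addresses and MAC table output are all constructed sample data; the log format is a generic "deny/permit proto src dst" style, not any real firewall's format, and the regexes would need adjusting for real output. The Cisco OUI check only knows the 00-00-0C prefix.

```python
"""Triage of RIPv2 updates seen at a firewall: find the senders in the
firewall log, map each one to a switch port via the ARP and MAC address
tables, and show what the VACL from the thread would do with them.
All log lines and tables below are constructed sample data."""
import re
from collections import Counter

RIP_MCAST = "224.0.0.9"   # RIPv2 multicast group
RIP_PORT = 520            # UDP port used by RIP

# Constructed firewall log excerpt (generic style, not a real PIX/ASA format).
FIREWALL_LOG = """\
Oct 26 11:20:01 fw1 deny udp src outside:10.14.0.5/520 dst outside:224.0.0.9/520
Oct 26 11:20:03 fw1 permit tcp src outside:10.14.0.20/40000 dst inside:192.168.1.10/443
Oct 26 11:20:31 fw1 deny udp src outside:10.77.0.9/520 dst outside:224.0.0.9/520
Oct 26 11:21:01 fw1 deny udp src outside:10.14.0.5/520 dst outside:224.0.0.9/520
Oct 26 11:21:05 fw1 deny udp src outside:10.14.0.7/1024 dst outside:224.0.0.9/520
"""

# Constructed ARP table of the firewall's outside interface: IP -> MAC.
ARP_TABLE = {
    "10.14.0.5": "0000.0c12.3456",
    "10.77.0.9": "0000.0c9a.bcde",
    "10.14.0.7": "0011.2233.4455",
}

# Constructed 'show mac address-table' style output from the 3550.
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  14    0000.0c12.3456    DYNAMIC     Fa0/5
  14    0011.2233.4455    DYNAMIC     Fa0/6
  77    0000.0c9a.bcde    DYNAMIC     Fa0/12
 251    0000.0cff.0001    DYNAMIC     Gi0/1
"""

LOG_RE = re.compile(
    r"(?P<action>deny|permit)\s+(?P<proto>\w+)\s+src\s+\S+?:(?P<src>[\d.]+)/(?P<sport>\d+)"
    r"\s+dst\s+\S+?:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
MAC_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(?P<port>\S+)",
    re.I,
)


def rip_senders(log_text):
    """Count log entries per source IP that are RIPv2 updates (UDP to 224.0.0.9:520)."""
    senders = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        if m["proto"].lower() == "udp" and m["dst"] == RIP_MCAST and int(m["dport"]) == RIP_PORT:
            senders[m["src"]] += 1
    return senders


def parse_mac_table(text):
    """Parse MAC table output into {mac: (vlan, port)}; header lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m:
            table[m["mac"].lower()] = (int(m["vlan"]), m["port"])
    return table


def locate_rip_sources(log_text, arp_table, mac_table_text):
    """Join log senders -> ARP -> MAC table to find the VLAN and port of each RIP talker."""
    mac_table = parse_mac_table(mac_table_text)
    results = []
    for ip, count in sorted(rip_senders(log_text).items()):
        mac = arp_table.get(ip)
        vlan, port = mac_table.get(mac, (None, None)) if mac else (None, None)
        results.append({
            "ip": ip, "count": count, "mac": mac, "vlan": vlan, "port": port,
            # 00-00-0C is an OUI registered to Cisco; other Cisco OUIs are not checked here.
            "cisco_oui": bool(mac and mac.startswith("0000.0c")),
        })
    return results


def vacl_action(proto, dst_ip):
    """Mirror of the posted VACL: sequence 10 drops what ACL 'RIP' permits
    (udp any host 224.0.0.9); sequence 20 forwards everything else."""
    if proto.lower() == "udp" and dst_ip == RIP_MCAST:
        return "drop"
    return "forward"


if __name__ == "__main__":
    for r in locate_rip_sources(FIREWALL_LOG, ARP_TABLE, MAC_TABLE):
        print(f"{r['ip']:<12} {r['count']:>3} updates  mac={r['mac']}  "
              f"vlan={r['vlan']}  port={r['port']}  cisco_oui={r['cisco_oui']}  "
              f"vacl={vacl_action('udp', RIP_MCAST)}")
```

In the sample data the two RIP talkers on VLANs 14 and 77 land on access ports of the 3550, which is consistent with the thread's point that the VACL is needed because the switch will happily flood the 224.0.0.9 frames within a VLAN regardless of whether it runs RIP itself.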
10-27-2006 05:57 PM
The link between the firewall and the 3550s is access vlan 251; no trunk. The vlans on the other side of the 3550 where RIP updates are coming from are 14 and 77. There are others, but those are the ones that matter.
Everything on the "dirty" side of the 3550s is NATted by whoever controls the network to a 10.x.x.x address coming into our firewall.
10-27-2006 12:58 PM
RIP uses multicast to send RIP updates. Moreover, switches usually pass RIP traffic for ports on the same VLANs. This is why you see multicast or RIP traffic from the interface.
It seems some device has RIP enabled and is sending these multicasts!
Regards,