Cisco Support Community

Bronze

RIPv2 updates question

We have 2 3550 switches that connect to some remote sites. They just have static and connected routes; no routing protocols are running. They run through a firewall to get to our network. Our firewall is showing RIPv2 packets hitting the firewall from hosts on the other side of the 3550's. Why are the 3550's propagating the updates? Shouldn't they not forward the updates since they are not running RIP? I added a drawing to help.

9 REPLIES
New Member

Re: RIPv2 updates question

The question I have is what VLAN are the ports in that attach to the host and the firewall? If they are in the same VLAN, the 3550 will handle the packets at L2 so there will be no chance for the L3 function to block the routing updates.

Bronze

Re: RIPv2 updates question

They are in completely separate VLANs.

I don't know for a fact that they are PCs. They are probably routers, but I don't know for sure. Everything on the other side of those 3550's are controlled by other companies/people. We don't control them. They go through that firewall to limit what can come through to our network.

New Member

Re: RIPv2 updates question

Based on what you have shown us, I'm curious why you have host PCs sending RIP packets?

Bronze

Re: RIPv2 updates question

We got the MAC addresses for the devices, and they apparently belong to Cisco. So I suppose it is a PIX, router, or switch, probably in that order, given our network layout.

Re: RIPv2 updates question

James,

You can filter the RIP updates using VACLs on the 3550's. It would filter any RIP updates traversing the switch at Layer 2. You can use a config like this one - just change the values to suit your needs.

vlan access-map TEST 10
 action drop
 match ip address RIP
vlan access-map TEST 20
 action forward
vlan filter TEST vlan-list 1-4094
!
ip access-list extended RIP
 permit udp any host 224.0.0.9

HTH

Sundar

Bronze

Re: RIPv2 updates question

Sundar,

Thanks for the reply. We did that to stop the updates from coming through. I was just wondering why they were coming through in the first place. It just doesn't seem like they should.

Re: RIPv2 updates question

Review the firewall log to find the device that the RIP updates are coming from. Check the MAC address table on the 3550 to see the port associated with that device. The VLAN the port is part of should be the same as the port between the 3550 and the firewall, or the link between the firewall and the 3550 is possibly configured as a trunk.

HTH

Sundar
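As an added example (not part of this thread or any Cisco tool), the two checks above in script form: tally which source addresses in the firewall log are sending RIPv2 updates to 224.0.0.9 on UDP 520, and decode a captured RIPv2 datagram to see what routes the unexpected device is advertising. The log line format and the sample packet are constructed for the example.

```python
import re
import struct
from collections import Counter
from ipaddress import IPv4Address

RIP_GROUP = "224.0.0.9"   # RIPv2 multicast group (the address in the VACL above)
RIP_PORT = 520            # RIP's well-known UDP port

# Constructed firewall log lines in a hypothetical "<action> <proto> src:port -> dst:port" format.
SAMPLE_LOG = """\
deny udp 10.14.0.7:520 -> 224.0.0.9:520
permit tcp 10.77.0.21:51234 -> 10.1.1.10:443
deny udp 10.77.0.5:520 -> 224.0.0.9:520
deny udp 10.14.0.7:520 -> 224.0.0.9:520
"""
LOG_RE = re.compile(r"(\w+) (\w+) (\S+):(\d+) -> (\S+):(\d+)")

def rip_sources(log_text):
    """Return {source_ip: count} for log lines carrying RIP updates to 224.0.0.9/520."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _action, proto, src, _sport, dst, dport = m.groups()
        if proto == "udp" and dst == RIP_GROUP and int(dport) == RIP_PORT:
            hits[src] += 1
    return dict(hits)

def parse_ripv2(payload):
    """Decode a RIPv2 datagram: 4-byte header (command, version, pad), then 20-byte route entries."""
    command, version = struct.unpack("!BBxx", payload[:4])
    if version != 2:
        raise ValueError(f"not RIPv2 (version {version})")
    routes = []
    for off in range(4, len(payload), 20):
        afi, tag, ip, mask, nh, metric = struct.unpack("!HHIIII", payload[off:off + 20])
        routes.append({"afi": afi, "tag": tag,
                       "prefix": f"{IPv4Address(ip)}/{bin(mask).count('1')}",
                       "next_hop": str(IPv4Address(nh)), "metric": metric})
    return {"command": "response" if command == 2 else "request", "routes": routes}

# Constructed RIPv2 response advertising two /16 routes, the kind of packet the firewall would log.
def _entry(prefix, mask, metric):
    return struct.pack("!HHIIII", 2, 0, int(IPv4Address(prefix)), int(IPv4Address(mask)), 0, metric)

SAMPLE_RIP = struct.pack("!BBxx", 2, 2) + _entry("10.14.0.0", "255.255.0.0", 1) + _entry("10.77.0.0", "255.255.0.0", 2)
```

Once the source address is known, the MAC address table lookup on the 3550 tells you which port (and VLAN) it sits on.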

Bronze

Re: RIPv2 updates question

The link between the firewall and the 3550s is access VLAN 251; no trunk. The VLANs on the other side of the 3550 where RIP updates are coming from are 14 and 77. There are others, but those are the ones that matter.

Everything on the "dirty" side of the 3550s is NATted by whoever controls the network to a 10.x.x.x address coming into our firewall.

Silver

Re: RIPv2 updates question

RIP uses multicast to send RIP updates. Moreover, switches usually pass RIP traffic between ports on the same VLAN. This is why you see multicast or RIP traffic from the interface.

It seems some device has RIP enabled and is sending these multicasts!

Regards,
