We have two 3550 switches that connect to some remote sites. They just have static and connected routes; no routing protocols are running. They run through a firewall to get to our network. Our firewall is showing RIPv2 packets hitting the firewall from hosts on the other side of the 3550s. Why are the 3550s propagating the updates? Shouldn't they be dropping the updates, since they are not running RIP? I added a drawing to help.
The question I have is: what VLAN are the ports that attach to the host and the firewall in? If they are in the same VLAN, the 3550 will handle the packets at L2, so there will be no chance for the L3 function to block the routing updates.
They are in completely separate VLANs.
I don't know for a fact that they are PCs. They are probably routers, but I don't know for sure. Everything on the other side of those 3550s is controlled by other companies/people. We don't control them. They go through that firewall to limit what can come through to our network.
We got the MAC addresses for the devices, and they apparently belong to Cisco. So I suppose it is a PIX, router, or switch, probably in that order, given our network layout.
You can filter the RIP updates using VACLs on the 3550's. It would filter any RIP updates traversing the switch at Layer 2. You can use a config like this one - just change the values to suit your needs.
! RIPv2 sends its updates to the multicast group 224.0.0.9 on UDP port 520
ip access-list extended RIP
 permit udp any host 224.0.0.9 eq 520
! sequence 10 drops traffic matched by the RIP ACL; sequence 20 has no match clause, so it forwards everything else
vlan access-map TEST 10
 match ip address RIP
 action drop
vlan access-map TEST 20
 action forward
vlan filter TEST vlan-list 1-4094
Thanks for the reply. We did that to stop the updates from coming through. I was just wondering why they were coming through in the first place. It just doesn't seem like they should.
Review the firewall log to find the device that the RIP updates are coming from. Check the MAC address table on the 3550 to see the port associated with that device. The VLAN that port is in should be the same as that of the port between the 3550 and the firewall, or else the link between the firewall and the 3550 is possibly configured as a trunk.
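The tracing procedure in the reply above (firewall log to source IP, ARP table to MAC, MAC table to port and VLAN, then compare that VLAN with the firewall uplink's VLAN) can be scripted once the show-command output has been pasted into files. The following is an added example and not something posted in this thread; the log lines and the `show ip arp` / `show mac address-table` output are constructed for the example, the firewall log line format is a generic syslog-style layout rather than any particular vendor's, and the firewall uplink VLAN (251) is taken from later in the thread.

```python
import re
from dataclasses import dataclass

RIP_MCAST = "224.0.0.9"   # RIPv2 multicast group
RIP_PORT = 520            # RIP UDP port
FIREWALL_VLAN = 251       # assumed: the 3550 port toward the firewall is access VLAN 251

# Constructed firewall log (generic syslog-style layout, not a real PIX/ASA format).
FIREWALL_LOG = """\
Jan 12 09:41:03 fw1 deny udp 10.14.0.7/520 -> 224.0.0.9/520 on outside
Jan 12 09:41:05 fw1 deny udp 10.77.0.2/520 -> 224.0.0.9/520 on outside
Jan 12 09:41:09 fw1 allow tcp 10.14.0.50/51234 -> 10.1.1.20/443 on outside
Jan 12 09:41:33 fw1 deny udp 10.14.0.7/520 -> 224.0.0.9/520 on outside
"""

# Constructed 'show ip arp' output from the 3550.
ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.14.0.7               5   0012.3456.789a  ARPA   Vlan14
Internet  10.77.0.2               2   000c.29ab.cdef  ARPA   Vlan77
Internet  10.14.0.50             12   0050.56aa.bbcc  ARPA   Vlan14
"""

# Constructed 'show mac address-table' output from the 3550.
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  14    0012.3456.789a    DYNAMIC     Fa0/3
  77    000c.29ab.cdef    DYNAMIC     Fa0/9
  14    0050.56aa.bbcc    DYNAMIC     Fa0/4
 251    0019.aabb.ccdd    DYNAMIC     Gi0/1
"""

LOG_RE = re.compile(r"udp (?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+) -> "
                    r"(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+)")
MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+(" + MAC + r")\s+ARPA\s+(\S+)", re.M)
MAC_RE = re.compile(r"^\s*(\d+)\s+(" + MAC + r")\s+\S+\s+(\S+)", re.M)


def rip_sources(log_text):
    """Source IPs of datagrams the firewall saw addressed to 224.0.0.9/520."""
    return {m["src"] for m in LOG_RE.finditer(log_text)
            if m["dst"] == RIP_MCAST and int(m["dport"]) == RIP_PORT}


def parse_arp(text):
    """ip -> (mac, interface) from 'show ip arp'."""
    return {ip: (mac, iface) for ip, mac, iface in ARP_RE.findall(text)}


def parse_mac_table(text):
    """mac -> (vlan, port) from 'show mac address-table'."""
    return {mac: (int(vlan), port) for vlan, mac, port in MAC_RE.findall(text)}


@dataclass
class Hit:
    ip: str
    mac: str
    vlan: int
    port: str
    verdict: str


def locate_rip_sources(log_text, arp_text, mac_text, firewall_vlan=FIREWALL_VLAN):
    """Join firewall log, ARP table and CAM table; say whether each RIP sender shares
    the firewall uplink's VLAN (pure L2 flooding) or sits in another VLAN."""
    arp, macs, hits = parse_arp(arp_text), parse_mac_table(mac_text), []
    for ip in sorted(rip_sources(log_text)):
        if ip not in arp:
            hits.append(Hit(ip, "?", -1, "?", "no ARP entry on the switch: sender is behind another hop or NAT"))
            continue
        mac, _ = arp[ip]
        if mac not in macs:
            hits.append(Hit(ip, mac, -1, "?", "MAC not in the CAM table: re-check while updates are being sent"))
            continue
        vlan, port = macs[mac]
        if vlan == firewall_vlan:
            verdict = "same VLAN as the firewall uplink: the 3550 floods the multicast at L2"
        else:
            verdict = ("different VLAN from the firewall uplink: check both ports for trunking; "
                       "224.0.0.0/24 is link-local and is not routed between SVIs")
        hits.append(Hit(ip, mac, vlan, port, verdict))
    return hits


if __name__ == "__main__":
    for h in locate_rip_sources(FIREWALL_LOG, ARP_TABLE, MAC_TABLE):
        print(f"{h.ip:<12} {h.mac:<15} vlan {h.vlan:<4} {h.port:<6} {h.verdict}")
```

Run it after pasting the real show-command output into the three strings; a sender that lands on the firewall's VLAN explains the symptom on its own, while one in another VLAN points at a trunk on the firewall-facing or sender-facing port.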
The link between the firewall and the 3550s is access vlan 251; no trunk. The vlans on the other side of the 3550 where RIP updates are coming from are 14 and 77. There are others, but those are the ones that matter.
Everything on the "dirty" side of the 3550s is NATted by whoever controls the network to a 10.x.x.x address coming into our firewall.
RIP uses multicast to send its updates. Moreover, switches usually pass RIP traffic between ports on the same VLAN. This is why you see multicast or RIP traffic from the interface.
It seems some device has RIP enabled and is sending these multicasts!
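What the firewall is logging is a UDP datagram from the sending router to 224.0.0.9, port 520, and decoding its payload shows which networks that device is advertising (and, if it uses simple-password authentication, the password in clear text), which helps pin down which of the unknown Cisco boxes is talking. The following decoder is an added example, not code from anyone in this thread; it follows the RIPv2 wire format (4-byte header, 20-byte entries, authentication entry with AFI 0xFFFF), and the sample datagram is constructed here rather than captured.

```python
import struct
import ipaddress

RIP_MCAST = "224.0.0.9"
RIP_PORT = 520
RIP_HEADER = struct.Struct("!BBH")        # command, version, must-be-zero
RIP_ENTRY = struct.Struct("!HH4s4s4sI")   # AFI, route tag, IP, mask, next hop, metric
AFI_IP = 2
AFI_AUTH = 0xFFFF
AUTH_SIMPLE = 2                           # plain-text password authentication
INFINITY = 16                             # RIP metric meaning "unreachable"


def build_response(routes, password=None):
    """Constructed RIPv2 Response (command 2) used as sample input; not a captured packet."""
    body = RIP_HEADER.pack(2, 2, 0)
    if password is not None:
        # authentication entry occupies the first 20 bytes after the header
        body += struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE, password.encode())
    for net, metric in routes:
        n = ipaddress.ip_network(net)
        body += RIP_ENTRY.pack(AFI_IP, 0, n.network_address.packed, n.netmask.packed,
                               b"\x00" * 4, metric)
    return body


def parse_rip(payload):
    """Decode a RIPv2 datagram into header fields, route entries and any cleartext password."""
    if len(payload) < RIP_HEADER.size or (len(payload) - RIP_HEADER.size) % RIP_ENTRY.size:
        raise ValueError("not a well-formed RIP datagram")
    command, version, _ = RIP_HEADER.unpack_from(payload, 0)
    out = {"command": {1: "request", 2: "response"}.get(command, command),
           "version": version, "routes": [], "password": None}
    off = RIP_HEADER.size
    while off < len(payload):
        afi = struct.unpack_from("!H", payload, off)[0]
        if afi == AFI_AUTH:
            _, auth_type, data = struct.unpack_from("!HH16s", payload, off)
            if auth_type == AUTH_SIMPLE:        # the password travels in the clear
                out["password"] = data.rstrip(b"\x00").decode(errors="replace")
        elif afi == AFI_IP:
            _, tag, ip, mask, nh, metric = RIP_ENTRY.unpack_from(payload, off)
            prefix = ipaddress.ip_network((ip, str(ipaddress.IPv4Address(mask))))
            out["routes"].append({"prefix": str(prefix), "metric": metric, "tag": tag,
                                  "next_hop": str(ipaddress.IPv4Address(nh)),
                                  "unreachable": metric >= INFINITY})
        off += RIP_ENTRY.size
    return out


def is_ripv2_update(dst_ip, dst_port, payload):
    """True when the datagram is a RIPv2 multicast update of the kind the firewall logged."""
    return dst_ip == RIP_MCAST and dst_port == RIP_PORT and parse_rip(payload)["version"] == 2


# Sample datagram, constructed for the example: two advertised networks plus a simple password.
SAMPLE_UPDATE = build_response([("192.168.14.0/24", 1), ("10.14.0.0/16", 2)], password="rip-secret")

if __name__ == "__main__":
    decoded = parse_rip(SAMPLE_UPDATE)
    print(decoded["command"], "v" + str(decoded["version"]), "password:", decoded["password"])
    for r in decoded["routes"]:
        print(f"  {r['prefix']:<18} metric {r['metric']} tag {r['tag']} next-hop {r['next_hop']}")
```

Feed `parse_rip` the UDP payload of one of the logged packets (a packet capture on the firewall's outside interface or a SPAN of the 3550's VLAN 251 port will give it to you); the advertised prefixes usually identify the sending site, and a non-empty `password` means the remote side is using the plain-text form of RIPv2 authentication, which any host on the VLAN can read.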