Tuesday, December 23, 2008

vlan filter

Consider the following scenario where routers 1,2 and 3 are connected on a common LAN segment. All routers are in a common RIP domain.

The requirement is for Routers 2 and 3 to not accept ANY routes from R1 WITHOUT changing the config on R2 and R3!

A solution here is to use a vlan filter on the intermediate switch.
My first attempt was to apply the following (incorrect) configuration.

access-list 1 permit

vlan access-map DROP_RIP permit 10
match ip address 1
action drop
vlan access-map DROP_RIP permit 20

vlan filter DROP_RIP vlan 232

With the above config ALL RIP neighbor adjacencies were lost!!! The problem was the access list i had used. A more targetted ACL is required to only drop RIP traffic from Router 1.

The following ACL achieves the requirement.

access-list 100 permit udp host any eq rip

This question also got me thinking on how it would be possible to block other routing protocols of the switch.

The equivalent access list entries for EIGRP, OSPF and BGP are as follows......

Extended IP access list 100
20 permit eigrp host any
30 permit ospf host any
40 permit tcp host any eq bgp
50 permit tcp host eq bgp any

No comments: