Tuesday, December 23, 2008

vlan filter

Consider the following scenario, where Routers 1, 2 and 3 are connected on a common LAN segment. All routers are in a common RIP domain.

The requirement is for Routers 2 and 3 to not accept ANY routes from R1 WITHOUT changing the config on R2 and R3!

A solution here is to use a vlan filter on the intermediate switch.
My first attempt was to apply the following (incorrect) configuration.

access-list 1 permit 224.0.0.9

vlan access-map DROP_RIP permit 10
match ip address 1
action drop
vlan access-map DROP_RIP permit 20

vlan filter DROP_RIP vlan 232

With the above config ALL RIP neighbor adjacencies were lost! The problem was the access list I had used. A more targeted ACL is required, one that drops only the RIP traffic sourced from Router 1.

The following ACL achieves the requirement.

access-list 100 permit udp host 192.10.1.254 any eq rip

This question also got me thinking about how it would be possible to block other routing protocols on the switch.

The equivalent access list entries for EIGRP, OSPF and BGP are as follows:

Extended IP access list 100
20 permit eigrp host 50.0.0.254 any
30 permit ospf host 50.0.0.254 any
40 permit tcp host 50.0.0.254 any eq bgp
50 permit tcp host 50.0.0.254 eq bgp any
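Putting the pieces together, here is a complete VACL built from the corrected extended ACL above (an added example, not configuration from the original post). It assumes a single Router 1 address of 192.10.1.254 for every protocol and VLAN 232 as the shared segment; the blocked-protocol entries are the ones listed above, only re-pointed at that address.

```cisco
! Extended ACL: match only traffic SOURCED by Router 1 (assumed 192.10.1.254)
! that belongs to a routing protocol. Matching on the 224.0.0.9 destination
! alone would catch every router's RIP updates on the VLAN.
ip access-list extended R1_ROUTING_PROTOCOLS
 permit udp host 192.10.1.254 any eq rip
 permit eigrp host 192.10.1.254 any
 permit ospf host 192.10.1.254 any
 permit tcp host 192.10.1.254 any eq bgp
 permit tcp host 192.10.1.254 eq bgp any
!
! Sequence 10 drops what the ACL matches; sequence 20 has no match clause,
! so it matches everything else and forwards it. A VACL ends in an implicit
! deny, so without an explicit forward entry all other VLAN traffic is dropped.
vlan access-map DROP_R1_ROUTING 10
 match ip address R1_ROUTING_PROTOCOLS
 action drop
vlan access-map DROP_R1_ROUTING 20
 action forward
!
! Apply the map to the VLAN the three routers share (assumed VLAN 232).
vlan filter DROP_R1_ROUTING vlan-list 232
!
! Verification after applying:
!   show vlan access-map DROP_R1_ROUTING   - confirms match/action per sequence
!   show vlan filter                       - confirms the map is bound to VLAN 232
!   on R2/R3: show ip rip database / show ip route rip - R1's routes age out,
!   while routes learned from the other router remain.
```

Because a VACL is evaluated for every frame on the VLAN, a broad match clause in a drop entry takes down all peers at once, so check the ACL against the router's own interface address before binding the filter.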
