blackbird
22-12-2009, 13:44
Dear all
i want to block RIP updates from propagating using access-list
i know that RIP updates sent on UDP port 520 and sent either broadcast (RiIP v1) or multicast (RIP v2)
i know that we can make it easily by using passive-interface, but the main question if i make access-list to allow only TCP connections, is this mean that the RIP updates will not passed as it uses UDP port 520?
i tried it in example but rip updates is propagated .
i don't know why
https://img195.imageshack.us/img195/1808/net3t.jpg (https://img195.imageshack.us/i/net3t.jpg/)
R0 Cionfiguration
interface Ethernet0/0
ip address 11.0.0.1 255.0.0.0
ip access-group 100 out
half-duplex
!
interface Ethernet0/3
ip address 10.0.0.1 255.0.0.0
half-duplex
!
router rip
network 10.0.0.0
network 11.0.0.0
!
access-list 100 permit tcp any any
access-list 100 deny udp any any
!
R1 Cionfiguration
interface Ethernet0/0
ip address 11.0.0.2 255.0.0.0
half-duplex
!
interface Ethernet0/1
ip address 12.0.0.1 255.0.0.0
half-duplex
!
router rip
network 11.0.0.0
network 12.0.0.0
R2 Cionfiguration
interface Ethernet0/1
ip address 12.0.0.2 255.0.0.0
half-duplex
!
interface Ethernet0/3
ip address 13.0.0.1 255.0.0.0
half-duplex
!
router rip
network 12.0.0.0
network 13.0.0.0
!
although i make Access-list in R0 to block all UDP , the rip updates propagated from R0 to R1 and R2.
R1 and R2 have Network 10.0.0.0 in their Routing table from RIP
plz need help
Thanks
BR
i want to block RIP updates from propagating using access-list
i know that RIP updates sent on UDP port 520 and sent either broadcast (RiIP v1) or multicast (RIP v2)
i know that we can make it easily by using passive-interface, but the main question if i make access-list to allow only TCP connections, is this mean that the RIP updates will not passed as it uses UDP port 520?
i tried it in example but rip updates is propagated .
i don't know why
https://img195.imageshack.us/img195/1808/net3t.jpg (https://img195.imageshack.us/i/net3t.jpg/)
R0 Cionfiguration
interface Ethernet0/0
ip address 11.0.0.1 255.0.0.0
ip access-group 100 out
half-duplex
!
interface Ethernet0/3
ip address 10.0.0.1 255.0.0.0
half-duplex
!
router rip
network 10.0.0.0
network 11.0.0.0
!
access-list 100 permit tcp any any
access-list 100 deny udp any any
!
R1 Cionfiguration
interface Ethernet0/0
ip address 11.0.0.2 255.0.0.0
half-duplex
!
interface Ethernet0/1
ip address 12.0.0.1 255.0.0.0
half-duplex
!
router rip
network 11.0.0.0
network 12.0.0.0
R2 Cionfiguration
interface Ethernet0/1
ip address 12.0.0.2 255.0.0.0
half-duplex
!
interface Ethernet0/3
ip address 13.0.0.1 255.0.0.0
half-duplex
!
router rip
network 12.0.0.0
network 13.0.0.0
!
although i make Access-list in R0 to block all UDP , the rip updates propagated from R0 to R1 and R2.
R1 and R2 have Network 10.0.0.0 in their Routing table from RIP
plz need help
Thanks
BR