[c-nsp] Filtering incoming advertisements in RIP

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Thu Jan 25 00:58:58 EST 2007


cisco-nsp-bounces at puck.nether.net wrote:

>> How about setting "passive-interface default" in the router config,
>> and then "no passive-interface interface-name"? That way you can
>> explicitly define the interfaces that listen/respond to RIPv2
>> packets. 
> 
> Quote from cisco.com:
> 
>> For RIP and IGRP, the passive interface  command stops the router
>> from sending updates to a particular neighbor, but the router
>> continues to listen and use routing updates from that neighbor;
> 
> http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080208748.shtml#disin
> 
> The whole process described in that document seems not to be working
> on 12.2(18)SXF; it explicitly states that the global distribute-list
> should not be checked if there is one configured for the ingress
> interface. I tried a (named) ACL instead of a prefix list as well, no
> difference.

Well, actually: If you read this document very closely (and I also had
to read it twice after looking at the code), it says:

Step 3: Is there a distribute list applied to that interface?
      Yes: Is the network denied by that list?
            Yes: the network does not make it to the routing table; return to step 1.
            No: the network is allowed; continue to step 4.
      No: Go to step 4.
Step 4: Is there a global distribute list?
      Yes: Is the network denied by that list?
            Yes: the network does not make it to the routing table; return to step 1.
            No: the network makes it to the routing table; return to step 1.
      No: The network makes it to the routing table; return to step 1.

So all networks allowed by the interface-specific list in step 3 are
still checked by the global list, so if you do a "deny any" in the
global dist-list, the interface-specific dist-list will become a no-op.

While this might not be very intuitive, it works as described.

I already suggested some possible alternatives to you via unicast:

1) use distance to ignore everything except announcements from specific
peers (option to filter those announcements with ACLs as well)

 distance 255
 distance 120 <peer1> 0.0.0.0 [acl]
 distance 120 <peer2> 0.0.0.0 [acl]

2) do a similar approach using an extended ACL and apply this as global
dist-list

access-list 123 permit ip host <peer1> <network1> <wildcard>
access-list 123 permit ip host <peer1> <network2> <wildcard>
access-list 123 permit ip host <peer2> <network3> <wildcard>
access-list 123 permit ip host <peer2> <network4> <wildcard>
access-list 123 deny ip any any

router rip
 distribute-list 123 in


	oli
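A worked model of the filtering order discussed above, added here as an example (it is not code from the original post, from the cisco-nsp thread, or from Cisco): it simulates step 3 and step 4 of the quoted tech note, so you can see why a global "deny any" makes the interface-specific distribute-list a no-op, and models the two alternatives from the reply (per-neighbor `distance` under `distance 255`, and an extended ACL applied as the global inbound distribute-list). The neighbor addresses (192.0.2.x), prefixes and ACL contents are constructed; the assumption that `distance` rules are matched top-down like an ACL is a modelling choice, not documented IOS behaviour.

```python
# Added example, not code from the original post or from Cisco: a small Python
# model of the RIP inbound filtering order described in the thread (interface
# distribute-list first, then the global one) and of the two alternatives in
# the reply. Peer addresses, prefixes and ACL contents are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AclEntry:
    """One ACL line. 'network' is IOS style '<addr> <wildcard>' or 'any';
    'src' models the 'host <peer>' source of an extended ACL entry."""
    permit: bool
    network: str
    src: Optional[str] = None


def _wild_match(addr: str, entry_addr: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a set bit in the wildcard means 'don't care'."""
    a, e, w = (int(ipaddress.IPv4Address(x)) for x in (addr, entry_addr, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (e & ~w & 0xFFFFFFFF)


def acl_permits(acl: List[AclEntry], network: str, peer: str) -> bool:
    """First matching entry wins; every ACL ends with an implicit 'deny any'."""
    for entry in acl:
        if entry.src is not None and entry.src != peer:
            continue  # extended entry written for another neighbor
        if entry.network == "any" or _wild_match(network, *entry.network.split()):
            return entry.permit
    return False


def rip_accepts(network, peer, iface_list=None, global_list=None):
    """Steps 3 and 4 of the quoted tech note: a route that survives the
    interface-specific list is still checked by the global list, so a
    global 'deny any' turns the interface list into a no-op."""
    if iface_list is not None and not acl_permits(iface_list, network, peer):
        return False  # step 3: denied by the interface distribute-list
    if global_list is not None and not acl_permits(global_list, network, peer):
        return False  # step 4: denied by the global distribute-list
    return True


def effective_distance(network, peer, rules, default=120):
    """Model of 'distance <d> <peer> <wildcard> [acl]': the first rule whose
    peer matches and whose ACL (if any) permits the network sets the distance,
    otherwise the protocol default applies; 255 means 'never installed'.
    (Assumption: rules are evaluated top-down like an ACL.)"""
    for dist, rule_peer, wildcard, acl in rules:
        if not _wild_match(peer, rule_peer, wildcard):
            continue
        if acl is None or acl_permits(acl, network, peer):
            return dist
    return default


PEER1, PEER2 = "192.0.2.1", "192.0.2.2"  # constructed neighbor addresses


def global_deny_any_wins(network="10.1.0.0"):
    """The situation from the thread: interface list permits 10.1.0.0/16,
    global list is 'deny any'. Returns whether the route is accepted."""
    iface_list = [AclEntry(True, "10.1.0.0 0.0.255.255")]
    global_list = [AclEntry(False, "any")]
    return rip_accepts(network, PEER1, iface_list, global_list)


# Alternative 1: 'distance 255' plus 'distance 120 <peer> 0.0.0.0 [acl]'.
DISTANCE_RULES = [
    (120, PEER1, "0.0.0.0", [AclEntry(True, "10.1.0.0 0.0.255.255")]),
    (120, PEER2, "0.0.0.0", None),
]


def installed_via_distance(network, peer):
    """True when the route gets a usable distance (< 255) and is installed."""
    return effective_distance(network, peer, DISTANCE_RULES, default=255) < 255


# Alternative 2: extended ACL keyed on neighbor + network, as the global list.
ACL_123 = [
    AclEntry(True, "10.1.0.0 0.0.255.255", src=PEER1),
    AclEntry(True, "10.2.0.0 0.0.255.255", src=PEER1),
    AclEntry(True, "10.3.0.0 0.0.255.255", src=PEER2),
    AclEntry(True, "10.4.0.0 0.0.255.255", src=PEER2),
    AclEntry(False, "any"),
]


def accepted_via_extended_acl(network, peer):
    """'router rip / distribute-list 123 in' with no interface-specific list."""
    return rip_accepts(network, peer, global_list=ACL_123)


if __name__ == "__main__":
    print("global 'deny any' overrides interface permit:", not global_deny_any_wins())
    print("10.5.0.0 from PEER1 installed via distance:", installed_via_distance("10.5.0.0", PEER1))
    print("10.1.0.0 from PEER2 accepted via ACL 123:", accepted_via_extended_acl("10.1.0.0", PEER2))
```

The point to take from the model is that both alternatives move the neighbor check into a single evaluation (the `distance` rule or the extended ACL entry) instead of relying on two distribute-lists whose results are ANDed together, which is what step 4 effectively does.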