Rogue UNIX machines running 'routed'

dedetmer
Level 1

I'm running a segmented network on a Class C network (Cat5000 w/MSFC). There are 2 machines on this network that are running 'routed' configured as Class B. I have previous disabled their ports and network responses throughout the Class C immediately improved. I was forced to enable these ports again with no changes. That was about 3 weeks ago. There has been no complaints of sluggishness since then until this week.

I've run diagnostics using a Fluke Optiview on all 3 segments of my network and find nothing except those 2 machines again.

Can this scenario be intermittent? I'm wondering why there was an immediate improvement when I disabled these machines and a 3-week delay in the problems occurring again.

8 Replies

smif101
Level 4

Well what I would do is disable the routing daemon on those machines. They do not need to be running RIP. Give them an IP address on the proper subnet and change the subnet mask to be 255.255.255.0 (or the proper mask that the network is running) and give them the proper default gateway. This should fix your problems.

I did that smif. They made me set it back. Then they complained again. Such is the successful life of network engineering...

Has CISCO published a manual on user stupidity yet? I'll pay a good sum for it.

What possible reason did they want to have it set that way? What reasons do they have to run RIP and to have their subnet mask not match the rest of the network? One thing you could do is put them on their own VLAN, and that could help things. Also, do these Unix machines have more than one Ethernet connection to a switch?

Turns out these guys are using dual-nics and separately connecting a network that I'm already routing through a 3550.

It just keeps getting better...

It would still be easier / better to put in a single default gateway plus a static route to the other LAN (route add

There's no reason to be running routed on a workstation.

Segregating them to their own VLAN is probably a good idea (if nothing else). If you have a corporate network security group (and a policy to back it up), they probably have the juice to make them change.

If everything else fails, just point & giggle at them. Bring strangers past their desk and get THEM to point and giggle at them for being such stupid (L)users.

Maybe you can embarrass them into compliance. `nixheads hate to be laughed at.

Good Luck

Scott

What version of RIP are you running? If you are running RIPv2, you could set up route authentication. This should result in the routers not accepting routes from the Unix stations.

The easiest solution might be to use the distance command under the router rip configuration to set any route that is learned from the Unix stations to an administrative distance of 255. This will mark the route as unreachable and should result in the route not being installed into the routing table. This configuration would look like:

router rip
 distance 255 172.16.32.1 0.0.0.0

In the example, the 172.16.32.1 IP address is that of the advertising device that I want to change the distance of the routes for. In your case, this would be the IP address of the Unix stations.

The other thing that you can do is set up an ACL that will filter RIP updates from coming into the routed interface of the Cat5000 for the VLAN that they are on. The config for this would look something like:

access-list 100 deny udp host 172.16.32.1 any eq rip
access-list 100 permit ip any any
interface vlan 100
 ip access-group 100 in

The first line of the ACL from the example matches any RIP packet coming from a source IP address of 172.16.32.1. If you replace this with the IP address of the rogue Unix system, it should prevent any RIP packet from entering your router and thus prevent the routes from entering your routing table. The second line of the ACL above allows all other traffic to enter the router interface and be passed on to the network.

Once the ACL is built, you just need to apply it to the VLAN interfaces for both networks that the systems are connected to.

You could also configure the RIP process to not advertise routes out to the VLAN that these systems are connected to by using the command passive-interface VLAN 100 under the router rip configuration. This will likely result in the systems not getting any routes, and they will not communicate with the network unless they have a default route set up within their system. Be careful with this one if you need to advertise routes out to another router on this subnet, as it will stop all routing updates from going out that interface. When the Unix users call and say they can't get to the network, have them ping the router interface. Since it is on the same subnet, it will respond. That shows that they have network connectivity, so it must be that they don't have a default gateway set up. Then tell them that all they need to do is configure a default gateway within their system, and while they are at it, they can shut off the routed process.

HTH

Steve
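Steve's reply above is about keeping rogue RIP speakers out of the routing table. The following is an added example (not code from the thread or from Cisco) showing how a defender would spot them from captured RIP traffic before touching the router: it parses RIPv1/RIPv2 response payloads (the UDP/520 datagrams the ACL above filters), flags any advertiser that is not on an allowlist or that advertises a "Class B" style prefix that swallows the local /24 (the misconfiguration the original poster describes), and emits the `distance 255` and ACL lines from the reply for each offender. The source addresses, the 172.20.5.0/24 network and the packets themselves are constructed for this example.

```python
"""Flag rogue RIP advertisers from captured UDP/520 payloads and emit mitigation config.

Added example, not part of the original thread. Assumes captures are available as
(source_ip, payload_bytes) pairs; the sample packets below are hand-built.
"""
import ipaddress
import struct

HEADER = struct.Struct("!BBH")        # command (1=request, 2=response), version, must-be-zero
ENTRY = struct.Struct("!HH4s4s4sI")   # AFI, route tag, address, mask, next hop, metric (20 bytes)


def classful_prefixlen(addr: ipaddress.IPv4Address) -> int:
    """RIPv1 carries no mask, so receivers fall back to the classful length."""
    first = int(addr) >> 24
    return 8 if first < 128 else 16 if first < 192 else 24


def parse_rip(payload: bytes):
    """Return (command, version, [(IPv4Network, metric), ...]) for one RIP payload.

    RIPv2 authentication entries (AFI 0xFFFF) are skipped; non-IP AFIs are ignored.
    """
    command, version, _zero = HEADER.unpack_from(payload, 0)
    routes = []
    for off in range(HEADER.size, len(payload) - ENTRY.size + 1, ENTRY.size):
        afi, _tag, ip, mask, _nexthop, metric = ENTRY.unpack_from(payload, off)
        if afi != 2:                       # 2 = IP; 0xFFFF = RIPv2 auth trailer
            continue
        addr = ipaddress.IPv4Address(ip)
        if version == 1 or mask == b"\0\0\0\0":
            plen = classful_prefixlen(addr)
        else:
            plen = ipaddress.IPv4Network(f"0.0.0.0/{ipaddress.IPv4Address(mask)}").prefixlen
        routes.append((ipaddress.IPv4Network((addr, plen), strict=False), metric))
    return command, version, routes


def find_rogues(packets, authorized, local_net):
    """Return findings for every RIP response from an unexpected or misconfigured source."""
    local = ipaddress.IPv4Network(local_net)
    findings = []
    for src, payload in packets:
        command, version, routes = parse_rip(payload)
        if command != 2:                   # only responses carry advertisements
            continue
        reasons = []
        if src not in authorized:
            reasons.append("unauthorized source")
        for net, _metric in routes:
            # A broader prefix containing our subnet is the "configured as Class B" symptom.
            if net.prefixlen < local.prefixlen and local.subnet_of(net):
                reasons.append(f"advertises {net} which swallows {local}")
        if reasons:
            findings.append({"src": src, "version": version, "reasons": reasons})
    return findings


def mitigation_config(src_ip: str, vlan: int, acl: int = 100) -> str:
    """IOS lines mirroring the reply: distance 255 for the host, plus an inbound ACL on the VLAN."""
    return (
        "router rip\n"
        f" distance 255 {src_ip} 0.0.0.0\n"
        f"access-list {acl} deny udp host {src_ip} any eq rip\n"
        f"access-list {acl} permit ip any any\n"
        f"interface vlan {vlan}\n"
        f" ip access-group {acl} in\n"
    )


def build_rip_response(version: int, entries) -> bytes:
    """Construct a RIP response payload for testing; entries are (network_str, metric)."""
    out = bytearray(HEADER.pack(2, version, 0))
    for net_str, metric in entries:
        net = ipaddress.IPv4Network(net_str)
        mask = net.netmask.packed if version == 2 else b"\0\0\0\0"
        out += ENTRY.pack(2, 0, net.network_address.packed, mask, b"\0\0\0\0", metric)
    return bytes(out)


# Constructed sample capture: one legitimate router and two workstations running routed.
SAMPLE_PACKETS = [
    ("172.20.5.1", build_rip_response(2, [("10.0.0.0/8", 2)])),      # the real gateway
    ("172.20.5.50", build_rip_response(2, [("172.20.0.0/16", 1)])),  # Unix box, RIPv2, /16 mask
    ("172.20.5.51", build_rip_response(1, [("172.20.0.0/16", 1)])),  # Unix box, RIPv1 (classful /16)
]
AUTHORIZED_ROUTERS = {"172.20.5.1"}

if __name__ == "__main__":
    for f in find_rogues(SAMPLE_PACKETS, AUTHORIZED_ROUTERS, "172.20.5.0/24"):
        print(f"{f['src']} (RIPv{f['version']}): {'; '.join(f['reasons'])}")
        print(mitigation_config(f["src"], vlan=100))
```

The parser deliberately treats RIPv1 entries and zero masks as classful, because that is how a receiving router interprets them; a RIPv2 speaker sending an explicit 255.255.0.0 and a RIPv1 speaker sending 172.20.0.0 with no mask both end up as 172.20.0.0/16 and are flagged the same way. The ACL number and VLAN id are parameters so the output can be adapted to the interface the rogue actually sits on.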

Steve,

That's a great suggestion. I'm pretty sure we're running IGRP. I had actually set VLANs up for this test network but didn't think of authentication and ACLs (duh). Guess it's time to changeover to EIGRP.

Thank you so much.

BRILLIANT, Scott! Loved your last resort. That sort of Interpersonal Skills principle is right up my alley. Shame on me for not thinking of it!