RIPv2 Security

BlueyVIII, Level 1

We're connecting our network to a 3rd party network and have agreed with the 3rd party to send our routes to them using RIPv2.

Our network currently uses EIGRP so we'll need to enable RIPv2 on the 6509 which will be connecting to the 3rd party.

To ensure security, we'll be using authentication on the interface linking to the 3rd party and we'll use the "passive-interface default" command to make sure all of the other interfaces on the switch are passive.

However, my understanding is that the "passive-interface" command only stops the interfaces from sending RIPv2 packets. Is there a command to stop the interfaces processing incoming RIPv2 packets? My concern is that someone could connect a rogue RIPv2 router to our network which would then start sending RIPv2 updates.

Alternatively, is there a way to make the RIPv2 instance on the 6509 only process updates from an authenticated source (i.e., put authentication on the RIPv2 instance rather than the connecting interface)?

Any help gratefully received.

3 Replies

Joseph W. Doherty, Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Two possible methods to control what you accept from RIP sources, without setting RIPv2 authentication on every interface, might be to filter inbound routes using an inbound distribute-list, or to set the admin distance for RIP routes received from unknown RIP sources to infinity.

See http://www.cisco.com/en/US/docs/ios/12_0/np1/configuration/guide/1cindep.html#wp4929 for more information.

Joseph,

I totally agree. Using either inbound distribution lists or modifying administrative distance for unknown sources to 255 would do the trick.

And of course, using an inbound ACL blocking all UDP/520 traffic from unknown sources would also solve the issue.

Best regards,

Peter
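Pulling Joseph's two options (inbound distribute-list, administrative distance 255 for unknown sources) and Peter's UDP/520 ACL into one 6509 configuration, as an added example that is not part of the thread. The interface name, all addresses (203.0.113.0/30 for the link, peer 203.0.113.2), the EIGRP AS number, the prefix-list and key-chain names, the advertised and accepted prefixes, and the key string are assumptions for illustration only:

```cisco
! Added example, not from the thread. Assumed: third-party link is
! GigabitEthernet5/1 (203.0.113.1/30, peer 203.0.113.2), we send 10.0.0.0/8
! and accept 172.16.0.0/12, EIGRP AS 100, key chain RIPKEY with a
! placeholder key-string.
!
! 1. MD5 authentication on the single non-passive interface.
key chain RIPKEY
 key 1
  key-string ReplaceWithSharedSecret
!
! 2. Peter's suggestion: an interface ACL that only lets RIPv2 (UDP/520)
!    in from the agreed peer. RIPv2 is sent to 224.0.0.9; unicast replies
!    to our own address are also permitted.
ip access-list extended RIP-IN
 permit udp host 203.0.113.2 eq 520 host 224.0.0.9 eq 520
 permit udp host 203.0.113.2 eq 520 host 203.0.113.1 eq 520
 deny   udp any any eq 520
 permit ip any any
!
interface GigabitEthernet5/1
 ip address 203.0.113.1 255.255.255.252
 ip rip authentication mode md5
 ip rip authentication key-chain RIPKEY
 ip access-group RIP-IN in
!
! Prefix lists for both directions: what we accept and what we announce.
ip prefix-list THIRDPARTY-IN seq 5 permit 172.16.0.0/12 le 24
ip prefix-list OUR-ROUTES-OUT seq 5 permit 10.0.0.0/8 le 24
!
router rip
 version 2
 no auto-summary
 network 203.0.113.0
 redistribute eigrp 100 metric 10
 redistribute static metric 10
 passive-interface default
 no passive-interface GigabitEthernet5/1
! 3. Joseph's option 1: only the agreed prefixes are accepted on the
!    third-party link, and only the agreed prefixes are sent out of it.
 distribute-list prefix THIRDPARTY-IN in GigabitEthernet5/1
 distribute-list prefix OUR-ROUTES-OUT out GigabitEthernet5/1
! 4. Joseph's option 2: every RIP source defaults to AD 255 (never
!    installed); only the known peer gets the normal RIP distance.
!    Updates that reach a passive interface are still received, which is
!    why this applies to all sources and not just GigabitEthernet5/1.
 distance 255
 distance 120 203.0.113.2 0.0.0.0
```

The controls are layered on purpose: the ACL drops rogue UDP/520 traffic before RIP sees it on that interface, the distance command stops anything from an unknown source being installed even if it arrives on a passive interface, and the distribute-lists bound what the trusted peer can inject or learn. After applying it, `show ip protocols` lists the routing information sources with the distance assigned to each, and `show ip rip database` shows what RIP has actually learned; if nothing at all should be learned inbound, a global `distribute-list` referencing a deny-all access list (as in the OP's follow-up) replaces the per-interface prefix list.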

Thanks Guys...

As I don't want to receive any RIPv2 updates whatsoever, I'm planning on using the following config.

! Standard ACL that matches nothing; used to refuse all inbound RIP routes.
access-list 20 deny any
!
router rip
 version 2
 no auto-summary
 redistribute eigrp xxx metric 10
 redistribute static metric 10
 passive-interface default
 no passive-interface gi5/1
 ! Inbound distribute-list referencing the deny-all ACL above.
 distribute-list 20 in

Can you see any problems with that?