ACL vs Routing Protocols

Christopher DobkowskiChristopher Dobkowski Posts: 98Member ■■□□□□□□□□
Hi there fellows! icon_cheers.gif

I'm studying for my CCNA and I just finished the ACLs and I thought to experiment and what I came up with is to create an extended ACL that will deny Rip (port 520) from sending updates to a router on the far end of the link, the IPs are point-to-point 10.0.0.0/30 and what I want to do is:
Router 1 = FastEthernet 0/0 IP address -> 10.0.0.1/30 and Rip running (no-autosummary and ver is 2)
Router 2 = -||- -||- IP address -> 10.0.0.2/30 and Rip running (-||-)..
On both Routers I have one Loopback interface 0 with another network that I advertise over RIP.

Ok I set everything up the Rip works and the networks are advertised correctly. Now what I want to do is to set an access list on the Router 1 interface as Outbound to DENY Rip updates from going out that interface, I don't want to set it on the Router 2 as Inbound.

Can anyone tell me the ACL syntax to do this? I believe I need to use RIPs multicast but I'm not sure icon_sad.gif

Comments

  • Dan-HumphreysDan-Humphreys Posts: 20Member ■□□□□□□□□□
    Don't count on this being accurate, but I believe the updates are UDP so I'm guessing the syntax would be,

    deny udp any any eq 520
  • Christopher DobkowskiChristopher Dobkowski Posts: 98Member ■■□□□□□□□□
    Don't count on this being accurate, but I believe the updates are UDP so I'm guessing the syntax would be,

    deny udp any any eq 520

    Nope, still not working icon_sad.gif
    Thanks for help though, appreciate it! icon_thumright.gif
  • Dan-HumphreysDan-Humphreys Posts: 20Member ■□□□□□□□□□
    try tcp instead of udp? or add the same line for both

    so deny udp any any eq 520
    deny tcp any any eq 520
  • ZartanasaurusZartanasaurus Posts: 2,008Member
    Outbound ACLs don't filter router generated traffic. You'll have to do it inbound on the other router. Or you could deny everything outbound with a distribute-list.
    Currently reading:
    IPSec VPN Design 44%
    Mastering VMWare vSphere 5​ 42.8%
  • Christopher DobkowskiChristopher Dobkowski Posts: 98Member ■■□□□□□□□□
    Outbound ACLs don't filter router generated traffic. You'll have to do it inbound on the other router. Or you could deny everything outbound with a distribute-list.

    Oh my God! I totally forgot about that!!!! Thank You very much!!!!!!!! icon_cheers.gif bowing.gifbowing.gifbowing.gifbowing.gifbowing.gifbowing.gif
  • Christopher DobkowskiChristopher Dobkowski Posts: 98Member ■■□□□□□□□□
    try tcp instead of udp? or add the same line for both

    so deny udp any any eq 520
    deny tcp any any eq 520

    RIP uses UDP so TCP won't work... But thank's for trying! icon_thumright.gif:D
  • DiZzDiZz Posts: 2Registered Users ■□□□□□□□□□
    I believe you can just put rip in instead of the port number, kinda like you can put in eigrp

    soo maybe: deny udp any any eq rip

    but i dont remember if the version number matters.
  • LinuxRacrLinuxRacr Posts: 649Member ■■■■□□□□□□
    I think version may matter because Ripv2 uses the multicast address of 224.0.0.9 to send updates I believe.
    My WGU B.S. IT - Security Progress : Transferred In|Remaining|In Progress|Completed
    AGC1, CLC1, GAC1, INC1, CTV1, INT1, BVC1, TBP1, TCP1, QLT1, HHT1, QBT1, BBC1 (39 CUs), (0 CUs) (0 CUs)
    WFV1, BNC1, EAV1, EBV1, COV1 | MGC1, IWC1 | CQV1, CNV1, IWT1, RIT1 | DRV1, DSV1, TPV1, CVV1 | EUP1, EUC1, DHV1| CUV1, C173 | BOV1, CJV1, TXP1, TXC1 | TYP1, TYC1, SBT1, RGT1 (84 CUs) DONE!
Sign In or Register to comment.