From: Huan Pham (Huan.Pham@peopletelecom.com.au)
Date: Mon Oct 27 2008 - 20:37:42 ARST
Hi GS,
I am doing a simple lab in IEWB1 v5, trying to match all RIP traffic
coming to an interface, but I saw a weird problem. If the router does
not run RIP, and the RIP traffic coming to the interface is multicast,
then my ACL does not match any packets at all. Is there any special
thing I need to do to be able to catch that traffic? Any suggestions
please? Thanks.
I've tried a couple of tricks but none can explain what I described
above.
Here's what I tried.
Topology:
155.1.146.0/24
R4 ----------------------- R6
Fa0/1 Fa0/0.146
ACL uses UDP 520 to match RIP
RIP traffic is coming from R6 (running RIP ver2). I have the ACL on R4.
If R4 does not run RIP ver2, then the ACL does not match any RIP traffic.
If R4 runs RIP ver2, then the ACL does catch RIP traffic from R6.
If R4 does not run RIP, but R6 runs RIPv1, then the ACL also matches RIP
traffic.
Rack1R4#
ip access-list extended LOGGING
permit udp any any eq rip log-input
permit ip any any
int fa0/1
ip access-group LOGGING in
R4 does not have RIP running yet.
Rack1R4#sh access-list
Extended IP access list LOGGING
10 permit udp any any eq rip log-input <<<<<<<<< NO MATCHES
20 permit ip any any (189 matches)
Rack1R4#c
Enter configuration commands, one per line. End with CNTL/Z.
Rack1R4(config)#router rip
Rack1R4(config-router)#net 155.1.0.0
Rack1R4(config-router)#
Rack1R4#
Rack1R4#
*Apr 7 12:35:07.011: %SEC-6-IPACCESSLOGP: list LOGGING permitted udp 155.1.146.6(520) (Ethernet1/0 00d0.58f7.a961) -> 224.0.0.9(520), 1 packet
Rack1R4#sh access-list
Extended IP access list LOGGING
10 permit udp any any eq rip log-input (5 matches) <<<<<< MATCHES
20 permit ip any any (240 matches)
Change R6 from running RIP ver2 to ver1, and remove RIP from R4:
Rack1R4(config)#no router rip
Rack1R6(config-router)#router rip
Rack1R6(config-router)#ver 1
Rack1R6(config-router)#
Rack1R4#
*Apr 7 12:37:26.211: %SEC-6-IPACCESSLOGP: list LOGGING permitted udp 155.1.146.6(520) (Ethernet1/0 00d0.58f7.a961) -> 255.255.255.255(520), 1 packet
Rack1R4#sh access-list
Extended IP access list LOGGING
10 permit udp any any eq rip log-input (5 matches) <<<<<<< MATCHES
20 permit ip any any (18 matches)
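As an added example (not part of the original post or any IOS tooling), the following Python script parses %SEC-6-IPACCESSLOGP messages produced by a log-input ACL like the LOGGING list above and totals the logged UDP/520 packets by destination type, so the multicast (224.0.0.9) and broadcast (255.255.255.255) cases the post contrasts can be told apart from syslog alone. The sample lines are constructed in the shape of the post's output; the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample lines in the same shape as the %SEC-6-IPACCESSLOGP
# messages quoted in the post (the unicast line and its count are made up).
SAMPLE_LOG = """\
*Apr 7 12:35:07.011: %SEC-6-IPACCESSLOGP: list LOGGING permitted udp 155.1.146.6(520) (Ethernet1/0 00d0.58f7.a961) -> 224.0.0.9(520), 1 packet
*Apr 7 12:37:26.211: %SEC-6-IPACCESSLOGP: list LOGGING permitted udp 155.1.146.6(520) (Ethernet1/0 00d0.58f7.a961) -> 255.255.255.255(520), 1 packet
*Apr 7 12:38:00.000: %SEC-6-IPACCESSLOGP: list LOGGING permitted udp 155.1.146.6(520) (Ethernet1/0 00d0.58f7.a961) -> 155.1.146.4(520), 3 packets
"""

# Fields of one log-input message: ACL name, action, protocol, source,
# optional ingress interface and source MAC (log-input only), destination, count.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) "
    r"(?:\((?P<ifname>\S+) (?P<mac>[0-9a-f.]+)\) )?"
    r"-> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def classify_dst(dst):
    """Label a destination address as broadcast, multicast or unicast."""
    addr = ipaddress.ip_address(dst)
    if addr == ipaddress.ip_address("255.255.255.255"):
        return "broadcast"
    if addr.is_multicast:          # 224.0.0.0/4, which covers RIPv2's 224.0.0.9
        return "multicast"
    return "unicast"

def parse_ipaccesslogp(text):
    """Return one dict per %SEC-6-IPACCESSLOGP line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["count"] = int(rec["count"])
        rec["dst_kind"] = classify_dst(rec["dst"])
        records.append(rec)
    return records

def rip_packets_by_dst_kind(text, rip_port=520):
    """Sum logged packets sent to RIP's UDP port, keyed by destination kind."""
    totals = {"multicast": 0, "broadcast": 0, "unicast": 0}
    for rec in parse_ipaccesslogp(text):
        if rec["proto"] == "udp" and int(rec["dport"]) == rip_port:
            totals[rec["dst_kind"]] += rec["count"]
    return totals

if __name__ == "__main__":
    for kind, n in rip_packets_by_dst_kind(SAMPLE_LOG).items():
        print(f"{kind}: {n}")
```

Feed it the router's syslog export instead of SAMPLE_LOG; a zero multicast total alongside a non-zero broadcast total reproduces the discrepancy the post describes.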
This archive was generated by hypermail 2.1.4 : Sat Nov 01 2008 - 15:35:23 ARST