george at shorelink
Jul 20, 2003, 4:34 PM
I have what on the surface seems like a silly question but ...
I have some ServerIron 800's running 8.1R that are layer3 aware running
RIP and OSPF. The OSPF is used inside the network between various sites
and RIP is used locally on the site. I use Netscalers ahead of the
ServerIrons to aggregate tens of thousands of internet client connections
to a few thousand more persistant backend connections to the load
balancers. These persistant connections carry source addresses that are
programmed on the Netscalers. Each one is on its own /27 subnet and RIP
is used to make the servers behind the ServerIrons aware of how to reach
each of these subnets so return traffic passes back to the correct
ServerIron and Netscaler. The machines are running zebra/ripd.
What I want to do is further simplify the server config by also announcing
a default route via RIP. The default route is my problem.
It *APPEARS* that in order to make sure a default route gets to the
servers, I have to create a filter list that 1. Excludes all routes I dont
want sent and 2. sends all the rest that aren't blocked.
This scares me because I would rather have a filter list that says: 1.
Send all these routes and 2. include a default.
In other words, I would like the logic to be "not sent via RIP unless
explicitly allowed" rather than "always send via RIP unless explicitly
denied." But I find no way to allow 0.0.0.0/0 with their filter language
without that also allowing literally every route.
So lets say the route table on the SI contains:
What I want to do is pass the /27 routes and the default via RIP while not
passing any of the 10/8 routes or the /25 and I DONT want to have to worry
about a new route that might be created leaking to the servers via RIP
bacuse the servers will have something like:
220.127.116.11/27 via eth0
18.104.22.168/27 via eth0
22.214.171.124/27 via eth0
126.96.36.199/27 via eth0
0.0.0.0/0 via eth0
10/8 via eth1 (which goes to a router, not the SI).
Is there a Foundry RIP filter statement that says "pass 0.0.0.0/0 and only
that route, not everything that 0.0.0.0/0 'means' ... which is everything"