While reading through my Cisco Press CCIE lab workbook, I came upon a section of the configs that kind of threw me off. The lab asked you to configure RIP to unicast updates without using the neighbor/passive-interface command. For those of you unfamiliar with the “neighbor” way of doing things, here’s how it goes. You configure “neighbor x.x.x.x” as the neighbors address (obviously). This will unicast updates, however, it will also broadcast (for RIPv1) or multicast (for RIPv2) updates regardless. See below.
The following shows
Apr 9 17:29:42.815: RIP: sending v2 update to 224.0.0.9 via Serial1/0 (10.25.1.1)
R1(config-router)#neighbor 10.25.1.2 (added the neighbors IP here)
*Apr 9 17:31:04.575: RIP: sending v2 update to 224.0.0.9 via Serial1/0 (10.25.1.1)
*Apr 9 17:31:04.583: RIP: sending v2 update to 10.25.1.2 via Serial1/0 (10.25.1.1)
As you can see, unicast RIP updates are being sent, but the multicast updates are still going out. How do we stop them? Using the passive-interface command.
R1(config-router)#passive-interface s1/0
*Apr 9 17:34:50.887: RIP: sending v2 update to 10.25.1.2 via Serial1/0 (10.25.1.1)
As you can see, RIP updates are no longer being multicasted now, however the unicast ones are still exiting the interface..success! That’s fine and dandy, but let’s see another tricky way to pull this off. What happens if the lab says you cannot use the neighbor statement?…
Enter NAT. I won’t lie, NAT is one of my least favorite subjects due to the unfamiliarity, but I’m sure after reading the following text, you’ll be impressed. I found this to be a sneaky way of unicasting RIP updates. Here’s the idea, since the neighbor statement is out of the question, we’ll use NAT to translate any outgoing traffic on UDP port 520 (RIP updates) to multicast address 224.0.0.9 into our neighbors interface address..in this case 10.25.1.2. Here is the configuration.
R1(config)#int s1/0
R1(config-if)#ip nat outside
Above, we simply identified our s1/0 as the outside interface for NAT purposes. Next, we’ll create our NAT statement which will do the magic.
R1(config)#ip nat outside source static udp 10.25.1.2 520 224.0.0.9 520
Here’s the catch. If we look at R1′s debug ip packet detail output:
*Apr 9 17:49:04.739: IP: s=10.25.1.2 (Serial1/0), d=224.0.0.9, len 52, rcvd 2
*Apr 9 17:49:04.743: UDP src=520, dst=520
My first impression was: “damn, not working”. Then I checked R2′s debug ip packet detail output..low and behold..
*Apr 9 17:51:13.915: IP: s=10.25.1.1 (Serial1/0), d=10.25.1.2 (Serial1/0), len52, rcvd 3
*Apr 9 17:51:13.915: UDP src=520, dst=520
Ah ha! The RIP updates sourced from R1 (10.25.1.1) are being sent to 10.25.1.2..or unicasted. We can verify this is unicast only, because without the NAT configuration, you will see the destination as the RIP multicast address, or 224.0.0.9. Pretty sneaky! Now, why can’t we see this NAT solution in R1 through debug ip rip, or debug ip packet det? It all comes down to the NAT order of operation. When performing NAT inside-to-outside translation, routing is done before NAT (with good reason)..therefore your RIP output shows that it is addressed to the 224.0.0.9 address, but by looking at debug ip nat detail on R1, we could see the NAT translation taking place.
*Apr 9 17:56:45.843: NAT: i: udp (10.25.1.1, 520) -> (224.0.0.9, 520) [0]
*Apr 9 17:56:17.815: NAT: s=10.25.1.1, d=224.0.0.9->10.25.1.2 [0]
There you have it! The lesson learned here is to 1) use 100% of the debug commands available, and 2) sometimes debugging from a neighboring router will help troubleshoot the node with an issue.
Edit: Although I used RIPv2 in the example above, you can do the same with RIPv1, but instead of putting the RIPv2 multicast address in the NAT statement, use the broadcast address. It is key to note that you have to specify UDP port 520, or else you will translate all broadcast traffic that leaves the router instead of just RIP updates!
This is awesome. I never would have thought to NAT multicast to unicast. Very clever and creative.
What about updates coming back from R2 to R1 using standard RIPv2 updates ?
They would be originated as
src 10.25.1.2 –> dst 224.0.0.9 UDP 520
R1 will see packet sourced from 10.25.1.2 and translate it to 224.0.0.9
After NAT, R1 RIP process will see a RIP update coming from 224.0.0.9
src 224.0.0.9 –> dst 224.0.0.9
I dont think that would be a valid update and it will be discarded.
Is there a fix for this ?
Regards,
Luis,
Good question. Packets coming back from R2 are being multicasted as standard RIPv2 updates even with the NAT translation. What you say makes sense, however here is my take.
“They would be originated as
src 10.25.1.2 -> dest 224.0.0.9 UDP 520
R1 will see a packet sourced from 10.25.1.2 and translate it to 224.0.0.9″
Here’s the thing. On the outbound NAT, we are translating based on destination (224.0.0.9) (inside to outside NAT), which means that on the inbound translation, it would look for the source at translation. Here’s the catch things work as you described- then yes, the source would be 224.0.0.9 and it would not be a valid update as far as I know. However, I cannot for the life of me get the source to translate to 224.0.0.9 (unless going to R2 and forcing it there). Here’s what I got. This shows R2 is translating the source to 224.0.0.9…so that we can force an invalid RIP update on R1 for testing purposes.
*Apr 19 18:11:36.859: IP: s=10.25.1.2 (local), d=224.0.0.9 (Serial1/0), len 52,
sending broad/multicast
R2#
*Apr 19 18:11:36.863: UDP src=520, dst=520
*Apr 19 18:11:36.863: NAT: i: udp (10.25.1.2, 520) -> (224.0.0.9, 520) [0]
R2#
But then we go over to R1..and what do we have?
*Apr 19 18:13:57.691: IP: s=10.25.1.2 (Serial1/0), d=224.0.0.9, len 52, rcvd 2
*Apr 19 18:13:57.695: UDP src=520, dst=520
R1#
Yep, you read that right. Leaving @ R2 translated to be sourced as 224.0.0.9, but arrives from the R2 interface address of 10.25.1.2 anyways. Hmm..this has my mind a little messed up. Although the NAT trick for RIP works fine, I can’t give an honest answer as to WHY. I’m working on it! In the meantime this debug output should give you a minute or two of confusion
There would be no translation back to 224.0.0.9 because the ip inside is not set on any physicla or logical interface. the process of static NAT will only work in a single direction.
In my tests, I did have an inside interface set. It *does* translate to source 224.0.0.9 coming back from R2, however only following a clearing of the routing table/rip process. After that it will unicast as normal.