Screen OS

  • 1.  Configure RIP route-map with access-lists

    Posted 05-04-2009 03:33

    Hi,

     

    I have to configure an SSG, and I am having some trouble with RIP (I am a real newbie concerning RIP on the SSG). Here is what I have to do:

     - I have two physical interfaces. Each one is in one zone. e0 is in the trust zone and e1 is in the untrust zone.

     - Concerning e1, I have two subinterfaces that are tagged: e1.10 and e1.15.  

     - I have to do source NAT with IP addresses that are not the ones of the egress interfaces (for example, I have to use the subnet 10.1.1.0/24 as a source NAT subnet, while my egress interface uses the subnet 192.168.1.0/24). For that point, no problem: I use a loopback on each interface, and I define the subnet I use for NAT on the loopback interface.

     - I need to configure RIP on the SSG, but with access-lists. For example, I can learn the networks N1, N2, N3 and N4 from e0, N5, N6 and N7 from e1.10, and N8 and N9 from e1.15.

    Concerning e0, I only want to learn N1, N2 and N3. I also want to redistribute N5, N7, and N8 (not N9), and the subnet of my loopback interface used for the source NAT (N10).

    Concerning e1.10, I only want to redistribute N1, N2 and the subnet of my loopback interface used for the source NAT (N11).

    Concerning e1.15, I only want to redistribute N1, N3, and the subnet of my loopback interface used for the source NAT (N11).

    I already know how to create the access-lists. My problem is :

     - On which interfaces should I activate RIP (are loopbacks concerned?)?

     - How should I configure my route-maps? I know that there are some incoming and outgoing filters, but I am not sure how to use them. I do not know what must be selected in my route-maps (ACL and interfaces, ACL or interfaces, etc.). But I think I should create several ones.

     

    If someone is the king of RIP on SSG, I would really appreciate any help. I have already read all the chapters of the complete books concerning routing, but there is no information about how to do what I need. :(

     

    jr94

      



  • 2.  RE: Configure RIP route-map with access-lists

    Posted 05-07-2009 20:07

    Hi,

     

    I've quickly run this up in the lab, and it is fairly straightforward. You need to enable RIP in the VR, then on the interfaces. You need to define the ACLs and route-maps in the VR, then apply them to the interfaces for RIP outbound. Routes received at the neighboring devices are only those permitted through the respective route-map.

     

    My setup was as follows, using loopback interfaces for all the remote subnets..

     

     

                               11.11.11.0                      5.5.5.0
                                   |                         / 6.6.6.0
      1.1.1.0                      |     /-- 10.2.2.0 ---[R2]  7.7.7.0
      2.2.2.0  [R1]-- 10.1.1.0 --[SSG]--+
      3.3.3.0                      |     \-- 10.3.3.0 ---[R3]
      4.4.4.0                      |                         \ 8.8.8.0
                               10.10.10.0                      9.9.9.0


     

    The config of the SSG was as below. Before adding the route-maps, all routes were visible from all devices. After the route-maps, only the specified routes are seen.

     

    Note: you need to enable RIP on the loopbacks as well, else they will not be included in outgoing advertisements.

     

     

    set vrouter "trust-vr"
    set protocol rip
    set enable
    exit
    exit

     

    set interface "ethernet0/4" zone "Trust"
    set interface "ethernet0/5" zone "Untrust"
    set interface "ethernet0/6" zone "Untrust"
    set interface "loopback.9" zone "Trust"
    set interface "loopback.10" zone "Untrust"

     

    set interface ethernet0/4 ip 10.1.1.1/24
    set interface ethernet0/5 ip 10.2.2.1/24
    set interface ethernet0/6 ip 10.3.3.1/24
    set interface loopback.9  ip 11.11.11.11/24
    set interface loopback.10 ip 10.10.10.10/24

     

    set vrouter "trust-vr"
    set access-list 1
    set access-list 1 permit ip 5.5.5.0/24 1
    set access-list 1 permit ip 7.7.7.0/24 2
    set access-list 1 permit ip 8.8.8.0/24 3
    set access-list 1 permit ip 10.10.10.0/24 4

    set access-list 2
    set access-list 2 permit ip 1.1.1.0/24 1
    set access-list 2 permit ip 2.2.2.0/24 2
    set access-list 2 permit ip 11.11.11.0/24 3

    set access-list 3
    set access-list 3 permit ip 1.1.1.0/24 1
    set access-list 3 permit ip 3.3.3.0/24 2
    set access-list 3 permit ip 11.11.11.0/24 3

     

    set route-map name "map1" permit 1
    set match ip 1
    exit

    set route-map name "map2" permit 1
    set match ip 2
    exit

    set route-map name "map3" permit 1
    set match ip 3
    exit

    exit

     

    set interface ethernet0/4 protocol rip
    set interface ethernet0/4 protocol rip enable
    set interface ethernet0/4 protocol rip route-map "map1" out

    set interface loopback.9  protocol rip
    set interface loopback.9  protocol rip enable

    set interface loopback.10 protocol rip
    set interface loopback.10 protocol rip enable

    set interface ethernet0/6 protocol rip
    set interface ethernet0/6 protocol rip enable
    set interface ethernet0/6 protocol rip route-map "map3" out

    set interface ethernet0/5 protocol rip
    set interface ethernet0/5 protocol rip enable
    set interface ethernet0/5 protocol rip route-map "map2" out

     

     

    If it's not working, check that all interfaces are enabled with "get vr trust protocol rip" output.

    You can also verify what is being sent with "debug rip transmit" (and 'get db stream' to see the output).

     

     

    Hope this helps.

    Rodney.



  • 3.  RE: Configure RIP route-map with access-lists

    Posted 05-08-2009 00:49

    Hi,

     

    Many thanks for your reply. As I had not received any answers, I also made some tests yesterday, and I found exactly the same things. Just one more question. What is the purpose of selecting one or more interfaces in the route-map, given that we can already define the route-map on the incoming and on the outgoing interface?

    I think that this "how to" could be very helpful.

     

    jr94



  • 4.  RE: Configure RIP route-map with access-lists

    Posted 05-08-2009 08:44

    The idea is to have control of what you advertise on each interface using "out" in the route map. "in" will determine what you will install in the routing table.



  • 5.  RE: Configure RIP route-map with access-lists

    Posted 05-09-2009 06:21

    Hi jr94, I have a question about the loopback interface. Why did you use the loopback interface to do the source NAT? I ask because I used the DIP in the interface menu and then used the option "In the same subnet as the extended IP" to do the source NAT.

     

    What is the difference? If you can explain it to me, I would be grateful.

     

     Thank you

     

    Pazzeo 

    Message Edited by Pazzeo on 05-09-2009 06:21 AM


  • 6.  RE: Configure RIP route-map with access-lists

    Posted 05-10-2009 09:49

    Hello,

     

    I need to use the loopback interface because I use some MIP for static source NAT (you create a loopback on the egress interface, and then you can create your MIP.).

    Concerning DIP, there is no problem using an extended IP. If you do not have to use a MIP, do not set a loopback interface and do what you have done (it can work with a loopback, but there is no reason to have a more complicated configuration).

    But if you have to do one-to-one source NAT, I believe that it is easier to use a MIP than a DIP, because with a MIP you do not have to define NAT in the policy rules.

     

    jr94  



  • 7.  RE: Configure RIP route-map with access-lists

    Posted 05-10-2009 09:56

    Hi Cesar,

     

    I know what the purpose of setting the incoming and outgoing route-map on an interface is. But what I do not exactly understand is the difference between that and defining a route-map with access-lists and interfaces selected and mapped to trust-vr. Is it exactly the same behaviour, or are there some differences?

     

    jr94 



  • 8.  RE: Configure RIP route-map with access-lists
    Best Answer

    Posted 05-10-2009 17:03

    Hi jr94,

     

    I assume you are referring to the 'interface' option as part of the route-map match criteria. As with all the match criteria, this option adds to the filter of which routes are selected.

     

    Multiple 'match' statements are an AND condition, and multiple values within a match statement are an OR condition. We have already added an ACL match statement, which means the routes need to be included in the ACL, adding an interface match criteria means the routes ALSO need to point out that interface.

     

    Looking at the example already shown in this thread (above), I'll focus on the SSG and the routes sent out interface e0/4 (to R1).

     

    With no filtering, we would send routes 2, 3, 5, 6, 7, 8, 9, 10 & 11.

    After applying our route-map, we have restricted this to only routes 5, 7, 8 & 10 (these match against ACL 1).

    If we add an 'interface' setting to the match criteria, to say, e0/5 (R2) interface, then only routes pointing out e0/5 will be advertised.

    Routes 5 & 7 are the only routes which match ACL 1 and match interface e0/5.

     

    This is how I changed the route-map..

     

    set route-map name "map1" permit 1
    set match interface ethernet0/5
    set match ip 1
    exit

     

    Here is "debug rip recv" output for routes received at R1.

     

    Before modifying filter..

     

    ## 2009-05-08 12:35:16 : rip: update on ifp ethernet4 from 10.1.1.1, RIP port 520
    ## 2009-05-08 12:35:16 : rip: [rx] 10.10.10.0/24, nhop 10.1.1.1, metric 2, tag 0.0.0.0
    ## 2009-05-08 12:35:16 : rip: resetting timer for existing route
    ## 2009-05-08 12:35:16 : rip: [rx] 5.5.5.0/24, nhop 10.1.1.1, metric 3, tag 0.0.0.0
    ## 2009-05-08 12:35:16 : rip: resetting timer for existing route
    ## 2009-05-08 12:35:16 : rip: [rx] 7.7.7.0/24, nhop 10.1.1.1, metric 3, tag 0.0.0.0
    ## 2009-05-08 12:35:16 : rip: resetting timer for existing route
    ## 2009-05-08 12:35:16 : rip: [rx] 8.8.8.0/24, nhop 10.1.1.1, metric 3, tag 0.0.0.0
    ## 2009-05-08 12:35:16 : rip: resetting timer for existing route

     

    After modifying filter..

     

    ## 2009-05-11 09:48:56 : rip: [rx] RIP packet on interface ethernet4, vr (trust-vr)
    ## 2009-05-11 09:48:56 : rip: update on ifp ethernet4 from 10.1.1.1, RIP port 520
    ## 2009-05-11 09:48:56 : rip: [rx] 5.5.5.0/24, nhop 10.1.1.1, metric 3, tag 0.0.0.0
    ## 2009-05-11 09:48:56 : rip: resetting timer for existing route
    ## 2009-05-11 09:48:56 : rip: [rx] 7.7.7.0/24, nhop 10.1.1.1, metric 3, tag 0.0.0.0
    ## 2009-05-11 09:48:56 : rip: resetting timer for existing route

     

     

    I also added the loopback.10 interface, and routes 5, 7 & 10 were all received.

     

    I hope this clears it up for you.

     

     

    Rodney.
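As an added illustration (not part of the thread and not ScreenOS code), the following Python model reproduces the match semantics Rodney describes in the accepted answer (several match statements AND together, several values inside one match statement OR together), runs them over the lab topology, ACLs and route-maps posted earlier in the thread, and parses the quoted "debug rip recv" lines to confirm that the prefixes R1 actually received are the ones the model predicts. It also applies the same filter in the "in" direction that Cesar mentions, using a constructed inbound map for e0/4 built from ACL 2 to show how an inbound map stops a neighbor from injecting a prefix such as the NAT pool 10.10.10.0/24. The exact-prefix ACL match, the implicit deny when no route-map entry matches, and the treatment of the interface criterion for received routes are modelling assumptions, marked as such in the code.

```python
"""Model of ScreenOS RIP route-map filtering (added illustration, not
ScreenOS code).  Topology, ACLs and route-maps are the ones posted in
the thread; rules marked 'assumption' are modelling choices."""
import ipaddress
import re

# SSG routing table reconstructed from the lab diagram: prefix -> egress interface.
SSG_RIB = {
    "1.1.1.0/24": "ethernet0/4", "2.2.2.0/24": "ethernet0/4",
    "3.3.3.0/24": "ethernet0/4", "4.4.4.0/24": "ethernet0/4",
    "10.1.1.0/24": "ethernet0/4",
    "10.2.2.0/24": "ethernet0/5", "5.5.5.0/24": "ethernet0/5",
    "6.6.6.0/24": "ethernet0/5", "7.7.7.0/24": "ethernet0/5",
    "10.3.3.0/24": "ethernet0/6", "8.8.8.0/24": "ethernet0/6",
    "9.9.9.0/24": "ethernet0/6",
    "11.11.11.0/24": "loopback.9", "10.10.10.0/24": "loopback.10",
}

# 'set access-list N permit ip <prefix> <seq>' from the posted config.
ACL = {
    1: ["5.5.5.0/24", "7.7.7.0/24", "8.8.8.0/24", "10.10.10.0/24"],
    2: ["1.1.1.0/24", "2.2.2.0/24", "11.11.11.0/24"],
    3: ["1.1.1.0/24", "3.3.3.0/24", "11.11.11.0/24"],
}

# Route-maps as ordered entries: {"action": permit|deny, "match": {criterion: [values]}}.
MAP1 = [{"action": "permit", "match": {"ip": [1]}}]                       # as posted
MAP2 = [{"action": "permit", "match": {"ip": [2]}}]
MAP3 = [{"action": "permit", "match": {"ip": [3]}}]
MAP1_E05 = [{"action": "permit", "match": {"ip": [1], "interface": ["ethernet0/5"]}}]
MAP1_E05_LO10 = [{"action": "permit",
                  "match": {"ip": [1], "interface": ["ethernet0/5", "loopback.10"]}}]
MAP_IN_E04 = [{"action": "permit", "match": {"ip": [2]}}]                 # constructed 'in' map


def acl_permits(acl_id, prefix):
    """Assumption: an access-list entry matches a route on the exact prefix only."""
    net = ipaddress.ip_network(prefix)
    return any(ipaddress.ip_network(entry) == net for entry in ACL[acl_id])


def route_map_permits(route_map, prefix, interface):
    """First entry whose criteria all hold decides (criteria are ANDed, values
    inside one criterion are ORed).  Assumption: no matching entry means deny."""
    for entry in route_map:
        crit = entry["match"]
        ip_ok = "ip" not in crit or any(acl_permits(a, prefix) for a in crit["ip"])
        if_ok = "interface" not in crit or interface in crit["interface"]
        if ip_ok and if_ok:
            return entry["action"] == "permit"
    return False


def rip_advertise(rib, out_if, route_map=None):
    """Prefixes sent out 'out_if': split horizon drops routes that already point
    out that interface, then the 'out' route-map filters the remainder."""
    return {prefix for prefix, egress in rib.items()
            if egress != out_if
            and (route_map is None or route_map_permits(route_map, prefix, egress))}


def rip_accept(updates, in_if, route_map):
    """Prefixes an 'in' route-map lets into the routing table.  Assumption: for a
    received route the interface criterion is the interface it arrived on."""
    return {p for p in updates if route_map_permits(route_map, p, in_if)}


# Parser for the 'debug rip recv' lines quoted in the thread (R1 side).
RX_LINE = re.compile(r"rip: \[rx\] (\d+\.\d+\.\d+\.\d+/\d+), nhop (\S+), metric (\d+)")


def parse_rip_rx(debug_text):
    """Map each received prefix to (next hop, metric).  The 'RIP packet on
    interface' line carries no prefix, so the regex skips it."""
    return {m.group(1): (m.group(2), int(m.group(3)))
            for m in RX_LINE.finditer(debug_text)}


DEBUG_BEFORE = """\
## 2009-05-08 12:35:16 : rip: update on ifp ethernet4 from 10.1.1.1, RIP port 520
## 2009-05-08 12:35:16 : rip: [rx] 10.10.10.0/24, nhop 10.1.1.1, metric 2, tag 0.0.0.0
## 2009-05-08 12:35:16 : rip: [rx] 5.5.5.0/24, nhop 10.1.1.1, metric 3, tag 0.0.0.0
## 2009-05-08 12:35:16 : rip: [rx] 7.7.7.0/24, nhop 10.1.1.1, metric 3, tag 0.0.0.0
## 2009-05-08 12:35:16 : rip: [rx] 8.8.8.0/24, nhop 10.1.1.1, metric 3, tag 0.0.0.0
"""
DEBUG_AFTER = """\
## 2009-05-11 09:48:56 : rip: [rx] RIP packet on interface ethernet4, vr (trust-vr)
## 2009-05-11 09:48:56 : rip: update on ifp ethernet4 from 10.1.1.1, RIP port 520
## 2009-05-11 09:48:56 : rip: [rx] 5.5.5.0/24, nhop 10.1.1.1, metric 3, tag 0.0.0.0
## 2009-05-11 09:48:56 : rip: [rx] 7.7.7.0/24, nhop 10.1.1.1, metric 3, tag 0.0.0.0
"""

if __name__ == "__main__":
    for name, rm in [("no map", None), ("map1", MAP1), ("map1 + e0/5", MAP1_E05),
                     ("map1 + e0/5 + lo10", MAP1_E05_LO10)]:
        print(f"{name:20s} out e0/4 -> {sorted(rip_advertise(SSG_RIB, 'ethernet0/4', rm))}")
    print("R1 saw before:", sorted(parse_rip_rx(DEBUG_BEFORE)))
    print("R1 saw after: ", sorted(parse_rip_rx(DEBUG_AFTER)))
    # Constructed inbound case: R1 also tries to push the SSG's NAT pool prefix.
    print("installed from R1:", sorted(rip_accept(
        ["1.1.1.0/24", "2.2.2.0/24", "3.3.3.0/24", "10.10.10.0/24"], "ethernet0/4", MAP_IN_E04)))
```

Running it prints the same progression Rodney observed on R1 (all nine non-split-horizon routes with no map, then 5/7/8/10 with map1, then 5/7 once e0/5 is added to the match, then 5/7/10 once loopback.10 is added too), and the inbound case shows why an "in" map on the interface facing a less trusted neighbour belongs in the same design: without it, a neighbour advertising 10.10.10.0/24 would compete with the SSG's own loopback for the NAT pool prefix.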

     



  • 9.  RE: Configure RIP route-map with access-lists

    Posted 05-11-2009 12:25

    Hello,

     

    Many thanks for your help. I better understand how it works now. 

     

    jr94 

     

    The new king of RIP 🙂