RIP summary addresses do not appear to honor split horizon or posion reverse



Article ID: KB11544 KB Last Updated: 19 Jun 2010Version: 3.0
RIP summary address is advertised out the same interface when it learns a particular route from the summarized prefix.

Split Horizon and Poison Reverse do not seem to work properly when it comes to RIP summary routes.   See below for an explanation.


Let's say is advertised via RIPv2 from FW-A to FW-B.  It arrives on FW-B's e1/1 interface.  FW-B has a RIP summary route for and this is configured to be advertised out e1/1 as well.  So, due to split horizon and poison reverse, you would think that this summary route would be "poisoned" and would not be sent out e1/1 due to the fact that FW-B is learning a subset of this summary route, from FW-A.  This is not the case however as FW-B advertises the summary route to FW-A.

Debug output from FW-B :

## 2008-04-27 01:30:39 : rip: [rx] RIP packet on interface ethernet1/1, vr (trust-vr)
## 2008-04-27 01:30:39 : rip: update on ifp ethernet1/1 from, RIP port 520
## 2008-04-27 01:30:39 : rip: [rx], nhop, metric 16, tag 0
## 2008-04-27 01:30:39 : rip: update ignored
## 2008-04-27 01:30:39 : rip: [rx], nhop, metric 2, tag 0
## 2008-04-27 01:30:39 : rip: resetting timer for existing route
## 2008-04-27 01:30:59 : rip: send timer-driven update on ethernet1/1
## 2008-04-27 01:30:59 : rip: [tx] nhop met 2 tag 0
## 2008-04-27 01:30:59 : rip: [tx] number of routes: 1
## 2008-04-27 01:30:59 : rip: [tx] pkt dest, len 24, ifp ethernet1/1
## 2008-04-27 01:31:07 : rip: received packet> on interface ethernet1/1, len 44 "

This behavior is by design and is not a bug.  Because the summary route is configured on the firewall, FW-B in the above example, and because it differs from what is learned from FW-A, i.e., the summary route should be advertised as normal.  In this scenario, split horizon and poison reverse do not apply. 
