We have a Netscreen firewall in the lab running ScreenOS 5.4.0, which is
interfaces with other firewalls via tunnels and there is dynamic routing
via BGP and RIP involved. I configured an IP Summary of 172.16.0.0/12
on the firewall (within the RIP instance), as it receives several
hundred subnets within 172.16.0.0/12 that I want to summarize to the
remote (branch office) firewalls.
What I found is that if the firewall no longer receives dynamic route
updates for any 172.16.0.0/12 subnet, it will still continue to
advertise 172.16.0.0/12 in its RIP advertisements to the remote
firewalls. As a result, the remote offices still send traffic for a
172.16/12 subnet to the firewall, which ends up black-holing it. Mind
you, the firewall that the IP Summary is on does not have any interfaces
within a 172.16/12 space.
Is this a "feature" or a bug in ScreenOS (I could not find any bug
report for this)? Is there a way to implement summarization on the
firewall so that if it no longer "sees" any advertisements for 172.16/12
subnets, it will no longer send a RIP adv for 172.16.0.0/12?
---john
