OK, we have a few options when it comes to filtering particular RIP updates or networks
from being sent or received.
We have the distribute list
- these can be used with:
standard access-list
extended access-list
prefix list
In general prefix lists are the preference, as they can match on the subnet mask as well as
the network. Access-lists are typically used for dataplane traffic while prefix lists are
for route filtering.
An extended access-list can be useful if you want to filter routes from a particular
source, but this can also be done with a prefix list. In general, if you have a choice,
prefix lists are the newer technology, with access lists being the legacy method for route
update filtering.
Prefix Lists
-------------
These match on mask and network, which makes them more flexible and the preferred method for route filtering. Typically prefix lists are used for routing update filtering and access-lists are used for filtering dataplane traffic. Although an access list can also be used for route filtering, it is the less used method as it cannot filter on the mask.
Like access-lists, prefix lists have an implicit deny at the end. A common mistake is that you go to filter one route, define your prefix list and forget to add a permit for everything else as the last statement.
Example of a prefix list:
ip prefix-list ABC permit 10.0.0.0/24
This will match exactly 10.0.0.0/24, as it is matching on both network and mask.
It will not match
10.1.0.0/24 or 10.0.0.0/25
There are additional options for matching the length of the subnet mask:
ip prefix-list ABC permit 10.0.0.0/24 le 32
This means match 10.0.0.0 with any mask from /24 up to and including /32 (less than or equal to 32).
You can also do greater than or equal to:
10.0.0.0/24 ge 26
This means match 10.0.0.0 with a mask greater than or equal to 26, that is /26, /27,
/28, /29, /30, /31 and /32.
You can use both in conjunction:
10.0.0.0/24 ge 26 le 28 will match only /26, /27 and /28 under 10.0.0.0.
When using ge/le, matching 0.0.0.0/0 does not match the default route only:
it matches 0 bits of the first octet, 0 of the second, 0 of the third, 0 of the fourth and
0 bits of the mask, so it effectively means everything.
Addresses begin with, in binary:
class A address 0xxx
class B address 10xx
class C address 110x
class D address 1110
class E address 1111
So if you wanted to match all class A addresses with their correct major (classful) mask:
ip prefix-list ABC permit 0.0.0.0/1 ge 8 le 8
This means match on the first bit: if the first bit is 0 the network matches, and if the
mask is ge 8 le 8 (exactly /8) the length matches.
Class B:
ip prefix-list ABC permit 128.0.0.0/2 ge 16 le 16
If you do not use ge/le at all,
ip prefix-list 0.0.0.0/0 means just the default route.
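To see these matching rules in action, here is a small Python model of Cisco prefix-list evaluation (an added example, not code from the original post or from Cisco). It parses ip prefix-list lines, applies the network/mask, ge and le rules with the implicit deny, and filters a constructed route list like the one in the lab below; it also shows a point the text only implies: an entry with ge/le matches any prefix whose first N bits agree with the entry, so 10.0.0.0/24 ge 26 matches 10.0.0.64/26 as well as 10.0.0.0/26.

```python
import ipaddress

def parse_prefix_list(config_lines):
    """Parse 'ip prefix-list NAME permit|deny A.B.C.D/len [ge N] [le M]' lines
    into (action, prefix, ge, le) tuples in the order they are evaluated."""
    entries = []
    for line in config_lines:
        tok = line.split()
        action, pfx = tok[3], ipaddress.ip_network(tok[4], strict=False)
        opts = dict(zip(tok[5::2], map(int, tok[6::2])))  # e.g. {'ge': 26, 'le': 28}
        entries.append((action, pfx, opts.get("ge"), opts.get("le")))
    return entries

def entry_matches(pfx, ge, le, route):
    """Cisco semantics: the first pfx.prefixlen bits of the route must equal the
    entry's network. Without ge/le the route length must be exact; with them it
    must lie in [ge or pfx.prefixlen, le or 32]."""
    masked = ipaddress.ip_network(f"{route.network_address}/{pfx.prefixlen}", strict=False)
    if masked != pfx:
        return False
    if ge is None and le is None:
        return route.prefixlen == pfx.prefixlen
    lo = ge if ge is not None else pfx.prefixlen
    hi = le if le is not None else route.max_prefixlen
    return lo <= route.prefixlen <= hi

def prefix_list_action(entries, route):
    """First matching entry wins; a route matching nothing hits the implicit deny."""
    r = ipaddress.ip_network(route, strict=False)
    for action, pfx, ge, le in entries:
        if entry_matches(pfx, ge, le, r):
            return action
    return "deny"

def filter_routes(config_lines, routes):
    """Routes a 'distribute-list prefix NAME in' would let into the RIP table."""
    entries = parse_prefix_list(config_lines)
    return [r for r in routes if prefix_list_action(entries, r) == "permit"]

# Constructed sample: the 192.168.0.0 routes sw1 learns in the lab, plus one
# unrelated route, and a copy of the lab's EOGHAN3 list (deny /26 and longer).
LAB_ROUTES = ["192.168.0.0/24", "192.168.0.0/25", "192.168.0.0/26", "172.11.11.0/24"]
EOGHAN3 = ["ip prefix-list EOGHAN3 deny 192.168.0.0/24 ge 26",
           "ip prefix-list EOGHAN3 permit 0.0.0.0/0 le 32"]

if __name__ == "__main__":
    for r in LAB_ROUTES:
        print(r, prefix_list_action(parse_prefix_list(EOGHAN3), r))
```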
You can use an access list to filter on neighbour. So if you are receiving routes from a
source that you do not wish to receive from, with an extended access list you can filter on
the source of the route.
To get the correct source do not look at the IP next hop; rather look at the from
field in
sh ip route <route>
You can also filter based on source using the gateway option in a prefix list.
We also have the option of filtering via the offset list, which was already covered: this sets the routes to a hop count of 16 in order to make them invalid.
We can also filter with the distance command, giving routes a distance of 255, which is unreachable and so not installed in the routing table.
access-list 1 permit 192.168.1.10
router rip
distance 255 155.10.0.2 0.0.0.0 1
So the distance command is saying set the distance to 255 for routes sent by 155.10.0.2 and matching access-list 1.
LAB
----
For the lab I will filter a few routes: 192.168.0.0/24, 192.168.0.0/25 and 192.168.0.0/26.
r2 will generate 192.168.0.0/24; it will be lo0
r4 will generate 192.168.0.0/25; it will be lo0
sw2 will generate 192.168.0.0/26; it will be lo0
and these will be filtered on sw1.
So firstly I set up everything running RIP version 2 with no auto-summary.
Sw1
----
OK, so I have set up RIP and advertised the above subnets.
The output on switch 1 is as follows:
switch1#sh ip route rip
172.11.0.0/24 is subnetted, 1 subnets
R 172.11.11.0 [120/1] via 192.168.1.1, 00:00:11, Port-channel2
172.12.0.0/24 is subnetted, 1 subnets
R 172.12.12.0 [120/1] via 192.168.1.1, 00:00:11, Port-channel2
192.168.0.0/24 is variably subnetted, 3 subnets, 3 masks
R 192.168.0.0/26 [120/1] via 192.168.1.1, 00:00:11, Port-channel2
R 192.168.0.0/25 [120/2] via 192.168.1.1, 00:00:11, Port-channel2
R 192.168.0.0/24 [120/2] via 192.168.1.1, 00:00:11, Port-channel2
switch1#
So we are learning 192.168.0 with different masks. I will start by filtering the /24
with a prefix list.
OK, so I define my deny for 192.168.0.0/24 and I permit everything else:
switch1(config)#ip prefix-list EOGHAN deny 192.168.0.0/24
switch1(config)#ip prefix-list EOGHAN permit 0.0.0.0/0 le 32
Now I need to apply it to the RIP process. As I am filtering updates coming in, it is
in the in direction:
switch1(config-router)#distribute-list EOGHAN in
I will just do clear ip route * rather than waiting for the RIP update timers; this will
flush the routing table, forcing the routes to be relearnt.
It did not work. I made the same mistake as I did earlier: the distribute-list
EOGHAN in command references an access list called EOGHAN, which is blank, so nothing
was filtered.
I did a
switch1(config-router)#no distribute-list EOGHAN in
switch1(config-router)#distribute-list prefix EOGHAN in
OK, I am no longer learning 192.168.0.0/24:
switch1#clear ip route *
switch1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, Loopback0
172.11.0.0/24 is subnetted, 1 subnets
R 172.11.11.0 [120/1] via 192.168.1.1, 00:00:02, Port-channel2
172.12.0.0/24 is subnetted, 1 subnets
R 172.12.12.0 [120/1] via 192.168.1.1, 00:00:02, Port-channel2
192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
R 192.168.0.0/26 [120/1] via 192.168.1.1, 00:00:02, Port-channel2
R 192.168.0.0/25 [120/2] via 192.168.1.1, 00:00:02, Port-channel2
C 192.168.1.0/24 is directly connected, Port-channe
OK, so we will broaden it out. I want to remove the routes
192.168.0.0/24 and /25:
switch1(config)#ip prefix-list EOGHAN2 deny 192.168.0.0/24 le 25
switch1(config)#ip prefix-list EOGHAN2 permit 0.0.0.0/0 le 32
switch1(config)#router rip
switch1(config-router)#no distribute-list EOGHAN in
switch1(config-router)#no distribute-list prefix EOGHAN in
switch1(config-router)#distribute-list prefix EOGHAN2 in
OK, now I will deny the /26 using ge (ge and le can also be used in conjunction):
switch1(config)#ip prefix-list EOGHAN3 deny 192.168.0.0/24 ge 26
switch1(config)#ip prefix-list EOGHAN3 permit 0.0.0.0/0 le 32
switch1(config)#
switch1(config)#router rip
switch1(config-router)#no distribute-list prefix EOGHAN2 in
switch1(config-router)#distribute-list prefix EOGHAN3 in
switch1#clear ip route *
switch1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, Loopback0
172.11.0.0/24 is subnetted, 1 subnets
R 172.11.11.0 [120/1] via 192.168.1.1, 00:00:05, Port-channel2
172.12.0.0/24 is subnetted, 1 subnets
R 172.12.12.0 [120/1] via 192.168.1.1, 00:00:05, Port-channel2
192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
R 192.168.0.0/25 [120/2] via 192.168.1.1, 00:00:05, Port-channel2
R 192.168.0.0/24 [120/2] via 192.168.1.1, 00:00:05, Port-channel2
C 192.168.1.0/24 is dir
OK, for the next portion of the lab I will move onto sw2, which is getting updates from both r2 and r4. I will filter all updates from r4 using an extended access list and
then I will do it using the gateway option.
sw2
----
switch2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets
R 1.1.1.0 [120/1] via 192.168.1.2, 00:00:13, Port-channel2
172.11.0.0/24 is subnetted, 1 subnets
C 172.11.11.0 is directly connected, FastEthernet0/4
172.12.0.0/24 is subnetted, 1 subnets
C 172.12.12.0 is directly connected, FastEthernet0/2
192.168.0.0/24 is variably subnetted, 3 subnets, 3 masks
C 192.168.0.0/26 is directly connected, Loopback0
R 192.168.0.0/25 [120/1] via 172.11.11.4, 00:00:14, FastEthernet0/4
R 192.168.0.0/24 [120/1] via 172.12.12.32, 00:00:09, FastEthernet0/2
C 192.168.1.0/24 is directly connected, Port-channel2
switch2#sh ip route 192.168.0.0 255.255.255.128
Routing entry for 192.168.0.0/25
Known via "rip", distance 120, metric 1
Redistributing via rip
Last update from 172.11.11.4 on FastEthernet0/4, 00:00:17 ago
Routing Descriptor Blocks:
* 172.11.11.4, from 172.11.11.4, 00:00:17 ago, via FastEthernet0/4
Route metric is 1, traffic share count is 1
From the RIP process I am learning this from r4; the source address of the update is 172.11.11.4.
switch2(config)#access-list 101 deny ip 172.11.11.4 0.0.0.0 any
switch2(config)#access-list 101 permit ip any any
switch2(config-router)#distribute-list 101 in
I am no longer learning RIP routes from r4:
switch2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets
R 1.1.1.0 [120/1] via 192.168.1.2, 00:00:02, Port-channel2
172.11.0.0/24 is subnetted, 1 subnets
C 172.11.11.0 is directly connected, FastEthernet0/4
172.12.0.0/24 is subnetted, 1 subnets
C 172.12.12.0 is directly connected, FastEthernet0/2
192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.0.0/26 is directly connected, Loopback0
R 192.168.0.0/24 [120/1] via 172.12.12.32, 00:00:02, FastEthernet0/2
C 192.168.1.0/24 is directly connected, Port-channel2
switch2#
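The extended access-list filter above works by wildcard-mask matching the update's source address, which is what a practitioner needs to reason about when an ACL unexpectedly lets routes through. Here is an added Python model (not code from the original post or from Cisco) of how IOS evaluates an extended ACL used as a RIP distribute-list: the source part is matched against the address the update came from, the destination part against the advertised network address, with first match wins and the implicit deny at the end. The sample updates are constructed from the sh ip route output above.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit means 'must match', a 1 bit means 'don't care'
    (the inverse of a subnet mask, so 0.0.0.0 is one host, 255.255.255.255 is any)."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def _addr_spec(tok, i):
    """Read one address/wildcard pair starting at tok[i] ('any', 'host X' or 'X W')."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def parse_acl(lines):
    """Parse 'access-list N permit|deny ip SRC DST' lines into (action, src, dst)."""
    entries = []
    for line in lines:
        tok = line.split()
        src, i = _addr_spec(tok, 4)
        dst, _ = _addr_spec(tok, i)
        entries.append((tok[2], src, dst))
    return entries

def acl_action(entries, update_source, network):
    """As a RIP distribute-list, the ACL source part is matched against the address
    the update came from and the destination part against the advertised network
    address (the mask is not checked). First match wins, then the implicit deny."""
    for action, (sb, sw), (db, dw) in entries:
        if wildcard_match(update_source, sb, sw) and wildcard_match(network, db, dw):
            return action
    return "deny"

def accepted(acl_lines, updates):
    """Return the (source, network) updates the distribute-list lets through."""
    entries = parse_acl(acl_lines)
    return [(s, n) for s, n in updates if acl_action(entries, s, n) == "permit"]

# Constructed sample: the updates sw2 was receiving before ACL 101 was applied,
# as (update source, network) pairs, and a copy of the lab's ACL 101.
UPDATES = [("172.11.11.4", "192.168.0.0"), ("172.12.12.32", "192.168.0.0"),
           ("192.168.1.2", "1.1.1.0")]
ACL_101 = ["access-list 101 deny ip 172.11.11.4 0.0.0.0 any",
           "access-list 101 permit ip any any"]

if __name__ == "__main__":
    print(accepted(ACL_101, UPDATES))
```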
OK, now I took off distribute-list 101.
Now I will do the same with a prefix list using the gateway option.
First you define the source of the route:
switch2(config)#ip prefix-list EOGHAN2 deny 172.11.11.4/32
Then apply it with the gateway keyword:
switch2#sh run | begin router rip
router rip
version 2
network 1.0.0.0
network 172.11.0.0
network 172.12.0.0
network 172.25.0.0
network 192.168.0.0
network 192.168.1.0
distribute-list gateway EOGHAN2 in FastEthernet0/4
no auto-summary
!
We are now not learning RIP updates from 172.11.11.4:
switch2#sh ip route rip
1.0.0.0/24 is subnetted, 1 subnets
R 1.1.1.0 [120/1] via 192.168.1.2, 00:00:12, Port-channel2
192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
R 192.168.0.0/24 [120/1] via 172.12.12.32, 00:00:01, FastEthernet0/2
switch2#