Friday, December 16, 2011

Route Filtering RIP Access-list Distribute Lists Prefix Lists + Lab

Ok, we have a few options when it comes to filtering particular RIP updates, in either the
sending or the receiving direction.
We have the distribute list
        - these can be used with
               standard access-list
               extended access-list
               prefix list
In general prefix lists are the preference, as they can match on subnet mask as well as
network. Access-lists are typically used for data-plane traffic while prefix lists are
for route filtering.
Extended access-lists can be useful if you want to filter routes from a particular
source, but this can also be done in a prefix list. In general, if you have a choice,
prefix lists are the newer technology, with access-lists being legacy for route update
filtering.

Prefix Lists
-------------
These match on mask and network, which makes them more flexible and the preferred method for route filtering. Typically prefix lists are used for routing update filtering and access-lists are used for filtering data-plane traffic. Although an access-list can also be used for route filtering, it is the less used method as it cannot filter on mask.

Like access-lists, prefix lists have an implicit deny at the end. A common mistake is that you go to filter one route, define your prefix list and forget to add a permit for everything else as the last statement.

Example of a prefix list:

ip prefix-list ABC permit 10.0.0.0/24
This will match exactly 10.0.0.0/24, as it is matching on both network and mask.
It will not match
10.1.0.0/24 or 10.0.0.0/25
There are additional options for matching on the length of the subnet mask:
ip prefix-list ABC permit 10.0.0.0/24 le 32
This means match within 10.0.0.0/24 with any mask from /24 up to (less than or equal to) /32.
You can also do greater than or equal to:
10.0.0.0/24 ge 26
So this means match within 10.0.0.0/24 with a mask greater than or equal to 26, so that is /26 /27
/28 /29 /30 /31 /32.
You can use both in conjunction (ge is given before le):
10.0.0.0/24 ge 26 le 28    so this will match /26 /27 /28 within 10.0.0.0/24 only
When using ge/le, if you match 0.0.0.0/0 le 32 it does not match the default route only:
it matches 0 bits of the first octet, 0 of the second, 0 of the 3rd, 0 of the 4th and 0
of the mask, so effectively it means everything.
                     begins with in binary
So a class A address   0xxx
   a class B address   10xx
     class C address   110x
     class D address   1110
     class E address   1111
So if you wanted to match all class A addresses with the correct major (classful) mask:
ip prefix-list ABC permit 0.0.0.0/1 ge 8 le 8
So this means match the first bit to be 0; if the first bit is 0 it matches, and if the
mask is ge 8 le 8 (exactly /8) it matches.
Class B:
ip prefix-list ABC permit 128.0.0.0/2 ge 16 le 16

If you do not use ge/le at all,
ip prefix-list ABC permit 0.0.0.0/0 means just the default route.
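To make the match rules above concrete, here is a small Python evaluator for IOS-style prefix-list entries, added as an example and not part of the original post. The EOGHAN lists and the received routes are copied from the lab below; the ABC and ONLY_DENY lists are constructed here (ONLY_DENY shows the implicit deny when the permit-everything-else line is forgotten). It also goes one step beyond the text: a ge/le entry matches any sub-prefix inside the network, not only the one starting at the network address.

```python
import ipaddress
import re

# One entry: ip prefix-list NAME [seq N] permit|deny A.B.C.D/L [ge G] [le E]
ENTRY_RE = re.compile(
    r"^ip prefix-list (\S+) (?:seq \d+ )?(permit|deny) (\S+/\d+)(?: ge (\d+))?(?: le (\d+))?$")

# EOGHAN* lines are the lab's config; ABC is the class A example; ONLY_DENY is constructed.
LAB_CONFIG = """
ip prefix-list EOGHAN deny 192.168.0.0/24
ip prefix-list EOGHAN permit 0.0.0.0/0 le 32
ip prefix-list EOGHAN2 deny 192.168.0.0/24 le 25
ip prefix-list EOGHAN2 permit 0.0.0.0/0 le 32
ip prefix-list EOGHAN3 deny 192.168.0.0/24 ge 26
ip prefix-list EOGHAN3 permit 0.0.0.0/0 le 32
ip prefix-list ABC permit 0.0.0.0/1 ge 8 le 8
ip prefix-list ONLY_DENY deny 192.168.0.0/24
"""
# Routes sw1 learns before any filter is applied (from the sh ip route rip output below).
RECEIVED = ["172.11.11.0/24", "172.12.12.0/24",
            "192.168.0.0/26", "192.168.0.0/25", "192.168.0.0/24"]

def parse_prefix_lists(config):
    """Group entries by list name, keeping configured order (first match wins)."""
    lists = {}
    for line in config.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            name, action, net, ge, le = m.groups()
            lists.setdefault(name, []).append((action, ipaddress.ip_network(net, strict=False),
                                               int(ge) if ge else None, int(le) if le else None))
    return lists

def entry_matches(entry, candidate):
    """Network bits must agree for the entry's length; mask length must fall in the ge/le window."""
    _, network, ge, le = entry
    if candidate.prefixlen < network.prefixlen or candidate.network_address not in network:
        return False
    lo = ge if ge is not None else network.prefixlen  # no ge: window starts at the entry's length
    hi = le if le is not None else (32 if ge is not None else network.prefixlen)  # no le: /32 with ge, else exact
    return lo <= candidate.prefixlen <= hi

def evaluate(entries, prefix):
    """Return 'permit' or 'deny' for one route; anything unmatched hits the implicit deny."""
    candidate = ipaddress.ip_network(prefix, strict=False)
    for entry in entries:
        if entry_matches(entry, candidate):
            return entry[0]
    return "deny"

def apply_inbound_filter(entries, routes):
    """Routes that 'distribute-list prefix NAME in' would leave in the RIP table."""
    return [r for r in routes if evaluate(entries, r) == "permit"]
```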

You can use an access-list to filter on neighbor. So if you are receiving routes from a
source that you do not wish to receive from, with an extended access-list you can filter on the
source of the route.
To get the correct source do not look at the IP next hop; rather look at the "from"
field in
sh ip route "route"

You can also filter based on source using the gateway option in a prefix list.


We also have the option of filtering via the offset list, which was already covered; this sets routes to hop count 16 in order to make them invalid.

We can also filter with the distance command, giving routes a distance of 255, which is unreachable and so not installed in the routing table.

access-list 1 permit 192.168.1.10

router rip
distance 255 155.10.0.2 0.0.0.0 1

So the distance command is saying: set the distance to 255 for routes sent by 155.10.0.2 (the 0.0.0.0 wildcard matches that one source) that match access-list 1.


LAB
----
For the lab I will filter a few routes: 192.168.0.0/24, 192.168.0.0/25 and 192.168.0.0/26.
r2 will generate 192.168.0.0/24; it will be lo0.
r4 will generate 192.168.0.0/25; it will be lo0.
sw2 will generate 192.168.0.0/26; it will be lo0.
These will be filtered on sw1.
So firstly I set up everything running RIP version 2, no auto-summary.




Sw1
----

Ok so I have set up RIP and advertised the above subnets.
The output on switch 1 is as follows:
switch1#sh ip route rip
     172.11.0.0/24 is subnetted, 1 subnets
R       172.11.11.0 [120/1] via 192.168.1.1, 00:00:11, Port-channel2
     172.12.0.0/24 is subnetted, 1 subnets
R       172.12.12.0 [120/1] via 192.168.1.1, 00:00:11, Port-channel2
     192.168.0.0/24 is variably subnetted, 3 subnets, 3 masks
R       192.168.0.0/26 [120/1] via 192.168.1.1, 00:00:11, Port-channel2
R       192.168.0.0/25 [120/2] via 192.168.1.1, 00:00:11, Port-channel2
R       192.168.0.0/24 [120/2] via 192.168.1.1, 00:00:11, Port-channel2
switch1#

So we are learning 192.168.0.0 with different masks. I will start by filtering the /24
with a prefix list.

Ok so I define my deny for 192.168.0.0/24 and I permit everything else:
switch1(config)#ip prefix-list EOGHAN deny 192.168.0.0/24
switch1(config)#ip prefix-list EOGHAN permit 0.0.0.0/0 le 32
Now I need to apply it to the RIP process. As I am filtering updates coming in, it is
the in direction:
switch1(config-router)#distribute-list EOGHAN in
I will just do clear ip route * rather than waiting for the RIP update timers; this will
flush the routing table, forcing the routes to be relearnt.
It did not work. I made the same mistake as I did earlier: the distribute-list
EOGHAN in command referenced an access list called EOGHAN (a blank access list), so nothing
was filtered.
I did a
switch1(config-router)#no distribute-list EOGHAN in
switch1(config-router)#distribute-list prefix EOGHAN in

Ok, I am no longer learning 192.168.0.0/24.

switch1#clear ip route *
switch1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
     172.11.0.0/24 is subnetted, 1 subnets
R       172.11.11.0 [120/1] via 192.168.1.1, 00:00:02, Port-channel2
     172.12.0.0/24 is subnetted, 1 subnets
R       172.12.12.0 [120/1] via 192.168.1.1, 00:00:02, Port-channel2
     192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
R       192.168.0.0/26 [120/1] via 192.168.1.1, 00:00:02, Port-channel2
R       192.168.0.0/25 [120/2] via 192.168.1.1, 00:00:02, Port-channel2
C    192.168.1.0/24 is directly connected, Port-channe
Ok so we will broaden it out; I want to remove the routes
192.168.0.0/24 and /25.

switch1(config)#ip prefix-list EOGHAN2 deny 192.168.0.0/24 le 25
switch1(config)#ip prefix-list EOGHAN2 permit 0.0.0.0/0 le 32
switch1(config)#router rip
switch1(config-router)#no distribute-list EOGHAN in
switch1(config-router)#no distribute-list prefix EOGHAN in
switch1(config-router)#distribute-list prefix EOGHAN2 in

Ok now I will deny the /26 with ge and le in conjunction.

switch1(config)#ip prefix-list EOGHAN3 deny 192.168.0.0/24 ge 26
switch1(config)#ip prefix-list EOGHAN3 permit 0.0.0.0/0 le 32
switch1(config)#
switch1(config)#router rip
switch1(config-router)#no distribute-list prefix EOGHAN2 in
switch1(config-router)#distribute-list prefix EOGHAN3 in

switch1#clear ip route *
switch1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
     172.11.0.0/24 is subnetted, 1 subnets
R       172.11.11.0 [120/1] via 192.168.1.1, 00:00:05, Port-channel2
     172.12.0.0/24 is subnetted, 1 subnets
R       172.12.12.0 [120/1] via 192.168.1.1, 00:00:05, Port-channel2
     192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
R       192.168.0.0/25 [120/2] via 192.168.1.1, 00:00:05, Port-channel2
R       192.168.0.0/24 [120/2] via 192.168.1.1, 00:00:05, Port-channel2
C    192.168.1.0/24 is dir

Ok, for the next portion of the lab I will move onto sw2, which is getting updates from both r2 and r4. I will filter all updates from r4 using an extended access list and
then I will do it using the gateway option.

sw2
----
switch2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     1.0.0.0/24 is subnetted, 1 subnets
R       1.1.1.0 [120/1] via 192.168.1.2, 00:00:13, Port-channel2
     172.11.0.0/24 is subnetted, 1 subnets
C       172.11.11.0 is directly connected, FastEthernet0/4
     172.12.0.0/24 is subnetted, 1 subnets
C       172.12.12.0 is directly connected, FastEthernet0/2
     192.168.0.0/24 is variably subnetted, 3 subnets, 3 masks
C       192.168.0.0/26 is directly connected, Loopback0
R       192.168.0.0/25 [120/1] via 172.11.11.4, 00:00:14, FastEthernet0/4
R       192.168.0.0/24 [120/1] via 172.12.12.32, 00:00:09, FastEthernet0/2
C    192.168.1.0/24 is directly connected, Port-channel2
switch2#sh ip route 192.168.0.0 255.255.255.128
Routing entry for 192.168.0.0/25
  Known via "rip", distance 120, metric 1
  Redistributing via rip
  Last update from 172.11.11.4 on FastEthernet0/4, 00:00:17 ago
  Routing Descriptor Blocks:
  * 172.11.11.4, from 172.11.11.4, 00:00:17 ago, via FastEthernet0/4
      Route metric is 1, traffic share count is 1
From the RIP process I am learning from 172.11.11.4 on r4; the source address is from the lo, 172.11.11.4.
switch2(config)#access-list 101 deny ip 172.11.11.4 0.0.0.0 any
switch2(config)#access-list 101 permit ip any any
switch2(config-router)#distribute-list 101 in
I am no longer learning RIP routes from r4.

switch2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     1.0.0.0/24 is subnetted, 1 subnets
R       1.1.1.0 [120/1] via 192.168.1.2, 00:00:02, Port-channel2
     172.11.0.0/24 is subnetted, 1 subnets
C       172.11.11.0 is directly connected, FastEthernet0/4
     172.12.0.0/24 is subnetted, 1 subnets
C       172.12.12.0 is directly connected, FastEthernet0/2
     192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.0.0/26 is directly connected, Loopback0
R       192.168.0.0/24 [120/1] via 172.12.12.32, 00:00:02, FastEthernet0/2
C    192.168.1.0/24 is directly connected, Port-channel2
switch2#

Ok, now I took off the distribute list 101.
Now I will do the same with a prefix list using the gateway option.

First you define the source of the route:
switch2(config)#ip prefix-list EOGHAN2 deny 172.11.11.4/32

Then apply it with the gateway keyword:

switch2#sh run | begin router rip
router rip
 version 2
 network 1.0.0.0
 network 172.11.0.0
 network 172.12.0.0
 network 172.25.0.0
 network 192.168.0.0
 network 192.168.1.0
 distribute-list gateway EOGHAN2 in FastEthernet0/4
 no auto-summary
!

We are now not learning RIP updates from 172.11.11.4.

switch2#sh ip route rip
     1.0.0.0/24 is subnetted, 1 subnets
R       1.1.1.0 [120/1] via 192.168.1.2, 00:00:12, Port-channel2
     192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
R       192.168.0.0/24 [120/1] via 172.12.12.32, 00:00:01, FastEthernet0/2
switch2#
