Lessons Learned:
Applying routing filters for RIP, both inbound and outbound
Distribute-list
- standard access-list (can only match on the network address, not on the prefix length)
Example: if we have routes for
10.0.0.0/8
10.0.0.0/16
10.0.0.0/24
Technically these are not the same route, but from a standard ACL's perspective we can only match on the address portion, 10.0.0.0, so a single entry "permit 10.0.0.0" matches all three.
You can use a standard ACL for in/out filtering in RIP. This is not a best practice because you cannot do any sort of granular match on the prefix and the length at the same time.
Note: this is normally where a prefix-list would be applied instead.
- extended access-list
- Source is the route source (the neighbor the update came from), destination is the prefix. Note: a prefix list can match both the route and the prefix length (subnet mask); an extended ACL used in an IGP distribute-list cannot match the mask.
Note: prefix lists can sometimes be confusing to configure and understand. The syntax of a prefix list has two separate meanings depending on whether you're matching the route itself or a range of subnet mask lengths (the ge/le keywords).
Prefix-Lists:
If we're matching an actual route, the syntax is pretty straightforward:
Example:
ip prefix-list routelist (permit | deny) 10.0.0.0/24 - the actual route. This means the prefix has to match exactly, both the network and the subnet mask.
Note: this example would NOT match 10.1.0.0/24 or 10.0.0.0/25.
Prefix-list matching a range using the ge or le keyword (greater than or equal / less than or equal)
Example: a prefix list that matches all routes whose mask length is less than or equal to 10:
ip prefix-list lessthan permit 0.0.0.0/0 le 10 (this does not mean the actual route 0.0.0.0/0; the /0 means "check 0 bits of the address", so any address matches, and le 10 restricts the mask to /0 through /10)
Note: the same prefix list without the le (or ge) keyword would then mean exactly the 0.0.0.0/0 prefix, i.e. the default route.
Prefix-list matching all classful networks with the mask of /8
In binary, a Class A is defined as anything whose first octet starts with "0" (0 - 127):
Binary | Range
0XXX   | 0 - 127    Class A
10XX   | 128 - 191  Class B
110X   | 192 - 223  Class C
1110   | 224 - 239  Class D
1111   | 240 - 255  Class E
So if we want to match anything that is a Class "A", we need to look for the most significant bit being a "0".
From a prefix perspective:
ip prefix-list <name> permit 0.0.0.0/1 ge 8 le 8 - this says that the mask length has to be exactly 8. The /1 says look only at the first (most significant) bit, which must be 0 as it is in 0.0.0.0.
If we wanted to match all /16 or Class "B" routes, we could configure a prefix list with the following:
128.0.0.0/2 ge 16 le 16. This would match all Class "B" routes that are using the classful mask (the first two bits must be 10).
Class C would be 192.0.0.0/3 ge 24 le 24 (the first three bits must be 110).
We could also match all Class "B" routes regardless of their mask:
Example:
128.0.0.0/2 le 32 - this works because every prefix will always have a mask that is /32 or below, so le 32 allows any length from /2 up to /32.
Another example:
0.0.0.0/0 ge 32 - this says check 0 bits of the address, and as long as the subnet mask is greater than or equal to 32 (i.e. exactly /32) it matches. This essentially means all host routes.
Note: the key with the prefix-list is that we're using it to match routing information. This is why you would not need a prefix-list entry for the Class "D" or "E" ranges: multicast and reserved space are not carried as unicast routes.
When dealing with routing protocols and trying to match routes, use a prefix list.
When dealing with the data plane and trying to match actual traffic (web traffic, etc.), use an access-list.
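To make the ge/le rules above concrete, here is an added example that is not part of the original post: a small Python evaluator for ip prefix-list entries that applies exactly the rules described (compare only the entry's own prefix-length worth of bits, then check the route's mask length), first match wins, implicit deny at the end. The list contents are the ones from this section; the function and list names are mine.

```python
# Added example (not from the original post): a model of Cisco-style
# "ip prefix-list" matching. It reproduces the rules, it is not IOS code.
import ipaddress


def entry_matches(entry, route):
    """Does one prefix-list entry match a route (an IPv4Network)?

    entry: dict with 'prefix' (IPv4Network) and optional 'ge' / 'le'.
    Rules:
      - only the first N bits of the route are compared with the entry,
        where N is the entry's own prefix length (/0 = compare no bits);
      - without ge/le the route's mask must equal N exactly;
      - with ge and/or le the mask must satisfy ge <= len <= le
        (a missing ge defaults to N, a missing le defaults to 32).
    """
    net = entry["prefix"]
    n = net.prefixlen
    if n > 0:
        mask = (0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF
        if (int(route.network_address) & mask) != (int(net.network_address) & mask):
            return False
    ge, le = entry.get("ge"), entry.get("le")
    if ge is None and le is None:
        return route.prefixlen == n
    lo = ge if ge is not None else n
    hi = le if le is not None else 32
    return lo <= route.prefixlen <= hi


def parse_entry(text):
    """Parse 'permit 0.0.0.0/1 ge 8 le 8' into (action, entry dict)."""
    tokens = text.split()
    action = tokens[0].lower()
    entry = {"prefix": ipaddress.ip_network(tokens[1], strict=False)}
    for i in range(2, len(tokens), 2):
        entry[tokens[i].lower()] = int(tokens[i + 1])
    return action, entry


def evaluate(prefix_list, route):
    """Walk the list in order; first match wins; implicit deny if nothing matches."""
    route = ipaddress.ip_network(route, strict=False)
    for line in prefix_list:
        action, entry = parse_entry(line)
        if entry_matches(entry, route):
            return action == "permit"
    return False


# The lists discussed above (names chosen here).
EXACT_ROUTE = ["permit 10.0.0.0/24"]          # only 10.0.0.0/24 itself
LE_10 = ["permit 0.0.0.0/0 le 10"]            # any address, mask /0 .. /10
DEFAULT_ONLY = ["permit 0.0.0.0/0"]           # same entry without le: default route only
CLASS_A = ["permit 0.0.0.0/1 ge 8 le 8"]      # first bit 0, mask exactly /8
CLASS_B = ["permit 128.0.0.0/2 ge 16 le 16"]  # first bits 10, mask exactly /16
CLASS_C = ["permit 192.0.0.0/3 ge 24 le 24"]  # first bits 110, mask exactly /24
CLASS_B_ANY_MASK = ["permit 128.0.0.0/2 le 32"]
HOST_ROUTES = ["permit 0.0.0.0/0 ge 32"]
NOT_R3 = ["deny 192.168.1.3/32", "permit 0.0.0.0/0 le 32"]

if __name__ == "__main__":
    for name, lst in [("CLASS_A", CLASS_A), ("CLASS_B", CLASS_B), ("HOST_ROUTES", HOST_ROUTES)]:
        for r in ("10.0.0.0/8", "10.0.0.0/16", "172.16.0.0/16", "4.4.4.4/32"):
            print(f"{name:12} {r:16} -> {'permit' if evaluate(lst, r) else 'deny'}")
```

Feed it any prefix and list to check an entry before committing it to a router; the deny-then-permit list at the end is the shape used later in this post for filtering a neighbor's address.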
You can filter out route advertisements with an ACL. Example:
All routers are in the 192.168.1.0/24 space off their Fa0/0 interfaces; each router has a loopback based on the router number, e.g. router 4's loopback IP is 4.4.4.4.
Route table before filter:
R1#sh ip route rip
     2.0.0.0/24 is subnetted, 1 subnets
R       2.2.2.0 [120/1] via 192.168.1.2, 00:00:03, FastEthernet0/0
     3.0.0.0/24 is subnetted, 1 subnets
R       3.3.3.0 [120/1] via 192.168.1.3, 00:00:02, FastEthernet0/0
     4.0.0.0/24 is subnetted, 1 subnets
R       4.4.4.0 [120/1] via 192.168.1.4, 00:00:18, FastEthernet0/0
I'll use a standard ACL to filter the 4.4.4.0/24 prefix out of the routing updates coming into RIP and permit everything else. A standard ACL entry without a wildcard is a host match, and since only the network address is compared, "deny 4.4.4.0" catches 4.4.4.0/24:
access-list 1 deny 4.4.4.0
access-list 1 permit any
Then under the RIP process, I'll apply this as a distribute-list:
R1(config-router)#distribute-list 1 in - Note: this can be applied to a specific interface or, as here with no interface given, globally.
router rip
version 2
network 1.0.0.0
network 192.168.1.0
distribute-list 1 in
no auto-summary
R1#clear ip route *
Route table after filter:
R1#sh ip route rip
     2.0.0.0/24 is subnetted, 1 subnets
R       2.2.2.0 [120/1] via 192.168.1.2, 00:00:06, FastEthernet0/0
     3.0.0.0/24 is subnetted, 1 subnets
R       3.3.3.0 [120/1] via 192.168.1.3, 00:00:25, FastEthernet0/0
R1#
We can also see via debug ip rip that we are still receiving updates from R4, but the filtered prefix is not getting installed into the routing table:
R1#
*Mar 1 00:38:23.059: RIP: received v2 update from 192.168.1.4 on FastEthernet0/0
*Mar 1 00:38:23.063:      4.4.4.0/24 via 0.0.0.0 in 1 hops
Filtering using an Extended ACL:
Note: an extended ACL has a different meaning when used in an IGP distribute-list as opposed to BGP. In BGP, using an extended ACL was a workaround before the prefix-list was invented, so in BGP an extended ACL matches both the prefix (the "source" field) and the subnet mask (the "destination" field).
In the case of an IGP, RIP and EIGRP specifically, an extended ACL matches the address of the prefix (the "destination" field) and also which neighbor it is coming from (the "source" field). So on any multipoint segment, you can filter which neighbors you do or do not want to receive a particular route from.
Example:
R1#sh ip route rip
     2.0.0.0/24 is subnetted, 1 subnets
R       2.2.2.0 [120/1] via 192.168.1.2, 00:00:19, FastEthernet0/0
     3.0.0.0/24 is subnetted, 1 subnets
R       3.3.3.0 [120/1] via 192.168.1.3, 00:00:23, FastEthernet0/0
     4.0.0.0/24 is subnetted, 1 subnets
R       4.4.4.0 [120/1] via 192.168.1.4, 00:00:25, FastEthernet0/0
     10.0.0.0/24 is subnetted, 1 subnets
R       10.1.56.0 [120/1] via 192.168.1.4, 00:00:25, FastEthernet0/0
                  [120/1] via 192.168.1.3, 00:00:23, FastEthernet0/0
So here on R1 I have the network 10.1.56.0/24 learned from both R3 and R4. I want to keep learning this route, but only from R4.
So I know the prefix, and I need to match the address that the update is coming from. In the case of RIP this will always be the neighbor's address.
R1#sh ip route 10.1.56.0
Routing entry for 10.1.56.0/24
  Known via "rip", distance 120, metric 1
  Redistributing via rip
  Last update from 192.168.1.3 on FastEthernet0/0, 00:00:07 ago
  Routing Descriptor Blocks:
  * 192.168.1.4, from 192.168.1.4, 00:00:09 ago, via FastEthernet0/0
      Route metric is 1, traffic share count is 1
    192.168.1.3, from 192.168.1.3, 00:00:07 ago, via FastEthernet0/0
      Route metric is 1, traffic share count is 1
Note: the "from" field is the route source.
Note: in the case of RIP the route source is the next hop. In the case of BGP the route source will not always be the next hop.
So any time you're doing a route-source-based filter, look at the "from" field in the route output, not the next hop.
Create the ACL. The ACL will now say: match the "from" address as the source and the routing entry as the destination, i.e. the route itself. Note you cannot match on the subnet mask.
ACL:
R1(config)#access-list 100 deny ip host 192.168.1.3 host 10.1.56.0
R1(config)#access-list 100 permit ip any any
Then under the routing process, apply the filter (here on the interface the updates arrive on):
R1(config-router)#distribute-list 100 in FastEthernet0/0
Now the route is still in the routing table, but it's only learned from R4.
R1#sh ip route 10.1.56.0
Routing entry for 10.1.56.0/24
  Known via "rip", distance 120, metric 1
  Redistributing via rip
  Last update from 192.168.1.4 on FastEthernet0/0, 00:00:06 ago
  Routing Descriptor Blocks:
  * 192.168.1.4, from 192.168.1.4, 00:00:06 ago, via FastEthernet0/0
      Route metric is 1, traffic share count is 1
R1#traceroute 10.1.56.6
Type escape sequence to abort.
Tracing the route to 10.1.56.6
  1 192.168.1.4 24 msec 20 msec 20 msec
  2 10.1.56.6 44 msec * 16 msec
R1#
A prefix list can filter on the route source as well, using the gateway keyword: distribute-list prefix <route-list> gateway <source-list> in. The first list is matched against the prefix, the second against the route source (the "from" address). Note: the two lists are ANDed, so a route is accepted only if both lists permit it. That makes this a blunter tool than the extended ACL above: denying 192.168.1.3 in the gateway list drops every route R3 sends (3.3.3.0/24 included), not just 10.1.56.0/24 from R3, so it is not an exact equivalent of ACL 100.
Ex (list names are arbitrary):
ip prefix-list ROUTES permit 0.0.0.0/0 le 32
ip prefix-list R3_route deny 192.168.1.3/32
ip prefix-list R3_route permit 0.0.0.0/0 le 32
router rip
 distribute-list prefix ROUTES gateway R3_route in
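The difference between the extended-ACL filter and the prefix-list gateway form, as an added example that is not part of the original post: a small Python model of how an inbound distribute-list evaluates each (route source, prefix) pair in a RIP update. The update contents are constructed from the R1 route table above, and the matcher is a deliberate simplification (plain address containment, "host X" written as X/32, "any" as 0.0.0.0/0, no mask-length matching, which is exactly the limitation of an extended ACL in an IGP); it is not IOS code.

```python
# Added example (not from the original post): simulate an inbound RIP
# distribute-list two ways, extended ACL vs. prefix-list + gateway.
import ipaddress

# Constructed input: what R1 hears on Fa0/0, as (route source, prefix),
# taken from the "sh ip route rip" output above.
UPDATES = [
    ("192.168.1.2", "2.2.2.0/24"),
    ("192.168.1.3", "3.3.3.0/24"),
    ("192.168.1.3", "10.1.56.0/24"),
    ("192.168.1.4", "4.4.4.0/24"),
    ("192.168.1.4", "10.1.56.0/24"),
]

# Extended ACL 100 as on the page. In an IGP distribute-list the source
# field is the route source (neighbor) and the destination field is the
# prefix's network address; the prefix length is never compared.
ACL_100 = [
    ("deny",   "192.168.1.3/32", "10.1.56.0/32"),   # deny ip host 192.168.1.3 host 10.1.56.0
    ("permit", "0.0.0.0/0",      "0.0.0.0/0"),      # permit ip any any
]


def acl_permits(acl, source, prefix):
    """First matching entry decides; implicit deny at the end."""
    src = ipaddress.ip_address(source)
    net_addr = ipaddress.ip_network(prefix).network_address
    for action, s, d in acl:
        if src in ipaddress.ip_network(s) and net_addr in ipaddress.ip_network(d):
            return action == "permit"
    return False


def filter_extended_acl(updates, acl=ACL_100):
    """distribute-list 100 in: keep the (source, prefix) pairs the ACL permits."""
    return [(s, p) for s, p in updates if acl_permits(acl, s, p)]


# Gateway list R3_route as on the page: deny 192.168.1.3/32, permit the rest.
# (The permit-all ROUTES prefix list is modelled as 'always true'.)
GATEWAY_R3_ROUTE = [("deny", "192.168.1.3/32"), ("permit", "0.0.0.0/0")]


def gateway_permits(gw_list, source):
    src = ipaddress.ip_address(source)
    for action, net in gw_list:
        if src in ipaddress.ip_network(net):
            return action == "permit"
    return False


def filter_prefix_gateway(updates, gw_list=GATEWAY_R3_ROUTE):
    """distribute-list prefix ROUTES gateway R3_route in.

    The prefix list and the gateway list are ANDed per route: with a
    permit-all prefix list the gateway list alone decides, so every
    route from a denied gateway is dropped, not one prefix from it.
    """
    return [(s, p) for s, p in updates if gateway_permits(gw_list, s)]


if __name__ == "__main__":
    print("extended ACL keeps:   ", filter_extended_acl(UPDATES))
    print("prefix+gateway keeps: ", filter_prefix_gateway(UPDATES))
```

Run it and compare the two lists: the extended ACL drops only 10.1.56.0/24 from 192.168.1.3 and keeps 3.3.3.0/24, while the gateway form drops 3.3.3.0/24 as well.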
Offset-list
- Adds a value to the metric of matched routes. A metric of 16 is infinite for RIP (the route cannot be put into the routing table), so offsetting a route by 16 is another way to filter it.
Distance
- 255 = infinite (the route is not installed)
- can be per prefix and per neighbor.
We can also filter out the route by using the distance command. The route is still received and kept by RIP, but when it actually goes to install it in the routing table it will not be installed: an administrative distance of 255 is treated as unreachable. Basically this poisons the route locally.
This will still require you to use an access-list to select the prefix.
Example:
access-list 2 permit 10.1.56.0
Under the RIP process:
R1(config-router)#distance 255 192.168.1.3 0.0.0.0 2
This is the neighbor (192.168.1.3) with a wildcard mask (0.0.0.0, i.e. exactly that neighbor), referencing ACL 2 to select which prefixes learned from that neighbor get the distance. Routes from R3 that ACL 2 does not match keep the normal RIP distance of 120.