Cisco Routing & Switching

Filtering routes with RIP.

If our network is running RIP, we have several options for route filtering. As always, we can adjust various parameters to reach the goal: removing unnecessary routes from the routing table. In this example we will practice filtering based on:

  1. Distribute lists.
  2. Administrative distance.
  3. Offset lists.

In our scenario we will configure RIP on R1, R4, R5 and R7 from the base topology.

Initializing RIP on every router is quite simple, so I will jump straight to the first type of filtering:

1. Distribute lists.

Looking at R7's routing table, we can see that it learns the networks advertised by R4 twice, via Se0/0 and Fa0/1. Given the default IOS load-balancing behaviour, packets destined for those networks will be load-balanced across both links. For some reason, we may not want to use the low-speed serial link for traffic towards the default network, so we decide to filter the default route received on the Serial interface and leave the rest.

R7(config-router)#do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is 85.0.146.4 to network 0.0.0.0
     85.0.0.0/24 is subnetted, 5 subnets
R       85.0.12.0 [120/1] via 85.0.146.1, 00:00:07, Serial0/0
R       85.0.44.0 [120/2] via 85.0.146.4, 00:00:06, Serial0/0
                  [120/2] via 85.0.47.4, 00:00:00, FastEthernet0/1
C       85.0.47.0 is directly connected, FastEthernet0/1
R       85.0.145.0 [120/1] via 85.0.146.4, 00:00:06, Serial0/0
                   [120/1] via 85.0.47.4, 00:00:00, FastEthernet0/1
C       85.0.146.0 is directly connected, Serial0/0
R*   0.0.0.0/0 [120/1] via 85.0.146.4, 00:00:02, Serial0/0
               [120/1] via 85.0.47.4, 00:00:04, FastEthernet0/1

I always recommend using prefix-lists for matching routes because they provide more flexibility than access-lists. For the present example we need to filter only the default route and allow the rest.

R7(config)#ip prefix-list RIP_FILTER deny 0.0.0.0/0
R7(config)#ip prefix-list RIP_FILTER permit 0.0.0.0/0 le 32
R7(config)#router rip
R7(config-router)#distribute-list prefix RIP_FILTER in se0/0
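How the two RIP_FILTER entries are evaluated against an incoming update, as an added Python model (not code from the original post). It assumes the usual prefix-list rules: first match wins, an entry without ge/le matches only its exact length, and an implicit deny ends every list; the sample update is constructed from the routing table above.

```python
import ipaddress

# Constructed model of the RIP_FILTER prefix-list from the text:
# (action, prefix, ge, le) in sequence order.
RIP_FILTER = [
    ("deny", "0.0.0.0/0", None, None),   # exact match: the default route only
    ("permit", "0.0.0.0/0", None, 32),   # any prefix of length 0..32
]

def entry_matches(route, prefix, ge, le):
    """True if `route` falls inside `prefix` and its length is in range."""
    net = ipaddress.ip_network(prefix)
    if ge is None and le is None:
        lo = hi = net.prefixlen          # no ge/le: length must be exact
    else:
        lo = ge if ge is not None else net.prefixlen
        hi = le if le is not None else 32
    return route.subnet_of(net) and lo <= route.prefixlen <= hi

def evaluate(prefix_list, route_str):
    """Return the action of the first matching entry (implicit deny)."""
    route = ipaddress.ip_network(route_str)
    for action, prefix, ge, le in prefix_list:
        if entry_matches(route, prefix, ge, le):
            return action
    return "deny"

def filter_update(prefix_list, routes):
    """Routes from one received update that survive the distribute-list."""
    return [r for r in routes if evaluate(prefix_list, r) == "permit"]

# Constructed sample: what R4 advertises to R7 over Serial0/0.
UPDATE_FROM_R4 = ["85.0.44.0/24", "85.0.145.0/24", "0.0.0.0/0"]

if __name__ == "__main__":
    print(filter_update(RIP_FILTER, UPDATE_FROM_R4))
    # Omitting the permit line blocks everything through the implicit deny.
    print(filter_update(RIP_FILTER[:1], UPDATE_FROM_R4))
```
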

Now we are blocking all the default route advertisements coming through se0/0 from R4. Of course, we can also use standard or extended ACLs:

R7(config)#access-list 1 deny 0.0.0.0 0.0.0.0
R7(config)#access-list 1 permit any
R7(config)#router rip
R7(config-router)#distribute-list 1 in se0/0

or:

R7(config)#access-list 100 deny ip host 85.0.146.4 0.0.0.0 0.0.0.0
R7(config)#access-list 100 permit ip any any
R7(config)#router rip
R7(config-router)#distribute-list 100 in se0/0

We get the same result for all of them:

R7(config-router)#do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is 85.0.47.4 to network 0.0.0.0
     85.0.0.0/24 is subnetted, 5 subnets
R       85.0.12.0 [120/1] via 85.0.146.1, 00:00:07, Serial0/0
R       85.0.44.0 [120/2] via 85.0.146.4, 00:00:07, Serial0/0
                  [120/2] via 85.0.47.4, 00:00:00, FastEthernet0/1
C       85.0.47.0 is directly connected, FastEthernet0/1
R       85.0.145.0 [120/1] via 85.0.146.4, 00:00:07, Serial0/0
                   [120/1] via 85.0.47.4, 00:00:00, FastEthernet0/1
C       85.0.146.0 is directly connected, Serial0/0
R*   0.0.0.0/0 [120/1] via 85.0.47.4, 00:00:01, FastEthernet0/1

The default route to R4 via Serial 0/0 has now disappeared.

2. Administrative Distance

Playing with AD is less restrictive because it gives us the possibility to “hide” a route while another with a lower AD is present in the routing table; these are commonly known as floating routes. Of course, we can still block the route entirely by giving it a distance of 255 (unreachable).

In this case, route matching changes a little. Now the ACL must permit the “interesting” networks and leave the rest unchanged with a deny statement. In addition, we can’t use prefix-lists or extended ACLs, only standard ones:

R7(config)#access-list 1 permit 0.0.0.0 0.0.0.0
R7(config)#access-list 1 deny any
R7(config)#router rip
R7(config-router)#distance 255 85.0.146.4 0.0.0.0 1

If we don’t specify a source address or ACL, the new distance will be applied to all received updates.

Gateway of last resort is 85.0.47.4 to network 0.0.0.0
     85.0.0.0/24 is subnetted, 5 subnets
R       85.0.12.0 [120/1] via 85.0.146.1, 00:00:08, Serial0/0
R       85.0.44.0 [120/2] via 85.0.146.4, 00:00:05, Serial0/0
                  [120/2] via 85.0.47.4, 00:00:06, FastEthernet0/1
C       85.0.47.0 is directly connected, FastEthernet0/1
R       85.0.145.0 [120/1] via 85.0.146.4, 00:00:05, Serial0/0
                   [120/1] via 85.0.47.4, 00:00:06, FastEthernet0/1
C       85.0.146.0 is directly connected, Serial0/0
R*   0.0.0.0/0 [120/1] via 85.0.47.4, 00:00:08, FastEthernet0/1

3. Offset-lists:

Previously we manipulated the AD; now it is the turn of the metric, which is what offset-lists were designed for. As before, the only route-matching mechanism allowed is standard ACLs.

R7(config)#access-list 1 permit 0.0.0.0 0.0.0.0
R7(config)#access-list 1 deny any
R7(config)#router rip
R7(config-router)#offset-list 1 in 15 se0/0

With the above command we instruct the router to add 15 hops to every route matched by standard ACL 1 coming in on Serial 0/0. Note that we can specify 0 for the ACL, which makes the router change all the routes.

Resulting:

Gateway of last resort is 85.0.47.4 to network 0.0.0.0
     85.0.0.0/24 is subnetted, 5 subnets
R       85.0.12.0 [120/1] via 85.0.146.1, 00:00:08, Serial0/0
R       85.0.44.0 [120/2] via 85.0.146.4, 00:00:05, Serial0/0
                  [120/2] via 85.0.47.4, 00:00:06, FastEthernet0/1
C       85.0.47.0 is directly connected, FastEthernet0/1
R       85.0.145.0 [120/1] via 85.0.146.4, 00:00:05, Serial0/0
                   [120/1] via 85.0.47.4, 00:00:06, FastEthernet0/1
C       85.0.146.0 is directly connected, Serial0/0
R*   0.0.0.0/0 [120/1] via 85.0.47.4, 00:00:08, FastEthernet0/1
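Why the distance and offset-list methods from sections 2 and 3 both leave only the FastEthernet path for the default route, as an added Python model (not code from the original post). It is a simplified model of route installation that assumes the default over Serial0/0 comes from 85.0.146.4, as the first routing table shows; the path data is constructed from that table.

```python
RIP_INFINITY = 16      # RIP metric meaning "unreachable"
AD_UNUSABLE = 255      # a route with distance 255 is never installed

# Constructed from the first routing table: R7's two paths to 0.0.0.0/0.
DEFAULT_PATHS = [
    {"via": "85.0.146.4", "iface": "Serial0/0", "metric": 1, "ad": 120},
    {"via": "85.0.47.4", "iface": "FastEthernet0/1", "metric": 1, "ad": 120},
]

def apply_offset(paths, iface, offset):
    """Model of 'offset-list <acl> in <offset> <iface>' for matched routes."""
    return [dict(p, metric=min(p["metric"] + offset, RIP_INFINITY))
            if p["iface"] == iface else dict(p) for p in paths]

def apply_distance(paths, source, ad):
    """Model of 'distance <ad> <source> 0.0.0.0 <acl>' for matched routes."""
    return [dict(p, ad=ad) if p["via"] == source else dict(p) for p in paths]

def install(paths):
    """Drop unusable paths, then keep lowest AD, then lowest metric (ECMP)."""
    usable = [p for p in paths
              if p["metric"] < RIP_INFINITY and p["ad"] < AD_UNUSABLE]
    if not usable:
        return []
    best = min((p["ad"], p["metric"]) for p in usable)
    return sorted(p["iface"] for p in usable if (p["ad"], p["metric"]) == best)

def serial_only(paths):
    """Simulate losing the FastEthernet path to test the floating behaviour."""
    return [p for p in paths if p["iface"] == "Serial0/0"]

if __name__ == "__main__":
    print(install(DEFAULT_PATHS))                                  # both links
    print(install(apply_offset(DEFAULT_PATHS, "Serial0/0", 15)))   # 1+15 = 16
    print(install(apply_distance(DEFAULT_PATHS, "85.0.146.4", 255)))
    # A distance below 255 only hides the serial path while Fa0/1 is up.
    floating = apply_distance(DEFAULT_PATHS, "85.0.146.4", 130)
    print(install(floating), install(serial_only(floating)))
```
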
