Monday, 26 October 2015

RIPv2 filtering with Administrative distance

RIPv2 filtering with AD


In this example we filter, on R1, the subnet 2.2.5.0/24 learned from R2.



R1(config)#access-list 5 permit 2.2.5.0 ?
  A.B.C.D  Wildcard bits
  log      Log matches against this entry
  <cr>

R1(config)#access-list 5 permit 2.2.5.0 0.0.0.255 ?
  log  Log matches against this entry
  <cr>

R1(config)#access-list 5 permit 2.2.5.0 0.0.0.255 log
R1(config)#router rip
R1(config-router)#dist
R1(config-router)#distance 255 0.0.0.0 255.255.255.255 ?
  <1-99>       IP Standard access list number
  <1300-1999>  IP Standard expanded access list number
  WORD         Standard access-list name
  <cr>

R1(config-router)#distance 255 0.0.0.0 255.255.255.255 5
R1(config-router)#do clear ip route *
R1(config-router)#
*Mar  2 00:57:26.809: %SEC-6-IPACCESSLOGNP: list 5 permitted 0 2.2.5.0 -> 0.0.0.0, 1 packet
R1(config-router)#do sh ip route 2.0.0.0
Routing entry for 2.0.0.0/24, 3 known subnets
  Redistributing via rip

R       2.2.4.0 [120/1] via 12.1.1.2, 00:00:14, Serial0/0
R       2.2.6.0 [120/3] via 14.1.1.2, 00:00:18, Serial0/1
R       2.2.7.0 [120/1] via 12.1.1.2, 00:00:14, Serial0/0
R1(config-router)#

Another example

We have two paths to reach destinations in subnets 4.4.12.0 and 4.4.15.0 starting from R2. We want to make one path primary and filter the second one.


       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     34.0.0.0/24 is subnetted, 1 subnets
R       34.1.1.0 [120/1] via 23.1.1.2, 00:00:29, Serial0/1
     1.0.0.0/24 is subnetted, 4 subnets
R       1.1.0.0 [120/1] via 12.1.1.1, 00:00:08, Serial0/0
R       1.1.1.0 [120/1] via 12.1.1.1, 00:00:08, Serial0/0
R       1.1.2.0 [120/1] via 12.1.1.1, 00:00:08, Serial0/0
R       1.1.3.0 [120/1] via 12.1.1.1, 00:00:08, Serial0/0
     2.0.0.0/24 is subnetted, 4 subnets
C       2.2.4.0 is directly connected, Loopback0
C       2.2.5.0 is directly connected, Loopback1
C       2.2.6.0 is directly connected, Loopback2
C       2.2.7.0 is directly connected, Loopback3
     3.0.0.0/24 is subnetted, 4 subnets
R       3.3.8.0 [120/1] via 23.1.1.2, 00:00:02, Serial0/1
R       3.3.9.0 [120/1] via 23.1.1.2, 00:00:02, Serial0/1
R       3.3.10.0 [120/1] via 23.1.1.2, 00:00:02, Serial0/1
R       3.3.11.0 [120/1] via 23.1.1.2, 00:00:02, Serial0/1
     4.0.0.0/24 is subnetted, 4 subnets
R       4.4.12.0 [120/2] via 23.1.1.2, 00:00:02, Serial0/1
                 [120/2] via 12.1.1.1, 00:00:11, Serial0/0
R       4.4.13.0 [120/2] via 12.1.1.1, 00:00:11, Serial0/0
R       4.4.14.0 [120/2] via 23.1.1.2, 00:00:02, Serial0/1
                 [120/2] via 12.1.1.1, 00:00:11, Serial0/0
R       4.4.15.0 [120/2] via 23.1.1.2, 00:00:02, Serial0/1
                 [120/2] via 12.1.1.1, 00:00:11, Serial0/0

     23.0.0.0/24 is subnetted, 1 subnets
C       23.1.1.0 is directly connected, Serial0/1
     172.16.0.0/32 is subnetted, 2 subnets
C       172.16.0.20 is directly connected, Loopback20
C       172.16.0.10 is directly connected, Loopback10
     12.0.0.0/24 is subnetted, 1 subnets
C       12.1.1.0 is directly connected, Serial0/0
     14.0.0.0/24 is subnetted, 1 subnets
R       14.1.1.0 [120/1] via 12.1.1.1, 00:00:13, Serial0/0
R2#config t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#acc
R2(config)#access-list 12 permit 4.4.12.0
R2(config)#access-
R2(config)#access-list 13 permit 4.4.15.0
R2(config)#router rip
R2(config-router)#distance 255 23.1.1.2 0.0.0.0 ?
  <1-99>       IP Standard access list number
  <1300-1999>  IP Standard expanded access list number
  WORD         Standard access-list name
  <cr>

R2(config-router)#distance 255 23.1.1.2 0.0.0.0 12
R2(config-router)#distance 255 12.1.1.1 0.0.0.0 13
R2(config-router)#do clear ip route *
R2(config-router)#do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     34.0.0.0/24 is subnetted, 1 subnets
R       34.1.1.0 [120/1] via 23.1.1.2, 00:00:09, Serial0/1
     1.0.0.0/24 is subnetted, 4 subnets
R       1.1.0.0 [120/1] via 12.1.1.1, 00:00:09, Serial0/0
R       1.1.1.0 [120/1] via 12.1.1.1, 00:00:09, Serial0/0
R       1.1.2.0 [120/1] via 12.1.1.1, 00:00:09, Serial0/0
R       1.1.3.0 [120/1] via 12.1.1.1, 00:00:09, Serial0/0
     2.0.0.0/24 is subnetted, 4 subnets
C       2.2.4.0 is directly connected, Loopback0
C       2.2.5.0 is directly connected, Loopback1
C       2.2.6.0 is directly connected, Loopback2
C       2.2.7.0 is directly connected, Loopback3
     3.0.0.0/24 is subnetted, 4 subnets
R       3.3.8.0 [120/1] via 23.1.1.2, 00:00:12, Serial0/1
R       3.3.9.0 [120/1] via 23.1.1.2, 00:00:12, Serial0/1
R       3.3.10.0 [120/1] via 23.1.1.2, 00:00:12, Serial0/1
R       3.3.11.0 [120/1] via 23.1.1.2, 00:00:12, Serial0/1
     4.0.0.0/24 is subnetted, 4 subnets
R       4.4.12.0 [120/2] via 12.1.1.1, 00:00:12, Serial0/0
R       4.4.13.0 [120/2] via 12.1.1.1, 00:00:12, Serial0/0
R       4.4.14.0 [120/2] via 23.1.1.2, 00:00:12, Serial0/1
                 [120/2] via 12.1.1.1, 00:00:12, Serial0/0
R       4.4.15.0 [120/2] via 23.1.1.2, 00:00:12, Serial0/1

     23.0.0.0/24 is subnetted, 1 subnets
C       23.1.1.0 is directly connected, Serial0/1
     172.16.0.0/32 is subnetted, 2 subnets
C       172.16.0.20 is directly connected, Loopback20
C       172.16.0.10 is directly connected, Loopback10
     12.0.0.0/24 is subnetted, 1 subnets
C       12.1.1.0 is directly connected, Serial0/0
     14.0.0.0/24 is subnetted, 1 subnets
R       14.1.1.0 [120/1] via 12.1.1.1, 00:00:13, Serial0/0
R2(config-router)#
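The two configurations above, modelled as an added example that is not part of the original post: a route is dropped when the neighbor that sent it matches the source/wildcard pair of a distance 255 statement and its prefix is permitted by the referenced standard ACL. The function names, the update list and the in-order evaluation of the distance statements are assumptions made for the illustration.

```python
from ipaddress import IPv4Address

RIP_AD = 120        # default administrative distance of RIP
AD_REJECT = 255     # a route with distance 255 is never installed


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard compare: bits set in the wildcard are ignored."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


def acl_permits(acl, prefix):
    """Standard ACL: first matching entry decides, implicit deny at the end."""
    for action, base, wildcard in acl:
        if wildcard_match(prefix, base, wildcard):
            return action == "permit"
    return False


def effective_distance(rules, acls, source, prefix):
    """Distance given to `prefix` when the update comes from neighbor `source`."""
    # Assumption: statements are tried in configuration order.
    for distance, src, src_wildcard, acl_id in rules:
        if not wildcard_match(source, src, src_wildcard):
            continue
        if acl_id is None or acl_permits(acls[acl_id], prefix):
            return distance
    return RIP_AD


def install(updates, rules, acls):
    """Return {prefix: [next hops]}, keeping only routes with distance below 255."""
    rib = {}
    for source, prefix in updates:
        if effective_distance(rules, acls, source, prefix) < AD_REJECT:
            rib.setdefault(prefix, []).append(source)
    return {prefix: sorted(hops) for prefix, hops in rib.items()}


# R1, first example: distance 255 0.0.0.0 255.255.255.255 5
R1_ACLS = {5: [("permit", "2.2.5.0", "0.0.0.255")]}
R1_RULES = [(255, "0.0.0.0", "255.255.255.255", 5)]

# R2, second example: one distance statement per neighbor
R2_ACLS = {12: [("permit", "4.4.12.0", "0.0.0.0")],
           13: [("permit", "4.4.15.0", "0.0.0.0")]}
R2_RULES = [(255, "23.1.1.2", "0.0.0.0", 12),
            (255, "12.1.1.1", "0.0.0.0", 13)]

# Constructed updates: each 4.4.x.0 route heard from both neighbors
R2_UPDATES = [(nbr, net)
              for net in ("4.4.12.0", "4.4.14.0", "4.4.15.0")
              for nbr in ("23.1.1.2", "12.1.1.1")]

if __name__ == "__main__":
    for prefix, hops in install(R2_UPDATES, R2_RULES, R2_ACLS).items():
        print(prefix, "via", ", ".join(hops))
```

The result matches the routing table above: 4.4.12.0 keeps only the path via 12.1.1.1, 4.4.15.0 keeps only the path via 23.1.1.2, and 4.4.14.0 keeps both.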

RIPv2 filtering with standard access-list

example



The routers are R1 and R2. On R1 we have applied an access-list to filter one particular route learned from R2: 2.2.6.0 255.255.255.0


R1(config)#ip access-list standard NET226
R1(config-std-nacl)#5 deny 2.2.6.0 0.0.0.255
R1(config-std-nacl)#20 permit any
R1(config-std-nacl)#do sh run | s ip acc
ip access-list standard NET226
 deny   2.0.0.0 0.0.0.255
 permit any


R1(config)#router rip

R1(config-router)#distribute-list NET226 in
R1(config-router)#do clear ip route *


R1# sh run | s rou
router rip
 version 2
 offset-list 10 in 5 Serial0/0
 network 1.0.0.0
 network 12.0.0.0
 network 14.0.0.0
 distribute-list NET226 in
 no auto-summary


R1(config-std-nacl)#do sh ip access
Standard IP access list 10
    10 permit 172.16.0.10 (651 matches)
Standard IP access list NET226
    5 deny   2.2.6.0, wildcard bits 0.0.0.255
    20 permit any (484 matches)

R1(config)#do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     34.0.0.0/24 is subnetted, 1 subnets
R       34.1.1.0 [120/1] via 14.1.1.2, 00:00:05, Serial0/1
     1.0.0.0/24 is subnetted, 4 subnets
C       1.1.0.0 is directly connected, Loopback0
C       1.1.1.0 is directly connected, Loopback1
C       1.1.2.0 is directly connected, Loopback2
C       1.1.3.0 is directly connected, Loopback3
     2.0.0.0/24 is subnetted, 3 subnets
R       2.2.4.0 [120/1] via 12.1.1.2, 00:00:05, Serial0/0
        (2.2.6.0 [120/1] via 12.1.1.2 is no longer present)
R       2.2.5.0 [120/1] via 12.1.1.2, 00:00:05, Serial0/0
R       2.2.7.0 [120/1] via 12.1.1.2, 00:00:06, Serial0/0

     3.0.0.0/24 is subnetted, 4 subnets
R       3.3.8.0 [120/2] via 14.1.1.2, 00:00:06, Serial0/1
                [120/2] via 12.1.1.2, 00:00:06, Serial0/0
R       3.3.9.0 [120/2] via 14.1.1.2, 00:00:01, Serial0/1
                [120/2] via 12.1.1.2, 00:00:09, Serial0/0
R       3.3.10.0 [120/2] via 12.1.1.2, 00:00:09, Serial0/0
R       3.3.11.0 [120/2] via 12.1.1.2, 00:00:09, Serial0/0
     4.0.0.0/24 is subnetted, 4 subnets
R       4.4.12.0 [120/1] via 14.1.1.2, 00:00:01, Serial0/1
R       4.4.13.0 [120/1] via 14.1.1.2, 00:00:01, Serial0/1
R       4.4.14.0 [120/1] via 14.1.1.2, 00:00:01, Serial0/1
R       4.4.15.0 [120/1] via 14.1.1.2, 00:00:01, Serial0/1
     23.0.0.0/24 is subnetted, 1 subnets
R       23.1.1.0 [120/1] via 12.1.1.2, 00:00:09, Serial0/0
     172.16.0.0/32 is subnetted, 2 subnets
R       172.16.0.20 [120/3] via 14.1.1.2, 00:00:01, Serial0/1
R       172.16.0.10 [120/3] via 14.1.1.2, 00:00:01, Serial0/1
     12.0.0.0/24 is subnetted, 1 subnets
C       12.1.1.0 is directly connected, Serial0/0
     14.0.0.0/24 is subnetted, 1 subnets
C       14.1.1.0 is directly connected, Serial0/1
R1(config)#



R1 filters incoming updates about net 2.2.6.0/24 from both R4 and R2. In other words, it prevents the route from being installed in its RIP database regardless of the source of the incoming update.
------------------- NOTE -----------------------
The distribute-list is not a standalone filtering mechanism; the distribute-list command lets us apply different filtering mechanisms to a routing process.
---------------- END NOTE -------------------
I can be more specific when using a distribute-list and filter only the updates coming in from a specific neighbor-->link-->interface. For example, let's suppose that R1 must learn about network 2.2.6.0/24 only from R4 and not directly from R2. Here is what I can do using the same ACL defined before:

 R1(config)#router rip
R1(config-router)#no distribute-list NET226 in
R1(config-router)#do clear ip route *


 R1(config-router)#do sh ip route 2.2.6.0  -- everything is restored to the original state
Routing entry for 2.2.6.0/24
  Known via "rip", distance 120, metric 1
  Redistributing via rip
  Last update from 12.1.1.2 on Serial0/0, 00:00:02 ago
  Routing Descriptor Blocks:
  * 12.1.1.2, from 12.1.1.2, 00:00:02 ago, via Serial0/0
      Route metric is 1, traffic share count is 1

R1(config-router)#  ---- we apply the access-list again, this time bound to the interface
R1(config-router)#
R1(config-router)#distribute-list NET226 in serial 0/0




R1(config-router)#do clear ip route *


We now have one path to 2.2.6.2, from R1 through R4 and R3 to R2.

R1(config-router)#do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     34.0.0.0/24 is subnetted, 1 subnets
R       34.1.1.0 [120/1] via 14.1.1.2, 00:00:06, Serial0/1
     1.0.0.0/24 is subnetted, 4 subnets
C       1.1.0.0 is directly connected, Loopback0
C       1.1.1.0 is directly connected, Loopback1
C       1.1.2.0 is directly connected, Loopback2
C       1.1.3.0 is directly connected, Loopback3
     2.0.0.0/24 is subnetted, 4 subnets
R       2.2.4.0 [120/1] via 12.1.1.2, 00:00:00, Serial0/0
R       2.2.5.0 [120/1] via 12.1.1.2, 00:00:00, Serial0/0
*Mar  2 00:09:56.394: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
R       2.2.6.0 [120/3] via 14.1.1.2, 00:00:07, Serial0/1
R       2.2.7.0 [120/1] via 12.1.1.2, 00:00:02, Serial0/0
     3.0.0.0/24 is subnetted, 4 subnets
R       3.3.8.0 [120/2] via 14.1.1.2, 00:00:15, Serial0/1
                [120/2] via 12.1.1.2, 00:00:09, Serial0/0
R       3.3.9.0 [120/2] via 14.1.1.2, 00:00:15, Serial0/1
                [120/2] via 12.1.1.2, 00:00:09, Serial0/0
R       3.3.10.0 [120/2] via 12.1.1.2, 00:00:09, Serial0/0
R       3.3.11.0 [120/2] via 12.1.1.2, 00:00:09, Serial0/0
     4.0.0.0/24 is subnetted, 4 subnets
R       4.4.12.0 [120/1] via 14.1.1.2, 00:00:15, Serial0/1
R       4.4.13.0 [120/1] via 14.1.1.2, 00:00:15, Serial0/1
R       4.4.14.0 [120/1] via 14.1.1.2, 00:00:15, Serial0/1
R       4.4.15.0 [120/1] via 14.1.1.2, 00:00:15, Serial0/1
     23.0.0.0/24 is subnetted, 1 subnets
R       23.1.1.0 [120/1] via 12.1.1.2, 00:00:09, Serial0/0
     172.16.0.0/32 is subnetted, 2 subnets
R       172.16.0.20 [120/3] via 14.1.1.2, 00:00:15, Serial0/1
R       172.16.0.10 [120/3] via 14.1.1.2, 00:00:15, Serial0/1
     12.0.0.0/24 is subnetted, 1 subnets
C       12.1.1.0 is directly connected, Serial0/0
     14.0.0.0/24 is subnetted, 1 subnets
C       14.1.1.0 is directly connected, Serial0/1
R1(config-router)#

R1 will reach 2.2.6.2 in three hops


R1#sh ip route 2.2.6.0
Routing entry for 2.2.6.0/24
  Known via "rip", distance 120, metric 3 -========
  Redistributing via rip
  Last update from 14.1.1.2 on Serial0/1, 00:00:12 ago
  Routing Descriptor Blocks:
  * 14.1.1.2, from 14.1.1.2, 00:00:12 ago, via Serial0/1
      Route metric is 3, traffic share count is 1

R1#

RIPv2 filtering with Passive interface

RIP filtering with Passive interface 



We can consider passive-interface an indirect form of filtering.

R1#sh run | s rou
router rip
 version 2
 offset-list 10 in 5 Serial0/0
 network 1.0.0.0
 network 12.0.0.0
 no auto-summary
R1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#router rip
R1(config-router)#pass
R1(config-router)#passive-interface s0/0 -===condition 1

On this router we have:

R1(config-router)#do sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES NVRAM  administratively down down
Serial0/0                  12.1.1.1        YES NVRAM  up                    up
FastEthernet0/1            unassigned      YES NVRAM  administratively down down
Serial0/1                  unassigned      YES NVRAM  administratively down down
Loopback0                  1.1.0.1         YES NVRAM  up                    up
Loopback1                  1.1.1.1         YES NVRAM  up                    up
Loopback2                  1.1.2.1         YES NVRAM  up                    up
Loopback3                  1.1.3.1         YES NVRAM  up                    up

Before condition 1:


R2#sh ip route 1.0.0.0
Routing entry for 1.0.0.0/24, 4 known subnets
  Redistributing via rip

R       1.1.0.0 [120/1] via 12.1.1.1, 00:02:46, Serial0/0
R       1.1.1.0 [120/1] via 12.1.1.1, 00:02:46, Serial0/0
R       1.1.2.0 [120/1] via 12.1.1.1, 00:02:46, Serial0/0
R       1.1.3.0 [120/1] via 12.1.1.1, 00:02:46, Serial0/0

A few minutes after condition 1 is applied:



R2#sh ip route 1.0.0.0
% Network not in table
R2#

If we run debug ip rip we will see that s0/0 is receiving routes but not sending updates over the interface.

After some time we will not see any route from R1 or any other interface behind it.

If we apply it on R2:

R1# sh ip route 2.0.0.0
Routing entry for 2.0.0.0/24, 4 known subnets
  Redistributing via rip

R       2.2.4.0/24 is possibly down,
          routing via 12.1.1.2, Serial0/0
R       2.2.5.0/24 is possibly down,
          routing via 12.1.1.2, Serial0/0
R       2.2.6.0/24 is possibly down,
          routing via 12.1.1.2, Serial0/0
R       2.2.7.0/24 is possibly down,
          routing via 12.1.1.2, Serial0/0
R1# sh ip route 2.0.0.0

RIPv2 Offset list example

RIPv2 - Manipulation of the Metric with Offset Lists

An offset-list can serve as a filtering tool of last resort. By default an offset-list is a tool used to INCREASE the metric of a route. Of course, if we increase the metric so that it reaches 16 hops or more, the route becomes inaccessible and is then discarded/filtered.

Note: the offset-list command can reference a standard ACL (numbered or named).

 

This tutorial shows how to manipulate the metric in RIPv2 with the help of offset lists.

Offset Lists

Let's take a lab of 2 routers and do some basic RIPv2 configuration:
Both routers just have the interface serial 1/0 and the interface loopback 0 configured. If you use the basic RIPv2 configuration and start the routers you can ping the other router.
The routing table of R1:
Two more loopback interfaces are added to R2. The routes have an administrative distance of 120 and a metric of "1", which basically is a hop count. This value has a range of 1 to 15.
R2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#interface loopback 10
R2(config-if)#ip address 172.17.0.10 255.255.255.255
R2(config-if)#exit
R2(config)#interface loopback 20
R2(config-if)#ip address 172.17.0.20 255.255.255.255
R2(config-if)#end

R1#show ip route
Gateway of last resort is not set

     172.17.0.0/32 is subnetted, 4 subnets
R       172.17.0.20 [120/1] via 192.168.100.2, 00:00:05, Serial1/0
R       172.17.0.10 [120/1] via 192.168.100.2, 00:00:05, Serial1/0
C       172.17.0.1 is directly connected, Loopback0
R       172.17.0.2 [120/1] via 192.168.100.2, 00:00:05, Serial1/0
     192.168.100.0/30 is subnetted, 1 subnets
C       192.168.100.0 is directly connected, Serial1/0
The two new routes now appear in the routing table of router R1. The metric of RIP routes can be manipulated with offset lists. For this to work, an access list has to be configured. The metric of 172.17.0.10 will be increased by 5 on router R1, incoming on interface S1/0; the metric of 172.17.0.20 will be increased by 7 on router R2, outgoing.
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#access-list 10 permit 172.17.0.10 0.0.0.0
R1(config)#router rip
R1(config-router)#offset-list 10 in 5 Serial 1/0
R1(config-router)#end

R2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#access-list 20 permit 172.17.0.20 0.0.0.0
R2(config)#router rip
R2(config-router)#offset-list 20 out 7 Serial 1/0
R2(config-router)#end

R1#show ip route
Gateway of last resort is not set

     172.17.0.0/32 is subnetted, 4 subnets
R       172.17.0.20 [120/8] via 192.168.100.2, 00:00:00, Serial1/0
R       172.17.0.10 [120/6] via 192.168.100.2, 00:00:00, Serial1/0
C       172.17.0.1 is directly connected, Loopback0
R       172.17.0.2 [120/1] via 192.168.100.2, 00:00:00, Serial1/0
     192.168.100.0/30 is subnetted, 1 subnets
C       192.168.100.0 is directly connected, Serial1/0
 
 

offset-list

To add an offset to incoming and outgoing metrics to routes learned via Routing Information Protocol (RIP), use the offset-list command in router configuration mode. To remove an offset list, use the no form of this command.
offset-list {access-list-number | access-list-name} {in | out} offset [interface-type interface-number]
no offset-list {access-list-number | access-list-name} {in | out} offset [interface-type interface-number]

Syntax Description


access-list-number
    Standard access list number to be applied. Access list number 0 indicates all access lists. If offset is 0, no action is taken. For IGRP, the offset is added to the delay component only.
access-list-name
    Standard access list name to be applied.
in
    Applies the access list to incoming metrics.
out
    Applies the access list to outgoing metrics.
offset
    Positive offset to be applied to metrics for networks matching the access list. If the offset is 0, no action is taken.
interface-type
    (Optional) Interface type to which the offset list is applied.
interface-number
    (Optional) Interface number to which the offset list is applied.

Defaults

This command is disabled by default.

Command Modes

Router configuration

Command History


Release   Modification
10.0      This command was introduced.
10.3      The interface-type and interface-number arguments were added.
11.2      The access-list-name argument was added.

Usage Guidelines

The offset value is added to the routing metric. An offset list with an interface type and interface number is considered extended and takes precedence over an offset list that is not extended. Therefore, if an entry passes the extended offset list and the normal offset list, the offset of the extended offset list is added to the metric.

Examples

In the following example, the router applies an offset of 10 to the delay component of a router only to access list 21:
offset-list 21 out 10

In the following example, the router applies an offset of 10 to routes learned from Ethernet interface 0:
offset-list 21 in 10 ethernet 0
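
The offset-list behaviour described in the tutorial and in the Usage Guidelines above, modelled as an added example that is not part of the original page or of Cisco's documentation: the outbound offset is added by the sender, the inbound offset by the receiver, an interface-bound list takes precedence over a global one, and a metric that reaches 16 is discarded. The dictionary layout and function names are assumptions; ACL entries are written as prefixes instead of wildcard masks.

```python
from ipaddress import ip_address, ip_network

RIP_INFINITY = 16  # RIP treats a metric of 16 as unreachable


def acl_permits(acl, prefix):
    """Standard ACL as (action, network) entries; first match wins, implicit deny."""
    for action, net in acl:
        if ip_address(prefix) in ip_network(net):
            return action == "permit"
    return False


def pick_offset(prefix, direction, interface, offset_lists, acls):
    """Choose the offset for one route; an interface-bound list beats a global one."""
    chosen = {}
    for acl_id, way, offset, ifname in offset_lists:
        if way != direction or ifname not in (None, interface):
            continue
        # ACL number 0 stands for all routes, as stated in the syntax description.
        if acl_id == 0 or acl_permits(acls[acl_id], prefix):
            chosen.setdefault(ifname is not None, offset)
    return chosen.get(True, chosen.get(False, 0))


def apply_offset(metric, prefix, direction, router):
    """Add the selected offset, never exceeding RIP infinity."""
    offset = pick_offset(prefix, direction, router["if"],
                         router["offsets"], router["acls"])
    return min(metric + offset, RIP_INFINITY)


def learned_metric(prefix, sender, receiver, base_metric=1):
    """Metric the receiver installs, or None when the route reaches 16 and is dropped."""
    sent = apply_offset(base_metric, prefix, "out", sender)
    got = apply_offset(sent, prefix, "in", receiver)
    return None if got >= RIP_INFINITY else got


# Lab from the tutorial: R1 adds 5 inbound, R2 adds 7 outbound.
R1 = {"if": "Serial1/0",
      "acls": {10: [("permit", "172.17.0.10/32")]},
      "offsets": [(10, "in", 5, "Serial1/0")]}
R2 = {"if": "Serial1/0",
      "acls": {20: [("permit", "172.17.0.20/32")]},
      "offsets": [(20, "out", 7, "Serial1/0")]}

# Constructed variants: an offset large enough to filter, and a global list
# (ACL 0, no interface) competing with the interface-bound one.
R1_FILTER = dict(R1, offsets=[(10, "in", 15, "Serial1/0")])
R1_MIXED = dict(R1, offsets=[(0, "in", 2, None), (10, "in", 5, "Serial1/0")])

if __name__ == "__main__":
    for net in ("172.17.0.20", "172.17.0.10", "172.17.0.2"):
        print(net, learned_metric(net, R2, R1))
```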