Sunday, July 28, 2013

CCNP ROUTE: 11.EIGRP Route filtering: Distribute Lists with Prefix Lists

To use the prefix-list, the configuration simply refers to the prefix-list with the same distribute-list command seen earlier.

The IP prefix list consists of one or more global configuration commands (like numbered ACLs), with commands using the same name belonging to the same list (like named ACLs).
Each command has a permit or deny action, but because the list is used only for matching routes, not for packet filtering, the permit or deny keyword only indicates whether a route is matched (permit) or not matched (deny).

General syntax:
ip prefix-list list-name [seq seq-value] {deny | permit} prefix/prefix-length [ge ge-value] [le le-value]

Optional parameters:
ge-value, which stands for greater-than-or-equal-to
le-value, which stands for less-than-or-equal-to

Rule: prefix-length < ge-value <= le-value

The matching of the prefix works much like ACL matching logic. The configured prefix/prefix-length implies a range of IP addresses.
For example, ip prefix-list barney deny 10.0.0.0/8 ... implies any address whose first 8 bits (per the /8) match 10.0.0.0; in other words, all IPv4 addresses that begin with 10. Any route whose prefix is in this range (for example, 10.0.0.0, 10.1.1.0, and 10.5.255.128) would be considered to match this part of the logic.

Objective 1: Router R7 should not learn through EIGRP any routes that start with 192.168.44 and have a prefix length of /24 or longer.
For this, we first configure a prefix list on R6:

Before configuring the distribute list/prefix list:
R7#show ip route
...
D    192.168.44.0/24 [90/2809856] via 172.16.0.9, 00:26:27, Serial0/0
     172.16.0.0/16 is variably subnetted, 5 subnets, 2 masks
D       172.16.0.12/30 [90/2707456] via 172.16.0.9, 00:26:27, Serial0/0
C       172.16.0.8/30 is directly connected, Serial0/0
D       172.16.0.4/30 [90/2195456] via 172.16.0.9, 00:26:27, Serial0/0
D       172.16.0.0/30 [90/2681856] via 172.16.0.9, 00:26:27, Serial0/0
D       172.16.111.0/24 [90/2297856] via 172.16.0.9, 00:26:27, Serial0/0
D    192.168.55.0/24 [90/2323456] via 172.16.0.9, 00:26:29, Serial0/0
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.0.0.0/30 is directly connected, FastEthernet0/1
R       10.0.200.0/24 [120/1] via 10.0.0.1, 00:00:01, FastEthernet0/1

Now the prefix list is created, and a distribute list referring to it is applied under the EIGRP process, in the outbound direction towards R7:
R6(config)#ip prefix-list TEST1 deny 192.168.44.0/23 ge 24 le 32 (we have to filter routes with masks of /24 or longer, and the rule states "prefix-length < ge-value <= le-value", so the configured prefix length must be shorter than 24; hence /23)
R6(config)#ip prefix-list TEST1 permit 0.0.0.0/0 le 32 (permit all other routes)
R6#show ip prefix-list 
ip prefix-list TEST1: 2 entries
   seq 5 deny 192.168.44.0/23 ge 24
   seq 10 permit 0.0.0.0/0 le 32
R6(config)#router eigrp 1
R6(config-router)#distribute-list prefix TEST1 out serial 0/1
*Mar  1 00:28:32.875: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.0.10 (Serial0/1) is resync: route configuration changed

Verifying the routing table on R7: the route to 192.168.44.0/24 (and any longer prefixes within it) is now filtered and does not reach R7:
R7#show ip route
...
     172.16.0.0/16 is variably subnetted, 5 subnets, 2 masks
D       172.16.0.12/30 [90/2707456] via 172.16.0.9, 00:03:38, Serial0/0
C       172.16.0.8/30 is directly connected, Serial0/0
D       172.16.0.4/30 [90/2195456] via 172.16.0.9, 00:03:38, Serial0/0
D       172.16.0.0/30 [90/2681856] via 172.16.0.9, 00:03:38, Serial0/0
D       172.16.111.0/24 [90/2297856] via 172.16.0.9, 00:03:38, Serial0/0
D    192.168.55.0/24 [90/2323456] via 172.16.0.9, 00:03:38, Serial0/0
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.0.0.0/30 is directly connected, FastEthernet0/1
R       10.0.200.0/24 [120/1] via 10.0.0.1, 00:00:06, FastEthernet0/1

Note: As with ACLs, prefix lists have an implicit deny at the end, so the "ip prefix-list TEST1 permit 0.0.0.0/0 le 32" entry is necessary after the entries that deny the routes to be filtered.
"0.0.0.0/0 le 32" matches ALL prefix/mask pairs. If this statement is not configured in the prefix list, R6 does not advertise any routes to R7:

R6(config)#no ip prefix-list TEST1 seq 10 permit 0.0.0.0/0 le 32
R6(config)#
*Mar  1 00:47:27.731: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.0.10 (Serial0/1) is resync: route configuration changed
R6#show ip prefix-list 
ip prefix-list TEST1: 1 entries
   seq 5 deny 192.168.44.0/23 ge 24
 
Now R7 does not have any EIGRP routes in the routing table, because all the routes it knew about came from R6:
R7#sho ip route
...
     172.16.0.0/30 is subnetted, 1 subnets
C       172.16.0.8 is directly connected, Serial0/0
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.0.0.0/30 is directly connected, FastEthernet0/1
R       10.0.200.0/24 [120/1] via 10.0.0.1, 00:00:23, FastEthernet0/1

Objective 2: R7 should not learn any EIGRP routes to networks with /30 masks (prefix list TEST1 has been deleted from R6):
R7#show ip route
...
D    192.168.44.0/24 [90/2809856] via 172.16.0.9, 00:00:50, Serial0/0
     172.16.0.0/16 is variably subnetted, 5 subnets, 2 masks
D       172.16.0.12/30 [90/2707456] via 172.16.0.9, 00:00:50, Serial0/0
C       172.16.0.8/30 is directly connected, Serial0/0
D       172.16.0.4/30 [90/2195456] via 172.16.0.9, 00:00:50, Serial0/0
D       172.16.0.0/30 [90/2681856] via 172.16.0.9, 00:00:50, Serial0/0
D       172.16.111.0/24 [90/2297856] via 172.16.0.9, 00:00:50, Serial0/0
D    192.168.55.0/24 [90/2323456] via 172.16.0.9, 00:00:52, Serial0/0
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.0.0.0/30 is directly connected, FastEthernet0/1
R       10.0.200.0/24 [120/1] via 10.0.0.1, 00:00:17, FastEthernet0/1

On R6, configure a new prefix list and a distribute list that refers to it, and apply the distribute list to the EIGRP process:
R6(config)#ip prefix-list TEST2 deny 0.0.0.0/0 ge 30 le 30 (any routes with a /30 mask)
R6(config)#ip prefix-list TEST2 permit 0.0.0.0/0 le 32 (permit all other routes)
R6(config)#router eigrp 1
R6(config-router)#distribute-list prefix TEST2 out serial 0/1
*Mar  1 00:54:32.995: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.0.10 (Serial0/1) is resync: route configuration changed

Verifying the routing table on R7: EIGRP routes with a /30 mask have been filtered by R6 and did not reach R7 (the only /30 routes left in the routing table are connected ones):
R7#show ip route
...
D    192.168.44.0/24 [90/2809856] via 172.16.0.9, 00:09:57, Serial0/0
     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C       172.16.0.8/30 is directly connected, Serial0/0
D       172.16.111.0/24 [90/2297856] via 172.16.0.9, 00:09:57, Serial0/0
D    192.168.55.0/24 [90/2323456] via 172.16.0.9, 00:09:57, Serial0/0
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.0.0.0/30 is directly connected, FastEthernet0/1
R       10.0.200.0/24 [120/1] via 10.0.0.1, 00:00:03, FastEthernet0/1
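As an added example (not part of the original post), the following Python model reproduces the prefix-list matching rules explained above (address part, ge/le length range, first match in sequence order, implicit deny) and runs TEST1 and TEST2 over the EIGRP routes from R7's first routing table. The PrefixListEntry class, the helper functions and the route list are constructed for this example; it also checks a constructed 192.168.45.0/24 route to show that the 192.168.44.0/23 entry in TEST1 covers more than the 192.168.44.x addresses the objective named.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class PrefixListEntry:
    """One 'ip prefix-list NAME seq N {permit|deny} A.B.C.D/len [ge X] [le Y]' line."""
    seq: int
    permit: bool
    prefix: str
    ge: Optional[int] = None
    le: Optional[int] = None

    def __post_init__(self):
        self.net = ipaddress.ip_network(self.prefix)
        plen = self.net.prefixlen
        # Page rule: prefix-length < ge-value <= le-value; no ge/le = exact length only, 'ge X' alone = X..32.
        self.lo = plen if self.ge is None else self.ge
        self.hi = self.le if self.le is not None else (32 if self.ge is not None else plen)
        if self.ge is not None and not plen < self.ge:
            raise ValueError(f"seq {self.seq}: ge-value must exceed the prefix length")
        if not self.lo <= self.hi:
            raise ValueError(f"seq {self.seq}: ge-value must not exceed le-value")

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        # Address part: the route's first prefix-length bits equal the entry's network.
        shift = 32 - self.net.prefixlen
        same_bits = int(route.network_address) >> shift == int(self.net.network_address) >> shift
        return same_bits and self.lo <= route.prefixlen <= self.hi

def route_permitted(entries: List[PrefixListEntry], route: str) -> bool:
    """First matching entry in sequence order decides; no match is the implicit deny."""
    net = ipaddress.ip_network(route)
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.matches(net):
            return entry.permit
    return False

def advertised(entries: List[PrefixListEntry], routes: List[str]) -> List[str]:
    """Routes that survive 'distribute-list prefix NAME out' on R6."""
    return [r for r in routes if route_permitted(entries, r)]

# EIGRP routes R6 advertised to R7 before filtering (from the first 'show ip route').
R6_ROUTES = ["192.168.44.0/24", "172.16.0.12/30", "172.16.0.4/30",
             "172.16.0.0/30", "172.16.111.0/24", "192.168.55.0/24"]
TEST1 = [PrefixListEntry(5, False, "192.168.44.0/23", ge=24, le=32),
         PrefixListEntry(10, True, "0.0.0.0/0", le=32)]
TEST1_NO_PERMIT = TEST1[:1]   # state after 'no ip prefix-list TEST1 seq 10 ...'
TEST2 = [PrefixListEntry(5, False, "0.0.0.0/0", ge=30, le=30),
         PrefixListEntry(10, True, "0.0.0.0/0", le=32)]
```

route_permitted(TEST1, "192.168.45.0/24") returns False because the /23 spans 192.168.44.0 to 192.168.45.255, while route_permitted(TEST1, "192.168.44.0/23") returns True because an exact /23 is shorter than the ge 24 floor.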
