Monday, March 28, 2011

notes: RIP Filtering

*===================================*
Filtering
*===================================*

- RIP can filter routes with distribute-lists, offset-lists and the distance command. All three act on routing updates (what gets learned or advertised), not on data traffic.
- Inbound filtering can be source based, like the distribute-list/ACL example below.
- To match on the subnet mask as well as the network address, use prefix-lists; an ACL only sees the network address.
- In an offset-list, access-list "0" means "no ACL" and matches all routes, so the offset-list then modifies every incoming or outgoing update.
- If no interface is specified, the offset-list modifies the incoming or outgoing updates selected by the access list on every interface.


1. Distribute-lists
- can reference either a prefix-list or an ACL to select routes; the gateway option uses a second prefix-list to select the neighbor (update source)

a. using prefix-list to filter routes coming in or out

config set1:

router rip
distribute-list prefix RIP_FILTER_TO_SW2 out FastEthernet0/0
distribute-list prefix PERMIT_ALL gateway NOT_FROM_R4 in
!
ip prefix-list NOT_FROM_R4 seq 5 deny 155.1.0.4/32
ip prefix-list NOT_FROM_R4 seq 10 permit 0.0.0.0/0 le 32
!
ip prefix-list PERMIT_ALL seq 5 permit 0.0.0.0/0 le 32
!
ip prefix-list RIP_FILTER_TO_SW2 seq 5 deny 30.0.0.0/14
ip prefix-list RIP_FILTER_TO_SW2 seq 10 deny 31.0.0.0/14
ip prefix-list RIP_FILTER_TO_SW2 seq 15 permit 0.0.0.0/0 le 32

note: a prefix-list entry without ge/le matches only that exact prefix length, so "deny 30.0.0.0/14" stops 30.0.0.0/14 itself but lets a more specific route such as 30.1.0.0/16 through to seq 15. To deny every subnet inside the block, write "deny 30.0.0.0/14 le 32".



config set2:

note: this accepts only the route 10.0.0.0/8 (exact length, no ge/le), and only when it is received from neighbor 1.2.3.4; every other route and every other neighbor is dropped by the implicit deny at the end of each prefix-list.
router rip
distribute-list prefix ROUTE gateway SOURCE in
!
ip prefix-list ROUTE permit 10.0.0.0/8
ip prefix-list SOURCE permit 1.2.3.4/32




- Filters all routes from a neighbor (or set of neighbors) using gateway. The gateway keyword is only valid for inbound filtering, since the update source is what is being matched.

distribute-list gateway {prefix-list} in [interface]

- Filters specific prefixes from a specific source from entering the routing table

distribute-list prefix {prefix-routes} gateway {prefix-source} in [interface]

- i.e. filter routes coming from a particular neighbor or gateway:

ip prefix-list only24 seq 5 permit 0.0.0.0/0 ge 24 le 24   --allow only /24 routes
!
ip prefix-list badgateway seq 5 permit 208.102.37.113/32
!
router rip
distribute-list prefix only24 gateway badgateway in

note: the keyword is "prefix", not "prefix-list". Because badgateway is a permit entry (with the implicit deny behind it), this accepts /24 routes only from 208.102.37.113 and drops every other neighbor's updates. To drop that one neighbor instead, make the entry a deny followed by "permit 0.0.0.0/0 le 32", as NOT_FROM_R4 does above.


b. using Access-list to filter routes coming in or out

standard ACL

router rip
distribute-list 1 in Serial0/0
!
access-list 1 permit 0.0.1.0 255.255.254.255

note: the wildcard leaves only the low bit of the third octet significant, so this permits routes whose third octet is odd (10.1.1.0, 10.1.3.0, ...) and drops the even ones. A standard ACL in a distribute-list is tested against the route's network address only, never its mask.

extended ACL

router rip
distribute-list 100 in
!
access-list 100 permit ip host 1.2.3.4 host 10.0.0.0

note: in an extended ACL used by a distribute-list, the source field matches the neighbor the update came from and the destination field matches the route's network address. This accepts the route 10.0.0.0 only from 1.2.3.4. The destination wildcard does not match the prefix length; use a prefix-list for that.
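The matching rules the distribute-list examples above rely on (first match in sequence order, implicit deny, exact-length matching unless ge/le is given, the gateway list applied to the update source, and a wildcard mask tested against the network address only) are easy to get wrong at the CLI. The Python model below is an added example written for these notes, not Cisco code: it parses the prefix-lists from config set1 plus the only24/badgateway pair, then runs a constructed set of inbound updates through them. The updates, the neighbor addresses and the function names are assumptions made for the example.

```python
"""Model of IOS distribute-list matching: prefix-list with ge/le, gateway
prefix-list and standard wildcard ACL.  Added example, not Cisco code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass
class PrefixEntry:
    seq: int
    permit: bool
    prefix: IPv4Net
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, net: IPv4Net) -> bool:
        # Route must lie inside the entry's prefix and its length must fall in
        # the ge/le window.  Without ge/le the window is the entry's own
        # length (exact match): "deny 30.0.0.0/14" leaves 30.1.0.0/16 alone.
        if not self.prefix.supernet_of(net):
            return False
        lo = self.ge if self.ge is not None else self.prefix.prefixlen
        if self.le is not None:
            hi = self.le
        elif self.ge is not None:
            hi = 32                      # "ge N" alone means N..32
        else:
            hi = self.prefix.prefixlen
        return lo <= net.prefixlen <= hi


def parse_prefix_lists(config: str) -> Dict[str, List[PrefixEntry]]:
    """Parse 'ip prefix-list NAME [seq N] permit|deny A.B.C.D/L [ge X] [le Y]'."""
    lists: Dict[str, List[PrefixEntry]] = {}
    for raw in config.splitlines():
        tok = raw.split()
        if tok[:2] != ["ip", "prefix-list"]:
            continue
        name = tok[2]
        if tok[3] == "seq":
            seq, rest = int(tok[4]), tok[5:]
        else:                            # IOS auto-numbers entries in steps of 5
            seq, rest = 5 * (len(lists.get(name, [])) + 1), tok[3:]
        action, prefix, opts = rest[0], rest[1], rest[2:]
        kw = dict(zip(opts[0::2], map(int, opts[1::2])))   # e.g. {"ge": 24, "le": 24}
        lists.setdefault(name, []).append(
            PrefixEntry(seq, action == "permit", IPv4Net(prefix, strict=False),
                        kw.get("ge"), kw.get("le")))
    for entries in lists.values():
        entries.sort(key=lambda e: e.seq)  # evaluated in sequence order
    return lists


def prefix_list_permits(entries: List[PrefixEntry], net: IPv4Net) -> bool:
    for e in entries:                    # first matching entry decides
        if e.matches(net):
            return e.permit
    return False                         # implicit deny at the end of every list


def wildcard_permits(acl: List[Tuple[bool, str, str]], addr: str) -> bool:
    """Standard ACL as (permit, address, wildcard) entries; 1-bits in the
    wildcard are don't-care bits.  Tested against the network address only."""
    a = int(ipaddress.IPv4Address(addr))
    for permit, base, wild in acl:
        b, w = int(ipaddress.IPv4Address(base)), int(ipaddress.IPv4Address(wild))
        if (a & ~w) == (b & ~w):
            return permit
    return False                         # implicit deny


def distribute_list_in(updates, route_list=None, gateway_list=None):
    """'distribute-list prefix ROUTE gateway SOURCE in': an update
    (neighbour, network) survives only if the neighbour passes the gateway
    list AND the network passes the route list.  None = list not configured."""
    accepted = []
    for src, net in updates:
        if gateway_list is not None and not prefix_list_permits(gateway_list, IPv4Net(src + "/32")):
            continue
        if route_list is not None and not prefix_list_permits(route_list, IPv4Net(net, strict=False)):
            continue
        accepted.append((src, net))
    return accepted


# Prefix-lists from config set1 above plus the only24/badgateway pair.
CONFIG = """
ip prefix-list NOT_FROM_R4 seq 5 deny 155.1.0.4/32
ip prefix-list NOT_FROM_R4 seq 10 permit 0.0.0.0/0 le 32
ip prefix-list PERMIT_ALL seq 5 permit 0.0.0.0/0 le 32
ip prefix-list RIP_FILTER_TO_SW2 seq 5 deny 30.0.0.0/14
ip prefix-list RIP_FILTER_TO_SW2 seq 10 deny 31.0.0.0/14
ip prefix-list RIP_FILTER_TO_SW2 seq 15 permit 0.0.0.0/0 le 32
ip prefix-list only24 seq 5 permit 0.0.0.0/0 ge 24 le 24
ip prefix-list badgateway seq 5 permit 208.102.37.113/32
"""
LISTS = parse_prefix_lists(CONFIG)

# Constructed inbound updates: (advertising neighbour, network).
UPDATES = [
    ("155.1.0.4", "10.0.0.0/8"),            # dropped by NOT_FROM_R4
    ("155.1.0.5", "10.0.0.0/8"),
    ("208.102.37.113", "192.0.2.0/24"),
    ("208.102.37.113", "192.0.2.0/25"),     # not a /24: dropped by only24
    ("155.1.0.5", "198.51.100.0/24"),       # wrong neighbour for badgateway
]

if __name__ == "__main__":
    print("set1 inbound:", distribute_list_in(UPDATES, LISTS["PERMIT_ALL"], LISTS["NOT_FROM_R4"]))
    print("only24/badgateway:", distribute_list_in(UPDATES, LISTS["only24"], LISTS["badgateway"]))
    for p in ("30.0.0.0/14", "30.1.0.0/16"):
        print(p, "permitted to SW2:", prefix_list_permits(LISTS["RIP_FILTER_TO_SW2"], IPv4Net(p)))
    for n in ("10.1.1.0", "10.1.2.0"):
        print(n, "odd third octet:", wildcard_permits([(True, "0.0.1.0", "255.255.254.255")], n))
```

Running it shows the two points worth remembering: RIP_FILTER_TO_SW2 blocks 30.0.0.0/14 but passes 30.1.0.0/16 because the deny entries carry no le, and the only24/badgateway pair keeps exactly one update, the /24 from 208.102.37.113, because the gateway list's implicit deny discards every other neighbor.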


2. Offset-list

- An offset-list adds a value (0 to 16) to the metric of the matched routes, so it can only increase the metric, never decrease it.
- An offset-list can also be used to filter routes: an offset of 16 pushes the metric to RIP's infinity, which makes the route unreachable and keeps it out of the routing table.

configset1:

access-list 1 permit 10.33.0.0 0.0.0.0
!
router rip
network 10.0.0.0
offset-list 1 in 2 Serial0

note: only the route 10.33.0.0, and only when learned on Serial0, gets 2 added to its metric; "offset-list 1 in 16 Serial0" would make that route unreachable instead.

configset2:

router rip
offset-list 0 out 5 FastEthernet0/0.146

note: all routes going to fa0/0.146 will have an additional metric of 5.


3. Distance (administrative distance)

Even though administrative distance is locally significant to the router, the RIP
process, like the EIGRP process, cannot advertise a route that is not actually
installed in the routing table. Raising the AD to 255 therefore filters a route
both locally and downstream.

distance {AD} {source-address} {wildcard-mask} [acl-number]

configset1:

router rip
distance 255 0.0.0.0 255.255.255.255 1
!
access-list 1 permit 150.1.4.0

note: 0.0.0.0 255.255.255.255 - is from any source.

By setting the distance of the route 150.1.4.0 to 255 (from any source), the
route is never installed in the routing table, and hence is never advertised
to any neighbor. The ACL matches the route's network address; the source/wildcard
pair matches the neighbor the update came from.

configset2:

router rip
distance 55 150.0.1.1 0.0.0.0


note: all routes advertised by the neighbor 150.0.1.1 will be installed with an administrative distance of 55 instead of RIP's default of 120; routes from every other neighbor keep the default.
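The offset-list and distance sections above describe two steps a router applies to a learned route before it is installed, and both can stop the route from being installed at all (metric at 16, or AD 255), which in turn stops it from being advertised on. The Python model below is an added example written for these notes, not Cisco code; it encodes the offset-list configset1 and both distance configsets, then runs a constructed set of updates through them. The update contents, the assumption that an interface-specific offset-list is listed ahead of a global one, and the function names are all assumptions made for the example; the +1 hop RIP adds on receipt is left out, the metric field is taken as the value IOS already counts.

```python
"""Model of the inbound RIP pipeline described in these notes: offset-list
(metric bumped, capped at infinity 16), then the distance command (AD per
source, 255 = reject), then install.  Added example, not Cisco code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RIP_INFINITY = 16                        # metric 16 = unreachable in RIP


@dataclass
class OffsetList:
    networks: Optional[List[str]]        # networks the ACL permits; None = "offset-list 0" (all)
    direction: str                       # "in" or "out"
    offset: int                          # 0..16
    interface: Optional[str] = None      # None = every interface


@dataclass
class DistanceRule:                      # distance AD source wildcard [acl]
    ad: int
    source: str
    wildcard: str
    networks: Optional[List[str]] = None  # None = no ACL: every route from that source


@dataclass
class Update:
    source: str
    interface: str
    network: str
    metric: int


def wildcard_match(addr: str, base: str, wild: str) -> bool:
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
    return (a & ~w) == (b & ~w)          # 1-bits in the wildcard are don't-care


def apply_offset(u: Update, offsets: List[OffsetList]) -> int:
    """Metric after the first applicable inbound offset-list (assumption:
    interface-specific lists are listed before the global one)."""
    for o in offsets:
        if o.direction != "in" or o.interface not in (None, u.interface):
            continue
        if o.networks is not None and u.network not in o.networks:
            continue
        return min(u.metric + o.offset, RIP_INFINITY)   # IOS never exceeds 16
    return u.metric


def select_distance(u: Update, rules: List[DistanceRule], default: int = 120) -> int:
    """First matching distance command wins; RIP's default AD is 120."""
    for r in rules:
        if wildcard_match(u.source, r.source, r.wildcard) and \
           (r.networks is None or u.network in r.networks):
            return r.ad
    return default


def process_inbound(updates: List[Update], offsets: List[OffsetList],
                    rules: List[DistanceRule]) -> Dict[str, Tuple[int, int]]:
    """Return {network: (metric, AD)} for routes that get installed.  Only
    these can be advertised on; an unreachable or AD-255 route goes nowhere."""
    installed: Dict[str, Tuple[int, int]] = {}
    for u in updates:
        metric = apply_offset(u, offsets)
        if metric >= RIP_INFINITY:
            continue                     # offset pushed it to infinity: unreachable
        ad = select_distance(u, rules)
        if ad == 255:
            continue                     # distance 255: rejected, never installed
        if u.network not in installed or metric < installed[u.network][0]:
            installed[u.network] = (metric, ad)   # lowest metric wins within RIP
    return installed


# configset1 of the offset-list section and configset1/2 of the distance section.
OFFSETS = [OffsetList(["10.33.0.0"], "in", 2, "Serial0")]            # offset-list 1 in 2 Serial0
RULES = [
    DistanceRule(255, "0.0.0.0", "255.255.255.255", ["150.1.4.0"]),  # distance 255 0.0.0.0 255.255.255.255 1
    DistanceRule(55, "150.0.1.1", "0.0.0.0"),                        # distance 55 150.0.1.1 0.0.0.0
]
# Constructed updates (neighbour, ingress interface, network, metric).
UPDATES = [
    Update("150.0.1.1", "Serial0", "10.33.0.0", 3),          # +2 offset, AD 55
    Update("150.0.1.1", "Serial0", "150.1.4.0", 1),          # AD 255: rejected
    Update("155.1.0.5", "Serial0", "10.33.0.0", 15),         # 15 + 2 -> capped at 16: unreachable
    Update("155.1.0.5", "FastEthernet0/0", "172.16.0.0", 4), # no offset-list, default AD 120
]

if __name__ == "__main__":
    for net, (metric, ad) in process_inbound(UPDATES, OFFSETS, RULES).items():
        print(f"{net:<12} metric {metric:>2}  AD {ad}")
```

The result table has two entries: 10.33.0.0 with metric 5 and AD 55, and 172.16.0.0 with metric 4 and AD 120. 150.1.4.0 never appears because distance 255 rejects it regardless of source, and the second 10.33.0.0 update never appears because the offset carried it to 16.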
