Friday 25 November 2011

Nugget 17
IPv4 Redistribution - Implementing Simple Redistribution Steps 3 & 4

Let's crack on with the next step now that steps 1 & 2 are complete:

Step 3.
Implement distribute-list filtering in such a way that the OSPF domain only sees odd numbered loopback networks coming from R1. Any even numbered subnet (including physical networks) should be hidden from OSPF.

So looking at the diagram again, we are going to need to advertise only the following loopbacks to OSPF:

Advertise the ODD Routes
10.1.1.0/24
10.1.3.0/24
10.1.5.0/24

BUT hide the EVEN routes:

10.1.0.0/24
10.1.2.0/24
10.1.4.0/24
10.1.6.0/24

and including the physical interface;
10.1.12.0/24


Let's create an ACL that the distribute-list can use (always try to give the ACL a descriptive name so we know what it does!):

R2(config)#ip access-list standard ODD-OSPF-NETWORKS
R2(config-std-nacl)#permit 10.1.1.0 0.0.0.255
R2(config-std-nacl)#permit 10.1.3.0 0.0.0.255
R2(config-std-nacl)#permit 10.1.5.0 0.0.0.255


Let's apply the ACL so it actually does something. This is done under the OSPF process:

R2(config-std-nacl)#router ospf 1
R2(config-router)#distribute-list ODD-OSPF-NETWORKS ?
  in   Filter incoming routing updates
  out  Filter outgoing routing updates


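So the direction is key here. This is done from R2's perspective, so we want to filter the routes we advertise OUT to R3. In OSPF, an outbound distribute-list only filters the external routes this router redistributes into OSPF, which is exactly what R2 is doing here.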







So now we know the direction, let's check the routes we can see on R3 before we apply the distribute-list:




R3#show ip route

     10.0.0.0/8 is variably subnetted, 17 subnets, 3 masks
C       10.1.11.0/30 is directly connected, Loopback11
C       10.1.10.0/24 is directly connected, Loopback10
C       10.1.9.0/24 is directly connected, Loopback9
C       10.1.8.0/24 is directly connected, Loopback8
C       10.1.11.4/30 is directly connected, Loopback12
O E2    10.1.12.1/32 [110/100] via 10.1.23.2, 00:59:49, Serial1/0
O E2    10.1.12.0/24 [110/100] via 10.1.23.2, 00:59:49, Serial1/0
O E2    10.1.3.0/24 [110/100] via 10.1.23.2, 00:59:49, Serial1/0
C       10.1.11.8/30 is directly connected, Loopback13
C       10.1.2.0/24 is directly connected, FastEthernet0/0
O E2    10.1.1.0/24 [110/100] via 10.1.23.2, 00:59:49, Serial1/0
O E2    10.1.0.0/24 [110/100] via 10.1.23.2, 00:59:49, Serial1/0
C       10.1.7.0/24 is directly connected, Loopback7
O E2    10.1.6.0/24 [110/100] via 10.1.23.2, 00:59:49, Serial1/0
O E2    10.1.5.0/24 [110/100] via 10.1.23.2, 00:59:49, Serial1/0
O E2    10.1.4.0/24 [110/100] via 10.1.23.2, 00:59:49, Serial1/0
C       10.1.23.0/24 is directly connected, Serial1/0


So notice we have even and odd routes being seen in OSPF. Let's apply the distribute-list:

R2(config-std-nacl)#router ospf 1
R2(config-router)#distribute-list ODD-OSPF-NETWORKS out

I'm all excited!! Let's jump over and check R3!!!


R3#show ip route

     10.0.0.0/8 is variably subnetted, 12 subnets, 2 masks
C       10.1.11.0/30 is directly connected, Loopback11
C       10.1.10.0/24 is directly connected, Loopback10
C       10.1.9.0/24 is directly connected, Loopback9
C       10.1.8.0/24 is directly connected, Loopback8
C       10.1.11.4/30 is directly connected, Loopback12
O E2    10.1.3.0/24 [110/100] via 10.1.23.2, 01:07:10, Serial1/0
C       10.1.11.8/30 is directly connected, Loopback13
C       10.1.2.0/24 is directly connected, FastEthernet0/0
O E2    10.1.1.0/24 [110/100] via 10.1.23.2, 01:07:10, Serial1/0
C       10.1.7.0/24 is directly connected, Loopback7
O E2    10.1.5.0/24 [110/100] via 10.1.23.2, 01:07:10, Serial1/0
C       10.1.23.0/24 is directly connected, Serial1/0



SWEEEET! sure enough we are now only seeing the ODD numbered subnets from the EIGRP domain :0)

STEP 3 COMPLETE

P.S
R2#show ip access-list ODD-OSPF-NETWORKS
Standard IP access list ODD-OSPF-NETWORKS
    permit 10.1.1.0, wildcard bits 0.0.0.255 (1 match)<----
    permit 10.1.3.0, wildcard bits 0.0.0.255 (1 match)<----
    permit 10.1.5.0, wildcard bits 0.0.0.255 (1 match)<---- YEAH BOI!
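
How the standard ACL in Step 3 decides which routes get through, as an added example that is not part of the original post. The function names and the single-entry wildcard variant (`0.0.254.255`) are assumptions for illustration; that variant is broader than the three-line ACL because it matches any odd third octet under 10.1. A standard ACL in a distribute-list compares only the route's network address, so a longer prefix inside a permitted /24 also passes.

```python
import ipaddress

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def ace_matches(base, wildcard, address):
    """Wildcard bits set to 1 are ignored; bits set to 0 must equal the base."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(address) & care) == (to_int(base) & care)

def acl_permits(acl, route):
    """First matching entry wins; no match means the implicit deny."""
    address = route.split("/")[0]   # the prefix length is never compared
    for action, base, wildcard in acl:
        if ace_matches(base, wildcard, address):
            return action == "permit"
    return False

def advertised(acl, routes):
    return [r for r in routes if acl_permits(acl, r)]

# The ACL from the post.
ODD_OSPF_NETWORKS = [
    ("permit", "10.1.1.0", "0.0.0.255"),
    ("permit", "10.1.3.0", "0.0.0.255"),
    ("permit", "10.1.5.0", "0.0.0.255"),
]
# Assumption (not in the post): one entry that ignores every bit of the third
# octet except the lowest, so it matches any odd third octet under 10.1.
ODD_SINGLE_ENTRY = [("permit", "10.1.1.0", "0.0.254.255")]

# The O E2 routes R3 shows before the filter is applied.
E2_ROUTES = ["10.1.12.1/32", "10.1.12.0/24", "10.1.3.0/24", "10.1.1.0/24",
             "10.1.0.0/24", "10.1.6.0/24", "10.1.5.0/24", "10.1.4.0/24"]

if __name__ == "__main__":
    print(advertised(ODD_OSPF_NETWORKS, E2_ROUTES))
    print(advertised(ODD_SINGLE_ENTRY, E2_ROUTES))
    # Constructed route: a longer prefix still passes, the mask is not checked.
    print(acl_permits(ODD_OSPF_NETWORKS, "10.1.1.128/25"))
```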





Step 4.
Implement route-map filtering in such a way that the EIGRP domain does not see routes with a more specific subnet mask than /24.

So we could just accomplish this with an ACL and specify that only the /24 routes are permitted, but that's boring, so we are going to check out prefix-lists!

So prefix-lists are here to help us get very specific with subnet masks in route filtering and BGP; however, we can also use them for route redistribution (remember to give them a meaningful name, just like the ACLs).

So prefix-lists work by giving the prefix-list a name, then saying whether we would like to permit/deny the general network and mask, then we allow the specific mask lengths:


R2(config)#ip prefix-list /24-MASK permit 10.0.0.0/8 ?
  ge  Minimum prefix length to be matched
  le  Maximum prefix length to be matched
  <cr>


So if I was to press enter now, it would allow JUST that exact prefix, 10.0.0.0/8 (Class A), so we would be denying pretty much everything, including the WAN links (the name of the prefix-list is /24-MASK).


R2(config)#ip prefix-list /24-MASK permit 10.0.0.0/8 le 24

So take the above command. As an example, let's say a route of 10.1.7.0/24 comes into R2. The router will check the prefix-list and check that the route belongs to the 10. network (Class A 10.0.0.0/8), which it does. Next it will see if the mask is LESS than or equal to /24; in this case, yes, it is equal to /24, so the router PERMITs the route to pass over to the other side.

HOWEVER, 10.1.11.8/30 is not LESS than or equal to /24; it is GREATER than /24, so it matches nothing and falls through to the implicit deny at the end of the prefix-list.



R2(config)#ip prefix-list /24-MASK permit 10.0.0.0/8 le 24
So it's kind of a range really, from the 10.0.0.0/8 ------> le or ge /24 or /30. Soooo you can do this:


R2(config)#ip prefix-list /24-MASK permit 10.0.0.0/8 ge 16 le 24

How kool is that! We can really pin down which subnets are allowed, within a range!
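
The ge/le matching described above, written out as an added example that is not part of the original post. It runs the three prefix-list variants discussed (exact 10.0.0.0/8, `le 24`, and `ge 16 le 24`) over the D EX routes R1 sees before filtering; the class and function names are hypothetical, and the 10.0.0.0/8 route is constructed to show where the variants differ.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    prefix: str                  # e.g. "10.0.0.0/8"
    ge: Optional[int] = None
    le: Optional[int] = None

    def length_range(self):
        base_len = ipaddress.ip_network(self.prefix).prefixlen
        if self.ge is None and self.le is None:
            return base_len, base_len          # no ge/le: exact length only
        low = self.ge if self.ge is not None else base_len
        high = self.le if self.le is not None else 32
        return low, high

    def matches(self, route):
        base = ipaddress.ip_network(self.prefix)
        net = ipaddress.ip_network(route)
        low, high = self.length_range()
        # Leading bits must fall inside the base prefix AND the length must fit.
        return net.subnet_of(base) and low <= net.prefixlen <= high

def permitted(prefix_list, routes):
    """First matching entry wins; a route matching nothing is implicitly denied."""
    result = []
    for route in routes:
        action = next((e.action for e in prefix_list if e.matches(route)), "deny")
        if action == "permit":
            result.append(route)
    return result

# The D EX routes R1 shows before the route-map is applied, plus one
# constructed route (10.0.0.0/8) to separate the three variants.
ROUTES = ["10.1.11.0/30", "10.1.10.0/24", "10.1.9.0/24", "10.1.8.0/24",
          "10.1.11.4/30", "10.1.11.8/30", "10.1.7.0/24", "10.1.23.0/24",
          "10.0.0.0/8"]

LE_24 = [Entry("permit", "10.0.0.0/8", le=24)]            # as configured
EXACT = [Entry("permit", "10.0.0.0/8")]                   # just pressing enter
GE16_LE24 = [Entry("permit", "10.0.0.0/8", ge=16, le=24)]

if __name__ == "__main__":
    for name, pl in (("le 24", LE_24), ("exact", EXACT), ("ge 16 le 24", GE16_LE24)):
        print(name, permitted(pl, ROUTES))
```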

So now we can create a route-map which can use the prefix-list. A route-map is pretty much if and then statements, but they are actually called match and set, you'll see:


R2(config)#route-map FILTER_OSPF_TO_EIGRP
R2(config-route-map)#match ip address prefix-list /24-MASK



R2#show route-map FILTER_OSPF_TO_EIGRP
route-map FILTER_OSPF_TO_EIGRP, permit, sequence 10
  Match clauses:
    ip address prefix-lists: /24-MASK
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes


So the route-map is permitting (that's the default) anything that matches the prefix-list /24-MASK.

NOW the kool part: we need to go under the EIGRP process and apply it to the redistribution!
But first, let's just check the routes that R1 can see now:


R1#show ip route

     10.0.0.0/8 is variably subnetted, 17 subnets, 3 masks
D EX    10.1.11.0/30 [170/26137600] via 10.1.12.2, 01:45:44, Serial0/0
D EX    10.1.10.0/24 [170/26137600] via 10.1.12.2, 01:45:44, Serial0/0
D EX    10.1.9.0/24 [170/26137600] via 10.1.12.2, 01:45:44, Serial0/0
D EX    10.1.8.0/24 [170/26137600] via 10.1.12.2, 01:45:44, Serial0/0
D EX    10.1.11.4/30 [170/26137600] via 10.1.12.2, 01:45:44, Serial0/0
C       10.1.12.2/32 is directly connected, Serial0/0
C       10.1.12.0/24 is directly connected, Serial0/0
D EX    10.1.11.8/30 [170/26137600] via 10.1.12.2, 01:45:44, Serial0/0
C       10.1.3.0/24 is directly connected, Loopback3
C       10.1.2.0/24 is directly connected, Ethernet0/0
C       10.1.1.0/24 is directly connected, Loopback1
C       10.1.0.0/24 is directly connected, Loopback0
D EX    10.1.7.0/24 [170/26137600] via 10.1.12.2, 01:45:44, Serial0/0
C       10.1.6.0/24 is directly connected, Loopback6
C       10.1.5.0/24 is directly connected, Loopback5
C       10.1.4.0/24 is directly connected, Loopback4
D EX    10.1.23.0/24 [170/26137600] via 10.1.12.2, 01:46:01, Serial0/0



R2(config)#router eigrp 100
R2(config-router)#redistribute ospf 1 metric 100 100 100 100 100 route-map FILTER_OSPF_TO_EIGRP



R1#show ip route

     10.0.0.0/8 is variably subnetted, 14 subnets, 2 masks
D EX    10.1.10.0/24 [170/26137600] via 10.1.12.2, 01:47:23, Serial0/0
D EX    10.1.9.0/24 [170/26137600] via 10.1.12.2, 01:47:23, Serial0/0
D EX    10.1.8.0/24 [170/26137600] via 10.1.12.2, 01:47:23, Serial0/0
C       10.1.12.2/32 is directly connected, Serial0/0
C       10.1.12.0/24 is directly connected, Serial0/0
C       10.1.3.0/24 is directly connected, Loopback3
C       10.1.2.0/24 is directly connected, Ethernet0/0
C       10.1.1.0/24 is directly connected, Loopback1
C       10.1.0.0/24 is directly connected, Loopback0
D EX    10.1.7.0/24 [170/26137600] via 10.1.12.2, 01:47:23, Serial0/0
C       10.1.6.0/24 is directly connected, Loopback6
C       10.1.5.0/24 is directly connected, Loopback5
C       10.1.4.0/24 is directly connected, Loopback4
D EX    10.1.23.0/24 [170/26137600] via 10.1.12.2, 01:47:39, Serial0/0



YAYE! It works! Only the /24 subnets are showing.
So to confirm and clarify:


R2#show route-map FILTER_OSPF_TO_EIGRP
route-map FILTER_OSPF_TO_EIGRP, permit, sequence 10
  Match clauses:
    ip address prefix-lists: /24-MASK
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
<-- won't see matches here as we are not performing policy routing (yet)


R2#show ip prefix-list /24-MASK
ip prefix-list /24-MASK: 1 entries
   seq 5 permit 10.0.0.0/8 le 24



NUGGET COMPLETE, ROLL on the advanced lab!