Sunday, September 22, 2013

RIP Distribute-lists and the Extended ACL

Here’s a neat trick that’s an easy one to screw up or forget the syntax on.  In RIP (and EIGRP as well I believe) you can use an extended access-list to filter out specific routes advertised by specific neighbours.  This is done using the source and destination fields of the extended ACL to specify source of the routing update, and the route(s) you want to filter respectively.

Example after the jump.


I’ve got the following topology set up for this example:




The config on each router is very basic.  I’ve configured the interfaces with IP addresses, and enabled RIPv2 on all links (auto-summary is enabled, but that is irrelevant here).  Nothing else fancy has been done.

To demonstrate I’m going to use R3 and filter routes inbound with a distribute-list. Let’s take a look at our routing table and the RIP routes we currently have.


R3(config-router)#do sh ip ro rip
R    1.0.0.0/8 [120/2] via 10.23.13.13, 00:00:25, FastEthernet0/1
               [120/2] via 10.23.13.2, 00:00:26, FastEthernet0/1
     10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
R       10.1.13.0/24 [120/1] via 10.23.13.13, 00:00:25, FastEthernet0/1
R       10.1.12.0/24 [120/2] via 10.23.13.13, 00:00:25, FastEthernet0/1
                     [120/2] via 10.23.13.2, 00:00:26, FastEthernet0/1
R       10.1.2.1/32 [120/1] via 10.23.13.2, 00:00:26, FastEthernet0/1
R       10.1.2.0/24 [120/2] via 10.23.13.13, 00:00:25, FastEthernet0/1
R       10.1.2.2/32 [120/1] via 10.23.13.2, 00:00:26, FastEthernet0/1
R       10.11.12.0/24 [120/3] via 10.23.13.13, 00:00:25, FastEthernet0/1
                      [120/3] via 10.23.13.2, 00:00:26, FastEthernet0/1

You can see that we have multiple paths for both the 1.0.0.0/8 route, and the 10.1.12.0 route.  We’ll use these routes as our test routes to demonstrate the feature in question.

But first, let’s just do a simple example to show the concept. I’m going to apply the following ACL as an inbound distribute list on R3.

access-list 102 permit ip host 10.23.13.13 host 1.0.0.0

Before I do though let’s walk through it.  The access-list 102 permit ip should be straightforward. Next is the short notation for 10.23.13.13 0.0.0.0, or anything that exactly matches 10.23.13.13.  The last field is the same but for 1.0.0.0.  Now under normal ACL operation those fields are the source and destination fields respectively.  However, normal operation is to match traffic, and we’re matching routing updates.  Instead these fields specify the routing source, and the actual route itself. 

If we look at our routing table we should be able to figure out that this is going to match the 1.0.0.0 route, and that it’s going to match the entry we have originating from 10.23.13.13 and not the entry we have from 10.23.13.2.

R    1.0.0.0/8 [120/2] via 10.23.13.13, 00:00:25, FastEthernet0/1
               [120/2] via 10.23.13.2, 00:00:26, FastEthernet0/1

Or at least we hope that’s what this is going to match!

Let’s apply the ACL via a distribute-list and verify that this works as intended.

R3(config)#access-list 102 permit ip host 10.23.13.13 host 1.0.0.0
R3(config)#router rip
R3(config-router)# distribute-list 102 in
R3(config-router)#end
R3#cl
*Sep 23 02:26:07.395: %SYS-5-CONFIG_I: Configured from console by console
R3#clear ip ro *

The clearing of the routing table is just because I’m too impatient to wait for RIP to converge…

Shall we take a look at our routing table now?


R3#sh ip ro rip
R    1.0.0.0/8 [120/2] via 10.23.13.13, 00:00:21, FastEthernet0/1
R3#

Oooh, ouch.  That trimmed out a few things…

Think about it though.  This is a good example of how the logic works in the feature we’re looking at here.  We created an ACL that permitted 1.0.0.0 from 10.23.13.13 and applied it inbound for the entire RIP process.  And that’s exactly what we got: routes that match 1.0.0.0 from 10.23.13.13 are permitted!  Everything else has been discarded.

So let’s modify our ACL a bit to deny the route instead of permitting it, and then we’ll add on a permit any any so that everything else will still make it into the routing table.


R3(config)#no access-list 102
R3(config)#access-list 102 deny ip host 10.23.13.13 host 1.0.0.0
R3(config)#access-list 102 permit ip any any
R3(config)#do clear ip ro *
R3(config)#
R3(config)#do sh ip ro rip
R    1.0.0.0/8 [120/2] via 10.23.13.2, 00:00:09, FastEthernet0/1
     10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
R       10.1.13.0/24 [120/1] via 10.23.13.13, 00:00:09, FastEthernet0/1
R       10.1.12.0/24 [120/2] via 10.23.13.13, 00:00:09, FastEthernet0/1
                     [120/2] via 10.23.13.2, 00:00:09, FastEthernet0/1
R       10.1.2.1/32 [120/1] via 10.23.13.2, 00:00:09, FastEthernet0/1
R       10.1.2.0/24 [120/2] via 10.23.13.13, 00:00:09, FastEthernet0/1
R       10.1.2.2/32 [120/1] via 10.23.13.2, 00:00:09, FastEthernet0/1
R       10.11.12.0/24 [120/3] via 10.23.13.13, 00:00:09, FastEthernet0/1
                      [120/3] via 10.23.13.2, 00:00:09, FastEthernet0/1

Now we’re talking.  We have our routes back, and this time only the 1.0.0.0/8 route from 10.23.13.13 is filtered out.

Very cool.

Let’s take this one step further and filter out the 10.1.12.0/24 route, but from 10.23.13.2 and not 10.23.13.13, using the same ACL.

R3(config)#no access-list 102
R3(config)#access-list 102 deny ip host 10.23.13.13 host 1.0.0.0
R3(config)#access-list 102 deny ip host 10.23.13.2 host 10.1.12.0
R3(config)#access-list 102 permit ip any any
R3(config)#do clear ip ro *
R3(config)#do sh ip ro rip
R    1.0.0.0/8 [120/2] via 10.23.13.2, 00:00:24, FastEthernet0/1
     10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
R       10.1.13.0/24 [120/1] via 10.23.13.13, 00:00:18, FastEthernet0/1
R       10.1.12.0/24 [120/2] via 10.23.13.13, 00:00:18, FastEthernet0/1
R       10.1.2.1/32 [120/1] via 10.23.13.2, 00:00:24, FastEthernet0/1
R       10.1.2.0/24 [120/2] via 10.23.13.13, 00:00:18, FastEthernet0/1
R       10.1.2.2/32 [120/1] via 10.23.13.2, 00:00:24, FastEthernet0/1
R       10.11.12.0/24 [120/3] via 10.23.13.13, 00:00:18, FastEthernet0/1
                      [120/3] via 10.23.13.2, 00:00:24, FastEthernet0/1

I should be a freakin’ magician with the way I can make routes disappear! 

And that’s really all there is to this.  Of course you don’t have to use host entries in the ACL; with wildcard masks you can instead match a range of routes and a range of route sources.  One thing you cannot do is match on the prefix length like you can with prefix lists: the ACL only sees the network address of the route, so 10.1.12.0/24 and 10.1.12.0/25 look the same to it.  If you need to match on prefix length then you’ll have to use a prefix list in the distribute-list.
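As an added example, not code from the original post, here is a small Python model of how IOS evaluates an extended ACL inside an inbound distribute-list: the ACL source field is compared against the neighbour that sent the update, the destination field against the route's network address, first match wins, and every ACL ends with an implicit deny. The ACL lines and the list of updates are constructed from the configuration and routing table shown above; the parser only covers the host/any/wildcard forms used on this page.

```python
import ipaddress
from typing import List, NamedTuple, Tuple

class Ace(NamedTuple):
    action: str     # "permit" or "deny"
    src: str        # routing source: the neighbour that sent the update
    src_wild: str   # wildcard mask, 0.0.0.0 means exact host
    dst: str        # the route itself (network address only)
    dst_wild: str

def parse_ace(line: str) -> Ace:
    """Parse the IOS syntax the post uses: 'access-list N permit|deny ip <src> <dst>',
    each side being 'host A.B.C.D', 'any', or 'A.B.C.D W.W.W.W'."""
    tok = line.split()
    assert tok[0] == "access-list" and tok[2] in ("permit", "deny") and tok[3] == "ip"
    fields, i = [], 4
    for _ in range(2):  # source side first, then destination side
        if tok[i] == "any":
            fields += ["0.0.0.0", "255.255.255.255"]; i += 1
        elif tok[i] == "host":
            fields += [tok[i + 1], "0.0.0.0"]; i += 2
        else:
            fields += [tok[i], tok[i + 1]]; i += 2
    return Ace(tok[2], *fields)

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & (0xFFFFFFFF ^ w) == 0

def permitted(acl: List[Ace], source: str, route: str) -> bool:
    """First-match evaluation with the implicit deny at the end of every ACL.
    Only the network address is compared; the prefix length plays no part."""
    network = str(ipaddress.ip_network(route, strict=False).network_address)
    for ace in acl:
        if wildcard_match(source, ace.src, ace.src_wild) and \
           wildcard_match(network, ace.dst, ace.dst_wild):
            return ace.action == "permit"
    return False

def apply_distribute_list(acl_lines: List[str],
                          updates: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Keep only the (source, route) pairs the ACL permits, as 'distribute-list N in' does."""
    acl = [parse_ace(line) for line in acl_lines]
    return [(s, r) for s, r in updates if permitted(acl, s, r)]

# Constructed sample of the updates R3 receives, taken from the routing table in the post.
UPDATES = [("10.23.13.13", "1.0.0.0/8"), ("10.23.13.2", "1.0.0.0/8"),
           ("10.23.13.13", "10.1.12.0/24"), ("10.23.13.2", "10.1.12.0/24"),
           ("10.23.13.2", "10.1.2.1/32"), ("10.23.13.13", "10.1.13.0/24")]
```

Running the three ACLs from the post through apply_distribute_list reproduces the three routing tables above, and feeding a /25 with the same network address shows why prefix length needs a prefix list instead.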
