Passive Interfaces

The passive -interface command tells an interface to listen to RIP or IGRP routes but not to advertise them. By disabling routing announcements on an interface, we tell the router to "listen but don't talk." This feature can reduce routing load on the CPU by reducing the number of interfaces on which a protocol needs to communicate. For OSPF and EIGRP, this command completely disables route processing for that interface. Use this command only if you know for sure that the routing protocol doesn't need to talk to anything on the specified interface.

In Figure 8-2, Router 1 and Router 2 can be optimized with the passive-interface command. Without getting into the routing protocol specifics, we want to say, "Keep the EIGRP routing on the serial links and keep the RIP routing on the Ethernet interfaces." Here's how:

router eigrp 300
 network 192.168.10.0
 passive-interface ethernet0

Figure 8-2. Using passive interfaces

router rip
 network 192.168.10.0
 passive-interface serial0
 passive-interface serial1

This configuration tells Router 1 and Router 2 not to send any EIGRP updates over the Ethernet interface and not to send RIP updates over the serial links. It doesn't solve the problem of getting routing information from our EIGRP process into RIP and vice versa. We will solve this problem using route redistribution .

EIGRP normally multicasts route information to neighbor routers. But we put EIGRP into passive mode, which turned off all EIGRP processing. If this were IGRP, we could use the neighbor command in conjunction with the passive-interface command to establish the relationship we wanted. The neighbor command tells RIP to send unicast updates to a particular group of routers instead of broadcasting the updates on the link; it allows us to specify which routers should receive updates. (EIGRP ignores the neighbor commandit exists only for backward compatibility with IGRP and has no effect.)

The neighbor command has greater purposes, which we'll explore in Chapter 10.

8.6.1. Route Redistribution

If a router is running two or more routing processes, the processes don't automatically share their routing information. Route redistribution is a particular issue when different routing protocols are involved, but it also comes up when you have two different processes using the same protocol. Figure 8-3 shows a network that uses both RIP and EIGRP.

Figure 8-3. Using route redistribution

Table 8-3 shows what the routing table for each router might look like.

192.168.3.0/24 serial0

192.168.1.0/24 router2

192.168.4.0/24 router3

Table 8-3. Incomplete routing tables without redistribution

Router 1

Router 2

Router 3

192.168.2.0/24 serial1

192.168.1.0/24 ethernet0

192.168.2.0/24 router1

192.168.2.0/24 serial0

192.168.3.0/24 serial1

192.168.3.0/24 router1

192.168.4.0/24 ethernet0

 

Default 172.30.1.2

 

Router 1 knows how to get everywhere in our network. However, the other routers don't have enough information to reach all the destinations. These routing tables have three problems: Router 2 cannot get to Network 2, Router 3 cannot get to Network 1, and neither Router 2 nor Router 3 can get to the Internet.

To look at this correctly, here is the output of show ip route on each router:

Router1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

Gateway of last resort is 172.30.1.2 to network 0.0.0.0

 172.168.0.0/24 is subnetted, 1 subnets
C 172.30.1.0 is directly connected, Ethernet0
D 192.168.4.0/24 [90/2195456] via 192.168.3.2, 00:02:00, Serial0
R 192.168.1.0/24 [120/1] via 192.168.2.2, 00:00:08, Serial1
C 192.168.2.0/24 is directly connected, Serial1
C 192.168.3.0/24 is directly connected, Serial0
S* 0.0.0.0/0 [1/0] via 172.30.1.2

Router2#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

Gateway of last resort is not set

C 192.168.1.0/24 is directly connected, Ethernet0
C 192.168.2.0/24 is directly connected, Serial0
R 192.168.3.0/24 [120/1] via 192.168.2.1, 00:00:26, Serial0

Router3#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

Gateway of last resort is not set

C 192.168.4.0/24 is directly connected, Ethernet0
D 192.168.2.0/24 [90/2681856] via 192.168.3.1, 00:09:35, Serial1
C 192.168.3.0/24 is directly connected, Serial1

We can fix our routing problem in a couple of ways. One option is to run RIP on the EIGRP side of Router 1 and then set static routes on Router 2 and Router 3 to point to the Internet connection. The drawback is that we are relying on static routes; worse, we have static routes to the same destination on two routers. If our Internet connection changes, we'll have to change the configuration on both Router 2 and Router 3. In this example, changing the static routes wouldn't be too much work. But what if there were 20 routers?

The second option, route redistribution, is a much better solution. To implement route redistribution across all the routing protocols on our network, we change Router 1's configuration to use redistribution between RIP and EIGRP:

! Define the static default route for this router and RIP
! We don't use 172.30.1.1 because that is our interface; we want to use
! the IP address of the router at the other end
ip route 0.0.0.0 0.0.0.0 172.30.1.2
!
router rip
 network 192.168.1.0
 network 192.168.2.0
 redistribute static
 redistribute eigrp 100
 passive-interface ethernet0
 default-metric 10
!
router eigrp 100
 network 192.168.3.0
 network 192.168.4.0
 redistribute static
 redistribute rip
 passive-interface serial0
 default-metric 1000 250 255 1 1500

With this configuration, all the routes learned on Router 1 are shared among all the routing protocols. This sharing allows Router 2 and Router 3 to learn how to reach each other's networks and the Internet. Table 8-4 shows that our routing tables are complete. The default-metric statement tells each routing process how to interpret the routes it is receiving from other sources. For example, the default-metric statement for RIP tells it to assign the metric of 10 to routes it receives through redistribution. Since these routes are coming from other protocols, they won't have metrics that make sense to RIP. Likewise, the more complicated default-metric statement for EIGRP tells EIGRP how to interpret the routes it is receiving.

192.168.3.0/24 serial0

192.168.1.0/24 router2

192.168.4.0/24 router3

Default 172.30.1.2

Table 8-4. Routing tables completed by redistribution

Router 1

Router 2

Router 3

192.168.2.0/24 serial1

192.168.1.0/24 ethernet0

192.168.3.0/24 serial1

192.168.2.0/24 serial0

192.168.4.0/24 ethernet0

192.168.3.0/24 router1

192.168.2.0/24 router1

192.168.4.0/24 router1

192.168.1.0/24 router1

Default 172.30.1.2

Default images/U2192.jpg border=0> 172.30.1.2

The only thing left to do is to configure some filters to prevent routing loops from occurring; we'll do that in the next section.

The default-metric command is required for most redistribution to occur. It tells the other protocols what weight to give the learned routes. Without this command, redistribution occurs only between IGRP and EIGRP processes sharing the same process number (in which case, redistribution is automatic). Also, static routes do not require a default-metric in order to redistribute.

Here is the result of show ip route for each router, showing the new routing tables:

Router1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
 U - per-user static route, o - ODR

Gateway of last resort is 172.30.1.2 to network 0.0.0.0

 172.30.0.0/16 is variably subnetted, 2 subnets, 2 masks
S 172.30.0.0/16 [1/0] via 172.30.1.0
C 172.30.1.0/24 is directly connected, Ethernet0
D 192.168.4.0/24 [90/2195456] via 192.168.3.2, 00:23:26, Serial0
R 192.168.1.0/24 [120/1] via 192.168.2.2, 00:00:07, Serial1
C 192.168.2.0/24 is directly connected, Serial1
C 192.168.3.0/24 is directly connected, Serial0
S* 0.0.0.0/0 [1/0] via 172.30.1.2

Router2#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
 U - per-user static route, o - ODR

Gateway of last resort is 192.168.2.1 to network 0.0.0.0

R 172.30.0.0/16 [120/10] via 192.168.2.1, 00:00:19, Serial0
R 192.168.4.0/24 [120/10] via 192.168.2.1, 00:00:20, Serial0
C 192.168.1.0/24 is directly connected, Ethernet0
C 192.168.2.0/24 is directly connected, Serial0
R 192.168.3.0/24 [120/1] via 192.168.2.1, 00:00:20, Serial0
R* 0.0.0.0/0 [120/10] via 192.168.2.1, 00:00:20, Serial0

Router3#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
 U - per-user static route, o - ODR

Gateway of last resort is 192.168.3.1 to network 0.0.0.0

D EX 172.30.0.0/16 [170/3136000] via 192.168.3.1, 00:00:34, Serial1
C 192.168.4.0/24 is directly connected, Ethernet0
D EX 192.168.1.0/24 [170/3136000] via 192.168.3.1, 00:00:34, Serial1
D 192.168.2.0/24 [90/2681856] via 192.168.3.1, 00:22:01, Serial1
C 192.168.3.0/24 is directly connected, Serial1
D*EX 0.0.0.0/0 [170/3136000] via 192.168.3.1, 00:00:34, Serial1

 

8.6.2. Filtering Routes

We can use access lists to get better control over route redistribution. Access lists define filters that control which routes the router will listen to or advertise, depending on the distribute-list command. The distribute-list command specifies the direction (in or out) and the access list to use. The access list is then applied to the route redistribution process. To put it another way, the access list allows us to say "Allow routes from here" and "Don't send routes here."

8.6.2.1. Filtering incoming routes

To filter incoming routes, the distribute-list command is followed by the in option. In other words, we are filtering routes that the router hears. The following example applies access list 10 to all incoming RIP routes. If the incoming routes do not match access list 10, they are dropped into a bit bucket:

access-list 10 permit 192.168.1.0 0.0.0.255
router rip
 network 192.168.1.0
 network 192.168.2.0
 distribute-list 10 in

No matter where the update comes from, any route that does not match network 192.168.1.0 is ignored by RIP. We can take this a step further and say "Any route that arrives via the ethernet0 interface will be checked with access list 10":

access-list 10 permit 192.168.1.0 0.0.0.255
router rip
 network 192.168.0.0
 distribute-list 10 in ethernet0

 

8.6.2.2. Filtering outgoing routes

The distribute-list command can also be applied to information the router sends. Just as distribute-list in controls what the router can hear, distribute-list out controls what the router can announce. In other words, we are filtering outgoing routes. If an outgoing route does not match the access list, it will not be sent. For example:

access-list 10 permit 192.168.1.0 0.0.0.255
router rip
 network 192.168.1.0
 network 192.168.2.0
 distribute-list 10 out

This configuration globally applies the distribute-list to all outgoing RIP routes. The result is that our router won't tell any other routers about routes that don't match the 192.168.1.0/24 network. And in the same way as before, we can apply the access list to one interface (ethernet0):

access-list 10 permit 192.168.1.0 0.0.0.255
router rip
 network 192.168.1.0
 network 192.168.2.0
 distribute-list 10 out ethernet0

The addition of ethernet0 says that the router applies access list 10 only to routes announced through the ethernet0 interface. The access list doesn't apply to routes advertised through other interfacesany other interfaces are allowed to announce any routes that are available.

8.6.2.3. Filtering updates during redistribution

We can do one more thing with the outgoing distribute-list command: control the redistribution of routes from one protocol into another protocol. In the example we have been using, we are redistributing into RIP. Now we add the distribute-list command to ensure that RIP ignores routes from EIGRP that originated from RIP. distribute-list 10 out eigrp 100 means "Apply access list 10 to announced routes that were derived from EIGRP 100."

access-list 10 deny 192.168.1.0 0.0.0.255
access-list 10 permit any
!
router rip
 network 192.168.1.0
 network 192.168.2.0
 default-metric 10
 redistribute eigrp 100
 distribute-list 10 out eigrp 100

Filtering routes that are redistributed from one protocol into another helps to eliminate routing loops by preventing a protocol from learning its own routes from another source.

8.6.2.4. Revisiting the example

Now let's put all the pieces together. Figure 8-3 shows a network with a routing problem that we solved by redistributing EIGRP into RIP. EIGRP is smart enough to handle the RIP routes and label them as such. RIP is not that smart, so we want to control its redistribution by adding an access list that filters the routes originating from RIP before they are added back into the RIP routing table. Our final configuration adds the necessary filtering to prevent routing loops from forming:

! Define the static route for this router and RIP
ip route 0.0.0.0 0.0.0.0 172.30.1.2
!
! Define the RIP process
!
router rip
 network 192.168.1.0
 network 192.168.2.0
 redistribute static
 redistribute eigrp 100
 passive-interface ethernet0
 default-metric 10
 ! Add the distribute-list command with access list 10
 distribute-list 10 out eigrp 100
!
! Define the EIGRP process
!
router eigrp 100
 network 192.168.3.0
 network 192.168.4.0
 redistribute static
 redistribute rip
 passive-interface serial0
 default-metric 1000 250 255 1 150
 distribute-list 11 out rip
!
! Define access list 10
! We want to deny routes from EIGRP that are RIP routes
! but permit everything else
access-list 10 deny 192.168.1.0 0.0.0.255
access-list 10 permit any
! Define access list 10
! We want to permit the RIP routes into EIGRP and
! deny everything else
access-list 11 permit 192.168.1.0 0.0.0.255
access-list 11 deny any

 

8.6.3. Route Maps

Route maps allow you to influence network traffic by changing the attributes of a route based on its characteristics. We can use a route map to modify metrics, the next-hop address, the default interface, and other attributes. This feature becomes increasingly important in BGP and OSPF route redistribution because of the complexity of these protocols.

A route map comprises a list of match criteria, followed by a list of set instructions. The match criteria are similar to access list entries: they describe the incoming routing updates we want to modify. This match can in fact be based on whether a route passes an access list (i.e., matches can be based on an IP address), but it also allows you to select updates based on other criteria, such as route metrics and route tags. The set instructions tell the router what to do with the route once it has a match. In our first example, we change a route's metric based on the source IP address of the packet.

In this example, we define a route map using access list 10. The route map is given the name our-example-map. Route-map names (or tags, as they are also called) can be anything you want. After defining the map name, we say that the map uses access list 10 to match a route's destination IP address. (There are many other things we could match. For example, we could match the route's next-hop address, using the command match ip next-hop; or we could match the address of the router from which the route came by using the command match ip route-source. See Chapter 17 for a complete list of match items for route maps .) If any route's destination address matches access list 10, we set the route's metric to 20.

! Define the route map named "our-example-map"
route-map our-example-map
 match ip address 10
 set metric 20
!
! Define the access-list that is used in the route-map
access-list 10 permit 192.168.1.0 0.0.0.255

In the OSPF section of Chapter 9, route maps are used to control redistribution between RIP and OSPF. In that redistribution, we want to take the external routes from OSPF and redistribute them into RIP. The only way to achieve that granularity of routing control is to use route maps.

8.6.3.1. Enforcing routing policy with route maps

Route maps allow us to enforce routing policies. We'll start with an example in which we use a route map to control redistribution. We want to give a redistributed RIP route from certain routers a higher metric than a route coming from other routers. In other words, we are going to trust some routers more than others. We may make this decision for political reasons, or we could just know that one router has better routes, for reasons the routing protocol can't determine.

In this example, we will use two additional features of route maps. First, a route map can contain the permit or deny keyword, which gives us finer control over which routes match. Second, a route map can have a sequence number, which lets us build chains of route maps.

Here's how the permit and deny keywords and sequence numbers are used. If a route map includes the permit keyword, the following occurs when a route arrives:

  1. The route is tested against the access list. If it does not match, the next route map in the sequence is tried. If there are no more maps in the sequence, the route is not redistributed.
  2. If the route does match the access list, the route map's set options are applied, and the route is redistributed. No more maps in the sequence are processed.

If the route map includes the deny keyword and the route matches the map's access list, the route is not redistributed and no other route maps in the sequence are used.

If a map doesn't contain either deny or permit, the map is part of a policy. The operation specified by the set command is applied if there is a match. In any case, after this map is processed, processing proceeds to the next map in the sequence. No filtering takes place (all routes going through a policy map are eventually redistributed, since no routes are denied), but the route's properties may be changed.

Here is a configuration that redistributes routes from RIP into EIGRP using route maps . The example uses two route maps with the name rip-to-eigrp, but with different sequence numbers (10 and 15). The sequence numbers determine the order in which the two maps are processed: first map 10, then map 15.

It's a good idea to avoid using consecutive sequence numbers when you're first writing a policy. In our example, we used sequence numbers 10 and 15. If we later need to add a map that's processed after 10 and before 15, we can assign it number 12. If we used consecutive sequence numbers, it would be much harder to add a map to the sequence at a later time.

! EIGRP configuration
router eigrp 99
 network 10.0.0.0
 default-metric 1000 250 255 1 1500
 ! Set up redistribution of RIP routes into EIGRP using the route-map
 ! named rip-to-eigrp
 redistribute rip route-map rip-to-eigrp
!
! RIP configuration
router rip
 network 10.0.0.0
!
! Define our route-maps
route-map rip-to-eigrp permit 10
 match ip route-source 2
 set metric 1000 100 250 100 1500
route-map rip-to-eigrp permit 15
 match ip route-source 3
 set metric 500 100 250 100 1500
!
! Define the access lists that are used in the route maps
access-list 2 permit 10.11.1.1 0.0.0.0
access-list 3 permit any

In this example, routes are first processed by the map named rip-to-eigrp, which consists of two submaps, numbered 10 and 15. Map 10 uses access list 2 to select routes that were learned from the router at 10.11.1.1. These routes are given the default metric, which has a bandwidth parameter of 1000. If the route matches, processing ends, and the route is redistributed with the default metric. If the route doesn't match, processing continues with route map 15. This route map uses access list 3, which matches all IP addresses. Therefore, the route map gives all routes that reach it the bandwidth metric of 500, instead of the default; the other parameters are the same. Therefore, we are saying that the 10.11.1.1 router knows about routes that have more bandwidth available than any other routers. Consequently, EIGRP computes a better (lower) metric for them and uses them in preference to routes learned from other routers.

8.6.3.2. Enforcing routing policy with the ip policy command

In the previous example, we relied on the redistribute command to enforce our redistribution policy. Routing policies can also be enforced on the interface level using the command ip policy, which applies route maps to packets arriving at that interface. The ip policy command can be extremely CPU-intensive, so use it with care. Another tool for enforcing routing policies is the ip local policy route-map command. Unlike the ip policy command, which defines a policy (route map) to be applied to routes coming in an interface, ip local policy route-map is a global configuration command that applies the route maps to all routing packets generated by the router.

In this example, we want to assign specific routes based on the packet's destination IP address. The routes are assigned if there are no default routes for the addresses we are matching. We accomplish this by configuring the serial0 interface to use the route map called examplemap. Our route map implements the following rules for packets arriving on serial0:

  1. Packets to the 172.30.10.0 network are sent to router 172.30.100.1.
  2. Packets to the 172.30.15.0 network are sent to router 172.30.200.1.
  3. Rules 1 and 2 apply only if the packets arrive on interface serial0 and no default route already exists for that destination.
  4. All other routes coming in serial0 are passed along as usual.

The router configuration would look like this:

! Configure the interface serial0
interface serial0
 ip policy route-map examplemap
 ip address 172.30.1.1 255.255.255.0
!
! Set up the first part of the route map
route-map examplemap permit 10
 match ip address 1
 set ip default next-hop 172.30.100.1
!
! Set up the second part of the route map
route-map examplemap permit 15
 match ip address 2
 set ip default next-hop 172.30.200.1
!
! Define the access lists for use in the route maps
access-list 1 permit 172.30.10.0 0.0.0.255
access-list 1 deny any
access-list 2 permit 172.30.15.0 0.0.0.255
access-list 2 deny any

Route maps are explored again in Chapters 9 and 10.

Getting Started

IOS Images and Configuration Files

Basic Router Configuration

Line Commands

Interface Commands

Networking Technologies

Access Lists

IP Routing Topics

Interior Routing Protocols

Border Gateway Protocol

Quality of Service

Dial-on-Demand Routing

Specialized Networking Topics

Switches and VLANs

Router Security

Troubleshooting and Logging

Quick Reference

Appendix A Network Basics

Index



Cisco IOS in a Nutshell
Cisco IOS in a Nutshell (In a Nutshell (OReilly))
ISBN: 0596008694
EAN: 2147483647
Year: 2006
Pages: 1031
Authors: James Boney

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net