The passive -interface command tells an interface to listen to RIP or IGRP routes but not to advertise them. By disabling routing announcements on an interface, we tell the router to "listen but don't talk." This feature can reduce routing load on the CPU by reducing the number of interfaces on which a protocol needs to communicate. For OSPF and EIGRP, this command completely disables route processing for that interface. Use this command only if you know for sure that the routing protocol doesn't need to talk to anything on the specified interface.
In Figure 8-2, Router 1 and Router 2 can be optimized with the passive-interface command. Without getting into the routing protocol specifics, we want to say, "Keep the EIGRP routing on the serial links and keep the RIP routing on the Ethernet interfaces." Here's how:
router eigrp 300 network 192.168.10.0 passive-interface ethernet0
Figure 8-2. Using passive interfaces
router rip network 192.168.10.0 passive-interface serial0 passive-interface serial1
This configuration tells Router 1 and Router 2 not to send any EIGRP updates over the Ethernet interface and not to send RIP updates over the serial links. It doesn't solve the problem of getting routing information from our EIGRP process into RIP and vice versa. We will solve this problem using route redistribution .
EIGRP normally multicasts route information to neighbor routers. But we put EIGRP into passive mode, which turned off all EIGRP processing. If this were IGRP, we could use the neighbor command in conjunction with the passive-interface command to establish the relationship we wanted. The neighbor command tells RIP to send unicast updates to a particular group of routers instead of broadcasting the updates on the link; it allows us to specify which routers should receive updates. (EIGRP ignores the neighbor commandit exists only for backward compatibility with IGRP and has no effect.)
The neighbor command has greater purposes, which we'll explore in Chapter 10.
8.6.1. Route Redistribution
If a router is running two or more routing processes, the processes don't automatically share their routing information. Route redistribution is a particular issue when different routing protocols are involved, but it also comes up when you have two different processes using the same protocol. Figure 8-3 shows a network that uses both RIP and EIGRP.
Figure 8-3. Using route redistribution
Table 8-3 shows what the routing table for each router might look like.
192.168.3.0/24 serial0
192.168.1.0/24 router2
192.168.4.0/24 router3
Router 1 |
Router 2 |
Router 3 |
---|---|---|
192.168.2.0/24 serial1 |
192.168.1.0/24 ethernet0 |
192.168.2.0/24 router1 |
192.168.2.0/24 serial0 |
192.168.3.0/24 serial1 |
|
192.168.3.0/24 router1 |
192.168.4.0/24 ethernet0 |
|
Default 172.30.1.2 |
Router 1 knows how to get everywhere in our network. However, the other routers don't have enough information to reach all the destinations. These routing tables have three problems: Router 2 cannot get to Network 2, Router 3 cannot get to Network 1, and neither Router 2 nor Router 3 can get to the Internet.
To look at this correctly, here is the output of show ip route on each router:
Router1#show ip route Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area Gateway of last resort is 172.30.1.2 to network 0.0.0.0 172.168.0.0/24 is subnetted, 1 subnets C 172.30.1.0 is directly connected, Ethernet0 D 192.168.4.0/24 [90/2195456] via 192.168.3.2, 00:02:00, Serial0 R 192.168.1.0/24 [120/1] via 192.168.2.2, 00:00:08, Serial1 C 192.168.2.0/24 is directly connected, Serial1 C 192.168.3.0/24 is directly connected, Serial0 S* 0.0.0.0/0 [1/0] via 172.30.1.2 Router2#show ip route Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area Gateway of last resort is not set C 192.168.1.0/24 is directly connected, Ethernet0 C 192.168.2.0/24 is directly connected, Serial0 R 192.168.3.0/24 [120/1] via 192.168.2.1, 00:00:26, Serial0 Router3#show ip route Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area Gateway of last resort is not set C 192.168.4.0/24 is directly connected, Ethernet0 D 192.168.2.0/24 [90/2681856] via 192.168.3.1, 00:09:35, Serial1 C 192.168.3.0/24 is directly connected, Serial1
We can fix our routing problem in a couple of ways. One option is to run RIP on the EIGRP side of Router 1 and then set static routes on Router 2 and Router 3 to point to the Internet connection. The drawback is that we are relying on static routes; worse, we have static routes to the same destination on two routers. If our Internet connection changes, we'll have to change the configuration on both Router 2 and Router 3. In this example, changing the static routes wouldn't be too much work. But what if there were 20 routers?
The second option, route redistribution, is a much better solution. To implement route redistribution across all the routing protocols on our network, we change Router 1's configuration to use redistribution between RIP and EIGRP:
! Define the static default route for this router and RIP ! We don't use 172.30.1.1 because that is our interface; we want to use ! the IP address of the router at the other end ip route 0.0.0.0 0.0.0.0 172.30.1.2 ! router rip network 192.168.1.0 network 192.168.2.0 redistribute static redistribute eigrp 100 passive-interface ethernet0 default-metric 10 ! router eigrp 100 network 192.168.3.0 network 192.168.4.0 redistribute static redistribute rip passive-interface serial0 default-metric 1000 250 255 1 1500
With this configuration, all the routes learned on Router 1 are shared among all the routing protocols. This sharing allows Router 2 and Router 3 to learn how to reach each other's networks and the Internet. Table 8-4 shows that our routing tables are complete. The default-metric statement tells each routing process how to interpret the routes it is receiving from other sources. For example, the default-metric statement for RIP tells it to assign the metric of 10 to routes it receives through redistribution. Since these routes are coming from other protocols, they won't have metrics that make sense to RIP. Likewise, the more complicated default-metric statement for EIGRP tells EIGRP how to interpret the routes it is receiving.
192.168.3.0/24 serial0
192.168.1.0/24 router2
192.168.4.0/24 router3
Default 172.30.1.2
Router 1 |
Router 2 |
Router 3 |
---|---|---|
192.168.2.0/24 serial1 |
192.168.1.0/24 ethernet0 |
192.168.3.0/24 serial1 |
192.168.2.0/24 serial0 |
192.168.4.0/24 ethernet0 |
|
192.168.3.0/24 router1 |
192.168.2.0/24 router1 |
|
192.168.4.0/24 router1 |
192.168.1.0/24 router1 |
|
Default 172.30.1.2 |
Default images/U2192.jpg border=0> 172.30.1.2 |
The only thing left to do is to configure some filters to prevent routing loops from occurring; we'll do that in the next section.
|
Here is the result of show ip route for each router, showing the new routing tables:
Router1#show ip route Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default U - per-user static route, o - ODR Gateway of last resort is 172.30.1.2 to network 0.0.0.0 172.30.0.0/16 is variably subnetted, 2 subnets, 2 masks S 172.30.0.0/16 [1/0] via 172.30.1.0 C 172.30.1.0/24 is directly connected, Ethernet0 D 192.168.4.0/24 [90/2195456] via 192.168.3.2, 00:23:26, Serial0 R 192.168.1.0/24 [120/1] via 192.168.2.2, 00:00:07, Serial1 C 192.168.2.0/24 is directly connected, Serial1 C 192.168.3.0/24 is directly connected, Serial0 S* 0.0.0.0/0 [1/0] via 172.30.1.2 Router2#show ip route Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default U - per-user static route, o - ODR Gateway of last resort is 192.168.2.1 to network 0.0.0.0 R 172.30.0.0/16 [120/10] via 192.168.2.1, 00:00:19, Serial0 R 192.168.4.0/24 [120/10] via 192.168.2.1, 00:00:20, Serial0 C 192.168.1.0/24 is directly connected, Ethernet0 C 192.168.2.0/24 is directly connected, Serial0 R 192.168.3.0/24 [120/1] via 192.168.2.1, 00:00:20, Serial0 R* 0.0.0.0/0 [120/10] via 192.168.2.1, 00:00:20, Serial0 Router3#show ip route Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default U - per-user static route, o - ODR Gateway of last resort is 192.168.3.1 to network 0.0.0.0 D EX 172.30.0.0/16 [170/3136000] via 192.168.3.1, 00:00:34, Serial1 C 192.168.4.0/24 is directly connected, Ethernet0 D EX 192.168.1.0/24 [170/3136000] via 192.168.3.1, 00:00:34, Serial1 D 192.168.2.0/24 [90/2681856] via 192.168.3.1, 00:22:01, Serial1 C 192.168.3.0/24 is directly connected, Serial1 D*EX 0.0.0.0/0 [170/3136000] via 192.168.3.1, 00:00:34, Serial1
8.6.2. Filtering Routes
We can use access lists to get better control over route redistribution. Access lists define filters that control which routes the router will listen to or advertise, depending on the distribute-list command. The distribute-list command specifies the direction (in or out) and the access list to use. The access list is then applied to the route redistribution process. To put it another way, the access list allows us to say "Allow routes from here" and "Don't send routes here."
8.6.2.1. Filtering incoming routes
To filter incoming routes, the distribute-list command is followed by the in option. In other words, we are filtering routes that the router hears. The following example applies access list 10 to all incoming RIP routes. If the incoming routes do not match access list 10, they are dropped into a bit bucket:
access-list 10 permit 192.168.1.0 0.0.0.255 router rip network 192.168.1.0 network 192.168.2.0 distribute-list 10 in
No matter where the update comes from, any route that does not match network 192.168.1.0 is ignored by RIP. We can take this a step further and say "Any route that arrives via the ethernet0 interface will be checked with access list 10":
access-list 10 permit 192.168.1.0 0.0.0.255 router rip network 192.168.0.0 distribute-list 10 in ethernet0
8.6.2.2. Filtering outgoing routes
The distribute-list command can also be applied to information the router sends. Just as distribute-list in controls what the router can hear, distribute-list out controls what the router can announce. In other words, we are filtering outgoing routes. If an outgoing route does not match the access list, it will not be sent. For example:
access-list 10 permit 192.168.1.0 0.0.0.255 router rip network 192.168.1.0 network 192.168.2.0 distribute-list 10 out
This configuration globally applies the distribute-list to all outgoing RIP routes. The result is that our router won't tell any other routers about routes that don't match the 192.168.1.0/24 network. And in the same way as before, we can apply the access list to one interface (ethernet0):
access-list 10 permit 192.168.1.0 0.0.0.255 router rip network 192.168.1.0 network 192.168.2.0 distribute-list 10 out ethernet0
The addition of ethernet0 says that the router applies access list 10 only to routes announced through the ethernet0 interface. The access list doesn't apply to routes advertised through other interfacesany other interfaces are allowed to announce any routes that are available.
8.6.2.3. Filtering updates during redistribution
We can do one more thing with the outgoing distribute-list command: control the redistribution of routes from one protocol into another protocol. In the example we have been using, we are redistributing into RIP. Now we add the distribute-list command to ensure that RIP ignores routes from EIGRP that originated from RIP. distribute-list 10 out eigrp 100 means "Apply access list 10 to announced routes that were derived from EIGRP 100."
access-list 10 deny 192.168.1.0 0.0.0.255 access-list 10 permit any ! router rip network 192.168.1.0 network 192.168.2.0 default-metric 10 redistribute eigrp 100 distribute-list 10 out eigrp 100
Filtering routes that are redistributed from one protocol into another helps to eliminate routing loops by preventing a protocol from learning its own routes from another source.
8.6.2.4. Revisiting the example
Now let's put all the pieces together. Figure 8-3 shows a network with a routing problem that we solved by redistributing EIGRP into RIP. EIGRP is smart enough to handle the RIP routes and label them as such. RIP is not that smart, so we want to control its redistribution by adding an access list that filters the routes originating from RIP before they are added back into the RIP routing table. Our final configuration adds the necessary filtering to prevent routing loops from forming:
! Define the static route for this router and RIP ip route 0.0.0.0 0.0.0.0 172.30.1.2 ! ! Define the RIP process ! router rip network 192.168.1.0 network 192.168.2.0 redistribute static redistribute eigrp 100 passive-interface ethernet0 default-metric 10 ! Add the distribute-list command with access list 10 distribute-list 10 out eigrp 100 ! ! Define the EIGRP process ! router eigrp 100 network 192.168.3.0 network 192.168.4.0 redistribute static redistribute rip passive-interface serial0 default-metric 1000 250 255 1 150 distribute-list 11 out rip ! ! Define access list 10 ! We want to deny routes from EIGRP that are RIP routes ! but permit everything else access-list 10 deny 192.168.1.0 0.0.0.255 access-list 10 permit any ! Define access list 10 ! We want to permit the RIP routes into EIGRP and ! deny everything else access-list 11 permit 192.168.1.0 0.0.0.255 access-list 11 deny any
8.6.3. Route Maps
Route maps allow you to influence network traffic by changing the attributes of a route based on its characteristics. We can use a route map to modify metrics, the next-hop address, the default interface, and other attributes. This feature becomes increasingly important in BGP and OSPF route redistribution because of the complexity of these protocols.
A route map comprises a list of match criteria, followed by a list of set instructions. The match criteria are similar to access list entries: they describe the incoming routing updates we want to modify. This match can in fact be based on whether a route passes an access list (i.e., matches can be based on an IP address), but it also allows you to select updates based on other criteria, such as route metrics and route tags. The set instructions tell the router what to do with the route once it has a match. In our first example, we change a route's metric based on the source IP address of the packet.
In this example, we define a route map using access list 10. The route map is given the name our-example-map. Route-map names (or tags, as they are also called) can be anything you want. After defining the map name, we say that the map uses access list 10 to match a route's destination IP address. (There are many other things we could match. For example, we could match the route's next-hop address, using the command match ip next-hop; or we could match the address of the router from which the route came by using the command match ip route-source. See Chapter 17 for a complete list of match items for route maps .) If any route's destination address matches access list 10, we set the route's metric to 20.
! Define the route map named "our-example-map" route-map our-example-map match ip address 10 set metric 20 ! ! Define the access-list that is used in the route-map access-list 10 permit 192.168.1.0 0.0.0.255
In the OSPF section of Chapter 9, route maps are used to control redistribution between RIP and OSPF. In that redistribution, we want to take the external routes from OSPF and redistribute them into RIP. The only way to achieve that granularity of routing control is to use route maps.
8.6.3.1. Enforcing routing policy with route maps
Route maps allow us to enforce routing policies. We'll start with an example in which we use a route map to control redistribution. We want to give a redistributed RIP route from certain routers a higher metric than a route coming from other routers. In other words, we are going to trust some routers more than others. We may make this decision for political reasons, or we could just know that one router has better routes, for reasons the routing protocol can't determine.
In this example, we will use two additional features of route maps. First, a route map can contain the permit or deny keyword, which gives us finer control over which routes match. Second, a route map can have a sequence number, which lets us build chains of route maps.
Here's how the permit and deny keywords and sequence numbers are used. If a route map includes the permit keyword, the following occurs when a route arrives:
If the route map includes the deny keyword and the route matches the map's access list, the route is not redistributed and no other route maps in the sequence are used.
If a map doesn't contain either deny or permit, the map is part of a policy. The operation specified by the set command is applied if there is a match. In any case, after this map is processed, processing proceeds to the next map in the sequence. No filtering takes place (all routes going through a policy map are eventually redistributed, since no routes are denied), but the route's properties may be changed.
Here is a configuration that redistributes routes from RIP into EIGRP using route maps . The example uses two route maps with the name rip-to-eigrp, but with different sequence numbers (10 and 15). The sequence numbers determine the order in which the two maps are processed: first map 10, then map 15.
|
! EIGRP configuration router eigrp 99 network 10.0.0.0 default-metric 1000 250 255 1 1500 ! Set up redistribution of RIP routes into EIGRP using the route-map ! named rip-to-eigrp redistribute rip route-map rip-to-eigrp ! ! RIP configuration router rip network 10.0.0.0 ! ! Define our route-maps route-map rip-to-eigrp permit 10 match ip route-source 2 set metric 1000 100 250 100 1500 route-map rip-to-eigrp permit 15 match ip route-source 3 set metric 500 100 250 100 1500 ! ! Define the access lists that are used in the route maps access-list 2 permit 10.11.1.1 0.0.0.0 access-list 3 permit any
In this example, routes are first processed by the map named rip-to-eigrp, which consists of two submaps, numbered 10 and 15. Map 10 uses access list 2 to select routes that were learned from the router at 10.11.1.1. These routes are given the default metric, which has a bandwidth parameter of 1000. If the route matches, processing ends, and the route is redistributed with the default metric. If the route doesn't match, processing continues with route map 15. This route map uses access list 3, which matches all IP addresses. Therefore, the route map gives all routes that reach it the bandwidth metric of 500, instead of the default; the other parameters are the same. Therefore, we are saying that the 10.11.1.1 router knows about routes that have more bandwidth available than any other routers. Consequently, EIGRP computes a better (lower) metric for them and uses them in preference to routes learned from other routers.
8.6.3.2. Enforcing routing policy with the ip policy command
In the previous example, we relied on the redistribute command to enforce our redistribution policy. Routing policies can also be enforced on the interface level using the command ip policy, which applies route maps to packets arriving at that interface. The ip policy command can be extremely CPU-intensive, so use it with care. Another tool for enforcing routing policies is the ip local policy route-map command. Unlike the ip policy command, which defines a policy (route map) to be applied to routes coming in an interface, ip local policy route-map is a global configuration command that applies the route maps to all routing packets generated by the router.
In this example, we want to assign specific routes based on the packet's destination IP address. The routes are assigned if there are no default routes for the addresses we are matching. We accomplish this by configuring the serial0 interface to use the route map called examplemap. Our route map implements the following rules for packets arriving on serial0:
The router configuration would look like this:
! Configure the interface serial0 interface serial0 ip policy route-map examplemap ip address 172.30.1.1 255.255.255.0 ! ! Set up the first part of the route map route-map examplemap permit 10 match ip address 1 set ip default next-hop 172.30.100.1 ! ! Set up the second part of the route map route-map examplemap permit 15 match ip address 2 set ip default next-hop 172.30.200.1 ! ! Define the access lists for use in the route maps access-list 1 permit 172.30.10.0 0.0.0.255 access-list 1 deny any access-list 2 permit 172.30.15.0 0.0.0.255 access-list 2 deny any
Route maps are explored again in Chapters 9 and 10.
Getting Started
IOS Images and Configuration Files
Basic Router Configuration
Line Commands
Interface Commands
Networking Technologies
Access Lists
IP Routing Topics
Interior Routing Protocols
Border Gateway Protocol
Quality of Service
Dial-on-Demand Routing
Specialized Networking Topics
Switches and VLANs
Router Security
Troubleshooting and Logging
Quick Reference
Appendix A Network Basics
Index