Filtering Routes with RIP

Problem

You want to restrict what routing information is exchanged within RIP.

Solution

You can filter inbound RIP routes on a per interface basis with a distribute-list:

Router2#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#access-list 10 deny 192.168.20.0
Router2(config)#access-list 10 permit any 
Router2(config)#router rip
Router2(config-router)#distribute-list 10 in Serial 0.1
Router2(config-router)#network 172.25.0.0
Router2(config-router)#network 192.168.30.0
Router2(config-router)#exit
Router2(config)#end
Router2#

This configuration example shows how to filter outbound RIP-based routes on a per interface basis:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 20 permit 0.0.0.0
Router1(config)#access-list 20 deny any 
Router1(config)#router rip
Router1(config-router)#distribute-list 20 out Serial0/0.2
Router1(config-router)#network 172.25.0.0
Router1(config-router)#exit
Router1(config)#end
Router1#

 

Discussion

The access list in the first configuration example of this recipe prevents this router from accepting any routing information about the network 192.168.20.0:

Router2(config)#access-list 10 deny 192.168.20.0
Router2(config)#access-list 10 permit any 

You can see that this route, which was visible in Recipe 6.1, no longer appears in the routing table:

Router2#show ip route rip
R 172.22.0.0/16 [120/1] via 172.25.2.1, 00:00:21, Serial0.1
R 172.25.1.0/24 [120/1] via 172.25.2.1, 00:00:21, Serial0.1
Router2#

The show ip protocol command shows which interfaces have inbound or outbound distribute lists:

Router2#show ip protocol
Routing Protocol is "rip"
 Sending updates every 30 seconds, next due in 27 seconds
 Invalid after 180 seconds, hold down 180, flushed after 240
 Outgoing update filter list for all interfaces is not set
 Incoming update filter list for all interfaces is not set
 Serial0.1 filtered by 10 (per-user), default is 10
 Redistributing: rip
 Default version control: send version 1, receive any version
 Interface Send Recv Triggered RIP Key-chain
 Ethernet0 1 1 2 
 Loopback0 1 1 2 
 Serial0.1 1 1 2 
 Automatic network summarization is in effect
 Maximum path: 4
 Routing for Networks:
 172.25.0.0
 192.168.30.0
 Routing Information Sources:
 Gateway Distance Last Update
 172.25.2.1 120 00:00:17
 Distance: (default is 120)

Router2#

This shows that the interface Serial0.1 uses access list number 10 to filter incoming routing information. You can then use the show access-list command to see what this affects.

Note that if you control both the sending and receiving routers, it is usually best to filter the routes before sending them instead of sending them across the network and then ignoring them. So inbound filtering is most common in situations when you are receiving routes from a device that you don't control. Since RIP frequently runs on end devices such as Unix servers, inbound filtering is fairly common.

You can use outbound filtering, on the other hand, for reducing the size of routing tables on access routers. For example, it is extremely useful in hub-and-spoke type WANs. In this case, each remote branch router cares only about its local segments and "everything else." It can reach all of the nonlocal routes via the hub router. So you can reduce unnecessary WAN bandwidth utilization as well as memory consumption on the branch router by configuring the hub router to send out only a single default route. In fact, when used in conjunction with the periodic updates discussed in Recipe 6.12, this makes a good WAN routing solution.

The second example in the Solution section of this recipe shows the configuration of the hub router so that it only sends the default route, 0.0.0.0/0. The routing table of the other router then becomes extremely simple:

Router2#show ip route rip
R* 0.0.0.0/0 [120/5] via 172.25.2.1, 00:00:02, Serial0.1
Router2#

The show ip protocol command shows the filter on the hub router:

Router1#show ip protocol
Routing Protocol is "rip"
 Sending updates every 30 seconds, next due in 9 seconds
 Invalid after 180 seconds, hold down 180, flushed after 240
 Outgoing update filter list for all interfaces is not set
 Serial0/0.2 filtered by 20 (per-user), default is 20
 Incoming update filter list for all interfaces is not set
 Redistributing: rip
 Default version control: send version 1, receive any version
 Interface Send Recv Triggered RIP Key-chain
 FastEthernet0/0.1 1 1 2 
 Serial0/0.2 1 1 2 
 FastEthernet0/1 1 1 2 
 Automatic network summarization is in effect
 Maximum path: 4
 Routing for Networks:
 172.22.0.0
 172.25.0.0
 Routing Information Sources:
 Gateway Distance Last Update
 172.25.1.7 120 00:00:23
 172.25.2.2 120 00:00:07
 172.22.1.4 120 00:00:19
 Distance: (default is 120)

Router1#

You can also configure the router to filter all interfaces simultaneously with a single rule:

Router2#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#access-list 10 deny 192.168.20.0
Router2(config)#access-list 10 permit any 
Router2(config)#router rip
Router2(config-router)#distribute-list 10 in
Router2(config-router)#end
Router2#

This feature is rarely used because you usually want apply different filters to different interfaces, depending on what other devices are connected. But when you want to explicitly eliminate certain unwanted routes from your network, regardless of the interface you might learn them through, this is the easiest way to do it. With the show ip protocols command, you can see that access list number 10 has been applied to traffic coming in from all interfaces:

Router2#show ip protocols 
Routing Protocol is "rip"
 Sending updates every 30 seconds, next due in 0 seconds
 Invalid after 180 seconds, hold down 180, flushed after 240
 Outgoing update filter list for all interfaces is not set
 Incoming update filter list for all interfaces is 10
 Redistributing: rip
 Default version control: send version 1, receive any version
 Interface Send Recv Triggered RIP Key-chain
 Ethernet0 1 1 2 
 Loopback0 1 1 2 
 Serial0.1 1 1 2 
 Automatic network summarization is in effect
 Maximum path: 4
 Routing for Networks:
 172.25.0.0
 192.168.30.0
 Routing Information Sources:
 Gateway Distance Last Update
 172.25.2.1 120 00:00:03
 Distance: (default is 120)

Router2#

You can use global distribute lists together with interface specific distribute lists. The result actually combines the effects of both. Suppose, for example, that you have a global distribute list that blocks a particular network. Then if you apply another list that blocks another address to a particular interface, this interface will block both addresses.

See Also

Recipe 6.12

Router Configuration and File Management

Router Management

User Access and Privilege Levels

TACACS+

IP Routing

RIP

EIGRP

OSPF

BGP

Frame Relay

Handling Queuing and Congestion

Tunnels and VPNs

Dial Backup

NTP and Time

DLSw

Router Interfaces and Media

Simple Network Management Protocol

Logging

Access-Lists

DHCP

NAT

First Hop Redundancy Protocols

IP Multicast

IP Mobility

IPv6

MPLS

Security

Appendix 1. External Software Packages

Appendix 2. IP Precedence, TOS, and DSCP Classifications

Index



Cisco IOS Cookbook
Cisco IOS Cookbook (Cookbooks (OReilly))
ISBN: 0596527225
EAN: 2147483647
Year: 2004
Pages: 505

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net