Using distribute-list to filter RIP updates

Written by jlgaddis on July 6, 2009 – 10:45 pm

Now that we have RIP authentication working, let’s take a look at how we can use the “distribute-list” to suppress network advertisements.

In this lab, we have three routers. R1 and R2 are connected via their serial 0/0 interfaces, and R2 and R3 are connected over their fast ethernet 0/1 interfaces.

R1 will have four loopback interfaces that we’ll use to simulate connected networks:

  • 10.1.1.1/24
  • 10.1.2.1/24
  • 10.1.3.1/24
  • 10.1.4.1/24

We’ll just use s0/0 and fa0/1 on R2 and fa0/1 on R3.

Let’s bring up R1 and R2’s serial interfaces…

R1# configure terminal
R1(config)# interface serial 0/0
R1(config-if)# ip address 172.16.12.1 255.255.255.0
R1(config-if)# no shutdown
R2# configure terminal
R2(config)# interface serial 0/0
R2(config-if)# ip address 172.16.12.2 255.255.255.0
R2(config-if)# no shutdown

…and the fast ethernet interfaces on R2 and R3…

R2(config-if)# interface fastethernet 0/1
R2(config-if)# ip address 172.16.23.2 255.255.255.0
R2(config-if)# no shutdown
R3# configure terminal
R3(config)# interface fastethernet 0/1
R3(config-if)# ip address 172.16.23.3 255.255.255.0
R3(config-if)# no shutdown

On R2, let’s verify we can ping both R1 and R3:

R2(config-if)# do ping 172.16.12.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R2(config-if)# do ping 172.16.23.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.23.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms

Excellent, now let’s bring up those four loopback interfaces on R1:

R1(config-if)# interface loopback 1
R1(config-if)# ip address 10.1.1.1 255.255.255.0
R1(config-if)# interface loopback 2
R1(config-if)# ip address 10.1.2.1 255.255.255.0
R1(config-if)# interface loopback 3
R1(config-if)# ip address 10.1.3.1 255.255.255.0
R1(config-if)# interface loopback 4
R1(config-if)# ip address 10.1.4.1 255.255.255.0

Let’s go ahead and configure RIP (version 2) on R2 and R3:

R2(config-if)# router rip
R2(config-router)# version 2
R2(config-router)# no auto-summary
R2(config-router)# network 172.16.0.0
R3(config-if)# router rip
R3(config-router)# version 2
R3(config-router)# no auto-summary
R3(config-router)# network 172.16.0.0

Let’s take a look at R3’s RIP routing table before we go any further:

R3(config-router)# do sh ip route rip
     172.16.0.0/24 is subnetted, 2 subnets
R       172.16.12.0 [120/1] via 172.16.23.2, 00:00:05, FastEthernet0/1

As you can see, we’re receiving the route for 172.16.12.0/24 from R2. Let’s configure RIP on R1 now:

R1(config-if)# router rip
R1(config-router)# version 2
R1(config-router)# no auto-summary
R1(config-router)# network 172.16.0.0
R1(config-router)# network 10.0.0.0

Now we should see something like this on R3:

R3(config-router)# do sh ip route rip
     172.16.0.0/24 is subnetted, 2 subnets
R       172.16.12.0 [120/1] via 172.16.23.2, 00:00:13, FastEthernet0/1
     10.0.0.0/24 is subnetted, 4 subnets
R       10.1.3.0 [120/2] via 172.16.23.2, 00:00:13, FastEthernet0/1
R       10.1.2.0 [120/2] via 172.16.23.2, 00:00:13, FastEthernet0/1
R       10.1.1.0 [120/2] via 172.16.23.2, 00:00:13, FastEthernet0/1
R       10.1.4.0 [120/2] via 172.16.23.2, 00:00:13, FastEthernet0/1

Now let’s say that, for whatever reason, we:

  • do want R1 to advertise all the 10.1.x.0/24 networks to R2, but
  • don’t want R3 to receive the route for 10.1.3.0/24

How would we accomplish that? “distribute-list out”, of course!

Okay, so the first thing we need to do is create an access-list. Since we simply want to block 10.1.3.0/24 from being advertised, we can accomplish this fairly easily:

R2(config-router)# exit
R2(config)# access-list 3 deny 10.1.3.0 0.0.0.255
R2(config)# access-list 3 permit any

Here, our access list just denies the 10.1.3.0/24 network and permits all others (note that we could use prefix-lists, too). Now we need to tell R2 to suppress the affected networks from being advertised:

R2(config)# router rip
R2(config-router)# distribute-list 3 out

Easy, right!? Let’s take a quick look at R3’s routes again:

R3(config-router)# do sh ip route rip
     172.16.0.0/24 is subnetted, 2 subnets
R       172.16.12.0 [120/1] via 172.16.23.2, 00:00:09, FastEthernet0/1
     10.0.0.0/24 is subnetted, 4 subnets
R       10.1.3.0 [120/2] via 172.16.23.2, 00:00:36, FastEthernet0/1
R       10.1.2.0 [120/2] via 172.16.23.2, 00:00:09, FastEthernet0/1
R       10.1.1.0 [120/2] via 172.16.23.2, 00:00:09, FastEthernet0/1
R       10.1.4.0 [120/2] via 172.16.23.2, 00:00:09, FastEthernet0/1

Look at the route for 10.1.3.0/24. Note that it’s been 36 seconds since R3 received an update for this network. Let’s give it a few minutes (four, by default) for the “flush” timer to expire, then check out R3’s routes again:

R3(config-router)# do sh ip route rip
     172.16.0.0/24 is subnetted, 2 subnets
R       172.16.12.0 [120/1] via 172.16.23.2, 00:00:00, FastEthernet0/1
     10.0.0.0/24 is subnetted, 3 subnets
R       10.1.2.0 [120/2] via 172.16.23.2, 00:00:00, FastEthernet0/1
R       10.1.1.0 [120/2] via 172.16.23.2, 00:00:00, FastEthernet0/1
R       10.1.4.0 [120/2] via 172.16.23.2, 00:00:00, FastEthernet0/1

See that the route for 10.1.3.0/24 has disappeared? Is it still on R2? It certainly is:

R2(config-router)# do sh ip route rip
     10.0.0.0/24 is subnetted, 4 subnets
R       10.1.3.0 [120/1] via 172.16.12.1, 00:00:12, Serial0/0
R       10.1.2.0 [120/1] via 172.16.12.1, 00:00:12, Serial0/0
R       10.1.1.0 [120/1] via 172.16.12.1, 00:00:12, Serial0/0
R       10.1.4.0 [120/1] via 172.16.12.1, 00:00:12, Serial0/0

It seems that our distribute-list is doing the job we wanted it to do. Just for good measure, let’s make sure that we can ping 10.1.3.1 from R2, but not from R3:

R2(config-router)# do ping 10.1.3.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R3(config-router)# do ping 10.1.3.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.3.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

All of the other 10.1.x.1 addresses are, of course, still reachable from R3:

R3(config-router)# do ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R3(config-router)# do ping 10.1.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R3(config-router)# do ping 10.1.4.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

Note that there’s also a “distribute-list in” command that we could have used on R3 instead of “distribute-list out” on R2. If, for example, there was another interface on R2, we may not have wanted to filter out the updates going out that interface. In that case, we would have two options: we could use “distribute-list in” on R3, or we could have specified an interface with “distribute-list out”, such as this:

R2(config-router)# no distribute-list 3 out
R2(config-router)# distribute-list 3 out fastethernet 0/1
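To make the filter semantics concrete, here is an added Python model of how a standard access-list is evaluated against an outbound RIP update (wildcard-mask matching, first match wins, implicit deny at the end) and how the global and interface-specific forms of "distribute-list out" differ. This is example code written for this page, not from the author or from IOS; the route list and ACL names are taken from the lab above, and treating a route as advertised only if it passes every list that applies to the interface is an assumption of the model.

```python
import ipaddress

def parse_acl(lines):
    """Parse IOS standard access-list lines into (action, base, wildcard) entries."""
    entries = []
    for line in lines:
        parts = line.split()
        if parts[:1] != ["access-list"]:
            continue
        action, args = parts[2], parts[3:]
        if args == ["any"]:
            base, wildcard = "0.0.0.0", "255.255.255.255"
        else:
            base = args[0]
            wildcard = args[1] if len(args) > 1 else "0.0.0.0"  # no wildcard = exact host
        entries.append((action, base, wildcard))
    return entries

def wildcard_match(addr, base, wildcard):
    """Bits that are 0 in the wildcard mask must match; 1 bits are don't-care."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def acl_permits(acl, prefix):
    """First matching entry decides; a prefix matching nothing hits the implicit deny."""
    network = prefix.split("/")[0]
    for action, base, wildcard in acl:
        if wildcard_match(network, base, wildcard):
            return action == "permit"
    return False

def rip_update_out(routes, distribute_lists, interface):
    """Routes left in the RIP update sent out of `interface`.
    distribute_lists is a list of (interface_or_None, acl); None is the global list.
    Assumption (model, not verified IOS behaviour): a route must pass every applicable list."""
    applicable = [acl for scope, acl in distribute_lists if scope in (None, interface)]
    return sorted(r for r in routes if all(acl_permits(acl, r) for acl in applicable))

# Constructed sample: the routes R2 holds in the lab, access-list 3 from the page,
# and a deliberately broken list that forgot "permit any".
ROUTES = ["10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24", "10.1.4.0/24", "172.16.12.0/24"]
ACL_3 = parse_acl(["access-list 3 deny 10.1.3.0 0.0.0.255", "access-list 3 permit any"])
ACL_DENY_ONLY = parse_acl(["access-list 4 deny 10.1.3.0 0.0.0.255"])

if __name__ == "__main__":
    print("global, fa0/1:   ", rip_update_out(ROUTES, [(None, ACL_3)], "FastEthernet0/1"))
    print("fa0/1 only, s0/0:", rip_update_out(ROUTES, [("FastEthernet0/1", ACL_3)], "Serial0/0"))
    print("deny only, fa0/1:", rip_update_out(ROUTES, [(None, ACL_DENY_ONLY)], "FastEthernet0/1"))
```

The third case is the check worth running before applying a filter for real: an access-list with only deny entries suppresses every route in the update, not just the one you named.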