rip: route-filtering based on advertising router (extended acls)

Hi!
Today I will lab a small topology with RIP. What I am going to do is filter incoming routing updates based on the advertising router. In BGP, for example, this is easy because the neighbor statements can be tied to route-maps. In RIP, however, there is a small pitfall one can run into when using ACLs for route-filtering.

Here is the topology:

Setup:
– R1 is the hub in the hub-and-spoke network; R2 and R3 are the spokes.
– R1 to R3 are running RIP version 2 with auto-summary turned off on the serial links.
– R1's serial interface is configured with “no ip split-horizon”, as it is a multipoint interface.
– R1, R2 and R3 have loopbacks 1.1.1.1/32, 2.2.2.2/32 and 3.3.3.3/32, which are redistributed into RIP.
– R2 and R3 both redistribute the networks 192.168.100.0/24 and 192.168.101.0/24 into RIP.

Goal:
– Disable the load-balancing of the two networks across the serial links on R1, based on the neighbor address: one subnet should be used per serial link. Use an extended ACL for that.

So let's first check the FIB of R1:


R1# sh ip route rip
2.0.0.0/32 is subnetted, 1 subnets
R 2.2.2.2 [120/1] via 172.16.0.2, 00:00:03, Serial0/0.1
3.0.0.0/32 is subnetted, 1 subnets
R 3.3.3.3 [120/1] via 172.16.0.3, 00:00:23, Serial0/0.1
R 192.168.100.0/24 [120/1] via 172.16.0.3, 00:00:23, Serial0/0.1
[120/1] via 172.16.0.2, 00:00:04, Serial0/0.1
R 192.168.101.0/24 [120/1] via 172.16.0.3, 00:00:23, Serial0/0.1
[120/1] via 172.16.0.2, 00:00:04, Serial0/0.1


We can see that the two networks are received from both spokes and that load-balancing will occur in a 1:1 fashion. So what we need to do now is to accept only network 192.168.100.0/24 from, let's say, R2 and only 192.168.101.0/24 from neighbor R3, using a distribute-list that references an extended ACL.

We will see that using an extended ACL with RIP is not the same as in BGP or other routing protocols; when we use one for filtering we have to be careful. Here is what I mean.

When filtering under RIP, the extended ACL is interpreted like this:
– The first part (the source of an E-ACL) does not match the network. With RIP, the source is the router that actually sends us the routing update.
– The second part (the destination) matches the network the advertising router is talking about.

So in our case we don't want R3's route to 192.168.100.0/24 to be installed, and we also don't want R2's route to 192.168.101.0/24 to be installed in our routing table. So…

…forbid the advertisement of 192.168.100.0/24 from R3
…forbid the advertisement of 192.168.101.0/24 from R2


R1(config)#access-list 150 deny ip 172.16.0.3 0.0.0.0 192.168.100.0 0.0.0.255
R1(config)#access-list 150 deny ip 172.16.0.2 0.0.0.0 192.168.101.0 0.0.0.255
R1(config)#access-list 150 permit ip any any


Let's attach that ACL to a distribute-list:


R1(config)#router rip
R1(config-router)#distribute-list 150 in


Now we will wait 45 seconds and have a look at the FIB:


R1#sh ip route rip
2.0.0.0/32 is subnetted, 1 subnets
R 2.2.2.2 [120/1] via 172.16.0.2, 00:00:02, Serial0/0.1
3.0.0.0/32 is subnetted, 1 subnets
R 3.3.3.3 [120/1] via 172.16.0.3, 00:00:24, Serial0/0.1
R 192.168.100.0/24 [120/1] via 172.16.0.3, 00:00:52, Serial0/0.1
[120/1] via 172.16.0.2, 00:00:02, Serial0/0.1
R 192.168.101.0/24 [120/1] via 172.16.0.3, 00:00:24, Serial0/0.1
[120/1] via 172.16.0.2, 00:00:57, Serial0/0.1


Hm, the routes are still there. But take a look at how long they have been in the FIB: two of the routes have been in the routing table for longer than 30 seconds, which means they are no longer being updated. RIP refreshes the routes it has learned every 30 seconds. So let's take a look at the RIP database of R1.


R1#sh ip rip database
1.0.0.0/8 auto-summary
1.1.1.1/32 redistributed
[1] via 0.0.0.0,
2.0.0.0/8 auto-summary
2.2.2.2/32
[1] via 172.16.0.2, 00:00:01, Serial0/0.1
3.0.0.0/8 auto-summary
3.3.3.3/32
[1] via 172.16.0.3, 00:00:22, Serial0/0.1
172.16.0.0/16 auto-summary
172.16.0.0/24 directly connected, Serial0/0.1
192.168.100.0/24 auto-summary
192.168.100.0/24
[1] via 172.16.0.2, 00:00:01, Serial0/0.1
[1] via 172.16.0.3, 00:02:15, Serial0/0.1
192.168.101.0/24 auto-summary
192.168.101.0/24
[1] via 172.16.0.3, 00:00:22, Serial0/0.1
[1] via 172.16.0.2, 00:02:21, Serial0/0.1


Same thing here. But why are they still there? Let's take a look at “show ip protocol”:


R1#sh ip protocol
Routing Protocol is "rip"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is 150
Sending updates every 30 seconds, next due in 5 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Redistributing: connected, rip
Default version control: send version 2, receive version 2
Interface Send Recv Triggered RIP Key-chain
Serial0/0.1 2 2
Automatic network summarization is not in effect
Maximum path: 4
Routing for Networks:
172.16.0.0
Routing Information Sources:
Gateway Distance Last Update
172.16.0.2 120 00:00:01
172.16.0.3 120 00:00:20
Distance: (default is 120)


We can see that there is a timer called “invalid” which is set to 180 seconds. This means that routes which are not refreshed are considered invalid after 180 seconds. Let's wait a little longer and take a look at the FIB again.


R1#sh ip route rip
2.0.0.0/32 is subnetted, 1 subnets
R 2.2.2.2 [120/1] via 172.16.0.2, 00:00:09, Serial0/0.1
3.0.0.0/32 is subnetted, 1 subnets
R 3.3.3.3 [120/1] via 172.16.0.3, 00:00:05, Serial0/0.1
R 192.168.100.0/24 [120/1] via 172.16.0.2, 00:00:09, Serial0/0.1
R 192.168.101.0/24 [120/1] via 172.16.0.3, 00:00:05, Serial0/0.1


There we go. We now send traffic destined to 192.168.100.0/24 via R2 and traffic destined to 192.168.101.0/24 via R3.
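The two points this post demonstrates, the source/destination semantics of an extended ACL in a RIP inbound distribute-list and the way filtered routes linger until the invalid timer expires, modelled in Python as an added example (this is not the post's own code and only approximates IOS behaviour). ACL 150 and the neighbor addresses come from the post; the list of updates and the "fresh"/"stale" bookkeeping are constructed assumptions.

```python
import ipaddress

# ACL 150 from the post: (action, source, source-wildcard, destination, destination-wildcard)
ACL_150 = [
    ("deny",   "172.16.0.3", "0.0.0.0", "192.168.100.0", "0.0.0.255"),
    ("deny",   "172.16.0.2", "0.0.0.0", "192.168.101.0", "0.0.0.255"),
    ("permit", "any", None, "any", None),
]

# Constructed sample: the updates R2 (172.16.0.2) and R3 (172.16.0.3) send to R1
UPDATES = [
    ("172.16.0.2", "2.2.2.2/32"), ("172.16.0.2", "192.168.100.0/24"),
    ("172.16.0.2", "192.168.101.0/24"), ("172.16.0.3", "3.3.3.3/32"),
    ("172.16.0.3", "192.168.100.0/24"), ("172.16.0.3", "192.168.101.0/24"),
]
INVALID_TIMER = 180  # seconds, as shown by 'show ip protocol'

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard-mask match: a set bit in the wildcard means 'don't care'."""
    if base == "any":
        return True
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def rip_inbound_permitted(acl, advertising_router, prefix):
    """Evaluate an extended ACL the way a RIP inbound distribute-list does:
    'source' is the neighbor that sent the update, 'destination' the network
    it advertises. First match wins; no match hits the implicit deny."""
    network = str(ipaddress.ip_network(prefix).network_address)
    for action, src, src_wc, dst, dst_wc in acl:
        if wildcard_match(advertising_router, src, src_wc) and \
           wildcard_match(network, dst, dst_wc):
            return action == "permit"
    return False

def routing_table_after(acl, updates, seconds):
    """Model R1's RIP routes 'seconds' after the distribute-list is applied.
    Permitted routes keep being refreshed ('fresh'); filtered routes are never
    refreshed again ('stale') and stay installed only until they age past the
    invalid timer, which is what the post observes in the FIB."""
    table = {}
    for router, prefix in updates:
        if rip_inbound_permitted(acl, router, prefix):
            table[(router, prefix)] = "fresh"
        elif seconds < INVALID_TIMER:
            table[(router, prefix)] = "stale"
    return table
```

Calling routing_table_after(ACL_150, UPDATES, 45) returns all six entries with the two filtered ones marked stale; at 200 seconds only the four refreshed entries remain, matching the final "sh ip route rip" above.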

This lab is just an example of how to use E-ACLs with RIP. I am aware that this is not a very sane configuration for a production network, because if either R2 or R3 fails, one network can't be reached.

Regards!
Markus


About markus.wirth

Living near Limburg in Germany, working as a Network Engineer around Frankfurt am Main.
This entry was posted in ACL, RIP, Routing.

6 Responses to rip: route-filtering based on advertising router (extended acls)

  1. sheno says:

    so great Markus
    every day i see a new use for the acl

    WHAT A GREAT COMMAND

  2. sheno says:

    can you please put the configuration for R2 AND R3

  3. sheno says:

    R2

    interface FastEthernet0/0
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet0/0.100
    encapsulation dot1Q 100
    ip address 192.168.100.2 255.255.255.0
    no snmp trap link-status
    !
    interface FastEthernet0/0.101
    encapsulation dot1Q 101
    ip address 192.168.101.2 255.255.255.0
    no snmp trap link-status

    interface Serial1/0
    ip address 172.16.0.2 255.255.0.0
    encapsulation frame-relay
    serial restart-delay 0
    no dce-terminal-timing-enable
    frame-relay interface-dlci 201

    router rip
    version 2
    network 0.0.0.0
    no auto-summary
    ===========================================

    R2

    interface FastEthernet0/0
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet0/0.100
    encapsulation dot1Q 100
    ip address 192.168.100.3 255.255.255.0
    no snmp trap link-status
    !
    interface FastEthernet0/0.101
    encapsulation dot1Q 101
    ip address 192.168.101.3 255.255.255.0
    no snmp trap link-status
    !

    interface Serial1/0
    ip address 172.16.0.3 255.255.0.0
    encapsulation frame-relay
    serial restart-delay 0
    no dce-terminal-timing-enable
    frame-relay interface-dlci 301
    !

    router rip
    version 2
    network 0.0.0.0
    no auto-summary
    !
    ============================

  4. sheno says:

    thank u bro. i did the lab, it's great and i also discovered something:
    first i tried to make a named extended acl

    but the router refused and said it's not allowed to use a named extended acl

    so i tried your method with a numbered extended acl and it succeeded
    thx

  5. markus.wirth says:

    Yeah that is also the reason why I used a numbered extended ACL. Named ones are not allowed…at least extended. Standard named ACLs are allowed.

    Regards!

  6. Pingback: Another RIP sample « Routed Hues
