Sunday, January 24, 2010

RIPv2 route filtering

Hi all,
this weekend I'm studying RIPv2.
With RIPv2 there are several methods to filter routes received and advertised to other neighbors.
Here is a brief explanation of the different ways. I have considered as "filters" all the tricks that let you control which prefixes get installed in the routing table, including:

- Filtering using passive interfaces
- Filtering using prefix-lists
- Filtering using standard access-lists
- Filtering using extended access-lists
- Filtering using administrative distance
- Filtering using offset-lists

The topology I used to test all those features is simple:



Here is the .net file I used on Dynagen ;-) and the initial configs:



############## rip.net file ###############
[10.3.3.2:7200]
udp = 10000
workingdir = /tmp
[[7200]]
image = /opt/c7200-adventerprisek9-mz.124-11.T.bin
npe = npe-400
ram = 160
[[ROUTER R1]]
console = 20001
s1/0 = R2 s1/0
[[ROUTER R2]]
console = 20002
s1/1 = R3 s1/1

[10.3.3.2:7201]
udp = 15000
workingdir = /tmp
[[7200]]
image = /opt/c7200-adventerprisek9-mz.124-11.T.bin
npe = npe-400
ram = 160
[[ROUTER R3]]
console = 20003
################## end rip.net file ######################

!--- R1 initial config
hostname R1

no ip domain-look
line con 0
logging sync
no exec-tim

int ser 1/0
desc R1 <-> R2
ip address 10.12.12.1 255.255.255.192
no shut

int lo 0
ip address 192.168.1.1 255.255.255.0
exit

router rip
version 2
network 10.0.0.0
network 192.168.1.0
no auto-summary
!--- END R1 initial config

!--- R2 initial config
hostname R2

no ip domain-look
line con 0
logging sync
no exec-tim

int ser 1/0
desc R1 <-> R2
ip address 10.12.12.2 255.255.255.192
no shut

int ser 1/1
desc R2 <-> R3
ip address 10.23.23.2 255.255.255.192
no shut

int lo 0
ip address 192.168.2.1 255.255.255.0
exit

router rip
version 2
network 10.0.0.0
network 192.168.2.0
no auto-summary
!--- END R2 initial config

!--- R3 initial config
hostname R3

no ip domain-look
line con 0
logging sync
no exec-tim

int ser 1/1
desc R3 <-> R2
ip address 10.23.23.3 255.255.255.192
no shut

int lo 0
ip address 192.168.3.1 255.255.255.0

router rip
version 2
network 10.0.0.0
network 192.168.3.0
no auto-summary
!--- END R3 initial config



PASSIVE INTERFACE:
In RIP and RIPv2 the passive interface behaves differently than in the other routing protocols. With OSPF and EIGRP a passive interface doesn't send hellos and doesn't form any kind of adjacency with neighbors.
Since RIP doesn't form a two-way neighbor relationship, a passive interface tells the RIP process something like "don't send updates out this interface", but it doesn't prevent updates from being received and processed on it.
In our topology, if you want to prevent R2 from receiving R1's Lo0 route, simply configure R1 Serial1/0 as a passive interface. R1 will keep receiving and installing updates, but won't send anything out Ser 1/0.
R1#sh ip route | beg Gate
Gateway of last resort is not set

10.0.0.0/26 is subnetted, 2 subnets
R 10.23.23.0 [120/1] via 10.12.12.2, 00:00:09, Serial1/0
C 10.12.12.0 is directly connected, Serial1/0
C 192.168.1.0/24 is directly connected, Loopback0
R 192.168.2.0/24 [120/1] via 10.12.12.2, 00:00:09, Serial1/0
R 192.168.3.0/24 [120/2] via 10.12.12.2, 00:00:09, Serial1/0
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#router rip
R1(config-router)#passive-int ser 1/0
R1(config-router)#end

R1#sh ip route | beg Gate
Gateway of last resort is not set

10.0.0.0/26 is subnetted, 2 subnets
R 10.23.23.0 [120/1] via 10.12.12.2, 00:00:06, Serial1/0
C 10.12.12.0 is directly connected, Serial1/0
C 192.168.1.0/24 is directly connected, Loopback0
R 192.168.2.0/24 [120/1] via 10.12.12.2, 00:00:06, Serial1/0
R 192.168.3.0/24 [120/2] via 10.12.12.2, 00:00:06, Serial1/0
R1#

R1 still has all the routes, so it is still processing the received updates; but on R2, after a little while...

R2#sh ip route | beg Gate
Gateway of last resort is not set

10.0.0.0/26 is subnetted, 2 subnets
C 10.23.23.0 is directly connected, Serial1/1
C 10.12.12.0 is directly connected, Serial1/0
C 192.168.2.0/24 is directly connected, Loopback0
R 192.168.3.0/24 [120/1] via 10.23.23.3, 00:00:04, Serial1/1
R2#

R2 no longer has R1's Loopback0 route.
This is a drastic way to do route filtering (the whole update is suppressed, not a single prefix)... but it works ;-)

PREFIX LISTS:
Let's remove the previous configuration and try to do the filtering with a prefix-list. Remember that RIP uses prefix-lists and access-lists to filter the received or sent updates through a distribute-list configured under the router rip process.
So the first place to go is the RIP process, where a question mark lets us look around:

R1(config)#router rip
R1(config-router)#distribute-list ?
<1-199> IP access list number
<1300-2699> IP expanded access list number
WORD Access-list name
gateway Filtering incoming updates based on gateway
prefix Filter prefixes in routing updates

If we want to use a prefix-list, we have to put the word "prefix" before the prefix-list name, or the name will be taken as a named access-list (that's my usual mistake).
Well, let's prepare the prefix-list; maybe we don't want to receive the 192.168.3.0/24 prefix on R1:

R1(config)#ip prefix-list no-R3-lo0 deny 192.168.3.0/24 !---deny the unwanted prefixes
R1(config)#ip prefix-list no-R3-lo0 permit 0.0.0.0/0 le 32 !---permit all the remaining
R1(config)#router rip
R1(config-router)#distribute-list prefix no-R3-lo0 in !--- this is too general, it applies to every interface...
R1(config-router)#distribute-list prefix no-R3-lo0 in ?
Async Async interface
BVI Bridge-Group Virtual Interface
CDMA-Ix CDMA Ix interface
CTunnel CTunnel interface
Dialer Dialer interface
FastEthernet FastEthernet IEEE 802.3
Lex Lex interface
Loopback Loopback interface
MFR Multilink Frame Relay bundle interface
Multilink Multilink-group interface
Null Null interface
Port-channel Ethernet Channel of interfaces
Serial Serial
Tunnel Tunnel interface
Vif PGM Multicast Host interface
Virtual-PPP Virtual PPP interface
Virtual-Template Virtual Template interface
Virtual-TokenRing Virtual TokenRing
XTagATM Extended Tag ATM interface


R1(config-router)#distribute-list prefix no-R3-lo0 in serial 1/0
R1(config-router)#end

R1#sh ip proto
Routing Protocol is "rip"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is (prefix-list) no-R3-lo0
Serial1/0 filtered by (prefix-list) no-R3-lo0
Sending updates every 30 seconds, next due in 22 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Redistributing: rip
Default version control: send version 2, receive version 2
Interface Send Recv Triggered RIP Key-chain
Serial1/0 2 2
Loopback0 2 2
Automatic network summarization is not in effect
Maximum path: 4
Routing for Networks:
10.0.0.0
192.168.1.0
Routing Information Sources:
Gateway Distance Last Update
10.12.12.2 120 00:00:05
Distance: (default is 120)

!-- after a little while (holddown) or after a clear ip route *
R1#sh ip route | beg Gate
Gateway of last resort is not set

10.0.0.0/26 is subnetted, 2 subnets
R 10.23.23.0 [120/1] via 10.12.12.2, 00:00:13, Serial1/0
C 10.12.12.0 is directly connected, Serial1/0
C 192.168.1.0/24 is directly connected, Loopback0
R 192.168.2.0/24 [120/1] via 10.12.12.2, 00:00:13, Serial1/0
R1#

So here we have filtered only the updates received on Ser1/0 with our prefix-list; that's pretty clean ;-)
Here the logic is "DENY the unwanted prefixes", then permit everything else.

STANDARD ACCESS-LISTS:
We can achieve the same goal with standard access-lists too, with some small differences:
R1#sh run | sec access-list
access-list 1 deny 192.168.3.0 0.0.0.255
access-list 1 permit any

R1#sh run | sec router
router rip
version 2
network 10.0.0.0
network 192.168.1.0
distribute-list 1 in
no auto-summary

R1#sh ip route | beg Gate
Gateway of last resort is not set

10.0.0.0/26 is subnetted, 2 subnets
R 10.23.23.0 [120/1] via 10.12.12.2, 00:00:04, Serial1/0
C 10.12.12.0 is directly connected, Serial1/0
C 192.168.1.0/24 is directly connected, Loopback0
R 192.168.2.0/24 [120/1] via 10.12.12.2, 00:00:04, Serial1/0
R1#sh ip proto
Routing Protocol is "rip"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is 1
Sending updates every 30 seconds, next due in 23 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Redistributing: rip
Default version control: send version 2, receive version 2
Interface Send Recv Triggered RIP Key-chain
Serial1/0 2 2
Loopback0 2 2
Automatic network summarization is not in effect
Maximum path: 4
Routing for Networks:
10.0.0.0
192.168.1.0
Routing Information Sources:
Gateway Distance Last Update
10.12.12.2 120 00:00:09
Distance: (default is 120)

Here we used a standard access-list; again the logic is "DENY unwanted prefixes", and we have to remember to put a "permit any" as the last statement, since every access-list ends with an implicit deny.
The "classic" use of access-lists is to filter odd/even prefixes ;-) we will talk about it in more depth this week.

EXTENDED ACCESS-LISTS

If we try to use extended access-lists, the logic is a little bit different: the "source" in the access-list is the IP address of the advertising router, and the "destination" is the prefix to permit or deny.
So let's try to configure an extended access-list on R3 to permit 192.168.1.0/24 only when it comes from R2:

R3#sh run | sec access-list
access-list 101 permit ip host 10.23.23.2 192.168.1.0 0.0.0.255

R3#sh run | sec router
router rip
version 2
network 10.0.0.0
network 192.168.3.0
distribute-list 101 in
no auto-summary

R3#sh ip route | beg Gate
Gateway of last resort is not set

10.0.0.0/26 is subnetted, 1 subnets
C 10.23.23.0 is directly connected, Serial1/1
R 192.168.1.0/24 [120/2] via 10.23.23.2, 00:00:17, Serial1/1
C 192.168.3.0/24 is directly connected, Loopback0
R3#sh ip protocols
Routing Protocol is "rip"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is 101
Sending updates every 30 seconds, next due in 28 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Redistributing: rip
Default version control: send version 2, receive version 2
Interface Send Recv Triggered RIP Key-chain
Serial1/1 2 2
Loopback0 2 2
Automatic network summarization is not in effect
Maximum path: 4
Routing for Networks:
10.0.0.0
192.168.3.0
Routing Information Sources:
Gateway Distance Last Update
10.23.23.2 120 00:00:22
Distance: (default is 120)

R3#

OK, it worked. Here we don't have multiple sources for the same prefix, so we can't really appreciate the difference between standard and extended access-lists for filtering. Note also that R3 lost 192.168.2.0/24 and 10.12.12.0/26: the ACL has no "permit any", so every other prefix hits the implicit deny.
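To make the three match rules from the prefix-list, standard and extended access-list sections concrete, here is a small Python model (an added example, not code from the original post or from IOS) of how an inbound distribute-list decides which received prefixes survive. The update, the router addresses and the filter entries are constructed from the topology on the page; the functions and their signatures are my own.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed input: the update R1 receives from R2 (10.12.12.2), as in the
# "debug ip rip" output on the page: (prefix, hop count).
UPDATE_FROM_R2 = [("10.23.23.0/26", 1), ("192.168.2.0/24", 1), ("192.168.3.0/24", 2)]
R2_SERIAL = "10.12.12.2"

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit in the wildcard means 'don't care'."""
    keep = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & keep == int(IPv4Address(base)) & keep

def std_acl(entries):
    """access-list N {permit|deny} BASE WILDCARD: only the network address of
    the prefix is tested, never its length. Entries: (action, base, wildcard)."""
    def accept(prefix, source):
        net = str(IPv4Network(prefix).network_address)
        for action, base, wc in entries:
            if wildcard_match(net, base, wc):
                return action == "permit"
        return False  # implicit deny at the end of every ACL
    return accept

def ext_acl(entries):
    """access-list 1xx {permit|deny} ip SRC SRC_WC DST DST_WC: source is the
    advertising router, destination is the prefix being advertised."""
    def accept(prefix, source):
        net = str(IPv4Network(prefix).network_address)
        for action, sb, swc, db, dwc in entries:
            if wildcard_match(source, sb, swc) and wildcard_match(net, db, dwc):
                return action == "permit"
        return False  # implicit deny
    return accept

def prefix_list(entries):
    """ip prefix-list NAME {permit|deny} NET/LEN [ge G] [le L], with the
    resolved range given as (action, net, ge, le): 'deny 192.168.3.0/24' is
    (24, 24), 'permit 0.0.0.0/0 le 32' is (0, 32). Length is part of the match."""
    def accept(prefix, source):
        net = IPv4Network(prefix)
        for action, base, ge, le in entries:
            if net.subnet_of(IPv4Network(base)) and ge <= net.prefixlen <= le:
                return action == "permit"
        return False  # implicit deny
    return accept

def distribute_list_in(accept, update=UPDATE_FROM_R2, source=R2_SERIAL):
    """Prefixes that survive an inbound distribute-list using filter 'accept'."""
    return [prefix for prefix, _hops in update if accept(prefix, source)]
```

The prefix-list filter also shows why "deny 192.168.0.0/16" without "le" would match nothing here: the /24s fail the exact-length test, whereas a standard ACL with the same wildcard would deny them.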


OFFSET LISTS:
Another way to avoid the installation of prefixes in the routing table is to play with offset-lists, that is, applying an inaccessible metric to our unwanted prefixes (remember, inaccessible means 16 hops for RIP).
So let's try to filter out the 192.168.3.0/24 prefix on R1 without using distribute-lists and without touching the R1 config... whoops, tricky one...


R2#sh run | sec access-list
access-list 1 permit 192.168.3.0 0.0.0.255
R2#sh run | sec router
router rip
version 2
offset-list 1 out 16 Serial1/0
network 10.0.0.0
network 192.168.2.0
no auto-summary
R2#sh ip proto
Routing Protocol is "rip"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Outgoing routes in Serial1/0 will have 16 added to metric if on list 1
Sending updates every 30 seconds, next due in 22 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Redistributing: rip
Default version control: send version 2, receive version 2
Interface Send Recv Triggered RIP Key-chain
Serial1/0 2 2
Serial1/1 2 2
Loopback0 2 2
Automatic network summarization is not in effect
Maximum path: 4
Routing for Networks:
10.0.0.0
192.168.2.0
Routing Information Sources:
Gateway Distance Last Update
10.23.23.3 120 00:00:19
10.12.12.1 120 00:00:01
Distance: (default is 120)

!--- check on R1
R1#sh ip route | beg Gate
Gateway of last resort is not set

10.0.0.0/26 is subnetted, 2 subnets
R 10.23.23.0 [120/1] via 10.12.12.2, 00:00:13, Serial1/0
C 10.12.12.0 is directly connected, Serial1/0
C 192.168.1.0/24 is directly connected, Loopback0
R 192.168.2.0/24 [120/1] via 10.12.12.2, 00:00:13, Serial1/0

R1#debug ip rip
RIP protocol debugging is on
R1#
*Jan 25 12:38:21.347: RIP: received v2 update from 10.12.12.2 on Serial1/0
*Jan 25 12:38:21.351: 10.23.23.0/26 via 0.0.0.0 in 1 hops
*Jan 25 12:38:21.355: 192.168.2.0/24 via 0.0.0.0 in 1 hops
*Jan 25 12:38:21.359: 192.168.3.0/24 via 0.0.0.0 in 16 hops (inaccessible)

OK, it worked: R1 receives the update correctly but doesn't install the 192.168.3.0/24 prefix, because it arrives marked as inaccessible (16 hops).

ADMINISTRATIVE DISTANCE:

Administrative distance is useful to filter out routes too: setting the AD to 255 prevents the prefix from being installed in the routing table. Also keep in mind that RIP doesn't advertise prefixes that aren't in the routing table...
Let's try it on our R1, e.g. filtering out the 192.168.3.0/24 prefix.


R1#sh run | sec access-list
access-list 1 permit 192.168.3.0 0.0.0.255

R1#sh run | sec router
router rip
version 2
passive-interface default
network 10.0.0.0
network 192.168.1.0
distance 255 0.0.0.0 255.255.255.255 1
no auto-summary

R1#debug ip rip
RIP protocol debugging is on
R1#
*Jan 25 16:24:23.131: RIP: received v2 update from 10.12.12.2 on Serial1/0
*Jan 25 16:24:23.131: 10.23.23.0/26 via 0.0.0.0 in 1 hops
*Jan 25 16:24:23.135: 192.168.2.0/24 via 0.0.0.0 in 1 hops
*Jan 25 16:24:23.139: 192.168.3.0/24 via 0.0.0.0 in 2 hops

R1#sh ip proto
Routing Protocol is "rip"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Sending updates every 30 seconds, next due in 4 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Redistributing: rip
Default version control: send version 2, receive version 2
Interface Send Recv Triggered RIP Key-chain
Serial1/0 2 2
Loopback0 2 2
Automatic network summarization is not in effect
Maximum path: 4
Routing for Networks:
10.0.0.0
192.168.1.0
Routing Information Sources:
Gateway Distance Last Update
10.12.12.2 255 00:00:03
Distance: (default is 120)
Address Wild mask Distance List
0.0.0.0 255.255.255.255 255 1

R1#sh ip route | beg Gate
Gateway of last resort is not set

10.0.0.0/26 is subnetted, 2 subnets
R 10.23.23.0 [120/1] via 10.12.12.2, 00:00:20, Serial1/0
C 10.12.12.0 is directly connected, Serial1/0
C 192.168.1.0/24 is directly connected, Loopback0
R 192.168.2.0/24 [120/1] via 10.12.12.2, 00:00:20, Serial1/0

R1#sh ip rip database 192.168.3.0 255.255.255.0
%Route not in database
R1#sh ip rip database 192.168.2.0 255.255.255.0
192.168.2.0/24
[1] via 10.12.12.2, 00:00:16, Serial1/0
R1#

Note: when you use the "distance" command under the RIP process, you have to specify the source of the prefixes to filter and a standard or extended ACL matching the prefixes.
So "distance 255 0.0.0.0 255.255.255.255 1" means:
distance 255 <- mark the route as unreachable (255 is beyond the maximum usable admin distance, so it's never installed)
0.0.0.0 255.255.255.255 <- the route source as address and wildcard; here it means "any source"
1 <- the ACL number (or you can use a named ACL...)
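The offset-list and administrative distance sections both keep a prefix out of the table by changing a number rather than by dropping the update. This Python model (an added example, not code from the original post or from IOS) walks the page's 192.168.3.0/24 case through both: R2 adding 16 to the advertised metric and clamping at RIP infinity, and R1 applying AD 255 via a distance rule. The table, ACL and function names are constructed; "access-list 1 permit 192.168.3.0 0.0.0.255" and the source "0.0.0.0 255.255.255.255" are modelled as networks, which is exact for contiguous wildcard masks like these.

```python
from ipaddress import IPv4Address, IPv4Network

RIP_INFINITY = 16   # 16 hops means inaccessible in RIP
DEFAULT_AD = 120    # default administrative distance of RIP

# Constructed input from the topology: R2's routing table as (prefix, hops)
# and access-list 1 from the page, modelled as a list of permitted networks.
R2_TABLE = [("10.23.23.0/26", 0), ("192.168.2.0/24", 0), ("192.168.3.0/24", 1)]
ACL_1 = [IPv4Network("192.168.3.0/24")]

def acl_permits(prefix, acl):
    """Standard ACL as permitted networks; anything else hits the implicit deny."""
    return any(IPv4Network(prefix).subnet_of(n) for n in acl)

def advertise(table, acl=(), offset=0):
    """R2's outgoing update on Serial1/0: hop count + 1, plus the offset-list
    value for prefixes matching the ACL, clamped to RIP_INFINITY."""
    out = []
    for prefix, hops in table:
        metric = hops + 1 + (offset if acl_permits(prefix, acl) else 0)
        out.append((prefix, min(metric, RIP_INFINITY)))
    return out

def ad_for(prefix, source, rules):
    """'distance AD SRC WILDCARD ACL' rules as (ad, src_net, acl): the source is
    the advertising router, and the first matching rule wins."""
    for ad, src_net, acl in rules:
        if IPv4Address(source) in IPv4Network(src_net) and acl_permits(prefix, acl):
            return ad
    return DEFAULT_AD

def install(update, source, rules=()):
    """Routes R1 installs as (prefix, ad, metric): an inaccessible metric or an
    AD of 255 keeps the prefix out of the table, as the outputs above show."""
    installed = []
    for prefix, metric in update:
        ad = ad_for(prefix, source, rules)
        if metric >= RIP_INFINITY or ad == 255:
            continue
        installed.append((prefix, ad, metric))
    return installed
```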


For the readers, here is an extra exercise (but no solution provided) ;-)



Main goal here: without configuring any filtering on R1 and R5, the traffic from R1 to R5's loopbacks and from R5 to R1's loopbacks must flow through R3 to reach Loopback3, through R2 to reach Lo2 and through R4 to reach Lo4.
If one of R2, R3 or R4 fails, all loopbacks have to be reachable through an alternate path; it's acceptable that under normal conditions R2 uses suboptimal paths to reach the various loopbacks.
Have Phun ;-)
Marco
