Being that this lab is already set (see previous post), my EIGRP routes are all showing on R2’s ABR R3 as shown below, I am going to write a couple of Distribution lists. A main point again about Distribute-Lists:
- You can have more than one, but the more specific dist-list always takes precedence
So understanding the in / out portion of this, let’s play with this and see what happens, first I’ll go kind of action by action, and show R2’s reaction to the table:
R1(config-router)#redist conn subnets metric-type 1
R1(config-router)#exit
R1(config)#access-list 22 deny 30.0.0.0 0.0.0.255
R1(config)#access-list 22 deny 33.33.33.0 0.0.0.255
R1(config)#router ospf 1
R1(config-router)#distribute-list 22 ?
in Filter incoming routing updates
out Filter outgoing routing updates
R1(config-router)#router eigrp 100
R1(config-router)#distr
R1(config-router)#distribute-list 22 ?
in Filter incoming routing updates
out Filter outgoing routing updates
R1(config-router)#distribute-list 22 in ?
Async Async interface
BVI Bridge-Group Virtual Interface
CDMA-Ix CDMA Ix interface
CTunnel CTunnel interface
Dialer Dialer interface
FastEthernet FastEthernet IEEE 802.3
Lex Lex interface
Loopback Loopback interface
MFR Multilink Frame Relay bundle interface
Multilink Multilink-group interface
Null Null interface
Port-channel Ethernet Channel of interfaces
Serial Serial
Tunnel Tunnel interface
Vif PGM Multicast Host interface
Virtual-PPP Virtual PPP interface
Virtual-Template Virtual Template interface
Virtual-TokenRing Virtual TokenRing
<cr>
R1(config-router)#distribute-list 22 in serial0/1 (EIGRP INTERFACE)
R1(config-router)#
One very important thing to mention here is that when you use the filter option “in” instead of “out” you can only use an interface, whereas with “out” you can use an interface or a protocol (only protocol for OSPF).
So I was thinking filtered from inbound updates, so it must need to go on the EIGRP network, as that is where those routing updates are coming from, however I connected R1 to have lo30 with 30.1.1.1 in its OSPF network that I added to the ACL.
So a couple of questions, will it block 33.33.33.0/24 from R3, will it block 30.0.0.0 /24, will it block anything not being configured on in OSPF going ‘out’?
R2#sh ip route
Gateway of last resort is not set
2.0.0.0/24 is subnetted, 1 subnets
C 2.2.2.0 is directly connected, Loopback2
100.0.0.0/13 is subnetted, 1 subnets
O E1 100.0.0.0 [110/84] via 172.12.12.1, 00:28:31, Serial0/0
33.0.0.0/24 is subnetted, 1 subnets
O E1 33.33.33.0 [110/84] via 172.12.12.1, 00:28:31, Serial0/0
3.0.0.0/24 is subnetted, 1 subnets
O E1 3.3.3.0 [110/84] via 172.12.12.1, 00:28:31, Serial0/0
172.12.0.0/24 is subnetted, 2 subnets
C 172.12.12.0 is directly connected, Serial0/0
O E1 172.12.13.0 [110/84] via 172.12.12.1, 00:08:23, Serial0/0
30.0.0.0/24 is subnetted, 1 subnets
O E1 30.0.0.0 [110/84] via 172.12.12.1, 00:08:23, Serial0/0
R2#
It didn’t do a thing, I think it needs to go on the OSPF interface, and I am not letting this go just yet. It seems like it either has to be issued on the protocol the routes are arriving on… or as OSPF loves to hate… the interface!
R1(config-router)#distribute-list 22 in s0/1
R1(config-router)#
ASR>2
[Resuming connection 2 to r2 … ]
R2#sh ip route
Gateway of last resort is not set
2.0.0.0/24 is subnetted, 1 subnets
C 2.2.2.0 is directly connected, Loopback2
100.0.0.0/13 is subnetted, 1 subnets
O E1 100.0.0.0 [110/84] via 172.12.12.1, 00:34:43, Serial0/0
33.0.0.0/24 is subnetted, 1 subnets
O E1 33.33.33.0 [110/84] via 172.12.12.1, 00:34:43, Serial0/0
3.0.0.0/24 is subnetted, 1 subnets
O E1 3.3.3.0 [110/84] via 172.12.12.1, 00:34:43, Serial0/0
172.12.0.0/24 is subnetted, 2 subnets
C 172.12.12.0 is directly connected, Serial0/0
O E1 172.12.13.0 [110/84] via 172.12.12.1, 00:14:36, Serial0/0
30.0.0.0/24 is subnetted, 1 subnets
O E1 30.0.0.0 [110/84] via 172.12.12.1, 00:14:36, Serial0/0
R2#
This is getting old, I’m going to try using the interface pointing towards the OSPF domain to see if this does anything for its case, I am going back to out but not defining EIGRP:
R1(config-router)#distribute-list 22 out
R1(config-router)#
ASR>2
[Resuming connection 2 to r2 … ]
R2#
R2#
R2#show ip route
Gateway of last resort is not set
2.0.0.0/24 is subnetted, 1 subnets
C 2.2.2.0 is directly connected, Loopback2
172.12.0.0/24 is subnetted, 1 subnets
C 172.12.12.0 is directly connected, Serial0/0
R2#
It seems to have dropped all redistributed routes, OSPF and Connected included, let’s see what R1 is thinking:
R1(config-router)#
R1(config-router)#do sh access-list 22
Standard IP access list 22
10 deny 30.0.0.0, wildcard bits 0.0.0.255 (1 match)
20 deny 33.33.33.0, wildcard bits 0.0.0.255 (1 match)
R1(config-router)#no distribute-list 22 out
R1(config-router)#distribute-list 22 out eigrp 100
R1(config-router)#
ASR>2
[Resuming connection 2 to r2 … ]
Gateway of last resort is not set
R2#show ip route
2.0.0.0/24 is subnetted, 1 subnets
C 2.2.2.0 is directly connected, Loopback2
172.12.0.0/24 is subnetted, 2 subnets
C 172.12.12.0 is directly connected, Serial0/0
O E1 172.12.13.0 [110/84] via 172.12.12.1, 00:00:41, Serial0/0
30.0.0.0/24 is subnetted, 1 subnets
O E1 30.0.0.0 [110/84] via 172.12.12.1, 00:00:41, Serial0/0
R2#
Do you already see the issue? This easy issue that could cause a lot of problems / exam points? There is no statement permitting the other EIGRP routes to propagate, so R2 is getting nothing because after the implicit deny at the end, our ACL is “deny any” at the moment as can be seen in the route table just above.
Let’s fix that, and confirm:
R1(config)#access-list 22 permit any
R1(config)#do sh access-list 22
Standard IP access list 22
10 deny 30.0.0.0, wildcard bits 0.0.0.255 (1 match)
20 deny 33.33.33.0, wildcard bits 0.0.0.255 (3 matches)
30 permit any (2 matches)
R1(config)#
ASR>2
[Resuming connection 2 to r2 … ]
R2#sh ip route
Gateway of last resort is not set
2.0.0.0/24 is subnetted, 1 subnets
C 2.2.2.0 is directly connected, Loopback2
100.0.0.0/13 is subnetted, 1 subnets
O E1 100.0.0.0 [110/84] via 172.12.12.1, 00:00:52, Serial0/0
3.0.0.0/24 is subnetted, 1 subnets
O E1 3.3.3.0 [110/84] via 172.12.12.1, 00:00:52, Serial0/0
172.12.0.0/24 is subnetted, 2 subnets
C 172.12.12.0 is directly connected, Serial0/0
O E1 172.12.13.0 [110/84] via 172.12.12.1, 00:06:02, Serial0/0
30.0.0.0/24 is subnetted, 1 subnets
O E1 30.0.0.0 [110/84] via 172.12.12.1, 00:06:04, Serial0/0
R2#
I put R1’s directly connected route on the ACL to see if that would also be suppressed, but we specified EIGRP so that is what we got, but we need to suppress the static route as well so let’s see if duo-Dist-Lists can exist in a routing protocol:
R1(config)#access-list 23 deny 30.0.0.0 0.0.0.255
R1(config)#router ospf 1
R1(config-router)#dis
R1(config-router)#distri
R1(config-router)#distribute-list 23 out ?
Async Async interface
BVI Bridge-Group Virtual Interface
CDMA-Ix CDMA Ix interface
CTunnel CTunnel interface
Dialer Dialer interface
FastEthernet FastEthernet IEEE 802.3
Lex Lex interface
Loopback Loopback interface
MFR Multilink Frame Relay bundle interface
Multilink Multilink-group interface
Null Null interface
Port-channel Ethernet Channel of interfaces
Serial Serial
Tunnel Tunnel interface
Vif PGM Multicast Host interface
Virtual-PPP Virtual PPP interface
Virtual-Template Virtual Template interface
Virtual-TokenRing Virtual TokenRing
bgp Border Gateway Protocol (BGP)
connected Connected
eigrp Enhanced Interior Gateway Routing Protocol (EIGRP)
ospf Open Shortest Path First (OSPF)
R1(config-router)#distribute-list 23 out conn
R1(config-router)#distribute-list 23 out connected ?
<cr>
R1(config-router)#distribute-list 23 out connected
R1(config-router)#
ASR>2
[Resuming connection 2 to r2 … ]
R2#sh ip route
Gateway of last resort is not set
2.0.0.0/24 is subnetted, 1 subnets
C 2.2.2.0 is directly connected, Loopback2
100.0.0.0/13 is subnetted, 1 subnets
O E1 100.0.0.0 [110/84] via 172.12.12.1, 00:05:44, Serial0/0
3.0.0.0/24 is subnetted, 1 subnets
O E1 3.3.3.0 [110/84] via 172.12.12.1, 00:05:44, Serial0/0
172.12.0.0/24 is subnetted, 1 subnets
C 172.12.12.0 is directly connected, Serial0/0
R2#
It’s like the Joker’s magical pencil trick, on a route, without using an eye socket to make it disappear (A Batman: The Dark Knight reference, get it?) – However the route is now gone!
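The three outbound filtering results above can be reproduced with a small model of standard-ACL matching, first match wins and implicit deny at the end. This is an added example, not IOS code or part of the original lab; the function names are hypothetical, and the source label on each route (eigrp or connected) is an assumption inferred from which routes survived in R2's tables.

```python
import ipaddress

PERMIT_ANY = ("permit", "0.0.0.0", "255.255.255.255")

# ACLs as entered on R1 in the lab above.
ACL22 = [("deny", "30.0.0.0", "0.0.0.255"), ("deny", "33.33.33.0", "0.0.0.255")]
ACL22_FIXED = ACL22 + [PERMIT_ANY]
ACL23 = [("deny", "30.0.0.0", "0.0.0.255")]  # no permit line was added

# Routes R1 redistributes into OSPF (source labels are assumptions).
ROUTES = [
    ("eigrp", "100.0.0.0"), ("eigrp", "33.33.33.0"), ("eigrp", "3.3.3.0"),
    ("connected", "172.12.13.0"), ("connected", "30.0.0.0"),
]


def acl_permits(acl, network):
    """Match a route's network address against a standard ACL."""
    addr = int(ipaddress.IPv4Address(network))
    for action, base, wildcard in acl:
        # Wildcard bits set to 1 are "don't care"; compare only the rest.
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if (addr ^ int(ipaddress.IPv4Address(base))) & care == 0:
            return action == "permit"  # first matching entry decides
    return False  # implicit deny when nothing matched


def advertised(routes, out_filters):
    """Apply 'distribute-list N out <source>' per source protocol."""
    kept = []
    for source, network in routes:
        acl = out_filters.get(source)  # None means no filter for this source
        if acl is None or acl_permits(acl, network):
            kept.append(network)
    return kept


if __name__ == "__main__":
    cases = {
        "22 out eigrp 100": {"eigrp": ACL22},
        "22 + permit any": {"eigrp": ACL22_FIXED},
        "22 fixed + 23 out connected": {"eigrp": ACL22_FIXED, "connected": ACL23},
    }
    for name, filters in cases.items():
        print(f"{name:30} -> {advertised(ROUTES, filters)}")
```

The last case also drops 172.12.13.0, which is what R2's final table shows: ACL 23 has no permit entry, so its implicit deny removes every connected route, not only 30.0.0.0.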
So a quick reminder with some output to back it up:
[Resuming connection 1 to r1 … ]
distribute-list 23 out serial0/0
% Interface not allowed with OUT for OSPF
R1(config-router)#
***WITH OSPF DIST-LISTS YOU MUST SPECIFY A ROUTING PROTOCOL / DOMAIN, AND NOT AN INTERFACE TO FILTER ROUTES OUT OF, NO INTERFACE #’S FOR OSPF!!!!****
- Also wanted to point out that we can have several distribution-lists on a routing protocol for all our filtering needs, but like routes, if one is more specific it will ‘override’ the less specific ones in terms of filtering
So I will admit defeat here, I have found some good facts about dist-lists and will just have to use them for outbound routing updates for now until I learn what the inbound is all about. I am going to set up the routers as they were when I made the rockin Myself Inc Topology showing Branch Offices, and we will get some of this going on there, as I’d like to start Route-Maps with a wider network of routers as well.
Going to re-cable and reconfigure, and start a new post to document my dramas about trying to get this to work on the network 🙂 See ya!