(The title may be misleading as ACL’s will only be used for Distribute-List configuration)
As seen above I have though out how to keep all the route tagging that will need to occur straight in my mind, so the route tags for EIGRP will be their AS #’s, and OSPF / RIP will be using their domains. The authentication lab (Part 2) took so long I was unable to really get to anything else, so what I want to focus on right now is R1 and R5.
I am hoping to configure and cover in detail the following concepts:
- Route-Tagging in 2-way Redistribution via Route-Maps
- Distribute-List configurations illustrated and covered in detail
So lets gets it started with our first topic!
2-way Redistribution with Route tagging via Route-maps
For tagging via route-maps no ACL’s are needed, as the tags / permits / denies are all set in the route-map clauses. In this next example I will demonstrate the configuration of the route-maps, and apply them to the Redistribution, and take a look at how routes propagate:
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#route-map EIGRP2OSPF permit 10
R1(config-route-map)#set tag 100
R1(config-route-map)#exit
R1(config)#route-map OSPF2EIGRP deny 10
R1(config-route-map)#match tag 100
R1(config-route-map)#route-map OSPF2EIGRP permit 20
So this is the creation of the route-map, simply setting a tag for EIGRP traffic going out into OSPF land, and a second list denying that tagged traffic back in, finishing with a catch all clause permitting all other non-tagged traffic to be redistributed back into EIGRP.
- EIGRP2OSPF = Only tagging EIGRP redistributed routes with tag 100 as of now
- OSPF2EIGRP = Denying any traffic tagged as 100, allowing all other traffic
I first worked with EIGRP, and set the default-metric so I wouldn’t need to add that with redistribution going forward:
R1(config)#router eigrp 100
R1(config-router)#default-metric ?
<1-4294967295> Bandwidth in Kbits per second
R1(config-router)#default-metric 1544 ?
<0-4294967295> Delay metric, in 10 microsecond units
R1(config-router)#default-metric 1544 10 ?
<0-255> Reliability metric where 255 is 100% reliable
R1(config-router)#default-metric 1544 10 255 ?
<1-255> Effective bandwidth metric (Loading) where 255 is 100% loaded
R1(config-router)#default-metric 1544 10 255 1 ?
<1-65535> Maximum Transmission Unit metric of the path
R1(config-router)#default-metric 1544 10 255 1 1500
These are the defaults I always use, now the tricky part (and I mean that), applying the correct map to the correct protocol. On labs this can always be fixed and adjusted, but during the exam it may not be, so you must really think about what your route map is doing to the protocol being redistributed into the network protocol your configuring:
R1(config-router)#redistribute ospf 1 route-map OSPF2EIGRP
R1(config-router)#router ospf 1
R1(config-router)#redistribute eigrp 100 route-map EIGRP2OSPF subnets
I removed a lot of ? output, but essentially looked at the route-maps, and I am applying OSPF2EIGRP as it is blocking traffic with the tag of 100 and permitting all other traffic to be redistributed, and the second line is the simple tag 100 route-map for EIGRP routes going into OSPF.
So let’s look at how routers are seeing this traffic:
R5#show ip route eigrp
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
D EX 1.1.1.1 [170/1662976] via 172.12.15.1, 02:00:11, FastEthernet0/1
2.0.0.0/32 is subnetted, 1 subnets
D EX 2.2.2.2 [170/1662976] via 172.12.15.1, 02:00:11, FastEthernet0/1
3.0.0.0/32 is subnetted, 1 subnets
D EX 3.3.3.3 [170/1662976] via 172.12.15.1, 02:00:11, FastEthernet0/1
11.0.0.0/24 is subnetted, 1 subnets
D 11.11.11.0 [90/156160] via 172.12.15.1, 03:48:23, FastEthernet0/1
100.0.0.0/8 is variably subnetted, 15 subnets, 3 masks
D 100.0.0.0/13 is a summary, 03:48:28, Null0
172.12.0.0/16 is variably subnetted, 3 subnets, 2 masks
D EX 172.12.123.0/24
[170/1662976] via 172.12.15.1, 02:00:11, FastEthernet0/1
R5#show ip route 2.2.2.2
Routing entry for 2.2.2.2/32
Known via “eigrp 100”, distance 170, metric 1662976, type external
Redistributing via eigrp 100
Last update from 172.12.15.1 on FastEthernet0/1, 02:00:23 ago
Routing Descriptor Blocks:
* 172.12.15.1, from 172.12.15.1, 02:00:23 ago, via FastEthernet0/1
Route metric is 1662976, traffic share count is 1
Total delay is 200 microseconds, minimum bandwidth is 1544 Kbit
Reliability 255/255, minimum MTU 1500 bytes
Loading 1/255, Hops 1
R5#
As can be seen highlighted I did an extended show ip route on a redistributed route, and it has no tag (yet), but Redistribution is definitely working. Lets take a look in the OSPF domain on R2 to see what it shows:
R2#show ip route ospf
1.0.0.0/32 is subnetted, 1 subnets
O 1.1.1.1 [110/65] via 172.12.123.1, 02:01:03, Serial0/0
100.0.0.0/13 is subnetted, 1 subnets
O E2 100.0.0.0 [110/20] via 172.12.123.1, 02:01:03, Serial0/0
3.0.0.0/32 is subnetted, 1 subnets
O 3.3.3.3 [110/65] via 172.12.123.3, 02:01:03, Serial0/0
5.0.0.0/32 is subnetted, 1 subnets
O E2 5.5.5.5 [110/20] via 172.12.123.1, 02:01:03, Serial0/0
172.12.0.0/24 is subnetted, 4 subnets
O E2 172.12.15.0 [110/20] via 172.12.123.1, 02:01:03, Serial0/0
11.0.0.0/24 is subnetted, 1 subnets
O E2 11.11.11.0 [110/20] via 172.12.123.1, 02:01:03, Serial0/0
R2#show ip route 5.5.5.5
Routing entry for 5.5.5.5/32
Known via “ospf 1”, distance 110, metric 20
Tag 100, type extern 2, forward metric 64
Last update from 172.12.123.1 on Serial0/0, 02:01:14 ago
Routing Descriptor Blocks:
* 172.12.123.1, from 11.11.11.1, 02:01:14 ago, via Serial0/0
Route metric is 20, traffic share count is 1
Route tag 100
Now to finish this off, I would like to deny traffic in the EIGRP domain from leaking back out into OSPF as well by adding another sequence or two to that route-map here, but first lets take a look at what we have already in place:
R1#sh route-map
route-map EIGRP2OSPF, permit, sequence 10
Match clauses:
Set clauses:
tag 100
Policy routing matches: 0 packets, 0 bytes
route-map OSPF2EIGRP, deny, sequence 10
Match clauses:
tag 100
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map OSPF2EIGRP, permit, sequence 20
Match clauses:
Set clauses:
Policy routing matches: 0 packets, 0 bytes
R1#
Now the rule of thumb is that the deny must come before the tag on a route-map, otherwise the traffic will be tagged and off it goes, so the placement of the deny and set tags is important for both maps and should be done as shown below:
R1(config)#route-map EIGRP2OSPF deny 5
R1(config-route-map)#match tag 110
R1(config)#route-map OSPF2EIGRP permit 15
R1(config-route-map)#set tag 110
R1(config)#no route-map OSPF2EIGRP permit 20
R1(config-route-map)#exit
R1(config)#
R1#
*Mar 1 21:00:01.949: %SYS-5-CONFIG_I: Configured from console by console
R1#
ASR#5
[Resuming connection 5 to r5 … ]
R5#show ip route 2.2.2.2
Routing entry for 2.2.2.2/32
Known via “eigrp 100”, distance 170, metric 1662976
Tag 110, type external
Redistributing via eigrp 100
Last update from 172.12.15.1 on FastEthernet0/1, 00:00:41 ago
Routing Descriptor Blocks:
* 172.12.15.1, from 172.12.15.1, 00:00:41 ago, via FastEthernet0/1
Route metric is 1662976, traffic share count is 1
Total delay is 200 microseconds, minimum bandwidth is 1544 Kbit
Reliability 255/255, minimum MTU 1500 bytes
Loading 1/255, Hops 1
Route tag 110
R5#
So as can be seen, I’ve put the deny match tag 110 before the set tag 100 on the EIGRP2OSPF route-map, and set the tag 110 after the deny sequence on OSPF2EIGRP – However I also removed the catch-all clause on sequence 20 permitting all traffic.
Once I set the tag 110 for OSPF, it is permitting all traffic through anyways and tagging it as 110, which I want to happen so it doesn’t leak back out to OSPF. Now just one last confirmation down on R2 that nothing changed there:
R5#
ASR#2
[Resuming connection 2 to r2 … ]
R2#sh ip route 5.5.5.5
Routing entry for 5.5.5.5/32
Known via “ospf 1”, distance 110, metric 20
Tag 100, type extern 2, forward metric 64
Last update from 172.12.123.1 on Serial0/0, 00:24:51 ago
Routing Descriptor Blocks:
* 172.12.123.1, from 11.11.11.1, 00:24:51 ago, via Serial0/0
Route metric is 20, traffic share count is 1
Route tag 100
R2#
Good to go. So the big take-away from this is that deny’s matching tag #’s must come before permit’s setting tag #’s to stop route-leaks, and that a catch-all clause is not necessary as the tagging itself is acting as a sort of catch-all (for Redistribution).
ONE MORE THING IMPORTANT THING TO ADD TO ROUTE-MAPPING!
I saw on R2 that our OSPF external routes are E2 with the default metric going on, and I don’t want the seed metric of 20 for all routes, so I jumped back onto sequence # 10 where I tagged the traffic as 100 and configured another setting:
R1(config)#route-map EIGRP2OSPF permit 10
R1(config-route-map)#set metric-type type-1
R1#sh route-map
route-map EIGRP2OSPF, deny, sequence 5
Match clauses:
tag 110
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map EIGRP2OSPF, permit, sequence 10
Match clauses:
Set clauses:
metric-type type-1 <- Hooray!
tag 100
Policy routing matches: 0 packets, 0 bytes
route-map OSPF2EIGRP, deny, sequence 10
Match clauses:
tag 100
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map OSPF2EIGRP, permit, sequence 15
Match clauses:
Set clauses:
tag 110
Policy routing matches: 0 packets, 0 bytes
R1#
And then of course to verify quickly I jump over to R2 aaaaaand:
R2#show ip route ospf
1.0.0.0/32 is subnetted, 1 subnets
O 1.1.1.1 [110/65] via 172.12.123.1, 00:07:00, Serial0/0
100.0.0.0/13 is subnetted, 1 subnets
O E1 100.0.0.0 [110/84] via 172.12.123.1, 00:04:41, Serial0/0
3.0.0.0/32 is subnetted, 1 subnets
O 3.3.3.3 [110/65] via 172.12.123.3, 00:07:00, Serial0/0
5.0.0.0/32 is subnetted, 1 subnets
O E1 5.5.5.5 [110/84] via 172.12.123.1, 00:04:41, Serial0/0
172.12.0.0/24 is subnetted, 4 subnets
O E1 172.12.15.0 [110/84] via 172.12.123.1, 00:04:41, Serial0/0
11.0.0.0/24 is subnetted, 1 subnets
O E1 11.11.11.0 [110/84] via 172.12.123.1, 00:04:41, Serial0/0
So instead of just having one objective with Route-maps, you can add in clauses on the route-maps in the correct sequence order to adjust a lot of things in the network, this is just an example of how great they work with Redistribution. Now on to Distribute-Lists!
Configuration of a Distribute-List’s with Redistribution
This is such a tricky set of commands to get right, as for some reason this just does not seem like correct syntax to block the routes from going into certain protocols. I will post a snip of the above Topology with traffic flow that we are blocking, followed by the exact configurations – Including the error you get when trying to use an interface with OSPF.
So to filter router 5.5.5.5 in the EIGRP AS 100 domain from redistributing into the OSPF domain, you will start the configuration in OSPF router configuration as illustrated here with the exact commands, as well as the OSPF route table of R2 before and after issuing the commands:
R2#sh ip route ospf
1.0.0.0/32 is subnetted, 1 subnets
O 1.1.1.1 [110/65] via 172.12.123.1, 01:20:20, Serial0/0
100.0.0.0/13 is subnetted, 1 subnets
O E1 100.0.0.0 [110/84] via 172.12.123.1, 00:42:15, Serial0/0
3.0.0.0/32 is subnetted, 1 subnets
O 3.3.3.3 [110/65] via 172.12.123.3, 01:20:20, Serial0/0
5.0.0.0/32 is subnetted, 1 subnets
O E1 5.5.5.5 [110/84] via 172.12.123.1, 00:20:04, Serial0/0
172.12.0.0/24 is subnetted, 4 subnets
O E1 172.12.15.0 [110/84] via 172.12.123.1, 00:42:15, Serial0/0
11.0.0.0/24 is subnetted, 1 subnets
O E1 11.11.11.0 [110/84] via 172.12.123.1, 00:42:15, Serial0/0
R2#
R1(config)#access-list 5 deny host 5.5.5.5
R1(config)#access-list 5 permit any
R1(config)#router ospf 1
R1(config-router)#distribute-list 5 ?
in Filter incoming routing updates
out Filter outgoing routing updates
R1(config-router)#distribute-list 5 out s0/0
% Interface not allowed with OUT for OSPF <- No interfaces for OSPF Distribute-Lists
R1(config-router)#distribute-list 5 out eigrp 100
R1(config-router)#
When we are denying a route in the EIGRP domain from outgoing updates being sent, my brain wants to configure it in EIGRP router configuration, with the outgoing protocol to be “ospf 1” but it isn’t as can be seen here after applying the command:
ASR#2
[Resuming connection 2 to r2 … ]
R2#sh ip route ospf
1.0.0.0/32 is subnetted, 1 subnets
O 1.1.1.1 [110/65] via 172.12.123.1, 01:32:43, Serial0/0
100.0.0.0/13 is subnetted, 1 subnets
O E1 100.0.0.0 [110/84] via 172.12.123.1, 00:54:37, Serial0/0
3.0.0.0/32 is subnetted, 1 subnets
O 3.3.3.3 [110/65] via 172.12.123.3, 01:32:43, Serial0/0
172.12.0.0/24 is subnetted, 4 subnets
O E1 172.12.15.0 [110/84] via 172.12.123.1, 00:54:37, Serial0/0
11.0.0.0/24 is subnetted, 1 subnets
O E1 11.11.11.0 [110/84] via 172.12.123.1, 00:54:37, Serial0/0
R2#
So for OSPF you must enter the router configuration commands in OSPF, and define an ACL denying / permitting the other protocols networks, as well as the other protocol in OSPF router configuration mode.
*** A good metaphor would be to think of OSPF as the current US Trump Presidency telling other countries to keep their citizens in their own boarders, which is actually almost a perfect metaphor to remember that by, very sadly.***
So lets see if EIGRP wants to build a wall between itself and OSPF as well here, this time I’ll use an interface, I assume I will need to specify Serial0/0 at the end as that defines the OSPF domain:
R5#sh ip route eigrp
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
D EX 1.1.1.1 [170/1662976] via 172.12.15.1, 02:05:03, FastEthernet0/1
2.0.0.0/32 is subnetted, 1 subnets
D EX 2.2.2.2 [170/1662976] via 172.12.15.1, 02:02:52, FastEthernet0/1
3.0.0.0/32 is subnetted, 1 subnets
D EX 3.3.3.3 [170/1662976] via 172.12.15.1, 02:02:52, FastEthernet0/1
11.0.0.0/24 is subnetted, 1 subnets
D 11.11.11.0 [90/156160] via 172.12.15.1, 02:05:03, FastEthernet0/1
100.0.0.0/8 is variably subnetted, 15 subnets, 3 masks
D 100.0.0.0/13 is a summary, 02:05:08, Null0
172.12.0.0/16 is variably subnetted, 3 subnets, 2 masks
D EX 172.12.123.0/24
[170/1662976] via 172.12.15.1, 02:05:03, FastEthernet0/1
R5#
R1(config)#access-list 3 deny host 3.3.3.3
R1(config)#access-list 3 permit any
R1(config)#router eigrp 100
R1(config-router)#distribute-list 3 out s0/0
R1(config-router)#
It is a legal command, it is pointing to the route in the OSPF domain, and the interface that is in the OSPF domain so let’s see if R5 managed to keep 3.3.3.3 out:
R5#sh ip route eigrp
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
D EX 1.1.1.1 [170/1662976] via 172.12.15.1, 02:08:27, FastEthernet0/1
2.0.0.0/32 is subnetted, 1 subnets
D EX 2.2.2.2 [170/1662976] via 172.12.15.1, 02:06:16, FastEthernet0/1
3.0.0.0/32 is subnetted, 1 subnets
D EX 3.3.3.3 [170/1662976] via 172.12.15.1, 02:06:16, FastEthernet0/1
11.0.0.0/24 is subnetted, 1 subnets
D 11.11.11.0 [90/156160] via 172.12.15.1, 02:08:27, FastEthernet0/1
100.0.0.0/8 is variably subnetted, 15 subnets, 3 masks
D 100.0.0.0/13 is a summary, 02:08:32, Null0
172.12.0.0/16 is variably subnetted, 3 subnets, 2 masks
D EX 172.12.123.0/24
[170/1662976] via 172.12.15.1, 02:08:27, FastEthernet0/1
R5#
Nope, not at all, and this is what is so confusing with the configurations with Distribute-Lists. For OSPF you are configuring outgoing updates be denied to the domain they reside in (EIGRP), however in EIGRP I am defining the network from OSPF and the OSPF enabled interface but it doesn’t work.
So naturally let’s slap Fa0/1 on there and see what happens:
R1(config-router)#no distribute-list 3 out s0/0
R1(config-router)#distribute-list 3 out fa0/1
R1(config-router)#
ASR#5
[Resuming connection 5 to r5 … ]
R5#sh ip route eigrp
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
D EX 1.1.1.1 [170/1662976] via 172.12.15.1, 02:16:12, FastEthernet0/1
2.0.0.0/32 is subnetted, 1 subnets
D EX 2.2.2.2 [170/1662976] via 172.12.15.1, 02:14:01, FastEthernet0/1
11.0.0.0/24 is subnetted, 1 subnets
D 11.11.11.0 [90/156160] via 172.12.15.1, 02:16:12, FastEthernet0/1
100.0.0.0/8 is variably subnetted, 15 subnets, 3 masks
D 100.0.0.0/13 is a summary, 02:16:17, Null0
172.12.0.0/16 is variably subnetted, 3 subnets, 2 masks
D EX 172.12.123.0/24
[170/1662976] via 172.12.15.1, 02:16:12, FastEthernet0/1
R5#
And this just makes no sense to me why the command is written this way, but it keeps with the Trump Metaphor, we don’t want to see your routes behind our wall (interface) or lets see if you can keep the route in your domain:
R1(config-router)#no distribute-list 3 out fa0/1
R1(config-router)#distribute-list 3 out ospf 1
R1(config-router)#
*Mar 1 19:21:02.324: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 172.12.15.5 (FastEthernet0/1) is resync: route configuration changed
R1(config-router)#
ASR#5
[Resuming connection 5 to r5 … ]
*Feb 3 08:00:22.479: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.12.15.1 (FastEthernet0/1) is resync: peer graceful-restart
R5#s
*Feb 3 08:00:32.015: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.12.15.1 (FastEthernet0/1) is resync: peer graceful-restart
R5#sh ip route 3.3.3.3
% Network not in table
R5#
I confirmed the lazy way this time with sh ip route 3.3.3.3 and we have confirmed that you can keep your routes in your domain, or we will stop them at our interface. Not to drag politics into technical studies, but that is literally (and again sadly) a perfect metaphor for Distribute-Lists is our current President’s foreign policy on immigration – Our extensive screening consists of ACL’s and Distribute-Lists.
That is it for tonight, I really have a good concept on these as of right now, and will continue to use them wherever possible to keep the metaphor alive in my head 🙂
Going to go let brain defrag before bed, until next lab session fellow CCNP candidates!
The DEVNET GRIND! 