CIS 185 CCNP ROUTE Ch. 4 Manipulating Routing Updates Part 2 Rick Graziani Cabrillo College graziani@cabrillo.edu Last Updated: Fall 2011
Materials • Book: • Implementing Cisco IP Routing (ROUTE) Foundation Learning Guide: Foundation learning for the ROUTE 642-902 Exam • By Diane Teare • Book • ISBN-10: 1-58705-882-0 • ISBN-13: 978-1-58705-882-0 • eBook • ISBN-10: 0-13-255033-4 • ISBN-13: 978-0-13-255033-8
Note • There are 155+ slides in this presentation… • But we will only be covering the first 80 or so.
Routing updates are critical but compete with user data for bandwidth and router resources. • To ensure that the network operates efficiently, you must control and tune routing updates. • The following are some ways to control or prevent dynamic routing updates from being generated: • Passive interface—Prevents routing updates from being sent out an interface. • Default routes—Can limit or eliminate the need for other routes. • Static routes—Can limit or eliminate the need for dynamically learned routes or give greater control for specific routes. • Route maps—Complex access lists that allow conditions to be tested and actions taken to modify attributes of the packet or route. • Distribute lists—A distribute list allows an access list to be applied to routing updates. • Prefix lists—A prefix list is a specialized access list designed to filter routes.
Route Map Applications • Several of the more common applications for route maps are as follows: • Route filtering during redistribution— distribute lists can be used for this purpose but route maps offer additional features. • Policy-based routing (PBR)—Sophisticated static routes. • NAT—Route maps can better control which private addresses are translated to public addresses • BGP—Route maps are the primary tools for implementing BGP policy (later chapter)
Route maps are like complex access lists that allow some conditions to be tested against the packet or route in question using match commands. • If the conditions match: • Actions can be taken to modify attributes of the packet or route • These actions are specified by set commands. • BIG difference between route maps and ACLs: • Route map can modify the packet or route using set commands
Router(config)# route-map map-tag [permit | deny] [sequence-number] • A route map consists of multiple route map statements. • Processed top-down, similar to an access list. • The first match found for a route is applied. • Sequence number: Used for inserting or deleting specific route map statements in a specific place in the route map. • The default for the route-map command is: • permit • sequence-number of 10
Permit everything else • Command: match condition • Defines the condition to be checked. • Command: set condition • If there is a match and the action to be taken is permit … • Then set defines the action to be followed • The consequences of a deny action depend on how the route map is being used. • Like an ACL there is an implicit deny any at the end of a route map. • A route map statement without any match commands will be considered a match
If {(x or y or z) and (a) match} then {set b and c} Else If q matches then set r Else Set nothing • A single match statement may contain multiple conditions. • At least one condition in the match statement must be true for that match statement to be considered a match • Logical OR operation • A route map statement may contain multiple match statements. • All match statements in the route map statement must be considered true for the route map statement to be considered matched. • Logical AND operation
Configuring Route Maps to Control Routing Updates
Redistributing into EIGRP:
redistribute protocol [process-id | as-number] [metric bw delay reliability load mtu] [match {internal | nssa-external | external 1 | external 2}] [tag tag-value] [route-map map-tag]
Redistributing into OSPF:
redistribute protocol [process-id | as-number] [metric {metric-value | transparent}] [metric-type type-value] [match {internal | external 1 | external 2 | nssa-external}] [tag tag-value] [route-map map-tag] [subnets]
• The redistribute commands all have a route-map option with a map-tag parameter. • When used with the redistribute command: • A route map with permit indicates that the matched route will be redistributed. • A route map with deny indicates that the matched route will NOT be redistributed.
The match condition commands are used to define the conditions to be checked. • Some of these commands are used for: • BGP policy • PBR • Redistribution filtering. • http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a008047915d.shtml
The set condition commands change or add characteristics, such as metrics, to any routes that have: • met a match criterion • an action to be taken of permit • The consequences of a deny action depend on how the route map is being used. • http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a008047915d.shtml (partial list)
Quick Introduction: Policy Based Routing (PBR) Example (Jeff Doyle, Routing TCP/IP Vol. I; more later in Chapter 5) • Using PBR is the best way to understand how route maps are configured, so here is a quick introduction… (more later on PBR in chapter 5) • Policy routes are nothing more than sophisticated static routes. • Static routes forward a packet to a specified next hop based on the destination address of the packet. • Policy routes can forward a packet to a specified next hop based on the source of the packet. • Policy routes can also be linked to extended IP access lists so that routing may be based on protocol types and port numbers. • Like a static route, a policy route influences the routing only on the router on which it is configured.
Match Options (a sample) • Router(config-route-map)#match length min max • Matches the Layer 3 length of the packet. • Router(config-route-map)# match ip address {access-list-number | name} [...access-list-number | name] • Matches the source and destination IP address that is permitted by one or more standard or extended access lists. • If you do not specify a match command, the route map applies to all packets.
Set Options (a sample) • Router(config-route-map)#set ip precedence [number | name] • Sets precedence value in the IP header. You can specify either the precedence number or name. • Router(config-route-map)#set ip next-hop ip-address [... ip-address] • Sets next hop to which to route the packet (the next hop must be adjacent). • Router(config-route-map)#set interface interface-type interface-number [... type number] • Sets output interface for the packet. • Router(config-route-map)#set ip default next-hop ip-address [...ip-address] • Sets next hop to which to route the packet, if there is no explicit route for this destination. • Router(config-route-map)#set default interface interface-type interface-number [... type ...number] • Sets output interface for the packet, if there is no explicit route for this destination.
Jeff Doyle’s Peanuts Example: Single interface example – source IP address. We want to implement a policy on Linus such that: • Traffic from the 172.16.6.0/24 subnet is forwarded to Lucy • Traffic from the 172.16.7.0/24 subnet is forwarded to Pigpen • All other traffic is routed normally
Linus:
interface S0
 ip policy route-map Sally
route-map Sally permit 10
 match ip address 1
 set ip next-hop 172.16.4.2
route-map Sally permit 15
 match ip address 2
 set ip next-hop 172.16.4.3
access-list 1 permit 172.16.6.0 0.0.0.255
access-list 2 permit 172.16.7.0 0.0.0.255
Any packets that do not match 15, such as those from 172.16.8.0/24, are routed normally.
Jeff Doyle’s Peanuts Example: Single interface example – destination IP address. Suppose we want to implement a policy on Linus such that: • Traffic to host 172.16.1.1 is forwarded to Lucy • Traffic from 172.16.7.1 to host 172.16.1.2 is forwarded to Pigpen • All other traffic is routed normally
Linus:
interface S0
 ip policy route-map Sally
route-map Sally permit 10
 match ip address 101
 set ip next-hop 172.16.4.2
route-map Sally permit 15
 match ip address 102
 set ip next-hop 172.16.4.3
access-list 101 permit ip any host 172.16.1.1
access-list 102 permit ip host 172.16.7.1 host 172.16.1.2
Any packets that do not match 15 are routed normally.
Example (diagram labels: RIPv2, OSPF, 10.0.0.0/8, 10.1.0.0/16 metric=500 E1, 172.16.0.0/16 metric=500 E1, All other networks metric=5,000 E2) Redistribute RIP routes into OSPF with the following: • 10.1.0.0/16 and 172.16.1.0/24 networks will be redistributed into OSPF with a metric of 500 and be E1 routes • 10.0.0.0/8 networks will not be redistributed • All other routes will be redistributed into OSPF with a metric of 5000 and be E2 routes
Configuring Route Redistribution using Route Maps
router ospf 1
 redistribute rip route-map redis-rip subnets
route-map redis-rip permit 10
 match ip address 23 29
 set metric 500
 set metric-type 1
route-map redis-rip deny 20
 match ip address 37
route-map redis-rip permit 30
 set metric 5000
 set metric-type 2
access-list 23 permit 10.1.0.0 0.0.255.255
access-list 29 permit 172.16.1.0 0.0.0.255
access-list 37 permit 10.0.0.0 0.255.255.255
• 10.1.0.0/16 and 172.16.1.0/24 networks will be redistributed into OSPF with a metric of 500 and be E1 routes. • 10.0.0.0/8 networks will not be redistributed into OSPF. • All other routes will be redistributed into OSPF with a metric of 5000 and be E2 routes. • The decision to filter a route or allow the route through is based on the deny or permit in the route-map command, and not the deny or permit in the ACL or prefix list.
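As an added example (not from the slides or the book), the following Python models how IOS evaluates the redis-rip route map above: statements are tried top-down and the first match wins, the ACLs listed in one match command are ORed, separate match commands are ANDed, a statement with no match command matches everything, and the route-map's own permit/deny decides filtering while the ACL's permit/deny only decides whether the statement matches. The RIP routes fed in are constructed sample input.

```python
import ipaddress

# Added example (not from the slides): the redis-rip route map evaluated with
# IOS route-map semantics:
#  - statements are processed top-down by sequence number; the first match wins
#  - ACLs listed in one match command are ORed (match ip address 23 29)
#  - several match commands in one statement are ANDed
#  - a statement with no match command matches everything
#  - a route matching no statement hits the implicit deny at the end
#  - the permit/deny of the route-map statement decides whether the route is
#    redistributed; the ACL's own permit/deny only decides whether it matches

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard logic: a 1 bit in the wildcard means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

# Standard ACLs from the slide as ordered (action, base, wildcard) entries.
ACLS = {
    23: [("permit", "10.1.0.0", "0.0.255.255")],
    29: [("permit", "172.16.1.0", "0.0.0.255")],
    37: [("permit", "10.0.0.0", "0.255.255.255")],
}

def acl_permits(acl_id: int, address: str) -> bool:
    """Sequential ACL evaluation with the implicit 'deny any' at the end."""
    for action, base, wildcard in ACLS[acl_id]:
        if wildcard_match(address, base, wildcard):
            return action == "permit"
    return False

# route-map redis-rip: each statement has an action, a list of match commands
# (each match command is the list of ACLs it names, ORed) and its set commands.
ROUTE_MAP = [
    {"seq": 10, "action": "permit", "match": [[23, 29]],
     "set": {"metric": 500, "metric-type": 1}},
    {"seq": 20, "action": "deny", "match": [[37]], "set": {}},
    {"seq": 30, "action": "permit", "match": [],
     "set": {"metric": 5000, "metric-type": 2}},
]

def statement_matches(stmt: dict, network: str) -> bool:
    address = network.split("/")[0]          # match ip address tests the prefix
    # AND across match commands, OR within each match command;
    # all([]) is True, so a statement without match commands matches.
    return all(any(acl_permits(acl, address) for acl in cond)
               for cond in stmt["match"])

def redistribute(network: str):
    """Return the attributes the route enters OSPF with, or None if filtered."""
    for stmt in ROUTE_MAP:
        if statement_matches(stmt, network):
            if stmt["action"] == "deny":
                return None
            return {"seq": stmt["seq"], **stmt["set"]}
    return None                               # implicit deny

def redistribute_all(networks):
    return {n: redistribute(n) for n in networks}

if __name__ == "__main__":
    # Constructed sample of RIP routes arriving at the redistribution point.
    for net, result in redistribute_all(
            ["10.1.0.0/16", "172.16.1.0/24", "10.0.0.0/8",
             "10.2.0.0/16", "192.168.5.0/24"]).items():
        print(f"{net:16} -> {result}")
```

Note that 10.2.0.0/16 is dropped even though the slide only names 10.0.0.0/8: ACL 37 matches any prefix whose first octet is 10, so every 10.x route not caught by statement 10 is denied by statement 20 before it can reach the catch-all statement 30.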
Using Route Maps to Avoid Route Feedback (diagram: RIPv2 and OSPF domains; routers A, B, C, D; 192.168.1.0/24 redistributed into OSPF and returning as O E2 192.168.1.0/24) • Multi-point boundary routers may cause suboptimal routing or routing loops. • RIPv2 on Router C advertises network 192.168.1.0. • Routers A and B redistribute the network into OSPF. • OSPF then advertises the route to its neighbor OSPF routers as an OSPF external route. • The route passes through the OSPF AS and eventually makes its way back to the other edge router. • Router B (or A) then redistributes 192.168.1.0 from OSPF back into the original RIPv2 network; this is a routing feedback loop.
router ospf 10
 redistribute rip subnets
router rip
 redistribute ospf 10 route-map OSPF_into_RIP
route-map OSPF_into_RIP deny 10
 match ip address 1
route-map OSPF_into_RIP permit 20
access-list 1 permit 192.168.1.0 0.0.0.255
The 192.168.1.0/24 network will not be redistributed into RIP; all other routes will be redistributed into RIP. • To prevent the routing feedback loop, a route map called OSPF_into_RIP has been applied to Routers A and B when redistributing OSPF routes into RIP. • The decision to filter a route or allow the route through is based on the deny or permit in the route-map command, and not the deny or permit in the ACL or prefix list.
Using Route Maps With Tags
router eigrp 100
 redistribute rip metric 1000 100 255 1 1500 route-map into-eigrp
route-map into-eigrp deny 10
 match tag 40
route-map into-eigrp permit 20
 set tag 20
• route tag – A unitless 32-bit integer that most routing protocols can assign to any given route. • The tag follows the route advertisement, even through the redistribution process. • Another router may use an IOS tool such as route maps to match routes with a given route tag to make a decision. • Can be used to help solve the domain loop problem.
(diagram: RIPv2 and EIGRP domains joined by R1 and R2, with networks 172.16.0.0/16 and 10.0.0.0/8; tag 20 on routes entering EIGRP, tag 40 on routes entering RIP)
router eigrp 100
 redistribute rip metric 1000 100 255 1 1500 route-map into-eigrp
router rip
 redistribute eigrp 100 metric 3 route-map into-rip
route-map into-eigrp permit 20
 set tag 20
route-map into-rip permit 20
 set tag 40
• Routes redistributed into EIGRP are tagged with the value 20 • Routes redistributed into RIP are tagged with the value 40 • BUT BEFORE we tag and allow a route into the domain, we want to deny any routes that the other router already tagged and allowed in from the other domain.
(diagram: same topology with 11.0.0.0/8 added; updates carrying tag 40 are blocked (X) at R1 and R2 before entering EIGRP)
router eigrp 100
 redistribute rip metric 1000 100 255 1 1500 route-map into-eigrp
router rip
 redistribute eigrp 100 metric 3 route-map into-rip
route-map into-eigrp deny 10
 match tag 40
route-map into-eigrp permit 20
 set tag 20
route-map into-rip deny 10
 match tag 20
route-map into-rip permit 20
 set tag 40
Updates with tag 40 are not allowed to go back into EIGRP. All other updates get tag 20 and are allowed into EIGRP.
(diagram: same topology; updates carrying tag 20 are blocked (X) at R1 and R2 before entering RIP)
router eigrp 100
 redistribute rip metric 1000 100 255 1 1500 route-map into-eigrp
router rip
 redistribute eigrp 100 metric 3 route-map into-rip
route-map into-eigrp deny 10
 match tag 40
route-map into-eigrp permit 20
 set tag 20
route-map into-rip deny 10
 match tag 20
route-map into-rip permit 20
 set tag 40
Updates with tag 20 are not allowed to go back into RIP. All other updates get tag 40 and are allowed into RIP.
(diagram: R3 inside the EIGRP domain, 11.0.0.0/8) • Notice that the route tags do not appear on the routes within the R1 and R2 routers, because these routers learn about all routes from both RIP and EIGRP directly.
(diagram: R3 inside the EIGRP domain, 11.0.0.0/8) • However, look at the show ip route output from router R3, an internal router in the EIGRP network. • Notice that router R3 does see network 11.0.0.0 with a tag of 20; this tag is carried with the route as R3 advertises it to other routers in the EIGRP network, including R1 and R2. • When routers R1 and R2 see the tag of 20, they do not redistribute the 11.0.0.0 route back into RIP.
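The loop-prevention mechanism on the tag slides, as an added simulation (not from the slides or the book). It models R1 and R2 as boundary routers running the into-eigrp and into-rip route maps and reports any route a boundary router would push back into the domain that originated it. The placement of 172.16.0.0/16 and 11.0.0.0/8 in the RIP domain and 10.0.0.0/8 in the EIGRP domain is an assumption, chosen so that R3 sees 11.0.0.0 with tag 20 as the slide describes; `filter_tags=False` reproduces the earlier slide without the deny statements.

```python
# Added simulation (not from the slides) of tag-based loop prevention between
# RIPv2 and EIGRP with two boundary routers (R1 and R2).
# Assumption: 11.0.0.0/8 and 172.16.0.0/16 originate in the RIP domain and
# 10.0.0.0/8 in the EIGRP domain. A tag of None means "never redistributed".

INTO_EIGRP_DENY_TAG, INTO_EIGRP_SET_TAG = 40, 20   # route-map into-eigrp
INTO_RIP_DENY_TAG, INTO_RIP_SET_TAG = 20, 40       # route-map into-rip

def redistribute(routes: dict, deny_tag, set_tag: int) -> dict:
    """'deny 10 match tag <deny_tag>' followed by 'permit 20 set tag <set_tag>'.
    deny_tag=None models the first version of the config, without the deny."""
    out = {}
    for net, tag in routes.items():
        if deny_tag is not None and tag == deny_tag:
            continue                      # blocked by the deny statement
        out[net] = set_tag                # permitted and tagged on the way in
    return out

def run(filter_tags: bool = True):
    """Exchange routes through R1/R2 for two rounds (enough for a route to
    cross both ways). Returns the RIP table, the EIGRP table and the set of
    routes a boundary router tried to push back into the domain that
    originated them: the route feedback the slides warn about."""
    rip_origin = {"172.16.0.0/16", "11.0.0.0/8"}
    eigrp_origin = {"10.0.0.0/8"}
    rip = {n: None for n in rip_origin}
    eigrp = {n: None for n in eigrp_origin}
    deny_e = INTO_EIGRP_DENY_TAG if filter_tags else None
    deny_r = INTO_RIP_DENY_TAG if filter_tags else None
    feedback = set()
    for _ in range(2):
        # R1 and R2 redistribute RIP -> EIGRP; EIGRP floods the result, tag
        # included, to every EIGRP router (R3 and the other boundary router).
        for net, tag in redistribute(rip, deny_e, INTO_EIGRP_SET_TAG).items():
            if net in eigrp_origin:
                feedback.add(("into-eigrp", net))
            eigrp.setdefault(net, tag)    # a domain keeps its own original route
        # R1 and R2 redistribute EIGRP -> RIP.
        for net, tag in redistribute(eigrp, deny_r, INTO_RIP_SET_TAG).items():
            if net in rip_origin:
                feedback.add(("into-rip", net))
            rip.setdefault(net, tag)
    return rip, eigrp, feedback

if __name__ == "__main__":
    for flag in (True, False):
        rip, eigrp, fb = run(filter_tags=flag)
        print("tags filtered" if flag else "no tag filtering",
              "-> feedback:", sorted(fb) or "none")
```

With filtering on, 11.0.0.0/8 sits in the EIGRP table with tag 20 (what R3 sees) and nothing is fed back; with filtering off, both boundary routers offer 11.0.0.0/8 and 172.16.0.0/16 back into RIP and 10.0.0.0/8 back into EIGRP.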
Distribute lists are another way to control routing updates. • Distribute lists allow an access list to be applied to routing updates. • The distribute-list command allows updates to be filtered based on factors including the following: • Incoming interface • Outgoing interface • Redistribution from another routing protocol
Configuring Distribute Lists to Control Routing Updates • An implementation plan when planning to configure distribute lists: • Will it be used to permit or deny routes? • Will it use an access list or a route map? • Will it be applied to the inbound or outbound updates?
IP Route Filtering with Distribute List Configuration Example (diagram: Router B between networks 172.16.0.0 and 10.0.0.0)
router eigrp 1
 network 172.16.0.0
 network 192.168.5.0
 distribute-list 7 out serial 0/0/0
access-list 7 permit 172.16.0.0 0.0.255.255
• The distribute-list out command applies access list 7 to routing updates going out interface Serial 0/0/0. • The access list allows only routing information about network 172.16.0.0 to be distributed out Router B’s Serial 0/0/0 interface. • The implicit deny any at the end of the access list prevents updates about any other networks from being advertised. • As a result, network 10.0.0.0 is hidden.
IP Route Filtering with Distribute List Configuration Example (diagram: Router B between networks 172.16.0.0 and 10.0.0.0)
router eigrp 1
 network 172.16.0.0
 network 192.168.5.0
 distribute-list 7 out serial 0/0/0
access-list 7 deny 10.0.0.0 0.0.0.255
access-list 7 permit any
• Same result. • More efficient if there were multiple networks to redistribute but only 10.0.0.0 needed filtering.
Controlling Redistribution with Distribute Lists (diagram: RIPv2 and OSPF domains; routers A, B, C, D; interfaces s0/0/1 and s0/0/3; networks 10.1.0.0/16 to 10.3.0.0/16 and 10.8.0.0/16 to 10.11.0.0/16; links 10.0.0.0/30 and 10.0.0.8/30) • A distribute list helps prevent route feedback and routing loops. • Router B redistributes networks 10.1.0.0 to 10.3.0.0 from RIPv2 into OSPF. • Route feedback could occur when Router D redistributes those same networks back into RIP. • We will use two access lists, one for each redistribution direction. • Just to show two ways of doing the same thing we will use: • an ACL with deny (one direction) • and • an ACL with a permit (the other direction)
Denies 10.8.0.0 – 10.11.0.0; all other networks permitted. Router B (Router D would be similar):
router ospf 1
 network 10.0.0.8 0.0.0.3 area 0
 redistribute rip subnets
 distribute-list 2 out rip
router rip
 network 10.0.0.0
 version 2
 passive-interface serial 0/0/3
 redistribute ospf 1 metric 5
 distribute-list 3 out ospf 1
access-list 2 deny 10.8.0.0 0.3.255.255
access-list 2 permit any
access-list 3 permit 10.8.0.0 0.3.255.255
10.8.0.0 to 10.11.0.0, originated by OSPF, are not redistributed back into OSPF from RIPv2. All other routes are redistributed into OSPF. Access list 2 denies the original OSPF routes (10.8.0.0 through 10.11.0.0) and permits all others.
Permits 10.8.0.0 – 10.11.0.0; all other networks denied. Router D (Router B would be similar):
router ospf 1
 network 10.0.0.8 0.0.0.3 area 0
 redistribute rip subnets
 distribute-list 2 out rip
router rip
 network 10.0.0.0
 version 2
 passive-interface serial 0/0/3
 redistribute ospf 1 metric 5
 distribute-list 3 out ospf 1
access-list 2 deny 10.8.0.0 0.3.255.255
access-list 2 permit any
access-list 3 permit 10.8.0.0 0.3.255.255
Only routes 10.8.0.0 through 10.11.0.0 are permitted to be redistributed into RIPv2. Access list 3 permits the OSPF networks (10.8.0.0 through 10.11.0.0) and denies all others.
ACL Ranges
R3(config)# access-list 2 deny 10.8.0.0 0.3.255.255
Low end         10. 8.  0.  0
Wildcard mask +  0. 3.255.255
High end        10.11.255.255
• It’s easy! • Start with the address in the ACL, which is the low end: 10.8.0.0 • Add the wildcard mask: 0.3.255.255 • The result is the high end of the range! • ACL range: 10.8.0.0 through 10.11.255.255
ACL Ranges
R3(config)# access-list 2 deny 10.17.32.0 0.0.7.255
Low end         10.17.32.  0
Wildcard mask +  0. 0. 7.255
High end        10.17.39.255
• It’s easy! • Start with the address in the ACL, which is the low end: 10.17.32.0 • Add the wildcard mask: 0.0.7.255 • The result is the high end of the range! • ACL range: 10.17.32.0 through 10.17.39.255
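The wildcard arithmetic on the ACL Ranges slides and the two distribute lists on the Router B / Router D slides, worked through in Python as an added example (not from the slides or the book). `wildcard_match` is the bitwise test IOS applies, `acl_range` is the slide's "add the wildcard" shortcut with a check for the one case where it misleads (a non-contiguous wildcard such as 0.255.0.255 does not describe a single range), and `distribute_list_out` runs access lists 2 and 3 over a constructed route table; `ANY`, `ACL_2`, `ACL_3`, `RIP_ORIGIN` and `OSPF_ORIGIN` are names chosen here.

```python
import ipaddress

# Added example (not from the slides): wildcard-mask matching as IOS does it,
# the slide's "add the wildcard to get the high end" shortcut, and a
# distribute-list applied to the routes from the RIPv2/OSPF diagram.

def _to_int(a: str) -> int:
    return int(ipaddress.IPv4Address(a))

def _to_str(i: int) -> str:
    return str(ipaddress.IPv4Address(i))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard means 'ignore this bit' (the inverse of a subnet mask)."""
    w = _to_int(wildcard)
    return (_to_int(addr) & ~w) == (_to_int(base) & ~w)

def is_contiguous_wildcard(wildcard: str) -> bool:
    """True when the wildcard is a run of low-order 1 bits, e.g. 0.3.255.255."""
    w = _to_int(wildcard)
    return w & (w + 1) == 0

def acl_range(base: str, wildcard: str):
    """The slide's shortcut: low end = base, high end = base + wildcard.
    It only describes one contiguous range when the wildcard bits are
    contiguous; for something like 0.255.0.255 the matched addresses are
    scattered, so refuse rather than return a misleading range."""
    if not is_contiguous_wildcard(wildcard):
        raise ValueError(f"wildcard {wildcard} does not describe a single range")
    w = _to_int(wildcard)
    low = _to_int(base) & ~w          # bits under wildcard 1s are ignored anyway
    return _to_str(low), _to_str(low + w)

ANY = ("0.0.0.0", "255.255.255.255")  # how 'permit any' reads bitwise

def acl_permits(acl, address: str) -> bool:
    """Sequential evaluation; no entry matched means the implicit deny any."""
    for action, base, wildcard in acl:
        if wildcard_match(address, base, wildcard):
            return action == "permit"
    return False

def distribute_list_out(acl, routes):
    """Routes (as 'a.b.c.d/len') that the distribute-list lets out."""
    return [r for r in routes if acl_permits(acl, r.split("/")[0])]

# ACLs from the slides
ACL_2 = [("deny", "10.8.0.0", "0.3.255.255"), ("permit", *ANY)]
ACL_3 = [("permit", "10.8.0.0", "0.3.255.255")]

# Constructed route table: what a boundary router holds once the other
# boundary router has already redistributed in both directions.
RIP_ORIGIN = ["10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16"]
OSPF_ORIGIN = ["10.8.0.0/16", "10.9.0.0/16", "10.10.0.0/16", "10.11.0.0/16"]
ALL_ROUTES = RIP_ORIGIN + OSPF_ORIGIN

if __name__ == "__main__":
    print("ACL 2 range:", acl_range("10.8.0.0", "0.3.255.255"))
    print("into OSPF  :", distribute_list_out(ACL_2, ALL_ROUTES))
    print("into RIP   :", distribute_list_out(ACL_3, ALL_ROUTES))
```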
Route Filtering (diagram: Distribute-List → Route-map, ACL, Prefix-List) • Distribute lists as route filters have several drawbacks, including: • A subnet mask cannot be easily matched. • Access lists are evaluated sequentially for every IP prefix in the routing update. • Extended access lists can be cumbersome to configure. • Note: Distribute-list with a route map is a special case for OSPF • http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/routmap.html
Advantages of using prefix lists: • Significant performance improvement over access lists in loading and route lookup of large lists. (Uses a tree structure) • Support for incremental modifications. • You can add and remove individual lines without removing the entire list. • A more user-friendly command-line interface. • Greater flexibility. • Routers can match network numbers in a routing update against the prefix-list using as many bits as indicated. • Routers can specify the size of the subnet mask, or that the subnet mask must be in a specified range.
Prefix-list concepts
ip prefix-list list-name [seq seq-value] {deny | permit} prefix/prefix-length [ge ge-value] [le le-value]
• The route prefix (the subnet address) • The prefix length (the subnet mask) • Each command has a permit or deny action • Only used for matching routes. • Not used for packet filtering. • Just implies whether a route is matched (permit) or not (deny). • Sequence numbers are used for the insertion and deletion of individual commands.
Prefix-list Concepts
ip prefix-list list-name [seq seq-value] {deny | permit} prefix/prefix-length [ge ge-value] [le le-value]
• Prefix-list Logic: • The route’s prefix must be within the range of addresses implied by the prefix-list command’s prefix/prefix-length parameters. • The route’s prefix length must match the range of prefixes implied by the prefix-list command's prefix-length, ge, and le parameters. • What???
Prefix-list concepts
ip prefix-list list-name [seq seq-value] {deny | permit} prefix/prefix-length [ge ge-value] [le le-value]
Examining the Prefix • prefix/prefix-length – • Prefix: Address to be used for matching. • Prefix length: How much of the address must match. • 10.0.0.0/8 • Any number (address) whose first 8 bits (/8) match 10.0.0.0. • Examples coming soon!
Prefix-list concepts
ip prefix-list list-name [seq seq-value] {deny | permit} prefix/prefix-length [ge ge-value] [le le-value]
Examining the Prefix Length • Blank: Exact match. • ge ge-value: Subnet mask must be at least this length, up to /32. • le le-value: Subnet mask must be this length or less, but at least the length of the prefix-length. • ge ge-value le le-value: Subnet mask must fall within this range. • The ge value must be larger than the configured prefix length in the base part of the command. • ip prefix-list list1 permit 1.0.0.0/8 ge 7 would be rejected. • The ge value (7) is less than the configured prefix-length (/8). • Examples coming next!
Match the Prefix List with the appropriate routes: 1. 10.0.0.0/8 2. 10.128.0.0/9 3. 10.1.1.0/24 4. 10.1.2.0/24 5. 10.128.10.4/30 6. 10.128.10.8/30
10.0.0.0/8 • Routes matched: 1 • Reason: Without ge or le configured, both the prefix (10.0.0.0) and length (8) must be an exact match.
ip prefix-list list-name [seq seq-value] {deny | permit} prefix/prefix-length [ge ge-value] [le le-value]
Match the Prefix List with the appropriate routes: 1. 10.0.0.0/8 2. 10.128.0.0/9 3. 10.1.1.0/24 4. 10.1.2.0/24 5. 10.128.10.4/30 6. 10.128.10.8/30
10.0.0.0/8 ge 9 • Routes matched: 2 - 6 • Reason: The 10.0.0.0/8 means “all routes whose first octet is 10”. The prefix length must be between 9 and 32, inclusive.
ip prefix-list list-name [seq seq-value] {deny | permit} prefix/prefix-length [ge ge-value] [le le-value]
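The two-part prefix-list logic from the Prefix-list Concepts slides, applied to the six candidate routes above, as an added example (not from the slides or the book). `entry_matches` implements rule 1 (the route's first prefix-length bits must equal the entry's prefix) and rule 2 (the route's own length must fall in the range implied by prefix-length, ge and le), `length_range` applies the slide's "ge must exceed the prefix length" rejection, and `prefix_list_permits` evaluates a whole list with the implicit deny. It goes one step beyond the slide by also showing `le 24` and `ge 24 le 24`; the function and list names are chosen here.

```python
import ipaddress

# Added example (not from the slides): IOS prefix-list matching, applied to the
# six candidate routes on the slide. An entry matches a route when
#  1. the route's first <prefix-length> bits equal the entry's prefix, and
#  2. the route's own prefix length lies in the range implied by prefix-length,
#     ge and le: neither -> exactly prefix-length; ge only -> ge..32;
#     le only -> prefix-length..le; both -> ge..le.

ROUTES = {
    1: "10.0.0.0/8", 2: "10.128.0.0/9", 3: "10.1.1.0/24",
    4: "10.1.2.0/24", 5: "10.128.10.4/30", 6: "10.128.10.8/30",
}

def length_range(prefix_len: int, ge=None, le=None):
    """Return (low, high) for the allowed route prefix lengths, or None when
    IOS would reject the entry (the slide's 'ge must exceed prefix-length'
    rule, plus ge <= le <= 32)."""
    if ge is not None and not prefix_len < ge <= 32:
        return None                    # e.g. 1.0.0.0/8 ge 7 is rejected
    if le is not None and not prefix_len <= le <= 32:
        return None
    low = ge if ge is not None else prefix_len
    high = le if le is not None else (32 if ge is not None else prefix_len)
    return (low, high) if low <= high else None

def entry_matches(route: str, prefix: str, ge=None, le=None) -> bool:
    rng = length_range(int(prefix.split("/")[1]), ge, le)
    if rng is None:
        raise ValueError(f"invalid prefix-list entry {prefix} ge {ge} le {le}")
    entry = ipaddress.ip_network(prefix, strict=False)
    r = ipaddress.ip_network(route, strict=False)
    shift = 32 - entry.prefixlen       # compare only the entry's prefix bits
    same_prefix = (int(r.network_address) >> shift) == (int(entry.network_address) >> shift)
    return same_prefix and rng[0] <= r.prefixlen <= rng[1]

def matching_routes(prefix: str, ge=None, le=None):
    """Numbers of the slide's routes matched by one prefix-list entry."""
    return [n for n, r in ROUTES.items() if entry_matches(r, prefix, ge, le)]

def prefix_list_permits(entries, route: str) -> bool:
    """Sequential evaluation of (action, prefix, ge, le) entries; the first
    matching entry decides, and an unmatched route is implicitly denied."""
    for action, prefix, ge, le in entries:
        if entry_matches(route, prefix, ge, le):
            return action == "permit"
    return False

if __name__ == "__main__":
    print("10.0.0.0/8           ->", matching_routes("10.0.0.0/8"))
    print("10.0.0.0/8 ge 9      ->", matching_routes("10.0.0.0/8", ge=9))
    print("10.0.0.0/8 le 24     ->", matching_routes("10.0.0.0/8", le=24))
    print("10.0.0.0/8 ge 24 le 24 ->", matching_routes("10.0.0.0/8", ge=24, le=24))
```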