CIS 185 CCNP ROUTE Ch. 4 Manipulating Routing Updates Part 2


1 CIS 185 CCNP ROUTE Ch. 4 Manipulating Routing Updates Part 2
Rick Graziani Cabrillo College Last Updated: Fall 2011

2 Materials Book: Implementing Cisco IP Routing (ROUTE) Foundation Learning Guide: Foundation learning for the ROUTE Exam By Diane Teare Book ISBN-10: ISBN-13: eBook ISBN-10: ISBN-13:

3 Note There are 155+ slides in this presentation…
But we will only be covering the first 80 or so. 

4 Controlling Routing Update Traffic

5 Routing updates are critical but compete with user data for bandwidth and router resources.
To ensure that the network operates efficiently, you must control and tune routing updates. The following are some ways to control or prevent dynamic routing updates from being generated:
- Passive interface: Prevents routing updates from being sent out an interface.
- Default routes: Can limit or eliminate the need for other routes.
- Static routes: Can limit or eliminate the need for dynamically learned routes or give greater control for specific routes.
- Route maps: Complex access lists that allow conditions to be tested and actions taken to modify attributes of the packet or route.
- Distribute lists: A distribute list allows an access list to be applied to routing updates.
- Prefix lists: A prefix list is a specialized access list designed to filter routes.

6 Route Maps

7 Route Map Applications
Several of the more common applications for route maps are as follows:
- Route filtering during redistribution: distribute lists can be used for this purpose, but route maps offer additional features.
- Policy-based routing (PBR): Sophisticated static routes.
- NAT: Route maps can better control which private addresses are translated to public addresses.
- BGP: Route maps are the primary tools for implementing BGP policy (later chapter).

8 Route maps are like complex access lists that allow some conditions to be tested against the packet or route in question using match commands.
If the conditions match:
- Actions can be taken to modify attributes of the packet or route.
- These actions are specified by set commands.
BIG difference between route maps and ACLs: a route map can modify the packet or route using set commands.

9 A route map consists of multiple route map statements.
Router(config)# route-map map-tag [permit | deny] [sequence-number]
- Statements are processed top-down, similar to an access list.
- The first match found for a route is applied.
- Sequence number: Used for inserting or deleting specific route map statements in a specific place in the route map.
- The defaults for the route-map command are permit and a sequence-number of 10.

10 Permit everything else
Command: match condition
 Defines the condition to be checked.
Command: set condition
 If there is a match and the action to be taken is permit, then set defines the action to be followed.
- The consequences of a deny action depend on how the route map is being used.
- Like an ACL, there is an implicit deny any at the end of a route map.
- A route map statement without any match commands will be considered a match.

11 If {(x or y or z) and (a) match} then {set b and c}
Else If q matches then set r
Else Set nothing
- A single match statement may contain multiple conditions. At least one condition in the match statement must be true for that match statement to be considered a match (logical OR operation).
- A route map statement may contain multiple match statements. All match statements in the route map statement must be true for the route map statement to be considered matched (logical AND operation).

12 Configuring Route Maps to Control Routing Updates
Redistributing into EIGRP:
redistribute protocol [process-id | as-number] [metric bw delay reliability load mtu] [match {internal | nssa-external | external 1 | external 2}] [tag tag-value] [route-map map-tag]
Redistributing into OSPF:
redistribute protocol [process-id | as-number] [metric {metric-value | transparent}] [metric-type type-value] [match {internal | external 1 | external 2 | nssa-external}] [tag tag-value] [route-map map-tag] [subnets]
The redistribute commands all have a route-map option with a map-tag parameter. When used with the redistribute command:
- A route map with permit indicates that the matched route will be redistributed.
- A route map with deny indicates that the matched route will NOT be redistributed.

13 The match condition commands are used to define the conditions to be checked.
Some of these commands are used for: BGP policy PBR Redistribution filtering.

14 Partial List
The set commands change or add characteristics, such as metrics, to any routes that have met a match criterion and for which the action to be taken is permit. The consequences of a deny action depend on how the route map is being used.

15 Quick Introduction Policy Based Routing (PBR) Example Jeff Doyle, Routing TCP/IP Vol. I More later in Chapter 5 Using PBR is the best way to understand how route maps are configured, so here is a quick introduction… (more later on PBR in chapter 5) Policy routes are nothing more than sophisticated static routes. Static routes forward a packet to a specified next hop based on destination address of the packet. Policy routes can forward a packet to a specified next hop based on the source of the packet. Policy routes can also be linked to extended IP access lists so that routing may be based on protocol types and port numbers. Like a static route, policy route influences the routing only on the router on which it is configured.

16 Match Options (a sample)
Router(config-route-map)# match length min max
 Matches the Layer 3 length of the packet.
Router(config-route-map)# match ip address {access-list-number | name} [...access-list-number | name]
 Matches the source and destination IP address that is permitted by one or more standard or extended access lists.
If you do not specify a match command, the route map applies to all packets.

17 Set Options (a sample)
Router(config-route-map)# set ip precedence [number | name]
 Sets precedence value in the IP header. You can specify either the precedence number or name.
Router(config-route-map)# set ip next-hop ip-address [... ip-address]
 Sets next hop to which to route the packet (the next hop must be adjacent).
Router(config-route-map)# set interface interface-type interface-number [... type number]
 Sets output interface for the packet.
Router(config-route-map)# set ip default next-hop ip-address [...ip-address]
 Sets next hop to which to route the packet, if there is no explicit route for this destination.
Router(config-route-map)# set default interface interface-type interface-number [... type ...number]
 Sets output interface for the packet, if there is no explicit route for this destination.

18 Jeff Doyle’s Peanuts Example Single interface example – source IP address
We want to implement a policy on Linus such that: Traffic from /24 subnet is forwarded to Lucy Traffic from /24 subnet is forwarded to Pigpen All other traffic is routed normally

19 Linus:
inter S0
 ip policy route-map Sally
route-map Sally permit 10
 match ip address 1
 set ip next-hop
route-map Sally permit 15
 match ip address 2
 set ip next-hop
access-list 1 permit
access-list 2 permit
Any packets that do not match 15, such as from /24, are routed normally.

20 Jeff Doyle’s Peanuts Example Single interface example – destination IP address
Suppose we want to implement a policy on Linus such that: Traffic to host is forwarded to Lucy Traffic from to host is forwarded to Pigpen All other traffic is routed normally

21 Linus:
inter S0
 ip policy route-map Sally
route-map Sally permit 10
 match ip address 101
 set ip next-hop
route-map Sally permit 15
 match ip address 102
 set ip next-hop
access-list 101 permit ip any host
access-list 102 permit ip host host
Any packets that do not match 15 are routed normally.

22 Example
[Figure: RIPv2 routes redistributed into OSPF; /16 metric=500 E1, all other networks metric=5,000 E2]
Redistribute RIP routes into OSPF with the following:
- /16 and /24 networks will be redistributed into OSPF with a metric of 500 and be E1 routes
- /8 networks will not be redistributed
- All other routes will be redistributed into OSPF with a metric of 5000 and be E2 routes

23 Configuring Route Redistribution using Route Maps
router ospf 1
 redistribute rip route-map redis-rip subnets
route-map redis-rip permit 10
 match ip address 23 29
 set metric 500
 set metric-type type-1
route-map redis-rip deny 20
 match ip address 37
route-map redis-rip permit 30
 set metric 5000
 set metric-type type-2
access-list 23 permit
access-list 29 permit
access-list 37 permit
- /16 and /24 networks will be redistributed into OSPF with a metric of 500 and be E1 routes
- /8 networks will not be redistributed into OSPF
- All other routes will be redistributed into OSPF with a metric of 5000 and be E2 routes
The decision to filter a route or allow the route through is based on the deny or permit in the route-map command, and not the deny or permit in the ACL or prefix list.

24 Using Route Maps to Avoid Route Feedback
[Figure: RIPv2 and OSPF domains joined by boundary Routers A and B, with Routers C, D and E]
Multi-point boundary routers may cause suboptimal routing or routing loops.
- RIPv2 on Router C advertises network
- Routers A and B redistribute the network into OSPF.
- OSPF then advertises the route to its neighbor OSPF routers as an OSPF external route.
- The route passes through the OSPF AS and eventually makes its way back to the other edge router.
- Router B (or A) then redistributes from OSPF back into the original RIPv2 network; this is a routing feedback loop.

25
router ospf 10
 redistribute rip subnets
router rip
 redistribute ospf 10 route-map OSPF_into_RIP
route-map OSPF_into_RIP deny 10
 match ip address 1
route-map OSPF_into_RIP permit 20
access-list 1 permit
- /24 network will not be redistributed into RIP
- All other routes will be redistributed into RIP
To prevent the routing feedback loop, a route map called OSPF_into_RIP has been applied to Routers A and B when redistributing OSPF routes into RIP. The decision to filter a route or allow the route through is based on the deny or permit in the route-map command, and not the deny or permit in the ACL or prefix list.

26 Using Route Maps With Tags
router eigrp 100
 redistribute rip metric route-map into-eigrp
route-map into-eigrp deny 10
 match tag 40
route-map into-eigrp permit 20
 set tag 20
- Route tag: A unitless 32-bit integer that most routing protocols can assign to any given route.
- The tag follows the route advertisement, even through the redistribution process.
- Another router may use an IOS tool such as route maps to match routes with a given route tag to make a decision.
- Can be used to help solve the domain loop problem.

27 [Figure: RIPv2 and EIGRP domains joined by R1 and R2; routes entering EIGRP carry Tag 20, routes entering RIPv2 carry Tag 40]
router eigrp 100
 redistribute rip metric route-map into-eigrp
router rip
 redistribute eigrp 100 metric 3 route-map into-rip
route-map into-eigrp permit 20
 set tag 20
route-map into-rip permit 20
 set tag 40
- Routes redistributed into EIGRP are tagged with the value 20
- Routes redistributed into RIP are tagged with the value 40
BUT BEFORE we tag and allow a route into the domain, we want to deny any routes that the other router already tagged and allowed in from the other domain.

28 [Figure: RIPv2 and EIGRP domains joined by R1 and R2; routes carrying Tag 40 are blocked (X) from re-entering EIGRP]
router eigrp 100
 redistribute rip metric route-map into-eigrp
router rip
 redistribute eigrp 100 metric 3 route-map into-rip
route-map into-eigrp deny 10
 match tag 40
route-map into-eigrp permit 20
 set tag 20
route-map into-rip deny 10
 match tag 20
route-map into-rip permit 20
 set tag 40
- Updates with the tag 40 are not allowed to go back into EIGRP
- All other updates get a tag of 20 and are allowed into EIGRP

29 [Figure: RIPv2 and EIGRP domains joined by R1 and R2, with networks 172.16.0.0/16 and 10.0.0.0/8; routes carrying Tag 20 are blocked (X) from re-entering RIPv2]
router eigrp 100
 redistribute rip metric route-map into-eigrp
router rip
 redistribute eigrp 100 metric 3 route-map into-rip
route-map into-eigrp deny 10
 match tag 40
route-map into-eigrp permit 20
 set tag 20
route-map into-rip deny 10
 match tag 20
route-map into-rip permit 20
 set tag 40
- Updates with the tag 20 are not allowed to go back into RIP
- All other updates get a tag of 40 and are allowed into RIP

30 R3 /8 Notice that the route tags do not appear on the routes within the R1 and R2 routers, because these routers learn about all routes from both RIP and EIGRP directly.

31 R3 /8 However, examine the show ip route output from router R3, an internal router in the EIGRP network. Notice that router R3 does see network with a tag of 20; this tag is carried with the route as R3 advertises it to other routers in the EIGRP network, including R1 and R2. When routers R1 and R2 see the tag of 20, they do not redistribute the route back into RIP.
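
The route-map evaluation rules from slides 9 to 11 (top-down, first match, OR inside one match command, AND across match commands, implicit deny) and the tag-based feedback filter from slides 26 to 31 can be modelled in a few lines. This is an added example, not part of the original slides; the Route and Statement classes, the function names and the choice of 172.16.0.0/16 as a RIP-originated network are assumptions made for illustration.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    protocol: str          # routing domain the route is currently known in
    tag: int = 0           # 0 means untagged


@dataclass
class Statement:
    seq: int
    action: str            # "permit" or "deny"
    # One tuple per match command: (route attribute, acceptable values).
    # Values inside one tuple are alternatives (OR); all tuples must hold (AND).
    match: List[Tuple[str, Set]] = field(default_factory=list)
    sets: Dict[str, object] = field(default_factory=dict)


def apply_route_map(statements: List[Statement], route: Route) -> Optional[Route]:
    """Return the (possibly modified) route if permitted, or None if filtered."""
    for st in sorted(statements, key=lambda s: s.seq):
        # all() over an empty list is True: a statement with no match
        # commands matches every route.
        if all(getattr(route, attr) in values for attr, values in st.match):
            if st.action == "deny":
                return None
            return replace(route, **st.sets)
    return None            # implicit deny at the end of the route map


def redistribute(route: Route, route_map: List[Statement], into: str) -> Optional[Route]:
    """Redistribute a route into another domain through a route map."""
    result = apply_route_map(route_map, route)
    return None if result is None else replace(result, protocol=into)


def feedback(route: Route, out_map, back_map, other: str) -> Optional[Route]:
    """One border router redistributes `route` into `other`; the second border
    router then tries to redistribute it back into the origin domain.
    Returns the route that re-enters the origin domain, or None if blocked."""
    crossed = redistribute(route, out_map, other)
    if crossed is None:
        return None
    return redistribute(crossed, back_map, route.protocol)


# Slide 27: tagging only, no deny statements yet.
TAG_ONLY_EIGRP = [Statement(20, "permit", sets={"tag": 20})]
TAG_ONLY_RIP = [Statement(20, "permit", sets={"tag": 40})]

# Slides 28 and 29: deny what the other border router already tagged.
INTO_EIGRP = [Statement(10, "deny", match=[("tag", {40})]),
              Statement(20, "permit", sets={"tag": 20})]
INTO_RIP = [Statement(10, "deny", match=[("tag", {20})]),
            Statement(20, "permit", sets={"tag": 40})]

if __name__ == "__main__":
    rip_route = Route("172.16.0.0/16", "rip")      # assumed RIP-originated
    print("tag only :", feedback(rip_route, TAG_ONLY_EIGRP, TAG_ONLY_RIP, "eigrp"))
    print("with deny:", feedback(rip_route, INTO_EIGRP, INTO_RIP, "eigrp"))
```
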

32 Using Distribute Lists

33 Distribute lists are another way to control routing updates.
Distribute lists allow an access list to be applied to routing updates. The distribute-list command allows updates to be filtered based on factors including the following:
- Incoming interface
- Outgoing interface
- Redistribution from another routing protocol

34 Configuring Distribute Lists to Control Routing Updates
An implementation plan when planning to configure distribute lists:
- Will it be used to permit or deny routes?
- Will it use an access list or a route map?
- Will it be applied to the inbound or outbound updates?

35 IP Route Filtering with Distribution List Configuration Example
RouterB
router eigrp 1
 network
 network
 distribute-list 7 out serial 0/0/0
access-list 7 permit
- The distribute-list out command applies access list 7 to routing updates going out interface Serial 0/0/0.
- The access list allows only routing information about network to be distributed out Router B’s Serial 0/0/0 interface.
- The implicit deny any at the end of the access list prevents updates about any other networks from being advertised.
- As a result, network is hidden.

36 IP Route Filtering with Distribution List Configuration Example
RouterB
router eigrp 1
 network
 network
 distribute-list 7 out serial 0/0/0
access-list 7 deny
access-list 7 permit any
Same result. More efficient if there were multiple networks to redistribute but only the needed filtering.

37 Controlling Redistribution with Distribute Lists
[Figure: RIPv2 and OSPF domains joined by Routers B and D (interfaces s0/0/1 and s0/0/3), with Routers A and C and several /16 and /30 networks]
A distribute list helps prevent route feedback and routing loops.
- Router B redistributes networks to from RIPv2 into OSPF.
- Route feedback could occur when Router D redistributes those same networks back into RIP.
We will use two access lists, one for each redistribution direction. Just to show two ways of doing the same thing, we will use:
- an ACL with deny (one direction)
- an ACL with a permit (the other direction)

38 RouterB (Router D would be similar)
router ospf 1
 network area 0
 redistribute rip subnets
 distribute-list 2 out rip
router rip
 network
 version 2
 passive-interface serial 0/0/3
 redistribute ospf 1 metric 5
 distribute-list 3 out ospf 1
access-list 2 deny
access-list 2 permit any
access-list 3 permit
Access list 2: Denies – All other networks permitted
- to , originated by OSPF, are not redistributed back into OSPF from RIPv2.
- All other routes are redistributed into OSPF.
- Denies the original OSPF routes ( through ) and permits all others

39 RouterD (Router B would be similar)
router ospf 1
 network area 0
 redistribute rip subnets
 distribute-list 2 out rip
router rip
 network
 version 2
 passive-interface serial 0/0/3
 redistribute ospf 1 metric 5
 distribute-list 3 out ospf 1
access-list 2 deny
access-list 2 permit any
access-list 3 permit
Access list 3: Permits – All other networks denied
- Only permits routes through to be redistributed into RIPv2.
- Permits OSPF networks ( through ) and denies all others

40 ACL Ranges
R3(config)# access-list 2 deny
 Low end          10.8.0.0
 Wildcard mask  + 0.3.255.255
 High end
It’s easy!
- Start with the address in the ACL, which is the low end:
- Add the wildcard mask:
- The result is the high end of the range!
ACL range: through

41 ACL Ranges
R3(config)# access-list 2 deny
 Low end          10.17.32.0
 Wildcard mask  + 0.0.7.255
 High end
It’s easy!
- Start with the address in the ACL, which is the low end:
- Add the wildcard mask:
- The result is the high end of the range!
ACL range: through

42 Using Prefix Lists

43 Route Filtering Distribute-List Route-map ACL Prefix-List
Using distribute lists as route filters has several drawbacks, including:
- A subnet mask cannot be easily matched.
- Access lists are evaluated sequentially for every IP prefix in the routing update.
- Extended access lists can be cumbersome to configure.
Note: Distribute-list with a route map is a special case for OSPF.

44 Advantages of using prefix lists:
- Significant performance improvement over access lists in loading and route lookup of large lists. (Uses a tree structure.)
- Support for incremental modifications. You can add and remove individual lines without removing the entire list.
- A more user-friendly command-line interface.
- Greater flexibility. Routers can match network numbers in a routing update against the prefix list using as many bits as indicated. Routers can specify the size of the subnet mask, or that the subnet mask must be in a specified range.

45 Prefix-list concepts ip prefix-list list-name [seq seq-value] {deny | permit prefix/prefix-length}[ge ge-value] [le le-value] The route prefix (the subnet address) The prefix length (the subnet mask) Each command has a permit or deny action Only used for matching routes. Not used for packet filtering. Just implies whether a route is matched (permit) or not (deny). Sequence numbers are used for the insertion and deletion of individual commands.

46 Prefix-list Concepts ip prefix-list list-name [seq seq-value] {deny | permit prefix/prefix-length}[ge ge-value] [le le-value] Prefix-list Logic: The route’s prefix must be within the range of addresses implied by the prefix-list command’s prefix/prefix-length parameters. The route’s prefix length must match the range of prefixes implied by the prefix-list command's prefix-length, ge, and le parameters. What???

47 Prefix-list concepts ip prefix-list list-name [seq seq-value] {deny | permit prefix/prefix-length}[ge ge-value] [le le-value] Examining the Prefix prefix/prefix-length – Prefix: Address to be used for matching. Prefix length: How much of the address must match. /8 Any number (address) whose first 8 bits (/8) match Examples coming soon!

48 Prefix-list concepts
ip prefix-list list-name [seq seq-value] {deny | permit prefix/prefix-length}[ge ge-value] [le le-value]
Examining the Prefix Length
- Blank: Exact match.
- ge ge-value: Subnet mask must be at least this length, up to /32.
- le le-value: Subnet mask must be this length or less, but at least the length of the prefix-length.
- ge ge-value le le-value: Subnet mask must fall within this range.
The ge value must be larger than the configured prefix length in the base part of the command.
- ip prefix-list list1 permit /8 ge 7 would be rejected
- The ge value (7) is less than the configured prefix-length (/8).
Examples coming next!

49 Match the Prefix List with the appropriate routes
/8 /9 /24 /24 /30 /30 /8 Routes matched: 1 Reason: Without ge or le configured, both the prefix ( ) and length (8) must be an exact match. ip prefix-list list-name [seq seq-value] {deny | permit prefix/prefix-length} [ge ge-value] [le le-value]

50 Match the Prefix List with the appropriate routes
/8 /9 /24 /24 /30 /30 /8 ge 9 Routes matched: 2 - 6 Reason: The /8 means “all routes whose first octet is 10”. The prefix length must be between 9 and 32, inclusive. ip prefix-list list-name [seq seq-value] {deny | permit prefix/prefix-length} [ge ge-value] [le le-value]

51 Match the Prefix List with the appropriate routes
/8 /9 /24 /24 /30 /30 /8 ge 24 le 24 Routes matched: 3, 4 Reason: The /8 means “all routes whose first octet is 10,” and the prefix range is 24 to 24 — meaning only routes with prefix length 24. ip prefix-list list-name [seq seq-value] {deny | permit prefix/prefix-length} [ge ge-value] [le le-value]

52 Match the Prefix List with the appropriate routes
/8 /9 /24 /24 /30 /30 /8 le 28 Routes matched: 1 - 4 Reason: The prefix length needs to be between 8 and 28, inclusive. ip prefix-list list-name [seq seq-value] {deny | permit prefix/prefix-length} [ge ge-value] [le le-value]

53 Match the Prefix List with the appropriate routes
/8 /9 /24 /24 /30 /30 /0 Routes matched: none Reason: /0 means “match all prefixes”. Because no le nor ge parameter is configured, the /0 also means that the prefix length must be exactly 0. Only a default route would match this prefix list. ip prefix-list list-name [seq seq-value] {deny | permit prefix/prefix-length} [ge ge-value] [le le-value]

54 Match the Prefix List with the appropriate routes
/8 /9 /24 /24 /30 /30 /0 le 32 Routes matched: All Reason: The range implied by /0 is all IPv4 addresses. The le 32 then implies any prefix length between 0 and 32, inclusive. This is the syntax for “match all” prefix list logic. ip prefix-list list-name [seq seq-value] {deny | permit prefix/prefix-length} [ge ge-value] [le le-value]

55 Filtering with Prefix Lists
ip prefix-list list-name [seq seq-value] {deny | permit prefix/prefix-length}[ge ge-value] [le le-value]
We will use examples to see how this works! Whether a prefix is permitted or denied is based on the following rules:
- An empty prefix list permits all prefixes.
- If a prefix is permitted, the route is used. If a prefix is denied, the route is not used.
- Prefix lists consist of statements with sequence numbers. The router begins the search for a match at the top of the prefix list, which is the statement with the lowest sequence number.
- When a match occurs, the router does not need to go through the rest of the prefix list. For efficiency, you might want to put the most common matches (permits or denies) near the top of the list (lower sequence number).
- An implicit deny is assumed if a given prefix does not match any entries in a prefix list.
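
The prefix-list logic from slides 45 to 55 (leading-bit comparison, the ge/le length window, first match by sequence number, implicit deny, empty list permits all) can be checked with a small evaluator. This is an added example, not part of the original slides; the class and function names are assumptions, it handles IPv4 only, and the six sample routes are constructed to have the prefix lengths /8, /9, /24, /24, /30, /30 used in the matching exercises, since the slide addresses are not available here.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                    # "permit" or "deny"
    prefix: str                    # prefix/prefix-length, e.g. "10.0.0.0/8"
    ge: Optional[int] = None
    le: Optional[int] = None

    def __post_init__(self):
        plen = ipaddress.ip_network(self.prefix).prefixlen
        # Slide 48: ge must be larger than the configured prefix length.
        if self.ge is not None and not plen < self.ge <= 32:
            raise ValueError(f"ge {self.ge} must be > /{plen} and <= 32")
        if self.le is not None and not plen <= self.le <= 32:
            raise ValueError(f"le {self.le} must be >= /{plen} and <= 32")
        if self.ge is not None and self.le is not None and self.ge > self.le:
            raise ValueError("ge must not exceed le")

    def length_range(self) -> Tuple[int, int]:
        plen = ipaddress.ip_network(self.prefix).prefixlen
        if self.ge is None and self.le is None:
            return plen, plen                      # blank: exact match
        low = self.ge if self.ge is not None else plen
        high = self.le if self.le is not None else 32
        return low, high


def entry_matches(entry: Entry, route: str) -> bool:
    base = ipaddress.ip_network(entry.prefix)
    candidate = ipaddress.ip_network(route)
    # Compare only the first prefix-length bits of the route's address.
    shift = 32 - base.prefixlen
    same_bits = (int(candidate.network_address) >> shift) == \
                (int(base.network_address) >> shift)
    low, high = entry.length_range()
    return same_bits and low <= candidate.prefixlen <= high


def evaluate(prefix_list: List[Entry], route: str) -> str:
    if not prefix_list:
        return "permit"                            # empty list permits all
    for entry in sorted(prefix_list, key=lambda e: e.seq):
        if entry_matches(entry, route):
            return entry.action                    # first match wins
    return "deny"                                  # implicit deny


# Constructed sample routes, numbered 1 to 6 as in the exercises.
ROUTES = ["10.0.0.0/8", "10.128.0.0/9", "10.1.1.0/24",
          "10.1.2.0/24", "10.1.3.4/30", "10.1.3.8/30"]


def matched_routes(entry: Entry, routes: List[str] = ROUTES) -> List[int]:
    """Return the 1-based numbers of the routes the entry matches."""
    return [i for i, r in enumerate(routes, start=1) if entry_matches(entry, r)]


if __name__ == "__main__":
    for e in (Entry(5, "permit", "10.0.0.0/8"),
              Entry(5, "permit", "10.0.0.0/8", ge=9),
              Entry(5, "permit", "10.0.0.0/8", ge=24, le=24),
              Entry(5, "permit", "10.0.0.0/8", le=28),
              Entry(5, "permit", "0.0.0.0/0"),
              Entry(5, "permit", "0.0.0.0/0", le=32)):
        print(e.prefix, "ge", e.ge, "le", e.le, "->", matched_routes(e))
```
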

56 Configuring Prefix Lists
ip prefix-list list-name [seq seq-value] {deny | permit prefix/prefix-length}[ge ge-value] [le le-value]

57 s0/0/0 Permit through to be redistributed from RIP into OSPF. Permit through to be redistributed from OSPF into RIP.

58 10.4.0.0 and higher would not be a match 00001010.000001xxx
/14 First 14 bits must be: xxx and higher would not be a match xxx
router ospf 1
 network area 0
 redistribute rip route-map intoOSPF subnets
router rip
 network
 version 2
 passive-interface serial 0/0/0
 redistribute ospf 1 route-map intoRIP metric 5
route-map intoOSPF permit 10
 match ip address prefix-list PFX1
route-map intoRIP permit 10
 match ip address prefix-list PFX2
ip prefix-list PFX1 permit /14
ip prefix-list PFX2 permit /14
- intoOSPF uses prefix list PFX1; this permits /14, which includes through
- intoRIP uses prefix list PFX2; this permits /14, which includes through
- Network/Length must be an exact match

59 Two methods for controlling routing updates
You can apply a combination of prefix-lists, distribute-lists, and route-maps on incoming or outgoing information, or both.

60 R1 is redistributing EIGRP into OSPF R2 redistributing OSPF into EIGRP
[Figure: topology of R1, R2 and R3 connected by /24 links]
Notice that there are links between R1 and R2, one in OSPF and one in EIGRP.

61 R3 injects 192.168.254.0 and 192.168.253.0 into EIGRP (AD 170)
- R3 injects and into EIGRP (AD 170)
- R1 translates those EIGRP advertisements into OSPF (AD 110), with a specified seed metric.
- These OSPF advertisements are translated back into EIGRP by router R2 (AD 170).
- However, as we shall see, the resulting metric is better than the one advertised by R3, so R1 determines that the best path to R3's loopback address is via R2.
- We shall also see that there is a routing loop in this network.

62 This is suboptimal routing..
R1 is learning about this route from router R2, , instead of directly from router R3. This is suboptimal routing.

63 Notice the routing loop between R1 and R2.
This network has a routing loop as well as suboptimal routing.

64 The metric via R2 (28160), is much lower than the metric via R3 (2297856).
This is why R1 chooses the path via R2 instead of via R3. However, the path via R2 is the redistributed route from OSPF, and the route was redistributed into OSPF by R1. The result is the routing loop and suboptimal routing.

65 We confirm this by examining R2's routing table entry for 192.168.254.0
Notice that this route is known by OSPF. Also notice that this route is being redistributed into EIGRP, and a seed metric of is specified. It seems that R1 views this seed metric as better than R3's metric for the network.

66 Goal: Have all EIGRP routers use R3 to forward traffic to the and networks
Process:
- At R1/R2: Tag 1000 to and networks as they are redistributed into OSPF
- At R1/R2: Deny all routes with a Tag of 1000 as they are redistributed into EIGRP
This will ensure that EIGRP routers only have the route to R3 for the and networks in their routing tables.

67 R1(config)# router ospf 1
R1(config)# router ospf 1
R1(config-router)# redistribute eigrp 1 metric 4 subnets route-map SETTAG
R1(config)# router eigrp 1
R1(config-router)# redistribute ospf 1 metric match external 1 external 2 route-map MATCHTAG
R1(config)# route-map SETTAG permit 10
R1(config-route-map)# match ip address prefix-list EXTERNAL
R1(config-route-map)# set tag 1000
R1(config-route-map)# exit
R1(config)# route-map SETTAG permit 20
R1(config)# route-map MATCHTAG deny 10
R1(config-route-map)# match tag 1000
R1(config)# route-map MATCHTAG permit 20
R1(config)# ip prefix-list EXTERNAL seq 5 permit /24 le 32
R1(config)# ip prefix-list EXTERNAL seq 10 permit /24 le 32

68 Used two tags, one for each redistribution direction.
R1(config)# router ospf 1
R1(config-router)# redistribute eigrp 1 metric 4 subnets route-map SETTAG
R1(config)# router eigrp 1
R1(config-router)# redistribute ospf 1 metric match external 1 external 2 route-map MATCHTAG
R1(config)# route-map SETTAG permit 10
R1(config-route-map)# match ip address prefix-list EXTERNAL
R1(config-route-map)# set tag 1000
R1(config-route-map)# exit
R1(config)# route-map SETTAG permit 20
R1(config)# route-map MATCHTAG deny 10
R1(config-route-map)# match tag 1000
R1(config)# route-map MATCHTAG permit 20
R1(config)# ip prefix-list EXTERNAL seq 5 permit /24 le 32
R1(config)# ip prefix-list EXTERNAL seq 10 permit /24 le 32

69 Verify

70 Verify

71 No Feasible Successor because the route was denied.
Didn’t even have a chance to try.

72 Type-5 LSA ( ) has a Tag of 1000

73 Notice the hit counts for each sequence number in the prefix list in the command output, indicating how many times the prefix list matched the networks.

74 Alternative Approach
R1(config)# router ospf 1
R1(config-router)# redistribute eigrp 1 metric 4 subnets route-map TAGS
R1(config)# router eigrp 1
R1(config-router)# redistribute ospf 1 metric route-map TAGS
R1(config)# route-map TAGS deny 10
R1(config-route-map)# match tag 1000
R1(config-route-map)# exit
R1(config)# route-map TAGS permit 20
R1(config-route-map)# set tag 1000
An alternative, simpler configuration for the R1 and R2 routers. This configuration uses only one route map, TAGS, applied to both OSPF and EIGRP redistribution. The route map:
- Denies (does not redistribute) routes that are tagged
- Permits (redistributes) all other routes after setting their tag

75 Alternative Approach
We solved the routing loop problem; however, we still have suboptimal routing.

76 Alternative Approach
Comparing the routing tables of R1 and R2 for the network…
- Notice the administrative distance of the routes.
- R2 learns the route from R1 with an administrative distance of 110 (from OSPF).
- R2 also learns the route from R3, just as R1 does, with an administrative distance of 170 (from external EIGRP).
- R2 chooses the route with the lowest administrative distance, and therefore chooses the route via R1.

77 Alternative Approach
The trace output confirms the route R2 is taking.

78 Alternative Approach
R1(config)# router ospf 1
R1(config-router)# redistribute eigrp 1 metric 4 subnets route-map TAGS
R1(config-router)# distance ospf external 180
R1(config)# router eigrp 1
R1(config-router)# redistribute ospf 1 metric route-map TAGS
R1(config)# route-map TAGS deny 10
R1(config-route-map)# match tag 1000
R1(config-route-map)# exit
R1(config)# route-map TAGS permit 20
R1(config-route-map)# set tag 1000
The distance ospf external 180 command in OSPF configuration mode results in the following, assuming all other AD values default:
- OSPF internal AD 110 < EIGRP external AD 180
- EIGRP external AD 170 < EIGRP -> OSPF external AD 180
- R2 to R3 is now the preferred route

79 A few more samples if you care to review the rest of the slides…

80 Note: This will also permit all other routes.
Prefixes Action /24 deny /25 /26 permit /27 /28 /29 /30
Option 1: Match the routes to be filtered (denied), using extended IP ACLs, with a deny action so the routes are filtered. Then use a permit clause with no match command to match and allow all remaining routes to be redistributed.
Note: This will also permit all other routes.

81 Match and Deny & Permit all
router eigrp 1
 redistribute ospf 2 route-map option1
route-map option1 deny 10
 match ip address match-101
route-map option1 deny 20
 match ip address match
route-map option1 permit 100
ip access-list extended match-101
 permit ip host host
ip access-list extended match
 permit ip host host
 permit ip host host
Match and Deny & Permit all
- Extended ACL compares the source IP address parameter to the subnet number of the route, and the destination IP address to the subnet mask of the route.
- Could have used standard ACL: subnet and wildcard mask
- Could be a single route-map and single ACL
- Two statements because we will modify this later
The decision to filter a route or allow the route through is based on the deny or permit in the route-map command, and not the deny or permit in the ACL or prefix list.

82 Redistribution from OSPF into EIGRP.
Prefixes Action Metric (Bandwidth, delay, reliability, load, MTU) permit Default: All others
Redistribution from OSPF into EIGRP. This time all routes will be redistributed, but now the metrics of the allowed routes will be set differently, as listed in the table. We will need at least three clauses: one for each set of routes for which the metric should differ.

83
router eigrp 1
 default-metric
 redistribute ospf 1 route-map set-metric
route-map set-metric permit 10
 match ip address prefix-list match
 set metric
route-map set-metric permit 20
 match ip address prefix-list match
 set metric
route-map set-metric permit 30
ip prefix-list match seq 5 permit /23 ge 25 le 26
ip prefix-list match seq 5 permit /23 ge 29 le 30
Match, Permit, Set Metric & Match, Permit, Set Metric & Permit All (default-metric)

84 All other routes default E2
When redistributing into OSPF, IOS automatically sets the external route type to external type 2 (E2). However, we want the /16 route to have the external type 2 (E2)

85 All other routes default E2
router ospf 1
 redistribute eigrp 1 route-map set-external subnets
route-map set-external 10
 match ip address prefix-list match
 set metric-type type-1
route-map set-external 20
ip prefix-list match seq 5 permit /16
route-map set-external 20 permits all other routes but leaves the external route type as the default E2.
When redistributing into OSPF, IOS can set the type to E1 or E2 by using the set metric-type {type-1 | type-2} route-map subcommand.

86 We will end here but here are some additional examples for your enjoyment (FYI)

87 Highly Recommended This presentation is based on the approach from Wendell Odom’s book, BSCI Exam Certification Guide (Cisco Press). For anyone wishing to take this exam and/or get additional information, this book is highly recommended.

88 Distribute-list (review)

89 Distribute Lists and Prefix Lists
Route-Map ACL Prefix-List
Prefix-list uses a distribute-list router subcommand. It is another tool for matching routes. It can examine both the prefix (network address) and the prefix length (subnet mask), or a range of either. ACLs matched only the prefix of the route (subnet number); IP prefix lists always examine both the prefix and prefix length.

90 Verifying - BEFORE Distribute List
R4# show ip route | include 10.
 /8 is variably subnetted, 8 subnets, 4 masks
D /30 [90/ ] via , 00:06:28, Ser0/0
C /30 is directly connected, Serial0/0
D /30 [90/ ] via , 00:06:28, Ser0/0
D /30 [90/ ] via , 00:06:28, Ser0/0
D /25 [90/ ] via , 00:06:15, Ser0/0
D /24 [90/ ] via , 00:03:04, Ser0/0
D /23 [90/ ] via , 00:05:58, Ser0/0
D /26 [90/ ] via , 00:06:28, Ser0/0
D /26 [90/ ] via , 00:06:28,Ser0/0
Notice the option with the pipe!

91 Verifying – BEFORE Distribute List
R4# show ip route | include 10.17
D /25 [90/ ] via , 00:04:16, Ser0/0
D /24 [90/ ] via , 00:03:04, Ser0/0
D /23 [90/ ] via , 00:03:59, Ser0/0
D /26 [90/ ] via , 00:04:29, Ser0/0
D /26 [90/ ] via , 00:04:29,Ser0/0

92 Distribute List
R3(config)# router eigrp 1
R3(config-router)# distribute-list 2 out ser 0/2
R3(config)# access-list 2 deny
R3(config)# access-list 2 permit any
01:31:34: %DUAL-5-NBRCHANGE: IP-EIGRP 1: Neighbor (Serial0/2) is down: route configuration changed
01:31:38: %DUAL-5-NBRCHANGE: IP-EIGRP 1: Neighbor (Serial0/2) is up: new adjacency
This distribute list filters all EIGRP updates for the LANs, through , going to R4.

93 Verifying Distribute List - AFTER
R4# show ip route
 /24 is subnetted, 2 subnets
C is directly connected, FastEthernet0/0
C is directly connected, FastEthernet0/1
 /30 is subnetted, 4 subnets
D [90/ ] via , 00:01:26, Serial0/0
C is directly connected, Serial0/0
D [90/ ] via , 00:01:26, Serial0/0
D [90/ ] via , 00:01:26, Serial0/0
Only has serial “10” networks which were not in the range ACL range: through

94 Verifying Distribute List - AFTER
R4# show ip route | include 10.17
R4#
R1# show ip route | include 10.17
D /25 [90/ ] via , 00:25:50, Ser0/0
C /24 is directly connected, FastEthernet0/1
C /23 is directly connected, FastEthernet0/0
D /26 [90/ ] via , 00:25:50, Ser0/1
D /26 [90/ ] via , 00:25:50,Ser0/1
R1#
R4 does not have any of the “10.17” routes. R1 still has all the routes, including the “10.17” routes.

95 Redistribution into EIGRP

96 Our Topology R2-E-O is running: EIGRP for 172.30.0.0 network
OSPF 1 EIGRP 1 R2-E-O is running: EIGRP for network OSPF for network No longer using or , R2’s directly connected networks, from previous presentation. Additional networks on R4.

97 Redistribution – Part 1 Some cases:
R2 summary:
router eigrp 1
 redistribute connected
 redistribute ospf 1
 network
 default-metric
 auto-summary
!
router ospf 1
 redistribute eigrp 1 subnets metric-type 1
 network area 0
 network area 0
Some cases: All routes need to be redistributed from one routing protocol to another. Same metrics. Same external route type if applicable.

98 Redistribution Other cases: Not all routes need to be redistributed.
E1 All other routes default E2
Other cases: Not all routes need to be redistributed. Different metrics for different routes. Different external route types for different routes.

99 Redistribution
Redistribution into EIGRP
redistribute protocol [process-id | as-number] [metric bw delay reliability load mtu] [match {internal | nssa-external | external 1 | external 2}] [tag tag-value] [route-map map-tag]
Redistribution into OSPF
redistribute protocol [process-id | as-number] [metric {metric-value | transparent}] [metric-type type-value] [match {internal | external 1 | external 2 | nssa-external}] [tag tag-value] [route-map map-tag] [subnets]
Route-maps
Tool for identifying routes to be treated differently:
Different metrics
Different external route types
Tagging a route to be used at another redistribution point
Filtered

100 To identify routes, route-maps use the match subcommand:
route-map map-tag [permit | deny] [sequence-number]
 match …
* Can reference multiple numbered and named ACLs on a single match command.

101 Redistribution and Route-maps
redistribute protocol route-map map-tag
route-map map-tag deny seq#
 match [ACL | prefix-list]
route-map map-tag permit seq#
 match [ACL | prefix-list]
 set [metric | metric-type]
ip access-list extended ACL
 permit
ip prefix-list prefix-list
deny action: the route is filtered (not redistributed).
permit action: the route is redistributed [set is optional].
A route-map referenced by the redistribute command always attempts to filter routes.

102 Redistribution and Route-maps
set Command: Description
set metric metric-value: Sets the route’s metric for OSPF, RIP, and IS-IS
set metric bandwidth delay reliability loading mtu: Sets the EIGRP route’s metric and MTU values
set metric-type {type-1 | type-2}: Sets type of route for IS-IS and OSPF
set tag tag-value: Sets the unitless tag value in the route
Optional set command: For routes not filtered by the route-map, the route-map can set other values like the route's metric.

103 Current R2 Redistribution
R2-E-O Redistribution
router eigrp 1
 redistribute ospf 1
 network
 default-metric
 auto-summary
!
router ospf 1
 router-id
 log-adjacency-changes
 redistribute eigrp 1 subnets
 network area 0
Current R2 Redistribution: Same metrics. Same external route type (all EIGRP routes are E2 going into OSPF).

104 R1’s routing table R1-E# show ip route D EX /16 [170/ ] via , 00:30:57, Serial0/0 /16 is variably subnetted, 11 subnets, 7 masks D EX /30 [170/ ] via , 00:30:57, Serial0/0 D EX /30 [170/ ] via , 00:30:57, Serial0/0 D EX /24 [170/ ] via , 00:30:57, Serial0/0 D EX /24 [170/ ] via , 00:30:57, Serial0/0 D EX /27 [170/ ] via , 00:00:42, Serial0/0 D EX /28 [170/ ] via , 00:00:33, Serial0/0 D EX /29 [170/ ] via , 00:00:33, Serial0/0 D EX /30 [170/ ] via , 00:00:23, Serial0/0 D EX /24 [170/ ] via , 00:01:13, Serial0/0 D EX /25 [170/ ] via , 00:00:53, Serial0/0 D EX /26 [170/ ] via , 00:00:43, Serial0/0 C /16 is directly connected, Loopback31 /16 is variably subnetted, 6 subnets, 3 masks C /24 is directly connected, FastEthernet0/1 C /24 is directly connected, Loopback0 C /30 is directly connected, Serial0/0 D /16 is a summary, 00:43:01, Null0 C /24 is directly connected, FastEthernet0/0 C /24 is directly connected, Loopback1 All OSPF routes redistributed into EIGRP with the same metric.

105 R2’s routing table Participates in EIGRP and OSPF.
R2-E-O# show ip route O /16 [110/846] via , 00:01:03, Serial0/1 /16 is variably subnetted, 11 subnets, 7 masks O /30 [110/845] via , 00:01:03, Serial0/1 C /30 is directly connected, Serial0/1 O /24 [110/782] via , 00:01:03, Serial0/1 O /24 [110/846] via , 00:01:03, Serial0/1 O /27 [110/846] via , 00:01:03, Serial0/1 O /28 [110/846] via , 00:01:04, Serial0/1 O /29 [110/846] via , 00:01:04, Serial0/1 O /30 [110/846] via , 00:01:04, Serial0/1 O /24 [110/846] via , 00:01:04, Serial0/1 O /25 [110/846] via , 00:01:04, Serial0/1 O /26 [110/846] via , 00:01:04, Serial0/1 D /16 [90/ ] via , 00:43:40, Serial0/0 /16 is variably subnetted, 5 subnets, 2 masks D /24 [90/ ] via , 00:43:40, Serial0/0 D /24 [90/ ] via , 00:43:40, Serial0/0 C /30 is directly connected, Serial0/0 D /24 [90/ ] via , 00:43:40, Serial0/0 D /24 [90/ ] via , 00:43:40, Serial0/0 Participates in EIGRP and OSPF.

106 R3’s routing table R3-O# show ip route O /16 [110/65] via , 00:01:43, Serial0/2 /16 is variably subnetted, 11 subnets, 7 masks C /30 is directly connected, Serial0/2 C /30 is directly connected, Serial0/1 C /24 is directly connected, FastEthernet0/0 O /24 [110/65] via , 00:01:43, Serial0/2 O /27 [110/65] via , 00:01:43, Serial0/2 O /28 [110/65] via , 00:01:43, Serial0/2 O /29 [110/65] via , 00:01:44, Serial0/2 O /30 [110/65] via , 00:01:44, Serial0/2 O /24 [110/65] via , 00:01:44, Serial0/2 O /25 [110/65] via , 00:01:44, Serial0/2 O /26 [110/65] via , 00:01:44, Serial0/2 O E /16 [110/20] via , 00:01:45, Serial0/1 /16 is variably subnetted, 5 subnets, 2 masks O E /24 [110/20] via , 00:01:45, Serial0/1 O E /24 [110/20] via , 00:01:45, Serial0/1 O E /30 [110/20] via , 00:01:45, Serial0/1 O E /24 [110/20] via , 00:01:45, Serial0/1 O E /24 [110/20] via , 00:01:45, Serial0/1 All EIGRP routes redistributed into OSPF with the same metric and type E2.

107 R4’s routing table R4-0#show ip route C /16 is directly connected, FastEthernet0/1 /16 is variably subnetted, 11 subnets, 7 masks C /30 is directly connected, Serial0/0 O /30 [110/128] via , 00:02:38, Serial0/0 O /24 [110/65] via , 00:02:38, Serial0/0 C /24 is directly connected, FastEthernet0/0 C /27 is directly connected, Loopback104 C /28 is directly connected, Loopback105 C /29 is directly connected, Loopback106 C /30 is directly connected, Loopback107 C /24 is directly connected, Loopback101 C /25 is directly connected, Loopback102 C /26 is directly connected, Loopback103 O E /16 [110/20] via , 00:02:40, Serial0/0 /16 is variably subnetted, 5 subnets, 2 masks O E /24 [110/20] via , 00:02:40, Serial0/0 O E /24 [110/20] via , 00:02:40, Serial0/0 O E /30 [110/20] via , 00:02:40, Serial0/0 O E /24 [110/20] via , 00:02:40, Serial0/0 O E /24 [110/20] via , 00:02:40, Serial0/0 All EIGRP routes redistributed into OSPF with the same metric and type E2.

108 Configuring Route Filtering with Redistribution

109 Note: This will also permit all other routes.
Prefixes Action /24 deny /25 /26 permit /27 /28 /29 /30
Option 1: Match the routes to be filtered (denied) using extended IP ACLs, with a deny action so the routes are filtered. Then use a permit clause with no match command to match and allow all remaining routes to be redistributed. Note: This will also permit all other routes.

110 Match and Deny & Permit all
router eigrp 1
 redistribute ospf 2 route-map option1
route-map option1 deny 10
 match ip address match-101
route-map option1 deny 20
 match ip address match
route-map option1 permit 100
ip access-list extended match-101
 permit ip host host
ip access-list extended match
 permit ip host host
 permit ip host host
The extended ACL compares the source IP address parameter to the subnet number of the route, and the destination IP address to the subnet mask of the route.
Could be a single route-map and a single ACL; there are two statements because we will modify this later.
The decision to filter a route or allow the route through is based on the deny or permit in the route-map command, and not the deny or permit in the ACL or prefix list.

111 All routes still in routing table
R2-E-O# show ip route O /16 [110/846] via , 00:30:45, Serial0/1 /16 is variably subnetted, 11 subnets, 7 masks O /30 [110/845] via , 00:30:45, Serial0/1 C /30 is directly connected, Serial0/1 O /24 [110/782] via , 00:30:45, Serial0/1 O /24 [110/846] via , 00:30:45, Serial0/1 O /27 [110/846] via , 00:30:45, Serial0/1 O /28 [110/846] via , 00:30:47, Serial0/1 O /29 [110/846] via , 00:30:47, Serial0/1 O /30 [110/846] via , 00:30:47, Serial0/1 O /24 [110/846] via , 00:30:47, Serial0/1 O /25 [110/846] via , 00:30:47, Serial0/1 O /26 [110/846] via , 00:30:47, Serial0/1 D /16 [90/ ] via , 00:31:23, Serial0/0 /16 is variably subnetted, 5 subnets, 2 masks D /24 [90/ ] via , 00:31:23, Serial0/0 D /24 [90/ ] via , 00:31:23, Serial0/0 C /30 is directly connected, Serial0/0 D /24 [90/ ] via , 00:31:23, Serial0/0 D /24 [90/ ] via , 00:31:23, Serial0/0 All routes still in routing table

112 Denied routes not redistributed into EIGRP.
R2-E-O# show ip eigrp top <Non-redistributed routes omitted> P /30, 1 successors, FD is via Redistributed ( /0) P /30, 1 successors, FD is P /16, 1 successors, FD is P /24, 1 successors, FD is P /24, 1 successors, FD is P /29, 1 successors, FD is P /30, 1 successors, FD is P /25, 1 successors, FD is P /26, 1 successors, FD is Denied routes not redistributed into EIGRP.

113 Denied routes not redistributed into EIGRP.
R1-E#show ip route D EX /16 [170/ ] via , 00:32:19, Serial0/0 /16 is variably subnetted, 8 subnets, 5 masks D EX /30 [170/ ] via , 00:32:42, Serial0/0 D EX /30 [170/ ] via , 00:32:52, Serial0/0 D EX /24 [170/ ] via , 00:32:42, Serial0/0 D EX /24 [170/ ] via , 00:32:19, Serial0/0 D EX /29 [170/ ] via , 00:32:19, Serial0/0 D EX /30 [170/ ] via , 00:32:20, Serial0/0 D EX /25 [170/ ] via , 00:32:20, Serial0/0 D EX /26 [170/ ] via , 00:32:20, Serial0/0 C /16 is directly connected, Loopback31 /16 is variably subnetted, 6 subnets, 3 masks C /24 is directly connected, FastEthernet0/1 C /24 is directly connected, Loopback0 C /30 is directly connected, Serial0/0 D /16 is a summary, 00:32:59, Null0 C /24 is directly connected, FastEthernet0/0 C /24 is directly connected, Loopback1 Denied routes not redistributed into EIGRP.

114 Denied routes not redistributed into EIGRP.
R1-E#show ip eigrp top <Non-redistributed routes omitted> P /30, 1 successors, FD is via ( / ), Serial0/0 P /30, 1 successors, FD is P /16, 1 successors, FD is P /24, 1 successors, FD is P /24, 1 successors, FD is P /29, 1 successors, FD is P /30, 1 successors, FD is P /25, 1 successors, FD is P /26, 1 successors, FD is Denied routes not redistributed into EIGRP.

115 R2# show access-list
Extended IP access list match-101
 10 permit ip host host (1 match)
Extended IP access list match
 10 permit ip host host (1 match)
 20 permit ip host host (1 match)

116 Then match routes to be filtered using prefix list with a deny action.
Prefixes Action /24 deny /25 /26 permit /27 /28 /29 /30
Option 2: Match the routes to be allowed (permitted) using prefix lists, with a permit action. Then match the routes to be filtered using a prefix list, with a deny action. Then use a permit clause with no match command to match and allow all remaining routes to be redistributed. Note: This will also permit all other routes.

117 Match and Permit & Match and Deny & Permit All
router eigrp 1
 redistribute ospf 1 route-map option2
route-map option2 permit 10
 match ip address prefix-list match permit
route-map option2 deny 20
 match ip address prefix-list match deny
route-map option2 permit 30
ip prefix-list match permit seq 5 permit /23 ge 25 le 26
ip prefix-list match permit seq 10 permit /23 ge 29 le 30
ip prefix-list match deny seq 5 permit /24
ip prefix-list match deny seq 10 permit /23 ge 27 le 28
The decision to filter a route or allow the route through is based on the deny or permit in the route-map command, and not the deny or permit in the ACL or prefix list.
The first permit prefix is not needed because we do a match-all permit at the end. But we created these permit prefixes because we will use this again later.

118 All routes in routing table
R2-E-O# show ip route O /16 [110/846] via , 00:06:08, Serial0/1 /16 is variably subnetted, 11 subnets, 7 masks O /30 [110/845] via , 00:06:08, Serial0/1 C /30 is directly connected, Serial0/1 O /24 [110/782] via , 00:06:08, Serial0/1 O /24 [110/846] via , 00:06:08, Serial0/1 O /27 [110/846] via , 00:06:08, Serial0/1 O /28 [110/846] via , 00:06:09, Serial0/1 O /29 [110/846] via , 00:06:09, Serial0/1 O /30 [110/846] via , 00:06:09, Serial0/1 O /24 [110/846] via , 00:06:09, Serial0/1 O /25 [110/846] via , 00:06:09, Serial0/1 O /26 [110/846] via , 00:06:09, Serial0/1 D /16 [90/ ] via , 00:06:42, Serial0/0 /16 is variably subnetted, 5 subnets, 2 masks D /24 [90/ ] via , 00:06:42, Serial0/0 D /24 [90/ ] via , 00:06:42, Serial0/0 C /30 is directly connected, Serial0/0 D /24 [90/ ] via , 00:06:42, Serial0/0 D /24 [90/ ] via , 00:06:42, Serial0/0 All routes in routing table

119 Denied routes not redistributed into EIGRP.
R2-E-O#show ip eigrp top <Non-redistributed routes omitted> P /30, 1 successors, FD is via Redistributed ( /0) P /30, 1 successors, FD is P /24, 1 successors, FD is P /16, 1 successors, FD is P /24, 1 successors, FD is P /29, 1 successors, FD is P /30, 1 successors, FD is P /25, 1 successors, FD is P /26, 1 successors, FD is Denied routes not redistributed into EIGRP.

120 Denied routes not redistributed into EIGRP.
R1-E#show ip route D EX /16 [170/ ] via , 00:02:01, Serial0/0 /16 is variably subnetted, 8 subnets, 5 masks D EX /30 [170/ ] via , 00:02:01, Serial0/0 D EX /30 [170/ ] via , 00:02:01, Serial0/0 D EX /24 [170/ ] via , 00:02:01, Serial0/0 D EX /24 [170/ ] via , 00:02:01, Serial0/0 D EX /29 [170/ ] via , 00:06:58, Serial0/0 D EX /30 [170/ ] via , 00:06:59, Serial0/0 D EX /25 [170/ ] via , 00:06:59, Serial0/0 D EX /26 [170/ ] via , 00:06:59, Serial0/0 C /16 is directly connected, Loopback31 /16 is variably subnetted, 6 subnets, 3 masks C /24 is directly connected, FastEthernet0/1 C /24 is directly connected, Loopback0 C /30 is directly connected, Serial0/0 D /16 is a summary, 00:07:39, Null0 C /24 is directly connected, FastEthernet0/0 C /24 is directly connected, Loopback1 Denied routes not redistributed into EIGRP.

121 Denied routes not redistributed into EIGRP.
R1-E#show ip eigrp top <Non-redistributed routes omitted> P /30, 1 successors, FD is via ( / ), Serial0/0 P /30, 1 successors, FD is P /24, 1 successors, FD is P /16, 1 successors, FD is P /24, 1 successors, FD is P /29, 1 successors, FD is P /30, 1 successors, FD is P /25, 1 successors, FD is P /26, 1 successors, FD is Denied routes not redistributed into EIGRP.

122 R2-E-O# show ip prefix-list detail match-101-104-105-deny
ip prefix-list match deny:
 count: 2, range entries: 1, sequences: , refcount: 3
 seq 5 permit /24 (hit count: 1, refcount: 2)
 seq 10 permit /23 ge 27 le 28 (hit count: 2, refcount: 1)
R2-E-O#

123 Setting Metrics when Redistributing

124 Redistribution from OSPF into EIGRP.
Prefixes Action Metric (Bandwidth, delay, reliability, load, MTU) deny N/A permit All others
Redistribution from OSPF into EIGRP. This time all routes will be redistributed, but the metrics of the allowed routes will be set differently, as listed in the table. We will need at least three clauses: one for each set of routes for which the metric should differ.

125 Match, Permit, Set Metric & Match, Permit, Set Metric & Permit All (default-metric)
router eigrp 1
 default-metric
 redistribute ospf 1 route-map set-metric
route-map set-metric permit 10
 match ip address prefix-list match
 set metric
route-map set-metric permit 20
 match ip address prefix-list match
 set metric
route-map set-metric permit 30
ip prefix-list match seq 5 permit /23 ge 25 le 26
ip prefix-list match seq 5 permit /23 ge 29 le 30

126 R2-E-O# show ip eigrp top /24
IP-EIGRP (AS 1): Topology entry for /24
 State is Passive, Query origin flag is 1, 1 Successor(s), FD is
 Routing Descriptor Blocks:
 , from Redistributed, Send flag is 0x0
 Composite metric is ( /0), Route is External
 Vector metric:
 Minimum bandwidth is 1500 Kbit
 Total delay is 100 microseconds
 Reliability is 255/255
 Load is 1/255
 Minimum MTU is 1500
 Hop count is 0
 External data:
 Originating router is (this system)
 AS number of route is 1
 External protocol is OSPF, external metric is 846
 Administrator tag is 0 (0x )
Note: The redistribute command configures delay in units of tens of microseconds.

127 R2-E-O# show ip eigrp top 172.16.102.0/25
R2-E-O# show ip eigrp top /25
IP-EIGRP (AS 1): Topology entry for /25
 State is Passive, Query origin flag is 1, 1 Successor(s), FD is
 Routing Descriptor Blocks:
 , from Redistributed, Send flag is 0x0
 Composite metric is ( /0), Route is External
 Vector metric:
 Minimum bandwidth is 1000 Kbit
 Total delay is 440 microseconds
 Reliability is 255/255
 Load is 1/255
 Minimum MTU is 1500
 Hop count is 0
 External data:
 Originating router is (this system)
 AS number of route is 1
 External protocol is OSPF, external metric is 846
 Administrator tag is 0 (0x )

128 R2-E-O# show ip eigrp top 172.16.106.0/29
R2-E-O# show ip eigrp top /29
IP-EIGRP (AS 1): Topology entry for /29
 State is Passive, Query origin flag is 1, 1 Successor(s), FD is
 Routing Descriptor Blocks:
 , from Redistributed, Send flag is 0x0
 Composite metric is ( /0), Route is External
 Vector metric:
 Minimum bandwidth is 100 Kbit
 Total delay is microseconds
 Reliability is 255/255
 Load is 1/255
 Minimum MTU is 1500
 Hop count is 0
 External data:
 Originating router is (this system)
 AS number of route is 1
 External protocol is OSPF, external metric is 846
 Administrator tag is 0 (0x )

129 R1-E#show ip route D EX /16 [170/ ] via , 00:06:34, Serial0/0 /16 is variably subnetted, 11 subnets, 7 masks D EX /30 [170/ ] via , 00:06:34, Serial0/0 D EX /30 [170/ ] via , 00:06:34, Serial0/0 D EX /24 [170/ ] via , 00:06:34, Serial0/0 D EX /24 [170/ ] via , 00:06:34, Serial0/0 D EX /27 [170/ ] via , 00:06:34, Serial0/0 D EX /28 [170/ ] via , 00:06:35, Serial0/0 D EX /29 [170/ ] via , 00:07:42, Serial0/0 D EX /30 [170/ ] via , 00:07:42, Serial0/0 D EX /24 [170/ ] via , 00:06:35, Serial0/0 D EX /25 [170/ ] via , 00:07:44, Serial0/0 D EX /26 [170/ ] via , 00:07:44, Serial0/0 C /16 is directly connected, Loopback31 /16 is variably subnetted, 6 subnets, 3 masks C /24 is directly connected, FastEthernet0/1 C /24 is directly connected, Loopback0 C /30 is directly connected, Serial0/0 D /16 is a summary, 01:49:13, Null0 C /24 is directly connected, FastEthernet0/0 C /24 is directly connected, Loopback1 Metric (Feasible Distance) now varies depending upon the route-map and related prefix list.

130 Setting the External Route Type

131 All other routes default E2
When redistributing into OSPF, IOS automatically sets the external route type to external type 2 (E2). However, we want the /16 route to have the external type 1 (E1).

132 All other routes default E2
router ospf 1
 redistribute eigrp 1 route-map set-external subnets
route-map set-external 10
 match ip address prefix-list match
 set metric-type type-1
route-map set-external 20
ip prefix-list match seq 5 permit /16
route-map set-external 20 permits all other routes but leaves the external route type as the default E2.
When redistributing into OSPF, IOS can set the type to E1 or E2 by using the set metric-type {type-1 | type-2} route-map subcommand.

133 C 172.17.0.0/16 is directly connected, FastEthernet0/1
All other routes default E2 E1 R4-0# show ip route C /16 is directly connected, FastEthernet0/1 /16 is variably subnetted, 11 subnets, 7 masks C /30 is directly connected, Serial0/0 O /30 [110/128] via , 02:57:07, Serial0/0 O /24 [110/65] via , 02:57:07, Serial0/0 C /24 is directly connected, FastEthernet0/0 C /27 is directly connected, Loopback104 C /28 is directly connected, Loopback105 C /29 is directly connected, Loopback106 C /30 is directly connected, Loopback107 C /24 is directly connected, Loopback101 C /25 is directly connected, Loopback102 C /26 is directly connected, Loopback103 O E /16 [110/148] via , 00:01:06, Serial0/0 /16 is variably subnetted, 5 subnets, 2 masks O E /24 [110/20] via , 00:00:10, Serial0/0 O E /24 [110/20] via , 00:00:10, Serial0/0 O E /30 [110/20] via , 00:00:10, Serial0/0 O E /24 [110/20] via , 00:00:10, Serial0/0 O E /24 [110/20] via , 00:00:10, Serial0/0

134 Issues With Multiple Redistribution Points

135 Multiple Redistribution Points
Routing Domain 1 Routing Domain 2 Multiple Redistribution Points 10 100 /16 10 10 or 100? My best path is through R3!
A single router performing redistribution is a single point of failure. Most redistribution designs call for a minimum of two routers performing redistribution, but this introduces some complexity and possible problems.
Situation: A route in one domain could be advertised into another domain, and then back into the original routing domain.
Problem: If the twice-redistributed route for a network is redistributed back into the original domain with a lower metric, the twice-redistributed route is a better route than what was advertised internal to that routing domain.

136 Preventing Routing Domain Loops with Higher Metrics
RIP OSPF Metric 500 (bw) Metric 5 (hops) Metric 500 (bw) Metric 5 (hops) One easy method of preventing the domain loop problem is to assign purposefully-high metric values when redistributing routes. Assign OSPF metric 500 when redistributing routes into OSPF Assign RIP metric 5 when redistributing routes into RIP.

137 Preventing Routing Domain Loops with Higher Metrics
RIP OSPF Metric 5 (hops) Metric 1 (hop) Metric 5 (hops) RIP All routes redistributed from RIP into OSPF, and then back into RIP, will at least have a metric of 5. These routes should always have less desirable metrics than the RIP advertisements from within the RIP domain.

138 Preventing Routing Domain Loops with Higher Metrics
RIP E1 or E2 OSPF Metric 500 (bw) Internal Routes Metric 10 (bw) OSPF
Routes from the OSPF domain are redistributed into RIP and then re-advertised back into the OSPF domain, but with a metric that begins at 500. The higher metric of 500 will defeat the domain loop problem. Note that OSPF actually defeats the domain loop problem without using the higher metrics. OSPF always prefers internal routes over E1 routes, and E1 routes over E2 routes, before even considering the metrics.

139 Preventing Routing Domain Loops with Administrative Distance

140 AD A routing protocol’s administrative distance rates its trustworthiness as a source of routing information. AD is a local setting on a router, and cannot be advertised to neighboring routers.

141 EIGRP Default AD Defeats Loop from EIGRP to OSPF to EIGRP
/16 Internal EIGRP /16 External OSPF /16 /16 External OSPF /16 Internal EIGRP AD 90 to my left and AD 110 to my right?
The default AD settings for EIGRP actually take care of the domain loop problem when redistributing between EIGRP and OSPF. R2 learns about a route for /16 as an internal EIGRP route (default AD 90) on the left. R2 also learns about the subnet as an external OSPF route on the right (default AD 110). As a result, R2 considers the internal EIGRP route as the best route, because of the lower AD, and adds that route to its routing table. And another point…

142 EIGRP Default AD Defeats Loop from EIGRP to OSPF to EIGRP
/16 Internal EIGRP /16 External OSPF /16 /16 External OSPF /16 Internal EIGRP AD 90 to my left and AD 110 to my right?
R2 does not need to rely on administrative distance. R2 does not redistribute a route for /16 from OSPF back to EIGRP, because R2 does not have an OSPF route for /16. Routers use the IP routing table as the basis for route redistribution. Both R1 and R2 redistribute routes in both directions between both routing domains. However, before a route can be redistributed it must be in the routing table. R2's routing table lists /16 as an EIGRP route, so R2's redistribution from OSPF into EIGRP will not redistribute an EIGRP route for /16. Because R2 will not advertise a route for /16 from OSPF back into EIGRP, the domain loop has been prevented.

143 EIGRP Default AD Defeats Loop from OSPF to EIGRP to OSPF
/16 External EIGRP /16 Internal OSPF /16 /16 Internal OSPF 11.0.0/16 External EIGRP AD 170 to my left and AD 110 to my right?
Routes from OSPF, redistributed into EIGRP, and then redistributed back into OSPF. Note: Because R2 does not have an EIGRP route for /16, R2 will not redistribute a route for /16 from EIGRP into OSPF (regardless of AD, this will defeat the domain loop problem). But the default EIGRP AD settings still defeat the domain loop issue. R2 learns about /16 as an external EIGRP route (default AD 170) as well as an internal OSPF route (default AD 110). So, R2 selects the OSPF internal route as the best route and adds it to its routing table.

144 Setting AD per Route Source for Internal and External Routes
The reason that the default EIGRP AD settings work well can be summarized generically as follows:
EIGRP and OSPF
EIGRP internal AD 90 < OSPF external AD 110
OSPF internal AD 110 < EIGRP external AD 170
EIGRP and RIP
EIGRP internal AD 90 < RIP external AD 120
RIP internal AD 120 < EIGRP external AD 170
RIP does not have a concept of internal and external routes; the above references refer to internal routes as routes that exist inside the RIP domain, and external as routes that exist outside the RIP domain.

145 OSPF and RIP
Routing Protocol: Command
RIP: distance ad-value
EIGRP: distance eigrp internal-ad external-ad
OSPF: distance ospf {external ad-value} {intra-area ad-value} {inter-area ad-value}
When redistributing between OSPF and RIP, the default AD settings do not defeat the domain loop problem.
OSPF and RIP (doesn’t help)
OSPF internal AD 110 < RIP external AD 120 (This is fine.)
RIP internal AD 120 (not) < OSPF external AD 110 (Nope!)
OSPF external will look like a better route than RIP internal.
Administrative distance can be modified if needed.

146 OSPF and RIP
Both routers:
router rip
 redistribute ospf 1
 network
!
router ospf 1
 redistribute rip subnets
 network area 0
 distance ospf external 130
The distance ospf external 130 command in OSPF configuration mode results in the following, assuming all other AD values default:
OSPF internal AD 110 < RIP external AD 120
RIP internal AD 120 < OSPF external AD 130

147 Preventing Domain Loops by Filtering on Route-tag Using Distribute Lists

148 Route-tags
OSPF Company 1 Tag 1 only OSPF Company 1 Tag 1 EIGRP OSPF Company 2 OSPF Company 2 Tag 2 only Tag 2
Route tag: A unitless 32-bit integer that most routing protocols can assign to any given route. The tag follows the route advertisement, even through the redistribution process. Another router may use an IOS tool such as route-maps to match routes with a given route tag to make a decision. Route tags can be used to help solve the domain loop problem.

149 Route-tags
OSPF Company 1 Tag 1 only OSPF Company 1 Tag 1 EIGRP OSPF Company 2 OSPF Company 2 Tag 2 only Tag 2
A large surfboard manufacturer that uses EIGRP (middle) has bought two smaller companies, both of which use OSPF. The large surfboard manufacturer wants to connect both small companies into the larger network, but it wants to prevent hosts in the two smaller companies from knowing routes to the other smaller company. (One makes longboards and the other makes shortboards.) Only left-to-right advertisements are shown, to keep it simple.

150 Notice a rare case of 2 OSPF processes on R3
R1:
router eigrp 1
 redistribute ospf 1 metric route-map set-tag-1
route-map set-tag-1 permit 10
 set tag 1
A route-map clause with no match commands matches all routes.
R2:
router eigrp 1
 redistribute ospf 2 metric route-map set-tag-2
route-map set-tag-2 permit 10
 set tag 2
R3:
router ospf 1
 redistribute eigrp 1 subnets route-map stop-tag-2
router ospf 2
 redistribute eigrp 1 subnets route-map stop-tag-1
route-map stop-tag-2 deny 10
 match tag 2
route-map stop-tag-2 permit 20
route-map stop-tag-1 deny 10
 match tag 1
route-map stop-tag-1 permit 20
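The route-map rules these slides rely on, applied to the Option 2 prefix-list filter (slide 117) and to the tag filters on R3 (slide 150), as an added Python model that is not part of the original presentation. The transcript's addresses and list names are incomplete, so the prefixes and the names PERMIT-PFX, DENY-PFX and DENY-PFX-WRONG are constructed sample values; the model covers only prefix-list and tag matching.

```python
"""Simplified model of IOS route-map evaluation during redistribution.
All prefixes and list names are constructed sample values (assumptions)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class PrefixEntry:
    action: str                 # "permit" or "deny" inside the prefix list
    prefix: str                 # e.g. "172.16.102.0/23"
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, route):
        net = ipaddress.ip_network(self.prefix)
        if not route.subnet_of(net):              # leading bits must agree
            return False
        if self.ge is None and self.le is None:
            return route.prefixlen == net.prefixlen   # exact length only
        low = self.ge if self.ge is not None else net.prefixlen
        high = self.le if self.le is not None else 32
        return low <= route.prefixlen <= high


def prefix_list_matches(entries, route):
    """First matching entry decides; no matching entry is an implicit deny."""
    for entry in entries:
        if entry.matches(route):
            return entry.action == "permit"
    return False


@dataclass
class Clause:
    action: str                        # permit/deny on the route-map clause
    seq: int
    prefix_list: Optional[str] = None  # match ip address prefix-list NAME
    tag: Optional[int] = None          # match tag N
    set_tag: Optional[int] = None      # set tag N


def redistribute(route_map, prefix_lists, route):
    """Return the redistributed route (dict), or None when it is filtered."""
    net = ipaddress.ip_network(route["prefix"])
    for clause in sorted(route_map, key=lambda c: c.seq):
        if clause.prefix_list is not None and not prefix_list_matches(
                prefix_lists[clause.prefix_list], net):
            continue
        if clause.tag is not None and route.get("tag", 0) != clause.tag:
            continue
        if clause.action == "deny":    # the clause decides, not the list entry
            return None
        out = dict(route)
        if clause.set_tag is not None:
            out["tag"] = clause.set_tag
        return out
    return None                        # no clause matched: implicit deny


PREFIX_LISTS = {
    "PERMIT-PFX": [PrefixEntry("permit", "172.16.102.0/23", ge=25, le=26),
                   PrefixEntry("permit", "172.16.106.0/23", ge=29, le=30)],
    "DENY-PFX": [PrefixEntry("permit", "172.16.101.0/24"),
                 PrefixEntry("permit", "172.16.104.0/23", ge=27, le=28)],
    # Mistake: a "deny" entry means "not matched", so the deny clause is skipped.
    "DENY-PFX-WRONG": [PrefixEntry("deny", "172.16.101.0/24")],
}
OPTION2 = [Clause("permit", 10, prefix_list="PERMIT-PFX"),
           Clause("deny", 20, prefix_list="DENY-PFX"),
           Clause("permit", 30)]
OPTION2_WRONG = [Clause("deny", 20, prefix_list="DENY-PFX-WRONG"),
                 Clause("permit", 30)]
OSPF_ROUTES = ["172.16.101.0/24", "172.16.102.0/25", "172.16.103.0/26",
               "172.16.104.0/27", "172.16.105.0/28", "172.16.106.0/29",
               "172.16.107.0/30", "172.17.0.0/16"]


def redistributed(route_map, prefixes):
    """Prefixes that survive the route-map, in input order."""
    return [p for p in prefixes
            if redistribute(route_map, PREFIX_LISTS, {"prefix": p}) is not None]


def tag_demo():
    """R1/R2 tag routes entering EIGRP; R3 filters on the tag leaving EIGRP."""
    set_tag_1 = [Clause("permit", 10, set_tag=1)]
    set_tag_2 = [Clause("permit", 10, set_tag=2)]
    stop_tag_1 = [Clause("deny", 10, tag=1), Clause("permit", 20)]
    stop_tag_2 = [Clause("deny", 10, tag=2), Clause("permit", 20)]
    eigrp = [redistribute(set_tag_1, {}, {"prefix": "10.1.0.0/16"}),  # company 1
             redistribute(set_tag_2, {}, {"prefix": "10.2.0.0/16"}),  # company 2
             {"prefix": "10.3.0.0/16", "tag": 0}]                      # native EIGRP
    into_ospf1 = [r["prefix"] for r in eigrp if redistribute(stop_tag_2, {}, r)]
    into_ospf2 = [r["prefix"] for r in eigrp if redistribute(stop_tag_1, {}, r)]
    return into_ospf1, into_ospf2


if __name__ == "__main__":
    print("Option 2 redistributes:", redistributed(OPTION2, OSPF_ROUTES))
    print("Miswritten list lets through:", redistributed(OPTION2_WRONG, OSPF_ROUTES[:1]))
    print("R3 into OSPF 1 / OSPF 2:", tag_demo())
```

The DENY-PFX-WRONG case is the one to check for when auditing a filter: a prefix-list entry written as deny under a route-map deny clause does not filter the route, which instead falls through to the final permit clause.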

151 Another Policy Routing Example Jeff Doyle, Routing TCP/IP Vol. I
Policy routes are nothing more than sophisticated static routes. Static routes forward a packet to a specified next hop based on destination address of the packet. Policy routes forward a packet to a specified next hop based on the source of the packet. Policy routes can also be linked to extended IP access lists so that routing may be based on protocol types and port numbers. Like a static route, a policy route influences the routing only of the router on which it is configured.

152 Match Options (a sample)
Router(config-route-map)# match length min max
Matches the Layer 3 length of the packet.
Router(config-route-map)# match ip address {access-list-number | name} [...access-list-number | name]
Matches the source and destination IP address that is permitted by one or more standard or extended access lists.
If you do not specify a match command, the route map applies to all packets.

153 Set Options (a sample)
Router(config-route-map)#set ip precedence [number | name]
Sets precedence value in the IP header. You can specify either the precedence number or name.
Router(config-route-map)#set ip next-hop ip-address [... ip-address]
Sets next hop to which to route the packet (the next hop must be adjacent).
Router(config-route-map)#set interface interface-type interface-number [... type number]
Sets output interface for the packet.
Router(config-route-map)#set ip default next-hop ip-address [...ip-address]
Sets next hop to which to route the packet, if there is no explicit route for this destination.
Router(config-route-map)#set default interface interface-type interface-number [... type ...number]
Sets output interface for the packet, if there is no explicit route for this destination.

154 Set and Match Options CCO:

155 Jeff Doyle’s Peanuts Example Single interface example – source IP address
We want to implement a policy on Linus such that:
Traffic from /24 subnet is forwarded to Lucy
Traffic from /24 subnet is forwarded to Pigpen
All other traffic is routed normally

156 Linus:
inter S0
 ip policy route-map Sally
route-map Sally permit 10
 match ip address 1
 set ip next-hop
route-map Sally permit 15
 match ip address 2
 set ip next-hop
access-list 1 permit
access-list 2 permit
Any packets that do not match 15, such as from /24, are routed normally.

157 Jeff Doyle’s Peanuts Example Single interface example – destination IP address
Suppose we want to implement a policy on Linus such that:
Traffic to host is forwarded to Lucy
Traffic from to host is forwarded to Pigpen
All other traffic is routed normally

158 Linus:
inter S0
 ip policy route-map Sally
route-map Sally permit 10
 match ip address 101
 set ip next-hop
route-map Sally permit 15
 match ip address 102
 set ip next-hop
access-list 101 permit ip any host
access-list 102 permit ip host host
Any packets that do not match 15 are routed normally.

159 End of additional slides
CIS 185 Advanced Routing Rick Graziani Cabrillo College

160 CIS 185 CCNP ROUTE Ch. 4 Manipulating Routing Updates Part 2
Rick Graziani Cabrillo College

