BSCI Lab Portfolio, pg 299

jezg76 Member Posts: 97
There is a challenge on this page that is making me scratch my head. I have researched it and believe I know the answer, but wouldn't mind some clarification, if at all possible.

The question states the following:

"On R1, configure a distribute list to filter 192.168.20.0/24 and 192.168.25.0/27 from inbound updates on R2. Pay special attention to the subnet masks. Do not filter out 192.168.25.0/24. Use an extended access list to accomplish this."

The route table on R2 is this:
Gateway of last resort is not set

O    192.168.30.0/24 [110/65] via 172.16.23.3, 00:00:11, Serial1/1
     192.168.25.0/24 is variably subnetted, 2 subnets, 2 masks
O E2    192.168.25.0/27 [110/20] via 172.16.23.3, 00:00:05, Serial1/1
O       192.168.25.0/24 [110/65] via 172.16.23.3, 00:00:11, Serial1/1
O    192.168.40.0/24 [110/65] via 172.16.23.3, 00:00:11, Serial1/1
     172.16.0.0/24 is subnetted, 5 subnets
C       172.16.23.0 is directly connected, Serial1/1
C       172.16.12.0 is directly connected, Serial1/0
R       172.16.1.0 [120/1] via 172.16.12.1, 00:00:10, Serial1/0
C       172.16.2.0 is directly connected, Loopback0
O       172.16.3.0 [110/65] via 172.16.23.3, 00:00:11, Serial1/1
O    192.168.20.0/24 [110/65] via 172.16.23.3, 00:00:11, Serial1/1
O    192.168.35.0/24 [110/65] via 172.16.23.3, 00:00:11, Serial1/1

According to Internetwork CCIE's Blog: "Extended ACLs work with IGP protocols but you can not match on the subnet mask portion of the route. Extended ACLs are used with IGP protocols to match the network portion of the route and the IP address of the router that sent the route."

This ACL would work:
access-list <ACL #> permit ip <network> <wildcard mask of network> <subnet mask> <wildcard mask of subnet mask>
but alas that appears to be only for BGP filtering.

My thought is that you would need to use a prefix-list like this on R1 inbound:
ip prefix-list RIP-IN seq 10 permit 192.168.25.0/24
ip prefix-list RIP-IN seq 20 deny 192.168.25.0/27
ip prefix-list RIP-IN seq 30 deny 192.168.20.0/24
ip prefix-list RIP-IN seq 40 permit 0.0.0.0/0 le 32

Is there something I am missing or is Cisco Press leading me astray...again. :D

Thanks all!
policy-map type inspect TACO
class type inspect BELL
drop log

Comments

  • dtlokee Member Posts: 2,378
    You can use a prefix-list but the question prohibits it. The question is an order of operations problem, don't worry about the different masks, just put the more specific entries in the access list first.

    Remember the second part of the ACL which is usually the source defines the router that sent the update.
    The only easy day was yesterday!
  • Netstudent Member Posts: 1,693
    Hey,

    From the question it looks as if they want you to apply the prefix list on R1 so that the subnets are permitted or denied based on the requirements from getting to R2's ingress port.

    You proposed an inbound prefix list on R1 which I think would permit/deny the respective subnets from incoming on R1 not R2.

    I think you would want to apply the prefix list as outbound on R1 under router config mode.

    Did you ever get through it?

    I must get me one of those lab portfolios.
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
  • jezg76 Member Posts: 97
    The routes are coming from R2 after being learned by R3. I know, I know. Complex topology. :D

    [image: topology.jpg]

    The question is:

    "On R1, configure a distribute list to filter 192.168.20.0/24 and 192.168.25.0/27 from inbound updates on R2. Pay special attention to the subnet masks. Do not filter out 192.168.25.0/24. Use an extended access list to accomplish this."

    I have figured a way to do it from R1 using a prefix-list.
    R1(config)#ip prefix-list RIP-IN seq 10 permit 192.168.25.0/24
    R1(config)#ip prefix-list RIP-IN seq 20 deny 192.168.25.0/27
    R1(config)#ip prefix-list RIP-IN seq 30 deny 192.168.20.0/24
    R1(config)#ip prefix-list RIP-IN seq 40 permit 0.0.0.0/0 le 32 
    

    I then applied this R1 inbound on S1/0 with the following:
    R1(config-router)#distribute-list prefix RIP-IN in Serial 1/0
    

    But, as dt mentioned, this is not answering the problem. Next idea...

    I can do it using an extended ACL on R2 by using a route-map in the redistribution process. I created the following ACL on R2:
    R2(config)#access-list 100 deny ip host 192.168.25.0 host 255.255.255.252
    R2(config)#access-list 100 deny ip host 192.168.20.0 host 255.255.255.0
    R2(config)#access-list 100 permit ip any any
    

    Good read on this process here.

    Made me a route-map:
    R2(config)#route-map RIP-OUT permit 10
    R2(config-route-map)#match ip address 100
    

    Then I apply this under the RIP process:
    R2(config-router)#redistribute ospf 1 metric 4 route-map RIP-OUT
    

    Once again, this works, but not as the question intended. Either I am missing the obvious or it can't be done and if dt said it can be done, I won't doubt it can. :D
    policy-map type inspect TACO
    class type inspect BELL
    drop log
  • dtlokee Member Posts: 2,378
    The original post showed the 192.168.25.0/24 and 192.168.25.0/27 as OSPF routes and you're labbing them up as RIP.
    R1(config)#router rip
    R1(config-router)#distribute-list ?
      <1-199>      IP access list number
      <1300-2699>  IP expanded access list number
      WORD         Access-list name
      gateway      Filtering incoming updates based on gateway
      prefix       Filter prefixes in routing updates
    
    R1(config-router)#distribute-list 
    % Incomplete command.
    
    R1(config-router)#
    R1(config-router)#router ospf 1
    R1(config-router)#
    R1(config-router)#distribute-list ?
      <1-199>      IP access list number
      <1300-2699>  IP expanded access list number
      WORD         Access-list name
      gateway      Filtering incoming updates based on gateway
      prefix       Filter prefixes in routing updates
      route-map    Filter prefixes based on the route-map
    
    R1(config-router)#distribute-list route-map  <-------
    

    It may make all the difference in the world!
    The only easy day was yesterday!
  • jezg76 Member Posts: 97
    Uggg...I do apologize. I was entirely too vague in the OP. R2 is doing the redistribution between RIP, which is being run on R1, and OSPF, which is on R3. The routes in question are being learned via OSPF by R2 and redistributed into RIP and on to R1.

    My bad. :)
    policy-map type inspect TACO
    class type inspect BELL
    drop log
  • pickin Member Posts: 1
    Hi Guys

    I don't think this is a question about distribute-lists; I think it's a question about OSPF packet types. When the question phrases it as routes coming from R2 it throws us off, because in OSPF no routes are learned from each other; they are all learned via LSAs. As such, no routes from R3 come via R2: the LSAs might, but the routes don't.

    With this in mind I think it is possible to filter out the two requested routes by specifying the router source and network. If the route source and network are matched then the subnet will be explicitly matched also.

    I also notice that in the original output the routes were learned at different times, i.e. 11 and 5 seconds. This also makes me think that they are originated from different routers within the same Area.

    As such my guess would be

    R1#access-list 100 deny ip host R3.R3.R3.R3 host 192.168.25.0
    R1#access-list 100 deny ip host R2.R2.R2.R2 host 192.168.20.0
    R1#access-list 100 permit ip any any

    R1#Router os 1
    er)#distribute-list 100 in

    Pick

    A copy of the OSPF database would help boil this out.
  • NeonNoodle Member Posts: 92
    I ran into that question a couple weeks ago while working on the lab portfolio. I remember doing something like

    access-list 101 deny ip any host 192.168.20.0
    access-list 101 deny ip any host 192.168.25.0
    access-list 101 permit ip any any

    for the extended access list. It is very similar to what pickin has. I am at work now so I can't post my configs, but if your question is still up in the air when I get home I will post what I have.
    I recognize the lion by his paw.
    --Jacob Bernoulli
  • NeonNoodle Member Posts: 92
    This is what I had for R1:
    R1#sh runn
    Building configuration...
    
    Current configuration : 1511 bytes
    !
    version 12.2
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname R1
    !
    !
    ip subnet-zero
    !
    !
    !
    !
    interface Loopback1
     ip address 172.16.1.1 255.255.255.0
    !
    interface Loopback48
     ip address 192.168.48.1 255.255.255.0
    !
    interface Loopback49
     ip address 192.168.49.1 255.255.255.0
    !
    interface Loopback50
     ip address 192.168.50.1 255.255.255.0
    !
    interface Loopback51
     ip address 192.168.51.1 255.255.255.0
    !
    interface Loopback70
     ip address 192.168.70.1 255.255.255.0
    !
    interface Ethernet0
     no ip address
     shutdown
    !
    interface Ethernet1
     no ip address
     shutdown
    !
    interface Serial0
     bandwidth 64
     ip address 172.16.12.1 255.255.255.0
     clock rate 64000
    !         
    interface Serial1
     no ip address
     shutdown
    !
    router rip
     version 2
     redistribute static
     passive-interface default
     no passive-interface Serial0
     network 172.16.0.0
     network 192.168.48.0
     network 192.168.49.0
     network 192.168.50.0
     network 192.168.51.0
     network 192.168.70.0
     distribute-list prefix RIP-OUT out Serial0
     distribute-list 101 in Serial0
     no auto-summary
    !
    ip classless
    ip route 192.168.48.0 255.255.252.0 Null0
    ip http server
    ip pim bidir-enable
    !
    !
    ip prefix-list RIP-OUT seq 5 permit 192.168.48.0/22
    ip prefix-list RIP-OUT seq 10 deny 192.168.48.0/22 le 24
    ip prefix-list RIP-OUT seq 15 deny 0.0.0.0/0 le 32
    access-list 101 deny   ip any 192.168.20.0 0.0.0.255
    access-list 101 deny   ip any 192.168.25.0 0.0.0.31
    access-list 101 permit ip any any
    !
    !
    line con 0
    line aux 0
    line vty 0 4
    !
    end
    
    R1#sh ip route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default, U - per-user static route, o - ODR
           P - periodic downloaded static route
    
    Gateway of last resort is not set
    
    R    192.168.30.0/24 [120/3] via 172.16.12.2, 00:00:18, Serial0
    R    192.168.40.0/24 [120/3] via 172.16.12.2, 00:00:18, Serial0
         172.16.0.0/16 is variably subnetted, 5 subnets, 2 masks
    R       172.16.23.0/24 [120/1] via 172.16.12.2, 00:00:18, Serial0
    C       172.16.12.0/24 is directly connected, Serial0
    C       172.16.1.0/24 is directly connected, Loopback1
    R       172.16.3.1/32 [120/3] via 172.16.12.2, 00:00:18, Serial0
    R       172.16.2.0/24 [120/1] via 172.16.12.2, 00:00:18, Serial0
    C    192.168.51.0/24 is directly connected, Loopback51
    C    192.168.50.0/24 is directly connected, Loopback50
    R    192.168.35.0/24 [120/3] via 172.16.12.2, 00:00:19, Serial0
    C    192.168.49.0/24 is directly connected, Loopback49
    C    192.168.70.0/24 is directly connected, Loopback70
    C    192.168.48.0/24 is directly connected, Loopback48
    S    192.168.48.0/22 is directly connected, Null0
    R1#sh access-lists
    Extended IP access list 101
        deny ip any 192.168.20.0 0.0.0.255 (10 matches)
        deny ip any 192.168.25.0 0.0.0.31 (7 matches)
        permit ip any any (65 matches)
    
    I recognize the lion by his paw.
    --Jacob Bernoulli
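To see why the question stresses the masks, here is an added Python model (not from the thread or from Cisco IOS) of the two filters as posted: the extended-ACL rule quoted from the CCIE blog in the OP (source field = router that sent the update, destination field = network address, prefix length never consulted) and the OP's prefix-list RIP-IN, both run over the routes R2 advertises to R1. It assumes that quoted description of extended-ACL matching is accurate; the update list is constructed from R2's routing table in the OP.

```python
import ipaddress

def _match(spec, addr):
    """Match an ACL address field ('any', 'host A.B.C.D', or 'A.B.C.D wildcard') against addr."""
    parts = spec.split()
    if parts[0] == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    if parts[0] == "host":
        return a == int(ipaddress.IPv4Address(parts[1]))
    base = int(ipaddress.IPv4Address(parts[0]))
    wild = int(ipaddress.IPv4Address(parts[1]))
    return (a & ~wild) == (base & ~wild)   # a set wildcard bit means "don't care"

def acl_filter(acl, updates):
    """Model of 'distribute-list <ext-acl> in' per the blog quoted in the OP (assumption):
    src = sending router, dst = network address only; first match wins, implicit deny."""
    kept = []
    for gateway, prefix in updates:
        net_addr = str(ipaddress.IPv4Network(prefix).network_address)
        for action, src, dst in acl:
            if _match(src, gateway) and _match(dst, net_addr):
                if action == "permit":
                    kept.append(prefix)
                break
    return kept

def prefix_list_filter(plist, updates):
    """Prefix-list model: exact length match unless 'le' widens it; first match wins."""
    kept = []
    for _gw, prefix in updates:
        net = ipaddress.IPv4Network(prefix)
        for action, entry, le in plist:
            ent = ipaddress.IPv4Network(entry)
            length_ok = net.prefixlen == ent.prefixlen or (le is not None and net.prefixlen <= le)
            if net.subnet_of(ent) and length_ok:
                if action == "permit":
                    kept.append(prefix)
                break
    return kept

# Constructed: the updates R2 (172.16.12.2) sends R1, taken from the R2 table in the OP.
UPDATES = [("172.16.12.2", p) for p in ("192.168.30.0/24", "192.168.25.0/27",
           "192.168.25.0/24", "192.168.40.0/24", "192.168.20.0/24", "192.168.35.0/24")]
# NeonNoodle's access-list 101 and the OP's prefix-list RIP-IN, as posted in the thread.
ACL_101 = [("deny", "any", "192.168.20.0 0.0.0.255"),
           ("deny", "any", "192.168.25.0 0.0.0.31"),
           ("permit", "any", "any")]
RIP_IN = [("permit", "192.168.25.0/24", None), ("deny", "192.168.25.0/27", None),
          ("deny", "192.168.20.0/24", None), ("permit", "0.0.0.0/0", 32)]
```

Under that model access-list 101 drops 192.168.25.0/24 as well as the /27, because both share the network address 192.168.25.0 and the wildcard cannot see the mask; this agrees with R1's posted routing table, which has no 192.168.25.0/24 entry. The prefix-list keeps the /24 because it matches on length.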