Basic filtering question

You get a question that asks you to prevent network 10.1.3.0/24 entering the routing table.

Which will you use? give your order of preference.

1)
access-list 1 deny host 10.1.3.0
access-list 1 permit any
(igp)distribute-list 1 in

2)
access-list 1 deny 10.1.3.0 0.0.0.255
access-list 1 permit any
(igp)distribute-list 1 in

3)
ip prefix-list test deny 10.1.3.0/24
ip prefix-list test permit 0.0.0.0/0 le 32
(igp)distribute-list 1 in

My preference goes to (3) , i do find myself using (1) alot, most answers i've seen to this type of question give (2).
How should i interpret this type of question, should i be blocking longer masks that hit this access-list like /25,/26 as (2) would.

On the lab do you think points could be lost in choosing (1) over (3) ?

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

cisco_trooper

I always go with two. I never use "host" in ACLs for route filtering simply for readability if nothing else. I've never gotten much in to prefix-lists because I always seem to have trouble with them...something I personally need to work on I guess.

EdTheLad

cisco_trooper wrote: »

I always go with two. I never use "host" in ACLs for route filtering simply for readability if nothing else. I've never gotten much in to prefix-lists because I always seem to have trouble with them...something I personally need to work on I guess.

1)
access-list 1 deny 10.1.3.0 0.0.0.0

2)
access-list 1 deny 10.1.3.0 0.0.0.255

Ok,now host is gone for clarity,same thing though.My issue with (2) is that it will block 10.1.3.x, so as an example it will block network 10.1.3.4/30.The only way to acturately get the correct mask is with the prefix-list.
If you were asked not to use prefix-lists,the best match should be (1) as all other subnets in 10.1.3.0 are allowed.
So i guess i always wonder when i'm asked to block a /24 network do they mean block the /24 and all subnets that fall into this range.

mikej412

EdTheLad wrote: »

when i'm asked to block a /24 network.

When they say block the /24 - I block the /24 only.

If they wanted more they should say so, or at least vaguely imply it in a subtle manner that makes you question everything you though you knew.

But that's one of those things you can use during the lab as an excuse to go chat up the proctors.

mgeorge

I typically find myself using option 3 as well.

But I'm guessing from the question that you're asking;

If one of the objectives ask you to block 10.1.3.0/24 from entering the routing table, should you also block any subnets that falls in the range of 10.1.3.0/24 such as 10.1.3.0/30 or 10.2.3.0/25.

When you're given an objective such as this, do not over examine the question. If it tells you to prevent 10.1.3.0/24 from entering the network then block that prefix and only that prefix by using a distribute list from within the igp process. If the question specifies to block any subnets that fall into the range of 10.1.3.0/24 prefix then you could use;

ip prefix-list test deny 10.1.3.0/24 le 32
ip prefix-list test permit 0.0.0.0/0 le 32
(igp)distribute-list 1 in

This would block any 10.1.3.x with a netmask of /24 or greater while permitting any other prefix that does not match the denied prefix range on the first line.

But also keep in mind; is this route being redistributed somewhere else in the network into a protocol other then the protocol you're applying the distribute list to on the local router if the local router is running multiple dynamic protocols? If you apply this prefix list to a single protocol, the same route could be coming from another protocol that redistributed this route therefore you're not completing the objective of "preventing such prefix from entering the routing table on router x".

Basically, if you're ask to filter a prefix and prevent it from being installed in the routing table, and later on once you've completed the redistribution section, the route appears back in the routing table and you may forget the previous objective of preventing that route from being injected into the routing table on a particular router then you lose points in the previous section because now the route is in the routing table.

I've created a paint drawing to demonstrate; yep paint ftw!

If you're objective is to block 10.1.3.0/24 from being injected into the routing table on R2, then at the given point of the exam you'll see that the route is learned via EIGRP. You use a distribute list on R2 under the EIGRP 100 process preventing 10.2.3.0 from being injected into the routing table and allow all other routes. You verify that its working and continue on.

Later you are required to configure mutual redistribution and on R1 between EIGRP and RIP. Now the 10.1.3.0/24 network is in RIP and this route is shared to R2 via R3 by RIP and the route is now back into the routing table. If you do not catch this then you may lose points for the previous objective.

This is a good example as to why you should read through the entire exam at least once exam prior to starting.

Ultimately, if the objectives do not explicitly state the requirements then don't make assumptions. If you have any questions relating to interpretation you can ask the proctor to clear up the confusion.

EdTheLad

Ok, its cleared up, i was right and the books were wrong