
CIS 185 CCNP ROUTE Ch. 4 Manipulating Routing Updates Part 2 – Controlling Routing Updates

Rick Graziani, Cabrillo College, graziani@cabrillo.edu. Last Updated: Fall 2017. Note: there are 185+ slides in this presentation, but we will only be covering the first 80 or so.





Presentation Transcript


  1. CIS 185 CCNP ROUTE Ch. 4 Manipulating Routing Updates Part 2 – Controlling Routing Updates. Rick Graziani, Cabrillo College, graziani@cabrillo.edu. Last Updated: Fall 2017

  2. Note • There are 185+ slides in this presentation… • But we will only be covering the first 80 or so. 

  3. Redistribution Techniques and Issues

  4. Seed Metric
     [Diagram: RIP redistributed into OSPF 1; the largest metric in the OSPF domain is 500, so the seed metric is 501]
       router ospf 1
        network 172.20.0.0
        redistribute rip
        default-metric 501
     or
        redistribute rip metric 501
     • When redistributing information, the seed metric should be set to a value larger than the largest metric within the receiving autonomous system (aka the largest native metric).
     • This will help prevent suboptimal routing and routing loops.

  5. The default seed metric value for routes that are redistributed into each IP routing protocol.
     • A metric of infinity tells the router that the route is unreachable and, therefore, should not be advertised.
     • When redistributing routes into RIP, IGRP, and EIGRP, you must specify a seed metric, or the redistributed routes will not be advertised.
     • For OSPF, the redistributed routes have a default type 2 (E2) metric of 20 (except for redistributed BGP routes, which have a default type 2 metric of 1).

  6. One-Point Redistribution
     • One-point redistribution has only one router redistributing between two routing protocols.
     • A one-way redistribution issue that could occur…

  7. [Diagram, R3's decision: "10.0.0.0 via R1 has AD 170 (EX EIGRP). 10.0.0.0 via R2 has AD 110 (OSPF). So, I will choose (include in my routing table) the path via R2 (OSPF)"]
     • R2 and R3 are both running OSPF and EIGRP
     • Only R2 is redistributing from EIGRP into OSPF
     • R1 has an External Route 10.0.0.0 that it is redistributing into its EIGRP AS.
     • R1 is advertising (via EIGRP) this route to both R2 and R3.
     • R3 receives routing update information for the external route 10.0.0.0 directly from:
       • R1 via EIGRP (AD = 170)
       • R2 via OSPF (AD = 110)
     • Because the AD of OSPF (110) is lower than the AD of external EIGRP routes (170), R3 selects the OSPF route.
     • Suboptimal routing
       • Instead of sending packets directly from router R3 to router R1, router R3 prefers the path via router R2, resulting in suboptimal routing.
     • Solution: Tag routes.
       • We will see how to do this later.

  8. Multipoint redistribution
     • Multipoint redistribution has two separate routers running both routing protocols.
     • Two possibilities exist:
       • Multipoint one-way redistribution
       • Multipoint two-way redistribution
     • Likely to introduce potential routing loops

  9. [Diagram, R2's decision: "10.0.0.0 via R1 has AD 170 (EX EIGRP). 10.0.0.0 via R3 has AD 110 (OSPF). So, I will choose (include in my routing table) the path via R3 (OSPF)". R3's decision: "10.0.0.0 via R1 has AD 170 (EX EIGRP). 10.0.0.0 via R2 has AD 110 (OSPF). So, I will choose (include in my routing table) the path via R2 (OSPF)"]
     • A one-way multipoint redistribution issue.
     • R1 (EIGRP) is announcing routes, including the external route, to R2 and R3.
     • R2 and R3 are both running two routing protocols (EIGRP and OSPF) and redistributing EIGRP into OSPF.
     • Therefore, R2 and R3 receive routing update information for the external route 10.0.0.0:
       • via (internal) EIGRP from router R1 and
       • via (internal) OSPF from the other OSPF router (R2 from R3, and R3 from R2).
     • The AD of OSPF (110) is lower than the AD of external EIGRP (170):
       • So R2 selects the OSPF route instead of sending packets directly to R1
       • R2 prefers the OSPF route via router R3
     • Routing Loop!

  10. [Diagram: same as slide 9; R2 and R3 each prefer the OSPF (AD 110) path via the other boundary router over the external EIGRP (AD 170) path via R1]
     • To prevent routing loops in a multipoint redistribution scenario, the following recommendations should be considered:
       • Tag routes at redistribution points and filter based on these tags when redistributing (later)
       • Modify the Administrative Distance of redistributed routes (extra)
       • Use default routes to avoid having to do two-way redistribution

  11. A multi-way multipoint redistribution issue
     • The best path between R1 and R4 is via R3
     • But during redistribution from routing protocol B to routing protocol A, the metric is lost
     • Domain A doesn’t know about metrics in Domain B
     • R1 will send packets toward router R4 via router R2 (its best path outside its domain)
     • Resulting in suboptimal routing.

  12. Controlling Routing Update Traffic

  13. Routing updates are critical but compete with user data for bandwidth and router resources.
     • To ensure that the network operates efficiently, you must control and tune routing updates.
     • The following are some ways to control or prevent dynamic routing updates from being generated:
       • Passive interface—Prevents routing updates from being sent out an interface.
       • Default routes—Can limit or eliminate the need for other routes.
       • Static routes—Can limit or eliminate the need for dynamically learned routes or give greater control for specific routes.
       • Advanced Route Filtering
         • Route maps—Complex access lists that allow conditions to be tested and actions taken to modify attributes of the packet or route.
         • Distribute lists—A distribute list allows an access list to be applied to routing updates.
         • Prefix lists—A prefix list is a specialized access list designed to filter routes.

  14. Route Maps

  15. Route Map Applications
     • Several of the more common applications for route maps are as follows:
       • Route filtering during redistribution—Distribute lists can be used for this purpose, but route maps offer additional features.
       • Policy-based routing (PBR)—Sophisticated static routes.
       • NAT—Route maps can better control which private addresses are translated to public addresses.
       • BGP—Route maps are the primary tools for implementing BGP policy (later chapter).

  16. Route maps are like complex access lists that allow some conditions to be tested against the packet or route in question using match commands.
     • If the conditions match:
       • Actions can be taken to modify attributes of the packet or route
       • These actions are specified by set commands.
     • BIG difference between route maps and ACLs:
       • A route map can modify the packet or route using set commands

  17. Router(config)# route-map map-tag [permit | deny] [sequence-number]
     • A route map consists of multiple route map statements.
     • Processed top-down, similar to an access list.
     • The first match found for a route is applied.
     • Sequence number: Used for inserting or deleting specific route map statements in a specific place in the route map.
     • The defaults for the route-map command are:
       • permit
       • sequence-number of 10

  18. [Diagram callout: "Permit everything else"]
     • Command: match condition
       • Defines the condition to be checked.
     • Command: set condition
       • If there is a match and the action to be taken is permit…
       • Then set defines the action to be followed
     • The consequences of a deny action depend on how the route map is being used.
     • Like an ACL, there is an implicit deny any at the end of a route map.
     • A route map statement without any match commands will be considered a match

  19. If {(x or y or z) and (a) match} then {set b and c}
       Else if q matches then set r
       Else set nothing
     • A single match statement may contain multiple conditions.
       • At least one condition in the match statement must be true for that match statement to be considered a match
       • Logical OR operation
     • A route map statement may contain multiple match statements.
       • All match statements in the route map statement must be considered true for the route map statement to be considered matched.
       • Logical AND operation

  20. Configuring Route Maps to Control Routing Updates
     Redistributing into EIGRP:
       redistribute protocol [process-id | as-number] [metric bw delay reliability load mtu] [match {internal | nssa-external | external 1 | external 2}] [tag tag-value] [route-map map-tag]
     Redistributing into OSPF:
       redistribute protocol [process-id | as-number] [metric {metric-value | transparent}] [metric-type type-value] [match {internal | external 1 | external 2 | nssa-external}] [tag tag-value] [route-map map-tag] [subnets]
     • The redistribute commands all have a route-map option with a map-tag parameter.
     • When used with the redistribute command:
       • A route map with permit indicates that the matched route will be redistributed.
       • A route map with deny indicates that the matched route will NOT be redistributed.

  21. The match condition commands are used to define the conditions to be checked.
     • Some of these commands are used for:
       • BGP policy
       • PBR
       • Redistribution filtering.
     • http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a008047915d.shtml

  22. The set condition changes or adds characteristics, such as metrics, to any routes that have:
     • met a match criterion
     • the action to be taken is permit
     • The consequences of a deny action depend on how the route map is being used.
     • http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a008047915d.shtml (partial list)

  23. Quick Introduction: Policy Based Routing (PBR) Example (Jeff Doyle, Routing TCP/IP Vol. I; more later in Chapter 5)
     • Using PBR is the best way to understand how route maps are configured, so here is a quick introduction… (more later on PBR in chapter 5)
     • Policy routes are nothing more than sophisticated static routes.
     • Static routes forward a packet to a specified next hop based on the destination address of the packet.
     • Policy routes can forward a packet to a specified next hop based on the source of the packet.
     • Policy routes can also be linked to extended IP access lists so that routing may be based on protocol types and port numbers.
     • Like a static route, a policy route influences the routing only on the router on which it is configured.

  24. Jeff Doyle’s Peanuts Example: Single interface example – source IP address
     We want to implement a policy on Linus such that:
     • Traffic from the 172.16.6.0/24 subnet is forwarded to Lucy
     • Traffic from the 172.16.7.0/24 subnet is forwarded to Pigpen
     • All other traffic is routed normally

  25. Linus:
       inter S0
        ip policy route-map Sally
       route-map Sally permit 10
        match ip address 1
        set ip next-hop 172.16.4.2
       route-map Sally permit 15
        match ip address 2
        set ip next-hop 172.16.4.3
       access-list 1 permit 172.16.6.0 0.0.0.255
       access-list 2 permit 172.16.7.0 0.0.0.255
     Any packets that do not match statement 10 or 15, such as those from 172.16.8.0/24, are routed normally.

  26. Jeff Doyle’s Peanuts Example: Single interface example – destination IP address
     Suppose we want to implement a policy on Linus such that:
     • Traffic to host 172.16.1.1 is forwarded to Lucy
     • Traffic from 172.16.7.1 to host 172.16.1.2 is forwarded to Pigpen
     • All other traffic is routed normally

  27. Linus:
       inter S0
        ip policy route-map Sally
       route-map Sally permit 10
        match ip address 101
        set ip next-hop 172.16.4.2
       route-map Sally permit 15
        match ip address 102
        set ip next-hop 172.16.4.3
       access-list 101 permit ip any host 172.16.1.1
       access-list 102 permit ip host 172.16.7.1 host 172.16.1.2
     Any packets that do not match statement 10 or 15 are routed normally.

  28. Example
     [Diagram: RIPv2 redistributed into OSPF; 10.0.0.0/8 not redistributed; 10.1.0.0/16 metric=500 E1; 172.16.0.0/16 metric=500 E1; all other networks metric=5,000 E2]
     Redistribute RIP routes into OSPF with the following:
     • 10.1.0.0/16 and 172.16.1.0/24 networks will be redistributed into OSPF with a metric of 500 and be E1 routes
     • 10.0.0.0/8 networks will not be redistributed
     • All other routes will be redistributed into OSPF with a metric of 5000 and be E2 routes

  29. Configuring Route Redistribution using Route Maps
       router ospf 1
        redistribute rip route-map redis-rip subnets
       route-map redis-rip permit 10
        match ip address 23 29
        set metric 500
        set metric-type 1
       route-map redis-rip deny 20
        match ip address 37
       route-map redis-rip permit 30
        set metric 5000
        set metric-type 2
       access-list 23 permit 10.1.0.0 0.0.255.255
       access-list 29 permit 172.16.0.0 0.0.255.255
       access-list 37 permit 10.0.0.0 0.255.255.255
     • 10.1.0.0/16 and 172.16.1.0/24 networks will be redistributed into OSPF with a metric of 500 and be E1 routes
     • 10.0.0.0/8 networks will not be redistributed into OSPF
     • All other routes will be redistributed into OSPF with a metric of 5000 and be E2 routes
     The decision to filter a route or allow the route through is based on the deny or permit in the route-map command, and not the deny or permit in the ACL or prefix list.
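To make the route-map semantics from slides 17–19 and 29 concrete, here is an added Python model (not part of the original slides and not Cisco IOS code) of the redis-rip route map above: standard-ACL wildcard matching, OR within one match ip address clause and AND across clauses, top-down first-match processing, the implicit deny at the end, and a statement with no match clause matching everything. The RIP routes it runs over are constructed for the example; 10.2.0.0/16 is not on the slide and is there to show that a standard ACL compares only the route's network address, so ACL 37 at sequence 20 catches every other 10.x.x.x network, not just 10.0.0.0/8 itself.

```python
import ipaddress

# Standard ACLs from slide 29: number -> ordered (action, address, wildcard) entries.
ACLS = {
    23: [("permit", "10.1.0.0", "0.0.255.255")],
    29: [("permit", "172.16.0.0", "0.0.255.255")],
    37: [("permit", "10.0.0.0", "0.255.255.255")],
}

# Route map redis-rip from slide 29. Each statement: sequence number, action, a list
# of "match ip address" clauses (each clause lists the ACLs named on that one line),
# and the "set" actions applied when the statement permits the route.
REDIS_RIP = [
    {"seq": 10, "action": "permit", "match": [[23, 29]],
     "set": {"metric": 500, "metric-type": 1}},
    {"seq": 20, "action": "deny", "match": [[37]], "set": {}},
    {"seq": 30, "action": "permit", "match": [],
     "set": {"metric": 5000, "metric-type": 2}},
]


def acl_permits(acl, address):
    """Standard ACL semantics: the first entry whose fixed bits equal the address
    decides; an address matching no entry hits the implicit deny at the end."""
    addr = int(ipaddress.IPv4Address(address))
    for action, net, wildcard in acl:
        # a wildcard bit of 1 means "don't care"; compare only the fixed bits
        fixed = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if addr & fixed == int(ipaddress.IPv4Address(net)) & fixed:
            return action == "permit"
    return False


def statement_matches(stmt, route):
    """One match clause listing several ACLs is a logical OR; several match clauses
    are a logical AND; a statement with no match clause matches every route.
    With a standard ACL only the route's network address is compared, not its mask."""
    network = route.split("/")[0]
    return all(any(acl_permits(ACLS[n], network) for n in clause)
               for clause in stmt["match"])


def evaluate(route_map, route):
    """Top-down, first match wins. Returns (decision, set-actions, sequence).
    permit redistributes the route with its set actions; deny filters it; a route
    that matches no statement falls off the end into the implicit deny."""
    for stmt in route_map:
        if statement_matches(stmt, route):
            if stmt["action"] == "permit":
                return ("redistribute", dict(stmt["set"]), stmt["seq"])
            return ("filtered", {}, stmt["seq"])
    return ("filtered", {}, None)


def redistribute_rip_into_ospf(routes, route_map=REDIS_RIP):
    """Decision for every RIP route offered to 'redistribute rip route-map redis-rip'."""
    return {route: evaluate(route_map, route) for route in routes}


if __name__ == "__main__":
    # Constructed RIP routes (the slide only states the policy, not a routing table).
    sample = ["10.1.0.0/16", "172.16.1.0/24", "10.0.0.0/8", "10.2.0.0/16", "192.168.5.0/24"]
    for route, (decision, actions, seq) in redistribute_rip_into_ospf(sample).items():
        print(f"{route:16} {decision:12} seq {seq}  {actions}")
```

Running it prints the sequence number that claimed each route, which is the quickest way to see why ordering matters: 10.1.0.0/16 also matches ACL 37, but sequence 10 has already permitted it before sequence 20 is consulted.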

  30. Using Route Maps to Avoid Route Feedback
     [Diagram: RIPv2 domain (Router C, network 192.168.1.0/24) attached to an OSPF domain (Router D) through boundary routers A and B; 192.168.1.0/24 appears in OSPF as an E2 route]
     • Multi-point boundary routers may cause suboptimal routing or routing loops.
     • RIPv2 on Router C advertises network 192.168.1.0.
     • Routers A and B redistribute the network into OSPF.
     • OSPF then advertises the route to its neighbor OSPF routers as an OSPF external route.
     • The route passes through the OSPF AS and eventually makes its way back to the other edge router.
     • Router B (or A) then redistributes 192.168.1.0 from OSPF back into the original RIPv2 network; this is a routing feedback loop.

  31. router ospf 10
        redistribute rip subnets
       router rip
        redistribute ospf 10 route-map OSPF_into_RIP
       route-map OSPF_into_RIP deny 10
        match ip address 1
       route-map OSPF_into_RIP permit 20
       access-list 1 permit 192.168.1.0 0.0.0.255
     [Diagram callouts: "192.168.1.0/24 network will not be redistributed into RIP" (deny 10); "All other routes will be redistributed into RIP" (permit 20)]
     • To prevent the routing feedback loop, a route map called OSPF_into_RIP has been applied to Routers A and B when redistributing OSPF routes into RIP.
     • The decision to filter a route or allow the route through is based on the deny or permit in the route-map command, and not the deny or permit in the ACL or prefix list.
     • This solution does not scale well. Let’s try tagging routes.

  32. Using Route Maps With Tags
       router eigrp 100
        redistribute rip metric 1000 100 255 1 1500 route-map into-eigrp
       route-map into-eigrp deny 10
        match tag 40
       route-map into-eigrp permit 20
        set tag 20
     • Route tag: A unitless 32-bit integer that most routing protocols can assign to any given route.
     • The tag follows the route advertisement, even through the redistribution process.
     • Another router may use an IOS tool such as route maps to match routes with a given route tag and make a decision.
     • Can be used to help solve the domain loop problem.

  33. [Diagram: RIPv2 domain (172.16.0.0/16) and EIGRP domain (10.0.0.0/8) joined by boundary routers R1 and R2; routes entering EIGRP carry tag 20, routes entering RIPv2 carry tag 40]
       router eigrp 100
        redistribute rip metric 1000 100 255 1 1500 route-map into-eigrp
       router rip
        redistribute eigrp 100 metric 3 route-map into-rip
       route-map into-eigrp permit 20
        set tag 20
       route-map into-rip permit 20
        set tag 40
     • Routes redistributed into EIGRP are tagged with the value 20
     • Routes redistributed into RIP are tagged with the value 40
     • BUT BEFORE we tag and allow a route into the domain, we want to deny any routes that the other router already tagged and allowed in from the other domain.

  34. [Diagram: same topology as slide 33 plus 11.0.0.0/8; at R1 and R2, routes carrying tag 40 are blocked (X) from re-entering EIGRP]
       router eigrp 100
        redistribute rip metric 1000 100 255 1 1500 route-map into-eigrp
       router rip
        redistribute eigrp 100 metric 3 route-map into-rip
       route-map into-eigrp deny 10
        match tag 40
       route-map into-eigrp permit 20
        set tag 20
       route-map into-rip deny 10
        match tag 20
       route-map into-rip permit 20
        set tag 40
     Updates with tag 40 are not allowed to go back into EIGRP. All other updates get tag 20 and are allowed into EIGRP.

  35. [Diagram: same topology as slide 34; at R1 and R2, routes carrying tag 20 are blocked (X) from re-entering RIPv2]
       router eigrp 100
        redistribute rip metric 1000 100 255 1 1500 route-map into-eigrp
       router rip
        redistribute eigrp 100 metric 3 route-map into-rip
       route-map into-eigrp deny 10
        match tag 40
       route-map into-eigrp permit 20
        set tag 20
       route-map into-rip deny 10
        match tag 20
       route-map into-rip permit 20
        set tag 40
     Updates with tag 20 are not allowed to go back into RIP. All other updates get tag 40 and are allowed into RIP.

  36. [Diagram: R3 inside the EIGRP domain; 11.0.0.0/8 shown with tags 20 and 40 at the boundary routers]
     • Notice that the route tags do not appear on the routes within the R1 and R2 routers, because these routers learn about all routes from both RIP and EIGRP directly.

  37. [Diagram: same as slide 36, with show ip route output from R3]
     • However, look at the show ip route output from router R3, an internal router in the EIGRP network.
     • Notice that router R3 does see network 11.0.0.0 with a tag of 20; this tag is carried with the route as R3 advertises it to other routers in the EIGRP network, including R1 and R2.
     • When routers R1 and R2 see the tag of 20, they do not redistribute the 11.0.0.0 route back into RIP.
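The tagging scheme on slides 33–37, as an added Python simulation that is not part of the original slides: the two domains from the diagram (RIPv2 with 172.16.0.0/16 and 11.0.0.0/8, EIGRP with 10.0.0.0/8; the topology is constructed for the example) redistribute into each other through the into-eigrp and into-rip route maps, and the code reports every time a prefix is redistributed back into the domain it originated in, which is the feedback loop of slide 30. Running the same topology with a permit-all route map and no tags (a constructed contrast, not a configuration from the slides) shows that feedback happening. The model works at the domain level rather than per router, so it reproduces slide 37's view that 11.0.0.0/8 carries tag 20 inside EIGRP, not the per-router tables of slide 36.

```python
# Route maps from slides 34/35 as ordered statements. match_tag None means the
# statement has no match clause (matches everything); set_tag None leaves the tag alone.
TAGGED = {
    "into-eigrp": [
        {"seq": 10, "action": "deny", "match_tag": 40, "set_tag": None},
        {"seq": 20, "action": "permit", "match_tag": None, "set_tag": 20},
    ],
    "into-rip": [
        {"seq": 10, "action": "deny", "match_tag": 20, "set_tag": None},
        {"seq": 20, "action": "permit", "match_tag": None, "set_tag": 40},
    ],
}

# Constructed contrast: mutual redistribution with permit-all route maps and no tags.
UNTAGGED = {
    "into-eigrp": [{"seq": 10, "action": "permit", "match_tag": None, "set_tag": None}],
    "into-rip": [{"seq": 10, "action": "permit", "match_tag": None, "set_tag": None}],
}

# Constructed topology from slides 33-37: the prefixes native to each domain.
NATIVE = {"rip": {"172.16.0.0/16", "11.0.0.0/8"}, "eigrp": {"10.0.0.0/8"}}


def apply_route_map(route_map, tag):
    """First matching statement wins. deny (or falling off the end, the implicit
    deny) drops the route and returns None; permit returns the tag the route
    carries into the new domain."""
    for stmt in route_map:
        if stmt["match_tag"] is None or stmt["match_tag"] == tag:
            if stmt["action"] == "deny":
                return None
            return tag if stmt["set_tag"] is None else stmt["set_tag"]
    return None


def simulate(policies, rounds=3):
    """Run mutual redistribution between the two domains for a few rounds.
    Returns each domain's table (prefix -> tag, 0 = untagged native route) and
    the sorted list of feedback events: a prefix being offered back into the
    domain it originated in, which is exactly the loop the tags are meant to stop."""
    tables = {domain: {p: 0 for p in prefixes} for domain, prefixes in NATIVE.items()}
    feedback = set()
    for _ in range(rounds):
        for src, dst, name in (("rip", "eigrp", "into-eigrp"), ("eigrp", "rip", "into-rip")):
            for prefix, tag in list(tables[src].items()):
                new_tag = apply_route_map(policies[name], tag)
                if new_tag is None:
                    continue  # filtered at the redistribution point
                if prefix in NATIVE[dst]:
                    feedback.add((prefix, dst))  # route re-entering its own domain
                elif prefix not in tables[dst]:
                    tables[dst][prefix] = new_tag
    return tables, sorted(feedback)


if __name__ == "__main__":
    for label, policies in (("with tags", TAGGED), ("without tags", UNTAGGED)):
        tables, feedback = simulate(policies)
        print(f"{label}: tables={tables} feedback={feedback}")
```

With the tagged route maps the feedback list is empty and EIGRP holds 11.0.0.0/8 with tag 20, which is what R3's show ip route on slide 37 displays; with the permit-all maps every native prefix is offered back into its own domain within two rounds.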

  38. Using Distribute Lists

  39. Distribute lists are another way to control routing updates.
     • A distribute list allows an access list to be applied to routing updates.
     • The distribute-list command allows updates to be filtered based on factors including the following:
       • Incoming interface
       • Outgoing interface
       • Redistribution from another routing protocol

  40. Configuring Distribute Lists to Control Routing Updates
     • An implementation plan when planning to configure distribute lists:
       • Will it be used to permit or deny routes?
       • Will it use an access list or a route map?
       • Will it be applied to the inbound or outbound updates?

  41. R3(config)# ip access-list standard ROUTE-FILTER
       R3(config-std-nacl)# remark Outgoing Route Filter used with Distribute List
       R3(config-std-nacl)# permit 10.10.11.0 0.0.0.255
       R3(config-std-nacl)# permit 10.10.12.0 0.0.0.255
       R3(config-std-nacl)# exit
       R3(config)# router ospf 10
       R3(config-router)# redistribute eigrp 100 metric 40 subnets
       R3(config-router)# distribute-list ROUTE-FILTER out eigrp 100
     • R3 must redistribute EIGRP routes into the OSPF domain with a metric of 40.
     • Only permit the 10.10.11.0/24 and 10.10.12.0/24 routes to be propagated.
     • All other routes should not be permitted.

  42. Using Prefix Lists

  43. Advantages of using prefix lists:
     • Significant performance improvement over access lists in loading and route lookup of large lists (uses a tree structure).
     • Support for incremental modifications.
       • You can add and remove individual lines without removing the entire list.
     • A more user-friendly command-line interface.
     • Greater flexibility.
       • Routers can match network numbers in a routing update against the prefix list using as many bits as indicated.
       • Routers can specify the size of the subnet mask, or that the subnet mask must be in a specified range.

  44. Prefix-list concepts
     ip prefix-list list-name [seq seq-value] {deny | permit} prefix/prefix-length [ge ge-value] [le le-value]
     • The route prefix (the subnet address)
     • The prefix length (the subnet mask)
     • Each command has a permit or deny action
       • Only used for matching routes.
       • Not used for packet filtering.
       • Just implies whether a route is matched (permit) or not (deny).
     • Sequence numbers are used for the insertion and deletion of individual commands.

  45. Prefix-list Concepts
     ip prefix-list list-name [seq seq-value] {deny | permit} prefix/prefix-length [ge ge-value] [le le-value]
     • Prefix-list Logic:
       • The route’s prefix must be within the range of addresses implied by the prefix-list command’s prefix/prefix-length parameters.
       • The route’s prefix length must match the range of prefixes implied by the prefix-list command’s prefix-length, ge, and le parameters.
     • What???

  46. Prefix-list concepts
     ip prefix-list list-name [seq seq-value] {deny | permit} prefix/prefix-length [ge ge-value] [le le-value]
     Examining the Prefix
     • prefix/prefix-length:
       • Prefix: Address to be used for matching.
       • Prefix length: How much of the address must match.
     • 10.0.0.0/8
       • Any number (address) whose first 8 bits (/8) match 10.0.0.0.
     • Examples coming soon!

  47. Prefix-list concepts
     ip prefix-list list-name [seq seq-value] {deny | permit} prefix/prefix-length [ge ge-value] [le le-value]
     Examining the Prefix Length
     • Blank: Exact match.
     • ge ge-value: Subnet mask must be at least this length, up to /32.
     • le le-value: Subnet mask must be this length or less, but at least the length of the prefix-length.
     • ge ge-value le le-value: Subnet mask must fall within this range.
     • The ge value must be larger than the configured prefix length in the base part of the command.
       • ip prefix-list list1 permit 1.0.0.0/8 ge 7 would be rejected
       • The ge value (7) is less than the configured prefix-length (/8).
     • Examples coming next!

  48. Match the Prefix List with the appropriate routes
     Routes:
       1. 10.0.0.0/8
       2. 10.128.0.0/9
       3. 10.1.1.0/24
       4. 10.1.2.0/24
       5. 10.128.10.4/30
       6. 10.128.10.8/30
     Prefix list entry: 10.0.0.0/8
     • Routes matched: 1
     • Reason: Without ge or le configured, both the prefix (10.0.0.0) and length (8) must be an exact match.
     ip prefix-list list-name [seq seq-value] {deny | permit} prefix/prefix-length [ge ge-value] [le le-value]

  49. Match the Prefix List with the appropriate routes
     Routes:
       1. 10.0.0.0/8
       2. 10.128.0.0/9
       3. 10.1.1.0/24
       4. 10.1.2.0/24
       5. 10.128.10.4/30
       6. 10.128.10.8/30
     Prefix list entry: 10.0.0.0/8 ge 9
     • Routes matched: 2 - 6
     • Reason: The 10.0.0.0/8 means “all routes whose first octet is 10”. The prefix length must be between 9 and 32, inclusive.
     ip prefix-list list-name [seq seq-value] {deny | permit} prefix/prefix-length [ge ge-value] [le le-value]

  50. Match the Prefix List with the appropriate routes
     Routes:
       1. 10.0.0.0/8
       2. 10.128.0.0/9
       3. 10.1.1.0/24
       4. 10.1.2.0/24
       5. 10.128.10.4/30
       6. 10.128.10.8/30
     Prefix list entry: 10.0.0.0/8 ge 24 le 24
     • Routes matched: 3, 4
     • Reason: The 10.0.0.0/8 means “all routes whose first octet is 10,” and the prefix range is 24 to 24 — meaning only routes with prefix length 24.
     ip prefix-list list-name [seq seq-value] {deny | permit} prefix/prefix-length [ge ge-value] [le le-value]
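The matching rules on slides 45–50, as an added Python implementation that is not from the original slides and not IOS code: parse_entry turns one prefix-list entry into the address prefix plus the inclusive prefix-length range that the blank, ge, le and ge/le forms imply, entry_matches applies the two tests from slide 45, and matched_routes reproduces the answers for the six routes above. It goes slightly beyond the slides by also working an le-only entry and a whole ordered list with first-match and implicit deny, and it rejects the 1.0.0.0/8 ge 7 entry that slide 47 says is refused (the checks that le is at least ge and at most 32 are the example's own assumption about a sane range, not a rule the slides state).

```python
import ipaddress

# The six candidate routes from slides 48-50, in slide order (results use 1-based numbers).
ROUTES = ["10.0.0.0/8", "10.128.0.0/9", "10.1.1.0/24", "10.1.2.0/24",
          "10.128.10.4/30", "10.128.10.8/30"]


def parse_entry(text):
    """Parse 'prefix/len [ge N] [le M]' into (network, low, high): the prefix the
    route's address must fall inside, and the inclusive range of prefix lengths.
    Blank -> exact length; ge N -> N..32; le M -> len..M; ge N le M -> N..M."""
    parts = text.split()
    net = ipaddress.ip_network(parts[0], strict=True)
    ge = le = None
    for key, val in zip(parts[1::2], parts[2::2]):
        if key == "ge":
            ge = int(val)
        elif key == "le":
            le = int(val)
        else:
            raise ValueError(f"unknown keyword {key!r} in {text!r}")
    plen = net.prefixlen
    # Slide 47's rule: ge must be larger than the configured prefix length.
    if ge is not None and ge <= plen:
        raise ValueError(f"ge {ge} must be greater than prefix length /{plen}")
    low = plen if ge is None else ge
    high = plen if (ge is None and le is None) else (32 if le is None else le)
    # Assumption of this example: the range must be ordered and end at /32 or below.
    if not low <= high <= 32:
        raise ValueError(f"invalid prefix-length range {low}-{high} in {text!r}")
    return net, low, high


def entry_is_valid(text):
    """True when IOS-style validation (as modelled above) would accept the entry."""
    try:
        parse_entry(text)
        return True
    except ValueError:
        return False


def entry_matches(entry, route):
    """The two tests from slide 45: the route's address lies inside the entry's
    prefix, and the route's own prefix length lies within [low, high]."""
    net, low, high = entry
    r = ipaddress.ip_network(route, strict=True)
    return r.network_address in net and low <= r.prefixlen <= high


def matched_routes(entry_text, routes=ROUTES):
    """1-based indexes of the routes one entry matches, as the slides report them."""
    entry = parse_entry(entry_text)
    return [i for i, route in enumerate(routes, start=1) if entry_matches(entry, route)]


def prefix_list_permits(entries, route):
    """A whole prefix list: ordered (action, entry-text) pairs, first match decides,
    implicit deny at the end, just like an ACL."""
    for action, text in entries:
        if entry_matches(parse_entry(text), route):
            return action == "permit"
    return False


if __name__ == "__main__":
    for text in ["10.0.0.0/8", "10.0.0.0/8 ge 9", "10.0.0.0/8 ge 24 le 24", "10.0.0.0/8 le 24"]:
        print(f"{text:26} matches routes {matched_routes(text)}")
    print("1.0.0.0/8 ge 7 accepted?", entry_is_valid("1.0.0.0/8 ge 7"))
    # Constructed list: drop anything more specific than /9 under 10.128/9, allow the rest of 10/8.
    sample = [("deny", "10.128.0.0/9 ge 10"), ("permit", "10.0.0.0/8 ge 9")]
    print([r for r in ROUTES if prefix_list_permits(sample, r)])
```

The le-only case is the one people most often get wrong: 10.0.0.0/8 le 24 keeps the lower bound at /8, so it matches routes 1 through 4, while 10.0.0.0/8 ge 9 le 24 would drop route 1.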
