Filtering Routes with RIP

Problem

You want to restrict what routing information is exchanged within RIP.

Solution

You can filter inbound RIP routes on a per interface basis with a distribute-list:

    Router2#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router2(config)#access-list 10 deny 192.168.20.0
    Router2(config)#access-list 10 permit any
    Router2(config)#router rip
    Router2(config-router)#distribute-list 10 in Serial 0.1
    Router2(config-router)#network 172.25.0.0
    Router2(config-router)#network 192.168.30.0
    Router2(config-router)#exit
    Router2(config)#end
    Router2#

This configuration example shows how to filter outbound RIP-based routes on a per interface basis:

    Router1#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router1(config)#access-list 20 permit 0.0.0.0
    Router1(config)#access-list 20 deny any
    Router1(config)#router rip
    Router1(config-router)#distribute-list 20 out Serial0/0.2
    Router1(config-router)#network 172.25.0.0
    Router1(config-router)#exit
    Router1(config)#end
    Router1#


Discussion

The access list in the first configuration example of this recipe prevents this router from accepting any routing information about the network 192.168.20.0:

    Router2(config)#access-list 10 deny 192.168.20.0
    Router2(config)#access-list 10 permit any

You can see that this route, which was visible in Recipe 6.1, no longer appears in the routing table:

    Router2#show ip route rip
    R    172.22.0.0/16 [120/1] via 172.25.2.1, 00:00:21, Serial0.1
    R    172.25.1.0/24 [120/1] via 172.25.2.1, 00:00:21, Serial0.1
    Router2#

The show ip protocol command shows which interfaces have inbound or outbound distribute lists:

    Router2#show ip protocol
    Routing Protocol is "rip"
      Sending updates every 30 seconds, next due in 27 seconds
      Invalid after 180 seconds, hold down 180, flushed after 240
      Outgoing update filter list for all interfaces is not set
      Incoming update filter list for all interfaces is not set
        Serial0.1 filtered by 10 (per-user), default is 10
      Redistributing: rip
      Default version control: send version 1, receive any version
        Interface             Send  Recv  Triggered RIP  Key-chain
        Ethernet0             1     1 2
        Loopback0             1     1 2
        Serial0.1             1     1 2
      Automatic network summarization is in effect
      Maximum path: 4
      Routing for Networks:
        172.25.0.0
        192.168.30.0
      Routing Information Sources:
        Gateway         Distance      Last Update
        172.25.2.1           120      00:00:17
      Distance: (default is 120)
    Router2#

This shows that the interface Serial0.1 uses access list number 10 to filter incoming routing information. You can then use the show access-list command to see what this affects.

Note that if you control both the sending and receiving routers, it is usually best to filter the routes before sending them instead of sending them across the network and then ignoring them. So inbound filtering is most common in situations when you are receiving routes from a device that you don't control. Since RIP frequently runs on end devices such as Unix servers, inbound filtering is fairly common.

You can use outbound filtering, on the other hand, for reducing the size of routing tables on access routers. For example, it is extremely useful in hub-and-spoke type WANs. In this case, each remote branch router cares only about its local segments and "everything else." It can reach all of the nonlocal routes via the hub router. So you can reduce unnecessary WAN bandwidth utilization as well as memory consumption on the branch router by configuring the hub router to send out only a single default route. In fact, when used in conjunction with the periodic updates discussed in Recipe 6.12, this makes a good WAN routing solution.

The second example in the Solution section of this recipe shows the configuration of the hub router so that it only sends the default route, 0.0.0.0/0. The routing table of the other router then becomes extremely simple:

    Router2#show ip route rip
    R*   0.0.0.0/0 [120/5] via 172.25.2.1, 00:00:02, Serial0.1
    Router2#

The show ip protocol command shows the filter on the hub router:

    Router1#show ip protocol
    Routing Protocol is "rip"
      Sending updates every 30 seconds, next due in 9 seconds
      Invalid after 180 seconds, hold down 180, flushed after 240
      Outgoing update filter list for all interfaces is not set
        Serial0/0.2 filtered by 20 (per-user), default is 20
      Incoming update filter list for all interfaces is not set
      Redistributing: rip
      Default version control: send version 1, receive any version
        Interface             Send  Recv  Triggered RIP  Key-chain
        FastEthernet0/0.1     1     1 2
        Serial0/0.2           1     1 2
        FastEthernet0/1       1     1 2
      Automatic network summarization is in effect
      Maximum path: 4
      Routing for Networks:
        172.22.0.0
        172.25.0.0
      Routing Information Sources:
        Gateway         Distance      Last Update
        172.25.1.7           120      00:00:23
        172.25.2.2           120      00:00:07
        172.22.1.4           120      00:00:19
      Distance: (default is 120)
    Router1#

You can also configure the router to filter all interfaces simultaneously with a single rule:

    Router2#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router2(config)#access-list 10 deny 192.168.20.0
    Router2(config)#access-list 10 permit any
    Router2(config)#router rip
    Router2(config-router)#distribute-list 10 in
    Router2(config-router)#end
    Router2#

This feature is rarely used because you usually want to apply different filters to different interfaces, depending on what other devices are connected. But when you want to explicitly eliminate certain unwanted routes from your network, regardless of the interface you might learn them through, this is the easiest way to do it. With the show ip protocols command, you can see that access list number 10 has been applied to traffic coming in from all interfaces:

    Router2#show ip protocols
    Routing Protocol is "rip"
      Sending updates every 30 seconds, next due in 0 seconds
      Invalid after 180 seconds, hold down 180, flushed after 240
      Outgoing update filter list for all interfaces is not set
      Incoming update filter list for all interfaces is 10
      Redistributing: rip
      Default version control: send version 1, receive any version
        Interface             Send  Recv  Triggered RIP  Key-chain
        Ethernet0             1     1 2
        Loopback0             1     1 2
        Serial0.1             1     1 2
      Automatic network summarization is in effect
      Maximum path: 4
      Routing for Networks:
        172.25.0.0
        192.168.30.0
      Routing Information Sources:
        Gateway         Distance      Last Update
        172.25.2.1           120      00:00:03
      Distance: (default is 120)
    Router2#
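Because the filter lines in show ip protocols are the only quick evidence that a distribute-list is really in force, it is worth being able to audit them across many routers. The following Python script is an added example, not part of this recipe or of Cisco IOS: it parses the "Outgoing/Incoming update filter list" section and the interface table of the command's output and reports which interfaces that you consider untrusted receive RIP updates with no inbound filter at all (neither a global list nor a per-interface one). The sample output embedded in the script is constructed in the layout shown in this recipe; the function names and the idea of an "untrusted" interface set are my own.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample laid out like the recipe's "show ip protocol" output; not captured from a router.
SAMPLE_SHOW_IP_PROTOCOLS = """\
Routing Protocol is "rip"
  Sending updates every 30 seconds, next due in 27 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
    Serial0.1 filtered by 10 (per-user), default is 10
  Redistributing: rip
  Default version control: send version 1, receive any version
    Interface             Send  Recv  Triggered RIP  Key-chain
    Ethernet0             1     1 2
    Loopback0             1     1 2
    Serial0.1             1     1 2
  Automatic network summarization is in effect
  Maximum path: 4
  Routing for Networks:
    172.25.0.0
    192.168.30.0
  Routing Information Sources:
    Gateway         Distance      Last Update
    172.25.2.1           120      00:00:17
  Distance: (default is 120)
"""

# "Incoming update filter list for all interfaces is not set" / "... is 10"
GLOBAL_RE = re.compile(r"^\s*(Incoming|Outgoing) update filter list for all interfaces is (not set|\d+)")
# "    Serial0.1 filtered by 10 (per-user), default is 10"
PER_IF_RE = re.compile(r"^\s*(\S+) filtered by (\d+)")
# Rows of the Interface / Send / Recv table, e.g. "    Ethernet0   1   1 2"
IF_ROW_RE = re.compile(r"^\s*(\S+)\s+\d+\s+\d+")


def parse_rip_filters(text: str) -> Dict:
    """Extract global and per-interface distribute-lists, per direction, plus the RIP interface list."""
    result: Dict = {
        "in": {"global": None, "per_interface": {}},
        "out": {"global": None, "per_interface": {}},
        "interfaces": [],
    }
    direction: Optional[str] = None   # which filter-list section the per-interface lines belong to
    in_if_table = False
    for line in text.splitlines():
        m = GLOBAL_RE.match(line)
        if m:
            direction = "in" if m.group(1) == "Incoming" else "out"
            result[direction]["global"] = None if m.group(2) == "not set" else int(m.group(2))
            continue
        m = PER_IF_RE.match(line)
        if m and direction is not None:
            result[direction]["per_interface"][m.group(1)] = int(m.group(2))
            continue
        if line.strip().startswith("Interface"):
            in_if_table, direction = True, None   # the filter sections are over
            continue
        if in_if_table:
            m = IF_ROW_RE.match(line)
            if m:
                result["interfaces"].append(m.group(1))
                continue
            in_if_table = False                   # first non-row line ends the table
    return result


def interfaces_missing_inbound_filter(parsed: Dict, untrusted: Iterable[str]) -> List[str]:
    """Untrusted interfaces that accept RIP updates with no inbound distribute-list applied."""
    if parsed["in"]["global"] is not None:
        return []                                 # a global inbound list already covers every interface
    filtered = parsed["in"]["per_interface"]
    untrusted = set(untrusted)
    return sorted(i for i in parsed["interfaces"] if i in untrusted and i not in filtered)


if __name__ == "__main__":
    parsed = parse_rip_filters(SAMPLE_SHOW_IP_PROTOCOLS)
    print("inbound filters:", parsed["in"])
    print("unfiltered untrusted interfaces:", interfaces_missing_inbound_filter(parsed, {"Serial0.1", "Ethernet0"}))
```

In practice you would feed the script the saved output of show ip protocols from each router and keep the untrusted set in your inventory (the interfaces facing devices you do not administer, such as the Unix servers mentioned above). An interface that appears in the report is one where routes from an uncontrolled neighbor enter the table unchecked.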

You can use global distribute lists together with interface specific distribute lists. The result actually combines the effects of both. Suppose, for example, that you have a global distribute list that blocks a particular network. Then if you apply another list that blocks another address to a particular interface, this interface will block both addresses.
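To make the filter semantics used throughout this recipe concrete (the standard access list matched against a route's network address, the implicit "deny any" at the end of every list, and the way a global distribute-list and an interface-specific one combine), here is a small Python model of inbound and outbound distribute-list evaluation. It is an added example, not code from this book or from Cisco IOS. It replays the two Solution configurations against the prefixes that appear in this recipe's routing tables, and then the combined global-plus-interface case; access list 30 and the assumption that Router1 is the origin of the 0.0.0.0/0 default are mine, and the class and function names are invented for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class AclEntry:
    action: str                 # "permit" or "deny"
    address: str                # address the route's network number is compared with
    wildcard: str = "0.0.0.0"   # IOS default when the wildcard is omitted: exact match


def parse_acl_config(lines: List[str]) -> Dict[int, List[AclEntry]]:
    """Parse 'access-list N permit|deny ADDR [WILDCARD]' lines; 'any' means 0.0.0.0 255.255.255.255."""
    acls: Dict[int, List[AclEntry]] = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        number, action = int(parts[1]), parts[2]
        if parts[3] == "any":
            entry = AclEntry(action, "0.0.0.0", "255.255.255.255")
        else:
            entry = AclEntry(action, parts[3], parts[4] if len(parts) > 4 else "0.0.0.0")
        acls.setdefault(number, []).append(entry)
    return acls


def _addr(a: str) -> int:
    return int(ipaddress.IPv4Address(a))


def acl_permits(entries: List[AclEntry], network: str) -> bool:
    """First matching entry decides; a wildcard bit of 1 means 'don't care' for that bit."""
    n = _addr(network)
    for e in entries:
        care = ~_addr(e.wildcard) & 0xFFFFFFFF
        if (n & care) == (_addr(e.address) & care):
            return e.action == "permit"
    return False   # every IOS access list ends with an implicit "deny any"


@dataclass
class RipDistributeLists:
    acls: Dict[int, List[AclEntry]]
    global_in: Optional[int] = None
    global_out: Optional[int] = None
    per_if_in: Dict[str, int] = field(default_factory=dict)
    per_if_out: Dict[str, int] = field(default_factory=dict)

    def passes(self, direction: str, interface: str, prefix: str) -> bool:
        """A route survives only if every applicable list (global and per-interface) permits it."""
        network = prefix.split("/")[0]
        glob = self.global_in if direction == "in" else self.global_out
        per_if = (self.per_if_in if direction == "in" else self.per_if_out).get(interface)
        return all(acl_permits(self.acls[n], network) for n in (glob, per_if) if n is not None)


# Prefixes from this recipe's routing tables; that Router1 originates 0.0.0.0/0 is an assumption.
ADVERTISED = ["172.22.0.0/16", "172.25.1.0/24", "192.168.20.0/24", "0.0.0.0/0"]


def router2_inbound_decisions() -> Dict[str, bool]:
    """First Solution example: list 10 applied inbound on Router2's Serial0.1."""
    acls = parse_acl_config(["access-list 10 deny 192.168.20.0", "access-list 10 permit any"])
    dl = RipDistributeLists(acls, per_if_in={"Serial0.1": 10})
    return {p: dl.passes("in", "Serial0.1", p) for p in ADVERTISED}


def router1_outbound_decisions() -> Dict[str, bool]:
    """Second Solution example: list 20 applied outbound on Router1's Serial0/0.2 (default route only)."""
    acls = parse_acl_config(["access-list 20 permit 0.0.0.0", "access-list 20 deny any"])
    dl = RipDistributeLists(acls, per_if_out={"Serial0/0.2": 20})
    return {p: dl.passes("out", "Serial0/0.2", p) for p in ADVERTISED}


def combined_filter_decisions() -> Dict[str, Dict[str, bool]]:
    """Global inbound list 10 plus per-interface list 30 on Serial0.1 (list 30 is a constructed example)."""
    acls = parse_acl_config([
        "access-list 10 deny 192.168.20.0", "access-list 10 permit any",
        "access-list 30 deny 172.22.0.0", "access-list 30 permit any",
    ])
    dl = RipDistributeLists(acls, global_in=10, per_if_in={"Serial0.1": 30})
    return {ifc: {p: dl.passes("in", ifc, p) for p in ADVERTISED} for ifc in ("Serial0.1", "Ethernet0")}


if __name__ == "__main__":
    print("Router2 inbound on Serial0.1:", router2_inbound_decisions())
    print("Router1 outbound on Serial0/0.2:", router1_outbound_decisions())
    print("global 10 + interface 30:", combined_filter_decisions())
```

The implicit deny is the detail that bites most often: list 20 would drop every non-default route even without its explicit "deny any" line, and a list written as only "deny 192.168.20.0" would silently discard all routes, not just that one. The combined case shows the behaviour described above: Serial0.1 loses both 192.168.20.0 (global list) and 172.22.0.0 (interface list), while Ethernet0, which has only the global list, loses 192.168.20.0 alone.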

See Also

Recipe 6.12
