Today I will check, what routes are redistributed from EIGRP. With default settings, it is quite obvious, that internal routes are redistributed, but what about EIGRP external routes?
Here we can see everything that is needed. Basically, R2 has EIGRP internal and external routes, next these routes are redistributed into OSPF and BGP:
R2#show ip route eigrp
D EX 100.0.0.0/8 [170/2474496] via 10.0.0.1, 00:11:07, Serial0/0
D 200.0.0.0/24 [90/2297856] via 10.0.0.1, 00:11:07, Serial0/0
11.0.0.0/30 is subnetted, 1 subnets
D EX 11.0.0.0 [170/2474496] via 10.0.0.1, 00:11:07, Serial0/0
And let's investigate routing tables from R3 and R4:
R3#show ip route
!Some lines omitted
O E2 100.0.0.0/8 [110/20] via 12.0.0.2, 00:10:20, Serial0/0
O E2 200.0.0.0/24 [110/20] via 12.0.0.2, 00:10:20, Serial0/0
10.0.0.0/30 is subnetted, 1 subnets
O E2 10.0.0.0 [110/20] via 12.0.0.2, 00:10:20, Serial0/0
11.0.0.0/30 is subnetted, 1 subnets
O E2 11.0.0.0 [110/20] via 12.0.0.2, 00:10:20, Serial0/0
12.0.0.0/30 is subnetted, 1 subnets
C 12.0.0.0 is directly connected, Serial0/0
R4#show ip route
!Some lines omitted
B 100.0.0.0/8 [200/2474496] via 10.0.0.1, 00:09:26
B 200.0.0.0/24 [200/2297856] via 10.0.0.1, 00:09:26
10.0.0.0/30 is subnetted, 1 subnets
B 10.0.0.0 [200/0] via 13.0.0.2, 00:09:31
11.0.0.0/30 is subnetted, 1 subnets
B 11.0.0.0 [200/2474496] via 10.0.0.1, 00:09:26
13.0.0.0/30 is subnetted, 1 subnets
C 13.0.0.0 is directly connected, Serial0/0
As we can see, EIGRP redistributes both routes, internal and external (with default settings). It is quite different behaviour as we saw in OSPF.
Hello and welcome. My name is Łukasz and I created this blog to share with you some personal thoughts about networking. I hope that you will find here some good tips and show up here from time to time.
Saturday, 4 June 2011
Tuesday, 24 May 2011
Redistribute command. From OSPF into EIGRP/BGP.
Do you know, which routes are redistributed by default? For instance, when redistributing from OSPF into EIGRP, you have 3 different routes: inter-area, intra-area and external. Let's find the answer:
On the picture above (click to enlarge) there is a simple topology, where a distribution between different routing protocol is applied. R1 is performing a mutual distribution between OSPF and BGP, R2 between EIGRP and OSPF. R4 is an OSPF ABR router between area 0 and 1. First, let's take a look into R1 routing table:
R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
O E2 102.0.0.0/8 [110/20] via 10.0.0.1, 00:10:48, Serial0/0
100.0.0.0/24 is subnetted, 1 subnets
B 100.0.0.0 [200/0] via 14.0.0.2, 00:09:04
10.0.0.0/30 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Serial0/0
11.0.0.0/30 is subnetted, 1 subnets
O 11.0.0.0 [110/128] via 10.0.0.1, 00:12:34, Serial0/0
12.0.0.0/30 is subnetted, 1 subnets
O 12.0.0.0 [110/128] via 10.0.0.1, 00:23:09, Serial0/0
13.0.0.0/30 is subnetted, 1 subnets
O IA 13.0.0.0 [110/192] via 10.0.0.1, 00:23:09, Serial0/0
14.0.0.0/30 is subnetted, 1 subnets
C 14.0.0.0 is directly connected, Serial0/1
15.0.0.0/30 is subnetted, 1 subnets
O E2 15.0.0.0 [110/20] via 10.0.0.1, 00:11:40, Serial0/0
Please be advised, that R1 learnt 3 different OSPF routes:
R1#show running-config | section bgp
router bgp 65000
no synchronization
bgp log-neighbor-changes
redistribute ospf 1
neighbor 14.0.0.2 remote-as 65000
no auto-summary
Finally, the routing table derived from R6:
R6#show ip route
!some lines omitted
100.0.0.0/24 is subnetted, 1 subnets
C 100.0.0.0 is directly connected, Loopback0
10.0.0.0/30 is subnetted, 1 subnets
B 10.0.0.0 [200/0] via 14.0.0.1, 00:24:42
11.0.0.0/30 is subnetted, 1 subnets
B 11.0.0.0 [200/128] via 10.0.0.1, 00:24:42
12.0.0.0/30 is subnetted, 1 subnets
B 12.0.0.0 [200/128] via 10.0.0.1, 00:24:42
13.0.0.0/30 is subnetted, 1 subnets
B 13.0.0.0 [200/192] via 10.0.0.1, 00:24:42
14.0.0.0/30 is subnetted, 1 subnets
C 14.0.0.0 is directly connected, Serial0/0
R6#
We can see, that only intra-area and inter-area routes are redistributed with default settings. External routes are ignored, to change this, we can add match external {1|2} to redistribute ospf command.
The same story is with R7, only inter-area and intra-area routes are redistributed from OSPF into EIGRP:
R7#show ip route
!some lines omitted
102.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 102.0.0.0/24 is directly connected, Loopback0
D 102.0.0.0/8 is a summary, 00:26:25, Null0
10.0.0.0/30 is subnetted, 1 subnets
D EX 10.0.0.0 [170/2474496] via 15.0.0.1, 00:26:25, Serial0/0
11.0.0.0/30 is subnetted, 1 subnets
D EX 11.0.0.0 [170/2474496] via 15.0.0.1, 00:26:25, Serial0/0
12.0.0.0/30 is subnetted, 1 subnets
D EX 12.0.0.0 [170/2474496] via 15.0.0.1, 00:26:25, Serial0/0
13.0.0.0/30 is subnetted, 1 subnets
D EX 13.0.0.0 [170/2474496] via 15.0.0.1, 00:26:25, Serial0/0
15.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 15.0.0.0/30 is directly connected, Serial0/0
D 15.0.0.0/8 is a summary, 00:26:26, Null0
R7#
On the picture above (click to enlarge) there is a simple topology, where a distribution between different routing protocol is applied. R1 is performing a mutual distribution between OSPF and BGP, R2 between EIGRP and OSPF. R4 is an OSPF ABR router between area 0 and 1. First, let's take a look into R1 routing table:
R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
O E2 102.0.0.0/8 [110/20] via 10.0.0.1, 00:10:48, Serial0/0
100.0.0.0/24 is subnetted, 1 subnets
B 100.0.0.0 [200/0] via 14.0.0.2, 00:09:04
10.0.0.0/30 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Serial0/0
11.0.0.0/30 is subnetted, 1 subnets
O 11.0.0.0 [110/128] via 10.0.0.1, 00:12:34, Serial0/0
12.0.0.0/30 is subnetted, 1 subnets
O 12.0.0.0 [110/128] via 10.0.0.1, 00:23:09, Serial0/0
13.0.0.0/30 is subnetted, 1 subnets
O IA 13.0.0.0 [110/192] via 10.0.0.1, 00:23:09, Serial0/0
14.0.0.0/30 is subnetted, 1 subnets
C 14.0.0.0 is directly connected, Serial0/1
15.0.0.0/30 is subnetted, 1 subnets
O E2 15.0.0.0 [110/20] via 10.0.0.1, 00:11:40, Serial0/0
Please be advised, that R1 learnt 3 different OSPF routes:
- intra-area (O): 11.0.0.0/30, 12.0.0.0/30
- inter-area (IA): 13.0.0.0/30
- external (E2): 15.0.0.0/30, 102.0.0.0/24
R1#show running-config | section bgp
router bgp 65000
no synchronization
bgp log-neighbor-changes
redistribute ospf 1
neighbor 14.0.0.2 remote-as 65000
no auto-summary
Finally, the routing table derived from R6:
R6#show ip route
!some lines omitted
100.0.0.0/24 is subnetted, 1 subnets
C 100.0.0.0 is directly connected, Loopback0
10.0.0.0/30 is subnetted, 1 subnets
B 10.0.0.0 [200/0] via 14.0.0.1, 00:24:42
11.0.0.0/30 is subnetted, 1 subnets
B 11.0.0.0 [200/128] via 10.0.0.1, 00:24:42
12.0.0.0/30 is subnetted, 1 subnets
B 12.0.0.0 [200/128] via 10.0.0.1, 00:24:42
13.0.0.0/30 is subnetted, 1 subnets
B 13.0.0.0 [200/192] via 10.0.0.1, 00:24:42
14.0.0.0/30 is subnetted, 1 subnets
C 14.0.0.0 is directly connected, Serial0/0
R6#
We can see, that only intra-area and inter-area routes are redistributed with default settings. External routes are ignored, to change this, we can add match external {1|2} to redistribute ospf command.
The same story is with R7, only inter-area and intra-area routes are redistributed from OSPF into EIGRP:
R7#show ip route
!some lines omitted
102.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 102.0.0.0/24 is directly connected, Loopback0
D 102.0.0.0/8 is a summary, 00:26:25, Null0
10.0.0.0/30 is subnetted, 1 subnets
D EX 10.0.0.0 [170/2474496] via 15.0.0.1, 00:26:25, Serial0/0
11.0.0.0/30 is subnetted, 1 subnets
D EX 11.0.0.0 [170/2474496] via 15.0.0.1, 00:26:25, Serial0/0
12.0.0.0/30 is subnetted, 1 subnets
D EX 12.0.0.0 [170/2474496] via 15.0.0.1, 00:26:25, Serial0/0
13.0.0.0/30 is subnetted, 1 subnets
D EX 13.0.0.0 [170/2474496] via 15.0.0.1, 00:26:25, Serial0/0
15.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 15.0.0.0/30 is directly connected, Serial0/0
D 15.0.0.0/8 is a summary, 00:26:26, Null0
R7#
Thursday, 14 April 2011
The OSPF domain-id.
With MPLS technology, the ospf-area hierarchy was reorganized. Namely, Super-Backbone OSPF Area was introduced, which is now on the top level. With this concept, one fact is very interesting and unusual (as compared with 'normal' OSPF behaviour).
Before I will tell you, what I have in mind, just remember few things:
R7#show ip route ospf
154.0.0.0/32 is subnetted, 1 subnets
O E2 154.0.0.1 [110/65] via 101.0.0.1, 00:04:03, Serial0/0
175.0.0.0/32 is subnetted, 1 subnets
O IA 175.0.0.1 [110/129] via 101.0.0.1, 00:55:19, Serial0/0
Route from R6 is marked as external, and route from R5 is marked as inter-area.
R5#show ip route ospf
154.0.0.0/32 is subnetted, 1 subnets
O E2 154.0.0.1 [110/65] via 100.0.0.1, 00:06:51, Serial0/0
167.0.0.0/32 is subnetted, 1 subnets
O IA 167.0.0.1 [110/129] via 100.0.0.1, 00:53:49, Serial0/0
Route from R6 is marked as external, and route from R7 is marked as inter-area.
R6#show ip route ospf
175.0.0.0/32 is subnetted, 1 subnets
O E2 175.0.0.1 [110/65] via 102.0.0.1, 00:27:30, Serial0/0
167.0.0.0/32 is subnetted, 1 subnets
O E2 167.0.0.1 [110/65] via 102.0.0.1, 00:27:30, Serial0/0
Here we can see, that area-id is completely ignored (R5 and R6 are both in area 0, but routes between them are marked as external). However if the process-id match (R5 and R7), routes are marked as inter-area.
With the domain-id command, we can influence, how routes are redistributed. However with this post I would like to answer the question, in which direction this command works. For example, when we change domain-id on the R3 router, which routes will have this domain-id: these learned from MP-BGP (so learned from R1 and R4) or these learned from R7?
Basically, we can see the domain-id of the route using the following command:
R3#show ip bgp vpnv4 all 167.0.0.1
BGP routing table entry for 1:1:167.0.0.1/32, version 5
! some lines omitted
Extended Community: RT:1:1 OSPF DOMAIN ID:0x0005:0x000000010200
OSPF RT:0.0.0.1:2:0 OSPF ROUTER ID:101.0.0.1:0
R3#show ip bgp vpnv4 all 154.0.0.1
BGP routing table entry for 1:1:154.0.0.1/32, version 19
Extended Community: RT:1:1 OSPF DOMAIN ID:0x0005:0x000000020200
OSPF RT:0.0.0.0:2:0 OSPF ROUTER ID:102.0.0.1:0
R3#show ip bgp vpnv4 all 175.0.0.1
BGP routing table entry for 1:1:175.0.0.1/32, version 13
Extended Community: RT:1:1 OSPF DOMAIN ID:0x0005:0x000000010200
OSPF RT:0.0.0.0:2:0 OSPF ROUTER ID:100.0.0.1:0
Now, let's change the domain-id on R3 and examine again routing tables from CE routers:
R3#configure t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#router ospf 1 vrf bank
R3(config-router)#domain-id 0.0.0.2
R5#show ip route ospf
154.0.0.0/32 is subnetted, 1 subnets
O E2 154.0.0.1 [110/65] via 100.0.0.1, 00:30:43, Serial0/0
167.0.0.0/32 is subnetted, 1 subnets
O E2 167.0.0.1 [110/65] via 100.0.0.1, 00:01:01, Serial0/0
R7#show ip route ospf
154.0.0.0/32 is subnetted, 1 subnets
O IA 154.0.0.1 [110/129] via 101.0.0.1, 00:01:51, Serial0/0
175.0.0.0/32 is subnetted, 1 subnets
O E2 175.0.0.1 [110/65] via 101.0.0.1, 00:01:51, Serial0/0
R6#show ip route ospf
175.0.0.0/32 is subnetted, 1 subnets
O E2 175.0.0.1 [110/65] via 102.0.0.1, 00:31:48, Serial0/0
167.0.0.0/32 is subnetted, 1 subnets
O IA 167.0.0.1 [110/129] via 102.0.0.1, 00:02:03, Serial0/0
And the output from R3:
R3#show ip bgp vpnv4 all 167.0.0.1
! some lines omitted
Extended Community: RT:1:1 OSPF DOMAIN ID:0x0005:0x000000020200
OSPF RT:0.0.0.1:2:0 OSPF ROUTER ID:101.0.0.1:0
R3#show ip bgp vpnv4 all 154.0.0.1
BGP routing table entry for 1:1:154.0.0.1/32, version 19
Extended Community: RT:1:1 OSPF DOMAIN ID:0x0005:0x000000020200
OSPF RT:0.0.0.0:2:0 OSPF ROUTER ID:102.0.0.1:0
R3#show ip bgp vpnv4 all 175.0.0.1
Extended Community: RT:1:1 OSPF DOMAIN ID:0x0005:0x000000010200
OSPF RT:0.0.0.0:2:0 OSPF ROUTER ID:100.0.0.1:0
Here we can see, that after domain-id was changed on R3, this new domain-id was changed only for updates received from R7 (167.0.0.1) via CE-PE OSPF. The domain-id of updates received from MP-BGP was not altered. This means, that domain-id influences on updates that are redistributed from VPN site (so from CE-PE routing process) to MP-BGP. In other words, if we want to have on R5 routes from R6 marked as inter-area, we have to change the domain-id on R4 router, not on R1. Changing domain-id on R1, we will influence on the routes that are sent to R6.
Before I will tell you, what I have in mind, just remember few things:
- In fact, in OSPF Super-Backbone Area there might not be OSPF! Here packets are carried using MP-BGP rather than OSPF. OSPF can run in background, as a separate routing protocol and can be used to reach the BGP next-hop.
- On PE routers there is a mutual distribution between MP-BGP and PE-CE routing protocols.
- Under normal circumstances, when redistribute command is used under OSPF routing process, all redistributed routes automatically become external routes (E1 or E2).
On the picture (click to enlarge) we see a simple situation, where customer 'bank' has three sites. These sites are connected to each other using MPLS and MP-BGP. R1, R3 and R4 are PE routers, whereas R5-7 are CE routers and OSPF was chosen as CE-PE routing protocol for each sites. However there are different OSPF processes and different areas:
- R1-R5: process-id 1, area-id 0
- R3-R7: process-id 1, area-id 1
- R4-R6: process-id 2, area-id 0
R7#show ip route ospf
154.0.0.0/32 is subnetted, 1 subnets
O E2 154.0.0.1 [110/65] via 101.0.0.1, 00:04:03, Serial0/0
175.0.0.0/32 is subnetted, 1 subnets
O IA 175.0.0.1 [110/129] via 101.0.0.1, 00:55:19, Serial0/0
Route from R6 is marked as external, and route from R5 is marked as inter-area.
154.0.0.0/32 is subnetted, 1 subnets
O E2 154.0.0.1 [110/65] via 100.0.0.1, 00:06:51, Serial0/0
167.0.0.0/32 is subnetted, 1 subnets
O IA 167.0.0.1 [110/129] via 100.0.0.1, 00:53:49, Serial0/0
Route from R6 is marked as external, and route from R7 is marked as inter-area.
R6#show ip route ospf
175.0.0.0/32 is subnetted, 1 subnets
O E2 175.0.0.1 [110/65] via 102.0.0.1, 00:27:30, Serial0/0
167.0.0.0/32 is subnetted, 1 subnets
O E2 167.0.0.1 [110/65] via 102.0.0.1, 00:27:30, Serial0/0
Here we can see, that area-id is completely ignored (R5 and R6 are both in area 0, but routes between them are marked as external). However if the process-id match (R5 and R7), routes are marked as inter-area.
With the domain-id command, we can influence, how routes are redistributed. However with this post I would like to answer the question, in which direction this command works. For example, when we change domain-id on the R3 router, which routes will have this domain-id: these learned from MP-BGP (so learned from R1 and R4) or these learned from R7?
Basically, we can see the domain-id of the route using the following command:
R3#show ip bgp vpnv4 all 167.0.0.1
BGP routing table entry for 1:1:167.0.0.1/32, version 5
! some lines omitted
Extended Community: RT:1:1 OSPF DOMAIN ID:0x0005:0x000000010200
OSPF RT:0.0.0.1:2:0 OSPF ROUTER ID:101.0.0.1:0
R3#show ip bgp vpnv4 all 154.0.0.1
BGP routing table entry for 1:1:154.0.0.1/32, version 19
Extended Community: RT:1:1 OSPF DOMAIN ID:0x0005:0x000000020200
OSPF RT:0.0.0.0:2:0 OSPF ROUTER ID:102.0.0.1:0
R3#show ip bgp vpnv4 all 175.0.0.1
BGP routing table entry for 1:1:175.0.0.1/32, version 13
Extended Community: RT:1:1 OSPF DOMAIN ID:0x0005:0x000000010200
OSPF RT:0.0.0.0:2:0 OSPF ROUTER ID:100.0.0.1:0
Now, let's change the domain-id on R3 and examine again routing tables from CE routers:
R3#configure t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#router ospf 1 vrf bank
R3(config-router)#domain-id 0.0.0.2
R5#show ip route ospf
154.0.0.0/32 is subnetted, 1 subnets
O E2 154.0.0.1 [110/65] via 100.0.0.1, 00:30:43, Serial0/0
167.0.0.0/32 is subnetted, 1 subnets
O E2 167.0.0.1 [110/65] via 100.0.0.1, 00:01:01, Serial0/0
R7#show ip route ospf
154.0.0.0/32 is subnetted, 1 subnets
O IA 154.0.0.1 [110/129] via 101.0.0.1, 00:01:51, Serial0/0
175.0.0.0/32 is subnetted, 1 subnets
O E2 175.0.0.1 [110/65] via 101.0.0.1, 00:01:51, Serial0/0
R6#show ip route ospf
175.0.0.0/32 is subnetted, 1 subnets
O E2 175.0.0.1 [110/65] via 102.0.0.1, 00:31:48, Serial0/0
167.0.0.0/32 is subnetted, 1 subnets
O IA 167.0.0.1 [110/129] via 102.0.0.1, 00:02:03, Serial0/0
And the output from R3:
R3#show ip bgp vpnv4 all 167.0.0.1
! some lines omitted
Extended Community: RT:1:1 OSPF DOMAIN ID:0x0005:0x000000020200
OSPF RT:0.0.0.1:2:0 OSPF ROUTER ID:101.0.0.1:0
R3#show ip bgp vpnv4 all 154.0.0.1
BGP routing table entry for 1:1:154.0.0.1/32, version 19
Extended Community: RT:1:1 OSPF DOMAIN ID:0x0005:0x000000020200
OSPF RT:0.0.0.0:2:0 OSPF ROUTER ID:102.0.0.1:0
R3#show ip bgp vpnv4 all 175.0.0.1
Extended Community: RT:1:1 OSPF DOMAIN ID:0x0005:0x000000010200
OSPF RT:0.0.0.0:2:0 OSPF ROUTER ID:100.0.0.1:0
Here we can see, that after domain-id was changed on R3, this new domain-id was changed only for updates received from R7 (167.0.0.1) via CE-PE OSPF. The domain-id of updates received from MP-BGP was not altered. This means, that domain-id influences on updates that are redistributed from VPN site (so from CE-PE routing process) to MP-BGP. In other words, if we want to have on R5 routes from R6 marked as inter-area, we have to change the domain-id on R4 router, not on R1. Changing domain-id on R1, we will influence on the routes that are sent to R6.
Thursday, 7 April 2011
Switch port-security feature under investigation
When enabling port-security feature on a Cisco Switch, you can add switchport port-security mac-address sticky command under interface configuration mode. When this command is enabled, a switch will learn MAC address and put this address into running-config and CAM table. Without this command, MAC address will be put only into CAM table. Maybe this is quite obvious, consequences can be pretty interesting. I took one Switch, Cat3750, and one router to find out what will happen in different situations.
1) The same MAC address appears in different switch ports, however port-security feature is disabled on both ports.
SW1#
SW1#
We see, that first MAC address 0007.50fc.5880 was learned via Gi2/0/1, after switch received ping on the second port, Gi2/0/2, CAM table was updated. Finally another ping came again on Gi2/0/1, so again, CAM table was updated. This is a normal behavior. If you think, that after learning MAC address on one port, a switch is unable to learn the same MAC address on the second port, you are wrong, if you were right, for example Spanning Tree Protocols would be useless.
2) CAM table has static entry for a particular MAC address, next this address appears on different port. Port-security is disabled.
When a switch has a static entry for a particular MAC address, and this MAC address appears on the different port, CAM table is not updated. Thus, when the switch receives frames on the second port and try to send reply, the switch will use static (wrong!) entry from CAM table.
For the rest of this post, I will use 2 ports on my switch, Gi2/0/3 and Gi2/0/4.
3) Gi2/0/3 with port-security but without sticky learning, Gi2/0/4 without port-security
When Gi2/0/3 has port-security enabled, and Gi2/0/4 has port-security disabled, running-configuration is very simple:
With this settings, the same MAC address can first appear on Gi2/0/3, next on Gi2/0/4 and finally again on Gi2/0/3. Every time CAM table is updated and no violation occurred.
4) Gi2/0/3 and Gi2/0/4 have the same configuration, with port-security enabled, but without sticky learning.
Here results are the same as before. CAM table is updated, no violation occurred.
5)Gi2/0/3 has port-security enabled with sticky learning, Gi2/0/4 has port-security disabled
Here there is a new line in the running-configuration: switchport port-security mac-address sticky 0007.50fc.5880 vlan access. Interestingly, when this MAC address appears on the second port, the running-configuration is not change, however CAM is updated (remember, that Gi2/0/4 has port-security disabled). In addition to this, pings work to two ports (Gi2/0/3 and Gi2/0/4) and also no violation occurred:
1) The same MAC address appears in different switch ports, however port-security feature is disabled on both ports.
When the port-security feature is disabled, MAC address can show up on the one switch port, then can be moved to another one and so on. Every time a new frame arrived on the switch port, CAM table is updated:
SW1#debug ip icmp
ICMP packet debugging is on
SW1#
*Mar 1 00:37:13.148: ICMP: echo reply sent, src 10.0.0.2, dst 10.0.0.1
SW1#show mac address-table address 0007.50fc.5880
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 0007.50fc.5880 DYNAMIC Gi2/0/1
SW1#
*Mar 1 00:37:40.444: ICMP: echo reply sent, src 10.0.0.2, dst 10.0.0.1
SW1#show mac address-table address 0007.50fc.5880
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 0007.50fc.5880 DYNAMIC Gi2/0/2
SW1#
*Mar 1 00:37:55.737: ICMP: echo reply sent, src 10.0.0.2, dst 10.0.0.1
SW1#show mac address-table address 0007.50fc.5880
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 0007.50fc.5880 DYNAMIC Gi2/0/1
We see, that first MAC address 0007.50fc.5880 was learned via Gi2/0/1, after switch received ping on the second port, Gi2/0/2, CAM table was updated. Finally another ping came again on Gi2/0/1, so again, CAM table was updated. This is a normal behavior. If you think, that after learning MAC address on one port, a switch is unable to learn the same MAC address on the second port, you are wrong, if you were right, for example Spanning Tree Protocols would be useless.
2) CAM table has static entry for a particular MAC address, next this address appears on different port. Port-security is disabled.
When a switch has a static entry for a particular MAC address, and this MAC address appears on the different port, CAM table is not updated. Thus, when the switch receives frames on the second port and try to send reply, the switch will use static (wrong!) entry from CAM table.
For the rest of this post, I will use 2 ports on my switch, Gi2/0/3 and Gi2/0/4.
3) Gi2/0/3 with port-security but without sticky learning, Gi2/0/4 without port-security
When Gi2/0/3 has port-security enabled, and Gi2/0/4 has port-security disabled, running-configuration is very simple:
SW1#show running-config interface gi2/0/3
!
interface GigabitEthernet2/0/3
switchport mode access
switchport port-security
spanning-tree portfast
end
SW1#show running-config interface gi2/0/4
!
!
interface GigabitEthernet2/0/4
switchport mode access
spanning-tree portfast
end
With this settings, the same MAC address can first appear on Gi2/0/3, next on Gi2/0/4 and finally again on Gi2/0/3. Every time CAM table is updated and no violation occurred.
4) Gi2/0/3 and Gi2/0/4 have the same configuration, with port-security enabled, but without sticky learning.
Here results are the same as before. CAM table is updated, no violation occurred.
5)Gi2/0/3 has port-security enabled with sticky learning, Gi2/0/4 has port-security disabled
Here there is a new line in the running-configuration: switchport port-security mac-address sticky 0007.50fc.5880 vlan access. Interestingly, when this MAC address appears on the second port, the running-configuration is not change, however CAM is updated (remember, that Gi2/0/4 has port-security disabled). In addition to this, pings work to two ports (Gi2/0/3 and Gi2/0/4) and also no violation occurred:
SW1#show run int gi2/0/3
!
interface GigabitEthernet2/0/3
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0007.50fc.5880 vlan access
spanning-tree portfast
end
SW1#show run int gi2/0/4
!
interface GigabitEthernet2/0/4
switchport mode access
spanning-tree portfast
end
SW1#show mac address-table address 0007.50fc.5880
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 0007.50fc.5880 DYNAMIC Gi2/0/4
6) Gi2/0/3 has port-security enabled and sticky learning, Gi2/0/4 has only port-security, without sticky learning:
Here, as soon as MAC address 0007.50fc.5880 appears on the second interface with port-security enabled, the second interface goes down into err-disable state:
SW1#
*Mar 1 00:36:04.436: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
*Mar 1 00:36:05.435: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/3, changed state to down
SW1#
*Mar 1 00:36:06.374: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
SW1#
*Mar 1 00:36:06.441: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/3, changed state to down
SW1#
*Mar 1 00:36:08.362: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/4, changed state to up
*Mar 1 00:36:08.983: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi2/0/4, putting Gi2/0/4 in err-disable state
*Mar 1 00:36:08.983: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0007.50fc.5880 on port GigabitEthernet2/0/4.
SW1#
*Mar 1 00:36:08.991: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
SW1#show mac address-table address 0007.50fc.5880
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
SW1#show port-security interface gi2/0/3
Port Security : Enabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0007.50fc.5880:1
Security Violation Count : 0
SW1#show port-security interface gi2/0/4
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0007.50fc.5880:1
Security Violation Count : 1
So it is clear, that ping doesn't work. However when we switch the cable back into Gi2/0/3, CAM is updated again, and pings that are coming to Gi2/0/3 are accepted.
7) Both ports are configured with port-security and sticky MAC address learning
The same as the 6th case.
To sum up:
yes= the same MAC address is accepted on two different switch ports,
no= the same MAC address is not accepted on two different switch ports:
1st interface - port-security - sticky learning | 1st interface + port-security - sticky learning | 1st interface + port-security + sticky learning | |
2nd interface - port-security - sticky learning | yes | yes | yes |
2nd interface + port-security - sticky learning | yes | yes | no |
2nd interface + port-security + sticky learning | yes | no | no |
Sunday, 27 March 2011
MPLS-based VPNs
When I was learning about MPLS, I was a little bit confused about the fact, how BGP distributes vpn labels and how there are used.
On the picture (click to enlarge) we can see, that customer bank has 2 sites connected to an ISP, who is running BGP in AS 60 and provides an MPLS-based VPNs. The ISP has divided its AS into two sub-AS. Although I am using in my example confederations, in fact the same concept is behind an inter-provider MPLS-based VPNs. In addition to this, I am using a simple formula, that router Rn can distribute labels from range n00 to n99 (R3 sends labels with values between 300-399 and so on).
1) In the first scenario, I will merge OSPF1 and OSPF2 (assuming that the ISP is running only single IGP within the whole AS) and establish a single BGP session between R3 and R6. Next I will send ping from R3 to R2 (154.0.0.1).
In this case, R6 is responsible for assigning a vpn label for the 154.0.0.0/24 network and sending this label via MP-BGP to R3:
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
!Some lines omitted
609 706 12.0.0.0/30 0 Se0/0 point2point
610 707 11.0.0.0/30 0 Se0/0 point2point
611 Untagged 154.0.0.0/24[V] 0 Se0/1 point2point
We can see, that R6 has chosen label with value of 611 for this network. Next via MP-BGP this label was advertised to R3:
R3#show ip bgp vpnv4 all 154.0.0.0
BGP routing table entry for 1:1:154.0.0.0/24, version 17
! Some lines omitted
6.6.6.6 (metric 321) from 6.6.6.6 (6.6.6.6)
Origin incomplete, metric 1, localpref 100, valid, external, best
Extended Community: RT:1:1
mpls labels in/out nolabel/611
To see the whole stack of labels, which R3 will use to forward packets to 154.0.0.0/24, we can use:
R3#show ip cef vrf bank 154.0.0.0
154.0.0.0/24, version 14, epoch 0, cached adjacency to Serial0/1
0 packets, 0 bytes
tag information set
local tag: VPN-route-head
fast tag rewrite with Se0/1, point2point, tags imposed: {405 611}
via 6.6.6.6, 0 dependencies, recursive
next hop 11.0.0.2, Serial0/1 via 6.6.6.6/32
valid cached adjacency
tag rewrite with Se0/1, point2point, tags imposed: {405 611}
And finally, the traceroute:
R3#traceroute vrf bank 154.0.0.1
Type escape sequence to abort.
Tracing the route to 154.0.0.1
1 11.0.0.2 [MPLS: Labels 405/611 Exp 0] 140 msec 80 msec 100 msec
2 12.0.0.2 [MPLS: Labels 509/611 Exp 0] 116 msec 180 msec 84 msec
3 13.0.0.2 [MPLS: Labels 801/611 Exp 0] 76 msec 112 msec 228 msec
4 14.0.0.1 [MPLS: Labels 701/611 Exp 0] 64 msec 148 msec 196 msec
5 16.0.0.2 [MPLS: Label 611 Exp 0] 64 msec 136 msec 36 msec
6 16.0.0.1 192 msec 232 msec *
In this scenario, we can see, that the vpn label is assigned by R6 (611) and is unchanged when packet traverses in the LSP. However the top label is swapped on every single router within the LSP. Next R7 pops the top label and sends the packet with only one label (only the vpn label: 611) to R6. Finally R6 exactly knows what to do with packets destined to 154.0.0.1.
2) In this scenario I assume, that each sub-AS is running a separate IGP (OSPF1 & OSPF2). In contrast to the 1st scenario, I establish three BGP sessions: R3-R5, R5-R8 and R8-R6. Moreover R5 and R8 are configured with next-hop-self, when sending updates to R3 and R6, respectively:
R3#traceroute vrf bank 154.0.0.1
Type escape sequence to abort.
Tracing the route to 154.0.0.1
1 11.0.0.2 [MPLS: Labels 400/504 Exp 0] 284 msec 144 msec 100 msec
2 13.0.0.1 [MPLS: Label 504 Exp 0] 216 msec 168 msec 268 msec
3 14.0.0.2 [MPLS: Label 805 Exp 0] 116 msec 212 msec 112 msec
4 14.0.0.1 [MPLS: Labels 701/611 Exp 0] 84 msec 244 msec 244 msec
5 16.0.0.2 [MPLS: Label 611 Exp 0] 208 msec 140 msec 140 msec
6 16.0.0.1 144 msec 148 msec *
Type escape sequence to abort.
Tracing the route to 154.0.0.1
1 11.0.0.2 [MPLS: Labels 400/504 Exp 0] 284 msec 144 msec 100 msec
2 13.0.0.1 [MPLS: Label 504 Exp 0] 216 msec 168 msec 268 msec
3 14.0.0.2 [MPLS: Label 805 Exp 0] 116 msec 212 msec 112 msec
4 14.0.0.1 [MPLS: Labels 701/611 Exp 0] 84 msec 244 msec 244 msec
5 16.0.0.2 [MPLS: Label 611 Exp 0] 208 msec 140 msec 140 msec
6 16.0.0.1 144 msec 148 msec *
Here we see three different vpn labels: 504, 805 and 611. Both R5 and R8 are swapping vpn labels:
BGP routing table entry for 1:1:154.0.0.0/24, version 17
Paths: (1 available, best #1, table bank)
Advertised to update-groups:
2
Local
6.6.6.6 (metric 129) from 6.6.6.6 (6.6.6.6)
Origin incomplete, metric 1, localpref 100, valid, internal, best
Extended Community: RT:1:1
mpls labels in/out 805/611
This behaviour is due to the fact, that routers in AS 65000 have no idea about routes in AS65001. The connectivity between them is provided only by the BGP session between R5 and R8. So when R3 is sending packets to R2:
- R3 imposes two labels: 504 as a vpn label assigned by R5, and 400 label assigned by R4 as a label to reach R5
- R4 only pops the top label (PHP) and send the packet with vpn label only, (504)
- R5 pops its vpn label (504) and sends packet to R8 with the new vpn label (805)
- R8 does the same thing as R5, (swaps the vpn label). R8 also pushes a new label (701) as a label to reach R6
- R7 pops the top label (PHP) and sends the packet with vpn label only, (611)
- Finally R6 receives packet with its own vpn label, so R6 pops all labels and sends the unlabelled packet to R2
R3#traceroute vrf bank 154.0.0.1
Type escape sequence to abort.
Tracing the route to 154.0.0.1
1 11.0.0.2 [MPLS: Labels 403/805 Exp 0] 188 msec 272 msec 168 msec
2 12.0.0.2 [MPLS: Labels 503/805 Exp 0] 160 msec 172 msec 80 msec
3 14.0.0.2 [MPLS: Label 805 Exp 0] 124 msec 288 msec 448 msec
4 14.0.0.1 [MPLS: Labels 701/611 Exp 0] 196 msec 272 msec 72 msec
5 16.0.0.2 [MPLS: Label 611 Exp 0] 96 msec 160 msec 132 msec
6 16.0.0.1 192 msec 172 msec *
In this example we see only two vpn labels: 805 and 611. Moreover, only R5 and R7 are performing PHP. In this scenario R3 uses R8 as a next hop (R3 has a route to R8, and R5 doesn't change the next-hop attribute in updates sending to R3) so R3 can use a vpn label directly assigned by R8 (this is the main difference between the previous scenario).
I hope that after reading this post, some of you have a basic idea how packets are forwarded when an MPLS-based VPNs are deployed.
Monday, 21 March 2011
Administrative Distance
Few days ago I heard quite interesting question: what will happen, if different routing protocols receive the same administrative distance (hereinafter only the AD). I have tried to find the answer, however there are few different scenarios, so it is a good place to share with you some of my researches.
I took 3 different routing protocols: EIGRP, OSPF, RIP (with AD equal to 90, 110, 120, respectively). When I was searching for some answers, I came across this link, however the explanations from this website are insufficient for me. We can speak about 2 different situations. In first scenario we choose 2 routing protocols and we are making AD for them equal, however we set AD for them to the "neutral value". In the second option, we set AD to the default value of the first (or second) routing protocol. In both cases we have to find out, which routing protocol will be preferred: this, which has lower default AD or this which has AD unchanged (this may work only for the second scenario). Or maybe this one, which had its AD set later?
I will use a simple topology with 2 routers, R1 and R2. R2 advertises few different networks to R1, as depicted in the following picture:
D 192.168.4.0/24 [90/2681856] via 10.0.0.2, 00:06:37, Serial0/0
D 192.168.5.0/24 [90/2681856] via 10.0.0.2, 00:06:37, Serial0/0
10.0.0.0/30 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Serial0/0
D 192.168.6.0/24 [90/2681856] via 10.0.0.2, 00:05:43, Serial0/0
R 192.168.0.0/24 [120/1] via 10.0.0.2, 00:00:12, Serial0/0
O 192.168.1.0/24 [110/128] via 10.0.0.2, 00:06:22, Serial0/0
D 192.168.2.0/24 [90/2681856] via 10.0.0.2, 00:06:37, Serial0/0
O 192.168.3.0/24 [110/128] via 10.0.0.2, 00:06:23, Serial0/0
Now let's change AD to some "neutral values". Here I will focus also on the order in which AD of different routing protocols is changed. Let's make the following changes:
R1(config-router)#distance eigrp 97 170
R1(config-router)#exit
R1(config)#router ospf 1
R1(config-router)#distance 97
R1(config-router)#exit
R1(config)#router rip
R1(config-router)#distance 97
R1#show ip route
Codes: C - connected, R - RIP, D - EIGRP, O - OSPF,
D 192.168.4.0/24 [97/2681856] via 10.0.0.2, 00:01:48, Serial0/0
D 192.168.5.0/24 [97/2681856] via 10.0.0.2, 00:01:48, Serial0/0
10.0.0.0/30 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Serial0/0
D 192.168.6.0/24 [97/2681856] via 10.0.0.2, 00:01:48, Serial0/0
R 192.168.0.0/24 [97/1] via 10.0.0.2, 00:00:24, Serial0/0
O 192.168.1.0/24 [97/128] via 10.0.0.2, 00:01:18, Serial0/0
D 192.168.2.0/24 [97/2681856] via 10.0.0.2, 00:01:48, Serial0/0
O 192.168.3.0/24 [97/128] via 10.0.0.2, 00:01:18, Serial0/0
R1(config-router)#distance 98
R1(config-router)#exit
R1(config)#router ospf 1
R1(config-router)#distance 98
R1(config-router)#exit
R1(config)#router eigrp 1
R1(config-router)#distance eigrp 98 170
R1#show ip routeCodes: C - connected, R - RIP, D - EIGRP, O - OSPF,
D 192.168.4.0/24 [98/2681856] via 10.0.0.2, 00:00:35, Serial0/0
D 192.168.5.0/24 [98/2681856] via 10.0.0.2, 00:00:35, Serial0/0
10.0.0.0/30 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Serial0/0
D 192.168.6.0/24 [98/2681856] via 10.0.0.2, 00:00:35, Serial0/0
R 192.168.0.0/24 [98/1] via 10.0.0.2, 00:00:24, Serial0/0
O 192.168.1.0/24 [98/128] via 10.0.0.2, 00:01:06, Serial0/0
D 192.168.2.0/24 [98/2681856] via 10.0.0.2, 00:00:35, Serial0/0
O 192.168.3.0/24 [98/128] via 10.0.0.2, 00:01:06, Serial0/0
R1(config-router)#distance 99
R1(config-router)#exit
R1(config)#router eigrp 1
R1(config-router)#distance eigrp 99 170
R1(config-router)#exit
R1(config)#router rip
R1(config-router)#distance 99
R1#show ip routeCodes: C - connected, R - RIP, D - EIGRP, O - OSPF,
D 192.168.4.0/24 [99/2681856] via 10.0.0.2, 00:01:08, Serial0/0
D 192.168.5.0/24 [99/2681856] via 10.0.0.2, 00:01:08, Serial0/0
10.0.0.0/30 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Serial0/0
D 192.168.6.0/24 [99/2681856] via 10.0.0.2, 00:01:08, Serial0/0
R 192.168.0.0/24 [99/1] via 10.0.0.2, 00:00:18, Serial0/0
O 192.168.1.0/24 [99/128] via 10.0.0.2, 00:02:00, Serial0/0
D 192.168.2.0/24 [99/2681856] via 10.0.0.2, 00:01:08, Serial0/0
O 192.168.3.0/24 [99/128] via 10.0.0.2, 00:02:00, Serial0/0
In all cases, the outputs taken from R1 are the same. Metrics are totally ignored, and EIGRP wins with RIP and OSPF, whereas OSPF wins with RIP. So it looks like that default AD is taken into account (EIGRP < OSPF < RIP). Later we will check if it is correct for EIGRP external routes, where default AD is 170.
Now let's set the AD to default OSPF AD (AD = 110), next to default RIP AD (AD = 120):
R1(config-router)#distance 110
R1(config)#router eigrp 1
R1(config-router)#distance eigrp 110 170
R1#show ip routeCodes: C - connected, R - RIP, D - EIGRP, O - OSPF,
D 192.168.4.0/24 [110/2681856] via 10.0.0.2, 00:00:07, Serial0/0
D 192.168.5.0/24 [110/2681856] via 10.0.0.2, 00:00:07, Serial0/0
10.0.0.0/30 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Serial0/0
D 192.168.6.0/24 [110/2681856] via 10.0.0.2, 00:00:07, Serial0/0
R 192.168.0.0/24 [110/1] via 10.0.0.2, 00:00:09, Serial0/0
O 192.168.1.0/24 [110/128] via 10.0.0.2, 00:01:33, Serial0/0
D 192.168.2.0/24 [110/2681856] via 10.0.0.2, 00:00:07, Serial0/0
O 192.168.3.0/24 [110/128] via 10.0.0.2, 00:01:33, Serial0/0
R1(config-router)#distance eigrp 120 170
R1(config-router)#exit
R1(config)#router ospf 1
R1(config-router)#distance 120
R1#show ip routeCodes: C - connected, R - RIP, D - EIGRP, O - OSPF,
D 192.168.4.0/24 [120/2681856] via 10.0.0.2, 00:00:50, Serial0/0
D 192.168.5.0/24 [120/2681856] via 10.0.0.2, 00:00:18, Serial0/0
10.0.0.0/30 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Serial0/0
D 192.168.6.0/24 [120/2681856] via 10.0.0.2, 00:00:18, Serial0/0
R 192.168.0.0/24 [120/1] via 10.0.0.2, 00:00:23, Serial0/0
O 192.168.1.0/24 [120/128] via 10.0.0.2, 00:00:18, Serial0/0
D 192.168.2.0/24 [120/2681856] via 10.0.0.2, 00:00:50, Serial0/0
O 192.168.3.0/24 [120/128] via 10.0.0.2, 00:00:18, Serial0/0
In both cases, the outputs from R1 are the same. Still EIGRP is "the best" and OSPF is "better" than RIP.
Now let's modify slightly our example. R2 will redistribute all EIGRP networks and advertised these networks to R1 as external with default AD equal to 170. Here is the output from R1, when AD is not modified:
R1#show ip route
Codes: Codes: C - connected, R - RIP, D - EIGRP, EX - EIGRP external, O - OSPF,
R 192.168.4.0/24 [120/1] via 10.0.0.2, 00:00:16, Serial0/0
O 192.168.5.0/24 [120/128] via 10.0.0.2, 00:02:47, Serial0/0
10.0.0.0/30 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Serial0/0
O 192.168.6.0/24 [120/128] via 10.0.0.2, 00:02:47, Serial0/0
R 192.168.0.0/24 [120/1] via 10.0.0.2, 00:00:16, Serial0/0
O 192.168.1.0/24 [120/128] via 10.0.0.2, 00:08:03, Serial0/0
D EX 192.168.2.0/24 [170/2474496] via 10.0.0.2, 00:00:57, Serial0/0
O 192.168.3.0/24 [120/128] via 10.0.0.2, 00:08:03, Serial0/0
Now let's change AD of all protocols to 130 (first), and 102 (next).
R1(config-router)#distance eigrp 130 130
R1(config-router)#exit
R1(config)#router rip
R1(config-router)#distance 130
R1(config)#router ospf 1
R1(config-router)#distance 130
R1#show ip routeCodes: Codes: C - connected, R - RIP, D - EIGRP, EX - EIGRP external, O - OSPF,
D EX 192.168.4.0/24 [130/2474496] via 10.0.0.2, 00:00:49, Serial0/0
D EX 192.168.5.0/24 [130/2474496] via 10.0.0.2, 00:00:14, Serial0/0
10.0.0.0/30 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Serial0/0
D EX 192.168.6.0/24 [130/2474496] via 10.0.0.2, 00:00:14, Serial0/0
R 192.168.0.0/24 [130/1] via 10.0.0.2, 00:00:26, Serial0/0
O 192.168.1.0/24 [130/128] via 10.0.0.2, 00:00:14, Serial0/0
D EX 192.168.2.0/24 [130/2474496] via 10.0.0.2, 00:00:49, Serial0/0
O 192.168.3.0/24 [130/128] via 10.0.0.2, 00:00:14, Serial0/0
R1(config-router)#distance 102
R1(config-router)#exit
R1(config)#router rip
R1(config-router)#distance 102
R1(config-router)#exit
R1(config)#router eigrp 1
R1(config-router)#distance eigrp 90 102
R1#show ip routeCodes: Codes: C - connected, R - RIP, D - EIGRP, EX - EIGRP external, O - OSPF,
D EX 192.168.4.0/24 [102/2474496] via 10.0.0.2, 00:00:09, Serial0/0
D EX 192.168.5.0/24 [102/2474496] via 10.0.0.2, 00:00:09, Serial0/0
10.0.0.0/30 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Serial0/0
D EX 192.168.6.0/24 [102/2474496] via 10.0.0.2, 00:00:09, Serial0/0
R 192.168.0.0/24 [102/1] via 10.0.0.2, 00:00:04, Serial0/0
O 192.168.1.0/24 [102/128] via 10.0.0.2, 00:00:10, Serial0/0
D EX 192.168.2.0/24 [102/2474496] via 10.0.0.2, 00:00:09, Serial0/0
O 192.168.3.0/24 [102/128] via 10.0.0.2, 00:00:10, Serial0/0
Here we can see quite interesting thing. Still EIGRP wins with RIP and OSPF, and routes delivered by EIGRP are installed in the routing table, even if these routes are external with default AD of 170. So it looks like EIGRP is always preferred.
I also made some other tests. For example, eBGP is preferred than EIGRP (eBGP has AD = 20):
Above we can see that the 192.168.2.0/24 is received via BGP and EIGRP. The AD of them (both BGP and EIGRP) is set to 56. IOS picked up the route received via BGP. Even iBGP (default AD = 200) is preferred than EIGRP:
R1#show ip bgp
BGP table version is 4, local router ID is 10.0.0.1
Status codes: * valid, > best, i - internal,
Network Next Hop Metric LocPrf Weight Path
*>i192.168.2.0 10.0.0.2 0 100 0 i
R1#show ip routeCodes: Codes: C - connected, R - RIP, D - EIGRP, EX - EIGRP external, O - OSPF, B - BGP,
D 192.168.4.0/24 [56/2681856] via 10.0.0.2, 00:01:05, Serial0/0
D 192.168.5.0/24 [56/2681856] via 10.0.0.2, 00:01:05, Serial0/0
B 192.168.2.0/24 [56/0] via 10.0.0.2, 00:01:05
However each time I have changed the AD for BGP (external or internal) after changing the AD for EIGRP, I had to prompt clear ip bgp * or clear ip route * so BGP could kick off the existing route which have been delivered via EIGRP (in other words, if AD of BGP was changed first, EIGRP didn't have any chance to install its routes to RIB, however if AD of EIGRP was changed before AD of BGP, and it was a lower value than the default AD of BGP, one of these two commands was required).
To sum up, it looks like the default AD is the tie-breaker. However IOS doesn't take into account default AD of external EIGRP nor iBGP, it just takes default AD equal to 90 and 20, respectively.
I took 3 different routing protocols: EIGRP, OSPF, RIP (with AD equal to 90, 110, 120, respectively). When I was searching for some answers, I came across this link, however the explanations from this website are insufficient for me. We can speak about 2 different situations. In first scenario we choose 2 routing protocols and we are making AD for them equal, however we set AD for them to the "neutral value". In the second option, we set AD to the default value of the first (or second) routing protocol. In both cases we have to find out, which routing protocol will be preferred: this, which has lower default AD or this which has AD unchanged (this may work only for the second scenario). Or maybe this one, which had its AD set later?
I will use a simple topology with 2 routers, R1 and R2. R2 advertises few different networks to R1, as depicted in the following picture:
Basically, with all default settings, nothing suspicious can be observed:
R1#show ip route
Codes: C - connected, R - RIP, D - EIGRP, O - OSPF,
Codes: C - connected, R - RIP, D - EIGRP, O - OSPF,
D 192.168.4.0/24 [90/2681856] via 10.0.0.2, 00:06:37, Serial0/0
D 192.168.5.0/24 [90/2681856] via 10.0.0.2, 00:06:37, Serial0/0
10.0.0.0/30 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Serial0/0
D 192.168.6.0/24 [90/2681856] via 10.0.0.2, 00:05:43, Serial0/0
R 192.168.0.0/24 [120/1] via 10.0.0.2, 00:00:12, Serial0/0
O 192.168.1.0/24 [110/128] via 10.0.0.2, 00:06:22, Serial0/0
D 192.168.2.0/24 [90/2681856] via 10.0.0.2, 00:06:37, Serial0/0
O 192.168.3.0/24 [110/128] via 10.0.0.2, 00:06:23, Serial0/0
Now let's change AD to some "neutral values". Here I will focus also on the order in which AD of different routing protocols is changed. Let's make the following changes:
- AD = 97, EIGRP, OSPF, RIP:
R1(config-router)#distance eigrp 97 170
R1(config-router)#exit
R1(config)#router ospf 1
R1(config-router)#distance 97
R1(config-router)#exit
R1(config)#router rip
R1(config-router)#distance 97
R1#show ip route
Codes: C - connected, R - RIP, D - EIGRP, O - OSPF,
D 192.168.4.0/24 [97/2681856] via 10.0.0.2, 00:01:48, Serial0/0
D 192.168.5.0/24 [97/2681856] via 10.0.0.2, 00:01:48, Serial0/0
10.0.0.0/30 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Serial0/0
D 192.168.6.0/24 [97/2681856] via 10.0.0.2, 00:01:48, Serial0/0
R 192.168.0.0/24 [97/1] via 10.0.0.2, 00:00:24, Serial0/0
O 192.168.1.0/24 [97/128] via 10.0.0.2, 00:01:18, Serial0/0
D 192.168.2.0/24 [97/2681856] via 10.0.0.2, 00:01:48, Serial0/0
O 192.168.3.0/24 [97/128] via 10.0.0.2, 00:01:18, Serial0/0
- AD = 98, RIP, OSPF, EIGRP:
R1(config-router)#distance 98
R1(config-router)#exit
R1(config)#router ospf 1
R1(config-router)#distance 98
R1(config-router)#exit
R1(config)#router eigrp 1
R1(config-router)#distance eigrp 98 170
R1#show ip routeCodes: C - connected, R - RIP, D - EIGRP, O - OSPF,
D 192.168.4.0/24 [98/2681856] via 10.0.0.2, 00:00:35, Serial0/0
D 192.168.5.0/24 [98/2681856] via 10.0.0.2, 00:00:35, Serial0/0
10.0.0.0/30 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Serial0/0
D 192.168.6.0/24 [98/2681856] via 10.0.0.2, 00:00:35, Serial0/0
R 192.168.0.0/24 [98/1] via 10.0.0.2, 00:00:24, Serial0/0
O 192.168.1.0/24 [98/128] via 10.0.0.2, 00:01:06, Serial0/0
D 192.168.2.0/24 [98/2681856] via 10.0.0.2, 00:00:35, Serial0/0
O 192.168.3.0/24 [98/128] via 10.0.0.2, 00:01:06, Serial0/0
- AD = 99, OSPF, EIGRP, RIP:
R1(config-router)#distance 99
R1(config-router)#exit
R1(config)#router eigrp 1
R1(config-router)#distance eigrp 99 170
R1(config-router)#exit
R1(config)#router rip
R1(config-router)#distance 99
R1#show ip routeCodes: C - connected, R - RIP, D - EIGRP, O - OSPF,
D 192.168.4.0/24 [99/2681856] via 10.0.0.2, 00:01:08, Serial0/0
D 192.168.5.0/24 [99/2681856] via 10.0.0.2, 00:01:08, Serial0/0
10.0.0.0/30 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Serial0/0
D 192.168.6.0/24 [99/2681856] via 10.0.0.2, 00:01:08, Serial0/0
R 192.168.0.0/24 [99/1] via 10.0.0.2, 00:00:18, Serial0/0
O 192.168.1.0/24 [99/128] via 10.0.0.2, 00:02:00, Serial0/0
D 192.168.2.0/24 [99/2681856] via 10.0.0.2, 00:01:08, Serial0/0
O 192.168.3.0/24 [99/128] via 10.0.0.2, 00:02:00, Serial0/0
In all cases, the outputs taken from R1 are the same. Metrics are totally ignored, and EIGRP wins with RIP and OSPF, whereas OSPF wins with RIP. So it looks like that default AD is taken into account (EIGRP < OSPF < RIP). Later we will check if it is correct for EIGRP external routes, where default AD is 170.
Now let's set the AD to default OSPF AD (AD = 110), next to default RIP AD (AD = 120):
- AD = 110
R1(config-router)#distance 110
R1(config)#router eigrp 1
R1(config-router)#distance eigrp 110 170
R1#show ip routeCodes: C - connected, R - RIP, D - EIGRP, O - OSPF,
D 192.168.4.0/24 [110/2681856] via 10.0.0.2, 00:00:07, Serial0/0
D 192.168.5.0/24 [110/2681856] via 10.0.0.2, 00:00:07, Serial0/0
10.0.0.0/30 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Serial0/0
D 192.168.6.0/24 [110/2681856] via 10.0.0.2, 00:00:07, Serial0/0
R 192.168.0.0/24 [110/1] via 10.0.0.2, 00:00:09, Serial0/0
O 192.168.1.0/24 [110/128] via 10.0.0.2, 00:01:33, Serial0/0
D 192.168.2.0/24 [110/2681856] via 10.0.0.2, 00:00:07, Serial0/0
O 192.168.3.0/24 [110/128] via 10.0.0.2, 00:01:33, Serial0/0
- AD = 120
R1(config-router)#distance eigrp 120 170
R1(config-router)#exit
R1(config)#router ospf 1
R1(config-router)#distance 120
R1#show ip routeCodes: C - connected, R - RIP, D - EIGRP, O - OSPF,
D 192.168.4.0/24 [120/2681856] via 10.0.0.2, 00:00:50, Serial0/0
D 192.168.5.0/24 [120/2681856] via 10.0.0.2, 00:00:18, Serial0/0
10.0.0.0/30 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Serial0/0
D 192.168.6.0/24 [120/2681856] via 10.0.0.2, 00:00:18, Serial0/0
R 192.168.0.0/24 [120/1] via 10.0.0.2, 00:00:23, Serial0/0
O 192.168.1.0/24 [120/128] via 10.0.0.2, 00:00:18, Serial0/0
D 192.168.2.0/24 [120/2681856] via 10.0.0.2, 00:00:50, Serial0/0
O 192.168.3.0/24 [120/128] via 10.0.0.2, 00:00:18, Serial0/0
In both cases, the outputs from R1 are the same. Still EIGRP is "the best" and OSPF is "better" than RIP.
Now let's modify slightly our example. R2 will redistribute all EIGRP networks and advertised these networks to R1 as external with default AD equal to 170. Here is the output from R1, when AD is not modified:
R1#show ip route
Codes: Codes: C - connected, R - RIP, D - EIGRP, EX - EIGRP external, O - OSPF,
R 192.168.4.0/24 [120/1] via 10.0.0.2, 00:00:16, Serial0/0
O 192.168.5.0/24 [120/128] via 10.0.0.2, 00:02:47, Serial0/0
10.0.0.0/30 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Serial0/0
O 192.168.6.0/24 [120/128] via 10.0.0.2, 00:02:47, Serial0/0
R 192.168.0.0/24 [120/1] via 10.0.0.2, 00:00:16, Serial0/0
O 192.168.1.0/24 [120/128] via 10.0.0.2, 00:08:03, Serial0/0
D EX 192.168.2.0/24 [170/2474496] via 10.0.0.2, 00:00:57, Serial0/0
O 192.168.3.0/24 [120/128] via 10.0.0.2, 00:08:03, Serial0/0
Now let's change AD of all protocols to 130 (first), and 102 (next).
- AD = 130, EIGRP first, next RIP, last OSPF:
R1(config-router)#distance eigrp 130 130
R1(config-router)#exit
R1(config)#router rip
R1(config-router)#distance 130
R1(config)#router ospf 1
R1(config-router)#distance 130
R1#show ip routeCodes: Codes: C - connected, R - RIP, D - EIGRP, EX - EIGRP external, O - OSPF,
D EX 192.168.4.0/24 [130/2474496] via 10.0.0.2, 00:00:49, Serial0/0
D EX 192.168.5.0/24 [130/2474496] via 10.0.0.2, 00:00:14, Serial0/0
10.0.0.0/30 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Serial0/0
D EX 192.168.6.0/24 [130/2474496] via 10.0.0.2, 00:00:14, Serial0/0
R 192.168.0.0/24 [130/1] via 10.0.0.2, 00:00:26, Serial0/0
O 192.168.1.0/24 [130/128] via 10.0.0.2, 00:00:14, Serial0/0
D EX 192.168.2.0/24 [130/2474496] via 10.0.0.2, 00:00:49, Serial0/0
O 192.168.3.0/24 [130/128] via 10.0.0.2, 00:00:14, Serial0/0
- AD = 102, OSPF first, then RIP, EIGRP last:
R1(config-router)#distance 102
R1(config-router)#exit
R1(config)#router rip
R1(config-router)#distance 102
R1(config-router)#exit
R1(config)#router eigrp 1
R1(config-router)#distance eigrp 90 102
R1#show ip routeCodes: Codes: C - connected, R - RIP, D - EIGRP, EX - EIGRP external, O - OSPF,
D EX 192.168.4.0/24 [102/2474496] via 10.0.0.2, 00:00:09, Serial0/0
D EX 192.168.5.0/24 [102/2474496] via 10.0.0.2, 00:00:09, Serial0/0
10.0.0.0/30 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Serial0/0
D EX 192.168.6.0/24 [102/2474496] via 10.0.0.2, 00:00:09, Serial0/0
R 192.168.0.0/24 [102/1] via 10.0.0.2, 00:00:04, Serial0/0
O 192.168.1.0/24 [102/128] via 10.0.0.2, 00:00:10, Serial0/0
D EX 192.168.2.0/24 [102/2474496] via 10.0.0.2, 00:00:09, Serial0/0
O 192.168.3.0/24 [102/128] via 10.0.0.2, 00:00:10, Serial0/0
Here we can see quite interesting thing. Still EIGRP wins with RIP and OSPF, and routes delivered by EIGRP are installed in the routing table, even if these routes are external with default AD of 170. So it looks like EIGRP is always preferred.
I also made some other tests. For example, eBGP is preferred than EIGRP (eBGP has AD = 20):
R1#show ip route
Codes: Codes: C - connected, R - RIP, D - EIGRP, EX - EIGRP external, O - OSPF, B - BGP,
D 192.168.4.0/24 [56/2681856] via 10.0.0.2, 00:00:17, Serial0/0
D 192.168.5.0/24 [56/2681856] via 10.0.0.2, 00:00:17, Serial0/0
B 192.168.2.0/24 [56/0] via 10.0.0.2, 00:00:30
! Some lines omitted
D 192.168.4.0/24 [56/2681856] via 10.0.0.2, 00:00:17, Serial0/0
D 192.168.5.0/24 [56/2681856] via 10.0.0.2, 00:00:17, Serial0/0
B 192.168.2.0/24 [56/0] via 10.0.0.2, 00:00:30
! Some lines omitted
Above we can see that the 192.168.2.0/24 is received via BGP and EIGRP. The AD of them (both BGP and EIGRP) is set to 56. IOS picked up the route received via BGP. Even iBGP (default AD = 200) is preferred than EIGRP:
R1#show ip bgp
BGP table version is 4, local router ID is 10.0.0.1
Status codes: * valid, > best, i - internal,
Network Next Hop Metric LocPrf Weight Path
*>i192.168.2.0 10.0.0.2 0 100 0 i
R1#show ip routeCodes: Codes: C - connected, R - RIP, D - EIGRP, EX - EIGRP external, O - OSPF, B - BGP,
D 192.168.4.0/24 [56/2681856] via 10.0.0.2, 00:01:05, Serial0/0
D 192.168.5.0/24 [56/2681856] via 10.0.0.2, 00:01:05, Serial0/0
B 192.168.2.0/24 [56/0] via 10.0.0.2, 00:01:05
However each time I have changed the AD for BGP (external or internal) after changing the AD for EIGRP, I had to prompt clear ip bgp * or clear ip route * so BGP could kick off the existing route which have been delivered via EIGRP (in other words, if AD of BGP was changed first, EIGRP didn't have any chance to install its routes to RIB, however if AD of EIGRP was changed before AD of BGP, and it was a lower value than the default AD of BGP, one of these two commands was required).
To sum up, it looks like the default AD is the tie-breaker. However IOS doesn't take into account default AD of external EIGRP nor iBGP, it just takes default AD equal to 90 and 20, respectively.
Monday, 14 March 2011
The power of access-lists
Today let's talk about access-lists. In many books we can easily find the statements, that prefix-lists are much convenient than access-lists. With prefix-lists, using ge and/or le gives more flexibility. For example imagine, that you have 5 networks: 10.0.0.0/24, 10.0.1.0/25, 10.0.1.128/25, 10.0.2.0/26, 10.0.2.128/25. Next, you want to permit only these networks with prefix length of 25. You can use a simple prefix-list command:
ip prefix-list FILTER permit 10.0.0.0/16 ge 25 le 25
whereas you need to use 3 (or 2) different lines with access-list:
access-list 1 permit 10.0.1.0 0.0.0.127
access-list 1 permit 10.0.1.128 0.0.0.127
access-list 1 permit 10.0.2.128 0.0.0.127
or
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 1 permit 10.0.2.128 0.0.0.127
In this example the difference is small, but with more than 50 lines, using standard access-lists can be daunting. However extended access-lists are much more powerful.
For this example, I will use 2 routers directly connected with EIGRP:
R2 has 10 loopbacks with different networks which are being advertised to R1 via EIGRP:
R2#show ip interface | include 192
Internet address is 192.168.0.1/24
Internet address is 192.168.1.1/25
Internet address is 192.168.1.129/25
Internet address is 192.168.2.1/26
Internet address is 192.168.2.65/27
Internet address is 192.168.2.129/27
Internet address is 192.168.3.1/28
Internet address is 192.168.3.65/28
Internet address is 192.168.3.129/29
Internet address is 192.168.3.161/29
R1#show ip route eigrp
D 192.168.0.0/24 [90/2297856] via 10.0.0.1, 00:01:08, Serial0/0
192.168.1.0/25 is subnetted, 2 subnets
D 192.168.1.0 [90/2297856] via 10.0.0.1, 00:00:48, Serial0/0
D 192.168.1.128 [90/2297856] via 10.0.0.1, 00:00:48, Serial0/0
192.168.2.0/24 is variably subnetted, 3 subnets, 2 masks
D 192.168.2.64/27 [90/2297856] via 10.0.0.1, 00:00:48, Serial0/0
D 192.168.2.0/26 [90/2297856] via 10.0.0.1, 00:00:48, Serial0/0
D 192.168.2.128/27 [90/2297856] via 10.0.0.1, 00:00:48, Serial0/0
192.168.3.0/24 is variably subnetted, 4 subnets, 2 masks
D 192.168.3.64/28 [90/2297856] via 10.0.0.1, 00:00:48, Serial0/0
D 192.168.3.0/28 [90/2297856] via 10.0.0.1, 00:00:48, Serial0/0
D 192.168.3.160/29 [90/2297856] via 10.0.0.1, 00:00:48, Serial0/0
D 192.168.3.128/29 [90/2297856] via 10.0.0.1, 00:00:48, Serial0/0
R1#show ip route summary | include eigrp
eigrp 1 1 9 720 1280
We see, that everything works. Now we would like to send to R1 only these prefixes with network length of 27 or more. We will do this using either the prefix-list or extended ACL, and in each case we will use one single matching-command!
First, let's do this using prefix-list:
R2#conf t
R2(config)#ip prefix-list PREF1 permit 192.168.0.0/16 ge 27
R2(config)#route-map PREFOUT1 permit 10
R2(config-route-map)#match ip address prefix-list PREF1
R2(config-route-map)#exit
R2(config)#router eigrp 1
R2(config-router)#distribute-list route-map PREFOUT1 out
And on R1 we've got:
R1#show ip route eigrp
192.168.2.0/27 is subnetted, 2 subnets
D 192.168.2.64 [90/2297856] via 10.0.0.1, 00:04:30, Serial0/0
D 192.168.2.128 [90/2297856] via 10.0.0.1, 00:04:30, Serial0/0
192.168.3.0/24 is variably subnetted, 4 subnets, 2 masks
D 192.168.3.64/28 [90/2297856] via 10.0.0.1, 00:04:30, Serial0/0
D 192.168.3.0/28 [90/2297856] via 10.0.0.1, 00:04:30, Serial0/0
D 192.168.3.160/29 [90/2297856] via 10.0.0.1, 00:04:30, Serial0/0
D 192.168.3.128/29 [90/2297856] via 10.0.0.1, 00:04:30, Serial0/0
R1#show ip route summary | include eigrp
eigrp 1 0 6 432 768
Now, let's do the same using ACL:
R2#conf t
R2(config)#access-list 100 permit ip 192.168.0.0 0.0.255.255 255.255.255.224 0.0.0.31
R2(config)#route-map ACLOUT1 permit 10
R2(config-route-map)#match ip address 100
R2(config-route-map)#exit
R2(config)#router eigrp 1
R2(config-router)#distribute-list route-map ACLOUT1 out
And what we get on R1? The same!
R1#show ip route eigrp
192.168.2.0/27 is subnetted, 2 subnets
D 192.168.2.64 [90/2297856] via 10.0.0.1, 00:12:49, Serial0/0
D 192.168.2.128 [90/2297856] via 10.0.0.1, 00:12:49, Serial0/0
192.168.3.0/24 is variably subnetted, 4 subnets, 2 masks
D 192.168.3.64/28 [90/2297856] via 10.0.0.1, 00:12:49, Serial0/0
D 192.168.3.0/28 [90/2297856] via 10.0.0.1, 00:12:49, Serial0/0
D 192.168.3.160/29 [90/2297856] via 10.0.0.1, 00:12:49, Serial0/0
D 192.168.3.128/29 [90/2297856] via 10.0.0.1, 00:12:49, Serial0/0
R1#show ip route summary | include eigrp
eigrp 1 0 6 432 768
Now let's permit only these prefixes, that have the length of 26 to 28. First we can use the prefix-list solution:
R2#configure t
R2(config)#ip prefix-list PREF2 permit 192.168.0.0/16 ge 26 le 28
R2(config)#route-map PREFOUT2 permit 10
R2(config-route-map)#match ip address prefix-list PREF2
R2(config-route-map)#exit
R2(config)#router eigrp 1
R2(config-router)#distribute-list route-map PREFOUT2 out
On R1:
R1#show ip route eigrp
192.168.2.0/24 is variably subnetted, 3 subnets, 2 masks
D 192.168.2.64/27 [90/2297856] via 10.0.0.1, 00:17:22, Serial0/0
D 192.168.2.0/26 [90/2297856] via 10.0.0.1, 00:02:27, Serial0/0
D 192.168.2.128/27 [90/2297856] via 10.0.0.1, 00:17:22, Serial0/0
192.168.3.0/28 is subnetted, 2 subnets
D 192.168.3.64 [90/2297856] via 10.0.0.1, 00:17:22, Serial0/0
D 192.168.3.0 [90/2297856] via 10.0.0.1, 00:17:22, Serial0/0
R1#show ip route summary | include eigrp
eigrp 1 0 5 360 640
Now we will use the ACL logic:
R2#configure t
R2(config)#access-list 101 permit ip 192.168.0.0 0.0.255.255 255.255.255.192 0.0.0.48
R2(config)#route-map ACLOUT2 permit 10
R2(config-route-map)#match ip address 101
R2(config-route-map)#exit
R2(config)#router eigrp 1
R2(config-router)#distribute-list route-map ACLOUT2 out
Let's go back to R1:
R1#show ip route eigrp
192.168.2.0/24 is variably subnetted, 3 subnets, 2 masks
D 192.168.2.64/27 [90/2297856] via 10.0.0.1, 00:24:44, Serial0/0
D 192.168.2.0/26 [90/2297856] via 10.0.0.1, 00:09:49, Serial0/0
D 192.168.2.128/27 [90/2297856] via 10.0.0.1, 00:24:44, Serial0/0
192.168.3.0/28 is subnetted, 2 subnets
D 192.168.3.64 [90/2297856] via 10.0.0.1, 00:24:44, Serial0/0
D 192.168.3.0 [90/2297856] via 10.0.0.1, 00:24:44, Serial0/0
R1#show ip route summary | include eigrp
eigrp 1 0 5 360 640
Again, we have done the same thing with the ACL that with the prefix-list! And we used the same number of commands!
Here, I tried to prove, that both of them are provide the similar level of flexibility. However prefix-lists have more user-friendly CLI and provide higher performance (use less CPU cycles) and that should be the main motivation to use them.
ip prefix-list FILTER permit 10.0.0.0/16 ge 25 le 25
whereas you need to use 3 (or 2) different lines with access-list:
access-list 1 permit 10.0.1.0 0.0.0.127
access-list 1 permit 10.0.1.128 0.0.0.127
access-list 1 permit 10.0.2.128 0.0.0.127
or
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 1 permit 10.0.2.128 0.0.0.127
In this example the difference is small, but with more than 50 lines, using standard access-lists can be daunting. However extended access-lists are much more powerful.
For this example, I will use 2 routers directly connected with EIGRP:
R2 has 10 loopbacks with different networks which are being advertised to R1 via EIGRP:
R2#show ip interface | include 192
Internet address is 192.168.0.1/24
Internet address is 192.168.1.1/25
Internet address is 192.168.1.129/25
Internet address is 192.168.2.1/26
Internet address is 192.168.2.65/27
Internet address is 192.168.2.129/27
Internet address is 192.168.3.1/28
Internet address is 192.168.3.65/28
Internet address is 192.168.3.129/29
Internet address is 192.168.3.161/29
R1#show ip route eigrp
D 192.168.0.0/24 [90/2297856] via 10.0.0.1, 00:01:08, Serial0/0
192.168.1.0/25 is subnetted, 2 subnets
D 192.168.1.0 [90/2297856] via 10.0.0.1, 00:00:48, Serial0/0
D 192.168.1.128 [90/2297856] via 10.0.0.1, 00:00:48, Serial0/0
192.168.2.0/24 is variably subnetted, 3 subnets, 2 masks
D 192.168.2.64/27 [90/2297856] via 10.0.0.1, 00:00:48, Serial0/0
D 192.168.2.0/26 [90/2297856] via 10.0.0.1, 00:00:48, Serial0/0
D 192.168.2.128/27 [90/2297856] via 10.0.0.1, 00:00:48, Serial0/0
192.168.3.0/24 is variably subnetted, 4 subnets, 2 masks
D 192.168.3.64/28 [90/2297856] via 10.0.0.1, 00:00:48, Serial0/0
D 192.168.3.0/28 [90/2297856] via 10.0.0.1, 00:00:48, Serial0/0
D 192.168.3.160/29 [90/2297856] via 10.0.0.1, 00:00:48, Serial0/0
D 192.168.3.128/29 [90/2297856] via 10.0.0.1, 00:00:48, Serial0/0
R1#show ip route summary | include eigrp
eigrp 1 1 9 720 1280
We see, that everything works. Now we would like to send to R1 only these prefixes with network length of 27 or more. We will do this using either the prefix-list or extended ACL, and in each case we will use one single matching-command!
First, let's do this using prefix-list:
R2#conf t
R2(config)#ip prefix-list PREF1 permit 192.168.0.0/16 ge 27
R2(config)#route-map PREFOUT1 permit 10
R2(config-route-map)#match ip address prefix-list PREF1
R2(config-route-map)#exit
R2(config)#router eigrp 1
R2(config-router)#distribute-list route-map PREFOUT1 out
And on R1 we've got:
R1#show ip route eigrp
192.168.2.0/27 is subnetted, 2 subnets
D 192.168.2.64 [90/2297856] via 10.0.0.1, 00:04:30, Serial0/0
D 192.168.2.128 [90/2297856] via 10.0.0.1, 00:04:30, Serial0/0
192.168.3.0/24 is variably subnetted, 4 subnets, 2 masks
D 192.168.3.64/28 [90/2297856] via 10.0.0.1, 00:04:30, Serial0/0
D 192.168.3.0/28 [90/2297856] via 10.0.0.1, 00:04:30, Serial0/0
D 192.168.3.160/29 [90/2297856] via 10.0.0.1, 00:04:30, Serial0/0
D 192.168.3.128/29 [90/2297856] via 10.0.0.1, 00:04:30, Serial0/0
R1#show ip route summary | include eigrp
eigrp 1 0 6 432 768
Now, let's do the same using ACL:
R2#conf t
R2(config)#access-list 100 permit ip 192.168.0.0 0.0.255.255 255.255.255.224 0.0.0.31
R2(config)#route-map ACLOUT1 permit 10
R2(config-route-map)#match ip address 100
R2(config-route-map)#exit
R2(config)#router eigrp 1
R2(config-router)#distribute-list route-map ACLOUT1 out
And what we get on R1? The same!
R1#show ip route eigrp
192.168.2.0/27 is subnetted, 2 subnets
D 192.168.2.64 [90/2297856] via 10.0.0.1, 00:12:49, Serial0/0
D 192.168.2.128 [90/2297856] via 10.0.0.1, 00:12:49, Serial0/0
192.168.3.0/24 is variably subnetted, 4 subnets, 2 masks
D 192.168.3.64/28 [90/2297856] via 10.0.0.1, 00:12:49, Serial0/0
D 192.168.3.0/28 [90/2297856] via 10.0.0.1, 00:12:49, Serial0/0
D 192.168.3.160/29 [90/2297856] via 10.0.0.1, 00:12:49, Serial0/0
D 192.168.3.128/29 [90/2297856] via 10.0.0.1, 00:12:49, Serial0/0
R1#show ip route summary | include eigrp
eigrp 1 0 6 432 768
Now let's permit only these prefixes, that have the length of 26 to 28. First we can use the prefix-list solution:
R2#configure t
R2(config)#ip prefix-list PREF2 permit 192.168.0.0/16 ge 26 le 28
R2(config)#route-map PREFOUT2 permit 10
R2(config-route-map)#match ip address prefix-list PREF2
R2(config-route-map)#exit
R2(config)#router eigrp 1
R2(config-router)#distribute-list route-map PREFOUT2 out
On R1:
R1#show ip route eigrp
192.168.2.0/24 is variably subnetted, 3 subnets, 2 masks
D 192.168.2.64/27 [90/2297856] via 10.0.0.1, 00:17:22, Serial0/0
D 192.168.2.0/26 [90/2297856] via 10.0.0.1, 00:02:27, Serial0/0
D 192.168.2.128/27 [90/2297856] via 10.0.0.1, 00:17:22, Serial0/0
192.168.3.0/28 is subnetted, 2 subnets
D 192.168.3.64 [90/2297856] via 10.0.0.1, 00:17:22, Serial0/0
D 192.168.3.0 [90/2297856] via 10.0.0.1, 00:17:22, Serial0/0
R1#show ip route summary | include eigrp
eigrp 1 0 5 360 640
Now we will use the ACL logic:
R2#configure t
R2(config)#access-list 101 permit ip 192.168.0.0 0.0.255.255 255.255.255.192 0.0.0.48
R2(config)#route-map ACLOUT2 permit 10
R2(config-route-map)#match ip address 101
R2(config-route-map)#exit
R2(config)#router eigrp 1
R2(config-router)#distribute-list route-map ACLOUT2 out
Let's go back to R1:
R1#show ip route eigrp
192.168.2.0/24 is variably subnetted, 3 subnets, 2 masks
D 192.168.2.64/27 [90/2297856] via 10.0.0.1, 00:24:44, Serial0/0
D 192.168.2.0/26 [90/2297856] via 10.0.0.1, 00:09:49, Serial0/0
D 192.168.2.128/27 [90/2297856] via 10.0.0.1, 00:24:44, Serial0/0
192.168.3.0/28 is subnetted, 2 subnets
D 192.168.3.64 [90/2297856] via 10.0.0.1, 00:24:44, Serial0/0
D 192.168.3.0 [90/2297856] via 10.0.0.1, 00:24:44, Serial0/0
R1#show ip route summary | include eigrp
eigrp 1 0 5 360 640
Again, we have done the same thing with the ACL that with the prefix-list! And we used the same number of commands!
Here, I tried to prove, that both of them are provide the similar level of flexibility. However prefix-lists have more user-friendly CLI and provide higher performance (use less CPU cycles) and that should be the main motivation to use them.
Subscribe to:
Posts (Atom)