From: Rohan Grover (rohang@cisco.com)
Date: Wed Jul 07 2004 - 03:26:38 GMT-3
Hi,
A related question.
If the specific redistribution scenario restricts the use of access-lists, would prefix-list be an alternative?
Or would route-tagging be the expected answer?
Thanks
Rohan
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Mike Dickson
Sent: Wednesday, July 07, 2004 8:28 AM
To: group study
Subject: RE: Redistribution Methodology
RIP V2 supports tags. However, if you are working on your Security exam, be aware that the PIX will not accept RIP advertisements
if any of the advertised routes are tagged.
Mike Dickson
CCIE #12281, MCSE+Internet, MCDBA
Dickson Network Designs
(512) 422-3192 voice (512) 394-0320 fax
www.dicksonnetworks.com
-----Original Message-----
From: Richard Dumoulin [mailto:richard.dumoulin@vanco.es]
Sent: Tuesday, July 06, 2004 4:36 PM
To: Joseph D. Phillips; group study
Subject: RE: Redistribution Methodology
Hi Joseph,
Have you tested this route-map with RIP? I believe it does not work,
--Richard
-----Original Message-----
From: Joseph D. Phillips [mailto:josephdphillips@fastmail.us]
Sent: Tuesday, 06 July 2004 22:28
To: group study
Subject: RE: Redistribution Methodology
Well the advantage of using tags is that you don't need to specify which networks are which in an access list.
Let's say there are two routing protocols: OSPF and RIPv2
Your statement under router ospf would be something like:
redistribute rip subnets metric-type 1 metric 50 route-map r2o
Your statement under router rip would look something like:
redistribute ospf (process no.) metric 2 match internal external route-map o2r
The route maps would look like:
route-map r2o deny 10
 match tag 110          <---- stop routes with tag 110 from coming in
route-map r2o permit 20
 set tag 120            <---- accept RIP routes and tag them as 120
route-map o2r deny 10
 match tag 120          <---- stop routes with tag 120 from coming in
route-map o2r permit 20
 set tag 110            <---- accept OSPF routes and tag them as 110
The numbers used to assign tags are arbitrary, but I like to associate them with administrative distance.
The purpose of the above route-maps is to prevent route feedback.
It seems to work rather well. I've had no problem with it.
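The r2o/o2r scheme above as an added toy model (not code from this thread): the two route-maps are encoded as ordered clause lists, and a two-pass mutual redistribution is run once with the tags and once with a plain permit-any, using two constructed sample prefixes, to show that only the tagged version keeps a route from being fed back into the protocol that originated it.

```python
# Added example, not from the thread: a toy model of the r2o/o2r route-maps.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: str
    origin: str            # protocol that originally learned the route
    tag: Optional[int] = None

# A route-map is an ordered list of (action, match_tag, set_tag) clauses.
R2O = [("deny", 110, None), ("permit", None, 120)]   # RIP -> OSPF (under router ospf)
O2R = [("deny", 120, None), ("permit", None, 110)]   # OSPF -> RIP (under router rip)
PERMIT_ANY = [("permit", None, None)]                # no tags at all, for contrast

def apply_route_map(rmap, route):
    """Return the route as redistributed, or None if the route-map denies it."""
    for action, match_tag, set_tag in rmap:
        if match_tag is not None and route.tag != match_tag:
            continue                      # clause does not match; try the next one
        if action == "deny":
            return None
        new_tag = set_tag if set_tag is not None else route.tag  # tag carries over
        return Route(route.prefix, route.origin, new_tag)
    return None                           # implicit deny at the end of a route-map

def redistribute(source, rmap):
    out = (apply_route_map(rmap, r) for r in source.values())
    return {r.prefix: r for r in out if r is not None}

def feedback_routes(r2o, o2r, passes=2):
    """Prefixes re-injected into the protocol that originated them.
    Each table starts with one native route (constructed sample data)."""
    ospf = {"10.1.1.0/24": Route("10.1.1.0/24", "ospf")}
    rip = {"175.10.1.0/24": Route("175.10.1.0/24", "rip")}
    leaked = set()
    for _ in range(passes):
        into_ospf = redistribute(rip, r2o)
        into_rip = redistribute(ospf, o2r)
        for p, r in into_ospf.items():
            if r.origin == "ospf":
                leaked.add(p)             # an OSPF route came back in from RIP
            ospf.setdefault(p, r)         # native routes are never overwritten
        for p, r in into_rip.items():
            if r.origin == "rip":
                leaked.add(p)             # a RIP route came back in from OSPF
            rip.setdefault(p, r)
    return leaked
```

feedback_routes(R2O, O2R) returns an empty set, while feedback_routes(PERMIT_ANY, PERMIT_ANY) returns both sample prefixes.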
----- Original message -----
From: "Rohan Grover" <rohang@cisco.com>
To: "'Joseph D. Phillips'" <josephdphillips@fastmail.us>, "'group study'" <ccielab@groupstudy.com>
Date: Wed, 7 Jul 2004 00:35:02 +0530
Subject: RE: Redistribution Methodology
Hi Joseph,
Can you give an example of how the scenario described below could be achieved with tags?
Thanks
Rohan
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Joseph D. Phillips
Sent: Wednesday, July 07, 2004 12:23 AM
To: group study
Subject: Redistribution Methodology
Start doing it with tags. There's a good chance you will be asked to do that on the exam.
----- Original message -----
From: "Joe Rinehart" <jjrinehart@hotmail.com>
To: "'Group Study (E-mail)'" <ccielab@groupstudy.com>
Date: Tue, 6 Jul 2004 11:42:52 -0700
Subject: Redistribution Methodology
I have a question that has been bugging me for a little while and would like to see what the overall opinion is on the subject.
When redistributing routing protocols (I am speaking here mainly of IGP redistribution), I know that route feedback can be an issue,
especially where mutual redistribution is concerned. Something I have been doing in those instances is putting in filters and route
maps to prevent that.
Here is the basic methodology, per protocol:
1. Create an access list with the routes to be filtered (i.e., those already in that IGP that shouldn't be coming back in from
another source). This is a series of deny statements followed by a permit any statement.
2. Create a route map calling that access list.
3. Configure the redistribute statement under the target IGP calling that route map.
Here is an example below, you may recognize it from CPSV2:
router eigrp 2003
 redistribute ospf 1 route-map filter-eigrp
 redistribute rip route-map filter-eigrp
 passive-interface default
 no passive-interface Serial0/0.103105
 network 175.10.16.0 0.0.0.255
 network 175.10.120.0 0.0.0.255
 default-metric 1544 100 254 1 1500
 no auto-summary
 no eigrp log-neighbor-changes
!
router ospf 1
 log-adjacency-changes
 area 0 authentication message-digest
 area 500 stub
 redistribute connected route-map CONNECTED
 redistribute eigrp 2003 subnets route-map filter-ospf
 redistribute rip subnets route-map filter-ospf
 network 10.1.1.0 0.0.0.255 area 500
 network 192.168.1.0 0.0.0.255 area 100
 network 192.168.2.0 0.0.0.255 area 0
!
router rip
 version 2
 redistribute eigrp 2003 route-map filter-rip
 redistribute ospf 1 route-map filter-rip
 passive-interface default
 no passive-interface Serial0/0.100
 network 175.10.0.0
 default-metric 5
 no auto-summary
access-list 1 deny 175.10.1.0 0.0.0.255
access-list 1 deny 175.10.16.0 0.0.0.255
access-list 1 permit any
access-list 2 deny 175.10.0.0 0.0.63.255
access-list 2 permit any
access-list 3 deny 10.10.1.0 0.0.0.255
access-list 3 deny 10.10.2.0 0.0.0.255
access-list 3 deny 192.200.0.0 0.0.255.255
access-list 3 deny 192.168.0.0 0.0.31.255
access-list 3 permit any
dialer-list 1 protocol ip permit
route-map filter-ospf permit 10
match ip address 3
!
route-map filter-eigrp permit 10
match ip address 1
!
route-map filter-rip permit 10
match ip address 2
Here is my question. I KNOW that this approach works rather splendidly and can take pretty much everything into account as a
template overall, but is this the kind of thing that can cost you points on the exam? I know that the rules of thumb are if they
don't forbid something you are allowed to do it, and ultimately the other test is if it works, but I also know there is a subjective
aspect as well.
Thoughts?
Joe Rinehart
AT&T
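Joe's access-list filters, as an added example (not code from this thread): a small evaluator for IOS standard access-lists with wildcard masks, loaded with the three lists from his post, so you can check which redistributed prefixes each filter route-map would let through. The mapping of route-map name to list number follows his route-map definitions; the prefixes queried are constructed test inputs.

```python
# Added example, not from the thread: IOS standard ACL wildcard matching over Joe's lists.
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: bits set to 1 in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

def parse_acl(lines):
    """Parse 'access-list N {permit|deny} base wildcard' / '... any' lines into a dict."""
    acls = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        num, action = parts[1], parts[2]
        if parts[3] == "any":
            entry = (action, "0.0.0.0", "255.255.255.255")
        else:  # a missing wildcard means an exact host match
            entry = (action, parts[3], parts[4] if len(parts) > 4 else "0.0.0.0")
        acls.setdefault(num, []).append(entry)
    return acls

def acl_permits(acl, network):
    """First matching entry wins; implicit deny if no entry matches."""
    for action, base, wildcard in acl:
        if wildcard_match(network, base, wildcard):
            return action == "permit"
    return False

# Joe's access-lists, copied from his post.
JOE_ACLS = parse_acl("""
access-list 1 deny 175.10.1.0 0.0.0.255
access-list 1 deny 175.10.16.0 0.0.0.255
access-list 1 permit any
access-list 2 deny 175.10.0.0 0.0.63.255
access-list 2 permit any
access-list 3 deny 10.10.1.0 0.0.0.255
access-list 3 deny 10.10.2.0 0.0.0.255
access-list 3 deny 192.200.0.0 0.0.255.255
access-list 3 deny 192.168.0.0 0.0.31.255
access-list 3 permit any
""".splitlines())
# route-map name -> the list its 'match ip address' clause references
ROUTE_MAPS = {"filter-eigrp": "1", "filter-rip": "2", "filter-ospf": "3"}

def passes(route_map, network):
    # Would 'route-map <name> permit 10 / match ip address N' let this prefix through?
    return acl_permits(JOE_ACLS[ROUTE_MAPS[route_map]], network)
```

Note that 0.0.63.255 in list 2 covers 175.10.0.0 through 175.10.63.255, so 175.10.16.0 is blocked by filter-rip while 175.10.120.0 is not.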
This archive was generated by hypermail 2.1.4 : Sun Aug 01 2004 - 10:11:48 GMT-3