From: Tom Nooning (t.nooning@insightbb.com)
Date: Mon May 30 2005 - 12:44:23 GMT-3

I think it's also important to keep in mind that the distance command is
looking to match on the originating source of the route, not the route
itself. So while the 'distance 255 0.0.0.0 255.255.255.255 1' commands
work, it's matching on every router advertising 0.0.0.0. And while this may
be exactly what you need, also know that the following more specific entry
will work as well:

FRS#s ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
Known via "isis", distance 115, metric 10, candidate default path, type
level-2
Redistributing via isis
Last update from 172.16.36.3 on Ethernet0/0, 00:03:45 ago
Routing Descriptor Blocks:
* 172.16.36.3, from 172.16.36.3, via Ethernet0/0
Route metric is 10, traffic share count is 1
FRS#conf t
Enter configuration commands, one per line. End with CNTL/Z.
FRS(config)#access-l 5 permit 0.0.0.0
FRS(config)#router isis
FRS(config-router)#distance 255 172.16.36.3 0.0.0.0 5
FRS(config-router)#end
FRS#clear ip route *
FRS#s ip route 0.0.0.0
% Network not in table

Picked this up from a Brian McGahan email dated 11/10/2004 with the subject
line "RE: OSPF : Commands Doubt.":
'The common problem is that the address you need to match is the
"from" address. In OSPF this is the router-id of the originating
router. It differs from protocol to protocol what the originator is
(EIGRP is the neighbor's interface address), but it's always the "from"
address in the show ip route output.'

----- Original Message -----
From: "Ian Henderson" <ianh@chime.net.au>
To: "ccie2be" <ccie2be@nyc.rr.com>
Cc: "'Bob Sinclair'" <bsin@cox.net>; "'Long Kwok'" <lkwok@ccieunix.com>;
<ccielab@groupstudy.com>
Sent: Monday, May 30, 2005 10:30 AM
Subject: RE: Filtering/Poisoning ISIS injected 0.0.0.0/0 default route from
L1 internal routers

> On Mon, 30 May 2005, ccie2be wrote:
>
>> BTW, I don't see anything wrong with how Kwok used the distance command.
>> Shouldn't that have worked?
>>
>> Router isis
>> Distance 255 0.0.0.0 255.255.255.255 1
>>
>> Access-list 1 deny 0.0.0.0 0.0.0.0
>
> 'access-list 1 permit 0.0.0.0 0.0.0.0' is what you're after here. This
> shows up as 'access-list 1 permit any' in the running config.
>
> Rack1R3#show run | inc access-list 1
> access-list 1 permit any
> Rack1R3#show ip route 0.0.0.0
> % Network not in table
> Rack1R3#conf t
> Enter configuration commands, one per line. End with CNTL/Z.
> Rack1R3(config)#no access-list 1
> Rack1R3(config)#access-list 1 deny 0.0.0.0 0.0.0.0
> Rack1R3(config)#
> Rack1R3#show
> 6d05h: %SYS-5-CONFIG_I: Configured from console by console
> Rack1R3#show ip route 0.0.0.0
> Routing entry for 0.0.0.0/0, supernet
> Known via "isis", distance 115, metric 10, candidate default path, type
> level-2
> Redistributing via isis
> Last update from 149.1.127.4 on FastEthernet0/0, 00:00:00 ago
> Routing Descriptor Blocks:
> * 149.1.127.4, from 149.1.254.4, via FastEthernet0/0
> Route metric is 10, traffic share count is 1
>
> Rack1R3#
>
>
> --
> Ian Henderson CCNA, CCNP
> Senior Network Engineer
>
> iiNet Limited
> Chime Communications Pty Ltd
>
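
A small Python model of the matching this thread describes, added here as an example (it is not code from the list or from Cisco): a distance statement applies only when the route's "from" address matches the source/wildcard pair and the access list permits the prefix. The function names are hypothetical, and the routes and ACLs are constructed from the two router sessions above.

```python
import ipaddress

def wild_match(addr, base, wildcard):
    """IOS wildcard match: bits set in the wildcard are "don't care"."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def acl_permits(acl, prefix):
    """Standard ACL: first matching entry decides, implicit deny at the end."""
    for action, base, wildcard in acl:
        if wild_match(prefix, base, wildcard):
            return action == "permit"
    return False

def effective_distance(route, rules, default_ad=115):
    """route = (prefix, from_address); rules = [(ad, source, wildcard, acl)].
    A rule applies only when the route's "from" address matches
    source/wildcard AND the ACL permits the prefix. Taking the first
    applicable rule is a simplification made for this sketch."""
    prefix, from_addr = route
    for ad, source, wildcard, acl in rules:
        if wild_match(from_addr, source, wildcard) and acl_permits(acl, prefix):
            return ad
    return default_ad  # 115, the IS-IS distance shown in the thread's output

def installed(route, rules):
    """Distance 255 keeps a route out of the table ("% Network not in table")."""
    return effective_distance(route, rules) != 255

# Inputs constructed from the two router sessions in the thread.
FRS_DEFAULT = ("0.0.0.0", "172.16.36.3")   # from 172.16.36.3
R3_DEFAULT = ("0.0.0.0", "149.1.254.4")    # via 149.1.127.4, from 149.1.254.4
ACL_HOST = [("permit", "0.0.0.0", "0.0.0.0")]         # access-list 5 permit 0.0.0.0
ACL_ANY = [("permit", "0.0.0.0", "255.255.255.255")]  # access-list 1 permit any
ACL_DENY = [("deny", "0.0.0.0", "0.0.0.0")]           # access-list 1 deny 0.0.0.0 0.0.0.0
ANY_SOURCE = ("0.0.0.0", "255.255.255.255")

if __name__ == "__main__":
    cases = [
        ("FRS, source 172.16.36.3, acl 5", FRS_DEFAULT, (255, "172.16.36.3", "0.0.0.0", ACL_HOST)),
        ("R3, any source, permit any", R3_DEFAULT, (255, *ANY_SOURCE, ACL_ANY)),
        ("R3, any source, deny entry", R3_DEFAULT, (255, *ANY_SOURCE, ACL_DENY)),
        ("R3, next hop as source", R3_DEFAULT, (255, "149.1.127.4", "0.0.0.0", ACL_HOST)),
        ("R3, from address as source", R3_DEFAULT, (255, "149.1.254.4", "0.0.0.0", ACL_HOST)),
    ]
    for label, route, rule in cases:
        print(f"{label}: distance {effective_distance(route, [rule])}")
```

The last two cases use the R3 route, whose next hop (149.1.127.4) differs from its "from" address (149.1.254.4): only the rule keyed on the "from" address changes the distance.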
This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:12:03 GMT-3