RE: Filtering/Poisoning ISIS injected 0.0.0.0/0 default route

From: Long Kwok (lkwok@ccieunix.com)
Date: Mon May 30 2005 - 13:10:45 GMT-3


That was it, Ian, those darn permit/deny and when-to-use-them thingies
... I cannot remember when to use permit or deny for the life of me in
filtering situations such as this. Another one that got me is the
unsuppress-map feature: you have to permit those networks that you want
blocked, then the first route-map must have a deny, like from IE lab 2.
So yes, that ACL was correct, it just needed to permit it so that the
distance command would accept it. I then had to clear ip route * and
now I see all ISIS routes except for the default 0.0.0.0. Thanks Ian

Long

! match routes whose AS path ends in AS 254 (originated by 254)
ip as-path access-list 1 permit _254$

! first sequence: deny everything the as-path list permits
route-map DENY-254 deny 10
  match as-path 1

! second sequence: everything else passes unchanged
route-map DENY-254 permit 20

! apply the route-map outbound towards the neighbor
router bgp 400
  neighbor 204.12.1.254 route-map DENY-254 out

-----Original Message-----
From: Ian Henderson [mailto:ianh@chime.net.au]
Sent: Monday, May 30, 2005 7:31 AM
To: ccie2be
Cc: 'Bob Sinclair'; Long Kwok; ccielab@groupstudy.com
Subject: RE: Filtering/Poisoning ISIS injected 0.0.0.0/0 default route from L1 internal routers

On Mon, 30 May 2005, ccie2be wrote:

> BTW, I don't see anything wrong with how Kwok used the distance command.
> Shouldn't that have worked?
>
> Router isis
> Distance 255 0.0.0.0 255.255.255.255 1
>
> Access-list 1 deny 0.0.0.0 0.0.0.0

'access-list 1 permit 0.0.0.0 0.0.0.0' is what you're after here. This
shows up as 'access-list 1 permit any' in the running config.

Rack1R3#show run | inc access-list 1
access-list 1 permit any
Rack1R3#show ip route 0.0.0.0
% Network not in table
Rack1R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack1R3(config)#no access-list 1
Rack1R3(config)#access-list 1 deny 0.0.0.0 0.0.0.0
Rack1R3(config)#
Rack1R3#show
6d05h: %SYS-5-CONFIG_I: Configured from console by console
Rack1R3#show ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "isis", distance 115, metric 10, candidate default path, type level-2
  Redistributing via isis
  Last update from 149.1.127.4 on FastEthernet0/0, 00:00:00 ago
  Routing Descriptor Blocks:
  * 149.1.127.4, from 149.1.254.4, via FastEthernet0/0
      Route metric is 10, traffic share count is 1

Rack1R3#

--
Ian Henderson CCNA, CCNP
Senior Network Engineer

iiNet Limited Chime Communications Pty Ltd
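The permit-versus-deny point in Ian's reply is easy to get backwards, so here is an added example (mine, not code from anyone in this thread) that models how IOS evaluates a standard ACL used as the match list of a `distance` command: wildcard bits set to 1 are "don't care", the first matching entry decides, anything unmatched hits the implicit deny, and a route given distance 255 is never installed. The routes and the second source router are constructed sample data; treating the "from" address in the show output as the source the distance command's source/wildcard pair is matched against is an assumption of the model.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Sequence, Tuple


def ip_to_int(ip: str) -> int:
    return int(IPv4Address(ip))


@dataclass(frozen=True)
class AclEntry:
    """One line of an IOS standard access-list: permit|deny <address> <wildcard>."""
    action: str      # "permit" or "deny"
    address: str
    wildcard: str    # IOS wildcard mask: 1 bits mean "don't care"

    def matches(self, ip: str) -> bool:
        care = ~ip_to_int(self.wildcard) & 0xFFFFFFFF
        return (ip_to_int(ip) & care) == (ip_to_int(self.address) & care)


def acl_permits(entries: Sequence[AclEntry], ip: str) -> bool:
    """First matching entry wins; an unmatched address hits the implicit deny."""
    for entry in entries:
        if entry.matches(ip):
            return entry.action == "permit"
    return False


@dataclass(frozen=True)
class Route:
    prefix: str
    length: int
    source: str          # router the route was learned from ("from ..." in show ip route)
    distance: int = 115  # IS-IS default administrative distance


@dataclass(frozen=True)
class DistanceRule:
    """distance <weight> <source> <wildcard> [acl] under 'router isis'."""
    weight: int
    source: str
    wildcard: str
    acl: Tuple[AclEntry, ...] = ()   # empty tuple: no ACL, every prefix matches


def apply_distance(routes: Sequence[Route], rules: Sequence[DistanceRule]) -> List[Route]:
    """Return the routes that would be installed after the distance rules are applied.

    A route matches a rule when its source falls inside the rule's source/wildcard
    and (if an ACL is given) the ACL permits the route's network address.
    Distance 255 means the route is not installed at all.
    """
    installed = []
    for route in routes:
        distance = route.distance
        for rule in rules:
            source_ok = AclEntry("permit", rule.source, rule.wildcard).matches(route.source)
            prefix_ok = not rule.acl or acl_permits(rule.acl, route.prefix)
            if source_ok and prefix_ok:
                distance = rule.weight
                break
        if distance < 255:
            installed.append(Route(route.prefix, route.length, route.source, distance))
    return installed


# Constructed sample routing table: the default from the thread plus two others.
SAMPLE_ROUTES = (
    Route("0.0.0.0", 0, "149.1.254.4"),
    Route("149.1.127.0", 24, "149.1.254.4"),
    Route("10.0.0.0", 8, "149.1.254.5"),   # constructed second L1 router
)

# As originally tried: 'deny 0.0.0.0 0.0.0.0' plus the implicit deny permits nothing,
# so the distance rule never fires and the default stays installed.
WRONG_RULE = DistanceRule(255, "0.0.0.0", "255.255.255.255",
                          (AclEntry("deny", "0.0.0.0", "0.0.0.0"),))

# As Ian suggests: permit exactly 0.0.0.0 so the rule matches only the default route.
FIXED_RULE = DistanceRule(255, "0.0.0.0", "255.255.255.255",
                          (AclEntry("permit", "0.0.0.0", "0.0.0.0"),))


if __name__ == "__main__":
    for label, rule in (("deny 0.0.0.0 0.0.0.0", WRONG_RULE), ("permit 0.0.0.0 0.0.0.0", FIXED_RULE)):
        kept = apply_distance(SAMPLE_ROUTES, [rule])
        print(f"access-list 1 {label}: installed "
              f"{[f'{r.prefix}/{r.length}' for r in kept]}")
```

With the deny form all three sample routes stay installed; with the permit form only 0.0.0.0/0 is dropped and the other prefixes keep distance 115. The model does not replay Long's observation that the change only took effect after `clear ip route *`; on a real box the already-installed route has to be re-evaluated before the new distance applies.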



This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:12:03 GMT-3