RE: Filtering/Poisoning ISIS injected 0.0.0.0/0 default route

From: Long Kwok (lkwok@ccieunix.com)
Date: Mon May 30 2005 - 13:20:34 GMT-3


Thanks Sean, that's exactly what it is. You would think that any time you
want to stop something it would be deny, but I am learning that whenever
you are using non-protocol-specific filtering tools you have to permit, so
that the filtering tool says "OK, I am allowed to filter the stuff you say
permit on." Kind of counter-intuitive, but I am getting it now.

TIA, Long

-----Original Message-----
From: Sean C [mailto:Upp_and_Upp@hotmail.com]
Sent: Monday, May 30, 2005 8:16 AM
Cc: ccielab@groupstudy.com
Subject: Re: Filtering/Poisoning ISIS injected 0.0.0.0/0 default route
from L1 internal routers

Agree with Ian.

Long - with your ACL, since you are denying '0.0.0.0 0.0.0.0', you are not
allowing anything to match the distance command under the router process.
You have to allow the default route to be permitted.

router isis
distance 255 0.0.0.0 255.255.255.255 10

access-list 10 permit 0.0.0.0 0.0.0.0

I know I've seen this in a DoIT lab, one of the lower number labs like
lab 6, 7 or 8.

HTH, Sean
----- Original Message -----
From: "Ian Henderson" <ianh@chime.net.au>
To: "ccie2be" <ccie2be@nyc.rr.com>
Cc: "'Bob Sinclair'" <bsin@cox.net>; "'Long Kwok'" <lkwok@ccieunix.com>;

<ccielab@groupstudy.com>
Sent: Monday, May 30, 2005 10:30 AM
Subject: RE: Filtering/Poisoning ISIS injected 0.0.0.0/0 default route from
L1 internal routers

> On Mon, 30 May 2005, ccie2be wrote:
>
>> BTW, I don't see anything wrong with how Kwok used the distance command.
>> Shouldn't that have worked?
>>
>> router isis
>>  distance 255 0.0.0.0 255.255.255.255 1
>>
>> access-list 1 deny 0.0.0.0 0.0.0.0
>
> 'access-list 1 permit 0.0.0.0 0.0.0.0' is what you're after here. This
> shows up as 'access-list 1 permit any' in the running config.
>
> Rack1R3#show run | inc access-list 1
> access-list 1 permit any
> Rack1R3#show ip route 0.0.0.0
> % Network not in table
> Rack1R3#conf t
> Enter configuration commands, one per line. End with CNTL/Z.
> Rack1R3(config)#no access-list 1
> Rack1R3(config)#access-list 1 deny 0.0.0.0 0.0.0.0
> Rack1R3(config)#
> Rack1R3#show
> 6d05h: %SYS-5-CONFIG_I: Configured from console by console
> Rack1R3#show ip route 0.0.0.0
> Routing entry for 0.0.0.0/0, supernet
> Known via "isis", distance 115, metric 10, candidate default path, type
> level-2
> Redistributing via isis
> Last update from 149.1.127.4 on FastEthernet0/0, 00:00:00 ago
> Routing Descriptor Blocks:
> * 149.1.127.4, from 149.1.254.4, via FastEthernet0/0
> Route metric is 10, traffic share count is 1
>
> Rack1R3#
>
>
> --
> Ian Henderson CCNA, CCNP
> Senior Network Engineer
>
> iiNet Limited
> Chime Communications Pty Ltd
>
>
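The behaviour the thread keeps circling back to (the ACL named in a `distance` command has to PERMIT the prefix for the distance to apply, and a deny entry or the implicit deny at the end of the list means the command simply never fires) can be checked outside of a rack. The following is an added example written for this archive page, not code from any poster or from IOS; it is a simplified model of the `distance <ad> <source> <wildcard> <acl>` lookup as Sean and Ian describe it. The prefix `10.1.1.0`, the AD values, and the helper names (`wildcard_match`, `acl_permits`, `effective_distance`) are assumptions for the illustration. Beyond the case in the thread, it also shows why `permit 0.0.0.0 0.0.0.0` (host 0.0.0.0, i.e. the default prefix only) is a tighter choice than `permit any`: with `permit any` every ISIS route from any source gets AD 255, not just the default.

```python
"""Model of 'distance <ad> <source> <wildcard> <acl>' as discussed in the
thread. Added example, not IOS code and not any poster's code.

Rules modelled (as described by Sean and Ian in the thread):
  1. the route's source must fall inside <source>/<wildcard>;
  2. the route's prefix must be PERMITTED by the standard ACL;
  3. a deny entry, or the implicit 'deny any' at the end of every ACL,
     means the distance command does not apply and the route keeps its
     protocol default AD (115 for ISIS).
"""
import ipaddress
from dataclasses import dataclass
from typing import List

ISIS_DEFAULT_AD = 115     # IOS default administrative distance for ISIS
UNREACHABLE_AD = 255      # AD 255 = route is never installed


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit is 'don't care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class AclEntry:
    action: str              # "permit" or "deny"
    base: str
    wildcard: str = "0.0.0.0"  # IOS default when omitted: exact host match


def acl_permits(entries: List[AclEntry], prefix: str) -> bool:
    """Standard ACL: first matching entry decides; implicit deny at the end."""
    for e in entries:
        if wildcard_match(prefix, e.base, e.wildcard):
            return e.action == "permit"
    return False


@dataclass
class DistanceRule:
    distance: int
    source: str
    source_wildcard: str
    acl: List[AclEntry]


def effective_distance(prefix: str, source: str, rules: List[DistanceRule],
                       default_ad: int = ISIS_DEFAULT_AD) -> int:
    """AD the router would assign to a route for `prefix` learned from `source`."""
    for r in rules:
        if wildcard_match(source, r.source, r.source_wildcard) and acl_permits(r.acl, prefix):
            return r.distance
    return default_ad


# The three ACL variants from the thread, all paired with
#   distance 255 0.0.0.0 255.255.255.255 <acl>
DENY_DEFAULT = [AclEntry("deny", "0.0.0.0", "0.0.0.0")]        # Kwok's original: never fires
PERMIT_DEFAULT = [AclEntry("permit", "0.0.0.0", "0.0.0.0")]    # Sean's fix: default prefix only
PERMIT_ANY = [AclEntry("permit", "0.0.0.0", "255.255.255.255")]  # 'permit any': every prefix

# Constructed sample routes: the ISIS default route from Ian's output and an
# assumed ordinary ISIS prefix 10.1.1.0 from the same neighbour.
L2_NEIGHBOUR = "149.1.254.4"
SAMPLE_ROUTES = [("0.0.0.0", L2_NEIGHBOUR), ("10.1.1.0", L2_NEIGHBOUR)]


def compare_acls() -> dict:
    """Return {acl_name: {prefix: effective AD}} for each ACL variant."""
    variants = {"deny_default": DENY_DEFAULT,
                "permit_default": PERMIT_DEFAULT,
                "permit_any": PERMIT_ANY}
    result = {}
    for name, acl in variants.items():
        rule = DistanceRule(UNREACHABLE_AD, "0.0.0.0", "255.255.255.255", acl)
        result[name] = {p: effective_distance(p, s, [rule]) for p, s in SAMPLE_ROUTES}
    return result


if __name__ == "__main__":
    for name, ads in compare_acls().items():
        print(f"{name:15s} {ads}")
```

Under this model `deny_default` leaves the 0.0.0.0/0 route at AD 115 (exactly what Ian's `show ip route 0.0.0.0` showed after he put the deny back), `permit_default` raises only the default route to 255, and `permit_any` raises every ISIS route from that source to 255, which is usually not what a lab task asking you to poison just the default wants.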



This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:12:03 GMT-3