From: Long Kwok (lkwok@ccieunix.com)
Date: Mon May 30 2005 - 13:23:39 GMT-3
Good one Tom, thanks. I agree: anytime we outright blanket filter we are asking for problems. So you are saying anytime you want to know the source of a routing update you do a show ip route 1.1.1.x on it, and the "from" address is the source you can put in your distance filter to be accurate and not possibly screw up other routers ...
TIA, Long
-----Original Message-----
From: Tom Nooning [mailto:t.nooning@insightbb.com]
Sent: Monday, May 30, 2005 8:44 AM
To: Ian Henderson; ccie2be
Cc: Long Kwok; ccielab@groupstudy.com
Subject: Re: Filtering/Poisoning ISIS injected 0.0.0.0/0 default route from L1 internal routers
I think it's also important to keep in mind that the distance command is
looking to match on the originating source of the route, not the route
itself. So while the 'distance 255 0.0.0.0 255.255.255.255 1' commands
work, it's matching on every router advertising 0.0.0.0. And while this may
be exactly what you need, also know that the following more specific entry
will work as well:
FRS#s ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
Known via "isis", distance 115, metric 10, candidate default path, type level-2
Redistributing via isis
Last update from 172.16.36.3 on Ethernet0/0, 00:03:45 ago
Routing Descriptor Blocks:
* 172.16.36.3, from 172.16.36.3, via Ethernet0/0
Route metric is 10, traffic share count is 1
FRS#conf t
Enter configuration commands, one per line. End with CNTL/Z.
FRS(config)#access-l 5 permit 0.0.0.0
FRS(config)#router isis
FRS(config-router)#distance 255 172.16.36.3 0.0.0.0 5
FRS(config-router)#end
FRS#clear ip route *
FRS#s ip route 0.0.0.0
% Network not in table
Picked this up from a Brian McGahan email dated 11/10/2004 with the subject line "RE: OSPF : Commands Doubt.":
'The common problem is that the address you need to match is the
"from" address. In OSPF this is the router-id of the originating
router. It differs from protocol to protocol what the originator is
(EIGRP is the neighbor's interface address), but it's always the "from"
address in the show ip route output.'
----- Original Message -----
From: "Ian Henderson" <ianh@chime.net.au>
To: "ccie2be" <ccie2be@nyc.rr.com>
Cc: "'Bob Sinclair'" <bsin@cox.net>; "'Long Kwok'" <lkwok@ccieunix.com>;
<ccielab@groupstudy.com>
Sent: Monday, May 30, 2005 10:30 AM
Subject: RE: Filtering/Poisoning ISIS injected 0.0.0.0/0 default route from L1 internal routers
> On Mon, 30 May 2005, ccie2be wrote:
>
>> BTW, I don't see anything wrong with how Kwok used the distance command.
>> Shouldn't that have worked?
>>
>> Router isis
>> Distance 255 0.0.0.0 255.255.255.255 1
>>
>> Access-list 1 deny 0.0.0.0 0.0.0.0
>
> 'access-list 1 permit 0.0.0.0 0.0.0.0' is what you're after here. This
> shows up as 'access-list 1 permit any' in the running config.
>
> Rack1R3#show run | inc access-list 1
> access-list 1 permit any
> Rack1R3#show ip route 0.0.0.0
> % Network not in table
> Rack1R3#conf t
> Enter configuration commands, one per line. End with CNTL/Z.
> Rack1R3(config)#no access-list 1
> Rack1R3(config)#access-list 1 deny 0.0.0.0 0.0.0.0
> Rack1R3(config)#
> Rack1R3#show
> 6d05h: %SYS-5-CONFIG_I: Configured from console by console
> Rack1R3#show ip route 0.0.0.0
> Routing entry for 0.0.0.0/0, supernet
> Known via "isis", distance 115, metric 10, candidate default path, type level-2
> Redistributing via isis
> Last update from 149.1.127.4 on FastEthernet0/0, 00:00:00 ago
> Routing Descriptor Blocks:
> * 149.1.127.4, from 149.1.254.4, via FastEthernet0/0
> Route metric is 10, traffic share count is 1
>
> Rack1R3#
>
>
> --
> Ian Henderson CCNA, CCNP
> Senior Network Engineer
>
> iiNet Limited
> Chime Communications Pty Ltd
>
>
This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:12:03 GMT-3