Re: Tough Filtering Question

From: Godswill Oletu (oletu@inbox.lv)
Date: Sat Jun 07 2008 - 19:02:41 ART


Replace the initial solution with the one below, so that your filtering will
only affect RIP routes from BB1 and not other sources...

access-list 1 deny <route-1>
access-list 1 deny <route-2>
access-list 1 deny <route-3>
.
.
access-list 1 deny <route-9>
access-list 1 permit any
!
Router RIP
distribute-list 1 in
!
Router EIGRP 1
redistribute RIP metric 1 1 1 1 1
!

The above solution should be okay, since you were not restricted from using
multiple ACL statements, and you will be allowing future RIP routes from
other sources into EIGRP as well.

One can do it both ways, i.e. using one 'permit statement' or using 'multiple
deny statements'; however, whichever solution you adopt, you must make sure
that it does not break other parts of your network.

HTH

Godswill Oletu
CCIE #16464 (R&S)
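
[Added example, not part of the original thread or any poster's configuration.] The approaches discussed in this thread differ in how first-match ACL evaluation and the implicit deny treat RIP routes that do not come from BB1. The sketch below models that for a global distribute-list, a per-interface distribute-list, and a route-map on redistribution. The interface names, the nine other BB1 prefixes and the 172.16.1.0 route are constructed sample values.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.ip_address(s))

def acl_action(acl, network):
    """First-match standard ACL lookup on a route's network address."""
    for action, base, wildcard in acl:
        care = ~_ip(wildcard) & 0xFFFFFFFF   # wildcard bits set to 1 are ignored
        if _ip(network) & care == _ip(base) & care:
            return action
    return "deny"                             # implicit deny ends every ACL

def rip_table(updates, acl, interface=None):
    """Apply 'distribute-list <acl> in [interface]' to (interface, network) updates."""
    return [(ifc, net) for ifc, net in updates
            if (interface is not None and ifc != interface)  # list not applied here
            or acl_action(acl, net) == "permit"]

def redistribute(table, route_map_acl=None):
    """'redistribute rip [route-map]' with one permit sequence matching the ACL."""
    return sorted(net for _, net in table
                  if route_map_acl is None
                  or acl_action(route_map_acl, net) == "permit")

# Constructed sample: ten prefixes from BB1 plus one RIP route from another source.
BB1 = [("to-BB1", f"10.10.{i}.0") for i in range(1, 11)]
UPDATES = BB1 + [("to-BB2", "172.16.1.0")]
WANTED = "10.10.10.0"

PERMIT_ONE = [("permit", WANTED, "0.0.0.0")]
DENY_NINE = [("deny", net, "0.0.0.0") for _, net in BB1 if net != WANTED] \
            + [("permit", "0.0.0.0", "255.255.255.255")]   # permit any

def scenarios():
    """Routes that reach EIGRP under each combination."""
    return {
        "permit-one, global list": redistribute(rip_table(UPDATES, PERMIT_ONE)),
        "deny-nine + permit any, global list": redistribute(rip_table(UPDATES, DENY_NINE)),
        "permit-one, per-interface list + route-map":
            redistribute(rip_table(UPDATES, PERMIT_ONE, "to-BB1"), PERMIT_ONE),
    }

if __name__ == "__main__":
    for name, routes in scenarios().items():
        print(f"{name}: {routes}")
```

In the third scenario the 172.16.1.0 route stays in the RIP table and only the route-map keeps it out of EIGRP; in the first it never enters the RIP table at all.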

----- Original Message -----
From: "Godswill Oletu" <oletu@inbox.lv>
To: "Matt Bentley" <mattdbentley@gmail.com>; "Joseph Brunner"
<joe@affirmedsystems.com>
Cc: "Luca Hall" <lhall@setnine.com>; <ccielab@groupstudy.com>
Sent: Saturday, June 07, 2008 5:43 PM
Subject: Re: Tough Filtering Question

> The solution you have under section R1: below, will not meet the two
> requirements set forth in the original question you posted.
>
> Your solution will only satisfy Requirement 2: and will fail to satisfy
> requirement 1:
>
> Others here have provided you with solutions that should work fine; that
> is, using the ACL to control the routes that get into your RIP table and
> also invoking the same ACL to control what gets into your EIGRP table.
>
> If I were the one executing this task, I would avoid using a
> 'distribute-list' when redistributing into EIGRP from RIP.
>
> Note that the distribute-list will not only affect the RIP routes from
> BB1, but all RIP routes from either BB2, BB3 or other Routers in your
> pod; so as you can see, it will have a more far-reaching effect than you
> anticipate.
>
> I will go about the task as follows:
>
> !
> access-list 1 permit 1.1.1.1
> !
> Router RIP
> distribute-list 1 in
> !
> Router EIGRP 1
> redistribute RIP metric 1 1 1 1 1
> !
>
> This way, I am redistributing only the allowed RIP route from BB1 into
> EIGRP and I am not also inadvertently filtering out from EIGRP all other
> RIP routes that might have found their way into my Router from other
> sources.
>
> Always remember to keep it simple and stupid. Many times in the real lab,
> if your solutions are not "simple & stupid", it might mean you are thinking
> way too much and you need to throttle it down a notch.
>
> Godswill Oletu
> CCIE #16464 (R&S)
>
>
> ----- Original Message -----
> From: "Matt Bentley" <mattdbentley@gmail.com>
> To: "Joseph Brunner" <joe@affirmedsystems.com>
> Cc: "Luca Hall" <lhall@setnine.com>; <ccielab@groupstudy.com>
> Sent: Saturday, June 07, 2008 5:15 PM
> Subject: Re: Tough Filtering Question
>
>
>> Thanks for everyone's advice so far. I hope I am not persisting in a wrong
>> thought, though it's very possible.
>>
>> I see it this way:
>>
>> There is some reverse logic going on here:
>>
>> When you are using distribute lists, offset-lists, and distance, anything
>> that you DENY in an acl is NOT filtered. Anything that you PERMIT is
>> filtered.
>>
>> For example:
>>
>> offset-list TEST 16 in fa0/0
>>
>> ip access-list standard TEST
>> deny 1.1.1.1
>> permit any
>>
>> The 1.1.1.0 prefix would be the only prefix to appear - as you are denying
>> it from being filtered. Everything else would be filtered.
>>
>> If I were to do this
>> ip access-list standard TEST
>> permit 1.1.1.1
>>
>> Then only 1.1.1.0 would be filtered, and everything else denied.
>>
>>
>> I know this wouldn't work, but is it along the right track? Thanks for
>> everybody's comments
>>
>> R1:
>>
>> ip cef
>>
>> class-map match-all FILTER
>> match not access-group 1
>> match protocol rip
>>
>> policy-map FILTER2
>> class FILTER
>> drop
>>
>> router eigrp 100
>> redistribute rip route-map RIP->EIGRP metric 1 1 1 1 1
>>
>> route-map RIP->EIGRP
>> match ip add 1
>>
>> access-list 1 permit [the one prefix]
>>
>>
>>
>>
>>
>> On Sat, Jun 7, 2008 at 4:22 PM, Joseph Brunner <joe@affirmedsystems.com>
>> wrote:
>>
>>> >This infers a DENY in the ACL being used (you can only use one ACL for both
>>> >tasks).
>>>
>>> NO actually it does not mean you must DENY anything... as a matter of fact
>>> the word deny need not appear in the entire config to do this... Simply
>>> don't permit the 9 filtered routes, and they will be effectively denied
>>> without ever saying so.
>>>
>>> Q> what is at the end of every ACL, with at least 1 permit line?
>>> A> a deny any...
>>>
>>> Q> what happens to any route that is not matched by a route-map permit
>>> sequence if that route-map is referenced during redistribution?
>>> A> the route is not redistributed.
>>>
>>> I would recommend re-reading the Wendell Odom CCIE exam certification
>>> guide's page on route-map matching not/matching routes, with permit and
>>> deny sequences.
>>>
>>> -Joe
>>>
>>> -----Original Message-----
>>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>>> Matt Bentley
>>> Sent: Saturday, June 07, 2008 3:52 PM
>>> To: Luca Hall
>>> Cc: ccielab@groupstudy.com
>>> Subject: Re: Tough Filtering Question
>>>
>>> Hello Luca:
>>>
>>> Tough part is that you can only use one ACL for both tasks. In order to
>>> have the route in your table to redistribute it into EIGRP, you must
>>> prevent it from being filtered, correct? This infers a DENY in the ACL
>>> being used (you can only use one ACL for both tasks). Since you must
>>> use a deny - I think, then you would be denying that route from getting
>>> redistributed. Once again, key here is you are only allowed a single
>>> ACL for both tasks. Thanks again
>>>
>>> On Sat, Jun 7, 2008 at 3:44 PM, Luca Hall <lhall@setnine.com> wrote:
>>>
>>> >
>>> > so if the route's 10.10.10.0/24 can't you just:
>>> >
>>> > access-list 5 permit 10.10.10.0
>>> > router rip
>>> > distribute-list 5 in <interface>
>>> >
>>> > route-map RIP->EIGRP permit 10
>>> > match ip address 5
>>> >
>>> > router eigrp X
>>> > redistribute rip route-map RIP->EIGRP metric 1 1 1 1 1
>>> >
>>> > where's the tough part? if you have to use denys just deny the other
>>> > 9 routes in the acl and permit any any or permit the specific one.
>>> >
>>> >
>>> > ----- Original Message -----
>>> > From: Matt Bentley <mattdbentley@gmail.com>
>>> > To: ccielab@groupstudy.com
>>> > Sent: Sat, 7 Jun 2008 15:09:42 -0400 (EDT)
>>> > Subject: Tough Filtering Question
>>> >
>>> > Hi GS:
>>> >
>>> > Ran across this one on a lab.
>>> >
>>> > Requirement #1: R1 is receiving 10 RIP routes from BB1, you want to
>>> > filter out all except 1. You must use a standard ACL
>>> > Requirement #2: You want to redistribute only that one route received
>>> > from BB1 from RIP into EIGRP on R1, restricting the redistribution to
>>> > only that single route. The ACL you use to restrict must be the same as
>>> > the one used to filter from BB1.
>>> >
>>> > Using distance, offset-lists, and distribute-lists, you have to DENY
>>> > that single RIP route to prevent it getting filtered. Correct? How can
>>> > you use that same ACL to PERMIT it to be redistributed into EIGRP.
>>> >
>>> > Thanks in advance.
>>> >
>>> >
>>> > _______________________________________________________________________
>>> > Subscription information may be found at:
>>> > http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:21 ART