RE: Tough Filtering Question

From: Brian K Valentine (bkvalentine@gmail.com)
Date: Sat Jun 07 2008 - 19:05:54 ART


Godswill,

If you configured this as you suggest here, wouldn't you have the added
side-effect of redistributing routes into EIGRP for the connected interfaces
that also happen to be running RIP? The way the question is worded, it
sounds like we aren't allowed to redistribute the prefixes of the connected
interfaces running RIP into the EIGRP topology. We are only allowed to
redistribute the one prefix into EIGRP.

Brian Valentine

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Godswill Oletu
Sent: Saturday, June 07, 2008 5:43 PM
To: Matt Bentley; Joseph Brunner
Cc: Luca Hall; ccielab@groupstudy.com
Subject: Re: Tough Filtering Question

The solution you have under section R1: below, will not meet the two
requirements set forth in the original question you posted.

Your solution will only satisfy Requirement 2: and will fail to satisfy
requirement 1:

Others here have provided you with solutions that should work fine; that
using the ACL to control the routes that get into your RIP table and also
invoking the same ACL to control what gets into your EIGRP table.

If I was the one executing this task, I will avoid using a 'distribute-list'
when redistributing into EIGRP from RIP.

Note that the distribute-list will not only affect the RIP routes from BB1,
but all RIP routes from either BB2, BB3 or other Routers in your pod; so as
you can see, it will have a more far-reaching effect than you anticipate.

I will go about the task as follows:

!
access-list 1 permit 1.1.1.1
!
Router RIP
 distribute-list 1 in
!
Router EIGRP 1
 redistribute RIP metric 1 1 1 1 1
!

This way, I am redistributing only the allowed RIP route from BB1 into EIGRP
and I am not also inadvertently filtering out from EIGRP all other RIP
routes that might have found their way into my Router from other sources.

Always remember to keep it simple and stupid. Many times in the real lab, if
your solutions are not "simple & stupid", it might mean you are thinking way
too much and you need to throttle it down a notch.

Godswill Oletu
CCIE #16464 (R&S)

----- Original Message -----
From: "Matt Bentley" <mattdbentley@gmail.com>
To: "Joseph Brunner" <joe@affirmedsystems.com>
Cc: "Luca Hall" <lhall@setnine.com>; <ccielab@groupstudy.com>
Sent: Saturday, June 07, 2008 5:15 PM
Subject: Re: Tough Filtering Question

> Thanks for everyone's advice so far. I hope I am not persisting in a wrong
> thought, though it's very possible.
>
> I see it this way:
>
> There is some reverse logic going on here:
>
> When you are using distribute lists, offset-lists, and distance, anything
> that you DENY in an acl is NOT filtered. Anything that you PERMIT is
> filtered.
>
> For example:
>
> offset-list TEST 16 in fa0/0
>
> ip access-list standard TEST
> deny 1.1.1.1
> permit any
>
> The 1.1.1.0 prefix would be the only prefix to appear - as you are denying it
> from being filtered. Everything else would be filtered.
>
> If I were to do this
> ip access-list standard TEST
> permit 1.1.1.1
>
> Then only 1.1.1.0 would be filtered, and everything else denied.
>
>
> I know this wouldn't work, but is it along the right track? Thanks for
> everybody's comments
>
> R1:
>
> ip cef
>
> class-map match-all FILTER
> match not access-group 1
> match protocol rip
>
> policy-map FILTER2
> class FILTER
> drop
>
> router eigrp 100
> redistribute rip route-map RIP->EIGRP metric 1 1 1 1 1
>
> route-map RIP->EIGRP
> match ip add 1
>
> access-list 1 permit [the one prefix]
>
>
>
>
>
> On Sat, Jun 7, 2008 at 4:22 PM, Joseph Brunner <joe@affirmedsystems.com>
> wrote:
>
>> >This infers a DENY in the ACL being used (you can only use one ACL for both
>> >tasks).
>>
>> NO actually it does not mean you must DENY anything... as a matter of fact
>> the word deny need not appear in the entire config to do this... Simply
>> don't permit the 9 filtered routes, and they will be effectively denied
>> without ever saying so.
>>
>> Q> what is at the end of every ACL, with at least 1 permit line?
>> A> a deny any...
>>
>> Q> what happens to any route that is not matched by a route-map permit
>> sequence if that route-map is referenced during redistribution?
>> A> the route is not redistributed.
>>
>> I would recommend re-reading the Wendell Odom CCIE exam certification
>> guide's page on route-map matching not/matching routes, with permit and
>> deny sequences.
>>
>> -Joe
>>
>> -----Original Message-----
>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>> Matt Bentley
>> Sent: Saturday, June 07, 2008 3:52 PM
>> To: Luca Hall
>> Cc: ccielab@groupstudy.com
>> Subject: Re: Tough Filtering Question
>>
>> Hello Luca:
>>
>> Tough part is that you can only use one ACL for both tasks. In order to
>> have the route in your table to redistribute it into EIGRP, you must
>> prevent it from being filtered, correct? This infers a DENY in the ACL
>> being used (you can only use one ACL for both tasks). Since you must use a
>> deny - I think, then you would be denying that route from getting
>> redistributed. Once again, key here is you are only allowed a single ACL
>> for both tasks. Thanks again
>>
>> On Sat, Jun 7, 2008 at 3:44 PM, Luca Hall <lhall@setnine.com> wrote:
>>
>> >
>> > so if the routes 10.10.10.0/24 can't you just:
>> >
>> > access-list 5 permit 10.10.10.0
>> > router rip
>> > distribute-list 5 in <interface>
>> >
>> > route-map RIP->EIGRP permit 10
>> > match ip address 5
>> >
>> > router eigrp X
>> > redistribute rip route-map RIP->EIGRP metric 1 1 1 1 1
>> >
>> > where's the tough part? if you have to use denys just deny the other
>> > 9 routes in the acl and permit any any or permit the specific one.
>> >
>> >
>> > ----- Original Message -----
>> > From: Matt Bentley <mattdbentley@gmail.com>
>> > To: ccielab@groupstudy.com
>> > Sent: Sat, 7 Jun 2008 15:09:42 -0400 (EDT)
>> > Subject: Tough Filtering Question
>> >
>> > Hi GS:
>> >
>> > Ran across this one on a lab.
>> >
>> > Requirement #1: R1 is receiving 10 RIP routes from BB1, you want to filter
>> > out all except 1. You must use a standard ACL
>> > Requirement #2: You want to redistribute only that one route received from
>> > BB1 from RIP into EIGRP on R1, restricting the redistribution to only that
>> > single route. The ACL you use to restrict must be the same as the one used
>> > to filter from BB1.
>> >
>> > Using distance, offset-lists, and distribute-lists, you have to DENY that
>> > single RIP route to prevent it getting filtered. Correct? How can you use
>> > that same ACL to PERMIT it to be redistributed into EIGRP.
>> >
>> > Thanks in advance.
>> >
>> >
>> > _______________________________________________________________________
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:21 ART
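
The following is an added example, not part of any message in the thread: a small Python model of the two configurations posted above (a global `distribute-list 1 in` with a plain `redistribute rip`, and a per-interface distribute-list with a route-map that references the same ACL). The interface names, the BB2 route and the connected networks are constructed placeholders, and the model assumes the IOS behaviour raised in the top reply, that connected networks on RIP-enabled interfaces are candidates for redistribution along with RIP-learned routes.

```python
import ipaddress

def acl_permits(acl, prefix):
    """Standard ACL used as a route filter: the prefix's network address is
    compared entry by entry, first match wins, implicit deny at the end."""
    addr = int(ipaddress.ip_network(prefix).network_address)
    for action, base, wildcard in acl:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if (addr & care) == (int(ipaddress.ip_address(base)) & care):
            return action == "permit"
    return False  # nothing matched: implicit "deny any"

def distribute_list_in(acl, updates, interface=None):
    """updates is a list of (interface, prefix). With interface=None the
    filter applies to updates from every RIP neighbor, not only BB1."""
    kept = []
    for ifname, prefix in updates:
        filtered_here = interface is None or ifname == interface
        if not filtered_here or acl_permits(acl, prefix):
            kept.append(prefix)
    return kept

def redistribute_rip(rip_table, connected_rip, route_map_acl=None):
    """Assumed model: candidates are RIP-learned routes plus connected
    networks on RIP-enabled interfaces. A route-map with one permit
    sequence drops every candidate its ACL does not permit."""
    candidates = rip_table + connected_rip
    if route_map_acl is None:
        return candidates
    return [p for p in candidates if acl_permits(route_map_acl, p)]

# Constructed sample data (placeholders, not taken from a real lab).
ACL = [("permit", "10.10.10.0", "0.0.0.0")]            # one standard ACL
UPDATES = [("Fa0/0", f"10.10.{n}.0/24") for n in range(10, 20)]  # from BB1
UPDATES += [("Fa0/1", "172.16.2.0/24")]                # from BB2
CONNECTED = ["192.0.2.0/24", "198.51.100.0/24"]        # RIP-enabled links

def scenario(interface, use_route_map):
    """Return (RIP routes installed on R1, prefixes handed to EIGRP)."""
    rip = distribute_list_in(ACL, UPDATES, interface)
    eigrp = redistribute_rip(rip, CONNECTED, ACL if use_route_map else None)
    return rip, eigrp

if __name__ == "__main__":
    print("global list, no route-map :", scenario(None, False))
    print("Fa0/0 list, with route-map:", scenario("Fa0/0", True))
```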