No problem Carlos .I anyway appreciate your replies .. Let me try to
explain again
In my original email, R1 F0/0 connects to a LAN segment that has two other
routers connected R2 and R3. When I apply the distribute-list on F0/0 with a
gateway command, all routes are denied regardless of where they are coming
from. However, the intention was to deny routes coming from R3 only.So the
question here was, why all the routes were denied. Based upon the
configuration I was expecting the routes from R2 to be allowed.
In your response, when you said that the filter condition is not getting a
PASS , I replied back saying the same condition works if R1 has two
different ethernet interfaces connected to R2 and R3 each. So when I applied
the distribute-list on the interface connected to R3 it denied all the
routes coming in from R3 . I did not apply it to the other interface. I
might not have understood you correctly here but I thought you meant the
DENY-ALL prefix-list i.e deny 0.0.0.0/0 le 32 does not match any routes and
hence the filter-condition does not pass.
In my 2nd response to you, I just explained the setup that I talked about in
my previous response.
I think you might have missed the original setup .R1 actually gets the same
routes from R2 and R3 on the same interface, and I wanted to deny all routes
coming from R3 only, It does not work if I use a DENY-ALL prefix-list and
match routes coming from R3. It works if I PERMIT-ALL that is not coming
from R3.
Please let me know if this explains it any better. Appreciate your responses
and any further queries you may have ;-)
Regards,
Ravi
On Tue, Feb 8, 2011 at 12:04 PM, Carlos G Mendioroz <tron_at_huapi.ba.ar>wrote:
> I'm loosing you now. Sorry.
> Your first reply to me was, as I understood it, asking why the
> difference when you use a different interface. And the answer to that
> is that you are not applying the DL to the new interface.
>
> DLs are applied to interfaces, so if no DL applied, then everything
> goes through. As no list applies to F0/0, R2 routes pass.
>
> Or am I missing something ?
> -Carlos
>
>
> Ravi Singh @ 08/02/2011 08:35 -0300 dixit:
>
>> No .. Suppose R1 F0/0 connects to R2 and R1 F1/0 connects to R3, I apply
>> the distribute-list in command on F1/0 and all routes coming in from R3 are
>> denied. What I wanted to say was the prefix-lists have not changed , so they
>> are ip prefix-list DENY-ALL seq 5 deny 0.0.0.0/0 <http://0.0.0.0/0> le
>> 32
>>
>> !
>> ip prefix-list FROM-R3 seq 5 permit 10.1.1.3/32 <http://10.1.1.3/32>
>> ! and the distribute-list command changes to
>>
>> distribute-list prefix DENY-ALL gateway FROM-R3 in FastEthernet1/0
>> So, if I understood you correctly, in this scenario as well , the PASS
>> condition is not met and R1 denies everything coming in F1/0.. is it ? I
>> then also wonder why does it match the routes when it is a permit using
>> 0.0.0.0/0 <http://0.0.0.0/0> le 32 and not when it is a deny ..
>> Ravi
>>
>> On Tue, Feb 8, 2011 at 11:26 AM, Carlos G Mendioroz <tron_at_huapi.ba.ar<mailto:
>> tron_at_huapi.ba.ar>> wrote:
>>
>> Are you applying the distribute-list to both interfaces ?
>> -Carlos
>>
>> Ravi Singh @ 08/02/2011 08:21 -0300 dixit:
>>
>> Hi Carlos,
>> Well .. while trying to get my head round this issue , I tried
>> the same config in a setup when R1 has two different ethernet
>> interfaces connected to R2 and R3 i.e R1 F0/0 connects to R2 and
>> R1 F1/0 connects to R3 . The same prefix-list statements and
>> distribute-list works just as expected in that scenario . I
>> would assume the same mechanism would be applied in this
>> scenario as well ..
>> Regards,
>> Ravi
>>
>> On Tue, Feb 8, 2011 at 11:11 AM, Carlos G Mendioroz
>> <tron_at_huapi.ba.ar <mailto:tron_at_huapi.ba.ar>
>> <mailto:tron_at_huapi.ba.ar <mailto:tron_at_huapi.ba.ar>>> wrote:
>>
>> Ravi,
>> updates have to PASS the filter. When you put prefix and gateway
>> conditions, they have to pass both.
>>
>> So in your first config, no route passes the prefix, it does not
>> matter where it comes from.
>>
>> -Carlos
>>
>> Ravi Singh @ 08/02/2011 01:52 -0300 dixit:
>>
>> Hello Group ,
>>
>> The below email might seem long in the first glance but
>> it is a
>> simple
>> question with a very simple setup .
>>
>> R1
>> |
>> |
>> ------------------SW
>> | |
>> | |
>> R2 R3
>>
>> If wordwrap ruins the art, the setup is F0/0 on R1, R2 and
>> R3
>> each is
>> connected to a common LAN segment through SW1. The IP
>> Addresses
>> on the F0/0
>> interfaces are 10.1.1.1/24 <http://10.1.1.1/24>
>> <http://10.1.1.1/24>, 10.1.1.2/24 <http://10.1.1.2/24>
>> <http://10.1.1.2/24> and 10.1.1.3/24 <http://10.1.1.3/24>
>> <http://10.1.1.3/24>
>>
>> respectively. R2 and
>> R3 both have the same Loop 1, Loop 2 and Loop 3 addresses
>> which are
>> 1.1.1.1/24 <http://1.1.1.1/24> <http://1.1.1.1/24>,
>> 2.2.2.2/24 <http://2.2.2.2/24> <http://2.2.2.2/24>
>> and 3.3.3.3/24 <http://3.3.3.3/24> <http://3.3.3.3/24>
>>
>> respectively.
>>
>>
>> R1, R2 and R3 run EIGRP between them. Here is the routing
>> table
>> on R1 under
>> normal circumstances
>>
>> R1#sh ip route eigrp
>> 1.0.0.0/24 <http://1.0.0.0/24> <http://1.0.0.0/24> is
>>
>> subnetted, 1 subnets
>>
>> D 1.1.1.0 [90/156160] via 10.1.1.3, 00:00:03,
>> FastEthernet0/0
>> [90/156160] via 10.1.1.2, 00:00:03,
>> FastEthernet0/0
>> 2.0.0.0/24 <http://2.0.0.0/24> <http://2.0.0.0/24> is
>>
>> subnetted, 1 subnets
>>
>> D 2.2.2.0 [90/156160] via 10.1.1.3, 00:00:03,
>> FastEthernet0/0
>> [90/156160] via 10.1.1.2, 00:00:03,
>> FastEthernet0/0
>> 3.0.0.0/24 <http://3.0.0.0/24> <http://3.0.0.0/24> is
>>
>> subnetted, 1 subnets
>>
>> D 3.3.3.0 [90/156160] via 10.1.1.3, 00:00:03,
>> FastEthernet0/0
>> [90/156160] via 10.1.1.2, 00:00:03,
>> FastEthernet0/0
>>
>> Now the objective (and the issue ) - I want to configure
>> distribute-list
>> using prefix-lists on R1 to *DENY* everything that
>> *COMES* from
>> R3 ( bold
>> keywords just to stress on logic )
>>
>> So here are the two prefix-lists that I made
>>
>> ip prefix-list DENY-ALL seq 5 deny 0.0.0.0/0
>> <http://0.0.0.0/0> <http://0.0.0.0/0>
>>
>> le 32
>> !
>> ip prefix-list FROM-R3 seq 5 permit 10.1.1.3/32
>> <http://10.1.1.3/32> <http://10.1.1.3/32>
>>
>>
>> !
>>
>> And then I used the below command to achieve what is
>> being expected
>> router eigrp 100
>> distribute-list prefix DENY-ALL gateway FROM-R3 in
>> FastEthernet0/0
>>
>> The output on R1 now becomes
>>
>> R1#sh ip route eigrp
>>
>> R1#
>>
>> Basically no routes. So it denies everything coming in F0/0,
>> even though I
>> specified the gateway. BUT , if I change the logic i.e
>> *PERMIT*
>> everything
>> that does *NOT* come from R3 , it works just fine .
>> Therefore If
>> I make the
>> prefix-lists as
>>
>> ip prefix-list NOT-FROM-R3 seq 5 deny 10.1.1.3/32
>> <http://10.1.1.3/32>
>> <http://10.1.1.3/32>
>>
>> ip prefix-list NOT-FROM-R3 seq 10 permit 0.0.0.0/0
>> <http://0.0.0.0/0>
>> <http://0.0.0.0/0> le 32
>>
>> !
>> ip prefix-list PERMIT-ALL seq 5 permit 0.0.0.0/0
>> <http://0.0.0.0/0>
>> <http://0.0.0.0/0> le 32
>>
>>
>> And the distribute-list as
>>
>> router eigrp 100
>> distribute-list prefix PERMIT-ALL gateway NOT-FROM-R3 in
>> FastEthernet0/0
>>
>> The output on R1 is as expected now .
>>
>> R1#sh ip route eigrp
>> 1.0.0.0/24 <http://1.0.0.0/24> <http://1.0.0.0/24> is
>>
>> subnetted, 1 subnets
>>
>> D 1.1.1.0 [90/156160] via 10.1.1.2, 00:02:01,
>> FastEthernet0/0
>> 2.0.0.0/24 <http://2.0.0.0/24> <http://2.0.0.0/24> is
>>
>> subnetted, 1 subnets
>>
>> D 2.2.2.0 [90/156160] via 10.1.1.2, 00:02:01,
>> FastEthernet0/0
>> 3.0.0.0/24 <http://3.0.0.0/24> <http://3.0.0.0/24> is
>>
>> subnetted, 1 subnets
>>
>> D 3.3.3.0 [90/156160] via 10.1.1.2, 00:02:01,
>> FastEthernet0/0
>> R1#
>>
>> So, the question is What am I doing wrong in the first
>> method ?
>> Are there
>> some basic rules that are being broken here ?
>>
>> Regards,
>> Ravi
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>> <http://www.ccie.net/>
>> <http://www.ccie.net/>
>>
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>>
>>
>>
>>
>>
>>
>>
>> -- Carlos G Mendioroz <tron_at_huapi.ba.ar
>> <mailto:tron_at_huapi.ba.ar> <mailto:tron_at_huapi.ba.ar
>>
>> <mailto:tron_at_huapi.ba.ar>>>
>> LW7 EQI Argentina
>>
>>
>>
>> -- Carlos G Mendioroz <tron_at_huapi.ba.ar <mailto:tron_at_huapi.ba.ar
>> >>
>> LW7 EQI Argentina
>>
>>
>>
> --
> Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina
Blogs and organic groups at http://www.ccie.net
Received on Tue Feb 08 2011 - 13:11:22 ART
This archive was generated by hypermail 2.2.0 : Tue Mar 01 2011 - 07:01:49 ART