From: Jonathan V Hays (jhays@jtan.com)
Date: Fri Jul 25 2003 - 19:13:34 GMT-3
I see you've already got your answer. Here's a detailed solution for
those who care.
Here's a list of the even/odd status of the second and third octets:
10.2.128.0 10.even.even.0
10.1.129.0 10.odd .odd .0
10.2.129.0 10.even.odd .0
10.5.128.0 10.odd .even.0
10.4.128.0 10.even.even.0
So if you are denying with "deny 10.1.1.0 0.254.254.255" then you will
only filter out ip addresses with BOTH 2nd and 3rd octets that are odd,
which means only 10.1.129.0.
I tried it on my routers and it does what it is supposed to do. Note
that only 10.1.129.0 is missing from the routing table of r3.
router ospf 4
redistribute static metric 25 subnets route-map allow-static
!
ip route 10.1.129.0 255.255.255.0 Null0
ip route 10.2.128.0 255.255.255.0 Null0
ip route 10.2.129.0 255.255.255.0 Null0
ip route 10.4.128.0 255.255.255.0 Null0
ip route 10.5.128.0 255.255.255.0 Null0
!
access-list 11 deny 10.1.1.0 0.254.254.255
access-list 11 permit any
On another router:
r3#sh ip route | exclude -
Gateway of last resort is not set
140.4.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 140.4.4.0/25 is directly connected, Ethernet0
10.0.0.0/24 is subnetted, 6 subnets
O E2 10.2.128.0 [110/25] via 140.4.4.13, 00:10:51, Ethernet0
O E2 10.2.129.0 [110/25] via 140.4.4.13, 00:10:51, Ethernet0
O E2 10.4.128.0 [110/25] via 140.4.4.13, 00:10:51, Ethernet0
O E2 10.5.128.0 [110/25] via 140.4.4.13, 00:10:51, Ethernet0
r3#
Looking at the provided solution of "permit 10.0.128.0 0.6.0.0" to
permit even routes, let's perform a mask operation, looking only
at the 2nd and 3rd octet:
10.0.128.0 0.6.0.0
(remember that a '1' is don't care for an inverse mask)
2nd octet 3rd octet
00000000.10000000 prefix
00000110.00000000 mask
00000dd0.10000000 RESULT
All IP addresses must match the result.
The second octet must be dd0:
dd0
000 - 0
010 - 2
100 - 4
110 - 6
The 3rd octet must be 128 - nothing else is allowed.
Only 2 bits are ignored (the 'dd' shown above).
Here's your list of prefixes. Let's see what matches:
00000dd0.10000000 RESULT
00000010.10000000 2.128 matches both octets
00000dd0.10000000 RESULT
00000001.10000001 1.129 fails to match the 3rd octet
00000dd0.10000000 RESULT
00000010.10000001 2.129 fails to match the 3rd octet
00000dd0.10000000 RESULT
00000101.10000000 5.128 fails to match the 2nd octet
00000dd0.10000000 RESULT
00000100.10000000 4.128 matches both octets
Sure enough, when I change access-list 11 to "permit 10.0.128.0 0.6.0.0"
here is the routing table on r3:
r3#sh ip route | exclude -
Gateway of last resort is not set
140.4.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 140.4.4.0/25 is directly connected, Ethernet0
10.0.0.0/24 is subnetted, 4 subnets
O E2 10.2.128.0 [110/25] via 140.4.4.13, 00:15:56, Ethernet0
O E2 10.4.128.0 [110/25] via 140.4.4.13, 00:15:56, Ethernet0
r3#
Hope that helps.
Jonathan
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Joe Martin
Sent: Friday, July 25, 2003 5:16 PM
To: CCIE GroupStudy
Subject: Access-list in route-map not blocking routes
Guys and Gals,
I had a lab requirement that asked me to configure some static routes to
null0 as follows:
ip route 10.2.128.0 255.255.255.0 null0
ip route 10.1.129.0 255.255.255.0 null0
ip route 10.2.129.0 255.255.255.0 null0
ip route 10.5.128.0 255.255.255.0 null0
ip route 10.4.128.0 255.255.255.0 null0
I was asked to advertise these routes to an EIGRP neighbor and to the
rest of the network (which was running OSPF). However, "only routes with
an even number in the 2nd and 3rd octets should be advertised to the rest
of the network." I chose to redistribute static routes to EIGRP and then
redistribute EIGRP into OSPF.
I simply created a route-map that filtered the routes coming from EIGRP
as follows.
access-list 1 deny 10.1.1.0 0.254.254.255 <---------
access-list 1 permit 192.168.9.0 0.0.0.255
access-list 1 permit 172.29.90.0 0.0.0.255
access-list 1 permit 172.29.69.0 0.0.0.255
route-map eigrp2ospf permit 10
match ip address 1
set tag 777
router ospf 1
redistribute eigrp 100 route-map eigrp2ospf
My question is with the filter for the even routes. I simply denied the
routes with the 1 bit on in the 2nd and 3rd octets, or so I thought.
The only route that was filtered was the second static route in the list
which has a 1 in the second octet. All of the other routes were
redistributed, including the other routes with odd numbers. Why?
The solution used a route-map that just allowed the specific even routes
as follows:
access-list 1 permit 10.0.128.0 0.6.0.0
I switched to this and it worked great. But my solution should have
worked. What am I missing?
Unfortunately, I cannot post full configs as this was done on a rental
rack last night. However I should be able to answer any questions about
the configs as necessary.
TIA,
Joe Martin
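
The wildcard-mask matching worked through in the reply above, as an added Python example (not part of the original thread): it evaluates access-list 11 and the lab's "permit 10.0.128.0 0.6.0.0" against the five static routes. The third ACL, one deny entry per octet, is constructed here and goes beyond what the thread shows; all function and variable names are hypothetical.

```python
import ipaddress

def acl_match(route, address, wildcard):
    """Standard-ACL test: every bit where the wildcard is 0 must equal the address."""
    r, a, w = (int(ipaddress.IPv4Address(x)) for x in (route, address, wildcard))
    care = ~w & 0xFFFFFFFF          # wildcard '1' = don't care, so invert it
    return (r & care) == (a & care)

def evaluate(acl, route):
    """First matching entry wins; a standard ACL ends with an implicit deny."""
    for action, address, wildcard in acl:
        if acl_match(route, address, wildcard):
            return action
    return "deny"

def permitted(acl, routes):
    """Routes that survive the ACL, in their original order."""
    return [r for r in routes if evaluate(acl, r) == "permit"]

ANY = ("0.0.0.0", "255.255.255.255")   # what "permit any" expands to

# The five static routes from the thread.
ROUTES = ["10.2.128.0", "10.1.129.0", "10.2.129.0", "10.5.128.0", "10.4.128.0"]

# access-list 11 as tested in the reply: matches only when BOTH low bits are 1.
DENY_BOTH_ODD = [("deny", "10.1.1.0", "0.254.254.255"), ("permit", *ANY)]

# The lab solution quoted in the thread.
PERMIT_EVEN = [("permit", "10.0.128.0", "0.6.0.0")]

# Constructed for this example (not from the thread): one deny per octet,
# so a route is dropped when EITHER the 2nd or the 3rd octet is odd.
DENY_EITHER_ODD = [
    ("deny", "10.1.0.0", "0.254.255.255"),
    ("deny", "10.0.1.0", "0.255.254.255"),
    ("permit", *ANY),
]

if __name__ == "__main__":
    for name, acl in [("deny both odd", DENY_BOTH_ODD),
                      ("permit 0.6.0.0", PERMIT_EVEN),
                      ("deny either odd", DENY_EITHER_ODD)]:
        print(f"{name:16} -> {permitted(acl, ROUTES)}")
```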
This archive was generated by hypermail 2.1.4 : Wed Aug 06 2003 - 06:52:53 GMT-3