“God is always on the alert, constantly on the lookout for people who are totally committed to him”  (2 Chronicles 16:9). 


In this post, I will go through another important prefix-list operation that an ordinary access-list cannot implement. In my previous two study notes about prefix-lists, I went through two important uses of a prefix-list:

1. Using a prefix-list as a replacement for an access-list
2. Using a prefix-list to filter networks based on mask bits.

I will go into detail on using a prefix-list to specify a range of networks to filter within the same subnets, e.g. Class B subnets.

I will be using a discontiguous network that falls within the range of 172.16.0.0/16 for this study note. This is a class B network, but assume we have the following IP addressing assignment:

1. /20 means the 3rd octet of the mask has a decimal value of 240. Subtracting 256 - 240 = 16 means my subnets are multiples of 16, starting from 172.16.0.0/20 on the

172.16.0.0/20
172.16.16.0/20
172.16.32.0/20
172.16.48.0/20

172.16.64.0/20 — This subnet was subnetted further into /24 for other applications.

2.  /24 is easy, so we have the following IP address assignment.

172.16.64.0/24
172.16.65.0/24
172.16.66.0/24
172.16.67.0/24
172.16.68.0/24 — This is subnetted again into /27.

3. /28 means the 4th octet of the mask has a decimal value of 240. Subtracting 256 - 240 = 16 means that my subnets are multiples of 16.

172.16.68.0/28
172.16.68.16/28
172.16.68.32/28
172.16.68.48/28

Let me stop here. My lab objectives will define what I want to prove in this laboratory.

Again, I will be using the same laboratory diagram as with my previous two labs in Prefix-List but I have added several loopback interfaces on Manila.

Laboratory objective:

1. Create an outbound filter on the Singapore router to deny the routes from 172.16.0.0/20 to 172.16.48.0/20 and also the network range from 172.16.68.0/28 to 172.16.68.48/28 from the Manila router, and allow the IP ranges 172.16.64.0/24 to 172.16.67.0/24.

2. On the same outbound filter applied on the Singapore router, allow the subnets 172.16.0.0/20 to 172.16.48.0/20.

3. Verify the connectivity from Melbourne loopbacks to any of the Singapore loopback interfaces.

So here are my router configurations:

As seen below, I have created all the loopbacks on the Manila router.

Manila#show ip int brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        unassigned      YES NVRAM  administratively down down
FastEthernet1/0        unassigned      YES NVRAM  administratively down down
FastEthernet1/1        unassigned      YES NVRAM  administratively down down
Serial2/0              192.168.12.1    YES NVRAM  up                    up
Serial2/1              unassigned      YES NVRAM  administratively down down
Serial2/2              unassigned      YES NVRAM  administratively down down
Serial2/3              unassigned      YES NVRAM  administratively down down

Loopback0              172.16.0.1      YES manual up                    up
Loopback2              172.16.16.1     YES manual up                    up
Loopback3              172.16.32.1     YES manual up                    up
Loopback4              172.16.48.1     YES manual up                    up
Loopback5              172.16.64.1     YES manual up                    up
Loopback6              172.16.65.1     YES manual up                    up
Loopback7              172.16.66.1     YES manual up                    up
Loopback8              172.16.67.1     YES manual up                    up
Loopback9              172.16.68.1     YES manual up                    up
Loopback10             172.16.68.17    YES manual up                    up
Loopback11             172.16.68.33    YES manual up                    up
Loopback12             172.16.68.49    YES manual up                    up

Manila#show ip prefix-list
ip prefix-list FILTERME: 2 entries
   seq 10 deny 100.100.100.0/24
   seq 20 permit 0.0.0.0/0 le 32

Manila#sh run | sec eigrp
router eigrp 100
 distribute-list prefix FILTERME in
 network 0.0.0.0

Manila#

Singapore#sh ip prefix-list
ip prefix-list FILTER-MANILA: 4 entries
   seq 10 deny 172.16.10.0/24
   seq 20 deny 172.16.20.0/24
   seq 30 permit 172.16.0.0/16 ge 23
   seq 40 permit 172.15.0.0/16 le 23

Singapore#

Singapore#sh run | sec eigrp
router eigrp 100
 distribute-list prefix FILTER-MANILA out Serial2/1
 network 0.0.0.0

Singapore#

Melbourne#sh run | sec eigrp
router eigrp 100
 network 0.0.0.0

Melbourne#



Let me remove the existing prefix-list configured on the Singapore router.

Singapore(config)#no ip prefix-list FILTER-MANILA

Before adding the new prefix-list, let’s check the routing table of the Melbourne router. I have all the routes advertised to the Melbourne router.
 
Melbourne#show ip route eigrp
!
Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 12 subnets, 3 masks
D        172.16.0.0/20 [90/2809856] via 192.168.23.2, 00:00:18, Serial2/1
D        172.16.16.0/20 [90/2809856] via 192.168.23.2, 00:00:18, Serial2/1
D        172.16.32.0/20 [90/2809856] via 192.168.23.2, 00:00:18, Serial2/1
D        172.16.48.0/20 [90/2809856] via 192.168.23.2, 00:00:18, Serial2/1
D        172.16.64.0/24 [90/2809856] via 192.168.23.2, 00:26:52, Serial2/1
D        172.16.65.0/24 [90/2809856] via 192.168.23.2, 00:26:41, Serial2/1
D        172.16.66.0/24 [90/2809856] via 192.168.23.2, 00:26:29, Serial2/1
D        172.16.67.0/24 [90/2809856] via 192.168.23.2, 00:26:17, Serial2/1
D        172.16.68.0/28 [90/2809856] via 192.168.23.2, 00:00:18, Serial2/1
D        172.16.68.16/28 [90/2809856] via 192.168.23.2, 00:00:18, Serial2/1
D        172.16.68.32/28 [90/2809856] via 192.168.23.2, 00:00:18, Serial2/1
D        172.16.68.48/28 [90/2809856] via 192.168.23.2, 00:00:18, Serial2/1
D     192.168.12.0/24 [90/2681856] via 192.168.23.2, 00:00:18, Serial2/1
Melbourne#

And now,  I will be adding the new prefix-list as per the first lab objective.
 
Singapore(config)#ip prefix-list FILTER-MANILA-NEW seq 10 deny 172.16.48.0/16 le 20

The statement above means that I’m filtering out the range from 172.16.0.0/20 to 172.16.48.0/20. To rephrase it, any prefix within 172.16.0.0/16 with a mask length between /16 and /20 will be filtered out. Make sense?

Singapore(config)#ip prefix-list FILTER-MANILA-NEW seq 20 deny 172.16.68.48/24 le 28

Similarly, I have 172.16.68.48/24 le 28. This means that I will deny the IP range from 172.16.68.0/28 to 172.16.68.48/28.

Singapore(config)#ip prefix-list FILTER-MANILA-NEW se 30 permit 172.16.64.0/24
Singapore(config)# ip prefix-list FILTER-MANILA-NEW se 40 permit 172.16.65.0/24
Singapore(config)#ip prefix-list FILTER-MANILA-NEW se 50 permit 172.16.66.0/24
Singapore(config)#ip prefix-list FILTER-MANILA-NEW se 60 permit 172.16.67.0/24


The statements above tell the Singapore router to advertise these subnets to the Melbourne router.

So here is how my new prefix-list looks on the Singapore router:

 Singapore#show ip prefix-list
ip prefix-list FILTER-MANILA-NEW: 6 entries
   seq 10 deny 172.16.0.0/16 le 20
   seq 20 deny 172.16.68.0/24 le 28
   seq 30 permit 172.16.64.0/24
   seq 40 permit 172.16.65.0/24
   seq 50 permit 172.16.66.0/24
   seq 60 permit 172.16.67.0/24

Singapore#


Now, let’s apply the prefix-list policy under the EIGRP process on Singapore. We could also filter these routes on Melbourne using an inbound policy applied on Melbourne’s Serial 2/1, but we would have to create the same prefix-list statements on Melbourne for that to take effect.

Singapore(config)#router eigrp 100
Singapore(config-router)#distribute-list prefix FILTER-MANILA-NEW out  serial 2/1
Singapore(config-router)#

Now, since the Prefix-list is applied on Singapore, we can proceed to check the routing table of Melbourne. Life is good, right! I have the correct routes which I’m expecting on Melbourne.


Melbourne#show ip route eigrp
!
Gateway of last resort is not set

      172.16.0.0/24 is subnetted, 4 subnets
D        172.16.64.0 [90/2809856] via 192.168.23.2, 00:40:30, Serial2/1
D        172.16.65.0 [90/2809856] via 192.168.23.2, 00:40:19, Serial2/1
D        172.16.66.0 [90/2809856] via 192.168.23.2, 00:40:07, Serial2/1
D        172.16.67.0 [90/2809856] via 192.168.23.2, 00:39:55, Serial2/1

Melbourne#


Let’s explore one more time and complete the second lab objective. This time, what we want to do is allow 172.16.0.0/20 through 172.16.48.0/20. There are two ways to do this. We can add an individual prefix-list sequence number for each subnet, or we can just “change” the existing prefix-list statement sequence 10 from deny to permit. I will choose the latter option.

 Singapore#sh run | inc ip prefix-list
ip prefix-list FILTER-MANILA-NEW seq 10 deny 172.16.0.0/16 le 20

ip prefix-list FILTER-MANILA-NEW seq 20 deny 172.16.68.0/24 le 27
ip prefix-list FILTER-MANILA-NEW seq 30 permit 172.16.64.0/24
ip prefix-list FILTER-MANILA-NEW seq 40 permit 172.16.65.0/24
ip prefix-list FILTER-MANILA-NEW seq 50 permit 172.16.66.0/24
ip prefix-list FILTER-MANILA-NEW seq 60 permit 172.16.67.0/24



Singapore(config)#no ip prefix-list FILTER-MANILA-NEW seq 10 deny 172.16.0.0/16 le 20


*Aug  9 09:59:08.591: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.23.3 (Serial2/1) is resync: intf route configuration changed


Singapore(config)#ip prefix-list FILTER-MANILA-NEW seq 10 permit 172.16.0.0/16 le 20
Singapore(config)#^Z

Singapore#sh run | inc ip prefix-list
ip prefix-list FILTER-MANILA-NEW seq 10 permit 172.16.0.0/16 le 20

ip prefix-list FILTER-MANILA-NEW seq 20 deny 172.16.68.0/24 le 28
ip prefix-list FILTER-MANILA-NEW seq 30 permit 172.16.64.0/24
ip prefix-list FILTER-MANILA-NEW seq 40 permit 172.16.65.0/24
ip prefix-list FILTER-MANILA-NEW seq 50 permit 172.16.66.0/24
ip prefix-list FILTER-MANILA-NEW seq 60 permit 172.16.67.0/24


Now, let’s have a look at Melbourne’s routing table. Well, well… It does work. I have the subnet range from 172.16.0.0/20 to 172.16.48.0/20 in Singapore router!


Melbourne#show ip route eigrp
!

Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 8 subnets, 2 masks
D        172.16.0.0/20 [90/2809856] via 192.168.23.2, 00:02:21, Serial2/1
D        172.16.16.0/20 [90/2809856] via 192.168.23.2, 00:02:21, Serial2/1
D        172.16.32.0/20 [90/2809856] via 192.168.23.2, 00:02:21, Serial2/1
D        172.16.48.0/20 [90/2809856] via 192.168.23.2, 00:02:21, Serial2/1

D        172.16.64.0/24 [90/2809856] via 192.168.23.2, 00:49:04, Serial2/1
D        172.16.65.0/24 [90/2809856] via 192.168.23.2, 00:48:53, Serial2/1
D        172.16.66.0/24 [90/2809856] via 192.168.23.2, 00:48:41, Serial2/1
D        172.16.67.0/24 [90/2809856] via 192.168.23.2, 00:48:29, Serial2/1
Melbourne#
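
The filtering results above can be reproduced offline. The following is an added example, not part of the original lab or of Cisco IOS: a small Python model of prefix-list matching that assumes first-match evaluation, an implicit deny at the end, and ge/le bounding the route's mask length. The function names are illustrative; the list entries and routes are copied from the outputs above.

```python
import ipaddress

def parse_entry(line):
    """Parse one 'seq N permit|deny PREFIX/LEN [ge X] [le Y]' line."""
    tok = line.split()
    seq, action = int(tok[1]), tok[2]
    # strict=False masks host bits, matching the page's output where the
    # typed 172.16.48.0/16 is shown as 172.16.0.0/16.
    net = ipaddress.ip_network(tok[3], strict=False)
    opts = dict(zip(tok[4::2], map(int, tok[5::2])))
    if opts:   # ge/le widen the accepted mask-length window
        lo, hi = opts.get("ge", net.prefixlen), opts.get("le", 32)
    else:      # no ge/le: the mask length must match exactly
        lo = hi = net.prefixlen
    return seq, action, net, lo, hi

def evaluate(entries, route):
    """First match wins; ('deny', None) is the implicit deny at the end."""
    r = ipaddress.ip_network(route)
    for seq, action, net, lo, hi in sorted(entries, key=lambda e: e[0]):
        if lo <= r.prefixlen <= hi and r.subnet_of(net):
            return action, seq
    return "deny", None

def advertised(config, routes):
    entries = [parse_entry(l) for l in config.strip().splitlines()]
    return [r for r in routes if evaluate(entries, r)[0] == "permit"]

# Manila's loopback subnets as listed in Melbourne's unfiltered routing table.
ROUTES = (["172.16.%d.0/20" % o for o in (0, 16, 32, 48)]
          + ["172.16.%d.0/24" % o for o in (64, 65, 66, 67)]
          + ["172.16.68.%d/28" % o for o in (0, 16, 32, 48)])

# FILTER-MANILA-NEW as shown by 'show ip prefix-list' for objective 1.
OBJECTIVE_1 = """
seq 10 deny 172.16.0.0/16 le 20
seq 20 deny 172.16.68.0/24 le 28
seq 30 permit 172.16.64.0/24
seq 40 permit 172.16.65.0/24
seq 50 permit 172.16.66.0/24
seq 60 permit 172.16.67.0/24
"""
# Objective 2 flips sequence 10 from deny to permit.
OBJECTIVE_2 = OBJECTIVE_1.replace("seq 10 deny", "seq 10 permit")

if __name__ == "__main__":
    for name, cfg in (("objective 1", OBJECTIVE_1), ("objective 2", OBJECTIVE_2)):
        print(name, advertised(cfg, ROUTES))
```

Calling `evaluate` on one of the /28 subnets returns sequence 20 as the matching entry, but with that entry removed the same subnets still fall through to the implicit deny, so the advertised set does not change.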



Connectivity Testing:

As expected, since the destination subnet is filtered out:

Melbourne#ping 172.16.48.49
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.48.49, timeout is 2 seconds:
....
Success rate is 0 percent (0/4)

These two subnets were allowed:



Melbourne#ping 172.16.64.1 source 30.30.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.64.1, timeout is 2 seconds:
Packet sent with a source address of 30.30.30.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/56/64 ms

Melbourne#ping 172.16.0.1 source 30.30.30.3
% Invalid source address- IP address not on any of our up interfaces
Melbourne#ping 172.16.0.1 source 30.30.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
Packet sent with a source address of 30.30.30.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/66/80 ms
Melbourne#


*** This ends my laboratory on the third important concept of route filtering using prefix-lists ***
