Content created by Rene Molenaar (CCIE #41726)


Forum Replies

  1. Hey, what is the difference between using route-maps, access-lists or prefix-lists when applied to a distribute-list? They all do the same in regards to filtering routes in OSPF or EIGRP? Are there any minor differences between those? Can you please explain in detail. Thank you.

  2. Hi Rene, I have a question regarding recursive routing and the filtering of routing interfaces.
    I have a network similar to the one shown in the EIGRP Route-Map Filtering lesson. The difference I have in my network is that the tunnel area has two ASAs, so that if the primary route fails, routing information can be sent over a tunnel to the remote site via the internet. Routing on this network is provided by EIGRP. Currently, when the primary route fails, the link that goes over the internet goes into recursive routing and fails.

    ! First router (Tunnel0 192.168.100.1, tunnel destination 10.164.58.33)
    interface Tunnel0
     ip address 192.168.100.1 255.255.255.0
     tunnel source GigabitEthernet2/0.40
     tunnel destination 10.164.58.33
    !
    interface Loopback0
     description test interface
     ip address 10.164.56.8 255.255.255.255
    !
    interface FastEthernet0/0
     no ip address
     shutdown
     duplex half
    !
    interface GigabitEthernet1/0
     no ip address
     shutdown
     negotiation auto
    !
    interface GigabitEthernet2/0
     description SubInterfaced
     no ip address
     negotiation auto
    !
    interface GigabitEthernet2/0.20
     description Users
     encapsulation dot1Q 20
     ip address 10.164.57.1 255.255.255.128
     no snmp trap link-status
    !
    interface GigabitEthernet2/0.30
     description Servers
     encapsulation dot1Q 30
     ip address 10.164.56.49 255.255.255.248
     no snmp trap link-status
    !
    interface GigabitEthernet2/0.40
     description ASATransit
     encapsulation dot1Q 40
     ip address 10.164.56.33 255.255.255.248
     no snmp trap link-status
    !
    interface GigabitEthernet2/0.85
     description Cloudbridge
     encapsulation dot1Q 85
     ip address 10.164.56.57 255.255.255.248
     no snmp trap link-status
    !
    interface GigabitEthernet2/0.90
     description EntelMPLS
     encapsulation dot1Q 90
     ip address 192.168.1.252 255.255.255.0
     no snmp trap link-status
    !
    interface GigabitEthernet2/0.360
     description NetManagement
     encapsulation dot1Q 360
     ip address 10.164.56.41 255.255.255.248
     no snmp trap link-status
    !
    interface GigabitEthernet3/0
     description OptusTransit
     ip address 10.164.56.1 255.255.255.248
     negotiation auto
    !
    interface GigabitEthernet4/0
     no ip address
     shutdown
     negotiation auto
    !
    interface GigabitEthernet5/0
     no ip address
     shutdown
     negotiation auto
    !
    interface GigabitEthernet6/0
     no ip address
     shutdown
     negotiation auto
    !
    router eigrp 10
     redistribute connected
     redistribute bgp 64973 metric 4000 10 255 1 1476
     network 10.1.1.0 0.0.0.3
     network 10.164.56.0 0.0.0.7
     network 10.164.56.8 0.0.0.7
     network 10.164.56.16 0.0.0.7
     network 10.164.56.32 0.0.0.7
     network 10.164.56.40 0.0.0.7
     network 10.164.57.0 0.0.0.127
     network 192.168.1.0
     network 192.168.100.0
     no auto-summary
     eigrp router-id 1.1.1.1
     neighbor 10.164.56.34 GigabitEthernet2/0.40
     neighbor 192.168.100.2 Tunnel0
    !
    router bgp 64973
     no synchronization
     bgp log-neighbor-changes
     network 10.164.57.128 mask 255.255.255.128
     network 10.164.58.6 mask 255.255.255.255
     network 10.164.58.32 mask 255.255.255.248
     network 10.164.58.48 mask 255.255.255.248
     network 10.164.59.0 mask 255.255.255.192
     network 192.168.1.254 mask 255.255.255.255
     network 192.168.3.1 mask 255.255.255.255
     redistribute connected
     neighbor 10.164.56.2 remote-as 64972
     no auto-summary
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 10.164.56.34
    no ip http server
    no ip http secure-server
    !
    !
    !
    ip access-list standard NET_192_100
     permit 192.168.100.0 0.0.0.255
    ip access-list standard NET_56
     permit 10.164.56.32 0.0.0.7
    !
    ip access-list extended WCCP_GRE_Redirect
     permit ip any any
    ip access-list extended WCCP_Redirect
     deny   ip 0.0.0.0 255.255.248.0 0.0.0.0 255.255.248.0
     permit ip any any
    !
    logging alarm informational
    no cdp log mismatch duplex
    !
    route-map FILTER_OUT deny 10
     match ip address NET_192_100
    !
    route-map FILTER_OUT permit 20
    !
    route-map FILT_OUT_56 deny 10
     match ip address NET_56
    !
    route-map FILT_OUT_56 permit 20
    !
    !
    !
    !
    control-plane
    !
    !
    !
    !
    !
    !
    gatekeeper
     shutdown
    !
    !
    line con 0
     exec-timeout 0 0
     privilege level 15
     logging synchronous
     stopbits 1
    line aux 0
     exec-timeout 0 0
     privilege level 15
     logging synchronous
     stopbits 1
    line vty 0 4
    !
    !
    end
    
    ! Second router (Tunnel0 192.168.100.2, tunnel destination 10.164.56.33)
    interface Tunnel0
     ip address 192.168.100.2 255.255.255.0
     tunnel source GigabitEthernet2/0.40
     tunnel destination 10.164.56.33
    !
    interface Loopback0
     ip address 10.164.58.8 255.255.255.255
    !
    interface FastEthernet0/0
     no ip address
     shutdown
     duplex half
    !
    interface GigabitEthernet1/0
     no ip address
     shutdown
     negotiation auto
    !
    interface GigabitEthernet2/0
     description SubInterfaced
     no ip address
     negotiation auto
    !
    interface GigabitEthernet2/0.10
     description Servers
     encapsulation dot1Q 10
     ip address 10.164.59.1 255.255.255.192
     ip wccp 53 redirect in
     ip wccp 54 redirect in
     no snmp trap link-status
    !
    interface GigabitEthernet2/0.20
     description Users
     encapsulation dot1Q 20
     ip address 10.164.57.129 255.255.255.128
     ip helper-address 10.164.59.41
     ip wccp 53 redirect in
     ip wccp 54 redirect in
     no snmp trap link-status
    !
    interface GigabitEthernet2/0.30
     description GuestAccess
     encapsulation dot1Q 30
     ip address 172.16.34.1 255.255.255.128
     ip helper-address 10.164.59.41
     ip helper-address 10.160.0.40
     no snmp trap link-status
    !
    interface GigabitEthernet2/0.40
     description ASAInside
     encapsulation dot1Q 40
     ip address 10.164.58.33 255.255.255.248
     no snmp trap link-status
    !
    interface GigabitEthernet2/0.85
     description Cloudbridge
     encapsulation dot1Q 85
     ip address 10.164.58.1 255.255.255.248
     no snmp trap link-status
    !
    interface GigabitEthernet2/0.302
     description EntelMPLS
     encapsulation dot1Q 302
     ip address 192.168.3.2 255.255.255.0
     ip wccp 51 redirect in
     ip wccp 52 redirect in
     no snmp trap link-status
    !
    interface GigabitEthernet3/0
     no ip address
     shutdown
     negotiation auto
    !
    interface GigabitEthernet4/0
     no ip address
     shutdown
     negotiation auto
    !
    interface GigabitEthernet5/0
     no ip address
     shutdown
     negotiation auto
    !
    interface GigabitEthernet6/0
     no ip address
     shutdown
     negotiation auto
    !
    router eigrp 10
     network 10.164.56.66 0.0.0.0
     network 10.164.57.128 0.0.0.127
     network 10.164.58.1 0.0.0.0
     network 10.164.58.8 0.0.0.0
     network 10.164.58.32 0.0.0.7
     network 10.164.59.1 0.0.0.0
     network 192.168.3.0
     network 192.168.100.0
     distribute-list route-map FILT_OUT_58 out
     no auto-summary
     eigrp router-id 2.2.2.2
     neighbor 10.164.58.34 GigabitEthernet2/0.40
     neighbor 192.168.100.1 Tunnel0
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 10.164.58.34
    ip route 10.175.227.0 255.255.255.0 192.168.3.1 2
    ip route 10.175.228.0 255.255.255.0 192.168.3.1 2
    ip route 172.16.32.0 255.255.255.0 192.168.3.1 2
    no ip http server
    ip http access-class 20
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    !
    !
    !
    ip access-list standard NET_192_100
     permit 192.168.100.0 0.0.0.255
    ip access-list standard NET_58
     permit 10.164.58.32 0.0.0.7
    !
    ip access-list extended WCCP_Redirect_LAN_Ingress
     deny   ip any 10.164.56.0 0.0.7.255 log
     permit ip 10.164.56.0 0.0.7.255 10.0.0.0 0.255.255.255 log
    ip access-list extended WCCP_Redirect_WAN_Ingress
     deny   ip 10.164.56.0 0.0.7.255 any log
     permit ip 10.0.0.0 0.255.255.255 10.164.56.0 0.0.7.255
    !
    logging alarm informational
    no cdp log mismatch duplex
    !
    route-map FILTER_OUT deny 10
     match ip address NET_192_100
    !
    route-map FILTER_OUT permit 20
    !
    route-map FILT_OUT_58 deny 10
     match ip address NET_58
    !
    route-map FILT_OUT_58 permit 20
    !
    !
    !
    !
    control-plane
    !
    !
    !
    !
    !
    !
    gatekeeper
     shutdown
    !
    !
    line con 0
     exec-timeout 0 0
     privilege level 15
     logging synchronous
     stopbits 1
    line aux 0
     exec-timeout 0 0
     privilege level 15
     logging synchronous
     stopbits 1
    line vty 0 4
    !
    !
    end
    
    
    AWSANTASA01(config-router)# show run
    : Saved
    
    :
    : Serial Number: 9ARGJW8UCR7
    : Hardware:   ASAv, 2048 MB RAM, CPU Pentium II 3465 MHz
    :
    ASA Version 9.5(2)
    !
    hostname AWSANTASA01
    enable password 8Ry2YjIyt7RRXU24 encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    names
    !
    interface GigabitEthernet0/0
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/1
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/2
     nameif INSIDE
     security-level 100
     ip address 10.164.56.34 255.255.255.248
    !
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/4
     nameif OUTSIDE
     security-level 0
     ip address 200.111.55.138 255.255.255.248
    !
    interface GigabitEthernet0/5
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/6
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     management-only
     shutdown
     no nameif
     no security-level
     no ip address
    !
    ftp mode passive
    access-list LAN1_LAN2 extended permit ip 10.164.56.32 255.255.255.248 10.164.58.32 255.255.255.248
    pager lines 23
    mtu INSIDE 1500
    mtu OUTSIDE 1500
    no failover
    no monitor-interface service-module
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    router eigrp 10
     eigrp stub connected
     neighbor 10.164.56.33 interface INSIDE
     network 10.164.32.0 255.255.255.248
     network 10.164.56.32 255.255.255.248
     redistribute connected
    !
    route OUTSIDE 0.0.0.0 0.0.0.0 200.111.55.137 2
    route OUTSIDE 10.116.58.32 255.255.255.248 186.67.106.90 2
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    user-identity default-domain LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 INSIDE
    no snmp-server location
    no snmp-server contact
    crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac
    crypto ipsec security-association pmtu-aging infinite
    crypto map MY_CRYPTO_MAP 10 match address LAN1_LAN2
    crypto map MY_CRYPTO_MAP 10 set peer 186.67.106.90
    crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
    crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3600
    crypto map MY_CRYPTO_MAP interface OUTSIDE
    
    AWREQASA01# show run
    : Saved
    
    :
    : Serial Number: 9AGGCHM29TA
    : Hardware:   ASAv, 2048 MB RAM, CPU Pentium II 3465 MHz
    :
    ASA Version 9.5(2)
    !
    hostname AWREQASA01
    enable password 8Ry2YjIyt7RRXU24 encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    names
    !
    interface GigabitEthernet0/0
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/1
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/4
     nameif OUTSIDE
     security-level 0
     ip address 186.67.106.90 255.255.255.248
    !
    interface GigabitEthernet0/5
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/6
     nameif INSIDE
     security-level 100
     ip address 10.164.58.34 255.255.255.248
    !
    interface Management0/0
     management-only
     shutdown
     no nameif
     no security-level
     no ip address
    !
    ftp mode passive
    access-list LAN2_LAN1 extended permit ip 10.164.58.32 255.255.255.248 10.164.56.32 255.255.255.248
    pager lines 23
    mtu OUTSIDE 1500
    mtu INSIDE 1500
    no failover
    no monitor-interface service-module
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    router eigrp 10
     neighbor 10.164.58.33 interface INSIDE
     network 10.164.58.32 255.255.255.248
    !
    route OUTSIDE 0.0.0.0 0.0.0.0 186.67.106.89 1
    route OUTSIDE 10.164.56.32 255.255.255.248 200.111.55.138 2
    route INSIDE 10.164.57.128 255.255.255.128 10.164.58.33 2
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    user-identity default-domain LOCAL
    no snmp-server location
    no snmp-server contact
    crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac
    crypto ipsec security-association pmtu-aging infinite
    crypto map MY_CRYPTO_MAP 10 match address LAN2_LAN1
    crypto map MY_CRYPTO_MAP 10 set peer 200.111.55.138
    crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
    crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3600
    crypto map MY_CRYPTO_MAP interface OUTSIDE
  3. Hi @Robhorseman101,

    The EIGRP route-map filtering lesson only has two routers with a single link so I think you had something else in mind? :smile:

    In your config, I see the tunnel interfaces of your routers:

    interface Tunnel0
     ip address 192.168.100.2 255.255.255.0
     tunnel source GigabitEthernet2/0.40
     tunnel destination 10.164.56.33

    And:

    interface Tunnel0
     ip address 192.168.100.1 255.255.255.0
     tunnel source GigabitEthernet2/0.40
     tunnel destination 10.164.58.33

    Not sure on which router you get the recursive routing error, but, for example, if it's the first one, then somehow a more specific route to 10.164.56.33 gets installed through your tunnel interface.

    Make sure you filter those so that a route to 10.164.56.33 or 10.164.58.33 is never learned through the tunnel. Look for the networks that are advertised through the tunnel and deny those. If it is learned through EIGRP, you can do something like this:

    R1(config)#router eigrp 1
    R1(config-router)#distribute-list 1 in tunnel 0

    Hope this helps!
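
The reply above says to make sure the tunnel endpoints are never learned through the tunnel, and to look for the networks advertised through the tunnel and deny them. The script below is an added example, not code from this thread or from networklessons.com, that automates exactly that check. It reads trimmed excerpts constructed from the two router configs posted in reply 2 (the names ROUTER_A, ROUTER_B and the prefix-list NO_TUNNEL_ENDPOINTS are my own), works out which connected prefixes each router would advertise to its tunnel neighbour after its outbound distribute-list, and reports any of them that covers the other router's tunnel destination more specifically than that router's underlay route, which is the condition IOS reacts to by disabling the tunnel for recursive routing. On these excerpts the first router (Tunnel0 192.168.100.1) advertises 10.164.56.32/29 over the tunnel, because `redistribute connected` and `network 10.164.56.32 0.0.0.7` are present and the FILT_OUT_56 route-map in the posted config is defined but never applied with a distribute-list, while the second router's FILT_OUT_58 does keep 10.164.58.32/29 off the tunnel. The script then prints the prefix-list form of the fix for the advertising router; denying the same prefix inbound on the receiving router, as the reply suggests, works just as well. The model is deliberately simplified (assumptions are stated in the code comments): routes the real routers learn from the ASAs or from BGP redistribution are not considered.

```python
# Added example (not from the thread): flag a GRE tunnel that will go recursive
# because EIGRP carries the peer's tunnel endpoint through the tunnel. Assumed
# simplifications: only connected prefixes (via 'network' or 'redistribute
# connected') are advertised, only an outbound route-map distribute-list with
# standard-ACL deny clauses filters them, routes from other neighbours are ignored.
import ipaddress as ipa

def wildcard_net(addr, wild):
    """IOS 'address wildcard' pair -> ip_network."""
    return ipa.ip_network(f"{addr}/{ipa.IPv4Address(0xFFFFFFFF ^ int(ipa.IPv4Address(wild)))}", strict=False)

def classful_net(addr):
    """'network A.B.C.D' without a wildcard is a classful network in EIGRP."""
    o = int(addr.split(".")[0])
    return ipa.ip_network(f"{addr}/{8 if o < 128 else 16 if o < 192 else 24}", strict=False)

def parse_ios(cfg):
    """Extract tunnel, connected, static, EIGRP and filter facts from an IOS running-config."""
    r = {"connected": [], "statics": [], "networks": [], "redist_conn": False,
         "asn": None, "dist_out": None, "acls": {}, "rmap_deny": {}, "tunnel": {}}
    sec, kind = [], None
    for raw in cfg.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if not raw.startswith(" "):                                   # top-level line opens a section
            sec, kind = t, t[0]
            if t[:2] == ["ip", "route"]:
                r["statics"].append(ipa.ip_network(f"{t[2]}/{t[3]}", strict=False))
            elif t[:2] == ["router", "eigrp"]:
                kind, r["asn"] = "eigrp", t[2]
        elif kind == "interface" and t[:2] == ["ip", "address"]:
            net = ipa.ip_network(f"{t[2]}/{t[3]}", strict=False)
            r["connected"].append((ipa.IPv4Address(t[2]), net))
            if sec[1].startswith("Tunnel"):
                r["tunnel"]["net"] = net
        elif kind == "interface" and t[:2] == ["tunnel", "destination"]:
            r["tunnel"]["dst"] = ipa.IPv4Address(t[2])
        elif kind == "eigrp" and t[0] == "network":
            r["networks"].append(wildcard_net(t[1], t[2]) if len(t) == 3 else classful_net(t[1]))
        elif kind == "eigrp" and t[:2] == ["redistribute", "connected"]:
            r["redist_conn"] = True
        elif kind == "eigrp" and t[:2] == ["distribute-list", "route-map"] and t[3] == "out":
            r["dist_out"] = t[2]
        elif sec[:3] == ["ip", "access-list", "standard"] and t[0] == "permit":
            r["acls"].setdefault(sec[3], []).append(wildcard_net(t[1], t[2] if len(t) > 2 else "0.0.0.0"))
        elif kind == "route-map" and sec[2] == "deny" and t[:3] == ["match", "ip", "address"]:
            r["rmap_deny"].setdefault(sec[1], []).append(t[3])
    return r

def advertised_via_tunnel(r):
    """Connected prefixes the router sends its tunnel neighbour once the outbound filter is applied."""
    denied = [n for acl in r["rmap_deny"].get(r["dist_out"], []) for n in r["acls"].get(acl, [])]
    return [net for addr, net in r["connected"]
            if net != r["tunnel"].get("net")                                # split horizon: tunnel subnet not sent back
            and (r["redist_conn"] or any(addr in n for n in r["networks"]))
            and not any(net.network_address in d for d in denied)]          # standard ACL tests the route's network address

def recursion_hazards(local, peer):
    """Peer prefixes learned over the tunnel that beat local's underlay route to its own tunnel destination."""
    dst = local["tunnel"]["dst"]
    underlay = [n for _, n in local["connected"] if n != local["tunnel"]["net"]] + local["statics"]
    best = max((n.prefixlen for n in underlay if dst in n), default=-1)
    return [p for p in advertised_via_tunnel(peer) if dst in p and p.prefixlen > best]

def suggested_fix(advertiser, hazards, tunnel="Tunnel0"):
    """IOS lines for the advertising router: a prefix-list distribute-list keeping the hazards off the tunnel."""
    lines = [f"ip prefix-list NO_TUNNEL_ENDPOINTS seq {10 * i} deny {p}" for i, p in enumerate(hazards, 1)]
    lines.append("ip prefix-list NO_TUNNEL_ENDPOINTS seq 100 permit 0.0.0.0/0 le 32")
    return lines + [f"router eigrp {advertiser['asn']}", f" distribute-list prefix NO_TUNNEL_ENDPOINTS out {tunnel}"]

# Excerpts constructed from the two router configs posted in the thread (only the lines the check reads).
ROUTER_A = """interface Tunnel0
 ip address 192.168.100.1 255.255.255.0
 tunnel destination 10.164.58.33
interface GigabitEthernet2/0.40
 ip address 10.164.56.33 255.255.255.248
router eigrp 10
 redistribute connected
 network 10.164.56.32 0.0.0.7
 network 192.168.100.0
ip route 0.0.0.0 0.0.0.0 10.164.56.34
"""
ROUTER_B = """interface Tunnel0
 ip address 192.168.100.2 255.255.255.0
 tunnel destination 10.164.56.33
interface GigabitEthernet2/0.40
 ip address 10.164.58.33 255.255.255.248
router eigrp 10
 network 10.164.58.32 0.0.0.7
 network 192.168.100.0
 distribute-list route-map FILT_OUT_58 out
ip route 0.0.0.0 0.0.0.0 10.164.58.34
ip access-list standard NET_58
 permit 10.164.58.32 0.0.0.7
route-map FILT_OUT_58 deny 10
 match ip address NET_58
"""
if __name__ == "__main__":
    a, b = parse_ios(ROUTER_A), parse_ios(ROUTER_B)
    print("A Tunnel0:", recursion_hazards(a, b), "| B Tunnel0:", recursion_hazards(b, a))
    print("\n".join(suggested_fix(a, recursion_hazards(b, a))))
```

Because the script only sees connected prefixes, confirm the result on the box: after applying the filter, `show ip route 10.164.56.33` on the second router must resolve through the underlay (here the static default towards the ASA), never through Tunnel0, and the `%TUN-5-RECURDOWN` message should stop appearing in the log. The route-map, standard ACL and prefix-list forms of the distribute-list all express the same filter; the prefix-list is used for the generated fix because it states the prefix length explicitly, where a standard ACL only matches the network address.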

  4. Hi Rene,

    I had a question on the Design and efficiency portion here.

    We can place an access-list "in" or "out". I looked up the following, which says a standard access list should be placed near the destination.

    Standard Access Control List (ACL) filters the traffic based on source IP address. Therefore a Standard Access Control List (ACL) must be placed on the router which is near to the destination network/host where it is denied. If we place the Standard Access Control List (ACL) near to the source of the traffic, there is a chance of denial of other legitimate traffic from the source network to some other network.

    http://www.omnisecu.com/cisco-certified-network-associate-ccna/where-should-a-standard-access-control-list-acl-be-placed.php

    I also looked up the extended:

    Extended Access Control List (ACL) can filter the traffic based many factors like source IP address, destination IP address, Protocol, TCP or UDP port numbers etc.

    Since an Extended Access Control List (ACL) can filter the IP datagram packet based on the destination IP address, it must be placed on the router which is near to the source network/host. If we place the Extended Access Control List (ACL) near to the destination, the unwanted traffic may consume the bandwidth till the destination, and the unwanted traffic will get filtered finally near the destination.

    http://www.omnisecu.com/cisco-certified-network-associate-ccna/where-should-an-extended-access-control-list-acl-be-placed.php

    However, what is best practice? What saves the CPU the most work? I mean, it almost seems to me that if I placed the ACL on the source R2 in your example, so that it did not even have to send the traffic, I would save processing on both R2 and R1, which is more efficient.

    Also, since this is only applied to EIGRP, it will not affect other traffic anyway. So the rule for the standard ACL would not seem to apply here, so it seems like you could break that rule in the best interest of efficiency and use a standard one.

    However, you could use an extended one here as well if you wanted. So another question I have, in addition to those already asked, is: does the extended access list cause more work for the processor than the standard one?

    What is best practice here that will put the least load on our routers?

    Also, what is best performance- and architecture-wise: distribution ACL, prefix-list, or route-map?

  5. Thanks for answering.

    So it seems to me that best practice here is just a starting point. Once you get enough knowledge, you can be even more efficient depending on the specific design and setup. That was what I was really getting at. I am starting to understand it, so my thinking, once I have the basic grasp, is not held down by specific rules, because rules are for the most part general in nature.

    I just wanted to ask and confirm that beforehand, because while what I just stated is logical and common sense, if you're not careful and don't ask questions there may be an unknown that can have an impact, and I would hate to pull something into my toolbox of knowledge that might be a no-no... Thank you for helping to set up boundaries so that I know when to follow the boundaries and when to change them to tailor-fit something.

    When I don't know how big my world is, or the box on a specific item, I am generally very cautious until I find the boundaries of my box, and then after that point I can use my imagination and creativity to run amok, but only after I have a basic grasp of the foundations and understand the complete system of that box.

    So yes that does help a lot! =)
