A small lab on RIPv2 and the use of prefix-lists which had a pretty neat solution with filtering by advertising router that I hadn’t seen before.
- Stop R5 from advertising the Loopback-prefixes of R6 & R7 to R8 with a prefix-list; everything else should be forwarded
- In R5, filter out any RIP updates received from R4 over the DMVPN-cloud; other routes should be accepted over DMVPN
We enable RIPv2 on all routers with the very basic commands:
    router rip
     version 2
     network 18.104.22.168
     network 22.214.171.124
     no auto-summary
Step 1 should be fairly straightforward: we create a prefix-list denying the loopbacks of R6 & R7 and filter updates going out on Gi1.58 on R5.
    ip prefix-list LO_FILTER deny 126.96.36.199/32
    ip prefix-list LO_FILTER deny 188.8.131.52/32
    ip prefix-list LO_FILTER permit 0.0.0.0/0 le 32
The “permit 0.0.0.0/0 le 32” matches every prefix of any length, so it works just like a “permit any any” in an access-list. The final step is to set the interface (Gi1.58) and the direction (outgoing) in which the filter is applied.
    router rip
     distribute-list prefix LO_FILTER out GigabitEthernet1.58
After the invalid timer has expired, the routes for R6's & R7's loopbacks should drop from R8's routing table, while R8 still receives the rest of the networks.
    R8# sh ip route | beg Gate
    Gateway of last resort is not set

          184.108.40.206/32 is subnetted, 8 subnets
    R        220.127.116.11 [120/2] via 18.104.22.168, 00:00:28, GigabitEthernet1.58
    R        22.214.171.124 [120/2] via 126.96.36.199, 00:00:28, GigabitEthernet1.58
    R        188.8.131.52 [120/2] via 184.108.40.206, 00:00:28, GigabitEthernet1.58
    R        220.127.116.11 [120/2] via 18.104.22.168, 00:00:28, GigabitEthernet1.58
    R        22.214.171.124 [120/1] via 126.96.36.199, 00:00:28, GigabitEthernet1.58
    C        188.8.131.52 is directly connected, Loopback0
    R        184.108.40.206 [120/4] via 220.127.116.11, 00:00:28, GigabitEthernet1.58
    R        18.104.22.168 [120/1] via 22.214.171.124, 00:00:05, GigabitEthernet1.108
The next requirement is the tricky bit. Here I was stuck for quite a while, and I still haven’t actually managed to find any current official documentation regarding it except for these deprecated IOS 12.2 docs. First step first: as we need to filter out routes from R4 over the DMVPN and accept the rest, let’s create two (a bit strange I know, but you’ll soon see why) prefix-lists:
    ip prefix-list ACCEPT_ALL permit 0.0.0.0/0 le 32
    ip prefix-list BLOCK_R4 deny 126.96.36.199/32
    ip prefix-list BLOCK_R4 permit 0.0.0.0/0 le 32
We then use an extension of the distribute-list command in RIP that's called “gateway”: the first prefix-list specifies which networks we will accept (ACCEPT_ALL), and the gateway prefix-list filters by the router the update came from (BLOCK_R4). The actual command looks like this:
    router rip
     distribute-list prefix ACCEPT_ALL gateway BLOCK_R4 in
We should now see every network except the ones advertised from R4 over the DMVPN-cloud (188.8.131.52):
    R5#sh ip route | beg Gate
    Gateway of last resort is not set

          184.108.40.206/32 is subnetted, 10 subnets
    R        220.127.116.11 [120/1] via 18.104.22.168, 00:00:07, Tunnel0
    R        22.214.171.124 [120/1] via 126.96.36.199, 00:00:12, Tunnel0
    R        188.8.131.52 [120/1] via 184.108.40.206, 00:00:06, Tunnel0
    R        220.127.116.11 [120/1] via 18.104.22.168, 00:00:09, GigabitEthernet1.45
    C        22.214.171.124 is directly connected, Loopback0
    R        126.96.36.199 [120/2] via 188.8.131.52, 00:00:07, Tunnel0
    R        184.108.40.206 [120/2] via 220.127.116.11, 00:00:06, Tunnel0
    R        18.104.22.168 [120/1] via 22.214.171.124, 00:00:19, GigabitEthernet1.58
    R        126.96.36.199 [120/3] via 188.8.131.52, 00:00:06, Tunnel0
    R        184.108.40.206 [120/2] via 220.127.116.11, 00:00:19, GigabitEthernet1.58

    R5#sh ip rip database 18.104.22.168 255.255.255.255
    22.214.171.124/32
        via 126.96.36.199, 00:00:20, GigabitEthernet1.45
Sweet! We’re still receiving R4’s loopback but over the physical link instead of the DMVPN.
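
To make the evaluation order concrete, here is a small Python model of how the prefix-list and gateway filters combine (an added example, not part of the original lab and not Cisco's code). All addresses are constructed placeholders, and treating the update's source as a /32 host is an assumption taken from the BLOCK_R4 entry above.

```python
import ipaddress

def parse_entry(line):
    """Parse 'permit|deny PREFIX/LEN [ge N] [le N]' into (action, net, lo, hi)."""
    tok = line.split()
    action, net = tok[0], ipaddress.ip_network(tok[1])
    opts = dict(zip(tok[2::2], map(int, tok[3::2])))
    ge, le = opts.get("ge"), opts.get("le")
    if ge is None and le is None:
        lo = hi = net.prefixlen          # no ge/le: exact prefix length only
    else:
        lo = net.prefixlen if ge is None else ge
        hi = 32 if le is None else le
    return action, net, lo, hi

def permits(plist, route):
    """First matching entry wins; falling off the end is an implicit deny."""
    route = ipaddress.ip_network(route)
    for action, net, lo, hi in plist:
        if lo <= route.prefixlen <= hi and route.subnet_of(net):
            return action == "permit"
    return False

def accept_update(prefix_list, gateway_list, source, route):
    """Model of 'distribute-list prefix P gateway G in': both must permit."""
    return permits(gateway_list, f"{source}/32") and permits(prefix_list, route)

ACCEPT_ALL = [parse_entry("permit 0.0.0.0/0 le 32")]
BLOCK_R4 = [parse_entry("deny 10.0.0.4/32"),        # constructed R4 tunnel address
            parse_entry("permit 0.0.0.0/0 le 32")]

# Constructed updates: (source address of the update, advertised prefix)
UPDATES = [
    ("10.0.0.4", "192.0.2.4/32"),    # R4's loopback, heard over the tunnel
    ("10.0.0.4", "192.0.2.6/32"),    # another prefix relayed by R4 over the tunnel
    ("10.0.0.1", "192.0.2.1/32"),    # a different router on the tunnel
    ("10.45.0.4", "192.0.2.4/32"),   # R4 again, sourced from the physical link
]

def filter_updates(updates):
    """Return the updates that survive the inbound distribute-list."""
    return [(s, r) for s, r in updates if accept_update(ACCEPT_ALL, BLOCK_R4, s, r)]

if __name__ == "__main__":
    for src, route in filter_updates(UPDATES):
        print(f"accepted {route} from {src}")
```

The last constructed update is accepted because the gateway list matches the source address of the update rather than the router that originated the prefix, which is why R4's loopback still shows up via the physical link.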