A small lab on RIPv2 and the use of prefix-lists which had a pretty neat solution with filtering by advertising router that I hadn’t seen before.
- Stop R5 from advertising the Loopback-prefixes of R6 & R7 to R8 with a prefix-list, everything else should be forwarded
- On R5, filter out any RIP updates received from R4 over the DMVPN cloud; other routes should still be accepted over DMVPN
We enable RIPv2 on all routers with the very basic commands:
router rip
 version 2
 network 188.8.131.52
 network 184.108.40.206
 no auto-summary
Step 1 should be fairly straightforward: we create a prefix-list denying the loopbacks of R6 & R7 and filter updates going out on Gi1.58 on R5.
ip prefix-list LO_FILTER deny 220.127.116.11/32
ip prefix-list LO_FILTER deny 18.104.22.168/32
ip prefix-list LO_FILTER permit 0.0.0.0/0 le 32
The “permit 0.0.0.0/0 le 32” entry works just like a “permit any any” in an access-list: it matches every prefix of any length from /0 to /32, so anything not caught by the deny entries above it is permitted. The final step is to set which interface (Gi1.58) and in what direction (outgoing) the list should be applied.
router rip
 distribute-list prefix LO_FILTER out GigabitEthernet1.58
After the invalid timer has expired, the routes for R6's and R7's loopbacks should drop from R8's routing table while R8 still receives the rest of the networks.
R8# sh ip route | beg Gate
Gateway of last resort is not set

      22.214.171.124/32 is subnetted, 8 subnets
R        126.96.36.199 [120/2] via 188.8.131.52, 00:00:28, GigabitEthernet1.58
R        184.108.40.206 [120/2] via 220.127.116.11, 00:00:28, GigabitEthernet1.58
R        18.104.22.168 [120/2] via 22.214.171.124, 00:00:28, GigabitEthernet1.58
R        126.96.36.199 [120/2] via 188.8.131.52, 00:00:28, GigabitEthernet1.58
R        184.108.40.206 [120/1] via 220.127.116.11, 00:00:28, GigabitEthernet1.58
C        18.104.22.168 is directly connected, Loopback0
R        22.214.171.124 [120/4] via 126.96.36.199, 00:00:28, GigabitEthernet1.58
R        188.8.131.52 [120/1] via 184.108.40.206, 00:00:05, GigabitEthernet1.108
The next requirement is the tricky bit. Here I was stuck for quite a while, and I still haven’t actually managed to find any current official documentation regarding it except for some deprecated IOS 12.2 docs. First things first: as we need to filter out routes from R4 over the DMVPN and accept the rest, let’s create two (a bit strange, I know, but you’ll soon see why) prefix-lists:
ip prefix-list ACCEPT_ALL permit 0.0.0.0/0 le 32
ip prefix-list BLOCK_R4 deny 220.127.116.11/32
ip prefix-list BLOCK_R4 permit 0.0.0.0/0 le 32
We then use an extension of the distribute-list command in RIP that’s called “gateway”: the first prefix-list (ACCEPT_ALL) specifies which networks we will accept, and the second (BLOCK_R4) is matched against the source address of the router that advertised them, so updates from R4’s tunnel address are dropped while everything else passes. The actual command looks like this:
router rip
 distribute-list prefix ACCEPT_ALL gateway BLOCK_R4 in
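To make the two filters concrete, here is a small Python model of how IOS evaluates a prefix-list and how the outbound filter from step 1 and the prefix-plus-gateway filter from step 2 differ. This is example code written for this write-up, not Cisco code or anything from the lab; the addresses in it are constructed lab values (R6/R7 loopbacks 10.0.6.6 and 10.0.7.7, R4 loopback 10.0.4.4, R4 reachable as 10.0.0.4 on the tunnel and 10.0.45.4 on the physical link), not the ones in the post. The point it shows is that the gateway list is matched against the source address of each update as a /32, which is why the same loopback can be rejected over the DMVPN cloud yet accepted over a physical link.

```python
"""
Toy model of Cisco IOS prefix-list matching and of RIP
'distribute-list prefix NAME [gateway GW] in|out' evaluation.
Example code for this write-up; not Cisco code. All addresses are
constructed lab values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PrefixListEntry:
    action: str                     # "permit" or "deny"
    prefix: ipaddress.IPv4Network   # network/length from the config line
    ge: Optional[int] = None        # optional lower bound on prefix length
    le: Optional[int] = None        # optional upper bound on prefix length


def parse_prefix_lists(config: str) -> Dict[str, List[PrefixListEntry]]:
    """Parse 'ip prefix-list NAME permit|deny A.B.C.D/L [ge N] [le M]' lines."""
    lists: Dict[str, List[PrefixListEntry]] = {}
    for raw in config.strip().splitlines():
        tokens = raw.split()
        if len(tokens) < 5 or tokens[:2] != ["ip", "prefix-list"] \
                or tokens[3] not in ("permit", "deny"):
            raise ValueError(f"unsupported line: {raw}")
        name, action, net = tokens[2], tokens[3], tokens[4]
        ge = le = None
        opts = tokens[5:]
        while opts:
            kw, val, opts = opts[0], int(opts[1]), opts[2:]
            if kw == "ge":
                ge = val
            elif kw == "le":
                le = val
            else:
                raise ValueError(f"unknown option {kw!r} in: {raw}")
        lists.setdefault(name, []).append(
            PrefixListEntry(action, ipaddress.IPv4Network(net, strict=False), ge, le))
    return lists


def entry_matches(entry: PrefixListEntry, route: ipaddress.IPv4Network) -> bool:
    """IOS semantics: the route's first L bits must equal the entry's network and
    its length must fall in the range implied by ge/le (exact length when neither
    is given; 'le 32' alone gives [L, 32]; 'ge N' alone gives [N, 32])."""
    low = entry.ge if entry.ge is not None else entry.prefix.prefixlen
    if entry.le is not None:
        high = entry.le
    else:
        high = 32 if entry.ge is not None else entry.prefix.prefixlen
    if not low <= route.prefixlen <= high:
        return False
    return route.network_address in entry.prefix


def permitted(plist: List[PrefixListEntry], route: ipaddress.IPv4Network) -> bool:
    """First matching entry wins; a route matching nothing hits the implicit deny."""
    for entry in plist:
        if entry_matches(entry, route):
            return entry.action == "permit"
    return False


def filter_outbound(advertised: List[str], plist: List[PrefixListEntry]) -> List[str]:
    """'distribute-list prefix NAME out': keep only the prefixes NAME permits."""
    return [p for p in advertised if permitted(plist, ipaddress.IPv4Network(p))]


def filter_inbound(updates: List[Tuple[str, str]],
                   plist: List[PrefixListEntry],
                   gateway_list: List[PrefixListEntry]) -> List[Tuple[str, str]]:
    """'distribute-list prefix NAME gateway GW in': a route is installed only if the
    prefix passes NAME *and* the update's source address passes GW (checked as a /32)."""
    accepted = []
    for prefix, source in updates:
        route = ipaddress.IPv4Network(prefix)
        gateway = ipaddress.IPv4Network(f"{source}/32")
        if permitted(plist, route) and permitted(gateway_list, gateway):
            accepted.append((prefix, source))
    return accepted


# Constructed lab config mirroring the post's three prefix-lists (addresses are made up).
CONFIG = """
ip prefix-list LO_FILTER deny 10.0.6.6/32
ip prefix-list LO_FILTER deny 10.0.7.7/32
ip prefix-list LO_FILTER permit 0.0.0.0/0 le 32
ip prefix-list ACCEPT_ALL permit 0.0.0.0/0 le 32
ip prefix-list BLOCK_R4 deny 10.0.0.4/32
ip prefix-list BLOCK_R4 permit 0.0.0.0/0 le 32
"""


def demo_outbound() -> List[str]:
    """Step 1: what R5 still advertises to R8 once LO_FILTER is applied outbound."""
    lists = parse_prefix_lists(CONFIG)
    return filter_outbound(["10.0.6.6/32", "10.0.7.7/32", "10.0.4.4/32", "10.0.45.0/24"],
                           lists["LO_FILTER"])


def demo_inbound() -> List[Tuple[str, str]]:
    """Step 2: R4's loopback is dropped when learnt from R4's tunnel address but
    accepted when learnt from R4's physical-link address."""
    lists = parse_prefix_lists(CONFIG)
    updates = [
        ("10.0.4.4/32", "10.0.0.4"),    # R4's loopback, update sourced over the DMVPN cloud
        ("10.0.4.4/32", "10.0.45.4"),   # R4's loopback, update sourced over the physical link
        ("10.0.6.6/32", "10.0.0.6"),    # R6's loopback over the DMVPN cloud
    ]
    return filter_inbound(updates, lists["ACCEPT_ALL"], lists["BLOCK_R4"])


if __name__ == "__main__":
    print("R5 -> R8 advertises:", demo_outbound())
    print("R5 installs:", demo_inbound())
```

Running it prints the two filtered lists. The gateway check only ever sees the address the neighbour sourced the update from, so a neighbour reachable over two paths is filtered per path, not per router; if the goal were to block R4 entirely, every address it can source updates from would need a deny entry in the gateway list.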
We should now see every network except the ones advertised from R4 over the DMVPN-cloud (18.104.22.168):
R5#sh ip route | beg Gate
Gateway of last resort is not set

      22.214.171.124/32 is subnetted, 10 subnets
R        126.96.36.199 [120/1] via 188.8.131.52, 00:00:07, Tunnel0
R        184.108.40.206 [120/1] via 220.127.116.11, 00:00:12, Tunnel0
R        18.104.22.168 [120/1] via 22.214.171.124, 00:00:06, Tunnel0
R        126.96.36.199 [120/1] via 188.8.131.52, 00:00:09, GigabitEthernet1.45
C        184.108.40.206 is directly connected, Loopback0
R        220.127.116.11 [120/2] via 18.104.22.168, 00:00:07, Tunnel0
R        22.214.171.124 [120/2] via 126.96.36.199, 00:00:06, Tunnel0
R        188.8.131.52 [120/1] via 184.108.40.206, 00:00:19, GigabitEthernet1.58
R        220.127.116.11 [120/3] via 18.104.22.168, 00:00:06, Tunnel0
R        22.214.171.124 [120/2] via 126.96.36.199, 00:00:19, GigabitEthernet1.58

R5#sh ip rip database 188.8.131.52 255.255.255.255
184.108.40.206/32
    via 220.127.116.11, 00:00:20, GigabitEthernet1.45
Sweet! We’re still receiving R4’s loopback but over the physical link instead of the DMVPN.