Inbound filtering controls which incoming route updates are accepted into the routing table. Here I will describe two methods for applying RIP inbound filtering: a prefix-list and an extended ACL.
Using a prefix-list allows us to filter route-prefixes from a specific host, using the following syntax:
router(config)#ip prefix-list NET seq 10 permit 192.168.3.0/24
router(config)#ip prefix-list NET seq 20 permit 192.168.30.0/24
router(config)#ip prefix-list SRC seq 10 permit 10.1.124.2/32
router(config-router)#distribute-list prefix NET gateway SRC in
The first two lines set the networks that we allow into the routing table, the third line identifies the router we wish to filter from, and the last line applies both prefix-lists to RIP using the distribute-list command.
A distribute-list has local significance on the router and does not apply to the RIP update or request messages themselves; it suppresses route-prefixes from the RIP database to the routing table.
Using an extended access-list provides much more flexibility when configuring RIP filtering. For example:
router(config)#ip access-list extended 100
router(config-ext-nacl)#permit ip host 10.1.124.2 host 192.168.3.0
router(config-ext-nacl)#permit ip host 10.1.124.2 host 192.168.30.0
router(config-ext-nacl)#deny ip host 10.1.124.2 host 192.168.33.0
router(config-ext-nacl)#permit ip any any
router(config-router)#distribute-list 100 in
In the above example I have configured the router to accept route-prefixes 192.168.3.0/24 and 192.168.30.0/24 from router 10.1.124.2, deny route-prefix 192.168.33.0/24 from entering the routing table, and permit everything else from any other RIP-enabled router.
Pay attention that the ACL is a little bit different than a normal ACL: in this case the next-hop router is referred to as the first host and the route-prefix is the second host.
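To make the two matching rules concrete, here is an added Python model (not the post's own configuration, and not IOS code) that evaluates constructed RIP updates against both the prefix-list/gateway pair and the extended ACL shown above. It assumes prefix-list entries without ge/le match an exact prefix and length, that the gateway is matched as a /32, and that the ACL's destination field is checked against the advertised network address only; the dataclass and function names are hypothetical.

```python
"""Model of RIP inbound distribute-list filtering: prefix-list with gateway,
and extended ACL. Hypothetical helper code written for this post; not IOS."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class RouteUpdate:
    gateway: str  # source address of the RIP neighbour advertising the route
    prefix: str   # advertised network in CIDR form


@dataclass(frozen=True)
class PrefixEntry:
    seq: int
    action: str   # "permit" or "deny"
    network: str  # exact prefix/length; ge/le ranges are not modelled (assumption)


@dataclass(frozen=True)
class AclEntry:
    action: str
    src: str      # "host A" -> "A/32", "any" -> "0.0.0.0/0"; matched against the next hop
    dst: str      # same notation; matched against the advertised network address


def prefix_list_permits(entries, candidate):
    """First match in sequence order wins; anything unmatched hits the implicit deny."""
    net = ipaddress.ip_network(candidate, strict=False)
    for e in sorted(entries, key=lambda x: x.seq):
        if net == ipaddress.ip_network(e.network, strict=False):
            return e.action == "permit"
    return False


def prefix_gateway_filter(net_list, gw_list, update):
    """distribute-list prefix NET gateway SRC in: both lists must permit the update."""
    return (prefix_list_permits(gw_list, update.gateway + "/32")
            and prefix_list_permits(net_list, update.prefix))


def extended_acl_filter(acl, update):
    """distribute-list <extended ACL> in: source field = next hop, destination = network."""
    gw = ipaddress.ip_address(update.gateway)
    net_addr = ipaddress.ip_network(update.prefix, strict=False).network_address
    for e in acl:
        if gw in ipaddress.ip_network(e.src) and net_addr in ipaddress.ip_network(e.dst):
            return e.action == "permit"
    return False  # implicit deny at the end of every ACL


# Constructed data mirroring the configuration in the post.
NET = [PrefixEntry(10, "permit", "192.168.3.0/24"),
       PrefixEntry(20, "permit", "192.168.30.0/24")]
SRC = [PrefixEntry(10, "permit", "10.1.124.2/32")]

ACL_100 = [AclEntry("permit", "10.1.124.2/32", "192.168.3.0/32"),
           AclEntry("permit", "10.1.124.2/32", "192.168.30.0/32"),
           AclEntry("deny",   "10.1.124.2/32", "192.168.33.0/32"),
           AclEntry("permit", "0.0.0.0/0",     "0.0.0.0/0")]


def evaluate(update):
    """Return (accepted_by_prefix_gateway, accepted_by_extended_acl) for one update."""
    return (prefix_gateway_filter(NET, SRC, update),
            extended_acl_filter(ACL_100, update))


if __name__ == "__main__":
    # Constructed sample updates: two from the trusted neighbour, two from another router.
    samples = [RouteUpdate("10.1.124.2", "192.168.3.0/24"),
               RouteUpdate("10.1.124.2", "192.168.33.0/24"),
               RouteUpdate("10.1.124.3", "192.168.3.0/24"),
               RouteUpdate("10.1.124.3", "172.16.9.0/24")]
    for u in samples:
        pl, acl = evaluate(u)
        print(f"{u.gateway} advertises {u.prefix}: prefix/gateway={pl} acl={acl}")
```

Running it shows the practical difference between the two methods: the prefix-list/gateway pair rejects every update that is not from 10.1.124.2, because SRC has an implicit deny, while the extended ACL's final permit any any lets updates from other neighbours through and only blocks 192.168.33.0 from the one named router.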