CCIE Security V4 Technology Labs Section 1:

System Hardening and Availability

Route Filtering with RIPv2


Last updated: May 3, 2013

Task
Load the task configuration files for R1, R2, R3, SW1, and SW3.
On R3, ensure that RFC1918 routes are never sent in any RIP routing update to R1.
Ensure that SW1 still sees routes to any RFC1918 network that was in the routing table when the default configs were loaded.
Ensure that your own network is never advertised into R3 from R1.
Ensure that you do not accept RIP routes for the following networks:
0.0.0.0/8
127.0.0.0/8
169.254.0.0/16
192.0.2.0/24
198.18.0.0/15
224.0.0.0/4
255.255.255.255/32

Explanation and Verification


Begin by verifying that you are receiving RIP routes on all routers and SW1.

R1:

R1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
      10.0.0.0/24 is subnetted, 2 subnets
R        10.0.0.0 [120/1] via 136.1.13.3, 00:00:07, GigabitEthernet0/0
R        10.1.0.0 [120/1] via 136.1.13.3, 00:00:07, GigabitEthernet0/0
      19.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        19.0.0.0/8 is directly connected, Loopback12
L        19.0.0.1/32 is directly connected, Loopback12
      136.1.0.0/16 is variably subnetted, 10 subnets, 2 masks
C        136.1.13.0/24 is directly connected, GigabitEthernet0/0
L        136.1.13.1/32 is directly connected, GigabitEthernet0/0
R        136.1.23.0/24 [120/1] via 136.1.13.3, 00:00:07, GigabitEthernet0/0
R        136.1.24.0/24 [120/2] via 136.1.13.3, 00:00:07, GigabitEthernet0/0
R        136.1.25.0/24 [120/2] via 136.1.13.3, 00:00:07, GigabitEthernet0/0
R        136.1.26.0/24 [120/2] via 136.1.13.3, 00:00:07, GigabitEthernet0/0
R        136.1.27.0/24 [120/2] via 136.1.13.3, 00:00:07, GigabitEthernet0/0
R        136.1.28.0/24 [120/2] via 136.1.13.3, 00:00:07, GigabitEthernet0/0
C        136.1.99.0/24 is directly connected, Loopback99
L        136.1.99.1/32 is directly connected, Loopback99
      146.77.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        146.77.77.0/24 is directly connected, Loopback13
L        146.77.77.1/32 is directly connected, Loopback13
      150.1.0.0/16 is variably subnetted, 3 subnets, 2 masks
C        150.1.1.0/24 is directly connected, Loopback0
L        150.1.1.1/32 is directly connected, Loopback0
R        150.1.2.0/24 [120/2] via 136.1.13.3, 00:00:07, GigabitEthernet0/0
      176.14.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        176.14.23.0/24 is directly connected, Loopback11
L        176.14.23.1/32 is directly connected, Loopback11
      209.85.22.0/24 is variably subnetted, 2 subnets, 2 masks
C        209.85.22.0/24 is directly connected, Loopback10
L        209.85.22.1/32 is directly connected, Loopback10

R1#

R3:

R3#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.0.0.0/24 is directly connected, FastEthernet0/0.10
L        10.0.0.3/32 is directly connected, FastEthernet0/0.10
C        10.1.0.0/24 is directly connected, FastEthernet0/0.11
L        10.1.0.3/32 is directly connected, FastEthernet0/0.11
R     19.0.0.0/8 [120/1] via 136.1.13.1, 00:00:20, FastEthernet0/0.13
      136.1.0.0/16 is variably subnetted, 10 subnets, 2 masks
C        136.1.13.0/24 is directly connected, FastEthernet0/0.13
L        136.1.13.3/32 is directly connected, FastEthernet0/0.13
C        136.1.23.0/24 is directly connected, FastEthernet0/0.23
L        136.1.23.3/32 is directly connected, FastEthernet0/0.23
R        136.1.24.0/24 [120/1] via 136.1.23.20, 00:00:24, FastEthernet0/0.23
R        136.1.25.0/24 [120/1] via 136.1.23.20, 00:00:24, FastEthernet0/0.23
R        136.1.26.0/24 [120/1] via 136.1.23.20, 00:00:24, FastEthernet0/0.23
R        136.1.27.0/24 [120/1] via 136.1.23.20, 00:00:24, FastEthernet0/0.23
R        136.1.28.0/24 [120/1] via 136.1.23.20, 00:00:24, FastEthernet0/0.23
R        136.1.99.0/24 [120/1] via 136.1.13.1, 00:00:20, FastEthernet0/0.13
      146.77.0.0/24 is subnetted, 1 subnets
R        146.77.77.0 [120/1] via 136.1.13.1, 00:00:20, FastEthernet0/0.13
      150.1.0.0/24 is subnetted, 2 subnets
R        150.1.1.0 [120/1] via 136.1.13.1, 00:00:20, FastEthernet0/0.13
R        150.1.2.0 [120/1] via 136.1.23.2, 00:00:24, FastEthernet0/0.23
      176.14.0.0/24 is subnetted, 1 subnets
R        176.14.23.0 [120/1] via 136.1.13.1, 00:00:20, FastEthernet0/0.13
R     209.85.22.0/24 [120/1] via 136.1.13.1, 00:00:20, FastEthernet0/0.13

R3#

R2:

R2#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
      10.0.0.0/24 is subnetted, 2 subnets
R        10.0.0.0 [120/1] via 136.1.23.3, 00:00:25, GigabitEthernet0/0
R        10.1.0.0 [120/1] via 136.1.23.3, 00:00:25, GigabitEthernet0/0
R     19.0.0.0/8 [120/2] via 136.1.23.3, 00:00:25, GigabitEthernet0/0
      136.1.0.0/16 is variably subnetted, 9 subnets, 2 masks
R        136.1.13.0/24 [120/1] via 136.1.23.3, 00:00:25, GigabitEthernet0/0
C        136.1.23.0/24 is directly connected, GigabitEthernet0/0
L        136.1.23.2/32 is directly connected, GigabitEthernet0/0
R        136.1.24.0/24 [120/1] via 136.1.23.20, 00:00:20, GigabitEthernet0/0
R        136.1.25.0/24 [120/1] via 136.1.23.20, 00:00:20, GigabitEthernet0/0
R        136.1.26.0/24 [120/1] via 136.1.23.20, 00:00:20, GigabitEthernet0/0
R        136.1.27.0/24 [120/1] via 136.1.23.20, 00:00:20, GigabitEthernet0/0
R        136.1.28.0/24 [120/1] via 136.1.23.20, 00:00:20, GigabitEthernet0/0
R        136.1.99.0/24 [120/2] via 136.1.23.3, 00:00:02, GigabitEthernet0/0
      146.77.0.0/24 is subnetted, 1 subnets
R        146.77.77.0 [120/2] via 136.1.23.3, 00:00:02, GigabitEthernet0/0
      150.1.0.0/16 is variably subnetted, 3 subnets, 2 masks
R        150.1.1.0/24 [120/2] via 136.1.23.3, 00:00:02, GigabitEthernet0/0
C        150.1.2.0/24 is directly connected, Loopback0
L        150.1.2.2/32 is directly connected, Loopback0
      176.14.0.0/24 is subnetted, 1 subnets
R        176.14.23.0 [120/2] via 136.1.23.3, 00:00:03, GigabitEthernet0/0
R     209.85.22.0/24 [120/2] via 136.1.23.3, 00:00:03, GigabitEthernet0/0

R2#

SW1:

SW1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
      136.1.0.0/24 is subnetted, 8 subnets
R        136.1.13.0 [120/1] via 136.1.23.3, 00:00:24, Vlan23
C        136.1.25.0 is directly connected, Loopback11
C        136.1.24.0 is directly connected, Loopback10
C        136.1.27.0 is directly connected, Loopback13
C        136.1.26.0 is directly connected, Loopback12
C        136.1.28.0 is directly connected, Loopback14
C        136.1.23.0 is directly connected, Vlan23
R        136.1.99.0 [120/2] via 136.1.23.3, 00:00:24, Vlan23
R     19.0.0.0/8 [120/2] via 136.1.23.3, 00:00:24, Vlan23
      10.0.0.0/24 is subnetted, 2 subnets
R        10.0.0.0 [120/1] via 136.1.23.3, 00:00:24, Vlan23
R        10.1.0.0 [120/1] via 136.1.23.3, 00:00:24, Vlan23
      176.14.0.0/24 is subnetted, 1 subnets
R        176.14.23.0 [120/2] via 136.1.23.3, 00:00:00, Vlan23
R     209.85.22.0/24 [120/2] via 136.1.23.3, 00:00:00, Vlan23
      146.77.0.0/24 is subnetted, 1 subnets
R        146.77.77.0 [120/2] via 136.1.23.3, 00:00:00, Vlan23
      150.1.0.0/24 is subnetted, 2 subnets
R        150.1.2.0 [120/1] via 136.1.23.2, 00:00:21, Vlan23
R        150.1.1.0 [120/2] via 136.1.23.3, 00:00:00, Vlan23

SW1#

Now configure R3 so that it does not send RFC1918 routes to R1. Use an outbound distribute-list with a standard access list. In this position the access list is compared against the advertised network address only (the prefix length is not checked), and because the list is bound to FastEthernet0/0.13 it affects only the updates sent toward R1. Updates sent out FastEthernet0/0.23 are untouched, so SW1 keeps its routes to 10.0.0.0/24 and 10.1.0.0/24 as the task requires.

R3:

R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#access-list 19 deny 10.0.0.0 0.255.255.255
R3(config)#access-list 19 deny 172.16.0.0 0.15.255.255
R3(config)#access-list 19 deny 192.168.0.0 0.0.255.255
R3(config)#access-list 19 permit any
R3(config)#router rip
R3(config-router)#distribute-list 19 ?
  in   Filter incoming routing updates
  out  Filter outgoing routing updates

R3(config-router)#distribute-list 19 out f0/0.13
R3(config-router)#end
R3#

Force a routing update. Note that the distribute-list only stops R3 from advertising the prefixes; RIP has no explicit withdrawal, so R1 keeps the routes it has already learned until its invalid and flush timers expire (180 and 240 seconds by default). Either wait, or clear the routing table on R1 as well.

R3#clear ip route *
R3#

Now verify on R1 that the routes are gone.

R1:

R1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
      19.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        19.0.0.0/8 is directly connected, Loopback12
L        19.0.0.1/32 is directly connected, Loopback12
      136.1.0.0/16 is variably subnetted, 10 subnets, 2 masks
C        136.1.13.0/24 is directly connected, GigabitEthernet0/0
L        136.1.13.1/32 is directly connected, GigabitEthernet0/0
R        136.1.23.0/24 [120/1] via 136.1.13.3, 00:00:10, GigabitEthernet0/0
R        136.1.24.0/24 [120/2] via 136.1.13.3, 00:00:06, GigabitEthernet0/0
R        136.1.25.0/24 [120/2] via 136.1.13.3, 00:00:06, GigabitEthernet0/0
R        136.1.26.0/24 [120/2] via 136.1.13.3, 00:00:06, GigabitEthernet0/0
R        136.1.27.0/24 [120/2] via 136.1.13.3, 00:00:06, GigabitEthernet0/0
R        136.1.28.0/24 [120/2] via 136.1.13.3, 00:00:06, GigabitEthernet0/0
C        136.1.99.0/24 is directly connected, Loopback99
L        136.1.99.1/32 is directly connected, Loopback99
      146.77.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        146.77.77.0/24 is directly connected, Loopback13
L        146.77.77.1/32 is directly connected, Loopback13
      150.1.0.0/16 is variably subnetted, 3 subnets, 2 masks
C        150.1.1.0/24 is directly connected, Loopback0
L        150.1.1.1/32 is directly connected, Loopback0
R        150.1.2.0/24 [120/2] via 136.1.13.3, 00:00:10, GigabitEthernet0/0
      176.14.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        176.14.23.0/24 is directly connected, Loopback11
L        176.14.23.1/32 is directly connected, Loopback11
      209.85.22.0/24 is variably subnetted, 2 subnets, 2 masks
C        209.85.22.0/24 is directly connected, Loopback10
L        209.85.22.1/32 is directly connected, Loopback10

R1#

Next configure R3 so that it does not accept its own network if R1 advertises it. When the routes on R3 were verified earlier, R1 was advertising 136.1.99.0/24:

136.1.99.0/24 [120/1] via 136.1.13.1, 00:00:20, FastEthernet0/0.13

After the configuration is applied this route should no longer appear in R3's routing table. The last task, refusing the listed networks, can be handled in the same inbound filter. The solution below uses an extended access list in an inbound distribute-list, and it is worth being precise about how IOS reads an extended access list in that position for RIP: the source address and wildcard are compared against the address of the router that sent the update, the destination address and wildcard against the advertised network, and the prefix length is not compared at all. The access list as typed below puts the networks in the source position. The entries for the prohibited networks can therefore never match a real update, while the entry for 136.1.0.0/16 matches R1's update source 136.1.13.1 and drops every route R1 sends. The verification output that follows shows exactly that: 136.1.99.0/24 is gone, but so are 19.0.0.0/8, 146.77.77.0/24, 150.1.1.0/24, 176.14.23.0/24 and 209.85.22.0/24. To filter on the advertised network alone, put any in the source position and the network in the destination position, or use a standard access list or a prefix list, both of which are compared with the network directly.

R3:

R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#! These are the prohibited networks:
R3(config)#access-list 136 deny ip 0.0.0.0 0.255.255.255 any
R3(config)#access-list 136 deny ip 127.0.0.0 0.255.255.255 any
R3(config)#access-list 136 deny ip 169.254.0.0 0.0.255.255 any
R3(config)#access-list 136 deny ip 192.0.2.0 0.0.0.255 any
R3(config)#access-list 136 deny ip 198.18.0.0 0.1.255.255 any
R3(config)#access-list 136 deny ip 224.0.0.0 15.255.255.255 any
R3(config)#access-list 136 deny ip host 255.255.255.255 any
R3(config)#! This is our network:
R3(config)#access-list 136 deny ip 136.1.0.0 0.0.255.255 any
R3(config)#! This makes sure everything else is allowed:
R3(config)#access-list 136 permit ip any any
R3(config)#router rip
R3(config-router)#distribute-list 136 in f0/0.13
R3(config-router)#end
R3#
*Jan 15 02:23:08.874: %SYS-5-CONFIG_I: Configured from console by console
R3#

Now clear the routing table to force a refresh (or wait) and verify. Compare the result with R3's table from the start of the lab: 136.1.99.0/24 has been filtered as required, but every other route learned from R1 (19.0.0.0/8, 146.77.77.0/24, 150.1.1.0/24, 176.14.23.0/24 and 209.85.22.0/24) has been filtered too, because the access list matches R1's update source rather than the advertised networks. Only the routes learned from R2 and SW1 on FastEthernet0/0.23 remain.

R3#
R3#clear ip route *
R3#
R3#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.0.0.0/24 is directly connected, FastEthernet0/0.10
L        10.0.0.3/32 is directly connected, FastEthernet0/0.10
C        10.1.0.0/24 is directly connected, FastEthernet0/0.11
L        10.1.0.3/32 is directly connected, FastEthernet0/0.11
      136.1.0.0/16 is variably subnetted, 9 subnets, 2 masks
C        136.1.13.0/24 is directly connected, FastEthernet0/0.13
L        136.1.13.3/32 is directly connected, FastEthernet0/0.13
C        136.1.23.0/24 is directly connected, FastEthernet0/0.23
L        136.1.23.3/32 is directly connected, FastEthernet0/0.23
R        136.1.24.0/24 [120/1] via 136.1.23.20, 00:00:17, FastEthernet0/0.23
R        136.1.25.0/24 [120/1] via 136.1.23.20, 00:00:17, FastEthernet0/0.23
R        136.1.26.0/24 [120/1] via 136.1.23.20, 00:00:17, FastEthernet0/0.23
R        136.1.27.0/24 [120/1] via 136.1.23.20, 00:00:17, FastEthernet0/0.23
R        136.1.28.0/24 [120/1] via 136.1.23.20, 00:00:17, FastEthernet0/0.23
      150.1.0.0/24 is subnetted, 1 subnets
R        150.1.2.0 [120/1] via 136.1.23.2, 00:00:12, FastEthernet0/0.23
R3#
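The effect of both filters configured on R3 above, the outbound standard access list 19 and the inbound extended access list 136, can be reproduced with a small model of how IOS evaluates a numbered access list inside a RIP distribute-list. This is an added example and not code from the lab. It assumes the matching rules described above (a standard list is compared with the advertised network; an extended list has its source field compared with the update source and its destination field with the network; the prefix length is never checked; the first matching entry wins, with an implicit deny at the end). The routes and update sources are taken from the show ip route output earlier on this page; the two prefixes 127.0.0.0 and 224.0.0.0 from R1 are constructed and do not exist in the lab. The block also carries a corrected version of access list 136, with any in the source position and the networks in the destination position, which is the form that satisfies the task.

```python
"""Model of IOS access-list evaluation inside a RIP distribute-list.

Added example, not part of the lab. Rules modelled (assumed from the
text above):
  * standard ACL (1-99, 1300-1999): the address/wildcard is compared with
    the advertised network
  * extended ACL (100-199, 2000-2699): SOURCE is compared with the update
    source, DESTINATION with the advertised network
  * prefix length is not compared; first match wins; implicit deny
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    network: str        # advertised network address, e.g. "136.1.99.0"
    update_source: str  # address the RIP update was received from


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def _parse_addr(tokens):
    """Consume one address spec: 'any' | 'host A' | 'A W' | 'A'; return ((base, wc), rest)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    if len(tokens) >= 2 and tokens[1][0].isdigit():
        return (tokens[0], tokens[1]), tokens[2:]
    return (tokens[0], "0.0.0.0"), tokens[1:]


def parse_acl(config: str):
    """Parse 'access-list N permit|deny ...' lines into (action, src, dst); src is None for a standard ACL."""
    entries = []
    for line in config.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        number, action = int(t[1]), t[2]
        if number <= 99 or 1300 <= number <= 1999:   # standard: one address spec
            dst, _ = _parse_addr(t[3:])
            entries.append((action, None, dst))
        else:                                         # extended: "ip SRC DST"
            src, rest = _parse_addr(t[4:])
            dst, _ = _parse_addr(rest)
            entries.append((action, src, dst))
    return entries


def acl_permits(entries, route: Route) -> bool:
    for action, src, dst in entries:
        if src is not None and not wildcard_match(route.update_source, *src):
            continue
        if not wildcard_match(route.network, *dst):
            continue
        return action == "permit"
    return False  # implicit deny


def filter_routes(config: str, routes):
    """Networks a distribute-list using this ACL would let through, in order."""
    entries = parse_acl(config)
    return [r.network for r in routes if acl_permits(entries, r)]


# Outbound filter from the lab (standard ACL, compared with the network).
ACL_19 = """
access-list 19 deny 10.0.0.0 0.255.255.255
access-list 19 deny 172.16.0.0 0.15.255.255
access-list 19 deny 192.168.0.0 0.0.255.255
access-list 19 permit any
"""

# Inbound filter exactly as typed in the lab: networks in the SOURCE field.
ACL_136_AS_TYPED = """
access-list 136 deny ip 0.0.0.0 0.255.255.255 any
access-list 136 deny ip 127.0.0.0 0.255.255.255 any
access-list 136 deny ip 169.254.0.0 0.0.255.255 any
access-list 136 deny ip 192.0.2.0 0.0.0.255 any
access-list 136 deny ip 198.18.0.0 0.1.255.255 any
access-list 136 deny ip 224.0.0.0 15.255.255.255 any
access-list 136 deny ip host 255.255.255.255 any
access-list 136 deny ip 136.1.0.0 0.0.255.255 any
access-list 136 permit ip any any
"""

# Corrected inbound filter: any update source, networks in the DESTINATION field.
ACL_136_FIXED = """
access-list 136 deny ip any 0.0.0.0 0.255.255.255
access-list 136 deny ip any 127.0.0.0 0.255.255.255
access-list 136 deny ip any 169.254.0.0 0.0.255.255
access-list 136 deny ip any 192.0.2.0 0.0.0.255
access-list 136 deny ip any 198.18.0.0 0.1.255.255
access-list 136 deny ip any 224.0.0.0 15.255.255.255
access-list 136 deny ip any host 255.255.255.255
access-list 136 deny ip any 136.1.0.0 0.0.255.255
access-list 136 permit ip any any
"""

# What R3 advertises toward R1 (from R3's table; R3's f0/0.13 address as source).
R3_TO_R1 = [Route(n, "136.1.13.3") for n in
            ("10.0.0.0", "10.1.0.0", "136.1.23.0", "136.1.24.0", "150.1.2.0")]

# What R1 advertises to R3 (from R3's table) plus two CONSTRUCTED prohibited prefixes.
R1_TO_R3 = [Route(n, "136.1.13.1") for n in
            ("19.0.0.0", "136.1.99.0", "146.77.77.0", "150.1.1.0",
             "176.14.23.0", "209.85.22.0", "127.0.0.0", "224.0.0.0")]

if __name__ == "__main__":
    print("R3 -> R1 after ACL 19:           ", filter_routes(ACL_19, R3_TO_R1))
    print("accepted from R1, ACL as typed:  ", filter_routes(ACL_136_AS_TYPED, R1_TO_R3))
    print("accepted from R1, corrected ACL: ", filter_routes(ACL_136_FIXED, R1_TO_R3))
```

Run it and compare the three lists with the routing tables above: access list 19 strips 10.0.0.0 and 10.1.0.0 from what R3 sends R1; access list 136 as typed accepts nothing from R1, which is what R3's final routing table shows; the corrected list drops only 136.1.99.0 and the two constructed prohibited prefixes. On the router, show ip protocols lists the distribute-lists applied per interface. Where the prefix length matters, an ip prefix-list with le 32 applied through distribute-list prefix is the more precise tool, since a numbered access list cannot check the length at all.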
