Monday, December 30, 2013

Route feedback

Yes, I know that this drawing is ugly. Sorry, I'm not a good artist :) Unfortunately...
Entry data:
1. Routing protocol - RIPv2
2. R1 advertises a summary route on both of its links
3. S1 is a multipoint interface. R1, R2 and R3 are in the same subnet
4. Split horizon is disabled on S1

Normal network condition: R2 receives the update on both links and advertises it through the S1 interface back to R1 and to R3 (split horizon is off). The Next-Hop address in the update is R1's serial interface. R1 receives its own update, checks that the Next-Hop IP in the update is its own IP address and discards it. R3 installs the summary into its routing table with two gateways as next hops - R1 and R2. Remember that R2 advertises both routes to the summary subnet - one through itself and the other one through R1 directly.


Now, suppose that on R2's S1 interface we filter this summary inbound. Now we advertise the summary route that we received on the point-to-point link (S0 interface) back to R1 through S1. R1 receives it and installs it as a valid route. After several seconds it realizes that it is its own route and poisons it (sends this summary to the frame-relay link with a metric of 16 hops). R2 receives the poisoned route, then poisons it back to R1. After some time the process repeats. If we are pinging this summary from R3 we will sometimes receive replies and sometimes Unreachables (at the moment the route is poisoned).

Solution - it wouldn't be a problem at all if R1 installed a summary route to Null0 in its routing table when it advertised this summary to its neighbors.


I would like to thank INE workbooks for these interesting scenarios. I duplicate it here for future reference and to memorize the concept.

Sunday, December 22, 2013

Route filtering

1. Distribution lists


The gateway keyword can be used only with prefix-lists.

a. Distribution lists using access-lists.
Common to all ACLs: it is possible to filter only the prefix, not the prefix length.

Two types of ACLs can be used:
Standard access-lists can specify the route, but not the origin of the route (i.e. the advertising router). The route is specified as a host address (0.0.0.0 wildcard bits).
Extended access-lists: the origin is specified in the source portion of the ACL (as a host address) and the route being filtered is specified in the destination field.
By origin, I mean the NH (next hop).


b. Prefix-lists.

The logic is the following:
distribute-list prefix-list SUBNETS gateway PREFIX_LIST_WITH_NH_IP in

Prefix-list PREFIX_LIST_WITH_NH_IP blocks everything from the specified NH routers (to deny, use the deny keyword), and prefix-list SUBNETS can block any route from the rest of the routes in the router's database.
Once again: the routes from route sources that are permitted by the gateway keyword (with a permit statement in the prefix-list) can be further filtered with the SUBNETS prefix-list.

The following paragraph applies both to filtering with extended access-lists and to filtering with prefix-lists using the gateway keyword.

If the "gateway" keyword in prefix-list filtering, or the source IP in extended access-list filtering, is defined under the distribute-list command, then the IP has to be that of the next-hop router, not the sending router!!! This is particularly interesting in hub-and-spoke topologies where all spokes and the hub share a common subnet. When the hub sends a route to spoke 1 and the next hop of the route is spoke 2 (which announced the network to the hub), and you are filtering inbound on spoke 1 and define "gateway" as the IP of the hub (the router that sent the update, not the next-hop address of the route) - it won't work. You have to specify the IP of the next hop!
R3#show ip route 10.200.0.1
Routing entry for 10.200.0.1/32
  Known via "rip", distance 120, metric 2
  Redistributing via rip
  Last update from 10.50.0.2 on Serial0/0.3, 00:00:01 ago
  Routing Descriptor Blocks:
  * 10.50.0.2, from 10.50.0.5, 00:00:01 ago, via Serial0/0.3
      Route metric is 2, traffic share count is 1
In other words, as we see from the output above, we need to filter the address 10.50.0.2, not 10.50.0.5.

2. Distance

What is particularly different about distance VALUE route_source mask ROUTE_ACL is that here we have to specify the advertising router's address as the route source, not the NH address as we have seen in the previous examples of distribute-list.

3. Offset lists

With offset lists, the ACL that we specify in the command should PERMIT the networks to which we want the offset applied (essentially, we select the networks with a PERMIT statement, and all networks denied by this ACL are ignored by the offset-list command).

Understanding Prefix-lists


If only a prefix is specified in a permit or deny statement, without the le or ge keywords, then the actual route (including its prefix length) is matched.
If the le or ge keywords are used, then in prefix/prefix-length we specify how many bits of the route to check for an exact match, and the actual prefix length of the route is matched by the le or ge keyword.


What was tricky to realize is the difference between the following two commands:


prefix-list DEFAULT permit 0.0.0.0/0 le 32

matches every possible route. Essentially this statement says: check 0 bits of the prefix for an exact match and make sure that the prefix length is at most 32 bits (le means less than or equal).

However let's check the next statement:

prefix-list DEFAULT permit 0.0.0.0/0

It was tricky to understand that this prefix-list matches only the default route. Everything else is denied!
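To make the two rules above concrete (the gateway list matching the next hop rather than the sending router, and the difference between 0.0.0.0/0 and 0.0.0.0/0 le 32), here is a small Python model of IOS prefix-list evaluation. It is an added example, not code from the post or from Cisco; the tuple entry format, the function names and the route dictionary are my own constructions, and the sample route reuses the addresses from the show ip route output above.

```python
import ipaddress

# Constructed model of IOS prefix-list matching (not Cisco code). One entry
# mirrors one "ip prefix-list NAME permit|deny A.B.C.D/len [ge X] [le Y]"
# line, written as the tuple (action, prefix, ge, le) with None for an
# absent keyword.

def entry_matches(entry, route):
    """True if the entry's prefix/length (plus ge/le) matches the route."""
    _action, prefix, ge, le = entry
    net = ipaddress.ip_network(prefix, strict=False)
    rt = ipaddress.ip_network(route, strict=False)
    # Only the first <len> bits of the route are compared with the entry.
    if (int(rt.network_address) & int(net.netmask)) != int(net.network_address):
        return False
    if ge is None and le is None:
        # No ge/le: the route's own prefix length must equal the entry's.
        return rt.prefixlen == net.prefixlen
    # With ge/le the route's length must fall in the range; ge defaults to
    # the entry length, le defaults to 32.
    lo = ge if ge is not None else net.prefixlen
    hi = le if le is not None else 32
    return lo <= rt.prefixlen <= hi

def prefix_list_permits(entries, route):
    """First matching entry decides; an implicit deny ends every list."""
    for entry in entries:
        if entry_matches(entry, route):
            return entry[0] == "permit"
    return False

def distribute_list_in_accepts(route, subnets, gateways):
    """Model of 'distribute-list prefix-list SUBNETS gateway GATEWAYS in'.
    The gateway list is checked against the route's next hop as a /32, not
    against the router that sent the update; routes whose next hop is
    permitted are then filtered by the SUBNETS list."""
    if not prefix_list_permits(gateways, route["next_hop"] + "/32"):
        return False
    return prefix_list_permits(subnets, route["prefix"])

# The two lists from the post: "le 32" matches every route, bare /0 only default.
MATCH_ALL = [("permit", "0.0.0.0/0", None, 32)]
DEFAULT_ONLY = [("permit", "0.0.0.0/0", None, None)]

# Route from the 'show ip route' output: next hop 10.50.0.2, sent by 10.50.0.5.
RIP_ROUTE = {"prefix": "10.200.0.1/32", "next_hop": "10.50.0.2", "from": "10.50.0.5"}
# Denying the sending router changes nothing; denying the next hop drops it.
DENY_SENDER = [("deny", "10.50.0.5/32", None, None)] + MATCH_ALL
DENY_NEXT_HOP = [("deny", "10.50.0.2/32", None, None)] + MATCH_ALL
```

Running distribute_list_in_accepts(RIP_ROUTE, MATCH_ALL, DENY_SENDER) still accepts the route, while DENY_NEXT_HOP in the gateway position drops it, which is exactly the mistake described above.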

RIP default route advertisement

To advertise a default route I did:

int s0/0
ip summary-address rip 0.0.0.0 0.0.0.0

Result: all routes were suppressed from advertisement. The router just stopped sending updates to the neighbors.