Thursday, 3 October 2013

Understanding EIGRP Stub Leak Map

While reviewing IEWB VOL 1 VER 5 labs, I discovered a new feature: EIGRP Stub with Leak Map. I spent some time researching the topic and found a variation of the feature that is not explored in the workbook. Here I’ll try to demonstrate EIGRP stub routing with a leak map, as well as what are called strictly controlled leak maps.


The basic routing configuration on the routers is as follows.

R4 and R5 are running RIP.

R4:
router rip
version 2
passive-interface default
no passive-interface Serial1/0
network 150.1.0.0
no auto-summary

R5:
router rip
version 2
network 5.0.0.0
network 150.1.0.0
no auto-summary

The RIP routes on R4 are as follows.

R4#sh ip route rip
5.0.0.0/24 is subnetted, 4 subnets
R 5.5.0.0 [120/1] via 150.1.45.5, 00:00:22, Serial1/0
R 5.5.1.0 [120/1] via 150.1.45.5, 00:00:22, Serial1/0
R 5.5.2.0 [120/1] via 150.1.45.5, 00:00:22, Serial1/0
R 5.5.3.0 [120/1] via 150.1.45.5, 00:00:22, Serial1/0

R4:
router eigrp 10
network 150.1.14.4 0.0.0.0
no auto-summary

R1:
router eigrp 10
network 150.1.12.1 0.0.0.0
network 150.1.13.1 0.0.0.0
network 150.1.14.1 0.0.0.0
no auto-summary

R2:
router eigrp 10
network 150.1.12.2 0.0.0.0
no auto-summary

R3:
router eigrp 10
network 150.1.13.3 0.0.0.0
auto-summary


Also, on R4 we have mutual redistribution between RIP and EIGRP.

R4:
router eigrp 10
redistribute rip met 1 1 1 1 1
router rip
redistribute eigrp 10 met 1

Now we examine the routing tables on R2 and R3.
We notice that all EIGRP routes, including the external RIP routes, are in the routing table.

R2#sh ip route eigrp
5.0.0.0/24 is subnetted, 4 subnets
D EX 5.5.0.0 [170/2560537856] via 150.1.12.1, 00:00:18, Serial1/0
D EX 5.5.1.0 [170/2560537856] via 150.1.12.1, 00:00:18, Serial1/0
D EX 5.5.2.0 [170/2560537856] via 150.1.12.1, 00:00:18, Serial1/0
D EX 5.5.3.0 [170/2560537856] via 150.1.12.1, 00:00:18, Serial1/0
150.1.0.0/24 is subnetted, 4 subnets
D 150.1.14.0 [90/2195456] via 150.1.12.1, 00:03:54, Serial1/0
D 150.1.13.0 [90/2195456] via 150.1.12.1, 00:03:54, Serial1/0
D EX 150.1.45.0 [170/2560537856] via 150.1.12.1, 00:00:18, Serial1/0

R3#sh ip route eigrp
5.0.0.0/24 is subnetted, 4 subnets
D EX 5.5.0.0 [170/2560051456] via 150.1.13.1, 00:00:40, Ethernet0/0
D EX 5.5.1.0 [170/2560051456] via 150.1.13.1, 00:00:40, Ethernet0/0
D EX 5.5.2.0 [170/2560051456] via 150.1.13.1, 00:00:40, Ethernet0/0
D EX 5.5.3.0 [170/2560051456] via 150.1.13.1, 00:00:40, Ethernet0/0
150.1.0.0/24 is subnetted, 4 subnets
D 150.1.14.0 [90/307200] via 150.1.13.1, 00:03:50, Ethernet0/0
D 150.1.12.0 [90/2195456] via 150.1.13.1, 00:03:50, Ethernet0/0
D EX 150.1.45.0 [170/2560051456] via 150.1.13.1, 00:00:40, Ethernet0/0

Now we’ll configure R1 as a stub.
As a result, all external routes should disappear from R2 and R3.

R1:
router eigrp 10
eigrp stub connected

R2#sh ip route eigrp
150.1.0.0/24 is subnetted, 3 subnets
D 150.1.14.0 [90/2195456] via 150.1.12.1, 00:00:23, Serial1/0
D 150.1.13.0 [90/2195456] via 150.1.12.1, 00:00:23, Serial1/0

R3#sh ip route eigrp
150.1.0.0/24 is subnetted, 3 subnets
D 150.1.14.0 [90/307200] via 150.1.13.1, 00:01:15, Ethernet0/0
D 150.1.12.0 [90/2195456] via 150.1.13.1, 00:01:15, Ethernet0/0

All right!

Now we’ll explore the different options for leak maps by implementing different routing policies.

Policy 1:

Configure R1 such that R2 and R3 have reachability to the 5.5.0.5 and 5.5.1.5 networks.

For this we’ll match the desired networks in an access-list and then implement an EIGRP stub leak map.

R1:
access-list 1 permit 5.5.0.0 0.0.0.255
access-list 1 permit 5.5.1.0 0.0.0.255
route-map EIGRP_LEAK
match ip address 1
router eigrp 10
eigrp stub connected leak-map EIGRP_LEAK

Now we examine the routing tables on R2 and R3.

R2#sh ip route eigrp
5.0.0.0/24 is subnetted, 2 subnets
D EX 5.5.0.0 [170/2560537856] via 150.1.12.1, 00:00:28, Serial1/0
D EX 5.5.1.0 [170/2560537856] via 150.1.12.1, 00:00:28, Serial1/0
150.1.0.0/24 is subnetted, 3 subnets
D 150.1.14.0 [90/2195456] via 150.1.12.1, 00:00:28, Serial1/0
D 150.1.13.0 [90/2195456] via 150.1.12.1, 00:00:28, Serial1/0
R2#

R3#sh ip route eigrp
5.0.0.0/24 is subnetted, 2 subnets
D EX 5.5.0.0 [170/2560051456] via 150.1.13.1, 00:00:20, Ethernet0/0
D EX 5.5.1.0 [170/2560051456] via 150.1.13.1, 00:00:20, Ethernet0/0
150.1.0.0/24 is subnetted, 3 subnets
D 150.1.14.0 [90/307200] via 150.1.13.1, 00:00:20, Ethernet0/0
D 150.1.12.0 [90/2195456] via 150.1.13.1, 00:00:20, Ethernet0/0
R3#


Policy 2:
Configure R1 such that R3 sees both the 5.5.0.0 and 5.5.1.0 networks but R2 cannot.

Here we can use the ‘match interface’ option in the route-map.
This is called a strictly controlled leak map.
The logic is as follows:

1. If the “match interface” option is not used, routes are leaked on all interfaces.
2. If the “match interface” option is used, routes are ONLY leaked on the interface matched.

So we’ll use the match interface argument in the route-map and only match interface Ethernet 0/0, which is connected to R3.

route-map EIGRP_LEAK permit 10
match ip address 1
match interface e0/0

R1#sh route-map
route-map EIGRP_LEAK, permit, sequence 10
Match clauses:
ip address (access-lists): 1
interface Ethernet0/0
Set clauses:
Policy routing matches: 0 packets, 0 bytes




Now we examine the routing tables.


R2#sh ip route eigrp
150.1.0.0/24 is subnetted, 3 subnets
D 150.1.14.0 [90/2195456] via 150.1.12.1, 00:02:42, Serial1/0
D 150.1.13.0 [90/2195456] via 150.1.12.1, 00:02:42, Serial1/0




R3#sh ip route eigrp
5.0.0.0/24 is subnetted, 2 subnets
D EX 5.5.0.0 [170/2560051456] via 150.1.13.1, 00:03:55, Ethernet0/0
D EX 5.5.1.0 [170/2560051456] via 150.1.13.1, 00:03:55, Ethernet0/0
150.1.0.0/24 is subnetted, 3 subnets
D 150.1.14.0 [90/307200] via 150.1.13.1, 00:03:55, Ethernet0/0
D 150.1.12.0 [90/2195456] via 150.1.13.1, 00:03:55, Ethernet0/0

So only R3 sees the leaked networks now, and R2 does not.



Policy 3:
Allow R3 access to the 5.5.0.0/24 and 5.5.1.0/24 networks only.
Allow R2 access to the 5.5.2.0/24 and 5.5.3.0/24 networks only.

So we’ll match the other two routes in another access-list, and match that together with interface S1/0 in a new route-map entry.

On R1:
route-map EIGRP_LEAK permit 20
match ip address 2
match interface s1/0


R1#sh route-map
route-map EIGRP_LEAK, permit, sequence 10
Match clauses:
ip address (access-lists): 1
interface Ethernet0/0
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map EIGRP_LEAK, permit, sequence 20
Match clauses:
ip address (access-lists): 2
interface Serial1/0
Set clauses:
Policy routing matches: 0 packets, 0 bytes


Now we examine the routing tables.






R3#sh ip route eigrp
5.0.0.0/24 is subnetted, 2 subnets
D EX 5.5.0.0 [170/2560051456] via 150.1.13.1, 00:05:48, Ethernet0/0
D EX 5.5.1.0 [170/2560051456] via 150.1.13.1, 00:05:48, Ethernet0/0
150.1.0.0/24 is subnetted, 3 subnets
D 150.1.14.0 [90/307200] via 150.1.13.1, 00:05:48, Ethernet0/0
D 150.1.12.0 [90/2195456] via 150.1.13.1, 00:05:48, Ethernet0/0



R2#sh ip route eigrp
5.0.0.0/24 is subnetted, 2 subnets
D EX 5.5.2.0 [170/2560537856] via 150.1.12.1, 00:00:25, Serial1/0
D EX 5.5.3.0 [170/2560537856] via 150.1.12.1, 00:00:25, Serial1/0
150.1.0.0/24 is subnetted, 3 subnets
D 150.1.14.0 [90/2195456] via 150.1.12.1, 00:05:08, Serial1/0
D 150.1.13.0 [90/2195456] via 150.1.12.1, 00:05:08, Serial1/0

Let’s test connectivity.




Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.0.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/58/80 ms
R3#ping 5.5.1.5


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/60/84 ms


R2#ping 5.5.2.5


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.2.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/68/96 ms
R2#ping 5.5.3.5


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.3.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/58/80 ms


Policy 4:
Add a Loopback0 interface in 3.3.0.0/24 on R3. Allow R3 to reach the RIP networks when sourcing traffic from Loopback 0.

This policy is here to emphasize that we need to consider all the implications of the configuration we make.
Since R1 is a stub connected router, it advertises only its directly connected networks, 150.1.13.0/24 and 150.1.12.0/24, towards R4. These are then redistributed into RIP, and hence R3 and R1 can ping R5’s loopbacks.
But R3’s loopback won’t be advertised to R4, and until we add another route-map entry leaking this network to R4, we won’t be able to reach R5’s loopback networks from R3’s loopback network.

Let’s see this.



R3:
int lo 0
ip add 3.3.0.3 255.255.255.0
router eigrp 10
net 3.3.0.3 0.0.0.0


R3#ping 5.5.0.5 source lo 0


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.0.5, timeout is 2 seconds:
Packet sent with a source address of 3.3.0.3
.....

Success rate is 0 percent (0/5)


Now we add another route-map entry to allow the 3.3.0.0/24 network to leak to R4.

R1:
access-list 3 permit 3.3.0.0 0.0.0.255
route-map EIGRP_LEAK permit 30
match ip address 3
match interface e0/1

R4#sh ip route eigrp
3.0.0.0/24 is subnetted, 1 subnets
D 3.3.0.0 [90/435200] via 150.1.14.1, 00:00:28, Ethernet0/0
150.1.0.0/24 is subnetted, 4 subnets
D 150.1.13.0 [90/307200] via 150.1.14.1, 00:01:39, Ethernet0/0
D 150.1.12.0 [90/2195456] via 150.1.14.1, 00:01:39, Ethernet0/0

Now this network will be redistributed into RIP and we’ll have connectivity.

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.0.5, timeout is 2 seconds:
Packet sent with a source address of 3.3.0.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/54/68 ms
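
The four policies can be checked offline with a small model of what R1 advertises out of each interface. This is an added example, not part of the original post or of IOS; it follows the leak-map logic stated under Policy 2, assumes split horizon is enabled on R1, and assumes access-list 2 (not shown in the post) permits 5.5.2.0/24 and 5.5.3.0/24.

```python
import ipaddress

# R1's routes as shown in the post; interface names are R1's
# (s1/0 -> R2, e0/0 -> R3, e0/1 -> R4).
CONNECTED = {"150.1.12.0/24": "s1/0", "150.1.13.0/24": "e0/0", "150.1.14.0/24": "e0/1"}
LEARNED = {  # prefix -> interface R1 learned it on
    "5.5.0.0/24": "e0/1", "5.5.1.0/24": "e0/1", "5.5.2.0/24": "e0/1",
    "5.5.3.0/24": "e0/1", "150.1.45.0/24": "e0/1", "3.3.0.0/24": "e0/0",
}
ACLS = {  # standard ACLs written as CIDR ranges
    1: ["5.5.0.0/24", "5.5.1.0/24"],
    2: ["5.5.2.0/24", "5.5.3.0/24"],  # assumed: access-list 2 is not shown in the post
    3: ["3.3.0.0/24"],
}

def acl_permits(acl, prefix):
    addr = ipaddress.ip_network(prefix).network_address
    return any(addr in ipaddress.ip_network(entry) for entry in ACLS[acl])

def advertised(out_if, leak_map):
    """Prefixes a neighbor on out_if learns from stub-connected R1.

    leak_map is an ordered list of permit entries (acl_number, match_interface);
    match_interface None means the entry has no 'match interface' clause.
    """
    # 'eigrp stub connected': connected links, minus the one shared with the neighbor
    sent = {p for p, ifc in CONNECTED.items() if ifc != out_if}
    for prefix, learned_if in LEARNED.items():
        if learned_if == out_if:  # split horizon (assumed enabled)
            continue
        if any(acl_permits(acl, prefix) and match_if in (None, out_if)
               for acl, match_if in leak_map):
            sent.add(prefix)  # leaked; everything else hits the implicit deny
    return sent

def exposure(leak_map):
    """Per-interface view of what R1 leaks beyond its connected routes."""
    return {ifc: sorted(advertised(ifc, leak_map) - set(CONNECTED))
            for ifc in ("s1/0", "e0/0", "e0/1")}

POLICY_1 = [(1, None)]
POLICY_2 = [(1, "e0/0")]
POLICY_3 = POLICY_2 + [(2, "s1/0")]
POLICY_4 = POLICY_3 + [(3, "e0/1")]

if __name__ == "__main__":
    for name, lm in [("1", POLICY_1), ("2", POLICY_2), ("3", POLICY_3), ("4", POLICY_4)]:
        print("Policy", name, exposure(lm))
```

An entry with `None` as its interface leaks its prefixes to every neighbor, so comparing `exposure()` before and after a change shows which neighbors gain reachability.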
