Route Filtering

1. Distribute List with ACL

Options in the distribute-list command allow updates to be filtered based on three factors:

  • Incoming interface:
    distribute-list [access-list-number | name] in [interface-type interface-number]
  • Outgoing interface:
    distribute-list [access-list-number | name] out [interface-type interface-number | routing process | autonomous-system-number]
  • Redistribution from another routing protocol:
R(config)# ip access-list standard ROUTE-FILTER 
R(config-std-nacl)# permit 10.10.11.0 0.0.0.255 
R(config-std-nacl)# permit 10.10.12.0 0.0.0.255 
R(config-std-nacl)# exit 
R(config)# router ospf 10 
R(config-router)# redistribute eigrp 100 metric 40 subnets 
R(config-router)# distribute-list ROUTE-FILTER out eigrp 100

2. Prefix Lists

Prefix lists are intended only for route filtering, whereas access lists were originally intended for packet filtering and were later extended to route filtering. Using ACLs as route filters for distribute lists has several drawbacks, including subnet mask matching.

 ip prefix-list {list-name | list-number} [seq seq-value] {deny | permit} network/length [ge ge-value] [le le-value]

Let’s consider the following example to understand how matching is done:

#ip prefix-list LIST permit 10.0.0.0/8  le  24

  1. The routes must match the first 8 bits of 10.0.0.0. If they match:
  2. The subnet mask is compared. In this case the routes must have a subnet mask length between 8 and 24.

Prefix List Parameter    Subnet Mask Range
no parameter             configured length = route length
le                       configured length <= route length <= le value
ge                       ge value <= route length <= 32
le & ge                  ge value <= route length <= le value
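
The matching rules in the table above, as an added example (not code from the original post): a small Python evaluator for prefix-list entries, useful for checking which routes a filter really admits before it is applied. The function names, and the assumption that entries are evaluated in the order listed with an implicit deny at the end, are this example's own.

```python
import ipaddress
import re

# ip prefix-list NAME [seq N] {permit|deny} A.B.C.D/len [ge N] [le N]
ENTRY = re.compile(
    r"ip prefix-list \S+(?: seq \d+)? (?P<action>permit|deny) "
    r"(?P<net>[\d.]+)/(?P<len>\d+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)

def parse_entry(line):
    """Return (action, base_network, min_len, max_len) for one entry."""
    m = ENTRY.search(" ".join(line.split()))  # tolerate prompts and extra spaces
    if not m:
        raise ValueError(f"not a prefix-list entry: {line!r}")
    length = int(m["len"])
    ge = int(m["ge"]) if m["ge"] else None
    le = int(m["le"]) if m["le"] else None
    if ge is None and le is None:
        lo, hi = length, length            # no parameter: exact mask only
    else:
        lo = length if ge is None else ge  # le only: configured length..le
        hi = 32 if le is None else le      # ge only: ge..32
    if not length <= lo <= hi <= 32:       # sanity check for this example
        raise ValueError(f"inconsistent length/ge/le in: {line!r}")
    base = ipaddress.ip_network(f"{m['net']}/{length}", strict=False)
    return m["action"], base, lo, hi

def evaluate(entries, route):
    """First matching entry wins; no match means the implicit deny."""
    net = ipaddress.ip_network(route)
    for action, base, lo, hi in entries:
        # Mask must be in range, then the first `length` bits must agree.
        if lo <= net.prefixlen <= hi and net.subnet_of(base):
            return action
    return "deny"

# Constructed sample: the entry from the text above.
LIST = [parse_entry("#ip prefix-list LIST permit 10.0.0.0/8  le  24")]

if __name__ == "__main__":
    for r in ("10.0.0.0/8", "10.10.11.0/24", "10.10.11.128/25", "11.0.0.0/16"):
        print(r, evaluate(LIST, r))
```
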

3. Route Maps

Common applications for route maps are as follows:

  • Route filtering during redistribution:  Although distribute lists can be used for this purpose, route maps offer the added benefit of manipulating routing metrics through the use of set commands.
  • Policy-based routing (PBR): Route maps can be used to match source and destination addresses, protocol types, and end-user applications. When a match occurs, a set command can be used to define the interface or next-hop address to which the packet should be sent.
  • BGP: Route maps are the primary tools for implementing BGP policy. Network
    administrators assign route maps to specific BGP sessions (neighbors) to control
    which routes are allowed to flow in and out of the BGP process.

There are four steps when creating a route map:

Step 1. Define ACL/Prefix-List that will be used with the Route-Map.
Step 2. Define the route map using the route-map global configuration command.
Step 3. Define the matching conditions using the match command and optionally the
action to be taken when each condition is matched using the set command. The logical AND algorithm is applied for multiple match commands.
Step 4. Apply the route map.

R(config)# ip prefix-list FILTER-ROUTES permit 10.10.11.0/24
R(config)# ip prefix-list FILTER-ROUTES permit 10.10.12.0/24
R(config)# route-map RM-INTO-OSPF permit 10
! NOTE: if the prefix-list denies and the route-map denies, this will result in a permit
R(config-route-map)# match ip address prefix-list FILTER-ROUTES
R(config-route-map)# set metric 25
R(config-route-map)# set metric-type type-1
R(config-route-map)# exit
R(config)# router ospf 10
R(config-router)# redistribute eigrp 100 subnets route-map RM-INTO-OSPF

4. Change Administrative Distance

The distance command is executed at the process level:

RIP:

#distance <distance>

EIGRP:

#distance eigrp <int distance> <ext distance>

OSPF:

#distance ospf [intra area dist] [inter area dist] [ext distance]
#default distance-default  ! reset to the default values

 
