Implement, Optimize and Troubleshoot Filtering with any Routing Protocol
Options:
Control routing updates with passive interface
Control processing and advertising in routing updates
- Distribute List – Filter prefixes inbound/outbound
- Offset List – Change incoming/outgoing metrics
- Administrative Distance
- Summarization
- Floating Routes
- OSPF – LSA Filters
- BGP… Will be explained in its own post
Match IP/Prefixes
- Standard Access List
- Extended Access List
- Prefix List
- Tag
- Route Map
- Match next-hop
- Match route-source
- Match Metric
- Match route-type
- Match Tag
- Match Interface
- Match IP address
Routing Protocol Specifics
Config snippets based on INE workbook
RIP
Offset List
    access-list 1 permit host [ip]
    access-list 2 permit host [ip]
    !
    router rip
     offset-list 1 in 3 [int]
     offset-list 2 out 16 [int]
Distribute List with Prefix-list
    ip prefix-list NOT_FROM_R4 seq 5 deny 155.1.0.4/32
    ip prefix-list NOT_FROM_R4 seq 10 permit 0.0.0.0/0 le 32
    !
    ip prefix-list PERMIT_ALL seq 5 permit 0.0.0.0/0 le 32
    !
    ip prefix-list RIP_FILTER_TO_R8 seq 5 deny 150.1.6.6/32
    ip prefix-list RIP_FILTER_TO_R8 seq 15 permit 0.0.0.0/0 le 32
    !
    router rip
     distribute-list prefix RIP_FILTER_TO_R8 out GigabitEthernet1.58
     distribute-list prefix PERMIT_ALL gateway NOT_FROM_R4 in
Distribute List with Standard ACL
    access-list 1 permit 0.0.1.0 255.255.254.255
    !
    router rip
     distribute-list 1 in
Distribute List with Extended ACL
    access-list 100 deny ip host 155.1.0.1 host 150.1.1.1
    access-list 100 permit ip any any
    !
    router rip
     distribute-list 100 in tunnel0
Administrative Distance
    router rip
     distance 255 0.0.0.0 255.255.255.255 [acl]
EIGRP
Distribute List with Prefix List
    ip prefix-list NOT_FROM_R4 seq 5 deny 155.1.146.4/32
    ip prefix-list NOT_FROM_R4 seq 10 permit 0.0.0.0/0 le 32
    !
    ip prefix-list PERMIT_ALL seq 5 permit 0.0.0.0/0 le 32
    !
    router eigrp 100
     distribute-list prefix PERMIT_ALL gateway NOT_FROM_R4 in
Distribute List with Standard ACL
    access-list 1 permit 0.0.0.0 255.255.254.255
    !
    router eigrp 100
     distribute-list 1 in GigabitEthernet1.79
Distribute List with Extended ACL
    access-list 100 deny ip host 155.1.0.4 host 150.1.9.9
    access-list 100 permit ip any any
    !
    router eigrp 100
     distribute-list 100 in Tunnel0
Offset List
    router eigrp 100
     offset-list 1 in 2000 GigabitEthernet1.37
Administrative Distance
    access-list 4 permit host 150.1.4.4
    !
    router eigrp 100
     distance 255 0.0.0.0 255.255.255.255 4
Distribute List with Route Map
    route-map FILTER_ON_TAGS deny 10
     match tag 4
    !
    route-map FILTER_ON_TAGS permit 20
    !
    router eigrp 100
     distribute-list route-map FILTER_ON_TAGS in
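The standard ACLs and prefix lists in the RIP and EIGRP snippets are easy to misread, so here is an added example (not from the INE workbook or this post's original configs) that evaluates them in Python the way a distribute-list does, including the implicit deny and the gateway check. The function names and the sample routes and neighbor addresses are constructed for illustration.

```python
import ipaddress

def acl_action(acl, route):
    """Standard ACL in a distribute-list: test the route's network address.
    acl is a list of (action, address, wildcard); wildcard 1-bits are ignored."""
    net = int(ipaddress.ip_network(route).network_address)
    for action, addr, wildcard in acl:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if net & care == int(ipaddress.ip_address(addr)) & care:
            return action
    return "deny"  # implicit deny when nothing matches

def prefix_list_action(plist, route):
    """plist is a list of (seq, action, prefix, ge, le); ge/le are None if absent."""
    net = ipaddress.ip_network(route)
    for _seq, action, prefix, ge, le in sorted(plist, key=lambda e: e[0]):
        p = ipaddress.ip_network(prefix)
        # No ge/le: exact length only. le only: prefix length up to le. ge only: ge up to 32.
        lo = ge if ge is not None else p.prefixlen
        hi = le if le is not None else (32 if ge is not None else p.prefixlen)
        if net.network_address in p and lo <= net.prefixlen <= hi:
            return action
    return "deny"  # implicit deny when nothing matches

def accepted_inbound(prefixes, gateways, route, source):
    """distribute-list prefix <prefixes> gateway <gateways> in:
    the route and the advertising neighbor (as a /32) must both be permitted."""
    return (prefix_list_action(prefixes, route) == "permit"
            and prefix_list_action(gateways, source + "/32") == "permit")

# Lists transcribed from the RIP and EIGRP snippets in this post.
RIP_ACL_1 = [("permit", "0.0.1.0", "255.255.254.255")]    # odd third octet
EIGRP_ACL_1 = [("permit", "0.0.0.0", "255.255.254.255")]  # even third octet
PERMIT_ALL = [(5, "permit", "0.0.0.0/0", None, 32)]
NOT_FROM_R4 = [(5, "deny", "155.1.0.4/32", None, None),
               (10, "permit", "0.0.0.0/0", None, 32)]
RIP_FILTER_TO_R8 = [(5, "deny", "150.1.6.6/32", None, None),
                    (15, "permit", "0.0.0.0/0", None, 32)]

if __name__ == "__main__":
    # Constructed sample routes and neighbor address, not taken from the workbook.
    for r in ("155.1.5.0/24", "155.1.146.0/24", "150.1.6.6/32"):
        print(r, acl_action(RIP_ACL_1, r), acl_action(EIGRP_ACL_1, r),
              prefix_list_action(RIP_FILTER_TO_R8, r))
    print(accepted_inbound(PERMIT_ALL, NOT_FROM_R4, "155.1.5.0/24", "155.1.0.4"))
```

Running candidate routes through a model like this before applying a filter shows which prefixes fall through to the implicit deny.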
OSPF
OSPF can filter on more than just tags or IP addresses. You can also filter LSA types from being forwarded into other areas based on the area type.
Stub Area: Stops type 4 and 5 LSAs
Totally Stubby: Stops type 3, 4 and 5 LSAs, only gets 1 default type 3 LSA
Not So Stubby Area: Translates type 7 into 5. Stops type 4 and 5 LSAs
Totally Not So Stubby Area: Translates type 7 into 5. Stops type 3, 4 and 5 LSAs, only gets 1 default type 3 LSA
Distribute List with Standard ACL
    router ospf 1
     distribute-list 1 in
    !
    access-list 1 deny 150.1.1.1 0.0.0.0
    access-list 1 permit any
Administrative Distance
    access-list 10 permit 155.1.146.0
    !
    router ospf 1
     distance 255 150.1.5.5 0.0.0.0 10
Distribute List with Route Map
    route-map DENY_VLAN146_FROM_R4 deny 10
     match ip address 3
     match ip next-hop 4
    !
    route-map DENY_VLAN146_FROM_R4 permit 20
    !
    router ospf 1
     distribute-list route-map DENY_VLAN146_FROM_R4 in
ISIS
Route filtering by route destination with ACL
    access-list access-list-number {permit | deny} ip any destination-address destination-wildcard
    !
    interface type number
     ip router isis [route-tag]
    !
    router isis route-tag
     distribute-list access-list-number in [interface-type interface-number]
BGP
BGP is also not limited to filtering on the normal set of tags and IP addresses. Routes can be filtered based on the AS number and communities. More details on this will be in the BGP section.