CCIE RS – Routing Concepts – Implement, Optimize and Troubleshoot Filtering with any Routing Protocol

Options:

Control routing updates with passive interface

Control processing and advertising in routing updates

  • Distribute List – Filter prefixes inbound/outbound
  • Offset List – Change incoming/outgoing metrics
  • Administrative Distance
  • Summarization
  • Floating Routes
  • OSPF – LSA Filters
  • BGP… Will be explained in its own post

Match IP/Prefixes

  • Standard Access List
  • Extended Access List
  • Prefix List
  • Tag
  • Route Map
    • Match next-hop
    • Match route-source
    • Match Metric
    • Match route-type
    • Match Tag
    • Match Interface
    • Match IP address

Routing Protocol Specifics

Config snippets based on the INE workbook

RIP

Offset List
access-list 1 permit host [ip]
access-list 2 permit host [ip]
!
router rip
 offset-list 1 in 3 [int]
 offset-list 2 out 16 [int]

Distribute List with Prefix-list
ip prefix-list NOT_FROM_R4 seq 5 deny 155.1.0.4/32
ip prefix-list NOT_FROM_R4 seq 10 permit 0.0.0.0/0 le 32
!
ip prefix-list PERMIT_ALL seq 5 permit 0.0.0.0/0 le 32
!
ip prefix-list RIP_FILTER_TO_R8 seq 5 deny 150.1.6.6/32
ip prefix-list RIP_FILTER_TO_R8 seq 15 permit 0.0.0.0/0 le 32
!
router rip
 distribute-list prefix RIP_FILTER_TO_R8 out GigabitEthernet1.58
 distribute-list prefix PERMIT_ALL gateway NOT_FROM_R4 in

Distribute List with Standard ACL
access-list 1 permit 0.0.1.0 255.255.254.255
!
router rip
 distribute-list 1 in

Distribute List with Extended ACL
access-list 100 deny ip host 155.1.0.1 host 150.1.1.1
access-list 100 permit ip any any
!
router rip
 distribute-list 100 in tunnel0

Administrative Distance
router rip
 distance 255 0.0.0.0 255.255.255.255 [acl]

EIGRP

Distribute List with Prefix List
ip prefix-list NOT_FROM_R4 seq 5 deny 155.1.146.4/32
ip prefix-list NOT_FROM_R4 seq 10 permit 0.0.0.0/0 le 32
!
ip prefix-list PERMIT_ALL seq 5 permit 0.0.0.0/0 le 32
!
router eigrp 100
 distribute-list prefix PERMIT_ALL gateway NOT_FROM_R4 in

Distribute List with Standard ACL
access-list 1 permit 0.0.0.0 255.255.254.255
!
router eigrp 100
 distribute-list 1 in GigabitEthernet1.79

Distribute List with Extended ACL
access-list 100 deny ip host 155.1.0.4 host 150.1.9.9
access-list 100 permit ip any any
!
router eigrp 100
 distribute-list 100 in Tunnel0

Offset List
router eigrp 100
 offset-list 1 in 2000 GigabitEthernet1.37

Administrative Distance
access-list 4 permit host 150.1.4.4
!
router eigrp 100
 distance 255 0.0.0.0 255.255.255.255 4

Distribute List with Route Map
route-map FILTER_ON_TAGS deny 10
 match tag 4
!
route-map FILTER_ON_TAGS permit 20
!
router eigrp 100
 distribute-list route-map FILTER_ON_TAGS in

OSPF

OSPF can filter on more than just tags or IP addresses. You can also filter LSA types from being forwarded into other areas based on the area type.

Stub Area: Stops type 4 and 5 LSAs

Totally Stubby: Stops type 3, 4 and 5 LSAs, only gets 1 default type 3 LSA

Not So Stubby Area: Translates type 7 into 5. Stops type 4 and 5 LSAs

Totally Not So Stubby Area: Translates type 7 into 5. Stops type 3, 4 and 5 LSAs, only gets 1 default type 3 LSA

Distribute List with Standard ACL
router ospf 1
 distribute-list 1 in
!
access-list 1 deny 150.1.1.1 0.0.0.0
access-list 1 permit any
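
The wildcard masks in the standard ACLs above are easy to misread, so here is an added example (not from the INE workbook or the original post) that evaluates the RIP, EIGRP and OSPF versions of access-list 1 against a constructed list of received networks. It models only standard-ACL matching on the network address; the sample networks and function names are assumptions.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """True if addr equals base on every bit where the wildcard bit is 0."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)

def acl_permits(entries, network):
    """First matching entry decides; no match falls through to the implicit deny."""
    for action, base, wildcard in entries:
        if wildcard_match(network, base, wildcard):
            return action == "permit"
    return False

def filter_updates(entries, networks):
    """Networks that survive a distribute-list referencing this standard ACL."""
    return [n for n in networks if acl_permits(entries, n)]

# The three ACLs as written on the page ("permit any" = 0.0.0.0 255.255.255.255).
# Wildcard 255.255.254.255 checks one bit only: the low bit of the third octet.
RIP_ACL_1 = [("permit", "0.0.1.0", "255.255.254.255")]    # odd third octet
EIGRP_ACL_1 = [("permit", "0.0.0.0", "255.255.254.255")]  # even third octet
OSPF_ACL_1 = [("deny", "150.1.1.1", "0.0.0.0"),
              ("permit", "0.0.0.0", "255.255.255.255")]

# Constructed sample of network addresses received in routing updates.
RECEIVED = ["150.1.1.1", "150.1.4.4", "150.1.5.5",
            "155.1.7.0", "155.1.8.0", "155.1.146.0"]

if __name__ == "__main__":
    for name, acl in (("RIP", RIP_ACL_1), ("EIGRP", EIGRP_ACL_1),
                      ("OSPF", OSPF_ACL_1)):
        print(name, filter_updates(acl, RECEIVED))
```

Because the RIP and EIGRP lists have a single permit line, every network whose third octet has the wrong parity is dropped by the implicit deny rather than by an explicit entry.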

Administrative Distance
access-list 10 permit 155.1.146.0
!
router ospf 1
 distance 255 150.1.5.5 0.0.0.0 10

Distribute List with Route Map
route-map DENY_VLAN146_FROM_R4 deny 10
 match ip address 3
 match ip next-hop 4
!
route-map DENY_VLAN146_FROM_R4 permit 20
!
router ospf 1
 distribute-list route-map DENY_VLAN146_FROM_R4 in

ISIS

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_isis/configuration/15-mt/irs-15-mt-book/is-is_inbound_filtering.html#GUID-A2FF145F-7989-442E-A9C5-C074FB4A800F

Route filtering by route destination with ACL
access-list access-list-number {permit | deny} ip any destination-address destination-wildcard
!
interface type number
 ip router isis [route-tag]
!
router isis route-tag
 distribute-list access-list-number in [interface-type interface-number]

BGP

BGP is also not limited to filtering on the normal set of tags and IP addresses. Routes can be filtered based on the AS number and communities. More details on this will be in the BGP section.

 
