
Sunday, November 7, 2010

CCNP BSCI 16

By design, routing protocols send routes, and they send them to all neighbors as completely as they can. Sometimes, however, we do not want every route to go through. For example, if we're partnering with another organization, we wouldn't want certain routes to reach them.
There are many ways to manipulate route updates. We will start with the simplest of all: Distribute Lists.

Distribute Lists allow us to apply an Access-List to routing updates. It can be applied inbound or outbound under a routing process. If you do not want to see your neighbor's routes, use an inbound Distribute List. If you do not want to tell your neighbor about some routes you have, use an outbound Distribute List.

However, it works slightly differently with OSPF and IS-IS. Remember that a Link State protocol needs every router to know about all routes in the topology table, so you cannot withhold routes from your neighbors. What you can do is use a Distribute List to keep routes from entering the routing table. Therefore, you can only apply an inbound Distribute List to a Link State routing protocol process (filtering routes as they are redistributed into the process, as done below with "distribute-list ... out rip", is the exception).

Suppose that we're again using the following topology:


Suppose that networks 10.0.0.0/24 through 10.0.7.0/24 sit behind R1. The network 10.0.3.0/24 is a secret lab, so it shouldn't be advertised to anyone else. Next, networks 10.0.6.0/24 and 10.0.7.0/24 should be kept within the RIP domain only.

In this case, we'll need two access-lists. One is an Outbound Distribute List for R1 and another is a Redistribution Distribute List for R2.

On R1, we'll create a list that denies 10.0.3.0/24 and permits the rest. To do this, we'll type:
ip access-l standard DENY_3
deny 10.0.3.0 0.0.0.255
permit any


Now we'll need to add it into the routing process as shown:
router rip
distribute-list DENY_3 out f0/0


At this point, R2 will stop receiving the 10.0.3.0/24 network. However, you would have to wait a while for the route to age out of the routing table. If we want to clear the table immediately, use:
clear ip route *

We'll now deny 10.0.6.0/24 and 10.0.7.0/24 from going over to the OSPF domain. To do this, we'll create a new list on R2:
ip access-l standard DENY_6_7
deny 10.0.6.0 0.0.1.255
permit any


Next, we'll apply the list to the routes redistributed from RIP into OSPF:
router ospf 1
distribute-list DENY_6_7 out rip
redistribute rip subnets metric 1


Another way to filter routes is through Route Maps. Route Maps operate similarly to BASIC programming: a Route Map is essentially a compilation of multiple "If...Then" statements, and it is used heavily in BGP, Policy-Based Routing and Route Filtering.

In Route Maps, "match" corresponds to "if", and "set" corresponds to "then". Route Map entries have sequence numbers, and the router works through them in order until a match occurs.

Here's what a Route Map looks like:
route-map ROUTE_MAP permit 10
match condition
set action
route-map ROUTE_MAP permit 20
match condition1 condition2
match condition3
set action1
set action2
route-map ROUTE_MAP deny 30
match condition
route-map ROUTE_MAP permit 40
set action


Route Maps are created in global configuration mode. The syntax is as follows:
route-map NAME <permit|deny> [SEQUENCE]

You can have many conditions in a match statement. When this happens, it's a logical-OR.

If you have multiple match statements, you have a logical-AND.

You can also have more than one set statement.

Anything matched by a deny entry is dropped by the route-map and is not processed any further.

If you do not specify a match statement, it matches everything.

Using the same scenario, we'll use a Distribute-List on R1 as usual, but on R2, we'll create an access-list that permits networks 6 and 7, then use a route-map to deny whatever that list matches:
ip access-l standard PERMIT_6_7
permit 10.0.6.0 0.0.1.255
route-map FILTER_6_7 deny 10
match ip address PERMIT_6_7
route-map FILTER_6_7 permit 20


Now we'll apply the route-map to the redistribution process:
router ospf 1
redistribute rip route-map FILTER_6_7
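To make the matching rules concrete, here is a small Python model of the semantics described above: standard ACL wildcard matching with the implicit deny at the end, a Distribute List as "keep the routes the ACL permits", and route-map evaluation (OR across the conditions of one match statement, AND across match statements, a missing match statement matches everything, entries tried in sequence-number order, deny drops the route). It is an added example, not part of the original post and not IOS code; the ACL and route-map names are the ones used above, the route list is constructed, and the "sets" dictionary on a route-map entry is an assumption made to show where "then" actions would go.

```python
"""Model of IOS-style standard ACLs, distribute lists and route maps (added example)."""
import ipaddress
from dataclasses import dataclass, field


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A wildcard bit of 1 means 'don't care'; 0 means the bit must equal the base."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


@dataclass
class StandardACL:
    # entries are (action, base, wildcard), evaluated top to bottom
    entries: list

    def permits(self, network: str) -> bool:
        addr = network.split("/")[0]
        for action, base, wildcard in self.entries:
            if wildcard_match(addr, base, wildcard):
                return action == "permit"
        return False  # implicit deny at the end of every ACL


def distribute_list(acl: StandardACL, routes: list) -> list:
    """A distribute list passes only the routes the referenced ACL permits."""
    return [r for r in routes if acl.permits(r)]


@dataclass
class RouteMapEntry:
    action: str           # "permit" or "deny"
    seq: int
    matches: list = field(default_factory=list)  # list of match statements; each is a list of ACL names
    sets: dict = field(default_factory=dict)     # assumed "then" actions, e.g. {"metric": 1}


def route_map_apply(entries: list, acls: dict, route: str):
    """Return (passed, set_actions) for a route, following route-map semantics."""
    for entry in sorted(entries, key=lambda e: e.seq):
        # conditions within one match statement are ORed; statements are ANDed;
        # an entry with no match statement matches everything (all([]) is True)
        if all(any(acls[name].permits(route) for name in stmt) for stmt in entry.matches):
            return entry.action == "permit", dict(entry.sets)
    return False, {}  # implicit deny at the end of the route map


# Constructed scenario from the post: 10.0.0.0/24 .. 10.0.7.0/24 behind R1.
ROUTES_BEHIND_R1 = [f"10.0.{i}.0/24" for i in range(8)]

# "permit any" is the same as "permit 0.0.0.0 255.255.255.255"
ANY = ("permit", "0.0.0.0", "255.255.255.255")
DENY_3 = StandardACL([("deny", "10.0.3.0", "0.0.0.255"), ANY])
DENY_6_7 = StandardACL([("deny", "10.0.6.0", "0.0.1.255"), ANY])
PERMIT_6_7 = StandardACL([("permit", "10.0.6.0", "0.0.1.255")])
ACLS = {"PERMIT_6_7": PERMIT_6_7}

# route-map FILTER_6_7 deny 10 / match ip address PERMIT_6_7 ; route-map FILTER_6_7 permit 20
FILTER_6_7 = [
    RouteMapEntry("deny", 10, matches=[["PERMIT_6_7"]]),
    RouteMapEntry("permit", 20),
]


def rip_routes_received_by_r2() -> list:
    """R1's outbound distribute list DENY_3 on the RIP update towards R2."""
    return distribute_list(DENY_3, ROUTES_BEHIND_R1)


def ospf_routes_via_distribute_list() -> list:
    """R2: distribute-list DENY_6_7 out rip under router ospf 1."""
    return distribute_list(DENY_6_7, rip_routes_received_by_r2())


def ospf_routes_via_route_map() -> list:
    """R2: redistribute rip route-map FILTER_6_7 under router ospf 1."""
    return [r for r in rip_routes_received_by_r2()
            if route_map_apply(FILTER_6_7, ACLS, r)[0]]


if __name__ == "__main__":
    print("RIP routes seen by R2: ", rip_routes_received_by_r2())
    print("Redistributed (dist-list):", ospf_routes_via_distribute_list())
    print("Redistributed (route-map):", ospf_routes_via_route_map())
```

Running it shows the two filtering methods producing the same result: 10.0.3.0/24 never leaves R1, and 10.0.6.0/24 and 10.0.7.0/24 stop at R2. The wildcard 0.0.1.255 covers exactly those two /24s because only the last bit of the third octet is marked "don't care".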
