Monday, January 21, 2013

Filter routes when redistributing

This post explains two tools used to filter routes during redistribution: distribute-lists and route-maps.

1.Distribute-lists

Distribute-lists filter routing updates in both the inbound and outbound direction. A distribute-list refers to an access-list or prefix-list that selects the routes to match, and is then applied under the routing process.

Example using access-list
Router(config)# access-list 10 permit 172.16.0.0 0.0.255.255
Router(config)# router rip
Router(config-router)# distribute-list 10 in serial0/0
This distribute-list only allows incoming RIP updates on serial0/0 for the prefixes referenced in access-list 10. In other words, only update information for 172.16.0.0/16 (the range matched by wildcard 0.0.255.255) received inbound on Serial0/0 is accepted into the RIP process.

Example using prefix-list
Router(config)# ip prefix-list MYLIST permit 10.1.0.0/16
Router(config)# router rip
Router(config-router)# distribute-list prefix MYLIST in serial0/0
This has the same meaning as the access-list example; the only difference is that access-list 10 is replaced by prefix-list MYLIST, referenced with the prefix keyword.

The two examples above deal with routing updates, so what happens in redistribution?
For redistribution, the distribute-list is configured under the routing process that imports routes from the redistributed protocol. That means, when configuring the distribute-list, you go to the receiving protocol's process to configure the filter. The command must use the "out" direction because it refers to the routing process from which the routes are redistributed.

For example, under the EIGRP process, the command
distribute-list 1 out ospf 2
tells EIGRP to apply ACL 1 when importing routes from OSPF process 2. Note that the "out" direction must be specified.
Using the following figure to demonstrate:
In this scenario, two routing protocols are running, EIGRP and OSPF, and R1 performs the redistribution. The requirement is to prevent route 1.1.1.0/24 from being redistributed into the OSPF process.
Before filtering, subnet 1.1.1.0/24 still appears in R3's routing table:
R3#show ip route ospf
     1.0.0.0/24 is subnetted, 1 subnets
O E2    1.1.1.0 [110/20] via 11.0.0.1, 00:01:08, Ethernet0/1
     2.0.0.0/24 is subnetted, 1 subnets
O E2    2.2.2.0 [110/20] via 11.0.0.1, 00:28:33, Ethernet0/1
     10.0.0.0/30 is subnetted, 1 subnets
O E2    10.0.0.0 [110/20] via 11.0.0.1, 00:28:33, Ethernet0/1
     11.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O E2    11.11.11.0/24 [110/20] via 11.0.0.1, 00:28:33, Ethernet0/1

I'm using a prefix-list named TEST:
R1#show run | section prefix-list
ip prefix-list TEST seq 5 deny 1.1.1.0/24
ip prefix-list TEST seq 10 permit 0.0.0.0/0 le 32
This prefix-list denies exactly the subnet 1.1.1.0/24 and permits everything else. On R1, under the OSPF process:
R1#show run | section router ospf
router ospf 1
 log-adjacency-changes
 redistribute eigrp 10 subnets
 network 11.0.0.0 0.0.0.3 area 0
 distribute-list prefix TEST out eigrp 10

After the distribute-list is applied to the OSPF process, subnet 1.1.1.0/24 no longer appears in R3's routing table.
R3#show ip route ospf
     2.0.0.0/24 is subnetted, 1 subnets
O E2    2.2.2.0 [110/20] via 11.0.0.1, 00:30:21, Ethernet0/1
     10.0.0.0/30 is subnetted, 1 subnets
O E2    10.0.0.0 [110/20] via 11.0.0.1, 00:30:21, Ethernet0/1
     11.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O E2    11.11.11.0/24 [110/20] via 11.0.0.1, 00:30:21, Ethernet0/1
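To make the evaluation order concrete, here is a small Python model of how a prefix-list is applied to redistributed routes. It is an added example, not the blog's configuration or IOS code; the prefix-list TEST and the four EIGRP subnets are transcribed from the output above, and the first-match / implicit-deny behaviour is the standard one for IOS prefix-lists.

```python
import ipaddress

# Constructed model of how IOS evaluates a prefix-list used in
# "distribute-list prefix ... out" (added example, not the blog's own code).
# Entries are tried in sequence order; the first entry whose prefix and
# length range cover the route decides; a route matching no entry hits the
# implicit deny at the end of every prefix-list.

def prefix_list_entry(seq, action, prefix, ge=None, le=None):
    """One 'ip prefix-list NAME seq N permit|deny prefix [ge X] [le Y]' entry.
    Without ge/le the route must have exactly the entry's mask length."""
    net = ipaddress.ip_network(prefix)
    lo = ge if ge is not None else net.prefixlen
    hi = le if le is not None else (32 if ge is not None else net.prefixlen)
    return (seq, action, net, lo, hi)

def entry_matches(entry, route):
    _, _, net, lo, hi = entry
    # The route's network address must fall inside the entry prefix, and its
    # mask length must lie within the ge/le range.
    return route.network_address in net and lo <= route.prefixlen <= hi

def prefix_list_permits(entries, route):
    """True if the prefix-list permits this route (first match wins)."""
    for entry in sorted(entries, key=lambda e: e[0]):
        if entry_matches(entry, route):
            return entry[1] == "permit"
    return False  # implicit deny

def filter_redistribution(entries, routes):
    """Routes (as 'a.b.c.d/len' strings) that survive the distribute-list."""
    return [r for r in routes
            if prefix_list_permits(entries, ipaddress.ip_network(r))]

# R1's prefix-list TEST and the EIGRP subnets seen on R3 before filtering.
TEST = [prefix_list_entry(5, "deny", "1.1.1.0/24"),
        prefix_list_entry(10, "permit", "0.0.0.0/0", le=32)]
EIGRP_ROUTES = ["1.1.1.0/24", "2.2.2.0/24", "10.0.0.0/30", "11.11.11.0/24"]

if __name__ == "__main__":
    print(filter_redistribution(TEST, EIGRP_ROUTES))
    # Forgetting the permit-all entry leaves only the implicit deny, which
    # silently suppresses every redistributed route.
    print(filter_redistribution(TEST[:1], EIGRP_ROUTES))
```

Because seq 5 has no le/ge, it matches 1.1.1.0/24 exactly; a more specific 1.1.1.0/25 would still be permitted by seq 10.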

2. Route-maps

A route-map is another filtering tool, like an ACL, but with more powerful functions:
  • Controlling redistribution between routing protocols
  • Adjusting attributes of routes (especially in BGP)
  • Implementing Policy-Based Routing (PBR)
Route-maps are organized as statements, each with a permit or deny action. Traffic is first matched using one or more criteria, and then a particular attribute or action is set for the matched traffic.

Syntax of route-map:
Router(config)# access-list 1 permit 10.1.0.0 0.0.0.255
Router(config)# route-map TEST permit 10
Router(config-route-map)# match ip address 1
Router(config-route-map)# set ip next-hop 2.2.2.2
An ACL is created first to match traffic from 10.1.0.0/24. Then the route-map named TEST is created with a permit action and sequence number 10.
The route-map matches the traffic listed in ACL 1 and finally sets the next-hop attribute for that traffic.
A route-map can contain multiple match commands:
Router(config)# route-map TEST permit 10
Router(config-route-map)# match ip address 1 2 3
With the matching criteria on the same line, "OR" logic is applied.
Router(config-route-map)# match ip address 1
Router(config-route-map)# match ip address 2
With separate lines, "AND" logic is applied.

When used with redistribution, if you do not want to change any attributes of the routes, the route-map must have a permit action and a match statement referencing an ACL, with no set configured.

Using the same diagram and requirement as above:

R1#show run | section access-list
access-list 10 deny   1.1.1.0 0.0.0.255
access-list 10 permit any
R1#show run | section route-map
route-map TEST permit 10
 match ip address 10  <<<< there is no set condition
R1#show run | section router ospf
router ospf 1
 log-adjacency-changes
 redistribute eigrp 10 subnets route-map TEST
 network 11.0.0.0 0.0.0.3 area 0

Verify the routing table on R3:
R3#show ip route ospf
     2.0.0.0/24 is subnetted, 1 subnets
O E2    2.2.2.0 [110/20] via 11.0.0.1, 00:03:09, Ethernet0/1
     10.0.0.0/30 is subnetted, 1 subnets
O E2    10.0.0.0 [110/20] via 11.0.0.1, 00:03:09, Ethernet0/1
     11.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O E2    11.11.11.0/24 [110/20] via 11.0.0.1, 00:03:09, Ethernet0/1
As you can see, both distribute-lists and route-maps let us extend the configuration according to the requirement. They reference ACLs and prefix-lists, so you can adjust the ACL settings to obtain the best configuration.
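The following Python model shows why the route-map above filters 1.1.1.0/24 even though it contains only a permit sequence: an ACL deny means "not matched by this sequence", so the route falls through to the implicit deny at the end of the route-map. This is an added example, not the blog's own code; ACL 10, route-map TEST and the EIGRP subnets are transcribed from the configuration and output above, and the OR/AND handling of match lines follows the post's description.

```python
import ipaddress

# Constructed model of a route-map applied by "redistribute eigrp 10 subnets
# route-map TEST" (added example, not the blog's own code). A standard ACL is
# first-match with an implicit deny; ACL numbers on one match line are ORed;
# separate match lines are ANDed (as the post describes); sequences are tried
# in order and a route matching no sequence is dropped by the implicit deny
# at the end of the route-map.

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard compare: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def acl_permits(acl, route):
    """A standard ACL used as a route filter tests the route's network address."""
    addr = str(ipaddress.ip_network(route).network_address)
    for action, base, wildcard in acl:
        if wildcard_match(addr, base, wildcard):
            return action == "permit"
    return False  # implicit deny

def sequence_matches(seq, acls, route):
    # seq["match"] is a list of match lines, each a list of ACL numbers:
    # any ACL on a line may match (OR), every line must match (AND).
    return all(any(acl_permits(acls[n], route) for n in line)
               for line in seq["match"])

def route_map_permits(route_map, acls, route):
    for seq in sorted(route_map, key=lambda s: s["seq"]):
        if sequence_matches(seq, acls, route):
            return seq["action"] == "permit"
    return False  # implicit deny at the end of the route-map

def redistribute(route_map, acls, routes):
    """Routes (as 'a.b.c.d/len' strings) that the route-map lets through."""
    return [r for r in routes if route_map_permits(route_map, acls, r)]

# R1's configuration from the post, transcribed as data ("permit any" is
# 0.0.0.0 255.255.255.255), plus the EIGRP subnets seen on R3 before filtering.
ACLS = {10: [("deny", "1.1.1.0", "0.0.0.255"),
             ("permit", "0.0.0.0", "255.255.255.255")]}
ROUTE_MAP_TEST = [{"seq": 10, "action": "permit", "match": [[10]]}]
EIGRP_ROUTES = ["1.1.1.0/24", "2.2.2.0/24", "10.0.0.0/30", "11.11.11.0/24"]

if __name__ == "__main__":
    print(redistribute(ROUTE_MAP_TEST, ACLS, EIGRP_ROUTES))
```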
