Thursday, February 20, 2020

How to Filter Prefixes with Distribute-list

Prefixes that are advertised by routing protocols like OSPF, EIGRP or RIP can be filtered. One way of doing this is by using a distribute-list. In this lesson I’ll give you an example of how to filter certain prefixes with a distribute-list.
Filtering can occur inbound or outbound. With an inbound route filter, the router first checks whether a received network is permitted before accepting it into the routing table. Let’s take a look at a network topology so I can give you a demonstration:
[Figure: route filtering topology with two routers]
R1 and R2 are connected to each other and running EIGRP. On R2 I have added a couple of loopback interfaces with prefixes that we will advertise in EIGRP. Here is the configuration:
R1(config)#router eigrp 12
R1(config-router)#no auto-summary
R1(config-router)#network 192.168.12.0
R2(config)#router eigrp 12
R2(config-router)#no auto-summary
R2(config-router)#network 192.168.12.0
R2(config-router)#network 172.16.0.0 0.0.3.255
Above you can see that we advertise all prefixes in EIGRP.
R1#show ip route eigrp 
     172.16.0.0/24 is subnetted, 4 subnets
D       172.16.0.0 [90/156160] via 192.168.12.2, 00:01:07, FastEthernet0/0
D       172.16.1.0 [90/156160] via 192.168.12.2, 00:01:07, FastEthernet0/0
D       172.16.2.0 [90/156160] via 192.168.12.2, 00:01:07, FastEthernet0/0
D       172.16.3.0 [90/156160] via 192.168.12.2, 00:01:07, FastEthernet0/0
If we look at the routing table of router R1 we can see all those networks on the loopback interfaces as it should be. Now we’ll see if we can do some filtering.
R1(config)#router eigrp 12
R1(config-router)#distribute-list ?
  <1-199>      IP access list number
  <1300-2699>  IP expanded access list number
  WORD         Access-list name
  gateway      Filtering incoming updates based on gateway
  prefix       Filter prefixes in routing updates
  route-map    Filter prefixes based on the route-map
Go to the configuration of the EIGRP process and use the distribute-list command to see your options. As you can see we can choose between an access-list, a prefix-list or a route-map. Let’s start with the access-list. You are probably familiar with the concept of access-lists if you studied CCNA.
R1(config-router)#distribute-list 1 ?
  in   Filter incoming routing updates
  out  Filter outgoing routing updates
If you specify an access-list number you can choose if this route filter has to be inbound or outbound.
R1(config-router)#distribute-list 1 in ?
  Async              Async interface
  BVI                Bridge-Group Virtual Interface
  CDMA-Ix            CDMA Ix interface
  CTunnel            CTunnel interface
  Dialer             Dialer interface
  FastEthernet       FastEthernet IEEE 802.3
  Lex                Lex interface
  Loopback           Loopback interface
  MFR                Multilink Frame Relay bundle interface
  Multilink          Multilink-group interface
  Null               Null interface
  Port-channel       Ethernet Channel of interfaces
  Tunnel             Tunnel interface
  Vif                PGM Multicast Host interface
  Virtual-PPP        Virtual PPP interface
  Virtual-Template   Virtual Template interface
  Virtual-TokenRing  Virtual TokenRing
  <cr>
If you want, you can choose the interface to apply the inbound route filter to. If you don’t specify an interface, it will apply to all interfaces.
R1(config-router)#distribute-list 1 in FastEthernet 0/0
I’m going to apply it to the FastEthernet 0/0 interface since that’s the interface on which we receive routing information from router R2.
R1(config)#access-list 1 deny 172.16.1.0 0.0.0.255
R1(config)#access-list 1 permit any
Let’s create an access-list that will filter 172.16.1.0 /24 and permit all the other networks.

R1#
%DUAL-5-NBRCHANGE: IP-EIGRP(0) 12: Neighbor 192.168.12.2 (FastEthernet0/0) is resync: route configuration changed
You’ll see a message showing you that the route filter has changed.
R1#show ip route eigrp 
     172.16.0.0/24 is subnetted, 3 subnets
D       172.16.0.0 [90/156160] via 192.168.12.2, 00:06:26, FastEthernet0/0
D       172.16.2.0 [90/156160] via 192.168.12.2, 00:06:26, FastEthernet0/0
D       172.16.3.0 [90/156160] via 192.168.12.2, 00:06:26, FastEthernet0/0
R1#show access-lists 
Standard IP access list 1
    10 deny   172.16.1.0, wildcard bits 0.0.0.255 (2 matches)
    20 permit any (3 matches)
You can see 172.16.1.0 /24 has been filtered from the routing table. The matches in the access-list also tell us we have filtered this network. Using an access-list is the simplest method of route filtering. There are two other options. Let me show you:
R1(config-router)#distribute-list ?
  <1-199>      IP access list number
  <1300-2699>  IP expanded access list number
  WORD         Access-list name
  gateway      Filtering incoming updates based on gateway
  prefix       Filter prefixes in routing updates
  route-map    Filter prefixes based on the route-map
hostname R1
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
!
router eigrp 12
 distribute-list 1 in FastEthernet0/0
 network 192.168.12.0
!
access-list 1 deny   172.16.1.0 0.0.0.255
access-list 1 permit any
!
end
hostname R2
!
interface Loopback0
 ip address 172.16.0.1 255.255.255.0
!
interface Loopback1
 ip address 172.16.1.1 255.255.255.0
!
interface Loopback2
 ip address 172.16.2.1 255.255.255.0
!         
interface Loopback3
 ip address 172.16.3.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
!
router eigrp 12
 network 172.16.0.0 0.0.3.255
 network 192.168.12.0
!
end
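
The following is an added example, not part of the original lesson: a small Python model of how access-list 1 is evaluated against the prefixes R2 advertises. It assumes standard-ACL semantics (first match wins, implicit deny at the end, and only the route's network address is compared, never its prefix length); the function names are hypothetical.

```python
import ipaddress

# Access-list 1 exactly as configured on R1 in this lesson.
ACL_1 = """\
access-list 1 deny 172.16.1.0 0.0.0.255
access-list 1 permit any
"""

def parse_standard_acl(text):
    """Return [(action, address_int, wildcard_int)] in configured order."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "access-list":
            continue
        action, rest = fields[2], fields[3:]
        if rest[0] == "any":
            addr, wild = "0.0.0.0", "255.255.255.255"
        elif rest[0] == "host":
            addr, wild = rest[1], "0.0.0.0"
        else:
            addr, wild = rest[0], rest[1] if len(rest) > 1 else "0.0.0.0"
        entries.append((action, int(ipaddress.IPv4Address(addr)),
                        int(ipaddress.IPv4Address(wild))))
    return entries

def route_permitted(acl, prefix):
    """First match wins; only the network address is compared, not the mask."""
    net = int(ipaddress.ip_network(prefix).network_address)
    for action, addr, wild in acl:
        care = ~wild & 0xFFFFFFFF          # bits that must match
        if (net & care) == (addr & care):
            return action == "permit"
    return False                           # implicit deny at the end of every ACL

def filter_update(acl, prefixes):
    """Prefixes from a routing update that survive the inbound distribute-list."""
    return [p for p in prefixes if route_permitted(acl, p)]

# Prefixes R2 advertises in this lesson.
ADVERTISED = ["172.16.0.0/24", "172.16.1.0/24", "172.16.2.0/24", "172.16.3.0/24"]

if __name__ == "__main__":
    acl = parse_standard_acl(ACL_1)
    print(filter_update(acl, ADVERTISED))
    # Constructed inputs: longer prefixes inside 172.16.1.0/24 are denied too.
    print(filter_update(acl, ["172.16.1.128/25", "172.16.1.64/26"]))
    # Constructed variant without "permit any": every prefix is filtered.
    print(filter_update(parse_standard_acl(ACL_1.splitlines()[0]), ADVERTISED))
```
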

Using an access-list is the simplest method of filtering. The two other options are prefix-lists and route-maps. I’ll cover those two in another lesson 🙂 If you have any questions feel free to leave a comment!
