3.9

Configure and verify route filtering with any protocol

Distribute Lists

A distribute list is a list of routes that are permitted or denied to propagate into or out of a router. Distribute lists are created using Access Control Lists (ACLs). Because a standard ACL matches with a wildcard mask, a single entry also covers all the child subnets of the matched network, for example:

access-list 1 permit 172.16.1.0 0.0.0.255

The above will permit 172.16.1.0/24, and it will also permit all children of that subnet. This means that the following would all be permitted:

Extended ACLs behave differently.

In an IGP such as RIP, EIGRP or OSPF an extended ACL is used to specify the source of the route (where the route was learned from) and the destination (the network that needs to be filtered out):

access-list <100-1399> <permit|deny> ip 

access-list 100 permit ip host 196.16.253.2 213.197.214.0 0.0.0.63

With an EGP the ACL works differently: you need to specify the subnet mask of the route and you do not specify the source of the route.

access-list <100-1399> <permit|deny> ip host <source address> <network to filter> <network to filter wildcard>

access-list 100 deny ip host 196.16.253.0 host 255.255.255.0

Confusingly the first host is the network address and the second host is the subnet mask of the network.

When configuring the distribute-list on the router it is done from within the routing protocol (Router(config-router)#) and you are filtering either in or out, on routes that are being advertised to the router or routes that are being advertised from the router. However, this is different with BGP. BGP distribute-lists are attached to the neighbor command:

Router(config)#router bgp 100

Router(config-router)#address-family ipv4

Router(config-router-af)#neighbor 10.1.1.1 distribute-list 100 in

While this is an incredibly powerful and granular methodology (you can have a separate distribute-list for each neighbor) it is very configuration intensive.

Prefix Lists

Prefix lists are different because they are specifically designed for filtering out networks, unlike distribute-lists using ACLs. Prefix lists are stored in the same structure that routing tables are based on which means they are able to be cached by the data plane. This, in turn, means that most of the time prefix lists do not need to be processed by the control plane.

Like ACLs, there is an implicit deny all at the end of a prefix list. An empty prefix-list, however, permits all routes.

Prefix lists do not use wildcard masks; instead they use prefix-length notation (/24, /22, etc.). For example:

numbered lists:

ip prefix-list 1 permit 172.16.1.0/24

or named lists:

ip prefix-list incoming seq 10 permit 172.16.1.0/24

Where prefix-lists truly come into their own is when you are trying to filter out child subnets of a parent network. With a distribute-list that is ACL based, this would take many lines of configuration whereas a prefix-list can manage this in one line of configuration. This one line of configuration is tricky to wrap your head around though:

ip prefix-list 1 permit <network range> <child subnets within that range>

Permit every network. Permit the network range 0.0.0.0/0 and permit child subnets within that range that have subnet notation that is less than or equal to /32.

ip prefix-list 1 permit 0.0.0.0/0 le 32

Permit any /32 network. Permit the network range 0.0.0.0/0 and permit child subnets within that range which have subnet notation that is equal to or greater than /32. As /32 is the highest anyway this limits the permitted networks to only /32 from this statement.

ip prefix-list 1 permit 0.0.0.0/0 ge 32

Permit 172.16.1.0/24 and any child subnet created within that range (IOS rejects ge 24 on a /24 prefix, since ge must be greater than the prefix length; le 32 expresses the same intent).

ip prefix-list 1 permit 172.16.1.0/24 le 32

Deny subnets smaller than /24 within the range 172.16.1.0/24 (172.16.1.0/25, 172.16.1.128/25, 172.16.1.128/26, etc.) whilst allowing 172.16.1.0/24 itself. Because of the implicit deny, the parent /24 needs its own permit entry after the deny:

ip prefix-list 1 seq 5 deny 172.16.1.0/24 ge 25
ip prefix-list 1 seq 10 permit 172.16.1.0/24

Permit /24 and /25 subnets from the range 172.16.1.0/24 but deny smaller subnets (/26-/32):

ip prefix-list 1 permit 172.16.1.0/24 le 25

Permit any /27-/30 subnet within the network range 172.16.1.0/24:

ip prefix-list 1 permit 172.16.1.0/24 ge 27 le 30
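To make the ge/le window and the wildcard-mask behaviour concrete, here is an added Python model (not from the page, and not Cisco code) of how a prefix list and a standard-ACL distribute-list decide whether a route passes. It assumes IOS first-match and implicit-deny semantics, the "len < ge <= le" validity rule, and uses a constructed list of sample routes.

```python
from ipaddress import IPv4Address, IPv4Network

def parse_prefix_list_line(line):
    """Parse 'ip prefix-list NAME [seq N] permit|deny PFX [ge G] [le L]' into
    (action, network, low, high): the prefix-length window the entry covers."""
    tok = line.split()
    if tok[:2] != ["ip", "prefix-list"]:
        raise ValueError("not a prefix-list line: " + line)
    i = 5 if tok[3] == "seq" else 3          # skip the optional 'seq N'
    action, net = tok[i], IPv4Network(tok[i + 1], strict=False)
    opts = dict(zip(tok[i + 2::2], map(int, tok[i + 3::2])))   # {'ge': G, 'le': L}
    ge, le = opts.get("ge"), opts.get("le")
    low = ge if ge is not None else net.prefixlen
    high = le if le is not None else (32 if ge is not None else net.prefixlen)
    # IOS rejects an entry unless len < ge <= le (where ge/le are given)
    if (ge is not None and ge <= net.prefixlen) or not low <= high <= 32:
        raise ValueError(f"invalid prefix range for {net}: need len < ge <= le")
    return action, net, low, high

def entry_matches(entry, route):
    """A route matches when it lies inside the entry's prefix and its own
    length falls in the entry's window (exact length when no ge/le is given)."""
    _, net, low, high = entry
    return route.subnet_of(net) and low <= route.prefixlen <= high

def prefix_list_permits(entries, route):
    """First matching entry wins, implicit deny at the end, and an empty
    prefix list permits everything."""
    if not entries:
        return True
    for entry in entries:
        if entry_matches(entry, route):
            return entry[0] == "permit"
    return False

def filter_routes(config_lines, routes):
    """Return the routes a prefix list built from config_lines lets through."""
    entries = [parse_prefix_list_line(line) for line in config_lines]
    return [r for r in routes if prefix_list_permits(entries, IPv4Network(r))]

def wildcard_permits(acl_network, wildcard, route):
    """Standard-ACL distribute-list check: only the route's network address is
    compared, so the route's own prefix length cannot be constrained here."""
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return int(IPv4Network(route).network_address) & care == int(IPv4Address(acl_network)) & care

# Constructed sample routes (not from the page)
ROUTES = ["172.16.1.0/24", "172.16.1.0/25", "172.16.1.128/26", "172.16.1.7/32", "10.0.0.0/8"]
```

Running `filter_routes` with the one-line examples above shows why a standard ACL entry such as 172.16.1.0 0.0.0.255 passes every child of the /24 while a prefix-list entry can pin the accepted lengths down.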

Prefix lists are applied in much the same way as distribute-lists for IGPs, in router configuration mode for the routing protocol:

Router(config)#router <ospf|eigrp> <AS|Process ID>

Router(config-router)#distribute-list prefix <prefix-list name/number> <in|out>

EIGRP can filter routes inbound and outbound; it is very flexible and simple to implement. On the other hand, outbound distribute lists should only be applied to ABRs in an OSPF implementation. On other routers within an area, an outbound prefix-list will not be effective, as the routes will be learned from other routers.

Similarly to distribute-lists, a prefix-list is applied to BGP by adding it with the neighbor command:

Router(config)#router bgp <ASN>

Router(config-router)#neighbor <neighbor IP> prefix-list <prefix-list name/number> <in|out>
