Filtering Routing Updates

Route filters give you granular control over the routes sent and received by your router. Unlike the passive-interface command, which blocks all routes sent out an interface, a route filter can selectively block some updates and let others through. Route filters can also block incoming routes, something the passive-interface command cannot do. Filtering incoming routes is like filtering e-mail spam: it rejects routes that are unwanted or unnecessary (for example, improperly sourced default routes that might confuse your router).

Like the passive interface, route filtering is a building block for routing protocol redistribution (which is why it is covered in this chapter before the section on redistribution). The technique is also useful for filtering and sanitizing routes received from a router outside of your control (a router managed by another department or organization, for example).

Suppose you need to control the dispersion of routing updates in the network depicted in Figure 3-2 (the routing protocol is IGRP).

Figure 3-2 A Scenario for Configuring Route Filters (figure labels: Net X, Net Y)

The situation you face is the following:

• You manage all routers except Router E. Router E is owned by another group who often reconfigure, or rather misconfigure, their router. This sometimes causes problems for your router, Router D, because it gets confused when it receives illegal routes from Router E. You know that one route, 192.168.66.0/24, should be accepted by Router D. All other routes from Router E are noise and should be filtered.

• For security reasons, Router B and Router C should not have a route to subnet 172.16.13.0/24. This prevents users in Net X and Net Y from accessing that particular subnet. Consequently, Router D needs to filter 172.16.13.0/24 from its updates to Router B and Router C.

To accomplish these objectives, configure route filters on Router D with the distribute-list router mode command. The following is Router D's configuration:

    router igrp 100
     network 172.16.0.0
     distribute-list 1 in Serial0
     distribute-list 2 out Ethernet0

    access-list 1 permit 192.168.66.0 0.0.0.255
    access-list 2 deny 172.16.13.0 0.0.0.255
    access-list 2 permit any

(Figure 3-2 labels: 192.168.66.0/24, Router E, Router B, Router D, Router F; "Distribute list in on Router D" marks Serial0, "Distribute list out on Router D" marks Ethernet0)

The command distribute-list 1 in Serial0 tells Router D to filter all IGRP updates inbound on Serial0 based on the criteria defined by access list 1, which permits route 192.168.66.0/24 only. This is the only route Router D will accept from Router E. All other routes entering Serial0 (sent from Router E) are ignored.

The command distribute-list 2 out Ethernet0 tells the router to filter all IGRP updates outbound on Ethernet0, based on the criteria defined by access list 2. Access list 2 denies route 172.16.13.0/24 and permits all other routes, thus meeting the stated requirement to prevent Router B and Router C from learning route 172.16.13.0/24.

The remaining access-list commands define the access lists, 1 and 2, that are referenced by the distribute-list commands. You don't have to configure a deny rule for access list 1 because of the implicit deny-any rule at the end of every access list. Access lists and their syntax are covered in Chapter 6, "Deploying Basic Security Services."
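The following is an added example, not part of the book, that models how a standard access list drives a distribute-list: wildcard-mask matching, first-match evaluation, and the implicit deny at the end. The access lists are the page's own; the route updates fed through them (a bogus default route and a 10.99.0.0/16 prefix from Router E) are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class AclEntry:
    """One line of a standard IP access list, e.g. 'permit 192.168.66.0 0.0.0.255'."""
    action: str                 # "permit" or "deny"
    address: str                # network address, or "any"
    wildcard: str = "0.0.0.0"   # wildcard bits: 1 = ignore this bit, 0 = must match

def acl_matches(entry: AclEntry, network: str) -> bool:
    """Wildcard-mask comparison as a standard ACL performs it."""
    if entry.address == "any":
        return True
    net = int(ipaddress.IPv4Address(network))
    base = int(ipaddress.IPv4Address(entry.address))
    care = ~int(ipaddress.IPv4Address(entry.wildcard)) & 0xFFFFFFFF
    return (net & care) == (base & care)

def acl_permits(acl: list[AclEntry], network: str) -> bool:
    """First matching line decides; no match falls through to the implicit deny."""
    for entry in acl:
        if acl_matches(entry, network):
            return entry.action == "permit"
    return False

def apply_distribute_list(acl: list[AclEntry], routes: list[str]) -> list[str]:
    """Keep the routes the distribute-list lets through.
    Routes are 'network/len' strings; a standard ACL used by a distribute-list
    is matched against the network address only, so the prefix length is ignored."""
    return [r for r in routes if acl_permits(acl, r.split("/")[0])]

# Access lists 1 and 2 exactly as the page configures them on Router D.
ACL_1 = [AclEntry("permit", "192.168.66.0", "0.0.0.255")]
ACL_2 = [AclEntry("deny", "172.16.13.0", "0.0.0.255"), AclEntry("permit", "any")]

# Constructed sample updates (not from the page): Router E announces the one
# legitimate route plus noise, including an improperly sourced default route.
ROUTER_E_UPDATE = ["192.168.66.0/24", "0.0.0.0/0", "10.99.0.0/16"]
ROUTER_D_OUTBOUND = ["172.16.2.0/24", "172.16.3.0/24", "172.16.13.0/24",
                     "172.16.14.0/24", "192.168.66.0/24"]

def inbound_from_router_e() -> list[str]:
    """distribute-list 1 in Serial0: only 192.168.66.0/24 survives."""
    return apply_distribute_list(ACL_1, ROUTER_E_UPDATE)

def outbound_to_routers_b_c() -> list[str]:
    """distribute-list 2 out Ethernet0: everything except 172.16.13.0/24 is sent."""
    return apply_distribute_list(ACL_2, ROUTER_D_OUTBOUND)
```

Because the match is on the network address only, a single access-list line covers every host address in 192.168.66.0/24, while anything outside it, including the bogus default route, hits the implicit deny.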

After configuring the route filters, you should verify that they are delivering the expected results. You can issue show ip route on Router D to ensure that Router D is accepting only route 192.168.66.0/24 from Router E. Likewise, you can issue show ip route on Router B and Router C and verify that those routers have all routes except 172.16.13.0/24.

You can also verify route filtering with debugging commands. The following is an output with debug ip igrp transactions enabled on Router D:

    RTD#deb ip igrp tr
    IGRP protocol debugging is on
    IGRP: sending update to 255.255.255.255 via Ethernet0 (172.16.1.1)
          subnet 172.16.2.0, metric=501
          subnet 172.16.3.0, metric=501
          subnet 172.16.10.0, metric=9675
          subnet 172.16.11.0, metric=9675
          subnet 172.16.12.0, metric=10255
          subnet 172.16.14.0, metric=9675
          network 192.168.66.0, metric=8576

The preceding output shows the IGRP updates sent by Router D out its Ethernet0 interface. Noticeably absent from the list is route 172.16.13.0/24, the route blocked by the route filter (distribute-list 2 out Ethernet0). Subnets 172.16.2.0 and 172.16.3.0 are the links joining Router D to Routers E and F (refer to Figure 3-2).

NOTE OSPF complicates the use of route filters somewhat and, in general, you should avoid OSPF route filtering whenever possible. With OSPF, you cannot use distribute-list out and specify an interface; however, when redistributing with OSPF, you can specify an external routing protocol with distribute-list out. You can prevent a router from entering a route in its routing table with distribute-list in, but this does not stop the router from forwarding the LSA to other routers in the network. Because OSPF is a link-state protocol and requires extensive propagation of LSAs, it cannot be route filtered like RIP, IGRP, and EIGRP.
