Distribute lists – apply access lists upon routing updates to filter unnecessary routes.
Route maps – powerful but complicated route filtering and manipulation tools.
Administrative distance – controlling the route preference.
Blocking the advertisement of certain routes (route filtering) is often used to prevent domain loops when implementing two-way route redistribution with multiple redistribution points.
Access lists are configured in global configuration mode, and the associated distribute list is configured under a routing protocol process. The access list should permit the networks that will be received, advertised, or redistributed and deny the networks that will remain hidden. The router then applies the access list upon routing updates for the routing protocol. The distribute-list {[acl-num | acl-name] | prefix {ip-prefix-name} | route-map {map-tag}} {in [intf-type intf-num] | out [intf-type intf-num | routing-process [as-num]]} router subcommand filters routing updates based on incoming interface, outgoing interface, and redistribution from another routing protocol.
Distribute List Processing Based on the Incoming or Outgoing Interface
Routing updates can be controlled at both the interface and routing protocol levels.
The figure above shows how a router filters routing updates using a distribute list that is based on the incoming or outgoing interface. The processing steps are:
The router receives or prepares to send a routing update about one or more networks.
The router determines the interface on which an incoming routing update has arrived; or the interface out of which an outgoing routing update should be advertised.
The router determines if a filter (distribute list) is associated with the interface.
If a filter (distribute list) is not associated with the interface, the update is processed normally.
If a filter (distribute list) is associated with the interface, the router processes the access list referenced by the distribute list for a match upon the route specified in the routing update.
If there is a match in the access list, the route entry is processed as configured – which is either permitted or denied by the matching access list statement.
If no match is found in the access list, the implicit deny any at the end of the access list drops the route entry.
The distribute-list out router subcommand cannot be used with link-state routing protocols to block outbound LSAs for an interface. With a link-state routing protocol, filtered routes are not inserted in the local routing table, but are still placed in the link-state database.
The distribute-list in router subcommand filters routing updates going into the interface specified in the command into the routing process under which it is configured.
The distribute-list out router subcommand filters routing updates going out from the interface or routing protocol specified in the command, into the routing process under which it is configured.
IP Route Filtering
Below shows the routing table on RT3 before and after the route filtering configuration on RT2:
RT3#sh ip route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 1 subnets
D 172.16.1.0 [90/30720] via 192.168.1.1, 00:00:08, FastEthernet0/0
10.0.0.0/24 is subnetted, 1 subnets
D 10.10.10.0 [90/33280] via 192.168.1.1, 00:00:08, FastEthernet0/0
C 192.168.1.0/24 is directly connected, FastEthernet0/0
RT3#
00:05:20: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.1 (FastEthernet0/0) is down: Interface Goodbye received
00:05:25: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.1 (FastEthernet0/0) is up: new adjacency
RT3#sh ip route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 1 subnets
D 172.16.1.0 [90/30720] via 192.168.1.1, 00:00:03, FastEthernet0/0
C 192.168.1.0/24 is directly connected, FastEthernet0/0
RT3#
An alternative way to filter network 10.0.0.0 is to deny network 10.0.0.0 and permit all other networks. This is an efficient approach if the routing information contains multiple networks but only network 10.0.0.0 needs to be filtered.
access-list 1 deny 10.0.0.0 0.255.255.255
access-list 1 permit any
Distribute Lists For Two-way / Mutual Redistribution
The sample network above implemented two-way redistribution between EIGRP and OSPF. The output below shows that RT2 redistributes the OSPF routes 172.16.0.0/22, which were redistributed by RT3 from OSPF into EIGRP, back to RT4 once the administrative distance for EIGRP external routes is modified and the distribute list for OSPF is removed on RT2:
RT2#sh ip route
Gateway of last resort is not set
12.0.0.0/24 is subnetted, 1 subnets
C 12.12.12.0 is directly connected, FastEthernet0/0
13.0.0.0/24 is subnetted, 1 subnets
D 13.13.13.0 [90/30720] via 12.12.12.1, 00:02:38, FastEthernet0/0
24.0.0.0/24 is subnetted, 1 subnets
C 24.24.24.0 is directly connected, FastEthernet1/0
34.0.0.0/24 is subnetted, 1 subnets
O 34.34.34.0 [110/2] via 24.24.24.4, 00:01:24, FastEthernet1/0
O 172.16.0.0/16 [110/2] via 24.24.24.4, 00:01:24, FastEthernet1/0
O 172.17.0.0/16 [110/2] via 24.24.24.4, 00:01:24, FastEthernet1/0
O 172.18.0.0/16 [110/2] via 24.24.24.4, 00:01:24, FastEthernet1/0
O 172.19.0.0/16 [110/2] via 24.24.24.4, 00:01:24, FastEthernet1/0
D 192.168.0.0/24 [90/156160] via 12.12.12.1, 00:02:38, FastEthernet0/0
D 192.168.1.0/24 [90/156160] via 12.12.12.1, 00:02:38, FastEthernet0/0
D 192.168.2.0/24 [90/156160] via 12.12.12.1, 00:02:38, FastEthernet0/0
D 192.168.3.0/24 [90/156160] via 12.12.12.1, 00:02:38, FastEthernet0/0
RT2#
RT2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
RT2(config)#router eigrp 100
RT2(config-router)#distance eigrp 90 80
RT2(config-router)#
00:04:25: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 12.12.12.1 (FastEthernet0/0) is down: route configuration changed
00:04:29: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 12.12.12.1 (FastEthernet0/0) is up: new adjacency
RT2(config-router)#do sh ip route
Gateway of last resort is not set
12.0.0.0/24 is subnetted, 1 subnets
C 12.12.12.0 is directly connected, FastEthernet0/0
13.0.0.0/24 is subnetted, 1 subnets
D 13.13.13.0 [90/30720] via 12.12.12.1, 00:00:06, FastEthernet0/0
24.0.0.0/24 is subnetted, 1 subnets
C 24.24.24.0 is directly connected, FastEthernet1/0
34.0.0.0/24 is subnetted, 1 subnets
D EX 34.34.34.0 [80/1336320] via 12.12.12.1, 00:00:05, FastEthernet0/0
D EX 172.16.0.0/16 [80/1336320] via 12.12.12.1, 00:00:05, FastEthernet0/0
D EX 172.17.0.0/16 [80/1336320] via 12.12.12.1, 00:00:05, FastEthernet0/0
D EX 172.18.0.0/16 [80/1336320] via 12.12.12.1, 00:00:05, FastEthernet0/0
D EX 172.19.0.0/16 [80/1336320] via 12.12.12.1, 00:00:05, FastEthernet0/0
D 192.168.0.0/24 [90/156160] via 12.12.12.1, 00:00:06, FastEthernet0/0
D 192.168.1.0/24 [90/156160] via 12.12.12.1, 00:00:06, FastEthernet0/0
D 192.168.2.0/24 [90/156160] via 12.12.12.1, 00:00:06, FastEthernet0/0
D 192.168.3.0/24 [90/156160] via 12.12.12.1, 00:00:06, FastEthernet0/0
RT2(config-router)#
RT2(config-router)#do sh access-lists
Standard IP access list 1
    10 deny 192.168.0.0, wildcard bits 0.0.3.255 (4 matches)
    20 permit any (24 matches)
Standard IP access list 2
    10 deny 172.16.0.0, wildcard bits 0.3.255.255 (4 matches)
    20 permit any (19 matches)
RT2(config-router)#
RT2(config-router)#router ospf 100
RT2(config-router)#no distribute-list 2 out eigrp 100
RT2(config-router)#do sh ip ospf database
--- output omitted ---
Type-5 AS External Link States
Link ID ADV Router Age Seq# Checksum Tag
12.12.12.0 2.2.2.2 276 0x80000001 0x00F97A 0
12.12.12.0 3.3.3.3 250 0x80000003 0x00D796 0
13.13.13.0 2.2.2.2 45 0x80000005 0x00CD9F 0
13.13.13.0 3.3.3.3 265 0x80000001 0x00B7B5 0
34.34.34.0 2.2.2.2 50 0x80000001 0x00DE53 0
172.16.0.0 2.2.2.2 3 0x80000001 0x0026B5 0
172.17.0.0 2.2.2.2 3 0x80000001 0x001AC0 0
172.18.0.0 2.2.2.2 3 0x80000001 0x000ECB 0
172.19.0.0 2.2.2.2 3 0x80000001 0x0002D6 0
192.168.0.0 2.2.2.2 45 0x80000005 0x00F139 0
192.168.0.0 3.3.3.3 250 0x80000003 0x00D751 0
192.168.1.0 2.2.2.2 45 0x80000005 0x00E643 0
192.168.1.0 3.3.3.3 250 0x80000003 0x00CC5B 0
192.168.2.0 2.2.2.2 45 0x80000005 0x00DB4D 0
192.168.2.0 3.3.3.3 250 0x80000003 0x00C165 0
192.168.3.0 2.2.2.2 45 0x80000005 0x00D057 0
192.168.3.0 3.3.3.3 250 0x80000003 0x00B66F 0
RT2(config-router)#
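The distribute-list processing steps listed earlier, applied to the two standard access lists RT2 displays in sh access-lists, as an added Python sketch (not code from the original page and not IOS itself). The route list is the set of Type-5 link IDs advertised by 2.2.2.2 in the output above; the function names, the binding tuple and the one-entry ACL in the last function are assumptions made for illustration.

```python
import ipaddress

# Standard ACLs exactly as shown by "sh access-lists" on RT2:
# (action, base address, wildcard bits). "permit any" is 0.0.0.0 255.255.255.255.
ACLS = {
    1: [("deny", "192.168.0.0", "0.0.3.255"),
        ("permit", "0.0.0.0", "255.255.255.255")],
    2: [("deny", "172.16.0.0", "0.3.255.255"),
        ("permit", "0.0.0.0", "255.255.255.255")],
}

# Networks RT2 (2.2.2.2) advertises as Type-5 LSAs once the filter is removed.
RT2_REDISTRIBUTED = [
    "12.12.12.0", "13.13.13.0", "34.34.34.0",
    "172.16.0.0", "172.17.0.0", "172.18.0.0", "172.19.0.0",
    "192.168.0.0", "192.168.1.0", "192.168.2.0", "192.168.3.0",
]


def _u32(dotted):
    return int(ipaddress.IPv4Address(dotted))


def acl_decision(acl, network):
    """Return (action, entry index) of the first matching entry.

    A standard ACL in a distribute list is compared with the network
    address only. Wildcard 1-bits are "don't care" bits. If no entry
    matches, the implicit deny any applies and the index is None.
    """
    addr = _u32(network)
    for idx, (action, base, wildcard) in enumerate(acl):
        care = ~_u32(wildcard) & 0xFFFFFFFF
        if (addr & care) == (_u32(base) & care):
            return action, idx
    return "deny", None


def filter_update(routes, binding, distribute_lists, acls):
    """Split routes into (kept, dropped) for one routing update.

    binding identifies where the update is headed or came from, for
    example ("out", "eigrp 100") or ("in", "FastEthernet0/0").
    If no distribute list is bound there, the update is processed normally.
    """
    acl_num = distribute_lists.get(binding)
    if acl_num is None:
        return list(routes), []
    kept, dropped = [], []
    for net in routes:
        action, _ = acl_decision(acls[acl_num], net)
        (kept if action == "permit" else dropped).append(net)
    return kept, dropped


def implicit_deny_demo():
    """Constructed one-entry ACL with no 'permit any' at the end."""
    acl = [("permit", "172.16.0.0", "0.0.255.255")]
    return acl_decision(acl, "172.16.1.0"), acl_decision(acl, "10.10.10.0")


if __name__ == "__main__":
    # "distribute-list 2 out eigrp 100" under router ospf 100, as on the page.
    bound = {("out", "eigrp 100"): 2}
    print("with filter   :", filter_update(RT2_REDISTRIBUTED, ("out", "eigrp 100"), bound, ACLS))
    print("filter removed:", filter_update(RT2_REDISTRIBUTED, ("out", "eigrp 100"), {}, ACLS))
    print("implicit deny :", implicit_deny_demo())
```

With the filter bound, the four 172.16.0.0 to 172.19.0.0 networks hit the deny entry of access list 2, which is consistent with the "(4 matches)" counter in the output; with the binding removed, all eleven networks pass.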
Using a single router to redistribute routes means introducing a single point of failure that can cause production issues upon hardware failure. Most redistribution scenarios implement a minimum of 2 routers performing redistribution for redundancy and even for load sharing.
The existence of multiple redistribution points between 2 routing domains introduces some complex and tricky issues, in which a route from a routing domain can be redistributed into another routing domain, and then redistributed back into the original routing domain. A domain loop occurs when the twice-redistributed route is redistributed back into the original routing domain with a relatively low metric and is preferred over the route that was advertised only internally to that routing domain. Configuring higher metrics upon redistributed routes is often used to prevent domain loops.
Interestingly, EIGRP and OSPF with default settings are not prone to domain loop problems when either one of them is one of the routing protocols that undergo a two-way mutual redistribution. The default EIGRP administrative distance values (90 for internal; 170 for external) defeat the domain loop problem when redistributing between EIGRP and OSPF. OSPF always prefers internal routes over E1 routes, and E1 routes over E2 routes, before even considering the metrics.
Distribute lists hide network information, which can be considered a drawback in some setups. For example, in a network with redundant paths, a distribute list might permit routing updates for only specific routes to avoid routing loops. Other routers might not know about other paths to reach the filtered networks. So when the primary path goes down, the backup paths are not used, as other routers do not know they exist. When redundant paths exist, other techniques, such as manipulating the administrative distance or metric, should be used instead of distribute lists, to enable the use of an alternative path (with a worse administrative distance or metric) when the primary path goes down.
Cisco recommended using route maps to manipulate and control routing updates.
All IP routing protocols can use route maps for redistribution filtering.
Route maps are complex ACLs that use match commands to test some conditions upon interesting packets or routes. Once the conditions are matched, the actions specified by set commands will be taken to modify the attributes of the packet or routes.
A route map is a collection of route map statements that have the same route map name. Within a route map, each route map statement is numbered and can be edited individually. Like an access list, there is an implicit deny any at the end of a route map. The consequences of this deny depend upon the usage of the route map.
The route-map {map-tag} [permit | deny] [seq-num] global configuration command can be used to define the conditions for processing. The map-tag is the name of the route map. The permit and deny are optional parameters that specify the action to be taken when the match conditions of a route map statement are met. The optional sequence number indicates the position for a new route map statement in an existing route map (used for inserting or deleting specific route map statements in a route map).
A route map referenced by the redistribute router subcommand always attempts to filter routes. If a particular route-map statement with the permit action matches a particular route, the route is redistributed as controlled by the set actions; for policy routing, the packet is policy routed. If a particular route-map statement with the deny action matches a particular route, the route is filtered – not redistributed; for policy routing, the packet is not policy routed.
A single match statement may contain multiple conditions; just a single condition needs to be true for the match statement to be considered matched. (Logical OR)
A single route map statement may contain multiple match statements; all match statements in the route map statement must be true for the route map statement to be considered matched. (Logical AND)
Multiple match conditions > A match statement / clause.
Multiple match statements / clauses > A route map statement.
Multiple route map statements > A route map.
Route Map Interpretation
The sample route map named demo01 in the figure above is interpreted as:
if ((a or b or c) and d)
    set e and f
else if (g)
    set h
else
    set nothing
Note: The default action for the route-map command is permit, with sequence number of 10. The actions defined with the set {condition} route map configuration command will be effective only when the action of the route map is permit.
Note: Do not leave out the seq-num when editing and adding statements in a route map list, or else only the 1st statement with the sequence number of 10 will always be referred to. Route map sequence numbers do not automatically increment as with ACL configuration!
Route maps are used for a variety of purposes. Several common usages of route maps are:
Route filtering during redistribution. Redistribution often requires route filtering. Although distribute lists can be used for this purpose, route maps offer greater flexibility for matching and manipulating routing updates using match criteria and set actions.
Policy-Based Routing (PBR). Route maps are able to match source and destination addresses, protocol types, and end-user applications through transport layer port numbers. When a match occurs, a set action can be used to define the interface or next-hop address to which the packet should be forwarded. PBR provides an ability to define routing policy rather than rely upon the routing table for basic destination-based routing.
NAT. Route maps provide better control over defining the NAT addresses, as well as detailed show commands that are available to monitor the address-translation process.
BGP. Route maps are the primary tools used for implementing BGP routing policies. Network administrators assign route maps to specific BGP sessions / neighbors to control which routes are allowed to flow in and out of the BGP process. In addition to filtering, route maps also provide sophisticated manipulation upon BGP path attributes.
Route maps use the match subcommand to identify routes.
The match command can refer to ACLs and prefix-lists to match anything matchable by them.
Below lists the match commands that matter when using route maps for redistribution.
match interface {intf-type intf-num} [… intf-type intf-num] | Matches routes whose outgoing interface is one of the specified interfaces. |
match ip address {[acl-num | acl-name] | prefix-list {prefix-name}} | Matches routes that are matched by the access list or prefix list. [*] |
match ip next-hop {[acl-num | acl-name] | prefix-list {prefix-name}} | Matches routes that have the next-hop address matched by the access list or prefix list. [*] |
match ip route-source {[acl-num | acl-name] | prefix-list {prefix-name}} | Matches routes that are advertised by the IP address (router) that is matched by the access list or prefix list. [*] |
match metric {metric} [… metric] | Matches routes with the specified metrics. |
match route-type {internal | external [type-1 | type-2] | level-1 | level-2 | local | nssa-external} | Matches routes with the specified EIGRP, OSPF, IS-IS, and BGP route types. |
match tag {tag-value} [… tag-value] | Matches the route tag that was set by another router. |
Below lists the set actions that matter when using route maps for redistribution.
set metric {metric-value | bandwidth delay reliability loading mtu} | Sets the metric for RIP, OSPF, IS-IS, and EIGRP routes. |
set metric-type {type-1 | type-2 | internal | external} | Sets the type (E1 or E2) for OSPF external routes and IS-IS routes. |
set tag {tag-value} | Sets the tag value for the redistributed routes. |
Prefix lists are used to match IP prefixes, with the capability to match an exact prefix length or a prefix range. Prefix lists are often used as an alternative to access lists and distribute lists. Prefix lists are faster and less CPU-intensive than regular access lists and distribute lists. Prefix list entries can be deleted and added individually.
The formats of a prefix list entry and an IP access control list (ACL) entry are similar. A prefix list entry consists of a name, an action (deny or permit), the prefix number, and the prefix length. The syntax of the command is ip prefix-list {list-name} [seq seq-num] {deny | permit} {prefix/length} [ge ge-value] [le le-value]. The network number can be any valid IP address or prefix, while the bit mask can be a number from 0 to 32. The prefix is automatically converted to match the prefix length value, eg: entering 10.11.12.0/8 would result in 10.0.0.0/8.
Note: If a prefix is permitted, the route will be used; if a prefix is denied, the route is not used.
The basic form of prefix list assumes an exact match of both prefix number and prefix length. Additional parameters are required to match a range of prefixes. When a prefix range ends at /32, the ge-value (greater-than-or-equal-to) can be specified. The ge-value must be greater than the length specified by the prefix/length parameter, and less than 32. When the ge parameter is specified, the prefixes with mask length from the ge-value to 32 (inclusive) will be matched.
If the prefix length does not end at /32, the le (less-than-or-equal-to) parameter must be specified. When both the ge and le parameters are specified, the prefixes with mask length between the ge-value and le-value (inclusive) will be matched. The specified ge-value and le-value must satisfy the following condition:
prefix-length < ge-value < le-value ≤ 32
Representation of Prefix Length Ranges for the ip prefix-list Command
Below is an example of using both the ge and le parameters to match a portion of 172.16.1.0/24:
ip prefix-list pl-test permit 172.16.1.0/24 ge 25 le 30
Note that 172.16.1.0/24 and all the /31s and /32s are not in the range.
Below lists the prefixes that are being matched by the prefix range:
2 /25s | 172.16.1.0/25, 172.16.1.128/25. |
4 /26s | 172.16.1.0/26, 172.16.1.64/26, 172.16.1.128/26, 172.16.1.192/26. |
8 /27s | 172.16.1.0/27, 172.16.1.32/27 … 172.16.1.192/27, 172.16.1.224/27. |
16 /28s | 172.16.1.0/28, 172.16.1.16/28 … 172.16.1.224/28, 172.16.1.240/28. |
32 /29s | 172.16.1.0/29, 172.16.1.8/29 … 172.16.1.240/29, 172.16.1.248/29. |
64 /30s | 172.16.1.0/30, 172.16.1.4/30 … 172.16.1.248/30, 172.16.1.252/30. |
When a prefix list is configured without a sequence number, the default sequence number of 5 will be applied to the prefix list, and subsequent prefix list entries will be incremented by 5, eg: 5, 10, 15, etc. If a sequence number is entered for the first prefix list entry but not subsequent entries, the subsequent entries will also be incremented by 5, eg: if the first configured sequence number is 3, then the subsequent sequence numbers will be 8, 13, 18, etc.
Below lists some examples of prefix lists:
ip prefix-list pl-test permit 0.0.0.0/0 | A prefix list entry configured to match only the default route 0.0.0.0/0. |
ip prefix-list pl-test permit 0.0.0.0/0 le 32 | A prefix list entry configured to match any address or subnet – match all (permit any any). |
ip prefix-list pl-test permit 0.0.0.0/0 ge 8 le 24 | A prefix list entry configured to match any prefix that has a prefix length from 8 to 24 bits. |
ip prefix-list pl-test permit 0.0.0.0/0 ge 30 le 30 | A prefix list entry configured to match any prefix with prefix length of 30. |
ip prefix-list pl-test permit 172.16.1.0/24 | A prefix list entry configured to match the 172.16.1.0/24 subnet. |
ip prefix-list pl-test permit 10.0.0.0/8 le 24 | A prefix list entry configured to match subnets from the 10.0.0.0/8 network that have a prefix length that is less than or equal to 24 bits. |
ip prefix-list pl-test permit 10.0.0.0/8 ge 25 | A prefix list entry configured to match subnets from the 10.0.0.0/8 network that have a prefix length that is greater than or equal to 25 bits. |
Network Setup for IP Prefix Lists
The sample network above was set up to observe how RT2 uses prefix lists to determine which subnets are redistributed from OSPF into EIGRP.
Below shows the configuration on RT2:
!
router ospf 100
 network 12.12.12.2 0.0.0.0 area 0
!
router eigrp 100
 redistribute ospf 100 route-map OSPF-EIGRP
 network 23.23.23.2 0.0.0.0
 default-metric 10000 100 255 1 1500
 no auto-summary
!
ip prefix-list OSPF-EIGRP-routes seq 5 permit 10.0.0.0/8
ip prefix-list OSPF-EIGRP-routes seq 10 permit 11.0.0.0/8 ge 9
ip prefix-list OSPF-EIGRP-routes seq 15 permit 12.0.0.0/8 ge 9
ip prefix-list OSPF-EIGRP-routes seq 20 permit 13.0.0.0/8 ge 9 le 24
ip prefix-list OSPF-EIGRP-routes seq 25 permit 172.16.0.0/16
ip prefix-list OSPF-EIGRP-routes seq 30 permit 172.17.0.0/16 ge 24
ip prefix-list OSPF-EIGRP-routes seq 35 permit 172.18.0.0/16 ge 24
ip prefix-list OSPF-EIGRP-routes seq 40 permit 172.19.0.0/16 ge 24 le 30
!
route-map OSPF-EIGRP permit 10
 match ip address prefix-list OSPF-EIGRP-routes
!
Below shows the routing table on RT3:
RT3#sh ip route
Gateway of last resort is not set
23.0.0.0/24 is subnetted, 1 subnets
C 23.23.23.0 is directly connected, FastEthernet0/0
D EX 172.16.0.0/16 [170/284160] via 23.23.23.2, 00:01:29, FastEthernet0/0
172.19.0.0/16 is variably subnetted, 2 subnets, 2 masks
D EX 172.19.2.0/30 [170/284160] via 23.23.23.2, 00:00:04, FastEthernet0/0
D EX 172.19.1.0/28 [170/284160] via 23.23.23.2, 00:00:04, FastEthernet0/0
172.18.0.0/24 is subnetted, 1 subnets
D EX 172.18.1.0 [170/284160] via 23.23.23.2, 00:00:24, FastEthernet0/0
D EX 10.0.0.0/8 [170/284160] via 23.23.23.2, 00:04:52, FastEthernet0/0
12.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
D EX 12.11.0.0/16 [170/284160] via 23.23.23.2, 00:03:06, FastEthernet0/0
D EX 12.12.12.0/24 [170/284160] via 23.23.23.2, 00:03:06, FastEthernet0/0
D EX 12.13.14.0/24 [170/284160] via 23.23.23.2, 00:03:06, FastEthernet0/0
13.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D EX 13.12.0.0/16 [170/284160] via 23.23.23.2, 00:02:35, FastEthernet0/0
D EX 13.14.15.0/24 [170/284160] via 23.23.23.2, 00:02:35, FastEthernet0/0
RT3#
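To check a prefix list before it is deployed, the ge / le rules described earlier can be evaluated offline. The following Python sketch is an added example, not part of the original page and not Cisco code; it parses the page's pl-test and OSPF-EIGRP-routes entries, and the rejected candidates are constructed for illustration. Function names are hypothetical.

```python
import ipaddress
import re

ENTRY_RE = re.compile(
    r"ip prefix-list (?P<name>\S+)(?: seq (?P<seq>\d+))? (?P<action>permit|deny) "
    r"(?P<prefix>\S+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)

# Entries copied from the page.
PL_TEST = "ip prefix-list pl-test permit 172.16.1.0/24 ge 25 le 30"
OSPF_EIGRP_ROUTES = """
ip prefix-list OSPF-EIGRP-routes seq 5 permit 10.0.0.0/8
ip prefix-list OSPF-EIGRP-routes seq 10 permit 11.0.0.0/8 ge 9
ip prefix-list OSPF-EIGRP-routes seq 15 permit 12.0.0.0/8 ge 9
ip prefix-list OSPF-EIGRP-routes seq 20 permit 13.0.0.0/8 ge 9 le 24
ip prefix-list OSPF-EIGRP-routes seq 25 permit 172.16.0.0/16
ip prefix-list OSPF-EIGRP-routes seq 30 permit 172.17.0.0/16 ge 24
ip prefix-list OSPF-EIGRP-routes seq 35 permit 172.18.0.0/16 ge 24
ip prefix-list OSPF-EIGRP-routes seq 40 permit 172.19.0.0/16 ge 24 le 30
"""

# Prefixes RT3 shows as D EX in the routing table above.
RT3_LEARNED = [
    "172.16.0.0/16", "172.19.2.0/30", "172.19.1.0/28", "172.18.1.0/24",
    "10.0.0.0/8", "12.11.0.0/16", "12.12.12.0/24", "12.13.14.0/24",
    "13.12.0.0/16", "13.14.15.0/24",
]

# Constructed candidates (not on the page), each chosen to miss every entry.
CONSTRUCTED_REJECTS = [
    "12.0.0.0/8",      # "12.0.0.0/8 ge 9" excludes the /8 itself
    "13.1.1.1/32",     # "13.0.0.0/8 ge 9 le 24" stops at /24
    "172.16.1.0/24",   # "172.16.0.0/16" is an exact match only
    "172.17.0.0/16",   # "172.17.0.0/16 ge 24" needs /24 or longer
    "192.168.1.0/24",  # no entry at all: implicit deny
]


def parse_prefix_list(config):
    """Parse 'ip prefix-list' lines into (seq, action, network, min_len, max_len)."""
    entries, next_seq = [], 5          # default first sequence number is 5
    for line in config.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        # strict=False normalises host bits: 10.11.12.0/8 -> 10.0.0.0/8
        net = ipaddress.ip_network(m["prefix"], strict=False)
        ge = int(m["ge"]) if m["ge"] else None
        le = int(m["le"]) if m["le"] else None
        if ge is None and le is None:
            lo = hi = net.prefixlen                    # exact length only
        else:
            lo = ge if ge is not None else net.prefixlen
            hi = le if le is not None else 32
        seq = int(m["seq"]) if m["seq"] else next_seq
        next_seq = seq + 5                             # later entries step by 5
        entries.append((seq, m["action"], net, lo, hi))
    return sorted(entries, key=lambda e: e[0])


def evaluate(entries, route):
    """Return (action, seq) of the first matching entry, else the implicit deny."""
    r = ipaddress.ip_network(route)
    for seq, action, net, lo, hi in entries:
        if r.network_address in net and lo <= r.prefixlen <= hi:
            return action, seq
    return "deny", None


def matched_subnet_counts(entries, parent):
    """Count permitted subnets of `parent` per prefix length (parent length to /32)."""
    parent = ipaddress.ip_network(parent)
    counts = {}
    for length in range(parent.prefixlen, 33):
        n = sum(1 for sub in parent.subnets(new_prefix=length)
                if evaluate(entries, str(sub))[0] == "permit")
        if n:
            counts[length] = n
    return counts


if __name__ == "__main__":
    redist = parse_prefix_list(OSPF_EIGRP_ROUTES)
    for route in RT3_LEARNED + CONSTRUCTED_REJECTS:
        print(f"{route:18} {evaluate(redist, route)}")
    print(matched_subnet_counts(parse_prefix_list(PL_TEST), "172.16.1.0/24"))
```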
Route Filtering using Route Maps
The sample network above demonstrates the flexibility of filtering redistributed routes using route maps. Only certain prefixes are being redistributed from EIGRP to OSPF, and vice versa.
The route maps simply need to have route map statements with deny and permit actions to match the routes to be filtered and the routes not to be filtered, respectively.
There are 2 different approaches to perform the mentioned task:
Approach #1: Begin with a match of the routes to be filtered using extended IP ACLs or IP prefix lists, with a deny action for the routes to be filtered, followed by a permit statement with no match command at all, which matches and allows all remaining routes.
Approach #2: Begin with a match of the routes to be allowed using extended IP ACLs or IP prefix lists, with a permit action for the routes to be allowed, and then rely on the implicit deny all at the end of the route map to filter unwanted routes.
Below shows the configuration on RT2. It uses approach #1 to filter routes from EIGRP to OSPF, and approach #2 to filter routes from OSPF to EIGRP.
!
! Filtering redistributed routes from EIGRP to OSPF (Approach #1):
!
ip access-list extended match-192.168.1.0_24
 permit ip host 192.168.1.0 host 255.255.255.0
!
ip access-list extended match-192.168.4.0_27*192.168.5.0_28
 permit ip host 192.168.4.0 host 255.255.255.224
 permit ip host 192.168.5.0 host 255.255.255.240
!
route-map redist-eigrp*ospf deny 10
 match ip address match-192.168.1.0_24
!
route-map redist-eigrp*ospf deny 20
 match ip address match-192.168.4.0_27*192.168.5.0_28
!
route-map redist-eigrp*ospf permit 100
!
router ospf 100
 redistribute eigrp 100 subnets route-map redist-eigrp*ospf
!
! ======================================================================
! Filtering redistributed routes from OSPF to EIGRP (Approach #2):
!
ip prefix-list match-ospf-routes seq 5 permit 172.16.2.0/23 ge 25 le 26
ip prefix-list match-ospf-routes seq 10 permit 172.16.6.0/23 ge 29 le 30
!
route-map redist-ospf*eigrp permit 10
 match ip address prefix-list match-ospf-routes
!
router eigrp 100
 redistribute ospf 100 metric 2000 200 255 1 1500 route-map redist-ospf*eigrp
!
Below shows 2 alternative configurations for Approach #1 to filter routes from EIGRP to OSPF.
!
! Approach #1 - Alternative #1:
!
ip access-list extended match-192.168.1.0_24
 permit ip 192.168.1.0 0.0.0.255 host 255.255.255.0
!
ip access-list extended match-192.168.4.0_27*192.168.5.0_28
 permit ip 192.168.4.0 0.0.0.31 host 255.255.255.224
 permit ip 192.168.5.0 0.0.0.15 host 255.255.255.240
!
route-map redist-eigrp*ospf deny 10
 match ip address match-192.168.1.0_24 match-192.168.4.0_27*192.168.5.0_28
!
route-map redist-eigrp*ospf permit 100
!
router ospf 100
 redistribute eigrp 100 subnets route-map redist-eigrp*ospf
!
! ======================================================================
! Approach #1 - Alternative #2:
!
ip prefix-list match-eigrp-routes seq 5 permit 192.168.1.0/24
ip prefix-list match-eigrp-routes seq 10 permit 192.168.4.0/23 ge 27 le 28
!
route-map redist-eigrp*ospf deny 10
 match ip address prefix-list match-eigrp-routes
!
route-map redist-eigrp*ospf permit 100
!
router ospf 100
 redistribute eigrp 100 subnets route-map redist-eigrp*ospf
!
Routing tables on RT1 and RT3 after implementing the redistribution configuration on RT2:
RT1#sh ip route
Gateway of last resort is not set
12.0.0.0/24 is subnetted, 1 subnets
C 12.12.12.0 is directly connected, FastEthernet0/0
172.16.0.0/16 is variably subnetted, 4 subnets, 4 masks
D EX 172.16.2.0/25 [170/1333760] via 12.12.12.2, 00:00:30, FastEthernet0/0
D EX 172.16.3.0/26 [170/1333760] via 12.12.12.2, 00:00:30, FastEthernet0/0
D EX 172.16.6.0/29 [170/1333760] via 12.12.12.2, 00:00:30, FastEthernet0/0
D EX 172.16.7.0/30 [170/1333760] via 12.12.12.2, 00:00:30, FastEthernet0/0
C 192.168.1.0/24 is directly connected, Loopback1
192.168.2.0/25 is subnetted, 1 subnets
C 192.168.2.0 is directly connected, Loopback2
192.168.3.0/26 is subnetted, 1 subnets
C 192.168.3.0 is directly connected, Loopback3
192.168.4.0/27 is subnetted, 1 subnets
C 192.168.4.0 is directly connected, Loopback4
192.168.5.0/28 is subnetted, 1 subnets
C 192.168.5.0 is directly connected, Loopback5
192.168.6.0/29 is subnetted, 1 subnets
C 192.168.6.0 is directly connected, Loopback6
192.168.7.0/30 is subnetted, 1 subnets
C 192.168.7.0 is directly connected, Loopback7
RT1#
======================================================================
RT3#sh ip route
Gateway of last resort is not set
12.0.0.0/24 is subnetted, 1 subnets
O E2 12.12.12.0 [110/20] via 23.23.23.2, 00:00:35, FastEthernet0/0
23.0.0.0/24 is subnetted, 1 subnets
C 23.23.23.0 is directly connected, FastEthernet0/0
172.16.0.0/16 is variably subnetted, 7 subnets, 7 masks
C 172.16.1.0/24 is directly connected, Loopback1
C 172.16.2.0/25 is directly connected, Loopback2
C 172.16.3.0/26 is directly connected, Loopback3
C 172.16.4.0/27 is directly connected, Loopback4
C 172.16.5.0/28 is directly connected, Loopback5
C 172.16.6.0/29 is directly connected, Loopback6
C 172.16.7.0/30 is directly connected, Loopback7
192.168.2.0/25 is subnetted, 1 subnets
O E2 192.168.2.0 [110/20] via 23.23.23.2, 00:00:35, FastEthernet0/0
192.168.3.0/26 is subnetted, 1 subnets
O E2 192.168.3.0 [110/20] via 23.23.23.2, 00:00:35, FastEthernet0/0
192.168.6.0/29 is subnetted, 1 subnets
O E2 192.168.6.0 [110/20] via 23.23.23.2, 00:00:35, FastEthernet0/0
192.168.7.0/30 is subnetted, 1 subnets
O E2 192.168.7.0 [110/20] via 23.23.23.2, 00:00:35, FastEthernet0/0
Route Tagging For Two-way / Mutual Redistribution
The network setup above is revisited to implement route tagging upon mutual redistribution. The EIGRP and OSPF routing processes on RT2 and RT3 can then perform route filtering upon mutual redistribution.
A route tag follows the route advertisement, even through another redistribution process. Other route maps can match routes with a route tag to make a route filtering decision.
With the configuration above, RT2 and RT3 are able to identify OSPF and EIGRP external routes with tags of 1 and 2 respectively. RT2 and RT3 will filter OSPF and EIGRP external routes that are advertised back into the original routing domains using route map statements with the deny action.
Set tags when redistributing; deny tagged routes at the redistribution points.
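The route map evaluation rules described earlier (OR inside one match clause, AND across clauses, first matching statement wins, implicit deny) and the tag-based loop prevention above can be traced with a small model. This Python sketch is an added example, not the page's configuration: the tagging configuration itself is not reproduced on the page, so the two route maps assume that redistribution into OSPF sets tag 1 and redistribution into EIGRP sets tag 2, and the DEMO01 conditions and set values are constructed stand-ins for a to h.

```python
from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class Route:
    prefix: str
    tag: int = 0
    route_type: str = "internal"
    metric: int = 0


@dataclass
class Statement:
    seq: int
    action: str                                   # "permit" or "deny"
    matches: list = field(default_factory=list)   # clauses; each clause is a list of conditions
    sets: dict = field(default_factory=dict)      # attribute -> new value


def match_tag(*tags):
    """One 'match tag t1 t2 ...' clause: any listed tag satisfies it (OR)."""
    return [lambda r, t=t: r.tag == t for t in tags]


def match_route_type(*types):
    """One 'match route-type ...' clause."""
    return [lambda r, t=t: r.route_type == t for t in types]


def apply_route_map(statements, route):
    """Return the (possibly modified) route if permitted, or None if filtered.

    Statements are tried in sequence-number order. A statement matches when
    every clause has at least one true condition; a statement with no match
    clause matches everything. Set actions apply only on permit. If nothing
    matches, the implicit deny at the end of the route map filters the route.
    """
    for st in sorted(statements, key=lambda s: s.seq):
        if all(any(cond(route) for cond in clause) for clause in st.matches):
            return replace(route, **st.sets) if st.action == "permit" else None
    return None


# Shape of "if ((a or b or c) and d) set e and f else if (g) set h else set nothing".
# The final "else" is modelled as an empty permit statement (assumption).
DEMO01 = [
    Statement(10, "permit", [match_tag(10, 20, 30), match_route_type("external")],
              {"metric": 500, "tag": 99}),
    Statement(20, "permit", [match_tag(40)], {"metric": 100}),
    Statement(30, "permit"),
]

# Assumed tagging policy at each redistribution point (RT2 and RT3).
EIGRP_TO_OSPF = [Statement(10, "deny", [match_tag(2)]),       # came from OSPF already
                 Statement(20, "permit", sets={"tag": 1})]
OSPF_TO_EIGRP = [Statement(10, "deny", [match_tag(1)]),       # came from EIGRP already
                 Statement(20, "permit", sets={"tag": 2})]


def round_trip(route, first_map, second_map):
    """Redistribute through one point, then try to redistribute back at the other."""
    first = apply_route_map(first_map, route)
    second = apply_route_map(second_map, first) if first is not None else None
    return first, second


if __name__ == "__main__":
    print(round_trip(Route("172.16.0.0/16"), OSPF_TO_EIGRP, EIGRP_TO_OSPF))
    print(round_trip(Route("192.168.0.0/24"), EIGRP_TO_OSPF, OSPF_TO_EIGRP))
    print(apply_route_map(DEMO01, Route("10.1.1.0/24", tag=20, route_type="external")))
```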
Route selection is sometimes confusing due to route redistribution. Controlling administrative distance is an important and effective method to indicate the preference upon route selection. Change the default administrative distance values only after careful planning and after considering the specific requirements of the network design and setup.
The distance {ad-weight} [adv-router wildcard-mask [acl-num | acl-name]] [ip] router subcommand defines administrative distances for all routing protocols except EIGRP and BGP. The optional adv-router wildcard-mask pair matches routes according to the IP address(es) of the advertising router(s) that supply the routing information. Use the address / mask of 0.0.0.0 255.255.255.255 to match any advertising router supplying the routing information. An optional access list can also be referenced to match the specific routes from any matched neighbors to use the specified administrative distance – Prefix-Based Administrative Distance.
Note: The ip keyword specifies IP-derived routes for Integrated IS-IS.
The distance eigrp {internal-distance external-distance} EIGRP router subcommand defines the administrative distances for EIGRP internal and external routes respectively.
The distance ospf {external dist1 | inter-area dist2 | intra-area dist3} OSPF router subcommand defines the administrative distances of OSPF routes based on the route type. This command performs the same function as the distance command used with an access list. However, this command provides the capability to set an administrative distance for an entire group of routes, rather than specific routes that are matched by an access list. A common usage of this command is when implementing OSPF processes with mutual redistribution, which is often required to prefer internal routes from a process over external routes from another process.
Route Filtering using Administrative Distance
The routes are being redistributed with metric values higher than the native metrics for routes in both routing domains in order to protect against suboptimal routing.
The output below shows that suboptimal routing occurs on RT3 because the RIPv2 routes redistributed into OSPF as E2 routes have a lower administrative distance and are preferred over the RIPv2 routes.
RT3#sh ip route
Gateway of last resort is not set
35.0.0.0/24 is subnetted, 1 subnets
C 35.35.35.0 is directly connected, Serial1/0
24.0.0.0/24 is subnetted, 1 subnets
O E2 24.24.24.0 [110/100] via 123.123.123.2, 00:00:10, FastEthernet0/0
123.0.0.0/24 is subnetted, 1 subnets
C 123.123.123.0 is directly connected, FastEthernet0/0
O E2 192.168.1.0/24 [110/100] via 123.123.123.2, 00:00:10, FastEthernet0/0
O E2 192.168.2.0/24 [110/100] via 123.123.123.2, 00:00:10, FastEthernet0/0
45.0.0.0/24 is subnetted, 1 subnets
O E2 45.45.45.0 [110/100] via 123.123.123.2, 00:00:10, FastEthernet0/0
RT3#
Note: OSPF has an administrative distance of 110; RIPv2 has an administrative distance of 120.
The redistribution configuration on RT2 has resulted in suboptimal routing to many destinations. RT3 takes the longer (worse) OSPF paths than the more direct RIPv2 paths to those networks.
The configuration below implements the solution on RT3 by changing the administrative distance for redistributed RIPv2 routes (OSPF external routes) advertised by RT2. When RT3 learns about the networks that are matched by the access list from both RIPv2 and OSPF, it selects the routes learned from RIPv2:
RT3#debug ip routing
IP routing debugging is on
RT3#
RT3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
RT3(config)#access-list 1 permit 24.24.24.0
RT3(config)#access-list 1 permit 45.45.45.0
RT3(config)#access-list 1 permit 192.168.1.0
RT3(config)#access-list 1 permit 192.168.2.0
RT3(config)#
RT3(config)#router ospf 100
RT3(config-router)#distance 125 0.0.0.0 255.255.255.255 1
RT3(config-router)#end
RT3#
00:03:56: RT: closer admin distance for 24.24.24.0, flushing 1 routes
00:03:56: RT: add 24.24.24.0/24 via 35.35.35.5, rip metric [120/2]
00:03:56: RT: closer admin distance for 45.45.45.0, flushing 1 routes
00:03:56: RT: add 45.45.45.0/24 via 35.35.35.5, rip metric [120/1]
00:03:56: RT: closer admin distance for 192.168.1.0, flushing 1 routes
00:03:56: RT: add 192.168.1.0/24 via 35.35.35.5, rip metric [120/2]
00:03:56: RT: closer admin distance for 192.168.2.0, flushing 1 routes
00:03:56: RT: add 192.168.2.0/24 via 35.35.35.5, rip metric [120/1]
RT3#
RT3#sh access-list
Standard IP access list 1
    permit 24.24.24.0 (1 match)
    permit 45.45.45.0 (1 match)
    permit 192.168.1.0 (1 match)
    permit 192.168.2.0 (1 match)
RT3#
RT3#sh ip route
Gateway of last resort is not set
35.0.0.0/24 is subnetted, 1 subnets
C 35.35.35.0 is directly connected, Serial1/0
24.0.0.0/24 is subnetted, 1 subnets
R 24.24.24.0 [120/2] via 35.35.35.5, 00:00:12, Serial1/0
123.0.0.0/24 is subnetted, 1 subnets
C 123.123.123.0 is directly connected, FastEthernet0/0
R 192.168.1.0/24 [120/2] via 35.35.35.5, 00:00:12, Serial1/0
R 192.168.2.0/24 [120/1] via 35.35.35.5, 00:00:12, Serial1/0
45.0.0.0/24 is subnetted, 1 subnets
R 45.45.45.0 [120/1] via 35.35.35.5, 00:00:12, Serial1/0
RT3#
Basically, RT3 assigns an administrative distance of 125 to redistributed routes that are matched by access list 1. Note that the distance command is implemented under the OSPF process, as the administrative distance should be changed for routes that are learned via OSPF, not RIPv2.
The main advantage of using administrative distance to control route preference is that no path information is lost – the OSPF information still resides in the OSPF LSDB. When the primary path to RIPv2 networks (the RT3 – RT5 link) fails, the OSPF routes reassert themselves, and RT3 resumes connectivity with those RIPv2 networks through RT2.
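The difference between raising the administrative distance and filtering the routes outright can be seen by modelling RT3's route selection. The following Python sketch is an added example, not from the original page; the candidate routes, metrics and next hops are taken from RT3's outputs above, while the function names and the filtering variant used for comparison are assumptions.

```python
DEFAULT_AD = {"ospf": 110, "rip": 120}

# (prefix, protocol, metric, next hop) as seen in RT3's routing tables on the page.
CANDIDATES = [
    ("24.24.24.0/24", "ospf", 100, "123.123.123.2"),
    ("24.24.24.0/24", "rip", 2, "35.35.35.5"),
    ("45.45.45.0/24", "ospf", 100, "123.123.123.2"),
    ("45.45.45.0/24", "rip", 1, "35.35.35.5"),
    ("192.168.1.0/24", "ospf", 100, "123.123.123.2"),
    ("192.168.1.0/24", "rip", 2, "35.35.35.5"),
    ("192.168.2.0/24", "ospf", 100, "123.123.123.2"),
    ("192.168.2.0/24", "rip", 1, "35.35.35.5"),
]

# access-list 1 on RT3: four host-style permits (no wildcard given).
ACL1 = {"24.24.24.0", "45.45.45.0", "192.168.1.0", "192.168.2.0"}

# "distance 125 0.0.0.0 255.255.255.255 1" under router ospf 100:
# any advertising router, routes matched by access list 1.
RT3_DISTANCE = ("ospf", 125, ACL1)


def admin_distance(prefix, protocol, overrides):
    """Administrative distance for one candidate, honouring 'distance' overrides."""
    network = prefix.split("/")[0]
    for proto, ad, acl in overrides:
        if proto == protocol and network in acl:
            return ad
    return DEFAULT_AD[protocol]


def build_rib(candidates, overrides=()):
    """Pick, per prefix, the candidate with the lowest administrative distance."""
    rib = {}
    for prefix, proto, metric, next_hop in candidates:
        ad = admin_distance(prefix, proto, overrides)
        best = rib.get(prefix)
        if best is None or ad < best["ad"]:
            rib[prefix] = {"proto": proto, "ad": ad, "metric": metric, "via": next_hop}
    return rib


def after_rip_failure(candidates, overrides=(), filter_ospf=False):
    """RIB once the RIPv2 path is gone.

    filter_ospf=True models the alternative of filtering the OSPF copies of the
    ACL 1 networks instead of raising their distance (comparison case, assumed).
    """
    remaining = [c for c in candidates if c[1] != "rip"]
    if filter_ospf:
        remaining = [c for c in remaining
                     if not (c[1] == "ospf" and c[0].split("/")[0] in ACL1)]
    return build_rib(remaining, overrides)


if __name__ == "__main__":
    print("default     :", build_rib(CANDIDATES)["24.24.24.0/24"])
    print("distance 125:", build_rib(CANDIDATES, [RT3_DISTANCE])["24.24.24.0/24"])
    print("RIP down    :", after_rip_failure(CANDIDATES, [RT3_DISTANCE])["24.24.24.0/24"])
    print("RIP down, OSPF filtered:", after_rip_failure(CANDIDATES, filter_ospf=True))
```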
In conclusion, it is important to know the network design and setup thoroughly prior to implementing redistribution, and to closely monitor the redistributed routes, particularly on networks with redundant paths, as routers are more likely to select suboptimal paths.