This post goes into detail on using route-maps for route filtering. The previous post showed how to use a distribute-list and a prefix-list to filter the routes that are advertised to other routers. For me, route-maps are more widely used for other applications, such as route selection or QoS, than for route filtering, but I would like to explore how route-maps can be used for route filtering as well.

I will be using the same Laboratory topology as my last Prefix-list post (Part 3).


My Laboratory Objectives:

1. Create an outbound filter on the Singapore router using route-maps so that the IP subnets 172.16.0.0/20 and 172.16.68.0/28 are filtered out and not advertised to Melbourne.

2. The IP subnets 172.16.64.0/24 through 172.16.67.0/24 should be allowed and advertised to Melbourne. No other network address should be advertised except for these 4 subnets.

Here are my configurations:

Manila#sh run | sec eigrp
router eigrp 100
 distribute-list prefix FILTERME in
 network 0.0.0.0

Manila#


Melbourne#sh run | sec eigrp
router eigrp 100
 network 0.0.0.0

Melbourne#


Singapore#sh ip prefix-list
ip prefix-list FILTER-MANILA-NEW: 6 entries
   seq 10 permit 172.16.0.0/16 le 20
   seq 20 deny 172.16.68.0/24 le 27
   seq 30 permit 172.16.64.0/24
   seq 40 permit 172.16.65.0/24
   seq 50 permit 172.16.66.0/24
   seq 60 permit 172.16.67.0/24
 


Singapore#sh run | sec eigrp
router eigrp 100
 distribute-list prefix FILTER-MANILA-NEW out Serial2/1
 network 0.0.0.0

Singapore#



Okay, so here is the approach for this kind of scenario:

a. I will delete the existing prefix-list on Singapore and the distribute-list under EIGRP.
b. I will create an extended access-list to deny 172.16.0.0/20 and 172.16.68.0/28. I will name the ACL MANILA-DENY.
c. I will create another extended access-list to permit the IP subnets 172.16.64.0/24 through 172.16.67.0/24 and name it MANILA-PERMIT.
d. I will create a route-map named MANILA-RM, match the two ACLs I have created, and set the next-hop address to the IP address of Singapore's link towards the Melbourne router.
e. I will create a distribute-list with the route-map I have created.

That’s it!

So now, let’s follow the steps outlined above.

Singapore(config)#no ip prefix-list FILTER-MANILA-NEW

Singapore(config)#router eigrp 100
Singapore(config-router)#no distribute-list prefix FILTER-MANILA-NEW out Serial2/1

Singapore(config)#ip access-list extended MANILA-DENY
Singapore(config-ext-nacl)#10 deny ip 172.16.0.0 0.0.240.255 any
Singapore(config-ext-nacl)#20 deny ip 172.16.68.0 0.0.0.240 any
Singapore(config-ext-nacl)#exit

Singapore(config)#ip access-list extended MANILA-PERMIT
Singapore(config-ext-nacl)#10 permit ip 172.16.64.0 0.0.0.255 any
Singapore(config-ext-nacl)#20 permit ip 172.16.65.0 0.0.0.255 any
Singapore(config-ext-nacl)#30 permit ip 172.16.66.0 0.0.0.255 any
Singapore(config-ext-nacl)#40 permit ip 172.16.67.0 0.0.0.255 any


Here is what my extended ACLs look like:

Singapore#sh ip access-lists
Extended IP access list MANILA-DENY
    10 deny ip 172.16.0.0 0.0.240.255 any
    20 deny ip 172.16.68.0 0.0.0.240 any

Extended IP access list MANILA-PERMIT
    10 permit ip 172.16.64.0 0.0.0.255 any
    20 permit ip 172.16.65.0 0.0.0.255 any
    30 permit ip 172.16.66.0 0.0.0.255 any
    40 permit ip 172.16.67.0 0.0.0.255 any

Now, let me create the route-map on the Singapore router:

Singapore(config)#route-map MANILA-RM 10  <<< I have created a route-map named MANILA-RM with sequence 10
Singapore(config-route-map)#match ip address MANILA-DENY MANILA-PERMIT   <<< I have matched the two extended ACLs
Singapore(config-route-map)#set ip next-hop 192.168.23.2  <<< I want my route-map to exit the interface Serial 2/1 (192.168.23.2)
Singapore(config-route-map)#^Z

Here is what my route-map looks like:

Singapore#show route-map
route-map MANILA-RM, permit, sequence 10
  Match clauses:
    ip address (access-lists): MANILA-DENY MANILA-PERMIT

  Set clauses:
    ip next-hop 192.168.23.2

  Policy routing matches: 0 packets, 0 bytes



Before I apply the route-map, I want to make sure that Melbourne has all the routes advertised by the Manila router.


Melbourne#show ip route eigrp
!
Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 12 subnets, 3 masks
D        172.16.0.0/20 [90/2809856] via 192.168.23.2, 00:20:32, Serial2/1
D        172.16.16.0/20 [90/2809856] via 192.168.23.2, 00:20:32, Serial2/1
D        172.16.32.0/20 [90/2809856] via 192.168.23.2, 00:20:32, Serial2/1
D        172.16.48.0/20 [90/2809856] via 192.168.23.2, 00:20:32, Serial2/1
D        172.16.64.0/24 [90/2809856] via 192.168.23.2, 01:14:55, Serial2/1
D        172.16.65.0/24 [90/2809856] via 192.168.23.2, 01:14:55, Serial2/1
D        172.16.66.0/24 [90/2809856] via 192.168.23.2, 01:14:55, Serial2/1
D        172.16.67.0/24 [90/2809856] via 192.168.23.2, 01:14:55, Serial2/1
D        172.16.68.0/28 [90/2809856] via 192.168.23.2, 00:20:32, Serial2/1
D        172.16.68.16/28 [90/2809856] via 192.168.23.2, 00:20:32, Serial2/1
D        172.16.68.32/28 [90/2809856] via 192.168.23.2, 00:20:32, Serial2/1
D        172.16.68.48/28 [90/2809856] via 192.168.23.2, 00:20:32, Serial2/1
D     192.168.12.0/24 [90/2681856] via 192.168.23.2, 00:20:32, Serial2/1
Melbourne#

Now, let’s apply the policy under the EIGRP process:

Singapore(config)#router eigrp 100

Singapore(config-router)#distribute-list ?
        IP access list number
    IP expanded access list number
  WORD         Access-list name
  gateway      Filtering incoming address updates based on gateway
  prefix       Filter prefixes in address updates
  route-map    Filter prefixes based on the route-map

 

The distribute-list command is very useful because it gives us several options to filter routes, e.g. prefix, access-list, gateway and now route-maps.

Singapore(config-router)#distribute-list route-map MANILA-RM out serial 2/1  <<< This statement tells Singapore to apply the contents of route-map MANILA-RM outbound on its serial link towards the Melbourne router.
Singapore(config-router)#


Singapore(config-router)#
*Aug  9 14:43:45.427: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.23.3 (Serial2/1) is resync: intf route configuration changed
Singapore(config-router)#




Now, let’s check the routing table of Melbourne. This is great, right? My filtering works fine. I have only the MANILA-PERMIT IP subnets on my Melbourne router.

Melbourne#show ip route eigrp
!

Gateway of last resort is not set

      172.16.0.0/24 is subnetted, 4 subnets
D        172.16.64.0 [90/2809856] via 192.168.23.2, 01:20:20, Serial2/1
D        172.16.65.0 [90/2809856] via 192.168.23.2, 01:20:20, Serial2/1
D        172.16.66.0 [90/2809856] via 192.168.23.2, 01:20:20, Serial2/1
D        172.16.67.0 [90/2809856] via 192.168.23.2, 01:20:20, Serial2/1

Melbourne#
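
The filtering result above can be checked offline before touching a router. The Python model below is an added example, not part of the original lab: it evaluates the two ACLs and the single route-map clause exactly as configured on this page against the routes Melbourne held before filtering. It assumes the ACL source field is compared with the route's network address, that `any` matches every mask, and that `match ip address` with several ACLs matches when any of them permits the route; the function names are hypothetical.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base, wildcard):
    # IOS wildcard mask: 1 bits are "don't care", 0 bits must equal the base address
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(addr) & care) == (ip(base) & care)

# ACL entries copied from "sh ip access-lists" on this page: (action, address, wildcard)
ACLS = {
    "MANILA-DENY": [("deny", "172.16.0.0", "0.0.240.255"),
                    ("deny", "172.16.68.0", "0.0.0.240")],
    "MANILA-PERMIT": [("permit", "172.16.64.0", "0.0.0.255"),
                      ("permit", "172.16.65.0", "0.0.0.255"),
                      ("permit", "172.16.66.0", "0.0.0.255"),
                      ("permit", "172.16.67.0", "0.0.0.255")],
}

# Routes from Melbourne's first "show ip route eigrp" on this page
ROUTES = ["172.16.0.0/20", "172.16.16.0/20", "172.16.32.0/20", "172.16.48.0/20",
          "172.16.64.0/24", "172.16.65.0/24", "172.16.66.0/24", "172.16.67.0/24",
          "172.16.68.0/28", "172.16.68.16/28", "172.16.68.32/28", "172.16.68.48/28",
          "192.168.12.0/24"]

def acl_first_hit(acl, route):
    """First-match lookup on the route's network address; no hit is the implicit deny."""
    net = route.split("/")[0]
    for action, base, wildcard in ACLS[acl]:
        if wildcard_match(net, base, wildcard):
            return action
    return "implicit-deny"

def advertised(routes, match_acls):
    """One 'permit' route-map clause: a route passes if any listed ACL permits it.
    Routes matching no clause fall to the route-map's implicit deny."""
    return [r for r in routes
            if any(acl_first_hit(a, r) == "permit" for a in match_acls)]

def explicit_deny_hits(routes):
    """Routes that hit an explicit deny line in MANILA-DENY."""
    return [r for r in routes if acl_first_hit("MANILA-DENY", r) == "deny"]

if __name__ == "__main__":
    print("both ACLs      :", advertised(ROUTES, ["MANILA-DENY", "MANILA-PERMIT"]))
    print("PERMIT only    :", advertised(ROUTES, ["MANILA-PERMIT"]))
    print("DENY line hits :", explicit_deny_hits(ROUTES))
```

In this model MANILA-DENY never produces a match by itself, because an ACL holding only deny entries permits nothing, so the four /24s are selected by MANILA-PERMIT and every other route is dropped by the route-map's implicit deny. It also shows that 0.0.240.255 is not the /20 wildcard 0.0.15.255: it hits 172.16.64.0 as well as the four /20 network addresses.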

*** This ends my Route-Filtering Lab Using Route-Maps*****
