Friday, April 4, 2014

EIGRP Route Filtering

Lessons Learned:

EIGRP Route Filtering:

EIGRP inbound route filtering

Distribute-list
--standard access list
--extended access-list
Source is route source, destination is prefix

Offset-List

Distance
-255=infinite 
-can be per neighbor 

route-map
-metric filter
-route tag filter 

--------------------------------  

Topology: (diagram not preserved)
Filtering in EIGRP is similar to RIP: we can use a standard or extended ACL to filter what we receive IN an interface or what we send OUT.

The extended ACL will not only match the route but the source of the route. 
We can see the source of a route the following way. 

R2#sh ip route 192.168.14.0 
Routing entry for 192.168.14.0/24
  Known via "eigrp 500", distance 90, metric 30720, type internal
  Redistributing via eigrp 500
  Last update from 192.168.24.4 on FastEthernet0/0, 00:06:45 ago

  Routing Descriptor Blocks:
    192.168.24.4, from 192.168.24.4, 00:06:45 ago, via FastEthernet0/0
      Route metric is 30720, traffic share count is 1
      Total delay is 200 microseconds, minimum bandwidth is 100000 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 1
  * 192.168.12.1, from 192.168.12.1, 00:06:45 ago, via FastEthernet0/1
      Route metric is 30720, traffic share count is 1
      Total delay is 200 microseconds, minimum bandwidth is 100000 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 1

Here we see the route 192.168.14.0 is learned from two neighbors:
from 192.168.24.4
from 192.168.12.1
These are the interface IP addresses of the neighbors we're learning the route from.
Whatever shows up in the FROM field of the output is going to be the ROUTE SOURCE.

As a filtering example, we can say we only want to learn the route from the first router listed in the output, 192.168.24.4.
To do this, on the router where we want to filter the routes, we need to create an extended ACL.

Example:
access-list 100 deny ip host 192.168.12.1 host 192.168.14.0
access-list 100 permit ip any any
!
This basically says deny the route source 192.168.12.1 from sending us the prefix for the network 192.168.14.0, then permit any any.

Then under the EIGRP process - 
R2(config-router)#distribute-list 100 in 

Note: after we apply the list, the neighbors resync and the routers recalculate the topology:
*Mar  1 00:43:38.463: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 500: Neighbor 192.168.12.1 (FastEthernet0/1) is resync: route configuration changed
*Mar  1 00:43:38.463: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 500: Neighbor 192.168.24.4 (FastEthernet0/0) is resync: route configuration changed
*Mar  1 00:43:38.467: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 500: Neighbor 192.168.23.3 (FastEthernet1/0) is resync: route configuration changed
R2#

We now see that we're only learning the route from 192.168.24.4 and not 192.168.12.1 any longer. 

R2#sh ip route 192.168.14.0
Routing entry for 192.168.14.0/24
  Known via "eigrp 500", distance 90, metric 30720, type internal
  Redistributing via eigrp 500
  Last update from 192.168.24.4 on FastEthernet0/0, 00:01:03 ago
  Routing Descriptor Blocks:
  * 192.168.24.4, from 192.168.24.4, 00:01:03 ago, via FastEthernet0/0
      Route metric is 30720, traffic share count is 1
      Total delay is 200 microseconds, minimum bandwidth is 100000 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 1

If we look at the access list we can see that we're filtering out the route. 
Extended IP access list 100
    10 deny ip host 192.168.12.1 host 192.168.14.0 (1 match)
    20 permit ip any any (8 matches)
Reminder: The ACL says Filter all traffic coming from 192.168.12.1 for prefix 192.168.14.0 
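To make the ROUTE SOURCE / prefix pairing concrete, here is an added example (not from the original post) that parses the "sh ip route" output shown above, treats the extended ACL as a distribute-list (source field = route source, destination field = prefix), and reports which route sources survive; the sample output and the ACL representation are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample in the shape of the "sh ip route 192.168.14.0" output above.
SHOW_IP_ROUTE = """\
Routing entry for 192.168.14.0/24
  Known via "eigrp 500", distance 90, metric 30720, type internal
  Last update from 192.168.24.4 on FastEthernet0/0, 00:06:45 ago
  Routing Descriptor Blocks:
    192.168.24.4, from 192.168.24.4, 00:06:45 ago, via FastEthernet0/0
      Route metric is 30720, traffic share count is 1
  * 192.168.12.1, from 192.168.12.1, 00:06:45 ago, via FastEthernet0/1
      Route metric is 30720, traffic share count is 1
"""

ENTRY_RE = re.compile(r"^Routing entry for (\S+)", re.M)
# One routing descriptor block per line: "[*] <next-hop>, from <route source>, ... via <interface>"
BLOCK_RE = re.compile(r"^\s*\*?\s*(\S+), from (\S+), .* via (\S+)$", re.M)


def parse_route_sources(output):
    """Return (prefix, [(next_hop, route_source, interface), ...]) from show ip route output."""
    prefix = ip_network(ENTRY_RE.search(output).group(1))
    blocks = [(ip_address(nh), ip_address(src), intf)
              for nh, src, intf in BLOCK_RE.findall(output)]
    return prefix, blocks


# access-list 100 as a list of (action, source match, destination match); None means "any".
# As a distribute-list, the source field is the ROUTE SOURCE and the destination is the prefix.
ACL_100 = [
    ("deny", ip_network("192.168.12.1/32"), ip_network("192.168.14.0/32")),  # host / host
    ("permit", None, None),                                                   # any any
]


def acl_permits(acl, route_source, prefix):
    """First matching ACE decides; an ACL with no match ends in an implicit deny."""
    for action, src, dst in acl:
        src_ok = src is None or route_source in src
        # Only the network address is compared: an ACL cannot see the prefix length/mask,
        # so 192.168.14.0/24 and 192.168.14.0/25 are treated the same.
        dst_ok = dst is None or prefix.network_address in dst
        if src_ok and dst_ok:
            return action == "permit"
    return False


def apply_distribute_list_in(output, acl):
    """Return the route sources that survive 'distribute-list <acl> in'."""
    prefix, blocks = parse_route_sources(output)
    return [str(src) for _, src, _ in blocks if acl_permits(acl, src, prefix)]
```

Running it on the sample leaves only 192.168.24.4 as a route source, and the same result holds if the prefix length is changed, which is the mask limitation noted below.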

Note: the limitation of this approach is that both the standard ACL and the extended ACL can match on the route but not on the prefix length or subnet mask.

The best implementation for filtering would be the Prefix-list because it is designed to match routing information. 

We can also use an "offset-list" to increase the route's metric, either to larger than the infinite value of 255 or to another value, so the route is not preferred.

Examples:
R2(config-router)#offset-list 0 in  ?
  <0-2147483647>  Offset
Note: 2147483647 is the maximum value; a route with this metric will never be installed in the routing table.
Note: using offset-list "0" means "all" networks.
After the offset-list number we can specify in or out and an interface, or just apply it globally to the process.

Another filter that ONLY EIGRP supports is filtering through a route-map applied directly through a distribute-list.

We can control which prefixes are redistributed / exchanged between other protocols by using a route-map, e.g. EIGRP to BGP, OSPF to EIGRP, etc.

However, with normal IGP implementations there's no way to apply the route-map to a neighbor or to the process itself. Filtering with route-maps is normally reserved for BGP, where you would apply it on a per-neighbor basis to control which prefixes we want to advertise to or receive from the neighbors, and also to modify attributes.

With EIGRP we can use this for a metric based filter or a filter based on route tag information. 

Example: 

From the topology, I'm going to create a new loopback on R4 (10.4.4.4/24) and advertise it into EIGRP. Then I'll assign a TAG value of "5" to that route. Then on R2 I'll deny the route based on the TAG value of 5.

R4(config-if)#ip address 10.4.4.4 255.255.255.0

router eigrp 500
 redistribute connected route-map TAG

Note: redistributing the connected route will account for the Loopback. 

route-map TAG permit 10
 set metric 1 1 1 1 1 (random metric value)
 set tag 5  (tag the route with a value of 5) 

So now if I look at the routing table on any other router in my topology, I should see the tag for the 10.4.4.4 route as "5".

R3#sh ip route 10.4.4.0
Routing entry for 10.4.4.0/24
  Known via "eigrp 500", distance 170, metric 2560002816
  Tag 5, type external       -- Shows as an external route with a tag of 5.
  Redistributing via eigrp 500
  Last update from 192.168.34.4 on FastEthernet0/1, 00:06:54 ago
  Routing Descriptor Blocks:
  * 192.168.34.4, from 192.168.34.4, 00:06:54 ago, via FastEthernet0/1
      Route metric is 2560002816, traffic share count is 1
      Total delay is 110 microseconds, minimum bandwidth is 1 Kbit
      Reliability 1/255, minimum MTU 1 bytes
      Loading 1/255, Hops 1
      Route tag 5

Now let's filter the route with another route-map on the upstream router R2.
First we need to verify that the route shows in the table as expected.

R2#sh ip route 10.4.4.0
Routing entry for 10.4.4.0/24
  Known via "eigrp 500", distance 170, metric 2560002816
  Tag 5, type external
  Redistributing via eigrp 500
  Last update from 192.168.24.4 on FastEthernet0/0, 00:13:41 ago
  Routing Descriptor Blocks:
  * 192.168.24.4, from 192.168.24.4, 00:13:41 ago, via FastEthernet0/0
      Route metric is 2560002816, traffic share count is 1
      Total delay is 110 microseconds, minimum bandwidth is 1 Kbit
      Reliability 1/255, minimum MTU 1 bytes
      Loading 1/255, Hops 1
      Route tag 5

route-map TAG_FILTER deny 10
 match tag 5
route-map TAG_FILTER permit 1000

Now, here's where EIGRP differs from other IGPs. To apply this on R2, under the EIGRP process we need to apply the route-map by way of a distribute-list.
Example:

R2(config)#router eigrp 500
R2(config-router)#distribute-list route-map TAG_FILTER in fastEthernet 0/0

*Mar  1 01:53:10.155: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 500: Neighbor 192.168.24.4 (FastEthernet0/0) is resync: route configuration changed

Routing entry for 10.4.4.0/24
  Known via "eigrp 500", distance 170, metric 2560005376
  Tag 5, type external
  Redistributing via eigrp 500
  Last update from 192.168.12.1 on FastEthernet0/1, 00:05:57 ago
  Routing Descriptor Blocks:
  * 192.168.23.3, from 192.168.23.3, 00:05:57 ago, via FastEthernet1/0
      Route metric is 2560005376, traffic share count is 1
      Total delay is 210 microseconds, minimum bandwidth is 1 Kbit
      Reliability 1/255, minimum MTU 1 bytes
      Loading 1/255, Hops 2
      Route tag 5
    192.168.12.1, from 192.168.12.1, 00:05:57 ago, via FastEthernet0/1
      Route metric is 2560005376, traffic share count is 1
      Total delay is 210 microseconds, minimum bandwidth is 1 Kbit
      Reliability 1/255, minimum MTU 1 bytes
      Loading 1/255, Hops 2
      Route tag 5

R2#

We now see the route is still learned, but because we filtered it based on the TAG value and called out the interface, we no longer see the route from the original source.
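The per-interface behaviour above (the tagged route is dropped only on the interface the distribute-list names, and still arrives via the other neighbors) modelled as an added example, not part of the original post; the route records are constructed to mirror R2's descriptor blocks, and the route-map evaluation order (lowest sequence first, implicit deny at the end) is the standard IOS semantics.

```python
# Constructed records in the shape of R2's routing descriptor blocks before the filter:
# the 10.4.4.0/24 external route arrives tagged 5 from three neighbours, plus an untagged route.
LEARNED = [
    {"prefix": "10.4.4.0/24", "from": "192.168.24.4", "via": "FastEthernet0/0", "tag": 5},
    {"prefix": "10.4.4.0/24", "from": "192.168.23.3", "via": "FastEthernet1/0", "tag": 5},
    {"prefix": "10.4.4.0/24", "from": "192.168.12.1", "via": "FastEthernet0/1", "tag": 5},
    {"prefix": "192.168.14.0/24", "from": "192.168.24.4", "via": "FastEthernet0/0", "tag": None},
]

# route-map TAG_FILTER from the page: seq 10 deny with "match tag 5", seq 1000 permit with no
# match statement (which matches everything). Clauses: (sequence, action, {match field: value}).
TAG_FILTER = [
    (10, "deny", {"tag": 5}),
    (1000, "permit", {}),
]


def route_map_permits(route_map, route):
    """Evaluate clauses in sequence order; the first clause whose match conditions all hold
    decides. No matching clause means implicit deny."""
    for _, action, conds in sorted(route_map, key=lambda c: c[0]):
        if all(route.get(k) == v for k, v in conds.items()):
            return action == "permit"
    return False


def distribute_list_route_map_in(routes, route_map, interface=None):
    """Model 'distribute-list route-map <name> in [interface]': with an interface given, only
    updates arriving on that interface are evaluated, everything else passes untouched."""
    kept = []
    for r in routes:
        if interface is not None and r["via"] != interface:
            kept.append(r)
        elif route_map_permits(route_map, r):
            kept.append(r)
    return kept


def sources_for(routes, prefix):
    """Route sources still present for a prefix, e.g. after the filter is applied."""
    return [r["from"] for r in routes if r["prefix"] == prefix]
```

Applied to FastEthernet0/0 only, 10.4.4.0/24 remains via 192.168.23.3 and 192.168.12.1 while the untagged 192.168.14.0/24 from the same neighbor is untouched; applied to the whole process, the tagged route disappears entirely.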
