CCNP ROUTE 300-101 Part 3.9 – Configure and Verify Filtering with any Protocol

Routing protocols were not designed to interoperate with one another, so each protocol collects different types of information and reacts to topology changes in its own way, resulting in routing update traffic that must be processed by each protocol separately in a different way.

For example, Routing Information Protocol (RIP) uses hop count as a metric, and OSPF uses link cost as a metric. These metrics are incompatible and routers exchanging routing information from these protocols must account for these differences.

Along with high CPU utilization, more memory resources are needed to maintain all the routing, topology, and database tables in the routers running multiple routing protocols.
Cisco routers allow internetworks using different routing protocols (routing domains or autonomous systems) to exchange routing information through a feature called route redistribution.

Route redistribution is the capability of boundary routers connecting different routing domains to exchange and advertise routing information between those routing domains.

 

Routing Protocol Performance Solutions

Controlling routing updates involves a variety of solutions, including the following:

  • Design Changes, such as limiting the number of routing protocols used.
  • Passive Interfaces, to prevent all updates from a routing protocol from being advertised out of an interface.
  • Route Filtering, to block only specific routes from being advertised, such as during redistribution.

 

The following possibilities can be configured to filter routes:

  • Access control lists (ACLs)
  • Route Maps
  • Distribute Lists
  • Prefix Lists

 

Access Control Lists

ACLs are usually associated with interfaces and are usually used to control user traffic (data plane traffic), rather than routing protocol traffic (control plane traffic).

However, routers can have many interfaces, and route information can also be obtained through route redistribution, which does not involve a specific interface. Access Lists do not affect traffic originated by the router, so applying one on an interface has no effect on outgoing routing advertisements (but could affect incoming advertisements).

 

Route Maps, Distribute Lists, or Prefix Lists

Using these instead of access lists for route filtering gives the administrator greater flexibility in determining just which routes will be permitted and which will be denied. Route filtering works by regulating the routes that are entered into or advertised out of the routing table.

Note: Filtering affects link state routing protocols differently than distance vector protocols. Distance Vector routers advertise and can filter routes from their routing tables. Link State routers send LSAs and put received information in their link-state database (LSDB), from which they calculate their routing table. Because OSPF routers within the same area must have the same LSDB, LSA filtering for OSPF can be done only between areas.

 

Filters can be configured to prevent updates through router interfaces, to control the advertising of routes in routing updates, or to control the processing of routing updates. If filters are not configured correctly or if filters are applied to wrong interfaces, network performance issues may occur.

Below is an example of the process on how Inbound Filtering is used to control Incoming Routing Update traffic:

1. A routing update arrives at a router’s interface from a neighboring router. The router stores the packet in the interface buffer and triggers the CPU to make a decision.

2. The router’s CPU checks if there is an incoming filter applied to this interface. If there is no filter, the routing update packet is processed normally.

3. If there is a filter, the router’s CPU checks whether there is an entry for the address in the routing update packet in the filter. If there is no entry, the routing update is dropped.

4. If the entry exists, the router’s CPU processes the routing update packet according to the filter configuration.

Incoming Route Filter Processing

 

Controlling Routing Update Traffic

To ensure that the network operates efficiently, you must control and tune routing updates. Information about networks must be sent where it is needed and filtered from where it is not needed. No one type of route filter is appropriate for every situation. The more techniques you have at your disposal, the better your chance of having a smooth, well-run network!

We briefly viewed the process of filtering in the data and control plane. We now focus on controlling the updates sent and received by dynamic routing protocols and controlling the routes redistributed into routing protocols. In many cases, you do not want to prevent all routing information from being advertised; you might want to block the advertisement of only certain routes. You could use such a solution to prevent routing loops when implementing two-way route redistribution with dual redistribution points.

The following are some ways to control or prevent dynamic routing updates from being generated:

  • Passive Interface— A passive interface prevents routing updates for the specified protocol from being sent through an interface.
  • Default Routes— A default route instructs the router that if it does not have a route for a given destination, it should send the packet to the default route. Therefore, no dynamic routing updates about the remote destinations are necessary.
  • Static Routes— A static route allows routes to remote destinations to be manually configured on the router. Therefore, no dynamic routing updates about the remote destinations are necessary.
  • Route Maps— Route maps are complex access lists that allow conditions to be tested against a packet or route, and then actions taken to modify attributes of the packet or route.
  • Distribute Lists— A distribute list allows an access list to be applied to routing updates.
  • Prefix Lists— A prefix list is a specialized access list designed to filter routes. Works best in conjunction with Distribute Lists.

 

Note: I made a previous post on Passive Interfaces and Static & Default Routes, so I’m not going to cover it here.

 

Route Maps

Route maps provide a technique to manipulate and control routing protocol updates. Route maps may be used for a variety of purposes. We are now exploring the use of route maps as a tool to filter and manipulate routing updates. All the IP routing protocols can use route maps for redistribution filtering.

 

Route Map Applications

Network administrators use route maps for a variety of purposes. Several of the more common applications for route maps are as follows:

  • Route Filtering during redistribution— Redistribution nearly always requires some amount of route filtering. Although distribute lists can be used for this purpose, route maps offer the added benefit of manipulating routing metrics through the use of set commands.
  • Policy-Based Routing (PBR)— Route maps can be used to match source and destination addresses, protocol types, and end-user applications. When a match occurs, a set command can be used to define the interface or next-hop address to which the packet should be sent. PBR allows the operator to define routing policy other than basic destination-based routing using the routing table.
  • Network Address Translation (NAT)— Route maps can better control which private addresses are translated to public addresses. Using a route map with NAT also provides more detailed show commands that describe the address-translation process.
  • BGP— Route maps are the primary tools for implementing BGP policy. Network administrators assign route maps to specific BGP sessions (neighbors) to control which routes are allowed to flow in and out of the BGP process. In addition to filtering, route maps provide sophisticated manipulation of BGP path attributes.

 

Route maps are complex access lists that allow some conditions to be tested against the packet or route in question using match commands. If the conditions match, some actions can be taken to modify attributes of the packet or route. These actions are specified by set commands. This is a big difference between route maps and access lists: Route maps can modify the packet or route by using set commands.

The statements in a route map correspond to the lines of an access list. Specifying the match conditions in a route map is similar in concept to specifying the source and destination addresses and masks in an access list.

 

 

Distribute List

Another way to control routing updates is to use a Distribute List. A Distribute List allows an access list to be applied to routing updates. As mentioned, access lists are usually associated with interfaces and are usually used to control user traffic (data plane traffic) rather than routing protocol traffic (or other control plane traffic).

Routers can have many interfaces, and route information can also be obtained through route redistribution, which does not involve a specific interface. In addition, access lists do not affect traffic originated by the router, so applying one on an interface has no effect on outgoing routing advertisements.

However, when you configure an access list and use it with a distribute list, routing updates can be controlled, no matter what their source is.

The associated distribute list is configured under the routing protocol process. The access list should permit the networks that you want advertised or redistributed and deny the networks that you want to remain hidden.

The router then applies the access list to routing updates for that protocol. Options in the distribute-list command allow updates to be filtered based on factors including the following:

  • Incoming Interface
  • Outgoing Interface
  • Redistribution from another routing protocol

 

Using a distribute list gives the administrator great flexibility in determining just which routes will be permitted and which will be denied.

 

Configuring Distribute Lists to Control Routing Updates

You can filter routing update traffic for any protocol by defining an access list and applying it to a specific routing protocol using the distribute-list command. A distribute list enables the filtering of routing updates coming into or out of a specific interface from neighboring routers using the same routing protocol. A distribute list also allows the filtering of routes redistributed from other routing protocols or sources.

 

Planning

The following should be documented in an implementation plan when planning to configure distribute lists:

  • Define the traffic filtering requirements that will be used to permit or deny routes, using an access list or a route map.
  • Define a distribute list to use the access list or route map, and whether it will be applied to the inbound or outbound updates.

 

Configure a Distribute List

  • Identify the network addresses of the routes you want to filter, and create an access list.
  • Determine whether you want to filter traffic on an incoming interface, traffic on an outgoing interface, or routes being redistributed from another routing source.

 

Use the following command syntax:

 distribute-list {access-list-number | name} out [interface-name | routing-process [routing-process parameter]]

 

This router configuration command assigns the access list to filter outgoing routing updates through a distribute list.

Note: Because OSPF routers must maintain LSDB synchronization within an area, the distribute-list out command cannot be used with OSPF to block outbound LSAs on an interface. For OSPF, this command works only on the routes being redistributed by ASBRs into OSPF. The command can be applied to E2 and E1 routes, but not to intra-area or inter-area routes.

 

Alternatively, use the following command syntax:

distribute-list [access-list-number | name] | [route-map maptag] in [interface-type interface-number] 

This router configuration command assigns the access list to filter routing updates coming in through an interface. (Also allows the use of a route map instead of an access list for OSPF and EIGRP.)

Note:  The distribute-list in command prevents most routing protocols from placing the filtered routes in their database. However, OSPF routes cannot be filtered from entering the OSPF LSDB. Thus, when this command is used with OSPF, the routes are still placed in the LSDB, they are only filtered from entering the routing table.

The distribute-list out command filters updates going out of the interface or routing protocol specified in the command, into the routing process under which it is configured.

The distribute-list in command filters updates going into the interface specified in the command, into the routing process under which it is configured.

Using distribute lists as route filters has several drawbacks, including the following:

  • A subnet mask cannot be easily matched.
  • Access lists are evaluated sequentially for every IP prefix in the routing update.
  • An extended access list can be cumbersome to configure.

 

Prefix Lists

To restrict the routing information that the Cisco IOS learns or advertises, you can filter routing updates to and from particular neighbors by defining either an access list with a distribute list, or a prefix list, and then apply it to the updates.

 

Prefix List Characteristics

As mentioned above, access lists were originally designed to do packet filtering. Prefix lists can be used as an alternative to access lists in many route filtering commands. The advantages of using prefix lists include the following:

  • Significant Performance Improvement over access lists in loading and route lookup of large lists. The router transforms the prefix list into a tree structure, with each branch of the tree representing a test, allowing the Cisco IOS Software to determine whether to permit or deny much faster.
  • Support Incremental Modifications. Compared to a traditional access list in which one no command erases the whole access list, prefix list entries can be modified incrementally. You can assign a sequence number to each line of a prefix list; the router uses this number to sort the entries in the list. If you initially sequence the lines with some gaps between the sequence numbers, you can easily insert lines later. You can also remove individual lines without removing the entire list.
    (Note: ACLs can now also be edited incrementally.)
  • User-friendly CLI. The command-line interface for using extended access lists to filter updates is difficult to understand and use.
  • Greater Flexibility. Routers match network numbers in a routing update against the prefix list using as many bits as indicated. You can specify a prefix list to match 10.0.0.0/16, which will match 10.0.0.0 routes but not 10.1.0.0 routes. Optionally, the prefix list can also specify the size of the subnet mask, or that the subnet mask must be in a specified range.

Note:  Prefix lists have several similarities to access lists. A prefix list can consist of any number of lines, each of which indicates a test and a result. When a router evaluates a route against the prefix list, the first line that matches results in either a permit or deny. If none of the lines in the list match, the result is “implicitly deny,” just as it is in an access list.

 

Filtering with Prefix Lists

Filtering by prefix list involves matching the prefixes of routes with those listed in the prefix list, similar to using access lists.

Whether a prefix is permitted or denied is based on the following rules:

  • An empty prefix list permits all prefixes.
  • If a prefix is permitted, the route is used. If a prefix is denied, the route is not used.
  • Prefix lists consist of statements with sequence numbers. The router begins the search for a match at the top of the prefix list, which is the statement with the lowest sequence number.
  • When a match occurs, the router does not need to go through the rest of the prefix list. For efficiency, you might want to put the most common matches (permits or denies) near the top of the list by specifying a lower sequence number.
  • An implicit deny is assumed if a given prefix does not match any entries in a prefix list.

 

Configuring Prefix Lists

The following is the syntax of the global configuration command used to create a prefix list:

 ip prefix-list {list-name | list-number} [seq seq-value] {deny | permit} network/length [ge ge-value] [le le-value]

 

list-name The name of the prefix list that will be created (case sensitive).

list-number The number of the prefix list that will be created.

seq seq-value A 32-bit sequence number of the prefix-list statement, used to determine the order in which the statements are processed when filtering. Default sequence numbers are in increments of 5 (5, 10, 15, and so on).

deny | permit The action taken when a match is found.

network/length The prefix to be matched and the length of the prefix. The network is a 32-bit address. The length is a decimal number.

ge ge-value The range of the prefix length to be matched for prefixes that are more specific than network/length. The range is assumed to be from ge-value to 32 if only the ge attribute is specified.

le le-value The range of the prefix length to be matched for prefixes that are more specific than network/length. The range is assumed to be from length to le-value if only the le attribute is specified.

Note:  The ge and le keywords are optional. They can be used to specify the range of the prefix length to be matched for prefixes that are more specific than network/length. The value range is as follows:  length < ge-value < le-value <= 32

An exact match is assumed when neither ge nor le is specified.

The below global configuration command, where list-name is the name of a prefix list, is used to delete a prefix list.

no ip prefix-list list-name

 

The below global configuration command can be used to add or delete a text description for a prefix list.

[no] ip prefix-list list-name description text

 

Prefix List Sequence Numbers

Prefix list sequence numbers are generated automatically, unless you disable this automatic generation. If you do so, you must specify the sequence number for each entry using the seq-value argument of the ip prefix-list command.

A prefix list is an ordered list. The sequence number is significant when a given prefix is matched by multiple entries of a prefix list, in which case the one with the smallest sequence number is considered the real match.

The evaluation of a prefix list starts with the lowest sequence number and continues down the list until a match is found. When an IP address match is found, the permit or deny statement is applied to that network and the remainder of the list is not evaluated.

The below global configuration command is used to disable the automatic generation of sequence numbers of prefix list entries.

no ip prefix-list sequence-number

 

Use the below global configuration command to reenable the automatic generation of sequence numbers.

ip prefix-list sequence-number

 

Prefix List Example

Consider the prefix list:

ip prefix-list MyList permit 192.168.0.0/16

Which of the following routes would this prefix list match: 192.168.0.0/16, 192.168.0.0/20, 192.168.2.0/24?  Only the first route, 192.168.0.0/16, would match because that is the only one that matches both the address and the mask.

 

Now consider the two prefix lists:

1- ip prefix-list List1 permit 192.168.0.0/16 le 20
2- ip prefix-list List2 permit 192.168.0.0/16 ge 18

Which of the following routes would these prefix lists match: 192.168.0.0/16, 192.168.0.0/20, 192.168.2.0/24?

The following routes match List 1: 192.168.0.0/16, 192.168.0.0/20. The route 192.168.2.0/24 is not matched because, even though the IP address falls within the specified address range, the subnet mask is too long.

The following routes match List 2: 192.168.0.0/20, 192.168.2.0/24. The route 192.168.0.0/16 is not matched because the subnet mask is too short.
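The matching rules above (exact match without ge/le, length ranges with them, lowest sequence number first, implicit deny) can be checked offline with a small model. The following is an added example, not part of the original post and not Cisco code: the function names and the list "Ordered" are hypothetical, the parser accepts only the IPv4 syntax shown on this page, and standard_acl_matches illustrates the distribute-list drawback that an access list cannot easily match a subnet mask.

```python
import ipaddress
import re

# Constructed sample input: MyList, List1 and List2 are the page's examples;
# "Ordered" is a hypothetical list added to show sequence-number ordering.
SAMPLE_CONFIG = """
ip prefix-list MyList permit 192.168.0.0/16
ip prefix-list List1 permit 192.168.0.0/16 le 20
ip prefix-list List2 permit 192.168.0.0/16 ge 18
ip prefix-list Ordered seq 10 permit 192.168.0.0/16 le 24
ip prefix-list Ordered seq 5 deny 192.168.2.0/24
"""
ROUTES = ["192.168.0.0/16", "192.168.0.0/20", "192.168.2.0/24"]

_ENTRY = re.compile(
    r"^ip prefix-list (?P<name>\S+)(?: seq (?P<seq>\d+))? (?P<action>permit|deny)"
    r" (?P<net>[\d.]+/\d+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)


def parse_prefix_lists(config):
    """Return {name: [(seq, action, network, low, high), ...]} sorted by seq."""
    lists = {}
    for raw in config.strip().splitlines():
        m = _ENTRY.match(" ".join(raw.split()))
        if m is None:
            raise ValueError(f"unsupported prefix-list line: {raw!r}")
        net = ipaddress.ip_network(m["net"])
        ge = int(m["ge"]) if m["ge"] else None
        le = int(m["le"]) if m["le"] else None
        # No ge/le: exact length. ge only: ge..32. le only: length..le.
        low = ge if ge is not None else net.prefixlen
        high = le if le is not None else (32 if ge is not None else net.prefixlen)
        if not net.prefixlen <= low <= high <= 32:
            raise ValueError(f"invalid ge/le range: {raw!r}")
        entries = lists.setdefault(m["name"], [])
        # Automatic sequence numbers go up in increments of 5.
        seq = int(m["seq"]) if m["seq"] else max((e[0] for e in entries), default=0) + 5
        entries.append((seq, m["action"], net, low, high))
    for entries in lists.values():
        entries.sort(key=lambda e: e[0])
    return lists


def evaluate(entries, route):
    """Return (action, seq) for a route; seq is None when no entry matched."""
    route = ipaddress.ip_network(route)
    if not entries:
        return ("permit", None)  # an empty prefix list permits all prefixes
    for seq, action, network, low, high in entries:
        # The leading bits must agree and the mask length must be in range.
        if low <= route.prefixlen <= high and route.network_address in network:
            return (action, seq)  # first match wins, the rest is skipped
    return ("deny", None)  # implicit deny


def permitted(lists, name, routes=ROUTES):
    """Routes from `routes` that the named prefix list permits."""
    return [r for r in routes if evaluate(lists.get(name, []), r)[0] == "permit"]


def standard_acl_matches(route, address, wildcard):
    """Standard ACL line as used by a distribute list: only the route's
    network address is compared; the mask length is never examined."""
    r = int(ipaddress.ip_network(route).network_address)
    a = int(ipaddress.ip_address(address))
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (r & care) == (a & care)


LISTS = parse_prefix_lists(SAMPLE_CONFIG)

if __name__ == "__main__":
    for name in ("MyList", "List1", "List2"):
        print(name, "permits", permitted(LISTS, name))
    for route in ROUTES + ["192.168.3.0/24", "10.0.0.0/8"]:
        print("Ordered", route, evaluate(LISTS["Ordered"], route))
    for route in ROUTES:
        print("ACL 192.168.0.0 0.0.0.0", route,
              standard_acl_matches(route, "192.168.0.0", "0.0.0.0"))
```

The ACL line matches both 192.168.0.0/16 and 192.168.0.0/20 because their network addresses are identical, which is the case a prefix list separates by mask length.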

 

Controlling Routing Updates Lab

I have built a topology to make some examples about controlling routing updates (route filtering), with two IGPs, EIGRP and OSPF. I’ll add one example below using RIPv2 just as an example because the behaviour differs from protocol to protocol.

R1 and R2 are running EIGRP AS 1, and R2 and R3 are running OSPF. R2 is the ASBR consisting of areas 0, 10 and 20.

Routers are running the following:

R1# sh version
Cisco IOS Software, Linux Software (I86BI_LINUX-ADVENTERPRISEK9-M), Version 15.4(2)T4, DEVELOPMENT TEST SOFTWARE
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Thu 08-Oct-15 21:21 by prod_rel_team

 

Topology

Filtering Routing Protocols

 

Scenario Objectives

  • Filter routes using distribute list and ACL.
  • Filter routes using distribute list and prefix list.
  • Filtering redistributed routes using route maps.
  • Filtering redistributed routes and set attributes using route maps.

 

Perform the initial configuration: assign IP addresses to all loopback and serial interfaces, and bring them up on all routers.

R1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# int lo0
*May 30 16:00:54.416: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
R1(config-if)# ip add 172.16.1.1 255.255.255.0
R1(config-if)# int lo48 
*May 30 16:01:17.232: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback48, changed state to up
R1(config-if)# ip add 192.168.48.1 255.255.255.0
R1(config-if)# int lo49 
*May 30 16:01:33.901: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback49, changed state to up
R1(config-if)# ip add 192.168.49.1 255.255.255.0
R1(config-if)# int lo50 
*May 30 16:01:43.804: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback50, changed state to up
R1(config-if)# ip add 192.168.50.1 255.255.255.0
R1(config-if)# int lo51 
*May 30 16:01:55.899: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback51, changed state to up
R1(config-if)# ip add 192.168.51.1 255.255.255.0
R1(config-if)# int lo70 
*May 30 16:02:07.164: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback70, changed state to up
R1(config-if)# ip add 192.168.70.1 255.255.255.0
R1(config-if)# int s0/0
R1(config-if)# description TO-R2
R1(config-if)# ip add 172.16.12.1 255.255.255.0
R1(config-if)# clock rate threshold 64000
R1(config-if)# bandwidth 64
R1(config-if)# no shut
*May 30 16:02:58.922: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
*May 30 16:02:59.924: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
*May 30 16:03:21.499: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
R1# sh ip int bri | e admin
Interface IP-Address OK? Method Status Protocol
Serial0/0 172.16.12.1 YES manual up up 
Loopback0 172.16.1.1 YES manual up up 
Loopback48 192.168.48.1 YES manual up up 
Loopback49 192.168.49.1 YES manual up up 
Loopback50 192.168.50.1 YES manual up up 
Loopback51 192.168.51.1 YES manual up up 
Loopback70 192.168.70.1 YES manual up up 
R1#

R2# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)# int lo0
*May 30 22:04:11.204: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
R2(config-if)# ip add 172.16.2.1 255.255.255.0
R2(config)# int lo100
*May 30 19:44:47.464: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback100, changed state to up
R2(config-if)# ip add 172.16.100.1 255.255.255.0
R2(config-if)# interface s0/0
R2(config-if)# clock rate threshold 64000
R2(config-if)# bandwidth 64
R2(config-if)# description TO->R1
R2(config-if)# ip add 172.16.12.2 255.255.255.0
R2(config-if)# no shut
*May 30 19:48:10.245: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
*May 30 19:48:11.247: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
R2(config-if)# int s0/1
R2(config-if)# description TO->R3
R2(config-if)# clock rate threshold 64000
R2(config-if)# bandwidth 64
R2(config-if)# ip add 172.16.23.2 255.255.255.0
R2(config-if)# no shut
*May 30 19:49:32.310: %LINK-3-UPDOWN: Interface Serial0/1, changed state to up
*May 30 19:49:33.313: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1, changed state to up
R2(config-if)# end
R2# sh ip int bri | e admin
Interface IP-Address OK? Method Status Protocol
Serial0/0 172.16.12.2 YES manual up up 
Serial0/1 172.16.23.2 YES manual up up 
Loopback0 172.16.2.1 YES manual up up 
Loopback100 172.16.100.1 YES manual up up 
R2#

R3# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config-if)# int lo0
*May 30 21:25:40.301: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
R3(config-if)# ip add 172.16.3.1 255.255.255.0
R3(config-if)# int lo20 
*May 30 21:25:52.609: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback20, changed state to up
R3(config-if)# ip add 192.168.20.1 255.255.255.0
R3(config-if)# int lo25 
*May 30 21:25:59.826: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback25, changed state to up
R3(config-if)# ip add 192.168.25.1 255.255.255.0
R3(config-if)# int lo30 
*May 30 21:26:11.917: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback30, changed state to up
R3(config-if)# ip add 192.168.30.1 255.255.255.0
R3(config-if)# int lo35 
*May 30 21:26:19.254: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback35, changed state to up
R3(config-if)# ip add 192.168.35.1 255.255.255.0
R3(config-if)# int lo40 
*May 30 21:26:36.641: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback40, changed state to up
R3(config-if)# ip add 192.168.40.1 255.255.255.0
R3(config-if)# int lo8
*May 30 19:53:45.050: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback8, changed state to up
R3(config-if)# ip add 192.168.8.1 255.255.255.0
R3(config-if)# int lo9 
*May 30 19:54:03.868: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback9, changed state to up
R3(config-if)# ip add 192.168.9.1 255.255.255.0
R3(config-if)# int lo10 
*May 30 19:54:13.650: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback10, changed state to up
R3(config-if)# ip add 192.168.10.1 255.255.255.0
R3(config-if)# int lo11 
*May 30 19:54:22.250: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback11, changed state to up
R3(config-if)# ip add 192.168.11.1 255.255.255.0
R3(config-if)# exit
R3(config)# int s0/1
R3(config-if)# description TO->R2
R3(config-if)# clock rate threshold 64000
R3(config-if)# bandwidth 64
R3(config-if)# ip add 172.16.23.3 255.255.255.0
R3(config-if)# no shut
R3(config-if)# end
*May 30 20:06:54.067: %LINK-3-UPDOWN: Interface Serial0/1, changed state to up
*May 30 20:06:55.067: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1, changed state to up
R3# sh ip int bri | e admin
Interface IP-Address OK? Method Status Protocol
Serial0/1 172.16.23.3 YES manual up up 
Loopback0 172.16.3.1 YES manual up up 
Loopback8 192.168.8.1 YES manual up up 
Loopback9 192.168.9.1 YES manual up up 
Loopback10 192.168.10.1 YES manual up up 
Loopback11 192.168.11.1 YES manual up up 
Loopback20 192.168.20.1 YES manual up up 
Loopback25 192.168.25.1 YES manual up up 
Loopback30 192.168.30.1 YES manual up up 
Loopback35 192.168.35.1 YES manual up up 
Loopback40 192.168.40.1 YES manual up up 
R3#

 

On R1, create a supernet route summarizing the loopback 48 and 49 networks and configure EIGRP in AS 1.

R1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# int s0/0
R1(config-if)# ip summary-address eigrp 1 192.168.48.0 255.255.254.0
R1(config-if)# exit
R1(config)# router eigrp 1
R1(config-router)# no auto-summary 
R1(config-router)# net 172.16.0.0 
R1(config-router)# net 192.168.0.0 0.0.255.255 
R1(config-router)#

 

On R3, summarize area 20 routes and configure OSPF for area 0 and area 20.

R3# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)# router ospf 1
R3(config-router)# area 20 range 192.168.8.0 255.255.252.0
R3(config-router)# net 172.16.0.0 0.0.255.255 area 0
R3(config-router)# net 192.168.0.0 0.0.255.255 area 0
R3(config-router)# net 192.168.8.0 0.0.3.255 area 20 
R3(config-router)#
*May 30 20:51:43.477: %OSPF-6-AREACHG: 192.168.8.0/22 changed from area 0 to area 20
R3(config-router)#

 

On R2, configure EIGRP and redistribute the OSPF networks into EIGRP AS 1. Configure OSPF, redistribute and summarize the EIGRP networks into OSPF.

R2# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)# router eigrp 1
R2(config-router)# no auto
R2(config-router)# net 172.16.0.0
*May 30 20:56:15.723: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.16.12.1 (Serial0/0) is up: new adjacency
R2(config-router)# redistribute ospf 1 metric 10000 100 255 1 1500
R2(config-router)# exit
R2(config)# router ospf 1
R2(config-router)# net 172.16.23.0 0.0.0.255 area 0
*May 30 20:57:04.382: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.11.1 on Serial0/1 from LOADING to FULL, Loading Done
R2(config-router)# net 172.16.100.0 0.0.0.255 area 10
R2(config-router)# redistribute eigrp 1 subnets 
R2(config-router)# summary-address 192.168.48.0 255.255.252.0
R2(config-router)# exit
R2(config)#

 

Verify EIGRP and OSPF routing table entries on R2.

R2# sh ip route eigrp | b Gateway
Gateway of last resort is not set

172.16.0.0/16 is variably subnetted, 13 subnets, 2 masks
D 172.16.1.0/24 [90/40640000] via 172.16.12.1, 00:38:40, Serial0/0
D 192.168.48.0/23 [90/40640000] via 172.16.12.1, 00:38:40, Serial0/0
D 192.168.50.0/24 [90/40640000] via 172.16.12.1, 00:38:40, Serial0/0
D 192.168.51.0/24 [90/40640000] via 172.16.12.1, 00:38:40, Serial0/0
D 192.168.70.0/24 [90/40640000] via 172.16.12.1, 00:38:40, Serial0/0
R2#
R2# sh ip route ospf | b Gateway 
Gateway of last resort is not set

 172.16.0.0/16 is variably subnetted, 10 subnets, 2 masks
O 172.16.3.0/24 [110/1563] via 172.16.23.3, 01:48:27, Serial0/1
O IA 192.168.8.0/22 [110/1563] via 172.16.23.3, 02:10:06, Serial0/1
O 192.168.20.0/24 [110/1563] via 172.16.23.3, 01:13:12, Serial0/1
O 192.168.25.0/24 [110/1563] via 172.16.23.3, 01:13:12, Serial0/1
O 192.168.30.0/24 [110/1563] via 172.16.23.3, 01:13:12, Serial0/1
O 192.168.35.0/24 [110/1563] via 172.16.23.3, 01:13:12, Serial0/1
O 192.168.40.0/24 [110/1563] via 172.16.23.3, 01:13:12, Serial0/1
O 192.168.48.0/22 is a summary, 02:10:13, Null0
R2#

 

We can observe that R2 is getting R1 routes including the summarized 192.168.48.0/22 EIGRP route. R2 is also receiving R3 OSPF area 0 routes and the summarized area 20 routes, as expected!

 

Verification of R1’s EIGRP routing table.

R1# sh ip route eigrp | b Gateway
Gateway of last resort is not set

  172.16.0.0/16 is variably subnetted, 8 subnets, 2 masks
D 172.16.2.0/24 [90/40640000] via 172.16.12.2, 01:35:58, Serial0/0
D EX 172.16.3.0/24 [170/40537600] via 172.16.12.2, 01:49:47, Serial0/0
D 172.16.23.0/24 [90/41024000] via 172.16.12.2, 02:13:01, Serial0/0
D 172.16.100.0/24 [90/40640000] via 172.16.12.2, 02:44:06, Serial0/0
D EX 192.168.8.0/22 [170/40537600] via 172.16.12.2, 02:11:26, Serial0/0
D EX 192.168.20.0/24 [170/40537600] via 172.16.12.2, 01:14:32, Serial0/0
D EX 192.168.25.0/24 [170/40537600] via 172.16.12.2, 01:14:32, Serial0/0
D EX 192.168.30.0/24 [170/40537600] via 172.16.12.2, 01:14:32, Serial0/0
D EX 192.168.35.0/24 [170/40537600] via 172.16.12.2, 01:14:32, Serial0/0
D EX 192.168.40.0/24 [170/40537600] via 172.16.12.2, 01:14:32, Serial0/0
D EX 192.168.48.0/22 [170/40537600] via 172.16.12.2, 02:11:33, Serial0/0
D 192.168.48.0/23 is a summary, 02:54:26, Null0
R1#

 

R1 is aware of all internal routes; it is also receiving all external EIGRP routes redistributed from the OSPF domain by R2. I highlighted the entry identifying the OSPF 20 routes, which will be used to filter using a distribute list and an ACL in the next step.

 

Verify OSPF routing table on R3.

R3# sh ip route ospf | b Gateway
Gateway of last resort is not set

172.16.0.0/16 is variably subnetted, 18 subnets, 2 masks
O E2 172.16.1.0/24 [110/20] via 172.16.23.2, 00:42:26, Serial0/1
O E2 172.16.2.0/24 [110/20] via 172.16.23.2, 00:06:58, Serial0/1
O E2 172.16.12.0/24 [110/20] via 172.16.23.2, 00:42:26, Serial0/1
O IA 172.16.100.0/24 [110/1563] via 172.16.23.2, 00:17:00, Serial0/1
O 192.168.8.0/22 is a summary, 00:42:26, Null0
O E2 192.168.48.0/22 [110/20] via 172.16.23.2, 00:42:26, Serial0/1
O E2 192.168.70.0/24 [110/20] via 172.16.23.2, 00:42:26, Serial0/1
R3#

 

R3 is aware of the internal OSPF routes and the external routes redistributed by R2 from EIGRP routing domain. The highlighted entries identify the EIGRP routes, which will be filtered using a distribute list and prefix list in another step.

 

Now let’s test reachability on all routers. We should be able to ping all segments.

R3# tclsh
R3(tcl)# foreach n {
+>(tcl)# 172.16.1.1
+>(tcl)# 192.168.48.1
+>(tcl)# 192.168.49.1
+>(tcl)# 192.168.50.1
+>(tcl)# 192.168.51.1
+>(tcl)# 192.168.70.1
+>(tcl)# 172.16.12.1
+>(tcl)# 172.16.12.2
+>(tcl)# 172.16.2.1
+>(tcl)# 172.16.100.1
+>(tcl)# 172.16.23.2
+>(tcl)# 172.16.23.3
+>(tcl)# 172.16.3.1
+>(tcl)# 192.168.8.1
+>(tcl)# 192.168.9.1
+>(tcl)# 192.168.10.1
+>(tcl)# 192.168.11.1
+>(tcl)# 192.168.20.1
+>(tcl)# 192.168.25.1
+>(tcl)# 192.168.30.1
+>(tcl)# 192.168.35.1
+>(tcl)# 192.168.40.1
+>(tcl)# } {ping $n }
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 63/63/65 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.48.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 62/66/70 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.49.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 63/65/68 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.50.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 61/64/67 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.51.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/63/69 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.70.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 59/63/68 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 59/63/66 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 31/33/36 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 27/30/34 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/33/35 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.23.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 27/31/34 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 59/63/66 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.8.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.9.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/4/5 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.11.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/6 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.25.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/6 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.35.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.40.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms
R3(tcl)#

 

All segments are reachable and responding back so I’ll just assume everything is working fine. Please do not assume anything in a production environment, always test and verify everything!

 

Filter Redistributed Routes using a Distribute List and ACL

Now we will use a distribute list with an ACL to filter routes being advertised from R2 to R1. We will filter the OSPF area 20 routes – 192.168.8.0/22 – from being advertised by R2 to R1.

On R1, verify the routing table for the 192.168.8.0/22 route.

R1# sh ip route 192.168.8.0
Routing entry for 192.168.8.0/22, supernet
 Known via "eigrp 1", distance 170, metric 40537600, type external
 Redistributing via eigrp 1
 Last update from 172.16.12.2 on Serial0/0, 00:03:46 ago
 Routing Descriptor Blocks:
 * 172.16.12.2, from 172.16.12.2, 00:03:46 ago, via Serial0/0
 Route metric is 40537600, traffic share count is 1
 Total delay is 21000 microseconds, minimum bandwidth is 64 Kbit
 Reliability 255/255, minimum MTU 1500 bytes
 Loading 1/255, Hops 1
R1#

 

We could implement a distribute list on the receiving router, but it's usually best to filter routes on the distributing router, so on R2 I’ll create an ACL called OSPF_AREA20_FILTER that denies the 192.168.8.0/22 route. Note that the ACL must have a statement permitting all other routes, as all ACLs have an implicit deny at the end. Otherwise no OSPF routes would be redistributed into EIGRP.

R2# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)# ip access-list standard OSPF_AREA20_FILTER
R2(config-std-nacl)# remark USED IN DIST LIST TO FILTER OSPF AREA 20 ROUTES
R2(config-std-nacl)# deny 192.168.8.0 0.0.3.255
R2(config-std-nacl)# permit any
R2(config-std-nacl)# exit
R2(config)#

 

Now let’s configure a distribute list under EIGRP process to filter routes propagated to R1 using the ACL above.

R2(config)# router eigrp 1
R2(config-router)# distribute-list OSPF_AREA20_FILTER out ospf 1
R2(config-router)#
*Jun 1 15:40:45.048: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.16.12.1 (Serial0/0) is resync: route configuration changed
R2(config-router)#

 

On R1 verify that the route is now missing from its routing table. Note that as soon as we configured the distribute list, EIGRP resynced the process with its neighbor R1.

R1#
*Jun 1 15:40:45.607: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.16.12.2 (Serial0/0) is resync: peer graceful-restart
R1# sh ip route 192.168.8.0
% Network not in table
R1# sh ip route eigrp | b Gateway
Gateway of last resort is not set

172.16.0.0/16 is variably subnetted, 8 subnets, 2 masks
D 172.16.2.0/24 [90/40640000] via 172.16.12.2, 00:15:35, Serial0/0
D EX 172.16.3.0/24 [170/40537600] via 172.16.12.2, 00:15:35, Serial0/0
D 172.16.23.0/24 [90/41024000] via 172.16.12.2, 00:15:35, Serial0/0
D 172.16.100.0/24 [90/40640000] via 172.16.12.2, 00:15:35, Serial0/0
D EX 192.168.20.0/24 [170/40537600] via 172.16.12.2, 00:15:35, Serial0/0
D EX 192.168.25.0/24 [170/40537600] via 172.16.12.2, 00:15:35, Serial0/0
D EX 192.168.30.0/24 [170/40537600] via 172.16.12.2, 00:15:35, Serial0/0
D EX 192.168.35.0/24 [170/40537600] via 172.16.12.2, 00:15:35, Serial0/0
D EX 192.168.40.0/24 [170/40537600] via 172.16.12.2, 00:15:35, Serial0/0
D EX 192.168.48.0/22 [170/40537600] via 172.16.12.2, 00:15:34, Serial0/0
D 192.168.48.0/23 is a summary, 00:15:44, Null0
R1#

 

The output confirms that the route 192.168.8.0/22 is no longer in the routing table and is now being filtered.

Note: If any additional filtering was required, only the ACL would need to be altered.

 

Filter Redistributed Routes Using Distribute List and Prefix List

Now we will use a Prefix List with a Distribute List to filter the R1 routes being advertised from R2 to R3.

Let’s verify the routing table entry for OSPF external type 2 routes (identified with O E2 entry).

R3# sh ip route ospf | i O E2
O E2 172.16.1.0/24 [110/20] via 172.16.23.2, 00:21:55, Serial0/1
O E2 172.16.2.0/24 [110/20] via 172.16.23.2, 00:22:06, Serial0/1
O E2 172.16.12.0/24 [110/20] via 172.16.23.2, 00:22:06, Serial0/1
O E2 192.168.48.0/22 [110/20] via 172.16.23.2, 00:21:54, Serial0/1
O E2 192.168.70.0/24 [110/20] via 172.16.23.2, 00:21:55, Serial0/1
R3#

 

We will specifically filter the highlighted routes from being advertised using a Prefix List. On R2 I’ll configure a Prefix List identifying which networks to advertise to R3. Only the 172.16.0.0 networks will be permitted.

R2(config)# ip prefix-list EIGRP_192.168_FILTER description USED WITH DIST LIST TO FILTER EIGRP ROUTES 
R2(config)# ip prefix-list EIGRP_192.168_FILTER permit 172.16.0.0/16 le 24
R2(config)#

 

Now, under OSPF process let’s configure a Distribute List to filter routes propagated to R3 using the Prefix List.

R2(config)# router ospf 1
R2(config-router)# distribute-list prefix EIGRP_192.168_FILTER out eigrp 1
R2(config-router)#

 

Now let’s verify if the route is missing on R3’s routing table.

R3# sh ip route ospf | i O E2
O E2 172.16.1.0/24 [110/20] via 172.16.23.2, 00:44:47, Serial0/1
O E2 172.16.2.0/24 [110/20] via 172.16.23.2, 00:44:58, Serial0/1
O E2 172.16.12.0/24 [110/20] via 172.16.23.2, 00:44:58, Serial0/1
R3# sh ip route 192.168.48.0 2
% Unrecognized command
R3# sh ip route 192.168.70.0 255.255.255.0
% Network not in table
R3#

 

And again, the output confirms that the 192.168 routes from R1 are now being filtered. Only the 172.16.0.0/16 routes are being advertised to R3. The two steps above were very simple examples of using a distribute list with an ACL and a prefix list. Both methods achieve the same results of filtering routes. Take note that in large enterprise networks, route filtering can be very complex. The ACL can be very extensive and can tax a lot of router resources. For this reason, Prefix Lists should be used instead of ACLs since they are more efficient and consume less router resources than ACLs.
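The two filters above match routes differently, which matters when deciding what else they would block. The following Python sketch is an added example, not part of the original lab: it replays OSPF_AREA20_FILTER and EIGRP_192.168_FILTER against the redistributed routes shown in the outputs above, plus two constructed routes (192.168.10.0/24 and 172.16.50.0/30) that do not exist in the lab. The function and variable names are made up for this illustration.

```python
import ipaddress

def acl_permits(acl, route):
    """Standard ACL in a distribute list: only the route's network address
    is compared against address/wildcard; the mask length is ignored."""
    addr = int(ipaddress.ip_network(route).network_address)
    for action, base, wildcard in acl:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if addr & care == int(ipaddress.ip_address(base)) & care:
            return action == "permit"
    return False  # implicit deny at the end of every ACL

def prefix_list_permits(plist, route):
    """Prefix list: the leading bits must match AND the route's mask length
    must fall inside the ge/le window (exact length if neither is given)."""
    net = ipaddress.ip_network(route)
    for action, prefix, ge, le in plist:
        p = ipaddress.ip_network(prefix)
        lo = ge if ge is not None else p.prefixlen
        hi = le if le is not None else (32 if ge is not None else p.prefixlen)
        if lo <= net.prefixlen <= hi and net.network_address in p:
            return action == "permit"
    return False  # implicit deny at the end of every prefix list

def surviving(check, policy, routes):
    """Routes that would still be advertised after the filter is applied."""
    return [r for r in routes if check(policy, r)]

# deny 192.168.8.0 0.0.3.255 / permit any
OSPF_AREA20_FILTER = [
    ("deny", "192.168.8.0", "0.0.3.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]
# permit 172.16.0.0/16 le 24 (EIGRP_192.168_FILTER on the page)
EIGRP_192_168_FILTER = [("permit", "172.16.0.0/16", None, 24)]

# D EX routes seen on R1 before filtering (OSPF redistributed into EIGRP)
OSPF_INTO_EIGRP = ["172.16.3.0/24", "192.168.8.0/22", "192.168.20.0/24",
                   "192.168.25.0/24", "192.168.30.0/24", "192.168.35.0/24",
                   "192.168.40.0/24", "192.168.48.0/22"]
# O E2 routes seen on R3 before filtering (EIGRP redistributed into OSPF)
EIGRP_INTO_OSPF = ["172.16.1.0/24", "172.16.2.0/24", "172.16.12.0/24",
                   "192.168.48.0/22", "192.168.70.0/24"]

if __name__ == "__main__":
    print("R2 -> R1:", surviving(acl_permits, OSPF_AREA20_FILTER, OSPF_INTO_EIGRP))
    print("R2 -> R3:", surviving(prefix_list_permits, EIGRP_192_168_FILTER, EIGRP_INTO_OSPF))
    # Constructed routes, not present in the lab:
    # a /24 inside the ACL's wildcard range is dropped as well ...
    print(acl_permits(OSPF_AREA20_FILTER, "192.168.10.0/24"))
    # ... and a 172.16 prefix longer than /24 falls outside "le 24".
    print(prefix_list_permits(EIGRP_192_168_FILTER, "172.16.50.0/30"))
```

The ACL would also drop any more-specific route whose network address falls between 192.168.8.0 and 192.168.11.255, while the prefix list silently drops anything in 172.16.0.0/16 longer than /24; both are worth checking before a filter like this is reused on another boundary router.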

 

 

Filter Redistributed Routes Using a Route Map

Route maps can also be used to filter redistributed routes. They are like an ACL in that they have permit and deny statements that are read in sequential order, but route maps can also match and set specific attributes, and therefore provide more options and more flexibility when redistributing routes.

As stated above, route maps are not only used for redistribution; they are also commonly used for PBR, which allows an administrator to define routing policies other than basic destination-based routing using the routing table. The route map is applied to an interface using the ip policy route-map command. In BGP, route maps are the primary tools for implementing BGP policies and allow an administrator to do path control and provide sophisticated manipulation of BGP path attributes. The route map is applied using the neighbor router command.

For this example I’m going to filter the R3 loopback 25 and 30 networks from being redistributed into EIGRP on R2. On R1, verify that those two routes are currently displayed.

R1# sh ip route eigrp | b Gateway
Gateway of last resort is not set

172.16.0.0/16 is variably subnetted, 8 subnets, 2 masks
D 172.16.2.0/24 [90/40640000] via 172.16.12.2, 01:04:55, Serial0/0
D EX 172.16.3.0/24 [170/40537600] via 172.16.12.2, 01:04:55, Serial0/0
D 172.16.23.0/24 [90/41024000] via 172.16.12.2, 01:04:55, Serial0/0
D 172.16.100.0/24 [90/40640000] via 172.16.12.2, 01:04:55, Serial0/0
D EX 192.168.20.0/24 [170/40537600] via 172.16.12.2, 01:04:55, Serial0/0
D EX 192.168.25.0/24 [170/40537600] via 172.16.12.2, 01:04:55, Serial0/0
D EX 192.168.30.0/24 [170/40537600] via 172.16.12.2, 01:04:55, Serial0/0
D EX 192.168.35.0/24 [170/40537600] via 172.16.12.2, 01:04:55, Serial0/0
D EX 192.168.40.0/24 [170/40537600] via 172.16.12.2, 01:04:55, Serial0/0
D 192.168.48.0/23 is a summary, 01:05:04, Null0
R1#

 

There are several ways to configure this filtering. I’m configuring a named ACL that identifies the two routes to be filtered.

R2# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)# ip access-list standard R3_ROUTES_ACL 
R2(config-std-nacl)# remark ACL USED TO FILTER R3 ROUTES USED WITH ROUTE MAP
R2(config-std-nacl)# permit 192.168.25.0 0.0.0.255
R2(config-std-nacl)# permit 192.168.30.0 0.0.0.255
R2(config-std-nacl)# exit
R2(config)#

 

Now let’s configure a route map with a statement that denies based on a match with the named ACL. Then add a permit statement without a match statement, acting as an explicit “permit all”.

R2(config)# route-map FILTER_R3_ROUTES deny 10
R2(config-route-map)# description FILTER R3 OSPF ROUTES 192.168.25 AND 192.168.30
R2(config-route-map)# match ip address R3_ROUTES_ACL
R2(config-route-map)# exit
R2(config)# route-map FILTER_R3_ROUTES permit 20 
R2(config-route-map)# description PERMIT ALL OTHER OSPF ROUTES FROM R3
R2(config-route-map)# exit
R2(config)#

 

Now let’s apply the route map into EIGRP process by reentering the redistribute command.

R2(config)# router eigrp 1
R2(config-router)# redistribute ospf 1 route-map FILTER_R3_ROUTES metric 64 100 255 1 1500

 

Now let’s verify that the 192.168.25 and 192.168.30 OSPF routes from R3 are filtered out of R1 routing table.

R1# sh ip route eigrp | b Gateway
Gateway of last resort is not set

172.16.0.0/16 is variably subnetted, 8 subnets, 2 masks
D 172.16.2.0/24 [90/40640000] via 172.16.12.2, 00:20:35, Serial0/0
D EX 172.16.3.0/24 [170/40537600] via 172.16.12.2, 00:20:21, Serial0/0
D 172.16.23.0/24 [90/41024000] via 172.16.12.2, 00:20:33, Serial0/0
D 172.16.100.0/24 [90/40640000] via 172.16.12.2, 00:20:35, Serial0/0
D EX 192.168.20.0/24 [170/40537600] via 172.16.12.2, 00:20:21, Serial0/0
D EX 192.168.35.0/24 [170/40537600] via 172.16.12.2, 00:20:21, Serial0/0
D EX 192.168.40.0/24 [170/40537600] via 172.16.12.2, 00:20:21, Serial0/0
D 192.168.48.0/23 is a summary, 00:20:36, Null0
R1# sh ip route 192.168.25.0 
% Network not in table
R1# sh ip route 192.168.30.0
% Network not in table
R1#

 

Notice that the 192.168.25 and 192.168.30 routes are no longer in the routing table. Great, let’s move on!

 

Filter Redistributed Routes and Set Attributes Using Route Map

Now, I’m going to filter a route from R1 to change its metric and metric type. On R3 verify the routing table entry for the external type 2 entries.

R3# sh ip route ospf | i E2 
 E1 - OSPF external type 1, E2 - OSPF external type 2
O E2 172.16.1.0/24 [110/20] via 172.16.23.2, 00:25:47, Serial0/1
O E2 172.16.2.0/24 [110/20] via 172.16.23.2, 00:25:48, Serial0/1
O E2 172.16.12.0/24 [110/20] via 172.16.23.2, 00:25:45, Serial0/1
R3#

 

The 172.16.12.0/24 route, the segment between R1 and R2, will be configured with additional attributes.

Now, I’ll configure a prefix list identifying the route to be filtered. Then configure a route map matching the identified route in the prefix list and assign a cost of 25 and change its metric type to external type 1. Then add a permit statement without a match again, as an explicit permit all.

R2(config)# ip prefix-list R1-R2_SEGMENT permit 172.16.12.0/24
R2(config)# route-map R1-R2_SEGMENT permit 10
R2(config-route-map)# description FILTER AND ADD ATTRIBUTE TO 172.16.12.0/24 SEGMENT
R2(config-route-map)# match ip address prefix-list R1-R2_SEGMENT
R2(config-route-map)# set metric 25
R2(config-route-map)# set metric-type type-1 
R2(config-route-map)# exit
R2(config)# route-map R1-R2_SEGMENT permit 20 
R2(config-route-map)# description PERMIT ALL OTHER R1 EIGRP INTO OSPF ROUTES
R2(config-route-map)# exit
R2(config)#

 

Now I’m going to apply the route map to OSPF by reentering the redistribute command.

R2(config)# router ospf 1
R2(config-router)# redistribute eigrp 1 subnets route-map R1-R2_SEGMENT
R2(config-router)# exit
R2(config)#

 

Now let’s verify that the 172.16.12.0/24 network between the R1 s0/0 and R2 s0/0 interfaces is being filtered and set with the newly configured attributes.

R3# sh ip route ospf | b Gateway 
Gateway of last resort is not set

 172.16.0.0/16 is variably subnetted, 8 subnets, 2 masks
O E2 172.16.1.0/24 [110/20] via 172.16.23.2, 00:35:53, Serial0/1
O E2 172.16.2.0/24 [110/20] via 172.16.23.2, 00:35:53, Serial0/1
O E1 172.16.12.0/24 [110/1587] via 172.16.23.2, 00:33:04, Serial0/1
O IA 172.16.100.0/24 [110/1563] via 172.16.23.2, 00:35:53, Serial0/1
O 192.168.8.0/22 is a summary, 00:35:53, Null0
R3#
R3# sh ip ospf database external 172.16.12.0

 OSPF Router with ID (192.168.40.1) (Process ID 1)

 Type-5 AS External Link States

 Routing Bit Set on this LSA in topology Base with MTID 0
 LS age: 370
 Options: (No TOS-capability, DC, Upward)
 LS Type: AS External Link
 Link State ID: 172.16.12.0 (External Network Number )
 Advertising Router: 172.16.100.1
 LS Seq Number: 8000000E
 Checksum: 0x1B09
 Length: 36
 Network Mask: /24
 Metric Type: 1 (Comparable directly to link state metric)
 MTID: 0 
 Metric: 25 
 Forward Address: 0.0.0.0
 External Route Tag: 0

R3#

 

Perfect! The route is now being learned as an OSPF external type 1 route with a metric of 25, which indicates that the actual metric is being calculated. Remember that external type 1 routes increment the metric throughout the network, as opposed to external type 2 routes, which do not increment the metric.
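The two route maps above can be replayed offline to check both the filtering and the resulting metrics. This Python sketch is an added example, not part of the original lab: it models FILTER_R3_ROUTES and R1-R2_SEGMENT as ordered clauses and computes the cost R3 should display. The helper names are made up, the OSPF redistribution defaults (metric 20, type 2) are taken from the O E2 [110/20] entries above, and R3's cost of 1562 to reach R2 is an assumption inferred from the 1587 shown for the E1 route.

```python
import ipaddress

net = ipaddress.ip_network

def in_acl_range(*ranges):
    """Standard-ACL style match: the route's network address falls in a range."""
    return lambda r: any(r.network_address in net(x) for x in ranges)

def exact_prefix(prefix):
    """Prefix-list entry without ge/le: address and mask length must both match."""
    return lambda r: r == net(prefix)

# Clauses in sequence order: (action, match or None, set values).
# A clause with no match statement (None) matches every route.
FILTER_R3_ROUTES = [
    ("deny", in_acl_range("192.168.25.0/24", "192.168.30.0/24"), {}),   # seq 10
    ("permit", None, {}),                                               # seq 20
]
R1_R2_SEGMENT = [
    ("permit", exact_prefix("172.16.12.0/24"),
     {"metric": 25, "metric_type": 1}),                                 # seq 10
    ("permit", None, {}),                                               # seq 20
]

def redistribute(route_map, routes, defaults):
    """First matching clause wins: deny drops the route, permit applies its
    set values over the defaults. No matching clause means implicit deny."""
    out = {}
    for route in routes:
        r = net(route)
        for action, match, sets in route_map:
            if match is None or match(r):
                if action == "permit":
                    out[route] = {**defaults, **sets}
                break
    return out

def ospf_cost_seen(attrs, cost_to_asbr):
    """E1 adds the internal cost to the ASBR; E2 keeps the external metric."""
    if attrs["metric_type"] == 1:
        return attrs["metric"] + cost_to_asbr
    return attrs["metric"]

# Routes taken from the outputs on this page, before each route map is applied
OSPF_INTO_EIGRP = ["172.16.3.0/24", "192.168.20.0/24", "192.168.25.0/24",
                   "192.168.30.0/24", "192.168.35.0/24", "192.168.40.0/24"]
EIGRP_INTO_OSPF = ["172.16.1.0/24", "172.16.2.0/24", "172.16.12.0/24"]
OSPF_DEFAULTS = {"metric": 20, "metric_type": 2}
R3_COST_TO_R2 = 1562  # assumption: inferred from 1587 = 25 + 1562

def costs_on_r3():
    """Cost R3 shows for each external route after R1-R2_SEGMENT is applied."""
    lsas = redistribute(R1_R2_SEGMENT, EIGRP_INTO_OSPF, OSPF_DEFAULTS)
    return {p: ospf_cost_seen(a, R3_COST_TO_R2) for p, a in lsas.items()}

if __name__ == "__main__":
    print(list(redistribute(FILTER_R3_ROUTES, OSPF_INTO_EIGRP, {})))
    print(costs_on_r3())
```

Removing the final permit clause from either list makes every unmatched route disappear, which is the implicit deny the "permit 20" statements in the lab are there to override.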

 

Hope this helps someone else!
