Route Filtering
So much to cover, so little space and time. Let’s get started.
Access-Lists: Used to filter network traffic [and for other purposes outside the lab scope]. Several types exist => Standard ACLs, Extended ACLs, Dynamic (lock and key) ACLs, IP-named ACLs, Reflexive ACLs, Time-based ACLs that use time ranges, Commented IP ACL entries, Context-based ACLs, Authentication proxy, Turbo ACLs, Distributed time-based ACLs. Standard syntax format =>
access-list access-list-number {permit|deny} {host|source source-wildcard|any}
Standard ACLs control traffic by comparing the source address of the IP packets to the addresses configured in the ACL. Extended ACLs control traffic by comparing both the source and destination addresses of the IP packets to the addresses configured in the ACL. You can also make extended ACLs more granular by configuring them to filter traffic by criteria such as protocol, port numbers, Differentiated Services Code Point (DSCP) value, precedence value, and the state of the synchronize sequence number (SYN) bit.
Some examples – allow ping response packets to come in on interface Ethernet 0 in addition to a number of other well-known IP services:
hostname R1
!
interface ethernet0
 ip access-group 102 in
!
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq telnet
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any any eq pop3
access-list 102 permit tcp any any eq 21
access-list 102 permit tcp any any eq 20 <- Remember active & passive FTP
access-list 102 permit icmp any any echo-reply
Extending this – permit some routing protocols
access-list 102 permit udp any any eq rip <- Permit RIP
access-list 102 permit eigrp any any <- Permit EIGRP
access-list 102 permit ospf any any <- Permit OSPF
access-list 102 permit tcp any any eq 179 <- Permit BGP
access-list 102 permit tcp any eq 179 any <- Permit BGP
Remember that the implicit deny-all clause at the end of an ACL denies all other traffic that does not match the permit clauses.
Route-Maps: Otherwise known as network duct tape [not the prettiest, but fairly effective]. Used in various ways -> route filtering during redistribution between routing protocols – route control and attribute modification on BGP neighbors – route metric modification or tagging during redistribution between routing protocols – policy-based routing (PBR).
Route maps work in the following manner:
1. A process—whether it is a redistribution process, policy routing, or some other process such as Network Address Translation (NAT)—calls a route map by a text-based name.
2. The route map, in turn, has conditions or match statements, which are usually, but not always, an access list or extended access list. Border Gateway Protocol (BGP), for instance, can match on an autonomous system number (ASN) or different attributes.
The match statement(s) can be followed by set statements. If the match statement returns a true result, the set statement(s) are executed.
e.g. Let’s look at an SP example from the Internetworkexpert SP Lab Workbook, Lab 5 Section 3.5, involving ACLs and route-maps for BGP.
Question – For load distribution purposes, configure AS 100 so that traffic going to destinations learned from AS 54 that have an odd number in the first octet uses the Frame Relay link between R6 and BB1. Use the minimum amount of access-lists and access-list statements necessary to accomplish this on R7.
Solution:
R7:
ip access-list standard ODD_FIRST_OCTET
 permit 1.0.0.0 254.255.255.255
 ! Matches on the first octet only: wildcard 254 checks just the low-order bit, so any odd first octet (1, 3, 5, ...) matches
!
route-map SET_LOCAL_PREFERENCE permit 10
 match ip address ODD_FIRST_OCTET
 set local-preference 50
 ! Sets the local-pref value to 50 for routes matching ACL ODD_FIRST_OCTET
 ! Remember the default is 100 and the highest value is preferred!
route-map SET_LOCAL_PREFERENCE permit 1000
 ! Empty permit clause: all other routes pass through unchanged
!
router bgp 64578
 neighbor 204.12.1.254 route-map SET_LOCAL_PREFERENCE in
 ! Configures the inbound policy defined by route-map SET_LOCAL_PREFERENCE when peering with BB1
Prefix-lists: are used to match on prefix and prefix-length pairs. Normal prefix-list syntax is as follows:
ip prefix-list LIST permit w.x.y.z/len => Where w.x.y.z is your exact prefix & where len is your exact prefix-length
"ip prefix-list LIST permit 1.2.3.0/24" would be an exact match for the prefix 1.2.3.0 with a subnet mask of 255.255.255.0. This does not match 1.2.0.0/24, nor does it match 1.2.3.4/32, nor anything in between.
When you add the keywords “GE” and “LE” to the prefix-list, the “len” value changes its meaning. When using GE and LE, the len value specifies how many bits of the prefix you are checking, starting with the most significant bit.
ip prefix-list LIST permit 1.2.3.0/24 le 32 ==> Check the first 24 bits of the prefix 1.2.3.0; the subnet mask must be less than or equal to 32 (i.e. prefix lengths 24 through 32 match). This equates to the access-list syntax: access-list 1 permit 1.2.3.0 0.0.0.255
[More information at Brian McGahan's reference link below]
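As an added example (mine, not from the original post, the workbook or Cisco), a small Python model of the two match semantics used on this page: the ACL wildcard mask behind ODD_FIRST_OCTET in the R7 solution, and prefix-list matching with and without ge/le. The function names are my own.

```python
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard-mask match as used by standard and extended ACLs: a 0 bit
    in the wildcard means that address bit must equal the base, a 1 bit is
    ignored. So 1.0.0.0 254.255.255.255 matches any odd first octet."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    keep = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # bits that must match
    return (a & keep) == (b & keep)


def prefix_list_match(route, entry, ge=None, le=None):
    """IOS semantics of one 'ip prefix-list ... permit entry [ge N] [le M]'.
    Without ge/le the route must equal the entry exactly (prefix and length).
    With ge/le only the first len bits of the entry are compared and the
    route's own length must fall within [ge or len, le or 32]."""
    r = ipaddress.ip_network(route, strict=False)
    e = ipaddress.ip_network(entry, strict=False)
    if ge is None and le is None:
        return r == e
    lo = ge if ge is not None else e.prefixlen
    hi = le if le is not None else 32
    if not lo <= r.prefixlen <= hi:
        return False
    mask = (0xFFFFFFFF << (32 - e.prefixlen)) & 0xFFFFFFFF
    return (int(r.network_address) & mask) == (int(e.network_address) & mask)


def set_local_preference(prefix):
    """Emulates route-map SET_LOCAL_PREFERENCE from the R7 solution: seq 10
    matches ACL ODD_FIRST_OCTET and sets local-preference 50; seq 1000 permits
    everything else, which keeps the BGP default of 100."""
    net = ipaddress.ip_network(prefix, strict=False)
    if wildcard_match(str(net.network_address), "1.0.0.0", "254.255.255.255"):
        return 50
    return 100


if __name__ == "__main__":
    # Constructed sample prefixes, as if learned from BB1 (not taken from the lab).
    for p in ["3.0.0.0/8", "4.0.0.0/8", "197.68.0.0/16"]:
        print(p, "local-pref", set_local_preference(p))
    print(prefix_list_match("1.2.3.4/32", "1.2.3.0/24"))         # False: exact match only
    print(prefix_list_match("1.2.3.4/32", "1.2.3.0/24", le=32))  # True: first 24 bits, len 24..32
```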
Distribute-List: used to filter networks received in updates, with inbound and outbound options. Not supported with link-state protocols, as they exchange LSA packets rather than routes from routing tables. Syntax is ->
distribute-list {access-list-number | prefix prefix-list-name [gateway prefix-list-name]} in [interface-type interface-number]
e.g. The BGP routing process accepts only two networks—network 0.0.0.0 and network 131.108.0.0:
access-list 1 permit 0.0.0.0
access-list 1 permit 131.108.0.0
access-list 1 deny 0.0.0.0 255.255.255.255
router bgp
 network 131.108.0.0
 distribute-list 1 in
Conclusion: Obviously nowhere near full coverage of this topic, but mastery is essential for points in the lab.
Reference Links:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml
http://blog.internetworkexpert.com/2007/12/26/how-do-prefix-lists-work/
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/routmap.html
http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a00801475b2.shtml