The purpose of Interior Routing Protocols (IGP), and routing protocols more generally, is to advertise the existence of destination networks. All protocols then have some method of picking what they would consider to be the best path and maintain the information. By default, all routes will be accepted and, depending on the protocol, either all best paths to destinations—Distance Vector Protocols, Routing Information Protocol (RIP) and Enhanced Interior Gateway Protocol (EIGRP)—or all information will be passed to neighbors—Link State, Open Shortest Path First (OSPF) and Intermediate System to Intermediate System (ISIS). There are occasions where that would be undesirable, so all the IGPs have some method of filtering routing information. The rules are different based on the different protocols.
With RIP and EIGRP, you can control what you advertise to other routers and what you are willing to receive from other routers, including what gets redistributed into the protocol from other sources. All the tools (ACLs for IPv4, Prefix Lists and Route Maps for both IPv4 and IPv6) are available for these distance vector protocols.
With OSPF and ISIS, there are restrictions. With link state protocols, there is an absolute rule that states all routers within the same area have to have common information originating within that area within their databases. Routes that originate within OSPF or ISIS, otherwise known as native routes, cannot be filtered within the area between the routers. You can filter native routes originating within the area from going into the local routing table, but the filtering does not stop the advertisement of the routes to other routers.
You can filter routers from redistribution before those routes become OSPF or ISIS routes. You cannot perform outbound route filtering. OSPF does allow for filtering from one area to another. The filter is known as a Link State Advertisement (LSA) type 3 database filter. LSA3 are routes or prefixes from another area. Since they don’t originate in the “next” area, they can be filtered before they get inserted into the database of that target area. Use the area x filter prefix command to reference a prefix list.
On Cisco routers, we use a distribute list command to filter routes inbound for all IGPs. For IPv4, the command can be followed by either an access control list (ACL) identifier, the keyword prefix-list or keyword route-map. For IPv6, ACL is not used for route filtering, so only prefix lists or route maps are used. If we specify simply that the distribute list is applied inbound, then any routes coming from any route source on any interface will pass through the policy (ACL, prefix list or route map). A match against a permit statement within the policy allows the route to be accepted. If there is a match against a deny statement, the route is rejected.
For OSPF and ISIS, the information will still be placed into the link state database, and the policy is applied when trying to determine what information from the database will be placed into the routing table. Due to link states’ requirement to flood intra-area information to all other routers, the filter will not stop the information from being sent to other routers. If filtering is done on one router in the path to a destination, it should be done on all the routers in the path to keep from confusing those that have to support the routers. If the route intermediately shows up in different routers routing tables, that can be confusing.
The distribute list in can be specific to which interface the update is being received on and only filter those received routes. If the distribute list is applied outbound without reference to interface or protocol, it will cause the protocol to pass the outgoing updates through the policy to see what can be advertised out all interfaces. If you specify an outgoing interface, the policy will only update other routers on that interface. Using a distribute list being to control what is being sent out as an interface or all the interfaces can only be done with RIP and EIGRP. If the distribute list is applied outbound from a protocol, that affects the routes that will be redistributed from the source protocol to the target protocol. This can be used with any IGP to control the redistribution process.
You can use an ACL (IPv4 only), prefix list or route map for filtering. The ACL and prefix list will match on the route to be permitted or denied. ISIS allows us to match on route source with a prefix list by applying and using a gateway filter. Route maps give us more flexibility. With a route map, I can match on the following attributes: route, route source, interface, metric type (OSPF), route type (ISIS), the metric of route and tag. Once you have a match, you can manipulate other attributes, such as metrics, next hop or route tag. Or you can use the route map as a filter.
Here’s an example of how to filter from one area to another in OSPF.
Before the filter:
R1# sh ip ospf data
OSPF Router with ID (10.1.101.1) (Process ID 1)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
10.1.101.1 10.1.101.1 1480 0x80000006 0x002739 2
10.1.101.9 10.1.101.9 1399 0x80000004 0x001467 5
Summary Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
10.2.120.0 10.1.101.1 0 0x80000001 0x009DA8
11.1.1.1 10.1.101.1 0 0x80000001 0x00BEFC
12.1.1.0 10.1.101.1 1480 0x80000004 0x00B503
13.1.1.0 10.1.101.1 1480 0x80000001 0x00AE0C
14.1.1.0 10.1.101.1 1480 0x80000001 0x00A118
15.1.1.0 10.1.101.1 1480 0x80000001 0x009424
16.1.1.0 10.1.101.1 1480 0x80000001 0x008730The database filter:
router ospf 1 area 1 filter-list prefix FromArea1 out network 10.2.100.1 0.0.0.0 area 0 network 10.2.120.1 0.0.0.0 area 1 ! ip prefix-list FromArea1 seq 5 permit 12.1.1.0/24 ipv6 router eigrp 100 !
After the filter:
sh ip ospf data
OSPF Router with ID (10.1.101.1) (Process ID 1)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
10.1.101.1 10.1.101.1 1667 0x80000006 0x002739 2
10.1.101.9 10.1.101.9 1586 0x80000004 0x001467 5
Summary Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
12.1.1.0 10.1.101.1 1667 0x80000004 0x00B503
Router Link States (Area 1)
Link ID ADV Router Age Seq# Checksum Link count
10.1.101.1 10.1.101.1 1667 0x80000005 0x00142C 1
10.2.120.3 10.2.120.3 1461 0x8000000A 0x008CBC 7Here’s an example of how to use a route map to filter and set metrics for redistribution:
DSWA#sh run int loopback 99 ! interface Loopback99 ip address 12.1.1.1 255.255.255.0 secondary ip address 13.1.1.1 255.255.255.0 secondary ip address 14.1.1.1 255.255.255.0 secondary ip address 15.1.1.1 255.255.255.0 secondary ip address 16.1.1.1 255.255.255.0 secondary ip address 11.1.1.1 255.255.255.0 router eigrp 100 network 10.0.0.0 redistribute connected route-map MyLoops passive-interface Vlan10 passive-interface Vlan30 passive-interface Vlan20 eigrp stub connected summary ! route-map MyLoops permit 10 match interface Loopback99 set metric 10000 1000 255 1 150 set tag 99 ! DSWA#show ip eigrp topology EIGRP-IPv4 Topology Table for AS(100)/ID(10.2.120.3) Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply, r - reply Status, s - sia Status P 14.1.1.0/24, 1 successors, FD is 128256 via Rconnected (128256/0) P 16.1.1.0/24, 1 successors, FD is 128256 via Rconnected (128256/0) P 10.2.130.0/24, 1 successors, FD is 21024512 via 10.2.120.1 (21024512/21024256), GigabitEthernet0/1 P 10.2.100.0/24, 1 successors, FD is 2170112 via 10.2.120.1 (2170112/2169856), GigabitEthernet0/1 P 15.1.1.0/24, 1 successors, FD is 128256 via Rconnected (128256/0) P 10.1.101.1/32, 1 successors, FD is 130816 via 10.2.120.1 (130816/128256), GigabitEthernet0/1 P 13.1.1.0/24, 1 successors, FD is 128256 via Rconnected (128256/0) P 10.1.101.2/32, 1 successors, FD is 21152256 via 10.2.120.1 (21152256/21152000), GigabitEthernet0/1 P 0.0.0.0/0, 1 successors, FD is 2172672 via 10.2.120.1 (2172672/2172416), GigabitEthernet0/1 P 10.2.110.0/24, 1 successors, FD is 21024256 via 10.2.120.1 (21024256/21024000), GigabitEthernet0/1 P 10.1.101.9/32, 1 successors, FD is 2298112 via 10.2.120.1 (2298112/2297856), GigabitEthernet0/1 P 10.2.120.0/24, 1 successors, FD is 2816 via Connected, GigabitEthernet0/1 P 12.1.1.0/24, 1 successors, FD is 128256 via Rconnected (128256/0) P 11.1.1.0/24, 1 successors, FD is 128256 via Rconnected (128256/0) DSWA# show ip eigrp topology 12.1.1.0/24 EIGRP-IPv4 Topology Entry for AS(100)/ID(10.2.120.3) for 12.1.1.0/24 State is Passive, Query origin flag is 1, 1 Successor(s), FD is 128256 Descriptor Blocks: 0.0.0.0, from Rconnected, Send flag is 0x0 Composite metric is (512000/0), route is External Vector metric: Minimum bandwidth is 10000 Kbit Total delay is 10000 microseconds Reliability is 255/255 Load is 1/255 Minimum MTU is 150 Hop count is 0 Originating router is 10.2.120.3 External data: AS number of route is 0 External protocol is Connected, external metric is 0 Administrator tag is 99 (0x00000063)
There may be different reasons for limiting the routes being received or sent to other routers—perhaps a security concern, reduction in complexity of the receiving routers, extranet or Internet routes. Whatever the rationale, there are options.
Want to learn more? Check out these related courses:
CCNAX v3.0 – CCNA Routing and Switching Boot Camp
ICND1 v3.0 – Interconnecting Cisco Networking Devices, Part 1
ROUTE – Implementing Cisco IP Routing v2.0
TSHOOT – Troubleshooting and Maintaining Cisco IP Networks v2.0
ARCH – Designing Cisco Network Service Architectures v3.0
CIERS1 – Cisco Expert-Level Training for CCIE Routing and Switching v5.0