Cisco Network Security Little Black Book - Joe Harris

Configuring Route Filters

Route filters work by regulating which networks a router will advertise out of an interface to another router, or which networks a router will accept on an interface from another router. Administrators can use route filtering to ensure that only specific routes are announced from a given routing process or interface. This feature allows administrators to configure their routers to reject routing information injected by intruders.

You can configure route filtering in one of two ways:

Inbound route filtering—The router can be configured to permit or deny routes advertised by a neighbor from being installed to the routing process.

Outbound route filtering—The route filter can be configured to permit or deny routes from being advertised from the local routing process, preventing neighboring routers from learning the routes.

Configuring Inbound Route Filters

The steps for configuring inbound route filters are as follows:

1. Use the access-list global configuration command to configure an access list that permits or denies the specific routes that are being filtered.

2. Under the routing protocol process, use the following command:

distribute-list <access-list-number> in [interface-name]

In this example, an inbound route filter will be configured on Router B to deny routes from being installed into its routing process (refer to Figure 1.5). Listing 1.15 displays Router A's configuration prior to applying the route filter, and Listing 1.16 displays Router B's.

Figure 1.5: Router B configured with an inbound route filter.

Listing 1.15: Router A configuration.

interface Loopback0
 ip address 10.10.10.1 255.255.255.0
!
interface Loopback1
 ip address 10.10.11.1 255.255.255.0
!
interface Ethernet0/0
 ip address 10.10.12.1 255.255.255.0
!
interface Serial0/0
 ip address 192.168.10.1 255.255.255.252
 clockrate 64000
!
router rip
 version 2
 network 10.0.0.0
 network 192.168.10.0
 no auto-summary

Listing 1.16: Router B configuration.

interface Loopback0
 ip address 10.10.13.1 255.255.255.0
!
interface Loopback1
 ip address 10.10.14.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.10.15.1 255.255.255.0
!
interface Serial0/0
 ip address 192.168.10.2 255.255.255.252
!
router rip
 version 2
 network 10.0.0.0
 network 192.168.10.0
 no auto-summary

Taking a look at the route table of Router B, notice that it has learned of three networks from Router A: 10.10.10.0, 10.10.11.0, and 10.10.12.0. Listing 1.17 displays Router B's route table.

Listing 1.17: Router B's route table.

Router-B#show ip route
......
C    10.10.13.0 is directly connected, Loopback0
C    10.10.14.0 is directly connected, Loopback1
C    10.10.15.0 is directly connected, FastEthernet0/0
R    10.10.10.0 [120/1] via 192.168.10.1, 00:00:16, Serial0/0
R    10.10.11.0 [120/1] via 192.168.10.1, 00:00:16, Serial0/0
R    10.10.12.0 [120/1] via 192.168.10.1, 00:00:16, Serial0/0
Router-B#

Now, a route filter will be configured on Router B to prevent the 10.10.10.0 and 10.10.11.0 networks from being installed into the route table. This will allow only the 10.10.12.0 network from Router A to be installed into the route table. Use the access-list <number> command to configure the router with a standard access list, and use the distribute-list <list-number> in <interface> command to apply the access list under the routing process. Listing 1.18 displays Router B's new configuration.

Listing 1.18: Router B configured with an inbound route filter.

!
interface Serial0/0
 ip address 192.168.10.2 255.255.255.252
!
router rip
 version 2
 network 10.0.0.0
 network 192.168.10.0
 distribute-list 1 in Serial0/0
 no auto-summary
!
access-list 1 permit 10.10.12.0

Looking back again at Router B's route table after applying the route filter, you can see that the 10.10.12.0 network is the only network that Router B is allowing to be installed into its route table. Listing 1.19 displays Router B's route table.

Note: Access lists have an implicit deny any as the last line; it is not displayed in the output of the configuration. Therefore, there is no need to manually configure the access list to deny the .10 and .11 networks.

Listing 1.19: Router B's route table with inbound route filter permitting only one network.

Router-B#show ip route
......
C    10.10.13.0 is directly connected, Loopback0
C    10.10.14.0 is directly connected, Loopback1
C    10.10.15.0 is directly connected, FastEthernet0/0
R    10.10.12.0 [120/1] via 192.168.10.1, 00:00:16, Serial0/0
Router-B#

Now, suppose Router A needs to learn only the 10.10.15.0 network from Router B and not the 10.10.13.0 and 10.10.14.0 networks. You can configure an inbound route filter on Router A to permit the installation of only the 10.10.15.0 network into the route table. Listing 1.15 displays Router A's configuration prior to the configuration change, and Listing 1.20 displays the route table on Router A prior to the configuration change.

Listing 1.20: Route table of Router A.

Router-A#show ip route
......
C    10.10.10.0 is directly connected, Loopback0
C    10.10.11.0 is directly connected, Loopback1
C    10.10.12.0 is directly connected, Ethernet0/0
R    10.10.13.0 [120/1] via 192.168.10.2, 00:00:17, Serial0/0
R    10.10.14.0 [120/1] via 192.168.10.2, 00:00:17, Serial0/0
R    10.10.15.0 [120/1] via 192.168.10.2, 00:00:17, Serial0/0
Router-A#

Listing 1.21 displays the configuration change needed on Router A.

Listing 1.21: Router A configured with an inbound route filter.

interface Serial0/0
 ip address 192.168.10.1 255.255.255.252
!
router rip
 version 2
 network 10.0.0.0
 network 192.168.10.0
 distribute-list 1 in Serial0/0
 no auto-summary
!
access-list 1 permit 10.10.15.0

Taking another look at Router A's route table, you can see that the only network permitted into the route table is the 10.10.15.0 network. Listing 1.22 displays Router A's route table after the inbound route filter has been applied.

Listing 1.22: Router A's route table with inbound route filter permitting only one network.

Router-A#show ip route
......
C    10.10.10.0 is directly connected, Loopback0
C    10.10.11.0 is directly connected, Loopback1
C    10.10.12.0 is directly connected, Ethernet0/0
R    10.10.15.0 [120/1] via 192.168.10.2, 00:00:17, Serial0/0
Router-A#

Configuring Outbound Route Filters

In the preceding section, you learned how to configure a router to accept only the routes that the administrator deems necessary. However, Router A advertised the 10.10.10.0 and 10.10.11.0 networks all the way across the network only to have them dropped upon reaching Router B, and Router B did the same with networks 10.10.13.0 and 10.10.14.0. The same results can be accomplished by configuring an outbound route filter. This filter does not allow the route to be advertised across the network at all, and it gives the administrator finer granularity of control over which networks are advertised to external partners. The steps to configure outbound route filters are described here:

1. Use the access-list global configuration command to configure an access list that permits or denies the specific routes that are being filtered.

2. Under the routing protocol process, use the following command:

distribute-list <access-list-number> out [interface-name | routing-process | autonomous-system-number]

Continuing with the example from the last section, you can configure Router A and Router B to accomplish the same results by applying the reverse logic of inbound route filters and configuring an outbound route filter. Router A, in Listing 1.22, was configured to accept only the 10.10.15.0 network into its routing process, and Router B was configured to accept only the 10.10.12.0 network into its routing process. This was accomplished by configuring an inbound route filter on each router. In this next example, that logic is reversed to achieve the exact same result. Listing 1.23 and Listing 1.24 display Router A's and Router B's configurations prior to making the necessary changes.

Listing 1.23: Router A's configuration.

interface Loopback0
 ip address 10.10.10.1 255.255.255.0
!
interface Loopback1
 ip address 10.10.11.1 255.255.255.0
!
interface Ethernet0/0
 ip address 10.10.12.1 255.255.255.0
!
interface Serial0/0
 ip address 192.168.10.1 255.255.255.252
 clockrate 64000
!
router eigrp 50
 network 10.0.0.0
 network 192.168.10.0
 no auto-summary
 eigrp log-neighbor-changes

Listing 1.24: Router B's configuration.

interface Loopback0
 ip address 10.10.13.1 255.255.255.0
!
interface Loopback1
 ip address 10.10.14.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.10.15.1 255.255.255.0
!
interface Serial0/0
 ip address 192.168.10.2 255.255.255.252
!
router eigrp 50
 network 10.0.0.0
 network 192.168.10.0
 no auto-summary
 eigrp log-neighbor-changes

Notice that both routers are now using a different routing protocol. This was done to demonstrate that route filters work with any routing protocol. First, Router A will be configured such that it will advertise only the 10.10.12.0 network to Router B. This can be accomplished using the commands in Listing 1.25.

Listing 1.25: Router A configured with an outbound route filter.

interface Serial0/0
 ip address 192.168.10.1 255.255.255.252
!
router eigrp 50
 network 10.0.0.0
 network 192.168.10.0
 distribute-list 3 out Serial0/0
 no auto-summary
!
access-list 3 permit 10.10.12.0

Router A is configured with access list 3, which permits only the 10.10.12.0 network, and an outbound distribute-list referencing that access list is applied to the EIGRP routing process. This should achieve the necessary results. You can check whether the results have been met by looking at the route table of Router B, which is displayed in Listing 1.26.
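The following Python model, added here as an example and not code from the book or from Cisco IOS, reproduces the filtering semantics of both the inbound section (Listing 1.18) and the outbound section (Listing 1.25): a standard access list is evaluated top-down, the first matching entry decides, falling off the end is the implicit deny any, and a distribute-list applies that list to the routes received or advertised on an interface. It goes slightly beyond the listings by also handling wildcard masks and the any keyword, which the book's single-line access lists do not use. Everything below (function names, the constructed configuration snippets, the list of routes Router A offers) is an assumption made for the example; the model tests only the route's network address, which is how a standard access list matches in a distribute-list.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not from the book: a model of a standard access list as
# used by "distribute-list <n> in|out <interface>". Only the route's network
# address is compared; the prefix length plays no part in the match.

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class AclEntry:
    action: str     # "permit" or "deny"
    address: int    # address as a 32-bit integer
    wildcard: int   # wildcard mask: a 1 bit means "don't care"


def parse_standard_acl(config_lines, number):
    """Collect the entries of standard ACL <number>, in configured order.

    An entry with no wildcard, such as "access-list 1 permit 10.10.12.0",
    is an exact match (wildcard 0.0.0.0); "any" matches every address.
    """
    entries = []
    for raw in config_lines:
        parts = raw.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[1] != str(number):
            continue
        action, addr = parts[2], parts[3]
        if addr == "any":
            entries.append(AclEntry(action, 0, ALL_ONES))
            continue
        wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
        entries.append(AclEntry(action,
                                int(ipaddress.IPv4Address(addr)),
                                int(ipaddress.IPv4Address(wildcard))))
    return entries


def acl_permits(entries, network):
    """Top-down, first match wins; no match at all is the implicit deny any."""
    target = int(ipaddress.IPv4Address(network))
    for e in entries:
        care = ALL_ONES & ~e.wildcard          # bits that must match exactly
        if target & care == e.address & care:
            return e.action == "permit"
    return False


def parse_distribute_lists(config_lines):
    """Map (direction, interface) -> ACL number for each distribute-list line.

    A distribute-list with no interface applies to the whole routing process
    and is recorded under the interface name None.
    """
    applied = {}
    for raw in config_lines:
        parts = raw.split()
        if len(parts) >= 3 and parts[0] == "distribute-list":
            interface = parts[3] if len(parts) > 3 else None
            applied[(parts[2], interface)] = parts[1]
    return applied


def filter_routes(config_lines, direction, interface, routes):
    """Routes that survive the filter: installed for "in", advertised for "out".

    With no distribute-list configured (Listings 1.15 and 1.16) every route passes.
    """
    applied = parse_distribute_lists(config_lines)
    number = applied.get((direction, interface), applied.get((direction, None)))
    if number is None:
        return list(routes)
    entries = parse_standard_acl(config_lines, number)
    return [r for r in routes if acl_permits(entries, r)]


# Constructed inputs that mirror the book's listings (assumed, not captured).
ROUTES_FROM_A = ["10.10.10.0", "10.10.11.0", "10.10.12.0"]
ROUTER_B_NO_FILTER = ["router rip", "version 2", "network 10.0.0.0",
                      "network 192.168.10.0", "no auto-summary"]
ROUTER_B_LISTING_1_18 = ROUTER_B_NO_FILTER[:4] + [
    "distribute-list 1 in Serial0/0", "no auto-summary", "!",
    "access-list 1 permit 10.10.12.0"]
ROUTER_A_LISTING_1_25 = ["router eigrp 50", "network 10.0.0.0",
                         "network 192.168.10.0", "distribute-list 3 out Serial0/0",
                         "no auto-summary", "!", "access-list 3 permit 10.10.12.0"]


def router_b_installs_without_filter():
    return filter_routes(ROUTER_B_NO_FILTER, "in", "Serial0/0", ROUTES_FROM_A)


def router_b_installs_with_filter():
    return filter_routes(ROUTER_B_LISTING_1_18, "in", "Serial0/0", ROUTES_FROM_A)


def router_a_advertises_with_filter():
    # Outbound: what Router A still sends toward Router B under Listing 1.25.
    return filter_routes(ROUTER_A_LISTING_1_25, "out", "Serial0/0", ROUTES_FROM_A)


if __name__ == "__main__":
    print("Router B, no filter:   ", router_b_installs_without_filter())
    print("Router B, Listing 1.18:", router_b_installs_with_filter())
    print("Router A, Listing 1.25:", router_a_advertises_with_filter())
```

Because only the network address is compared, an entry such as access-list 1 permit 10.10.12.0 admits any route whose network is 10.10.12.0 regardless of its mask length; when the prefix length matters, a prefix list rather than a standard access list is the tool to reach for, and the model above deliberately does not pretend otherwise.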

Listing 1.26: Route table of Router B after applying an outbound route filter on Router A.
