The purpose of Interior Gateway Protocols (IGPs), and routing protocols more generally, is to advertise the existence of destination networks. Every protocol then has some method of picking what it considers the best path and maintaining that information. By default, all routes are accepted and, depending on the protocol, either the best paths to all destinations are passed to neighbors (distance vector protocols: Routing Information Protocol (RIP) and Enhanced Interior Gateway Routing Protocol (EIGRP)) or all information is passed to neighbors (link state protocols: Open Shortest Path First (OSPF) and Intermediate System to Intermediate System (ISIS)). There are occasions where that is undesirable, so all the IGPs have some method of filtering routing information. The rules differ from protocol to protocol.
With RIP and EIGRP, you can control what you advertise to other routers and what you are willing to receive from other routers, including what gets redistributed into the protocol from other sources. All the tools (ACLs for IPv4, Prefix Lists and Route Maps for both IPv4 and IPv6) are available for these distance vector protocols.
With OSPF and ISIS, there are restrictions. With link state protocols, there is an absolute rule that states all routers within the same area have to have common information originating within that area within their databases. Routes that originate within OSPF or ISIS, otherwise known as native routes, cannot be filtered within the area between the routers. You can filter native routes originating within the area from going into the local routing table, but the filtering does not stop the advertisement of the routes to other routers.
You can filter routes from redistribution before those routes become OSPF or ISIS routes. You cannot perform outbound route filtering. OSPF does allow for filtering from one area to another. The filter is known as a Link State Advertisement (LSA) type 3 database filter. Type 3 LSAs are routes or prefixes from another area. Since they don’t originate in the “next” area, they can be filtered before they get inserted into the database of that target area. Use the area x filter-list prefix command to reference a prefix list.
On Cisco routers, we use a distribute list command to filter routes inbound for all IGPs. For IPv4, the command can be followed by either an access control list (ACL) identifier, the keyword prefix-list or keyword route-map. For IPv6, ACL is not used for route filtering, so only prefix lists or route maps are used. If we specify simply that the distribute list is applied inbound, then any routes coming from any route source on any interface will pass through the policy (ACL, prefix list or route map). A match against a permit statement within the policy allows the route to be accepted. If there is a match against a deny statement, the route is rejected.
For OSPF and ISIS, the information is still placed into the link state database, and the policy is applied when determining what information from the database is placed into the routing table. Because link state protocols must flood intra-area information to all other routers, the filter does not stop the information from being sent to other routers. If filtering is done on one router in the path to a destination, it should be done on all the routers in the path to avoid confusing those who have to support the routers. If the route shows up in the routing tables of some routers along the path but not others, that can be confusing.
An inbound distribute list can be tied to the interface on which the update is received, so that only routes received on that interface are filtered. If the distribute list is applied outbound without reference to an interface or protocol, the protocol passes its outgoing updates through the policy to see what can be advertised out all interfaces. If you specify an outgoing interface, the policy applies only to updates sent to routers on that interface. Using a distribute list to control what is sent out one interface or all interfaces can only be done with RIP and EIGRP. If the distribute list is applied outbound with reference to a protocol, it affects the routes that are redistributed from the source protocol into the target protocol. This can be used with any IGP to control the redistribution process.
You can use an ACL (IPv4 only), prefix list or route map for filtering. The ACL and prefix list match on the route to be permitted or denied. ISIS allows us to match on route source with a prefix list by applying a gateway filter. Route maps give us more flexibility. With a route map, I can match on the following attributes: route, route source, interface, metric type (OSPF), route type (ISIS), route metric and tag. Once you have a match, you can manipulate other attributes, such as metrics, next hop or route tag. Or you can use the route map as a filter.
Here’s an example of how to filter from one area to another in OSPF.
Before the filter:
R1# sh ip ospf data
OSPF Router with ID (10.1.101.1) (Process ID 1)
Router Link States (Area 0)
Link ID         ADV Router      Age   Seq#        Checksum  Link count
10.1.101.1      10.1.101.1      1480  0x80000006  0x002739  2
10.1.101.9      10.1.101.9      1399  0x80000004  0x001467  5
Summary Net Link States (Area 0)
Link ID         ADV Router      Age   Seq#        Checksum
10.2.120.0      10.1.101.1      0     0x80000001  0x009DA8
11.1.1.1        10.1.101.1      0     0x80000001  0x00BEFC
12.1.1.0        10.1.101.1      1480  0x80000004  0x00B503
13.1.1.0        10.1.101.1      1480  0x80000001  0x00AE0C
14.1.1.0        10.1.101.1      1480  0x80000001  0x00A118
15.1.1.0        10.1.101.1      1480  0x80000001  0x009424
16.1.1.0        10.1.101.1      1480  0x80000001  0x008730
The database filter:
router ospf 1
 area 1 filter-list prefix FromArea1 out
 network 10.2.100.1 0.0.0.0 area 0
 network 10.2.120.1 0.0.0.0 area 1
!
ip prefix-list FromArea1 seq 5 permit 12.1.1.0/24
ipv6 router eigrp 100
!
After the filter:
sh ip ospf data
OSPF Router with ID (10.1.101.1) (Process ID 1)
Router Link States (Area 0)
Link ID         ADV Router      Age   Seq#        Checksum  Link count
10.1.101.1      10.1.101.1      1667  0x80000006  0x002739  2
10.1.101.9      10.1.101.9      1586  0x80000004  0x001467  5
Summary Net Link States (Area 0)
Link ID         ADV Router      Age   Seq#        Checksum
12.1.1.0        10.1.101.1      1667  0x80000004  0x00B503
Router Link States (Area 1)
Link ID         ADV Router      Age   Seq#        Checksum  Link count
10.1.101.1      10.1.101.1      1667  0x80000005  0x00142C  1
10.2.120.3      10.2.120.3      1461  0x8000000A  0x008CBC  7
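The filter above, modeled as an added example (not code from the original article or from Cisco): a small Python evaluator for prefix-list entries, run over the seven summary prefixes from the "before" output. It shows why the single permit entry removes the other six prefixes, because a prefix list ends in an implicit deny, and it goes beyond the page's one entry by also handling ge/le. The prefix lengths and the DENY_ONE variant are assumptions.

```python
import ipaddress

# Summary (type 3) Link IDs from the "before" output. Prefix lengths are
# assumed: the database summary view on the page does not print masks.
BEFORE = ["10.2.120.0/24", "11.1.1.1/32", "12.1.1.0/24", "13.1.1.0/24",
          "14.1.1.0/24", "15.1.1.0/24", "16.1.1.0/24"]

PAGE_LIST = ["seq 5 permit 12.1.1.0/24"]          # entry from the page
DENY_ONE = ["seq 5 deny 13.1.1.0/24",             # hypothetical variant
            "seq 10 permit 0.0.0.0/0 le 32"]


def parse_entry(line):
    """Parse 'seq N permit|deny A.B.C.D/len [ge X] [le Y]'."""
    tok = line.split()
    net = ipaddress.ip_network(tok[3])
    opts = dict(zip(tok[4::2], map(int, tok[5::2])))
    if opts:
        lo = opts.get("ge", net.prefixlen)   # without ge: from the entry's length
        hi = opts.get("le", 32)              # without le: up to /32
    else:
        lo = hi = net.prefixlen              # no ge/le: exact length only
    return int(tok[1]), tok[2], net, lo, hi


def evaluate(entries, route):
    """Return the action of the first matching entry, lowest seq first."""
    r = ipaddress.ip_network(route)
    for _seq, action, net, lo, hi in sorted(entries, key=lambda e: e[0]):
        if r.subnet_of(net) and lo <= r.prefixlen <= hi:
            return action
    return "deny"  # implicit deny: anything not explicitly permitted is dropped


def filter_lsa3(config_lines, prefixes):
    """Prefixes that would still be advertised as type 3 LSAs."""
    entries = [parse_entry(line) for line in config_lines]
    return [p for p in prefixes if evaluate(entries, p) == "permit"]


if __name__ == "__main__":
    print(filter_lsa3(PAGE_LIST, BEFORE))
    print(filter_lsa3(DENY_ONE, BEFORE))
```

To block a single prefix and keep the rest, the list needs an explicit catch-all permit after the deny, as in the DENY_ONE variant.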
Here’s an example of how to use a route map to filter and set metrics for redistribution:
DSWA#sh run int loopback 99
!
interface Loopback99
 ip address 12.1.1.1 255.255.255.0 secondary
 ip address 13.1.1.1 255.255.255.0 secondary
 ip address 14.1.1.1 255.255.255.0 secondary
 ip address 15.1.1.1 255.255.255.0 secondary
 ip address 16.1.1.1 255.255.255.0 secondary
 ip address 11.1.1.1 255.255.255.0
router eigrp 100
 network 10.0.0.0
 redistribute connected route-map MyLoops
 passive-interface Vlan10
 passive-interface Vlan30
 passive-interface Vlan20
 eigrp stub connected summary
!
route-map MyLoops permit 10
 match interface Loopback99
 set metric 10000 1000 255 1 150
 set tag 99
!
DSWA#show ip eigrp topology
EIGRP-IPv4 Topology Table for AS(100)/ID(10.2.120.3)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply, r - reply Status, s - sia Status
P 14.1.1.0/24, 1 successors, FD is 128256
via Rconnected (128256/0)
P 16.1.1.0/24, 1 successors, FD is 128256
via Rconnected (128256/0)
P 10.2.130.0/24, 1 successors, FD is 21024512
via 10.2.120.1 (21024512/21024256), GigabitEthernet0/1
P 10.2.100.0/24, 1 successors, FD is 2170112
via 10.2.120.1 (2170112/2169856), GigabitEthernet0/1
P 15.1.1.0/24, 1 successors, FD is 128256
via Rconnected (128256/0)
P 10.1.101.1/32, 1 successors, FD is 130816
via 10.2.120.1 (130816/128256), GigabitEthernet0/1
P 13.1.1.0/24, 1 successors, FD is 128256
via Rconnected (128256/0)
P 10.1.101.2/32, 1 successors, FD is 21152256
via 10.2.120.1 (21152256/21152000), GigabitEthernet0/1
P 0.0.0.0/0, 1 successors, FD is 2172672
via 10.2.120.1 (2172672/2172416), GigabitEthernet0/1
P 10.2.110.0/24, 1 successors, FD is 21024256
via 10.2.120.1 (21024256/21024000), GigabitEthernet0/1
P 10.1.101.9/32, 1 successors, FD is 2298112
via 10.2.120.1 (2298112/2297856), GigabitEthernet0/1
P 10.2.120.0/24, 1 successors, FD is 2816
via Connected, GigabitEthernet0/1
P 12.1.1.0/24, 1 successors, FD is 128256
via Rconnected (128256/0)
P 11.1.1.0/24, 1 successors, FD is 128256
via Rconnected (128256/0)
DSWA# show ip eigrp topology 12.1.1.0/24
EIGRP-IPv4 Topology Entry for AS(100)/ID(10.2.120.3) for 12.1.1.0/24
State is Passive, Query origin flag is 1, 1 Successor(s), FD is 128256
Descriptor Blocks:
0.0.0.0, from Rconnected, Send flag is 0x0
Composite metric is (512000/0), route is External
Vector metric:
Minimum bandwidth is 10000 Kbit
Total delay is 10000 microseconds
Reliability is 255/255
Load is 1/255
Minimum MTU is 150
Hop count is 0
Originating router is 10.2.120.3
External data:
AS number of route is 0
External protocol is Connected, external metric is 0
Administrator tag is 99 (0x00000063)
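How the route map produces the topology entry above, as an added example (not code from the original article or from Cisco): a Python model of route-map MyLoops applied to DSWA's connected routes, followed by the classic EIGRP composite metric computed from the set metric values. It assumes default K values (K1 = K3 = 1) and that the set metric delay is given in tens of microseconds; the class and function names are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class Route:
    prefix: str
    interface: str
    metric: tuple = None   # (bandwidth Kbit, delay in 10s of usec, rel, load, MTU)
    tag: int = 0


# Connected routes on DSWA as they appear in the page's output.
CONNECTED = [Route(f"{n}.1.1.0/24", "Loopback99") for n in range(11, 17)]
CONNECTED.append(Route("10.2.120.0/24", "GigabitEthernet0/1"))

# route-map MyLoops as (seq, action, match interface, set metric, set tag).
MY_LOOPS = [(10, "permit", "Loopback99", (10000, 1000, 255, 1, 150), 99)]


def apply_route_map(route_map, route):
    """First matching sequence wins; no match at all is an implicit deny."""
    for _seq, action, match_if, set_metric, set_tag in sorted(
            route_map, key=lambda e: e[0]):
        if route.interface != match_if:
            continue
        if action == "deny":
            return None
        return Route(route.prefix, route.interface, set_metric, set_tag)
    return None


def composite_metric(bw_kbit, delay_tens_usec):
    """Classic EIGRP metric with default K values: 256 * (10^7/BW + delay)."""
    return 256 * (10**7 // bw_kbit + delay_tens_usec)


def redistribute(route_map, routes):
    """Map each redistributed prefix to (composite metric, tag)."""
    out = {}
    for r in routes:
        res = apply_route_map(route_map, r)
        if res is not None:
            out[res.prefix] = (composite_metric(res.metric[0], res.metric[1]),
                               res.tag)
    return out


if __name__ == "__main__":
    for prefix, (metric, tag) in redistribute(MY_LOOPS, CONNECTED).items():
        print(prefix, metric, tag)
```

The result for 12.1.1.0/24 matches the composite metric 512000 and administrator tag 99 in the topology entry, while 10.2.120.0/24 on GigabitEthernet0/1 never matches the route map and is not redistributed.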
There may be different reasons for limiting the routes being received or sent to other routers—perhaps a security concern, reduction in complexity of the receiving routers, extranet or Internet routes. Whatever the rationale, there are options.