[
interface-type/number]
The power to manipulate the advertised or received metric allows the offset list to be used as route filtering tool. For example: an offset list configured with offset 16 will mark the route as invalid due an infinite metric in RIP. Similarly Offset-list can be used in EIGRP to increase the value of the reported distance of a prefix received from a neighbor. In EIGRP offset-list apply only to the delay component of a composite metric.
If ACL number 0 is specified in the offset-list command then it applies to all routes. Offset list can be applied either globally to the routing process or to routes learned from a specific interface.
Consider figure-1. R1 and R2 are advertising 192.168.1.0 and 172.16.2.0 respectively with default metric.. The routing protocol is RIP.
FIGURE-1: Offset-List Example
|
R2#sh ip route rip
R 192.168.1.0/24 [120/1] via 10.1.1.1, 00:00:19, Serial0/1
|
Now R2 wants to filter (or block) 192.168.1.0/24 from R1. The following illustrates the configuration details. On R2:
|
R2#show running-config | section router rip|ip access-list
router rip
version 2
offset-list R2<-R1_ROUTES in 15 Serial0/1
network 10.0.0.0
network 172.16.0.0
no auto-summary
!
ip access-list standard R2<-R1_ROUTES
permit 192.168.1.0 0.0.0.255
R2#clear ip route * ß Always refresh the routing table after applying filters
|
Verification
|
R2# debug ip rip
RIP: received v2 update from 10.1.1.1 on Serial0/1
192.168.1.0/24 via 0.0.0.0 in 16 hops (inaccessible)
|
Lets take an another example. This time R2 want R1 to think that 172.16.2.0 is in-accessible. The relevant configuration is as under:
|
R2#show running-config | section router rip|ip access-list
router rip
version 2
offset-list R2_ROUTES->R1 out 15 ß Offset applied (globally) to 172.16.2.0 learned from any RIP neighbor.
network 10.0.0.0
network 172.16.0.0
no auto-summary
!
ip access-list standard R2_ROUTES->R1
permit 172.16.2.0 0.0.0.255
R2#clear ip route *
|
Distribute List
Distribute list is supported with RIP, EIGRP and OSPF. With RIP and EIGRP it is can affect both the topology table and IP routing table since routes are filtered directly as they received. OSPF is an exception since OSPF advertises link-states not routes and routing table is built using the link state database. So distribute-lists in OSPF can only be used to prevent a route from being installed in the routing table but the actual LS database cannot be altered using the distribute list command.
distribute-list [[access-list-number | name] | [route-map map-tag]] {in|out} [interface-type/number]
Distributes list, like offset list can be applied to all updates or to update send/receive on specific interface. The route-map is only supported with EIGRP and OSPF.
Example
Let us consider figure-1 (again) but R1 is also advertising another network 188.1.1.0/24 to R2. The routing table before filtering is:
|
R2#sh ip route rip
188.1.0.0/24 is subnetted, 1 subnets
R 188.1.1.0 [120/1] via 10.1.1.1, 00:00:07, Serial0/0
R 192.168.1.0/24 [120/1] via 10.1.1.1, 00:00:15, Serial0/0
|
Now R2 does not want to receive 188.1.1.0/24 from R1.
|
R2#show running-config | section router rip|ip access-list
router rip
version 2
network 10.0.0.0
network 172.16.0.0
distribute-list R1_188_SUBNET in
no auto-summary
!
ip access-list standard R1_192_SUBNET
permit 188.1.1.0 0.0.0.255
|
The routing table after route filtering:
|
R2#sh ip route rip
R 192.168.1.0/24 [120/1] via 10.1.1.1, 00:00:15, Serial0/0
|
Now if we want to filter on the basis of both the prefix and source advertising it. In this case R1 is the source and 188.1.1.0/24 is the prefix. We would need either prefix list or an extended access list. Only relevant syntax is shown below:
|
R2#show running-config | section router rip|ip access-list
router rip
version 2
network 10.0.0.0
network 172.16.0.0
distribute-list R1_188_SUBNET_ONLY in
no auto-summary
!
ip access-list extended R1_188_SUBNET_ONLY
permit ip host 10.1.1.2 host 188.1.1.0
|
The same effect can also achieve with a prefix list (only relevant command shown):
|
ip prefix-list 188_ROUTE permit 188.1.1.0/24
ip prefix-list SOURCE_R1 permit 10.1.1.2/24
!
router rip
distribute-list prefix 188_ROUTE gateway SOURCE_R1 in
|
Why use an Extended ACL or Prefix-List over Standard ACL?
The problem with standard ACL is that it can match on Address Field only. No consideration to Subnet-Mask. If we have two networks of 188.1.1.0 (say: 188.1.1.0/24 and 188.1.1.0/26) being advertised by R1, both of the network will be filtered if standard ACL is used. An extended ACL or prefix list on the other hand not only matches the subnet number but it also considers the subnet-mask of the specified network.
Further with extended ACL or prefix list, filtering can also be performed on the basis of source advertising the specified prefix.
Distance
Distance or Administrative Distance (AD) defines a trustworthiness of a route. AD is used if same prefix is learned from different routing protocols. For example: if a prefix is learned from both RIP and EIGRP, route learned from EIGRP is preferred (AD=90). Routes with maximum AD = 255 are not installed in the IP routing table. AD is significant locally on a router.. The syntax is as under:
distance distance ip-address wildcard-mask [ip-standard-acl | ip-extended-acl | access-list-name]
Now look at some example, how distance can be used to filter routes. Consider figure-1 (again). First let us see how distance command behaves. The simplest example is provided with RIP.
Example:
Before applying distance:
|
R2#sh ip route rip
188.1.0.0/24 is subnetted, 1 subnets
R 188.1.1.0 [120/1] via 10.1.1.1, 00:00:04, Serial0/1
R 192.168.1.0/24 [120/1] via 10.1.1.1, 00:00:04, Serial0/1
|
After applying distance command:
Route table:
|
R2#sh ip route rip
188.1.0.0/24 is subnetted, 1 subnets
R 188.1.1.0 [115/1] via 10.1.1.1, 00:00:04, Serial0/1
R 192.168.1.0/24 [115/1] via 10.1.1.1, 00:00:04, Serial0/1
|
We can change the distance of the prefix 188.1.1.0/24 on R2 to the maximum distance such that it is not installed in the routing table.
|
ip access-list standard R1_188_ROUTE
permit 188.1.1.0 0.0.0.255
!
router rip
distance 115
distance 255 10.1.1.1 255.255.255.255 R1_188_ROUTE
|
Let us verify the routing table.
|
R2#clear ip route *
R2#sh ip route rip
R 192.168.1.0/24 [115/1] via 10.1.1.1, 00:00:05, Serial0/1
|
Globally the distance for IP process is set to 115, but 188.1.1.0/24 received from R1 will not be installed since it is set with an AD=255.
This brings us to the end of this article in which we covered different ways of route manipulation and filtering. There are several other ways and techniques to carry out route manipulation and filtering, some are specific to particular routing protocol while others are used for all protocols.
