CCIE Topic: 1.2f Route Filtering

Captions
Hey everyone, I'm Charles Judd, and in this video we're going to look at the 1.2f topic of route filtering. The CCIE blueprint tells us we should be familiar with using route filtering for any protocol, and here I want to take a look at a couple of examples of that using prefix lists and route maps.

So first let's look at prefix lists. In many ways prefix lists are similar to an access control list: they contain ordered entries that are processed sequentially from top to bottom; as soon as a prefix match is found against a prefix list, processing stops; and at the end of a prefix list we have an implicit deny any statement. So all of those characteristics are similar to ACL function. However, prefix lists can be processed much faster, putting less load on the router's CPU. Also, as opposed to access lists, which we would use to filter traffic when applied to an interface, prefix lists are mainly used to filter routes themselves. Whereas a typical ACL matches only the bits specified by the wildcard mask, a prefix list can also match the subnet mask, and we can specify that as a range to be either permitted or denied.

So let's break down the format of a prefix list command, and then we'll test that out in the command line. We start with the command ip prefix-list, followed by a case-sensitive name for that prefix list; in this example you can see that this one is simply called LIST in all caps. After that we can optionally specify a sequence number; if we don't, then the initial entry will start with sequence number 5, and that's going to increment by 5 for each new entry. We then follow that with either a permit or a deny statement, and then the network prefix and prefix length. This is going to be in CIDR notation, so for example here you can see we are denying routes that match the 192.168.10.0 network with a subnet mask of 255.255.255.0, which is /24 in CIDR notation. At the end we can optionally use the keywords ge or le, which mean greater than or equal to and less than or equal to. In this case we have the le value, less than or equal to, meaning that we're going to match routes on the /24 prefix length all the way to the /32 prefix length. Now, you don't have to specify ge or le, and if you don't, then the prefix list is going to look for an exact match instead. And at the end, of course, we would need to make sure we allow all other traffic, just as we do with an access control list, because remember we have an implicit deny any statement at the end. With a prefix list that would look like an all-zeros network with a /0 mask, matching all the way up to a /32 mask, so we would say le 32.

So here's a very simple topology that we're going to use to take a look: just a couple of interconnected routers. You can see that on router 2 I have five networks configured on loopback interfaces; all of these are being advertised into my EIGRP process, and we of course have an EIGRP neighborship between these two routers, so all of the routes are currently being advertised over to R1. Let's connect first to router 2 and say show ip interface brief, and we can see all of our loopback interfaces here, configured as we see in our topology. Now if we say show run | section router eigrp, we're going to be able to see all of these networks being advertised into EIGRP as well, so we do see all of those loopbacks listed here; that's good. Let's go to router 1 and say show ip route, and you can see that all of our networks learned via EIGRP are here; all five of those are in our IP routing table.

So let's look at filtering these with a prefix list. First let's very specifically filter one of these networks. Let's say ip prefix-list, and we can follow that with a name for our prefix list; I'm just going to call this one FILTER in all caps. If we look at contextual help, we can optionally indicate a sequence number, we can create a description for the prefix list to help us identify it, or we can go to the permit and deny statements. Now in my case I'm going to skip those optional parameters and just say deny, followed by the prefix in CIDR notation. Let's actually go back to R2 and take a look; let's filter the 192.168.10.128 network, and you can see that that has a /28 subnet mask. So back on R1 let's say 192.168.10.128/28, and if we look at contextual help again, we're going to see the prefix-length options that we mentioned earlier: we have the ge and le options for greater than or equal to and less than or equal to. Now, since I'm being very specific here with a single route, I'm not going to use those at the moment; I'm going to tell it that my route should match exactly what this entry is. So I'm going to hit enter, and now let's add our permit statement at the end to permit all of our other networks. I'm going to arrow up, and instead of deny I'm going to say permit 0.0.0.0/0 le 32.

And now we need to actually apply our prefix list, and in this case we need to do that under our router EIGRP process. So let's say router eigrp 1, and we need to use the command distribute-list here; that's going to add a route filter policy. If we look at contextual help, in addition to the prefix keyword we can also use a route map; you see that at the bottom. Again, what we're going to use is prefix, so let's say prefix and reference the prefix list that we created, which was named FILTER, and finally we need to indicate a direction; we want to do that on this router in the inbound direction. In just a moment we're going to see our EIGRP neighbor resync message come into our console, and that's going to indicate that our route configuration has changed; we see that just happened as I was saying that. So let's break out of here and again say show ip route, and this time you're going to notice that the route that we specifically filtered, the /28 route, is missing from the routing table. We see the .64/27 and the .160/29, but we no longer see the .128/28 route, which is exactly what we would want to see here.

Now we can also filter out a range of networks by using those ge and le modifiers that I mentioned earlier. So first let's go back under global configuration mode; we'll say ip prefix-list, and I'm just going to make a new list here; I'm going to call this FILTER2, and let's filter the range from /28 to /30. To do that I would say deny 192.168.10.0/24, and I'm going to specify that our route match should be greater than or equal to /28 and less than or equal to 32. Once I hit enter we can again add our permit-all statement at the end, so we'll say ip prefix-list FILTER2 permit, our all-zeros network and subnet mask, and le 32. Now let's again go under router eigrp 1 and apply the prefix list by saying distribute-list prefix, and the name of course is FILTER2; we'll do that also in the inbound direction. We'll hit enter, and again we're going to see our resync messages come into the console as the route configuration changes; we had those messages, so I'll exit and again say show ip route. If we take a look at our routing table now, you'll see that we only have the /26 and /27 networks, so all of our other routes, which were ranging from /28 to /30, are now all missing from our IP routing table because we have effectively filtered those out.

We can also use route maps for filtering, so let's take a look at that. Let's actually go in here under my EIGRP process; I want to remove this filtering from my configuration so that we have all of our routes known again. So let me arrow up and prepend the no keyword: no distribute-list prefix FILTER2 in. That should take care of everything; we should see another resync message shortly, and if we say show ip route we can take a look at our routing table, and we should have full awareness of all of those routes again. And we do, so that's good; we're back to normal. Now if you're not familiar with the concept of a route map, I would say go back and watch my 1.2d policy-based routing video. In that video I discussed the structure and the logic of a route map, so I'm going to proceed here as if we already understand how to use a route map; but again, if you need more information about those, go and check out the 1.2d policy-based routing video.

So now that we have all of our routes again, let's go under global configuration mode, and for this route map let's create an access control list. Let's say ip access-list standard, and I'm just going to name this LIST, and now we can identify a route for filtering with a permit statement. So let's filter out the 192.168.10.64/27 network: I'm going to say permit 192.168.10.64 with a 0.0.0.31 wildcard mask; very simple. Let's exit here and now create our route map. Let's say route-map; we need to give that a name; I'm just going to name this one MAP in all caps, and I'm first going to say deny to create our first deny statement. When I hit enter we're under route-map configuration mode, so I'm going to match based on the IP address listed in the ACL named LIST; that's the name of the ACL that we just created. Let's hit enter, break out of here, and do some verification before we move forward: let's say show route-map, and we can see we have our deny policy in place; the match clause is set to the IP address indicated by the access control list named LIST. Now one thing I still need to do is add a permit statement to my route map, so let's do that: let's go under global configuration mode, route-map MAP permit. And I'll tell you what, I'm going to hit enter; I shouldn't hit enter here, but I'm going to do that because I want to show you what happens when we do. If I hit enter, break out, and again say show route-map, take a look at that: notice that when I hit enter my original match clause was overwritten, so now I have a permit sequence here matching on the access control list. That's because I didn't indicate a sequence number. When we do these with route maps we need to specifically tell it a sequence number, or it's going to automatically overwrite sequence number 10.

So let's go back and fix that: route-map MAP deny; this is placing my original sequence number 10 deny statement in there, and I'm going to match that against the access control list named LIST. Now I can put in my permit-all statement by saying route-map MAP permit, but this time I want to indicate my sequence number; I'm going to make that sequence number 20, and that's going to make sure that it's at the end of the route map. So if I hit enter, break out, and again do a quick show command, this time we see both of our sequence numbers: we see the deny statement matching on the access control list, and we see our permit-all statement at the end of that. Also notice, by the way, that our permit-all statement doesn't require any match statement to be set; we don't have to match that to an ACL or a prefix list at all. From here it's basically the same to apply this to our EIGRP process as we looked at with prefix lists: let's go under router eigrp 1 and say distribute-list, and this time instead of saying prefix we want to say route-map, followed by the name, which is of course MAP, and we want to do that in the inbound direction. Once again we're going to see some resync messages as this process resets and our route configuration changes; we'll see those come into our console shortly, and we see that now. So now if we say show ip route, you'll see that of course we've filtered out that /27 route; we have the /28 and /26, and we've effectively filtered that out.

Now at this point you're probably thinking, well, why would I use a route map? That's a lot more work than just doing a normal prefix list; there's a lot more configuration involved. And that's true, but we're not really using the route map to its full potential here. These are very commonly used for route redistribution between protocols, and we can get really specific and complicated by using combinations of filtering techniques. So one way we can do that: let's actually go ahead and create a new prefix list. I'll say ip prefix-list, name that FILTER3, and this time I'm going to say permit. A very important note: we're using the permit statement because I'm going to attach this to the route map, so this is the same principle as we see with an ACL; we're simply identifying traffic, we're not filtering it in this case. That's why we're using permit here, instead of the deny statement that we used when we were only referencing a prefix list without a route map. So I'm going to say permit and match on 192.168.10.0/24, greater than or equal to 28 and less than or equal to 32. So essentially all of our routes greater than or equal to /28 should be filtered when we're finished here; the only route left in our routing table should be the /26 route, because remember we've already filtered the /27 route with our normal route-map sequencing. So now let's say route-map; the name of that is of course MAP; I'm going to say deny. Now remember, if I hit enter here that's going to overwrite sequence number 10, so I want to specifically state the sequence number here. I definitely want that to be above my permit-all statement that's already in my route map, so I'm going to say sequence number 20 here; that's going to put it right underneath the processing of my access control list. So I'll hit enter, and I'm going to match ip address, and instead of referencing an access control list here I can say prefix-list and call out the name of the prefix list that I just created, which is FILTER3.

Now if I hit enter, we want to be sure, since we just overwrote our original permit statement in the route map, that we put that back as well. So let's say route-map MAP (and you did just see the route configuration change, so we do have some things happening in the background), and we want to say permit, and this time we want to say 30 to add that to the end of our route map. So now if we say show route-map and take a look at that configuration, we have three different sequences happening: first we're matching and denying based on the access control list named LIST; second we're also denying and matching on the prefix list called FILTER3; and then finally we have our permit-any statement at the end of that route map. So now let's say show ip route, and what we should see is only that /26 network left in our routing table. Let's see if that's true: yes, that is true; we only see the 192.168.10.0/26 route, as we would expect with the configuration that we have in place. So that's a look at route filtering using prefix lists and route maps. I hope you found this content useful, and I want to thank you sincerely for watching.
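The prefix-list matching rules described above (top-down processing, first match stops, exact prefix length when no ge/le is given, ge/le as a length range, implicit deny at the end) and the route-map sequencing (numbered sequences, a sequence with no match clause matching everything) as an added Python model. This is not code from the video or from Cisco; it parses IOS-style prefix-list lines and evaluates them against R2's five loopback prefixes. The /30 loopback is never named in the video, so 192.168.10.168/30 is a constructed stand-in, and the ACL and route map are encoded as Python data rather than parsed from CLI text.

```python
import ipaddress
import re

# Constructed IOS-style prefix-list lines mirroring the FILTER, FILTER2 and FILTER3
# lists built in the video (seq 5 and 10 are what IOS assigns when none is typed).
PREFIX_LIST_CONFIG = """
ip prefix-list FILTER seq 5 deny 192.168.10.128/28
ip prefix-list FILTER seq 10 permit 0.0.0.0/0 le 32
ip prefix-list FILTER2 seq 5 deny 192.168.10.0/24 ge 28 le 32
ip prefix-list FILTER2 seq 10 permit 0.0.0.0/0 le 32
ip prefix-list FILTER3 seq 5 permit 192.168.10.0/24 ge 28 le 32
"""

# R2's five loopback networks; the /30 is not named in the video, so
# 192.168.10.168/30 is a constructed stand-in.
R2_ROUTES = ["192.168.10.0/26", "192.168.10.64/27", "192.168.10.128/28",
             "192.168.10.160/29", "192.168.10.168/30"]

# Standard ACL LIST from the video: (action, address, wildcard mask).
ACLS = {"LIST": [("permit", "192.168.10.64", "0.0.0.31")]}

# Route-map MAP after the fix: explicit sequence numbers, permit-all last.
# A match of None models a sequence with no match clause (matches every route).
ROUTE_MAP = [
    (10, "deny", ("acl", "LIST")),
    (20, "deny", ("prefix-list", "FILTER3")),
    (30, "permit", None),
]

ENTRY_RE = re.compile(
    r"^ip prefix-list (?P<name>\S+)(?: seq (?P<seq>\d+))? (?P<action>permit|deny) "
    r"(?P<prefix>\S+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)

def parse_prefix_lists(config):
    """Parse into {name: [(seq, action, network, ge, le), ...]} ordered by seq."""
    lists = {}
    for line in config.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable prefix-list line: {line!r}")
        entries = lists.setdefault(m["name"], [])
        # Without an explicit seq, IOS starts at 5 and adds 5 per new entry.
        seq = int(m["seq"]) if m["seq"] else (entries[-1][0] + 5 if entries else 5)
        ge = int(m["ge"]) if m["ge"] else None
        le = int(m["le"]) if m["le"] else None
        entries.append((seq, m["action"], ipaddress.ip_network(m["prefix"], strict=False), ge, le))
    for entries in lists.values():
        entries.sort(key=lambda e: e[0])
    return lists

def prefix_entry_matches(entry, route):
    """The route must sit inside the entry's prefix and its length must be in range."""
    _seq, _action, net, ge, le = entry
    if not route.subnet_of(net):
        return False
    if ge is None and le is None:
        return route.prefixlen == net.prefixlen  # no ge/le: exact prefix length only
    low = ge if ge is not None else net.prefixlen  # ge absent: start at the entry's own length
    high = le if le is not None else route.max_prefixlen  # le absent: up to /32
    return low <= route.prefixlen <= high

def evaluate_prefix_list(entries, route):
    """Top-down; the first matching entry stops processing; implicit deny at the end."""
    for entry in entries:
        if prefix_entry_matches(entry, route):
            return entry[1]
    return "deny"

def acl_matches(acl, route):
    """Standard ACL as a route matcher: compare the network address under the wildcard mask."""
    for action, addr, wildcard in acl:
        wild = int(ipaddress.IPv4Address(wildcard))
        if (int(route.network_address) & ~wild) == (int(ipaddress.IPv4Address(addr)) & ~wild):
            return action == "permit"
    return False

def evaluate_route_map(route_map, route, prefix_lists, acls):
    """Sequences in order; no match clause means match all; implicit deny at the end."""
    for _seq, action, match in sorted(route_map, key=lambda s: s[0]):
        if match is None:
            return action
        kind, name = match
        if kind == "acl" and acl_matches(acls[name], route):
            return action
        if kind == "prefix-list" and evaluate_prefix_list(prefix_lists[name], route) == "permit":
            return action
    return "deny"

def routes_after_prefix_list(list_name, routes=R2_ROUTES, config=PREFIX_LIST_CONFIG):
    """Routes that survive 'distribute-list prefix <list_name> in' on R1."""
    lists = parse_prefix_lists(config)
    return [r for r in routes
            if evaluate_prefix_list(lists[list_name], ipaddress.ip_network(r)) == "permit"]

def routes_after_route_map(route_map=ROUTE_MAP, routes=R2_ROUTES,
                           config=PREFIX_LIST_CONFIG, acls=ACLS):
    """Routes that survive 'distribute-list route-map MAP in' on R1."""
    lists = parse_prefix_lists(config)
    return [r for r in routes
            if evaluate_route_map(route_map, ipaddress.ip_network(r), lists, acls) == "permit"]

if __name__ == "__main__":
    for name in ("FILTER", "FILTER2"):
        print(f"after prefix-list {name}:", routes_after_prefix_list(name))
    print("after route-map MAP:", routes_after_route_map())
```

Running it reproduces the three routing-table states seen in the video: FILTER removes only the .128/28 route, FILTER2 removes everything from /28 to /30, and MAP leaves only 192.168.10.0/26. Two points worth noting in the model: FILTER3 on its own would deny the /26 because a prefix list with no permit-all entry falls through to the implicit deny, which is exactly why it is used as a match clause inside the route map rather than applied directly; and a /29 that lies inside 192.168.10.128/28 is not caught by FILTER, because an entry without ge or le matches that prefix length only.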
Info
Channel: Charles Judd
Views: 1,018
Keywords: cisco, ccie, cisco enarsi, ccie enterprise infrastructure, cisco enarsi 300-410, cisco encor 350-401, ccie lab, my ccie journey, ccie training, ccie blueprint, section 1.2, routing concepts, 1.2 routing concepts, cisco routing, routing table, route filtering, route maps, prefix list, eigrp, distribute list, access control list, ACL
Id: Rv3f2cEOhP0
Length: 18min 27sec (1107 seconds)
Published: Mon Sep 07 2020