How to Control IGP Updates with Route Maps and Distribute Lists

The purpose of Interior Gateway Protocols (IGPs), and routing protocols more generally, is to advertise the existence of destination networks. All protocols then have some method of picking what they consider to be the best path and maintaining that information. By default, all routes are accepted and, depending on the protocol, either all best paths to destinations are passed to neighbors (the distance vector protocols, Routing Information Protocol (RIP) and Enhanced Interior Gateway Routing Protocol (EIGRP)) or all information is passed to neighbors (the link state protocols, Open Shortest Path First (OSPF) and Intermediate System to Intermediate System (ISIS)). There are occasions where that is undesirable, so all the IGPs have some method of filtering routing information. The rules differ from protocol to protocol.

With RIP and EIGRP, you can control what you advertise to other routers and what you are willing to receive from other routers, including what gets redistributed into the protocol from other sources. All the tools (ACLs for IPv4, Prefix Lists and Route Maps for both IPv4 and IPv6) are available for these distance vector protocols.

With OSPF and ISIS, there are restrictions. With link state protocols, there is an absolute rule that states all routers within the same area have to have common information originating within that area within their databases. Routes that originate within OSPF or ISIS, otherwise known as native routes, cannot be filtered within the area between the routers. You can filter native routes originating within the area from going into the local routing table, but the filtering does not stop the advertisement of the routes to other routers.

You can filter routes from redistribution before those routes become OSPF or ISIS routes. You cannot perform outbound route filtering. OSPF does allow for filtering from one area to another. The filter is known as a Link State Advertisement (LSA) type 3 database filter. Type 3 LSAs carry routes or prefixes from another area. Since they don’t originate in the “next” area, they can be filtered before they get inserted into the database of that target area. Use the area x filter-list prefix command to reference a prefix list.

On Cisco routers, we use a distribute list command to filter routes inbound for all IGPs. For IPv4, the command can be followed by either an access control list (ACL) identifier, the keyword prefix-list or keyword route-map. For IPv6, ACL is not used for route filtering, so only prefix lists or route maps are used. If we specify simply that the distribute list is applied inbound, then any routes coming from any route source on any interface will pass through the policy (ACL, prefix list or route map). A match against a permit statement within the policy allows the route to be accepted. If there is a match against a deny statement, the route is rejected.

For OSPF and ISIS, the information will still be placed into the link state database, and the policy is applied when determining what information from the database will be placed into the routing table. Because link state protocols must flood intra-area information to all other routers, the filter will not stop the information from being sent to other routers. If filtering is done on one router in the path to a destination, it should be done on all the routers in the path to avoid confusing those who have to support the routers. If the route shows up intermittently in different routers’ routing tables, that can be confusing.

The inbound distribute list can be made specific to the interface on which the update is received, so that only routes received there are filtered. If the distribute list is applied outbound without reference to an interface or protocol, the protocol passes its outgoing updates through the policy to decide what can be advertised out all interfaces. If you specify an outgoing interface, the policy applies only to updates sent to routers on that interface. Using a distribute list to control what is sent out an interface or all the interfaces can only be done with RIP and EIGRP. If the distribute list is applied outbound from a protocol, that affects the routes that will be redistributed from the source protocol to the target protocol. This can be used with any IGP to control the redistribution process.

You can use an ACL (IPv4 only), prefix list or route map for filtering. The ACL and prefix list will match on the route to be permitted or denied. ISIS allows us to match on route source with a prefix list by applying a gateway filter. Route maps give us more flexibility. With a route map, I can match on the following attributes: route, route source, interface, metric type (OSPF), route type (ISIS), route metric and tag. Once you have a match, you can manipulate other attributes, such as metrics, next hop or route tag. Or you can use the route map as a filter.

Here’s an example of how to filter from one area to another in OSPF.

Before the filter:

R1# sh ip ospf data

                    OSPF Router with ID (10.1.101.1) (Process ID 1)

Router Link States (Area 0)

Link ID         ADV Router      Age       Seq#           Checksum    Link count
10.1.101.1      10.1.101.1      1480      0x80000006     0x002739    2
10.1.101.9      10.1.101.9      1399      0x80000004     0x001467    5

Summary Net Link States (Area 0)

Link ID         ADV Router      Age       Seq#           Checksum
10.2.120.0      10.1.101.1      0         0x80000001     0x009DA8
11.1.1.1        10.1.101.1      0         0x80000001     0x00BEFC
12.1.1.0        10.1.101.1      1480      0x80000004     0x00B503
13.1.1.0        10.1.101.1      1480      0x80000001     0x00AE0C
14.1.1.0        10.1.101.1      1480      0x80000001     0x00A118
15.1.1.0        10.1.101.1      1480      0x80000001     0x009424
16.1.1.0        10.1.101.1      1480      0x80000001     0x008730

The database filter:

router ospf 1
 area 1 filter-list prefix FromArea1 out
 network 10.2.100.1 0.0.0.0 area 0
 network 10.2.120.1 0.0.0.0 area 1
!
ip prefix-list FromArea1 seq 5 permit 12.1.1.0/24
ipv6 router eigrp 100
!

After the filter:

sh ip ospf data

                     OSPF Router with ID (10.1.101.1) (Process ID 1)

Router Link States (Area 0)

Link ID          ADV Router     Age      Seq#            Checksum     Link count
10.1.101.1       10.1.101.1     1667     0x80000006      0x002739     2
10.1.101.9       10.1.101.9     1586     0x80000004      0x001467     5

Summary Net Link States (Area 0)

Link ID          ADV Router     Age      Seq#            Checksum
12.1.1.0         10.1.101.1     1667     0x80000004      0x00B503

Router Link States (Area 1)

Link ID          ADV Router     Age      Seq#            Checksum     Link count
10.1.101.1       10.1.101.1     1667     0x80000005      0x00142C     1
10.2.120.3       10.2.120.3     1461     0x8000000A      0x008CBC     7
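
The single permit entry removes six of the seven summaries because a prefix list ends with an implicit deny. The Python model below is an added example, not part of the original article and not Cisco code: it evaluates prefix-list entries first match wins and replays the "before" summary LSAs through FromArea1. The masks on the routes and the second list, KeepOut12, are assumptions constructed for illustration.

```python
import ipaddress
import re

# One entry: ip prefix-list NAME seq N permit|deny A.B.C.D/L [ge X] [le Y]
ENTRY = re.compile(r"ip prefix-list (\S+) seq (\d+) (permit|deny) (\S+)"
                   r"(?: ge (\d+))?(?: le (\d+))?$")

def parse_prefix_list(config, name):
    """Return entries of prefix list `name`, ordered by sequence number."""
    entries = []
    for line in config.splitlines():
        m = ENTRY.match(line.strip())
        if not m or m.group(1) != name:
            continue
        net = ipaddress.ip_network(m.group(4))
        ge, le = m.group(5), m.group(6)
        # No ge/le: exact length. ge only: up to /32. le only: from entry length.
        lo = int(ge) if ge else net.prefixlen
        hi = int(le) if le else (32 if ge else net.prefixlen)
        entries.append((int(m.group(2)), m.group(3), net, lo, hi))
    return sorted(entries, key=lambda e: e[0])

def evaluate(entries, route):
    """First matching entry decides; falling off the end is the implicit deny."""
    r = ipaddress.ip_network(route)
    for _seq, action, net, lo, hi in entries:
        if lo <= r.prefixlen <= hi and r.subnet_of(net):
            return action
    return "deny"

def filter_routes(config, name, routes):
    """Return the routes that the named prefix list permits."""
    entries = parse_prefix_list(config, name)
    return [r for r in routes if evaluate(entries, r) == "permit"]

# FromArea1 is the page's prefix list; KeepOut12 is constructed for contrast.
CONFIG = """
ip prefix-list FromArea1 seq 5 permit 12.1.1.0/24
ip prefix-list KeepOut12 seq 5 deny 12.1.1.0/24
ip prefix-list KeepOut12 seq 10 permit 0.0.0.0/0 le 24
"""
# Summary LSAs from the "before" listing; the masks are assumed, since the
# database listing shows link IDs only.
BEFORE = ["10.2.120.0/24", "11.1.1.1/32", "12.1.1.0/24", "13.1.1.0/24",
          "14.1.1.0/24", "15.1.1.0/24", "16.1.1.0/24"]

if __name__ == "__main__":
    print(filter_routes(CONFIG, "FromArea1", BEFORE))
    print(filter_routes(CONFIG, "KeepOut12", BEFORE))
```

Running a proposed prefix list against the current set of prefixes this way shows what the implicit deny will remove before the filter is applied on the router.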

Here’s an example of how to use a route map to filter and set metrics for redistribution:

DSWA#sh run int loopback 99
!
interface Loopback99
 ip address 12.1.1.1 255.255.255.0 secondary
 ip address 13.1.1.1 255.255.255.0 secondary
 ip address 14.1.1.1 255.255.255.0 secondary
 ip address 15.1.1.1 255.255.255.0 secondary
 ip address 16.1.1.1 255.255.255.0 secondary
 ip address 11.1.1.1 255.255.255.0
!
router eigrp 100
 network 10.0.0.0
 redistribute connected route-map MyLoops
 passive-interface Vlan10
 passive-interface Vlan30
 passive-interface Vlan20
 eigrp stub connected summary
!
route-map MyLoops permit 10
 match interface Loopback99
 set metric 10000 1000 255 1 150
 set tag 99
!
DSWA#show ip eigrp topology 
EIGRP-IPv4 Topology Table for AS(100)/ID(10.2.120.3)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply, r - reply Status, s - sia Status

P 14.1.1.0/24, 1 successors, FD is 128256
 via Rconnected (128256/0)
P 16.1.1.0/24, 1 successors, FD is 128256
 via Rconnected (128256/0)
P 10.2.130.0/24, 1 successors, FD is 21024512
 via 10.2.120.1 (21024512/21024256), GigabitEthernet0/1
P 10.2.100.0/24, 1 successors, FD is 2170112
 via 10.2.120.1 (2170112/2169856), GigabitEthernet0/1
P 15.1.1.0/24, 1 successors, FD is 128256
 via Rconnected (128256/0)
P 10.1.101.1/32, 1 successors, FD is 130816
 via 10.2.120.1 (130816/128256), GigabitEthernet0/1
P 13.1.1.0/24, 1 successors, FD is 128256
 via Rconnected (128256/0)
P 10.1.101.2/32, 1 successors, FD is 21152256
 via 10.2.120.1 (21152256/21152000), GigabitEthernet0/1
P 0.0.0.0/0, 1 successors, FD is 2172672
 via 10.2.120.1 (2172672/2172416), GigabitEthernet0/1
P 10.2.110.0/24, 1 successors, FD is 21024256
 via 10.2.120.1 (21024256/21024000), GigabitEthernet0/1
P 10.1.101.9/32, 1 successors, FD is 2298112
 via 10.2.120.1 (2298112/2297856), GigabitEthernet0/1
P 10.2.120.0/24, 1 successors, FD is 2816
 via Connected, GigabitEthernet0/1
P 12.1.1.0/24, 1 successors, FD is 128256
 via Rconnected (128256/0)
P 11.1.1.0/24, 1 successors, FD is 128256
 via Rconnected (128256/0)
DSWA# show ip eigrp topology 12.1.1.0/24 
EIGRP-IPv4 Topology Entry for AS(100)/ID(10.2.120.3) for 12.1.1.0/24
 State is Passive, Query origin flag is 1, 1 Successor(s), FD is 128256
 Descriptor Blocks:
 0.0.0.0, from Rconnected, Send flag is 0x0
 Composite metric is (512000/0), route is External
 Vector metric:
 Minimum bandwidth is 10000 Kbit
 Total delay is 10000 microseconds
 Reliability is 255/255
 Load is 1/255
 Minimum MTU is 150
 Hop count is 0
 Originating router is 10.2.120.3
 External data:
 AS number of route is 0
 External protocol is Connected, external metric is 0
 Administrator tag is 99 (0x00000063)

There may be different reasons for limiting the routes being received or sent to other routers—perhaps a security concern, reduction in complexity of the receiving routers, extranet or Internet routes. Whatever the rationale, there are options.
