Thursday, July 30, 2009

Route Filtering - Route-map, prefix-list, distribute-list, access-list....

Route Filtering –
1. In a route-map, always use a permit ACL or a permit prefix-list and choose the action (permit or deny) in the route-map entry itself. A deny entry in the ACL or prefix-list does not deny the route: it means the route-map entry does not match and is skipped.
2. In a distribute-list, only ACLs can be used. The ACL acts as a pass-through filter: any route permitted by the ACL is permitted, and any route denied by it is denied. (Remember that the implicit deny at the end of the ACL will deny all remaining routes, so routes must be explicitly permitted.)

Prefix-lists have the advantage that a range of prefix lengths can be defined in one entry, e.g. "/8 le 24". This covers masks from 255.0.0.0 to 255.255.255.0 in a single line; anything longer than /24 is not matched.
In an ACL, a /24 (255.255.255.0) entry corresponds to "/24 to /32" in prefix-list terms.



Case 1: route-map deny 10 + permit ACL, followed by route-map permit 20
All routes permitted by the ACL match entry 10 and will not be sent (the ACL works as a pass-through filter for the match clause). All routes denied by the ACL skip entry 10 and are sent by route-map entry 20.

Case 2: route-map permit 10 + deny ACL -> does not work the way we expect
For a permit route-map entry, routes that hit a deny entry in the ACL are simply skipped to the next route-map entry (if one exists). If no second route-map entry exists, all such routes are implicitly denied by the route-map.

If the ACL has only deny entries, the route-map cannot apply its permit logic, because there are no permit ACL entries for a route to match. Hence all routes are dropped.
If the ACL has one permit ACE at the end, all routes are permitted (even those matching the deny ACEs are permitted).

Case 3: route-map deny 10 + deny ACL
This means: deny all routes that are permitted by the ACL. If no routes are permitted by the ACL, all routes are dropped unless a second route-map permit entry exists. If a second permit entry is there, it permits everything that is permitted by its match clause; if it has no match clause, everything is permitted.
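To make the three cases concrete, here is a small Python model of how a route-map with `match ip address <acl>` walks its entries. It is added here as an illustration and is not Cisco code or code from the original post; the `AclEntry`/`RouteMapEntry` classes and the sample routes 10.1.0.0/16 and 192.168.1.0/24 are constructed for the example. It assumes standard-ACL semantics (only the route's network address is compared, first matching ACE wins, implicit deny at the end) and the rule stated above: an ACL deny never denies a route by itself, it only makes the route-map entry fail to match.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of route-map + ACL evaluation for route filtering
# (hypothetical helper code, not Cisco IOS code).


@dataclass
class AclEntry:
    action: str     # "permit" or "deny"
    network: str    # e.g. "10.1.0.0"
    wildcard: str   # IOS wildcard mask, e.g. "0.0.255.255" (0 bit = must match)


@dataclass
class RouteMapEntry:
    action: str                          # "permit" or "deny"
    match_acl: Optional[List[AclEntry]]  # None = no match clause (matches everything)


def acl_result(acl: List[AclEntry], route: str) -> str:
    """Return the action of the first ACE hit by the route's network address:
    'permit', 'deny', or 'implicit-deny' when no ACE matches."""
    addr = int(ipaddress.ip_network(route, strict=False).network_address)
    for ace in acl:
        wildcard = int(ipaddress.ip_address(ace.wildcard))
        mask = 0xFFFFFFFF ^ wildcard     # bits that must match
        net = int(ipaddress.ip_address(ace.network))
        if (addr & mask) == (net & mask):
            return ace.action
    return "implicit-deny"


def route_map_allows(route_map: List[RouteMapEntry], route: str) -> bool:
    """Walk the route-map in sequence order; True if the route is permitted."""
    for entry in route_map:
        # An entry matches only when its ACL *permits* the route. An ACL deny
        # (explicit or implicit) does not deny the route; it means "no match
        # here, try the next route-map entry".
        if entry.match_acl is None or acl_result(entry.match_acl, route) == "permit":
            return entry.action == "permit"
    return False   # implicit deny at the end of the route-map


def evaluate_cases() -> dict:
    """Run the three cases from the post against two constructed sample routes."""
    permit_10 = [AclEntry("permit", "10.1.0.0", "0.0.255.255")]
    deny_10 = [AclEntry("deny", "10.1.0.0", "0.0.255.255")]
    deny_10_permit_any = deny_10 + [AclEntry("permit", "0.0.0.0", "255.255.255.255")]

    cases = {
        # Case 1: deny 10 (permit ACL) + permit 20 -> ACL-permitted routes are
        # filtered, everything else falls through to entry 20 and is sent.
        "case1": [RouteMapEntry("deny", permit_10), RouteMapEntry("permit", None)],
        # Case 2: permit 10 with a deny-only ACL and no second entry -> nothing
        # ever matches, so every route hits the route-map's implicit deny.
        "case2": [RouteMapEntry("permit", deny_10)],
        # Case 3: deny 10 (deny ACL + permit any) + permit 20 -> routes the ACL
        # permits are denied; routes the ACL denies skip entry 10 and are
        # permitted by entry 20, which has no match clause.
        "case3": [RouteMapEntry("deny", deny_10_permit_any), RouteMapEntry("permit", None)],
    }
    routes = ["10.1.0.0/16", "192.168.1.0/24"]   # constructed sample routes
    return {name: {r: route_map_allows(rm, r) for r in routes} for name, rm in cases.items()}


if __name__ == "__main__":
    for name, result in evaluate_cases().items():
        print(name, result)
```

Running it shows Case 1 filtering only 10.1.0.0/16, Case 2 dropping both routes, and Case 3 permitting 10.1.0.0/16 while denying 192.168.1.0/24, which is the inverted behaviour the post warns about.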

In a prefix-list:
To match 112.0.0.0/8 exactly – use 112.0.0.0/8 in the prefix-list
To match 112.0.0.0 and 112.0.0.1 (host routes) as well – use 112.0.0.0/8 le 32
To match anything – use 0.0.0.0/0 le 32

Prefix-list advanced – it can check the network bits and the subnet-mask length separately in one entry:
10.0.0.0/X le LE ge GE
Here X means: match the first X network bits (e.g. 10.0.0.0) from left to right.
LE means less than or equal to. If LE = 24, X = 8 and GE is not defined, subnet masks from /8 to /24 are checked.
GE means greater than or equal to. If GE = 24, subnet masks from /24 to /32 are checked.
172.16.8.0/24 ge 25 le 27 = 172.16.8.0 with masks from /25 to /27.
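The ge/le rules above, and the simple prefix-list examples before them, can be checked with a small matcher. This is an added Python illustration, not Cisco code or code from the post; `prefix_entry_matches`, `prefix_list_action` and the sample routes in `demo()` are constructed for the example. It assumes the IOS semantics as described: the first X bits must match, and the allowed prefix-length range is exactly X with no ge/le, X..LE with le only, GE..32 with ge only, and GE..LE with both; a prefix-list is first-match-wins with an implicit deny at the end.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed model of prefix-list matching (hypothetical helper, not Cisco code).


def prefix_entry_matches(entry_prefix: str, route: str,
                         ge: Optional[int] = None, le: Optional[int] = None) -> bool:
    """Does the entry 'A.B.C.D/X [ge GE] [le LE]' match the given route?"""
    entry = ipaddress.ip_network(entry_prefix, strict=False)
    r = ipaddress.ip_network(route, strict=False)
    x = entry.prefixlen
    # Allowed prefix-length range derived from X, GE and LE.
    low = ge if ge is not None else x
    high = le if le is not None else (32 if ge is not None else x)
    if not (low <= r.prefixlen <= high):
        return False
    # The route is at least X bits long here, so "network address lies inside
    # the entry's block" is the same as "first X bits match".
    return r.network_address in entry


# (action, prefix, ge, le) in sequence order; first match wins, implicit deny.
PrefixList = List[Tuple[str, str, Optional[int], Optional[int]]]


def prefix_list_action(pfl: PrefixList, route: str) -> str:
    for action, prefix, ge, le in pfl:
        if prefix_entry_matches(prefix, route, ge, le):
            return action
    return "deny"   # implicit deny at the end of the prefix-list


def demo() -> dict:
    """Evaluate the entries discussed in the post against constructed sample routes."""
    return {
        # "112.0.0.0/8" alone matches only the /8 route, not host routes under it
        "exact /8 vs /8": prefix_entry_matches("112.0.0.0/8", "112.0.0.0/8"),
        "exact /8 vs host": prefix_entry_matches("112.0.0.0/8", "112.0.0.1/32"),
        # "112.0.0.0/8 le 32" also covers host routes such as 112.0.0.1
        "/8 le 32 vs host": prefix_entry_matches("112.0.0.0/8", "112.0.0.1/32", le=32),
        # "0.0.0.0/0 le 32" matches anything
        "any": prefix_entry_matches("0.0.0.0/0", "192.168.1.0/24", le=32),
        # "/8 le 24": masks 255.0.0.0 .. 255.255.255.0, nothing longer
        "/8 le 24 vs /16": prefix_entry_matches("10.0.0.0/8", "10.1.0.0/16", le=24),
        "/8 le 24 vs /25": prefix_entry_matches("10.0.0.0/8", "10.1.1.0/25", le=24),
        # "ge 24" alone: /24 .. /32
        "ge 24 vs /30": prefix_entry_matches("172.16.0.0/16", "172.16.5.4/30", ge=24),
        "ge 24 vs /16": prefix_entry_matches("172.16.0.0/16", "172.16.0.0/16", ge=24),
        # "172.16.8.0/24 ge 25 le 27"
        "ge25 le27 vs /26": prefix_entry_matches("172.16.8.0/24", "172.16.8.64/26", ge=25, le=27),
        "ge25 le27 vs /28": prefix_entry_matches("172.16.8.0/24", "172.16.8.128/28", ge=25, le=27),
        "ge25 le27 other block": prefix_entry_matches("172.16.8.0/24", "172.16.9.0/26", ge=25, le=27),
        # Whole prefix-list with its implicit deny
        "list permits 10.1.0.0/16": prefix_list_action([("permit", "10.0.0.0/8", None, 24)], "10.1.0.0/16"),
        "list implicit deny": prefix_list_action([("permit", "10.0.0.0/8", None, 24)], "192.168.1.0/24"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The length check comes first on purpose: a route shorter than X (say 10.0.0.0/7 against 10.0.0.0/8 le 24) must fail even though its network address would fall inside the entry's block.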
