Network Traffic Filtering : Access-lists, Route-map and Distribution-lists
Today I am going to talk about the various route filtering methods we use in our networks: Access-Lists, Route-maps, Distribution-lists and Prefix-Lists.
All of them are excellent ways to filter routes, but each is implemented differently. Many of you are already familiar with access lists, such as standard and extended ACLs.
IP Access List Route Filtering
So let's talk about the ACL, or so-called access-list. An access-list is basically a mechanism that accepts certain input from IOS (source, destination, protocol, port, etc.) and returns one of three possible results:
- A matching entry is found and its action is permit
- A matching entry is found and its action is deny
- No matching entry is found
Fig 1.1 - Access Lists Inbound and Outbound
Because an access-list simply performs a matching operation and returns a permit or deny result, it can be used anywhere filtering based on addresses or address-like values is required.
One such application is filtering the networks that are advertised or redistributed by routing protocols. In this case we do not filter packets; rather, we filter the prefixes carried inside the routing protocol's messages.
Below is an example of an access-list that denies a specific IP range and is applied inbound on an interface:
NDNA(config)# access-list 20 deny 192.168.1.0 0.0.0.255
NDNA(config)# access-list 20 permit any
NDNA(config)# int s0/1
NDNA(config-if)# ip access-group 20 in
In the example above, you deny hosts in 192.168.1.0/24 from entering interface s0/1 while permitting everyone else.
Filtering Technique: Route Map
A route-map can be seen as an advanced version of the access-list, adding features on top of what access-lists offer. In addition to matching packets or prefixes and permitting or denying them, it can also perform operations that modify the router's behavior or the attributes of those prefixes. A route-map is sometimes described as an if-then-else mechanism:
If a prefix matches certain criteria, then perform a specific action on it; else move on to the next entry in the route-map.
Thus, the main differences between a route-map and an ACL are:
- A route-map can perform matching based on very diverse attributes, whereas an ACL matches only on IP addresses, L4 protocols and ports, and a few additional fields typical of packet headers and contents. In fact, when a route-map needs to perform these kinds of matches, it simply calls an ACL to do the job. However, it can also match on criteria (AS paths, metrics, route types, outgoing interfaces) that an ACL cannot match.
- A route-map can perform a set operation on the packets or prefixes it matched, modifying their path (packets) or their attributes (prefixes). An ACL can only permit or deny them; it cannot modify anything about them.
Below is an example in which a route-map sets a BGP attribute on a specific route before it is advertised to a neighbor:
NDNA(config)# access-list 1 permit 20.1.1.0 0.0.0.255
NDNA(config)# route-map Cisco permit 10
NDNA(config-route-map)# match ip address 1
NDNA(config-route-map)# set metric 100
NDNA(config-route-map)# route-map Cisco permit 20
NDNA(config)# router bgp 100
NDNA(config-router)# neighbor 192.168.10.1 route-map Cisco out
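To make the three ACL outcomes and the route-map if-then-else concrete, here is an added Python model (not Cisco code and not part of the original post) that evaluates wildcard-mask matches, returns the ACL outcome, and walks route-map clauses in sequence order; the ACL entries and route-map clauses are constructed to mirror the route-map configuration above.

```python
import ipaddress

def wildcard_match(addr, entry_addr, wildcard):
    """IOS wildcard-mask match: a 1 bit in the mask means 'don't care',
    a 0 bit means the address bit must equal the entry bit."""
    a, e, w = (int(ipaddress.IPv4Address(x)) for x in (addr, entry_addr, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (e & care)

def acl_lookup(acl, addr):
    """Walk the ACL top-down and return one of the three outcomes above:
    'permit', 'deny', or None when no entry matches (IOS then applies
    its implicit deny at the end of the list)."""
    for action, entry_addr, wildcard in acl:
        if entry_addr == "any" or wildcard_match(addr, entry_addr, wildcard):
            return action
    return None

def route_map_eval(route_map, acls, prefix):
    """Evaluate clauses in sequence order (the if-then-else above). A clause
    matches when its ACL permits the prefix; a clause with no match statement
    matches everything. Returns (permitted, set_attributes); falling off the
    end of the route-map denies the prefix."""
    for _seq, action, acl_name, sets in sorted(route_map, key=lambda c: c[0]):
        if acl_name is not None and acl_lookup(acls[acl_name], prefix) != "permit":
            continue  # not matched: fall through to the next clause
        return (action == "permit"), (dict(sets) if action == "permit" else {})
    return False, {}

# Constructed sample data mirroring the route-map configuration above (not real router state).
ACLS = {
    "1": [("permit", "20.1.1.0", "0.0.0.255")],   # access-list 1 permit 20.1.1.0 0.0.0.255
}
ROUTE_MAP_CISCO = [
    (10, "permit", "1", {"metric": 100}),  # match ip address 1 / set metric 100
    (20, "permit", None, {}),              # bare permit: everything else passes unchanged
]

def demo():
    """Run sample prefixes through the model and return the results."""
    return {
        "20.1.1.0": route_map_eval(ROUTE_MAP_CISCO, ACLS, "20.1.1.0"),
        "10.0.0.0": route_map_eval(ROUTE_MAP_CISCO, ACLS, "10.0.0.0"),
        "acl1 20.1.1.5": acl_lookup(ACLS["1"], "20.1.1.5"),
        "acl1 10.0.0.0": acl_lookup(ACLS["1"], "10.0.0.0"),  # None: no entry matched
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

A useful check when reviewing a configuration is to run candidate addresses through wildcard_match: 0.0.0.255 covers a single /24, while 0.255.255.255 admits every address that shares only the first octet.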
Distribution List
The "distribute-list" is a method of filtering routing updates in a given direction, "in" or "out"; the matching method is a reference to an ACL.
A distribute-list applied with the in direction filters received routing updates: updates matched by the distribute-list are prevented from being installed in the routing table.
A distribute-list applied with the out direction prevents routing prefixes matched by it from being advertised to a neighbor, and prevents routing updates that were redistributed from another routing protocol from being installed in the router's routing table.
Below is a configuration example of a distribute-list in the RIP protocol:
NDNA(config)# access-list 1 permit 192.168.10.1 0.255.255.255
NDNA(config)# router rip
NDNA(config-router)# distribute-list 1 in serial 0/1