
Network Traffic Filtering : Access-lists, Route-map and Distribution-lists

Today I am going to talk about the various route filtering methods we use in our networks: Access-Lists, Route-maps, Distribution-lists and Prefix-Lists.

They are all excellent ways to filter routes, but each is implemented differently. Many of you are already familiar with access lists such as standard and extended ACLs.

IP Access List Route Filtering
So let's talk about ACLs, or so-called access-lists. An access-list is basically a mechanism that accepts certain input from IOS (source, destination, protocol, port, etc.) and returns one of three possible results:
  • A matching entry is found and its action is permit
  • A matching entry is found and its action is deny
  • No matching entry is found

Fig 1.1 - Access Lists Inbound and Outbound (figure not reproduced here)


Now, because an access-list simply performs a matching operation and gives you a permit or deny result, you can use it anywhere filtering based on addresses or address-like values is required.

One such application is filtering the networks that are advertised or redistributed by routing protocols. In this case we do not filter packets; we filter the prefixes carried inside the routing protocol's messages.

Below is an example of an access-list that denies a specific IP range and is applied inbound on an interface:


! wildcard 0.0.0.255 covers exactly 192.168.1.0/24 (0.255.255.255 would have denied all of 192.0.0.0/8)
NDNA(config)# access-list 20 deny 192.168.1.0 0.0.0.255
! without this line the implicit deny at the end of the ACL would block everything else
NDNA(config)# access-list 20 permit any
NDNA(config)# int s0/1
NDNA(config-if)# ip access-group 20 in


In the example above, ACL 20 denies hosts in 192.168.1.0/24 from entering interface s0/1 while permitting everyone else.

Filtering Technique: Route Map
A route-map can be thought of as an advanced version of an access-list, with extra features on top of what access-lists provide. In addition to matching packets or prefixes and permitting or denying them, it can also perform operations that modify the router's behaviour or the attributes of those prefixes. A route-map is sometimes explained as an if-then-else mechanism:

if some prefixes match some criteria, then perform a specific action on them; else move on to the next entry in the route-map.

Thus, the main differences between a route-map and an ACL are:

A route-map can perform matching based on very diverse attributes. An ACL performs matching based only on IP addresses, L4 protocols and ports, and a few additional fields typical of packet headers and contents.

In fact, when a route-map needs to perform these kinds of matches, it simply calls an ACL to do the job. However, it can also match on other criteria (AS paths, metrics, route types, outgoing interfaces) that an ACL cannot match.

A route-map can perform a set operation on the packets or prefixes it matches, modifying their route (packets) or their attributes (prefixes). An ACL can only permit or deny them; it cannot modify anything about them.

Below is an example in which a route-map sets a BGP attribute (the metric, i.e. the MED) on a specific prefix advertised to a neighbor:


NDNA(config)# access-list 1 permit 20.1.1.0 0.0.0.255
NDNA(config)# route-map Cisco permit 10
NDNA(config-route-map)# match ip address 1
NDNA(config-route-map)# set metric 100
! sequence 20 has no match clause, so it permits every other prefix unchanged;
! without it the implicit deny at the end of the route-map would drop them
NDNA(config-route-map)# route-map Cisco permit 20
NDNA(config-route-map)# exit
NDNA(config)# router bgp 100
NDNA(config-router)# neighbor 192.168.10.1 route-map Cisco out
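To make the if-then-else behaviour concrete, here is a small Python model of route-map processing for prefixes sent to a BGP neighbor. It is an added example, not code from the original post or from Cisco IOS: sequences are tried in ascending order, the first matching sequence decides (permit with its set clauses, or deny), and a prefix that matches no sequence is dropped by the implicit deny at the end of the map. The ACL call that IOS would make for "match ip address 1" is stood in for by a prefix-membership check (in_network), which is an assumption of this model; the Route and Sequence classes are hypothetical names.

```python
# Added example (not from the original post): a model of route-map evaluation.
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Route:
    prefix: str                                          # e.g. "20.1.1.0/24"
    attrs: Dict[str, int] = field(default_factory=dict)  # e.g. {"metric": 0}


def in_network(network: str) -> Callable[[Route], bool]:
    """Stand-in for 'match ip address <acl>': true if the route lies inside network."""
    net = ipaddress.ip_network(network)
    return lambda r: ipaddress.ip_network(r.prefix).subnet_of(net)


@dataclass
class Sequence:
    seq: int
    action: str                                                   # "permit" or "deny"
    matches: List[Callable[[Route], bool]] = field(default_factory=list)
    sets: Dict[str, int] = field(default_factory=dict)

    def matched(self, route: Route) -> bool:
        # A sequence with no match clause matches everything (like 'permit 20' above).
        return all(m(route) for m in self.matches)


def apply_route_map(route_map: List[Sequence], route: Route) -> Optional[Route]:
    """Return the (possibly modified) route if permitted, None if denied."""
    for seq in sorted(route_map, key=lambda s: s.seq):
        if not seq.matched(route):
            continue                                 # "else": try the next sequence
        if seq.action == "deny":
            return None
        out = Route(route.prefix, dict(route.attrs))
        out.attrs.update(seq.sets)                   # apply this sequence's set clauses
        return out
    return None                                      # implicit deny at end of route-map


# The route-map from the post: sequence 10 sets metric 100 on 20.1.1.0/24,
# sequence 20 permits everything else unchanged.
ROUTE_MAP_CISCO = [
    Sequence(10, "permit", matches=[in_network("20.1.1.0/24")], sets={"metric": 100}),
    Sequence(20, "permit"),
]

# The same map without sequence 20: every non-matching prefix is now suppressed.
ROUTE_MAP_NO_CATCHALL = [ROUTE_MAP_CISCO[0]]


def advertise(route_map: List[Sequence], routes: List[Route]) -> Dict[str, int]:
    """Apply the map 'out' to a list of routes; return {prefix: metric} of what is sent."""
    result = {}
    for r in routes:
        out = apply_route_map(route_map, r)
        if out is not None:
            result[out.prefix] = out.attrs.get("metric", 0)
    return result


# Constructed sample routes, as they might sit in the BGP table before export.
SAMPLE_ROUTES = [Route("20.1.1.0/24", {"metric": 0}), Route("10.10.0.0/16", {"metric": 0})]

if __name__ == "__main__":
    print(advertise(ROUTE_MAP_CISCO, SAMPLE_ROUTES))        # both sent, 20.1.1.0/24 with metric 100
    print(advertise(ROUTE_MAP_NO_CATCHALL, SAMPLE_ROUTES))  # only 20.1.1.0/24 is sent
```

Running the two maps side by side shows why the empty "permit 20" sequence matters: without it, 10.10.0.0/16 silently disappears from the advertisement, which is the most common route-map mistake to check for when a neighbor stops receiving prefixes.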


Distribution List
The "distribute-list" is a method to filter routing updates, with a direction that could be "in" or "out"; the matching method is a reference to an ACL.

A distribute-list applied IN filters the routing updates a router receives: prefixes not permitted by the referenced ACL are dropped before they can be installed in the routing table.

A distribute-list applied OUT prevents prefixes not permitted by the referenced ACL from being advertised to a neighbor; it can also be used to stop routes redistributed from another routing protocol from being passed on.

Below is a configuration example of a distribute-list in the RIP protocol:


! standard ACLs take no 'ip' keyword; wildcard 0.255.255.255 compares only the first octet,
! so this entry matches any prefix in 192.0.0.0/8 (use 0.0.0.255 for a single /24)
NDNA(config)# access-list 1 permit 192.168.10.1 0.255.255.255
NDNA(config)# router rip
NDNA(config-router)# distribute-list 1 in serial 0/1
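The access-list section above lists the three possible ACL outcomes, and this section applies that result to routing updates. The following Python model, an added example that is not code from the original post or from Cisco IOS, covers both: it evaluates a standard ACL with Cisco wildcard-mask semantics (a 0 bit must match, a 1 bit is "don't care"), reports permit, deny or no-match, and then uses that result as a distribute-list would on a received (in) or outgoing (out) update. The function and constant names are hypothetical, and the RIP update is constructed for the demonstration.

```python
# Added example (not from the original post): ACL wildcard matching and
# distribute-list filtering of routing updates.
import ipaddress
from typing import Dict, List, Optional, Tuple


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(candidate: str, base: str, wildcard: str) -> bool:
    """True if candidate lies within base/wildcard under Cisco wildcard-mask rules."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF           # bits that must be equal
    return (_to_int(candidate) & care) == (_to_int(base) & care)


# An ACL is an ordered list of (action, base, wildcard); IOS expands "any"
# to 0.0.0.0 255.255.255.255.
AclEntry = Tuple[str, str, str]


def evaluate_acl(acl: List[AclEntry], address: str) -> Optional[str]:
    """The three outcomes from the post: 'permit', 'deny', or None (no entry matched)."""
    for action, base, wildcard in acl:
        if wildcard_match(address, base, wildcard):
            return action
    return None


def distribute_list(acl: List[AclEntry], update: Dict[str, int]) -> Dict[str, int]:
    """Apply a distribute-list to a routing update given as {prefix: metric}.

    Only prefixes the ACL explicitly permits survive; an explicit deny and the
    implicit deny at the end of the ACL both drop the prefix. The same logic
    models the 'in' direction (update received from a neighbour, filtered before
    installation) and the 'out' direction (update about to be sent)."""
    return {prefix: metric for prefix, metric in update.items()
            if evaluate_acl(acl, prefix.split("/")[0]) == "permit"}


# ACL 20 from the post, with the wildcard for a /24: deny 192.168.1.0/24, permit the rest.
ACL_20 = [("deny", "192.168.1.0", "0.0.0.255"),
          ("permit", "0.0.0.0", "255.255.255.255")]

# ACL 1 from the distribute-list example as typed: base 192.168.10.1 with wildcard
# 0.255.255.255 compares only the first octet, so it permits any prefix under
# 192.0.0.0/8 and nothing else (implicit deny).
ACL_1 = [("permit", "192.168.10.1", "0.255.255.255")]

# Constructed sample RIP update: prefix -> hop count.
SAMPLE_UPDATE = {"192.168.1.0/24": 1, "192.168.10.0/24": 2,
                 "192.0.2.0/24": 3, "10.0.0.0/8": 4}

if __name__ == "__main__":
    print("ACL 20 :", distribute_list(ACL_20, SAMPLE_UPDATE))  # drops only 192.168.1.0/24
    print("ACL 1  :", distribute_list(ACL_1, SAMPLE_UPDATE))   # keeps 192.x, drops 10.0.0.0/8
```

Feeding a copy of the real update through evaluate_acl before committing a distribute-list is a cheap way to catch the two classic errors this page's examples illustrate: a wildcard mask that is far wider than intended, and a missing "permit any" that lets the implicit deny discard every other prefix.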