Ccie Entreprise Route

Uploaded by nguessankmatt

IP Routing Explained

Lesson Contents
 IP Routing Process
o H1
o R1
o R2
o H2
 Conclusion
The actual forwarding of IP packets by routers is called IP routing. This has nothing to
do with the “learning” of network routes through static or dynamic routing protocols
but has everything to do with the steps that routers have to take when they forward
an IP packet from one interface to another.

In this lesson, I will walk you through an example and show you all steps that occur.

To do this, I will use the following topology:

Above we have two host computers and two routers. H1 is going to send an IP
packet to H2 which has to be routed by R1 and R2.

IP Routing Process
Let’s look at this step-by-step, device-by-device.

H1
Let’s start with H1. This host creates an IP packet with its own IP address
(192.168.1.1) as the source and H2 (192.168.2.2) as the destination. The first
question that H1 will ask itself is:

 Is the destination local or remote?

It answers this question by looking at its own IP address, its subnet mask and the
destination IP address:

C:\Users\H1>ipconfig

Windows IP Configuration

Ethernet adapter Ethernet 1:

   Connection-specific DNS Suffix  . : nwl.local
   Link-local IPv6 Address . . . . . : fe80::88fd:962a:44d6:3a1f%4
   IPv4 Address. . . . . . . . . . . : 192.168.1.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.254


H1 is in network 192.168.1.0/24 so all IP addresses in the 192.168.1.1 – 254 range
are local. Our destination (192.168.2.2) is outside of the local subnet so that means
we have to use the default gateway.

H1 will now build an Ethernet frame, enter its own MAC address as the source and ask
itself the second question: does it know the destination MAC address of the default
gateway?

It checks its ARP table to find the answer:

C:\Users\H1>arp -a

Interface: 192.168.1.1 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.254         fa-16-3e-3f-fd-3c     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static

H1 has an ARP entry for 192.168.1.254. If not, it would have sent an ARP request. We
now have an Ethernet frame that carries an IP packet with the following addresses:

The frame will be on its way to R1.

R1
This Ethernet frame makes it to R1 which has more work to do than our host. The
first thing it does, is check if the FCS (Frame Check Sequence) of the Ethernet frame
is correct or not:

If the FCS is incorrect, the frame is dropped right away. There is no error recovery for
Ethernet, this is something that is done by protocols on upper layers, like TCP on the
transport layer.

If the FCS is correct, we will process the frame if:

 The destination MAC address is the address of the interface of the router.
 The destination MAC address is a broadcast address of the subnet that the
router interface is connected to.
 The destination MAC address is a multicast address that the router listens to.

In this case, the destination MAC address matches the MAC address of R1’s
GigabitEthernet 0/1 interface so we will process it. We de-encapsulate (extract) the IP
packet out of the Ethernet frame which is then discarded:

The router will now look at the IP packet, and the first thing it does is check if the
header checksum is OK:
If the header checksum is not correct, the IP packet is dropped right away. There is
also no error recovery on the network layer, we rely on upper layers for this. If the
header checksum is correct, we continue by looking at the destination IP address:

R1 now checks its routing table to see if there is a match:

R1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, GigabitEthernet0/1
L        192.168.1.254/32 is directly connected, GigabitEthernet0/1
S     192.168.2.0/24 [1/0] via 192.168.12.2
      192.168.12.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.12.0/24 is directly connected, GigabitEthernet0/2
L        192.168.12.1/32 is directly connected, GigabitEthernet0/2

Above you can see that R1 knows how to reach the 192.168.2.0/24 network, the next
hop IP address is 192.168.12.2. It will now do a second routing table lookup to see if
it knows how to reach 192.168.12.2, we call this recursive routing. As you can see,
there is an entry for 192.168.12.0/24 with GigabitEthernet 0/2 as the interface to use.
There is one thing left to do with the IP packet before we can forward it. Since we are
routing it, we have to decrease the TTL (Time to Live) field by one. R1 will do this and
since this changes the IP header, we have to calculate a new header checksum.

Once this is done, R1 checks its ARP table to see if there is an entry for 192.168.12.2:

R1#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             58   fa16.3e87.9c2a  ARPA   GigabitEthernet0/1
Internet  192.168.1.254            -   fa16.3e3f.fd3c  ARPA   GigabitEthernet0/1
Internet  192.168.12.1             -   fa16.3e02.83a1  ARPA   GigabitEthernet0/2
Internet  192.168.12.2            95   fa16.3e01.0c98  ARPA   GigabitEthernet0/2

No problem there, we have an entry in the ARP table. If not, R1 will send an ARP
request to find the MAC address of 192.168.12.2. R1 builds a new Ethernet frame
with its own MAC address of the GigabitEthernet 0/2 interface and R2 as the
destination. The IP packet is then encapsulated in this new Ethernet frame.
And the frame will be on its way towards R2.

R2
This Ethernet frame makes it to R2. Like R1 it will first do this:

 Check the FCS of the Ethernet frame.
 De-encapsulate the IP packet, discard the frame.
 Check the IP header checksum.
 Check the destination IP address.

In the routing table, we find this:

R2#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

S     192.168.1.0/24 [1/0] via 192.168.12.1
      192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.2.0/24 is directly connected, GigabitEthernet0/1
L        192.168.2.254/32 is directly connected, GigabitEthernet0/1
      192.168.12.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.12.0/24 is directly connected, GigabitEthernet0/2
L        192.168.12.2/32 is directly connected, GigabitEthernet0/2

Network 192.168.2.0/24 is directly connected to R2 on its GigabitEthernet 0/1
interface. R2 now decrements the TTL of the IP packet by one again (from 254 to 253
in this example), recalculates the IP header checksum and checks its ARP table to
see if it knows how to reach 192.168.2.2:

R2#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.2.2            121   fa16.3e4a.f598  ARPA   GigabitEthernet0/1
Internet  192.168.2.254            -   fa16.3e3c.7da4  ARPA   GigabitEthernet0/1
Internet  192.168.12.1           111   fa16.3e02.83a1  ARPA   GigabitEthernet0/2
Internet  192.168.12.2             -   fa16.3e01.0c98  ARPA   GigabitEthernet0/2

There is an ARP entry there. The new Ethernet frame is created, the IP packet
encapsulated and it has the following addresses:
The frame is then forwarded to H2.

H2
H2 receives the Ethernet frame and will:

 Check the FCS.
 Find its own MAC address as the destination MAC address.
 De-encapsulate the IP packet from the frame.
 Find its own IP address as the destination in the IP packet.

H2 then looks for the protocol field to figure out what transport layer protocol we
are dealing with, what happens next depends on the transport layer protocol that is
used. That’s a story for another time.

Conclusion
You have now learned how an IP packet is forwarded from one router to another,
also known as IP routing.

Let’s summarize this process.

The host has a simple decision to make:

 Is the destination on the local subnet? If yes:
o Check the ARP table to see if the destination IP address is in the table, and if it
is, use the corresponding MAC address in the destination field of the Ethernet frame.
 Is the destination on a remote subnet? If yes:
o Check the ARP table to see if the IP address of the default gateway is in the table,
and if it is, use the corresponding MAC address in the destination field of the
Ethernet frame.

The router has to perform a number of tasks:

 When it receives an Ethernet frame, check if the FCS (Frame Check Sequence)
is correct. If not, drop the frame.
 Check if the destination address of the frame is:
o destined to our MAC address
o destined to a broadcast address of the subnet our interface is in.
o destined to a multicast address that we listen to.
 De-encapsulate the IP packet from the frame, discard the Ethernet frame.
 Look for a match in the routing table for the destination IP address, figure out
what the outgoing interface and optionally, the next hop IP address is.
 Decrease the TTL (Time to Live) field in the IP header, recalculate the header
checksum.
 Encapsulate the IP packet in a new Ethernet frame.
 Check the ARP table for the destination IP address or next hop IP address.
 Transmit the frame.

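The steps above, as an added example written for this page (it is not code from the original lesson): H1's local-or-remote decision, R1's header checksum verification, the longest-prefix-match lookup with the recursive resolution of the static route's next hop, the TTL decrement with checksum recomputation, and the ARP lookup for the next hop. Addresses, routes and ARP entries reuse the lesson's outputs; the helper names and the minimal IPv4 header builder are this example's own.

```python
"""Added example (not from the original lesson): a small model of the forwarding
steps described in the IP Routing lesson, using the lesson's addresses."""
import ipaddress
import struct


def is_local(own_ip, mask, dst_ip):
    """H1's first question: does the destination fall inside my own subnet?"""
    subnet = ipaddress.IPv4Network(f"{own_ip}/{mask}", strict=False)
    return ipaddress.IPv4Address(dst_ip) in subnet


def ipv4_checksum(header):
    """RFC 791 header checksum: one's complement of the one's-complement sum of
    all 16-bit words. Over a header whose checksum is correct it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, ttl, proto=1, total_length=84):
    """20-byte IPv4 header without options, checksum filled in."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234, 0, ttl,
                         proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:]


# R1's routing table from the lesson: (prefix, next hop or None, interface or None).
# The static route carries only a next hop, so it needs a second, recursive lookup.
R1_ROUTES = [
    ("192.168.1.0/24", None, "GigabitEthernet0/1"),
    ("192.168.1.254/32", None, "GigabitEthernet0/1"),
    ("192.168.2.0/24", "192.168.12.2", None),
    ("192.168.12.0/24", None, "GigabitEthernet0/2"),
    ("192.168.12.1/32", None, "GigabitEthernet0/2"),
]

# R1's ARP table from the lesson. Entries are used exactly as found: nothing in
# the forwarding path checks that a MAC really belongs to the IP it is listed for.
R1_ARP = {"192.168.1.1": "fa16.3e87.9c2a", "192.168.12.2": "fa16.3e01.0c98"}


class Router:
    def __init__(self, routes, arp):
        self.routes = [(ipaddress.IPv4Network(p), nh, intf) for p, nh, intf in routes]
        self.arp = arp

    def lookup(self, dst, depth=0):
        """Longest prefix match. Returns (address to resolve with ARP, egress
        interface) or None. A next-hop-only route is resolved by looking up the
        next hop itself (the lesson's "recursive routing")."""
        if depth > 8:
            return None  # guard against next hops that point at each other
        addr = ipaddress.IPv4Address(dst)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            return None
        _, next_hop, intf = max(matches, key=lambda r: r[0].prefixlen)
        if intf is not None:
            return (next_hop or dst, intf)
        resolved = self.lookup(next_hop, depth + 1)
        return None if resolved is None else (next_hop, resolved[1])

    def forward(self, header):
        """The router's packet-level work. Returns (new header, next hop, egress
        interface, destination MAC or None when an ARP request would be needed),
        or None when the packet is dropped."""
        if len(header) < 20 or ipv4_checksum(header[:20]) != 0:
            return None  # bad header checksum: dropped, upper layers must recover
        ttl = header[8]
        if ttl <= 1:
            return None  # TTL would hit 0 (a real router sends ICMP Time Exceeded)
        dst = str(ipaddress.IPv4Address(header[16:20]))
        hop = self.lookup(dst)
        if hop is None:
            return None  # no matching route
        next_hop, intf = hop
        out = bytearray(header)
        out[8] = ttl - 1                                   # routed: decrement TTL
        out[10:12] = b"\x00\x00"
        out[10:12] = struct.pack("!H", ipv4_checksum(bytes(out[:20])))  # new checksum
        return bytes(out), next_hop, intf, self.arp.get(next_hop)
```

A header whose TTL is changed without recomputing the checksum is rejected by `forward`, which is exactly the drop the lesson describes; a destination with no route is also dropped rather than sent anywhere by default, because this table has no gateway of last resort.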
I hope this lesson has been useful to understand IP routing. Feel free to share this
post!

Introduction to Administrative Distance


Administrative distance is one of those routing concepts that most CCNA students
have difficulty with understanding. In this short lesson, I’ll explain to you what
administrative distance is and how it works.

Let me show you an example:


Imagine we have a network that is running two routing protocols at the same
time, OSPF and EIGRP. Both routing protocols give information to R1.

 EIGRP tells us the router should send IP packets using the path on the top.
 OSPF tells us the router should send IP packets using the path on the bottom.

What routing information are we going to use? Both? Use OSPF or EIGRP?

The answer is that when two routing protocols are giving us information about the
same destination network, we have to make a choice…you can’t go left and right at
the same time. We need to look at the administrative distance or AD.

Let me show you the administrative distance list:

Route source          Administrative Distance
Directly connected    0
Static route          1
EIGRP                 90
OSPF                  110
RIP                   120

The lower the administrative distance, the better. As you can see, a directly
connected route has an AD of 0. This makes sense since there’s nothing better than
having it directly connected to your router. A static route has a very low
administrative distance of 1, which also makes sense since this is something you
configure manually. Sometimes you use a static route to “overrule” a routing
protocol’s decisions.
EIGRP has an administrative distance of 90, which makes sense since it’s a Cisco
routing protocol. OSPF has 110, and RIP has 120. In our example above, we will use
the information EIGRP tells us in the routing table since its AD of 90 is better (lower)
than OSPF, which has 110.

Let’s look at an example of an actual router. This is the topology:

Above we see that R1 is connected to both R2 and R3. Here’s the routing table:

R1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      2.0.0.0/24 is subnetted, 1 subnets
R        2.2.2.0 [120/1] via 192.168.12.2, 00:00:21, GigabitEthernet0/1
      3.0.0.0/24 is subnetted, 1 subnets
S        3.3.3.0 [1/0] via 192.168.13.3
      192.168.12.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.12.0/24 is directly connected, GigabitEthernet0/1
L        192.168.12.1/32 is directly connected, GigabitEthernet0/1
      192.168.13.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.13.0/24 is directly connected, GigabitEthernet0/2
L        192.168.13.1/32 is directly connected, GigabitEthernet0/2

Above you can see that R1 has learned 2.2.2.0 /24 through RIP. Between the
brackets, we find:

[120/1]
120 is the administrative distance, and 1 is the metric. In the case of RIP, that’s the
hop count.

R1 also has a static route for 3.3.3.0 /24 to R3. Between the brackets, we find:

[1/0]

1 is the administrative distance. Since this is a static route, there is no metric, so it’s
0. I hope this has helped to understand the administrative distance.
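The selection rule above (lowest administrative distance wins, and only then the metric), as an added example written for this page rather than code from the lesson. It parses the `[AD/metric]` notation from lines in the `show ip route` format, picks the route the RIB would install when several sources offer the same prefix, and flags routes whose displayed AD is not the default for their source. The sample lines are constructed: two are the lesson's own, the others are competing candidates added to show the tie-break (a real `show ip route` only prints the winner, so read the list as what each protocol offers the router).

```python
"""Added example (not from the original lesson): route selection by
administrative distance over show ip route style lines."""
import re

# Default administrative distances on Cisco IOS. The six from the lesson's table
# plus L (local, 0) and B (eBGP, 20, the [20/0] seen in the VRF route-leaking
# output later on this page).
ADMIN_DISTANCE = {"C": 0, "L": 0, "S": 1, "B": 20, "D": 90, "O": 110, "R": 120}

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]{1,2})\*?\s+(?P<prefix>[\d./]+)"
    r"(?:\s+\[(?P<ad>\d+)/(?P<metric>\d+)\])?"
    r"\s+(?:via\s+(?P<nh>[\d.]+)|is directly connected)"
)

SAMPLE_LINES = [
    "R 2.2.2.0 [120/1] via 192.168.12.2, 00:00:21, GigabitEthernet0/1",  # lesson output
    "S 3.3.3.0 [1/0] via 192.168.13.3",                                    # lesson output
    "O 2.2.2.0 [110/3] via 192.168.13.3, 00:01:10, GigabitEthernet0/2",  # constructed
    "O 3.3.3.0 [110/2] via 192.168.13.3, 00:01:10, GigabitEthernet0/2",  # constructed
    "C 192.168.12.0/24 is directly connected, GigabitEthernet0/1",         # lesson output
]


def parse_route(line):
    """Turn one routing-table line into a dict, or None for legend/summary lines."""
    m = ROUTE_RE.match(line.strip())
    if not m:
        return None
    code = m["code"]
    # Connected/local routes print no [AD/metric]; use the default AD and metric 0.
    ad = int(m["ad"]) if m["ad"] is not None else ADMIN_DISTANCE.get(code, 0)
    metric = int(m["metric"]) if m["metric"] is not None else 0
    return {"code": code, "prefix": m["prefix"], "ad": ad, "metric": metric,
            "next_hop": m["nh"]}


def best_route(candidates):
    """Lowest AD wins; the metric only decides between routes from one source."""
    return min(candidates, key=lambda r: (r["ad"], r["metric"]))


def select_routes(lines):
    """Group candidates per prefix and keep the one the RIB would install."""
    by_prefix = {}
    for line in lines:
        route = parse_route(line)
        if route:
            by_prefix.setdefault(route["prefix"], []).append(route)
    return {prefix: best_route(cands) for prefix, cands in by_prefix.items()}


def non_default_ad(lines):
    """Routes whose displayed AD differs from the default for their source code.
    A changed 'distance' may be intentional, but it decides which path wins
    whenever two sources disagree, so it is worth confirming."""
    flagged = []
    for line in lines:
        route = parse_route(line)
        if route and route["ad"] != ADMIN_DISTANCE.get(route["code"]):
            flagged.append((route["prefix"], route["code"], route["ad"]))
    return flagged
```

Note the 2.2.2.0 case: OSPF wins with a worse metric (3 hops against RIP's 1), because metrics are never compared across protocols.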

VRF Lite Configuration on Cisco IOS


In this lesson you will learn about VRFs (Virtual Routing and Forwarding). By
default a router uses a single global routing table that contains all the directly
connected networks and prefixes that it learned through static or dynamic routing
protocols.

VRFs are like VLANs for routers, instead of using a single global routing table we can
use multiple virtual routing tables. Each interface of the router is assigned to a
different VRF.

VRFs are commonly used for MPLS deployments, when we use VRFs without MPLS
then we call it VRF lite. That’s what we will focus on in this lesson. Let’s take a look at
an example topology:
In the topology above we have one ISP router and two customers called “Red” and
“Blue”. Each customer has two sites and those are connected to the ISP router. The
ISP router has only one global routing table so if we connect everything like the
topology above, this is what the routing table will look like:

ISP#show ip route connected

C 192.168.4.0/24 is directly connected, FastEthernet3/0

C 192.168.1.0/24 is directly connected, FastEthernet0/0

C 192.168.2.0/24 is directly connected, FastEthernet1/0

C 192.168.3.0/24 is directly connected, FastEthernet2/0

The ISP router has a single global routing table that holds all four directly connected
networks. Let's use VRFs to change this: I want a separate routing table for customer
"Blue" and another for customer "Red". First we have to create these VRFs:
ISP(config)#ip vrf Red

ISP(config-vrf)#exit

ISP(config)#ip vrf Blue

ISP(config-vrf)#exit

Globally we create the VRFs, one for each customer. Our next step is to add the
interfaces of the ISP router to the correct VRF. Here’s how:

ISP(config)#interface FastEthernet 0/0

ISP(config-if)#ip vrf forwarding Blue

% Interface FastEthernet0/0 IP address 192.168.1.254 removed due to enabling VRF Blue

ISP(config-if)#ip address 192.168.1.254 255.255.255.0

On the interface level we use the ip vrf forwarding command to assign the
interface to the correct VRF. Once you do this , you’ll have to add the IP address
again. Let’s configure the remaining interfaces:

ISP(config)#interface FastEthernet 1/0

ISP(config-if)#ip vrf forwarding Red

ISP(config-if)#ip address 192.168.2.254 255.255.255.0

ISP(config)#interface FastEthernet 2/0

ISP(config-if)#ip vrf forwarding Blue

ISP(config-if)#ip address 192.168.3.254 255.255.255.0

ISP(config)#interface FastEthernet 3/0


ISP(config-if)#ip vrf forwarding Red

ISP(config-if)#ip address 192.168.4.254 255.255.255.0

All interfaces are now configured. There’s a useful command you can use to see all
the VRFs and their interfaces:

ISP#show ip vrf
  Name                             Default RD          Interfaces
  Blue                                                 Fa0/0
                                                       Fa2/0
  Red                                                  Fa1/0
                                                       Fa3/0

Our VRFs are configured, let’s take a look at the global routing table of the ISP router:

ISP#show ip route connected

The global routing table has no entries, this is because all interfaces were added to a
VRF. Let’s check the VRF routing tables:

ISP#show ip route vrf Blue connected

C 192.168.1.0/24 is directly connected, FastEthernet0/0

C 192.168.3.0/24 is directly connected, FastEthernet2/0

ISP#show ip route vrf Red connected

C 192.168.4.0/24 is directly connected, FastEthernet3/0

C 192.168.2.0/24 is directly connected, FastEthernet1/0


We use the show ip route command but you’ll need to specify which VRF you want to
look at. As you can see, each VRF has its own routing table with the interfaces that
we configured earlier.

If you want to do something on the router like sending a ping then you’ll have to
specify which VRF you want to use. By default it will use the global routing table.
Here’s an example how to send a ping:

ISP#ping vrf Blue 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

That’s easy enough, just don’t forget to specify the correct VRF. The same thing
applies to routing (protocols). For example if you want to configure a static route
you’ll have to specify the correct VRF. Take a look at the example below:

Router Blue1 has a loopback interface with IP address 1.1.1.1 /32. Let’s create a
static route on the ISP router so that we can reach it:
ISP(config)#ip route vrf Blue 1.1.1.1 255.255.255.255 192.168.1.1

We use the same ip route command but I specified to what VRF the static route
belongs. Let’s see if this works:

ISP#ping vrf Blue 1.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/24/52 ms

Easy enough, the ping works. What about routing protocols? We can use OSPF,
EIGRP, BGP…no problem at all. Let’s look at an example for OSPF:
Customer "Blue" and customer "Red" both want to use OSPF to advertise their networks.
Since we use VRFs, everything is separated. Let's start with the OSPF configuration for
customer Blue:

Blue1(config)#router ospf 1

Blue1(config-router)#network 192.168.1.0 0.0.0.255 area 0

Blue1(config-router)#network 1.1.1.1 0.0.0.0 area 0

Blue2(config)#router ospf 1

Blue2(config-router)#network 192.168.3.0 0.0.0.255 area 0

Blue2(config-router)#network 3.3.3.3 0.0.0.0 area 0


The OSPF configuration for the customer routers is pretty straight-forward. On the
ISP router, we’ll have to specify what VRF we want to use:

ISP(config)#router ospf 1 vrf Blue

ISP(config-router)#network 192.168.1.0 0.0.0.255 area 0

ISP(config-router)#network 192.168.3.0 0.0.0.255 area 0

We configure OSPF process 1 and specify the VRF that we want to use, that’s all there
is to it. Let’s do the same for customer Red:

Red1(config)#router ospf 1

Red1(config-router)#network 192.168.2.0 0.0.0.255 area 0

Red1(config-router)#network 2.2.2.2 0.0.0.0 area 0

Red2(config)#router ospf 1

Red2(config-router)#network 192.168.4.0 0.0.0.255 area 0

Red2(config-router)#network 4.4.4.4 0.0.0.0 area 0

ISP(config)#router ospf 2 vrf Red

ISP(config-router)#network 192.168.2.0 0.0.0.255 area 0

ISP(config-router)#network 192.168.4.0 0.0.0.255 area 0

The configuration is similar, I had to use another process ID on the ISP router since
the first one is used for customer Blue. Here’s what the VRF routing tables on the ISP
router look like now:

ISP#show ip route vrf Blue ospf

Routing Table: Blue


1.0.0.0/32 is subnetted, 1 subnets

O 1.1.1.1 [110/2] via 192.168.1.1, 00:00:24, FastEthernet0/0

3.0.0.0/32 is subnetted, 1 subnets

O 3.3.3.3 [110/2] via 192.168.3.3, 00:00:24, FastEthernet2/0

ISP#show ip route vrf Red ospf

Routing Table: Red

2.0.0.0/32 is subnetted, 1 subnets

O 2.2.2.2 [110/2] via 192.168.2.2, 00:00:19, FastEthernet1/0

4.0.0.0/32 is subnetted, 1 subnets

O 4.4.4.4 [110/2] via 192.168.4.4, 00:00:19, FastEthernet3/0

Two separate routing tables, each holding only the prefixes of its own VRF. This is looking good.

Configuration

hostname Blue1

ip cef

interface Loopback0

ip address 1.1.1.1 255.255.255.255

!
interface FastEthernet0/0

ip address 192.168.1.1 255.255.255.0

router ospf 1

network 1.1.1.1 0.0.0.0 area 0

network 192.168.1.0 0.0.0.255 area 0

end

hostname Blue2

ip cef

interface Loopback0

ip address 3.3.3.3 255.255.255.255

interface FastEthernet0/0

ip address 192.168.3.3 255.255.255.0

router ospf 1

network 3.3.3.3 0.0.0.0 area 0

network 192.168.3.0 0.0.0.255 area 0

!
end

hostname ISP

ip cef

ip vrf Blue

ip vrf Red

interface FastEthernet0/0

ip vrf forwarding Blue

ip address 192.168.1.254 255.255.255.0

interface FastEthernet1/0

ip vrf forwarding Red

ip address 192.168.2.254 255.255.255.0

interface FastEthernet2/0

ip vrf forwarding Blue

ip address 192.168.3.254 255.255.255.0

interface FastEthernet3/0
ip vrf forwarding Red

ip address 192.168.4.254 255.255.255.0

router ospf 1 vrf Blue

network 192.168.1.0 0.0.0.255 area 0

network 192.168.3.0 0.0.0.255 area 0

router ospf 2 vrf Red

network 192.168.2.0 0.0.0.255 area 0

network 192.168.4.0 0.0.0.255 area 0

end

hostname Red1

ip cef

interface Loopback0

ip address 2.2.2.2 255.255.255.255

interface FastEthernet0/0

ip address 192.168.2.2 255.255.255.0

!
router ospf 1

network 2.2.2.2 0.0.0.0 area 0

network 192.168.2.0 0.0.0.255 area 0

end

hostname Red2

ip cef

interface Loopback0

ip address 4.4.4.4 255.255.255.255

interface FastEthernet0/0

ip address 192.168.4.4 255.255.255.0

router ospf 1

network 4.4.4.4 0.0.0.0 area 0

network 192.168.4.0 0.0.0.255 area 0

end

This is what VRF lite is about. It has one downside though: it is not a scalable
solution. In our example we only used a single ISP router, but what if we want to use
VRFs across multiple ISP routers? That's something we'll discuss in the EVN (Easy Virtual
Network) lesson.
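Two things in this lesson are easy to get wrong and produce no error: an interface loses its IP address the moment `ip vrf forwarding` is applied (the router tells you once, then forgets), and an OSPF process bound to a VRF only ever matches interfaces in that VRF, so a `network` statement aimed at the wrong VRF quietly forms no adjacency. The following is an added example written for this page, not code from the lesson: a small audit that reads an IOS configuration in text form and reports both conditions. `SAMPLE_CONFIG` is constructed from the ISP router above with one mistake introduced (FastEthernet3/0 is in VRF Red but never got its address back); the regexes and function names are this example's own.

```python
"""Added example (not from the original lesson): audit a VRF-lite IOS config for
interfaces that lost their address and OSPF network statements matching no
interface in the process's VRF."""
import ipaddress
import re

# Constructed from the lesson's ISP router; FastEthernet3/0 deliberately lacks
# the ip address that must be re-entered after 'ip vrf forwarding'.
SAMPLE_CONFIG = """\
hostname ISP
ip vrf Blue
ip vrf Red
interface FastEthernet0/0
 ip vrf forwarding Blue
 ip address 192.168.1.254 255.255.255.0
interface FastEthernet1/0
 ip vrf forwarding Red
 ip address 192.168.2.254 255.255.255.0
interface FastEthernet2/0
 ip vrf forwarding Blue
 ip address 192.168.3.254 255.255.255.0
interface FastEthernet3/0
 ip vrf forwarding Red
router ospf 1 vrf Blue
 network 192.168.1.0 0.0.0.255 area 0
 network 192.168.3.0 0.0.0.255 area 0
router ospf 2 vrf Red
 network 192.168.2.0 0.0.0.255 area 0
 network 192.168.4.0 0.0.0.255 area 0
end
"""

# The same config with the address put back, as in the lesson's final configuration.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "interface FastEthernet3/0\n ip vrf forwarding Red\n",
    "interface FastEthernet3/0\n ip vrf forwarding Red\n"
    " ip address 192.168.4.254 255.255.255.0\n",
)


def parse_config(text):
    """Return (interfaces, ospf): name -> {vrf, ip} and process id -> {vrf, networks}.
    Indentation is not relied on, so a config pasted flat (as on this page) parses too."""
    interfaces, ospf, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = ("intf", m.group(1))
            interfaces[m.group(1)] = {"vrf": None, "ip": None}
            continue
        m = re.match(r"router ospf (\d+)(?: vrf (\S+))?$", line)
        if m:
            current = ("ospf", m.group(1))
            ospf[m.group(1)] = {"vrf": m.group(2), "networks": []}
            continue
        if re.match(r"(hostname|ip cef|ip vrf \S+$|end$|router )", line):
            current = None  # another top-level section starts; stop attributing lines
            continue
        if current is None:
            continue
        kind, name = current
        if kind == "intf":
            m = re.match(r"ip vrf forwarding (\S+)$", line)
            if m:
                interfaces[name]["vrf"] = m.group(1)
            m = re.match(r"ip address (\S+) (\S+)$", line)
            if m:
                interfaces[name]["ip"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        else:
            m = re.match(r"network (\S+) (\S+) area \S+$", line)
            if m:
                ospf[name]["networks"].append((m.group(1), m.group(2)))
    return interfaces, ospf


def ospf_network_matches(network, wildcard, address):
    """IOS 'network' statement semantics: bits set in the wildcard are ignored."""
    keep = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(network)) & keep == int(ipaddress.IPv4Address(address)) & keep


def audit(text):
    """Return human-readable findings; an empty list means the config passed."""
    interfaces, ospf = parse_config(text)
    findings = []
    for name, intf in interfaces.items():
        if intf["vrf"] and intf["ip"] is None:
            findings.append(f"{name}: in VRF {intf['vrf']} but has no IP address "
                            "(re-add it after 'ip vrf forwarding')")
    for pid, proc in ospf.items():
        members = [str(i["ip"].ip) for i in interfaces.values()
                   if i["vrf"] == proc["vrf"] and i["ip"] is not None]
        for network, wildcard in proc["networks"]:
            if not any(ospf_network_matches(network, wildcard, a) for a in members):
                findings.append(f"router ospf {pid} (vrf {proc['vrf']}): network {network} "
                                f"{wildcard} matches no addressed interface in that VRF")
    return findings
```

Run `audit` over a `show running-config` capture; the OSPF check also catches the case where a `network` statement was typed under the wrong VRF's process, which on the box itself looks like nothing more than a neighbor that never appears.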
If you have any questions, feel free to leave a comment!

VRF Lite Route Leaking


Lesson Contents
 Configuration
o Static Routes
 Configuration
 Verification
o MP-BGP
 Configuration
 Verification
 Conclusion
VRF Lite allows us to use multiple routing tables on a router, creating a separation
similar to VLANs on switches. Each interface on the router can be assigned to a
different VRF. However, what if you have some shared services or routes that should
be shared between multiple VRFs?

It is possible to “leak” routes from one VRF into another. There are two options to
achieve this:

 Static Routes
 MP-BGP

In this lesson, I’ll show you how to configure both options.

Configuration
This is the topology I will use:
We have an ISP router that is connected to two customers. For each customer, we
use a different VRF:

 VRF "RED" for Red1
 VRF "BLUE" for Blue1

hostname ISP

ip vrf BLUE

ip vrf RED

ip cef

interface GigabitEthernet0/1

ip vrf forwarding RED

ip address 192.168.12.2 255.255.255.0

interface GigabitEthernet0/2

ip vrf forwarding BLUE

ip address 192.168.23.2 255.255.255.0

end

hostname Red1

!
ip cef

interface Loopback0

ip address 1.1.1.1 255.255.255.255

interface Loopback1

ip address 11.11.11.11 255.255.255.255

interface GigabitEthernet0/1

ip address 192.168.12.1 255.255.255.0

end

hostname Blue1

ip cef

interface Loopback0

ip address 3.3.3.3 255.255.255.255

interface Loopback1

ip address 33.33.33.33 255.255.255.255

!
interface GigabitEthernet0/1

ip address 192.168.23.3 255.255.255.0

end

With the configuration above, we only have connectivity within a VRF. What if we
want connectivity between VRF RED and BLUE?

Static Routes
Let’s start with the static routes option. According to this Cisco document, static
routes directly between VRFs are not supported. What does work, is routing traffic
from a VRF to the global routing table and then to the destination VRF. One
advantage of using static routes is that you can configure exactly which routes
should be reachable without the hassle of configuring MP-BGP.

I’ll show you how to get connectivity between 1.1.1.1/32 in VRF RED and 3.3.3.3/32 in
VRF BLUE.

Configuration

First, let’s create a default route on the Red1 and Blue1 routers so that they send all
unknown traffic towards the ISP router:

Red1(config)#ip route 0.0.0.0 0.0.0.0 192.168.12.2

Blue1(config)#ip route 0.0.0.0 0.0.0.0 192.168.23.2

In each VRF, we add a static route for the destination in the other VRF that we want
to reach. This static route is pointed to the global routing table:

ISP(config)#ip route vrf RED 3.3.3.3 255.255.255.255 192.168.23.3 global
ISP(config)#ip route vrf BLUE 1.1.1.1 255.255.255.255 192.168.12.1 global

Let me explain what you see above:


 In VRF RED, we have a static route to destination 3.3.3.3/32 that uses next hop
IP address 192.168.23.3 in the global routing table.
 In VRF BLUE, we have a static route for destination 1.1.1.1/32 that uses next
hop IP address 192.168.12.1 in the global routing table.

These two static routes will route traffic from the VRFs to the global routing table.
These next hop addresses, however, are not in the global routing table but in the
VRFs.

We need to add two static routes in the global routing table of the ISP router so that
it knows how to reach the next hop addresses:

ISP(config)#ip route 192.168.12.1 255.255.255.255 GigabitEthernet 0/1

ISP(config)#ip route 192.168.23.3 255.255.255.255 GigabitEthernet 0/2

That completes our configuration.

Verification

Let’s look at the routing tables of our ISP router. Here’s the routing table of VRF RED:

ISP#show ip route vrf RED static

3.0.0.0/32 is subnetted, 1 subnets

S 3.3.3.3 [1/0] via 192.168.23.3

Above we see the static route for 3.3.3.3/32 that points to 192.168.23.3. It doesn’t
show it, but this static route points to the global routing table. Here is the route for
1.1.1.1/32 in routing table VRF BLUE:

ISP#show ip route vrf BLUE static

1.0.0.0/32 is subnetted, 1 subnets

S 1.1.1.1 [1/0] via 192.168.12.1


Here is the global routing table:

ISP#show ip route static

192.168.12.0/32 is subnetted, 1 subnets

S 192.168.12.1 is directly connected, GigabitEthernet0/1

192.168.23.0/32 is subnetted, 1 subnets

S 192.168.23.3 is directly connected, GigabitEthernet0/2

Above, we see the entries for the next hop addresses in the global routing table.

The ISP router is now able to route from one VRF into the global routing table and
into another VRF. Let’s try a quick ping:

Red1#ping 3.3.3.3 source 1.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:

Packet sent with a source address of 1.1.1.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 5/7/10 ms

Mission accomplished.

Want to take a look for yourself? Here you will find the startup configuration of each
device.

hostname Blue1

!
ip cef

interface Loopback0

ip address 3.3.3.3 255.255.255.255

interface Loopback1

ip address 33.33.33.33 255.255.255.255

interface GigabitEthernet0/1

ip address 192.168.23.3 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.23.2

end

hostname ISP

ip vrf BLUE

ip vrf RED

ip cef

!
interface GigabitEthernet0/1

ip vrf forwarding RED

ip address 192.168.12.2 255.255.255.0

interface GigabitEthernet0/2

ip vrf forwarding BLUE

ip address 192.168.23.2 255.255.255.0

ip route 192.168.12.1 255.255.255.255 GigabitEthernet0/1

ip route 192.168.23.3 255.255.255.255 GigabitEthernet0/2

ip route vrf BLUE 1.1.1.1 255.255.255.255 192.168.12.1 global

ip route vrf RED 3.3.3.3 255.255.255.255 192.168.23.3 global

end

hostname Red1

ip cef

interface Loopback0

ip address 1.1.1.1 255.255.255.255

interface Loopback1
ip address 11.11.11.11 255.255.255.255

interface GigabitEthernet0/1

ip address 192.168.12.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.12.2

end

MP-BGP
Let’s see how we can get connectivity between the VRFs by using MP-BGP. This is
pretty much the same as MPLS VPN PE CE but without MPLS. We will use MP-BGP to
redistribute routes from one VRF into another.

To demonstrate this, I will redistribute static routes that I create on the ISP router
into MP-BGP. Of course, you can also use a routing protocol like OSPF or EIGRP
between the ISP and customer routers.

Configuration

Let’s create a default route on the customer routers that point to the ISP:

Red1(config)#ip route 0.0.0.0 0.0.0.0 192.168.12.2

Blue1(config)#ip route 0.0.0.0 0.0.0.0 192.168.23.2

On the ISP router, I have to do two things under the VRF configuration:

 We need an RD (Route Distinguisher) for each VRF.
 We need an RT (Route Target) and export/import our routes.

This is what we’ll do:

 VRF RED will use RD 1:1 and VRF BLUE uses RD 3:3
 Routes from VRF RED will be exported using RT 1:1
 Routes from VRF BLUE will be exported using RT 3:3

Let’s start with the configuration for VRF RED:

ISP(config)#ip vrf RED

ISP(config-vrf)#rd 1:1

ISP(config-vrf)#route-target export 1:1

ISP(config-vrf)#route-target import 3:3

VRF RED exports its routes with RT 1:1 and imports routes with RT 3:3. Here’s VRF
BLUE:

ISP(config)#ip vrf BLUE

ISP(config-vrf)#rd 3:3

ISP(config-vrf)#route-target export 3:3

ISP(config-vrf)#route-target import 1:1

Now we can worry about getting the routes into each other’s VRF. Within each VRF, I
will create a static route that points to the loopback 0 interface of the other VRF:

ISP(config)#ip route vrf RED 1.1.1.1 255.255.255.255 192.168.12.1

ISP(config)#ip route vrf BLUE 3.3.3.3 255.255.255.255 192.168.23.3

Now we can redistribute these into MP-BGP. Let’s start a new BGP process. It doesn’t
matter what AS number you use since we won’t have any neighbors. Since I don’t
have any IP addresses in my global routing table, BGP will complain about being
unable to pick a router ID so I’ll configure one manually:

ISP(config)#router bgp 2

ISP(config-router)#bgp router-id 2.2.2.2

Under the address-family of each VRF, we have to redistribute two things:


 Static route: this is the static route we just configured within each VRF. It
points to the loopback 0 interface of the other customer router.
 Directly connected route: required because the next hop IP address for the
static route is on this network.

ISP(config-router)#address-family ipv4 vrf RED

ISP(config-router-af)#redistribute static

ISP(config-router-af)#redistribute connected

ISP(config-router)#address-family ipv4 vrf BLUE

ISP(config-router-af)#redistribute static

ISP(config-router-af)#redistribute connected

Our static and directly connected routes are now in MP-BGP and will be
exported/imported according to the route-targets we configured.
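The export/import mechanics just described, as an added example written for this page (not code from the lesson): each VRF's static and connected routes enter a VPNv4 table keyed by the VRF's RD and tagged with its export route-targets, and every other VRF imports the routes whose RTs appear in its import list. RDs, RTs, prefixes and next hops reuse the lesson's values; a third VRF, GREEN, is constructed here to show that a VRF whose import list matches no export RT receives nothing.

```python
"""Added example (not from the original lesson): route-target export/import
between VRFs on one router, modelled on the MP-BGP leaking configuration."""
from dataclasses import dataclass, field


@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: frozenset
    import_rts: frozenset
    # prefix -> (next hop, source); only static and connected get redistributed
    routes: dict = field(default_factory=dict)


@dataclass(frozen=True)
class VpnRoute:
    rd: str
    prefix: str
    next_hop: str
    origin_vrf: str
    rts: frozenset


def export_to_vpnv4(vrfs):
    """'redistribute static' and 'redistribute connected' under each VRF
    address-family: each such route enters the VPNv4 table under the VRF's RD,
    tagged with the VRF's export route-targets."""
    table = []
    for vrf in vrfs:
        for prefix, (next_hop, source) in vrf.routes.items():
            if source in ("static", "connected"):
                table.append(VpnRoute(vrf.rd, prefix, next_hop, vrf.name, vrf.export_rts))
    return table


def import_from_vpnv4(vrf, vpn_table):
    """A VRF imports every VPNv4 route carrying at least one RT from its import
    list, unless the prefix is already its own. The RD keeps identical prefixes
    from different VRFs apart in the VPNv4 table; the RTs decide who imports."""
    leaked = {}
    for route in vpn_table:
        if route.origin_vrf == vrf.name or route.prefix in vrf.routes:
            continue
        if route.rts & vrf.import_rts:
            leaked[route.prefix] = (route.next_hop, f"bgp, from vrf {route.origin_vrf}")
    return leaked


def lesson_vrfs():
    """The lesson's RED and BLUE plus a constructed GREEN that matches nobody."""
    red = Vrf("RED", "1:1", frozenset({"1:1"}), frozenset({"3:3"}), {
        "1.1.1.1/32": ("192.168.12.1", "static"),
        "192.168.12.0/24": ("0.0.0.0", "connected"),
    })
    blue = Vrf("BLUE", "3:3", frozenset({"3:3"}), frozenset({"1:1"}), {
        "3.3.3.3/32": ("192.168.23.3", "static"),
        "192.168.23.0/24": ("0.0.0.0", "connected"),
    })
    green = Vrf("GREEN", "5:5", frozenset({"5:5"}), frozenset({"5:5"}), {
        "5.5.5.5/32": ("192.168.45.5", "static"),   # constructed, never imported
    })
    return [red, blue, green]


def leak_all(vrfs):
    """Return {vrf name: routes it imported from other VRFs}."""
    table = export_to_vpnv4(vrfs)
    return {vrf.name: import_from_vpnv4(vrf, table) for vrf in vrfs}
```

Importing RT 3:3 pulls in everything BLUE exports, the connected 192.168.23.0/24 included, which is exactly what the `show ip route vrf RED bgp` output above shows; the static-route option earlier in this lesson is the more selective of the two when only a single prefix should cross the boundary.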

Verification

Let’s take a look at the VPN routes of each VRF:

ISP#show bgp vpnv4 unicast vrf RED
     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf RED)
 *>  1.1.1.1/32       192.168.12.1             0         32768 ?
 *>  3.3.3.3/32       192.168.23.3             0         32768 ?
 *>  192.168.12.0     0.0.0.0                  0         32768 ?
 *>  192.168.23.0     0.0.0.0                  0         32768 ?

VRF RED has learned the 3.3.3.3/32 and 192.168.23.0/24 prefixes. Here’s VRF BLUE:

ISP#show bgp vpnv4 unicast vrf BLUE

Network Next Hop Metric LocPrf Weight Path

Route Distinguisher: 3:3 (default for vrf BLUE)

*> 1.1.1.1/32 192.168.12.1 0 32768 ?

*> 3.3.3.3/32 192.168.23.3 0 32768 ?

*> 192.168.12.0 0.0.0.0 0 32768 ?

*> 192.168.23.0 0.0.0.0 0 32768 ?

VRF BLUE has the 1.1.1.1/32 and 192.168.12.0/24 prefixes. We can also see these in
the routing table of each VRF:

ISP#show ip route vrf RED bgp

3.0.0.0/32 is subnetted, 1 subnets

B 3.3.3.3 [20/0] via 192.168.23.3 (BLUE), 00:06:41

192.168.23.0/24 is variably subnetted, 2 subnets, 2 masks

B 192.168.23.0/24 is directly connected, 00:08:20, GigabitEthernet0/2

ISP#show ip route vrf BLUE bgp

1.0.0.0/32 is subnetted, 1 subnets

B 1.1.1.1 [20/0] via 192.168.12.1 (RED), 00:07:23

192.168.12.0/24 is variably subnetted, 2 subnets, 2 masks


B 192.168.12.0/24 is directly connected, 00:09:00, GigabitEthernet0/1

Let’s see if we have connectivity between VRF RED and BLUE:

Red1#ping 3.3.3.3 source 1.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:

Packet sent with a source address of 1.1.1.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/9 ms

Excellent, this is working.

Want to take a look for yourself? Here you will find the final configuration of each
device.

hostname Blue1

ip cef

interface Loopback0

ip address 3.3.3.3 255.255.255.255

interface Loopback1

ip address 33.33.33.33 255.255.255.255

!
interface GigabitEthernet0/1

ip address 192.168.23.3 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.23.2

end

hostname ISP

ip vrf BLUE

rd 3:3

route-target export 3:3

route-target import 1:1

ip vrf RED

rd 1:1

route-target export 1:1

route-target import 3:3

ip cef

interface GigabitEthernet0/1

ip vrf forwarding RED


ip address 192.168.12.2 255.255.255.0

interface GigabitEthernet0/2

ip vrf forwarding BLUE

ip address 192.168.23.2 255.255.255.0

router bgp 2

bgp router-id 2.2.2.2

bgp log-neighbor-changes

address-family ipv4 vrf BLUE

redistribute connected

redistribute static

exit-address-family

address-family ipv4 vrf RED

redistribute connected

redistribute static

exit-address-family

ip route vrf BLUE 3.3.3.3 255.255.255.255 192.168.23.3

ip route vrf RED 1.1.1.1 255.255.255.255 192.168.12.1


!

end

hostname Red1

ip cef

interface Loopback0

ip address 1.1.1.1 255.255.255.255

interface Loopback1

ip address 11.11.11.11 255.255.255.255

interface GigabitEthernet0/1

ip address 192.168.12.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.12.2

end

Conclusion
You have now learned how to leak routes from one VRF into another:

 How to use static routes to route from a VRF into the global routing table and
into another VRF.
 How to use MP-BGP to exchange routes from one VRF into another.

Static route on Cisco IOS Router
In this lesson, we’ll take a look at static routes and in particular, how to configure
them.

Let me show you the following topology:

Look at the network in the picture above. We have a network with two sites: headquarters
and a branch office.

The headquarters is connected to the branch office. Behind the branch office is the
2.2.2.0 /24 network. We want to ensure that the headquarters can reach the 2.2.2.0 /24
network.

Let me show you how we configure this network using a static route:

HQ>enable
HQ#configure terminal

First, I’ll go to enable mode and enter configuration mode.

HQ(config)#interface FastEthernet 0/0

HQ(config-if)#no shutdown

HQ(config-if)#ip address 192.168.12.1 255.255.255.0

Branch>enable

Branch#configure terminal

Branch(config)#interface fastEthernet0/0

Branch(config-if)#no shutdown

Branch(config-if)#ip address 192.168.12.2 255.255.255.0

Branch(config-if)#exit

Branch(config)#interface fastEthernet 1/0

Branch(config-if)#no shutdown

Branch(config-if)#ip address 2.2.2.2 255.255.255.0

Then I’ll configure the IP addresses on the interfaces; don’t forget to do a no
shutdown on the interfaces.

Let’s take a look at the routing tables of both routers:

HQ#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2


E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1,

ia - IS-IS inter area, * - candidate default,

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C 192.168.12.0/24 is directly connected, FastEthernet0/0

Branch#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1,

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C 192.168.12.0/24 is directly connected, FastEthernet0/0

2.0.0.0/24 is subnetted, 1 subnets

C 2.2.2.0 is directly connected, FastEthernet1/0

Use the show ip route command to view the routing table. This is what a router
uses to make decisions about where to forward IP packets to. By default, a router
only knows its directly connected networks. We configured an IP address with a
subnet mask on the interface, so the router also knows the network address.

 Router HQ knows about network 192.168.12.0/24.
 Router Branch knows about network 192.168.12.0/24 and 2.2.2.0/24.

At this moment our HQ router has no idea how to reach network 2.2.2.0/24 because
there is no entry in the routing table. What will happen when we try to reach it? Let’s
check:

HQ#ping 2.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

The ping will fail. This router checks its routing table, and discovers that it doesn’t
know how to reach network 2.2.2.0 /24, and will drop the traffic. Let’s use a static
route to tell router HQ how to reach this network!

HQ(config)#ip route 2.2.2.0 255.255.255.0 192.168.12.2

We use the ip route command to create a static route. Let me break it down for you:

 2.2.2.0 is the network we want to reach.


 255.255.255.0 is the subnet mask of the network.
 192.168.12.2 is called the next hop IP address. It’s the IP address where we
want to send traffic to. In this example, that’s the branch router.

I’m telling router HQ that it can reach network 2.2.2.0 /24 by sending traffic to IP
address 192.168.12.2 (the Branch router).

Let’s take another look at the routing table to see if anything has changed:

HQ#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C 192.168.12.0/24 is directly connected, FastEthernet1/0

1.0.0.0/24 is subnetted, 1 subnets

C 1.2.3.0 is directly connected, FastEthernet0/0

2.0.0.0/24 is subnetted, 1 subnets

S 2.2.2.0 [1/0] via 192.168.12.2

We can now see an entry for network 2.2.2.0/24 in our routing table. Whenever
router HQ has traffic for network 2.2.2.0 /24, it will send it to IP address 192.168.12.2
(router Branch). Let’s see if our ping is now working:

HQ#ping 2.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/12 ms

Bingo, now it’s working. Router HQ knows how to reach network 2.2.2.0 /24 because
of our static route.

Are you following me so far? Whenever an IP packet arrives at a router, it will check
its routing table to see if it knows about the destination network. If it does, it will
forward the IP packet, and if it has no idea where to send traffic, it will drop the IP
packet.

Want to take a look for yourself? Here you will find the startup configuration of each
device.

hostname HQ

interface FastEthernet 0/0

ip address 192.168.12.1 255.255.255.0

ip route 2.2.2.0 255.255.255.0 192.168.12.2

end

hostname Branch

interface fastEthernet0/0

ip address 192.168.12.2 255.255.255.0

interface fastEthernet 1/0


ip address 2.2.2.2 255.255.255.0

end

There is another situation where a static route might be useful. Let me demonstrate
another network:

In the picture above, our HQ router is connected to an ISP (Internet Service
Provider). There are many networks on the Internet, so do we require all of those
networks on the Internet in our routing table? The answer is no because we can use
a default route. Let me show you what it is:

HQ(config)#interface fastEthernet 1/0

HQ(config-if)#ip address 1.2.3.2 255.255.255.0

HQ(config-if)#no shutdown

HQ(config-if)#exit

First, we’ll configure an IP address on the FastEthernet 1/0 of the HQ router.

HQ#ping 1.2.3.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.2.3.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/12 ms


It’s always a good idea to check connectivity. A quick ping to the ISP router proves
that we can reach the ISP.

HQ#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C 1.2.3.0 is directly connected, FastEthernet1/0

Right now, the HQ router only knows how to reach network 1.2.3.0/24 because it’s
directly connected. Let’s configure a default route so that we can reach the Internet:

HQ(config)#ip route 0.0.0.0 0.0.0.0 1.2.3.1

Let me explain this one:

 The first 0.0.0.0 is the network address; in this case, it means all networks.
 The second 0.0.0.0 is the subnet mask; all zeroes means all subnet masks.
 1.2.3.1 is the next hop IP address. In this case, the IP address of the ISP
router.

In other words, this static route will match all networks, and that’s why we call it a
default route. When our router doesn’t know where to deliver IP packets to, we’ll
throw it over the fence towards the ISP and it will be their job to deliver it…sounds
good, right?
 Configurations
 HQ

hostname HQ

interface FastEthernet 1/0

ip address 1.2.3.2 255.255.255.0

ip route 0.0.0.0 0.0.0.0 1.2.3.1

end

 ISP

hostname ISP

interface FastEthernet 0/0

ip address 1.2.3.1 255.255.255.0

end

It is important to know that routers will always use the most specific match in their
routing table. Let me give you an example:

Router#show ip route static

192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks


S 192.168.1.0/24 [1/0] via 10.2.2.2

S 192.168.1.128/25 [1/0] via 10.3.3.2

S 192.168.0.0/16 [1/0] via 10.1.1.2

Imagine the router above receives an IP packet with destination IP address
192.168.1.140. Will it send the IP packet towards 10.2.2.2, 10.3.3.2, or 10.1.1.2?

All three entries in the routing table match this destination IP address, but
192.168.1.128 /25 is the most specific entry in this case. The IP packets will be
forwarded to 10.3.3.2.
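
Here is the same lookup written out in Python so you can see the longest-prefix rule, the "no route means drop" behaviour from the failed ping earlier in this lesson, and the 0.0.0.0/0 default route all in one place. This is an added example, not code from the lesson: the three static routes are the `show ip route static` entries above, while the default route via 1.2.3.1 and the destination addresses other than 192.168.1.140 are constructed. Because Python's `ipaddress` module handles both address families, the same function also resolves IPv6 prefixes, which goes beyond the IPv4 table shown on the page.

```python
"""Longest-prefix-match lookup, as a router does against its routing table.

Added example (not the lesson's own code). STATIC_ROUTES is the
`show ip route static` output from the lesson; the default route and the
extra destinations used below are constructed.
"""
import ipaddress

# (prefix, next hop) as printed by `show ip route static`
STATIC_ROUTES = [
    ("192.168.1.0/24", "10.2.2.2"),
    ("192.168.1.128/25", "10.3.3.2"),
    ("192.168.0.0/16", "10.1.1.2"),
]


def lookup(routes, destination):
    """Return the next hop of the most specific matching route, or None when
    nothing matches (the router then drops the packet, as the failed ping to
    2.2.2.2 showed before the static route was added)."""
    dst = ipaddress.ip_address(destination)
    best_net, best_hop = None, None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        # `in` is False for a mismatched address family, so v4 and v6 can share a table
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return best_hop


def forward(routes, destination):
    """Forwarding decision as a short string, handy for tracing."""
    hop = lookup(routes, destination)
    return "drop (no route)" if hop is None else f"send to {hop}"


def with_default(routes, gateway):
    """Return a copy of the table with a 0.0.0.0/0 default route appended.
    It has prefix length 0, so it only wins when nothing else matches."""
    return routes + [("0.0.0.0/0", gateway)]


if __name__ == "__main__":
    for dst in ("192.168.1.140", "192.168.1.10", "192.168.7.1", "8.8.8.8"):
        print(dst, "->", forward(STATIC_ROUTES, dst))
    print("8.8.8.8 with default ->", forward(with_default(STATIC_ROUTES, "1.2.3.1"), "8.8.8.8"))
```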

Now you know how a router uses its routing table and how to configure a static
route. Are there any disadvantages to static routes? Let me show you an example:

In the picture above, I have many routers and a lot of networks. If I want to configure
full reachability between the routers, I have to configure many static routes, and there
is no backup: if a link fails, you’ll need to edit your static routes and send traffic in
another direction. The picture above would be more suitable for dynamic routing.

I hope this lesson has been helpful to you. If you have any questions, please leave a
comment.

How to configure IPv6 Static Route


Lesson Contents
 Configuration
o Static route for a prefix
 Static route for a prefix – outgoing interface
 Static route for a prefix – global unicast next hop
 Static route for a prefix – link-local next hop
o Static default route
 Static default route – outgoing interface
 Static default route – global unicast next hop
 Static default route – link-local next hop
o Static host route
 Static host route – outgoing interface
 Static host route – global unicast next hop
 Static host route – link-local next hop
o Static floating route
 Static floating route – outgoing interface
 Static floating route – global unicast next hop
 Static floating route – link-local next hop
 Conclusion
If you know how to configure a static route for IPv4, you shouldn’t have any issues
with IPv6 static routes. The configuration and syntax are similar. There are only
some minor differences. In this lesson, I will show you how to configure all IPv6 static
route types.

Configuration
To demonstrate this, I will use the following topology:

R1 and R2 are connected with a serial link. R2 has a loopback interface with IPv6
address 2001:DB8:2:2::2/64. Let’s see if we can reach this address.

Static route for a prefix


Let’s start with a simple example where we create a static route for the prefix we
want to reach: 2001:DB8:2:2::/64.

Static route for a prefix – outgoing interface

Like with IPv4, it is possible to use an interface as the next hop. This will only work
with point-to-point interfaces:

R1(config)#ipv6 route 2001:DB8:2:2::/64 Serial 0/0/0

Here’s what the routing table looks like:

R1#show ipv6 route static

S 2001:DB8:2:2::/64 [1/0]

via Serial0/0/0, directly connected

Let’s see if it works:

R1#ping 2001:DB8:2:2::2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2001:DB8:2:2::2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms

Our ping is working.

If you try this with a FastEthernet interface, you’ll see that the router will accept the
command, but the ping won’t work. You can’t use this for multi-access interfaces.

Static route for a prefix – global unicast next hop

Instead of an outgoing interface, we can also specify the global unicast address as
the next hop:

R1(config)#ipv6 route 2001:DB8:2:2::/64 2001:DB8:12:12::2


Here’s what the routing table looks like:

R1#show ipv6 route static

S 2001:DB8:2:2::/64 [1/0]

via 2001:DB8:12:12::2

Let’s see if it works:

R1#ping 2001:DB8:2:2::2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2001:DB8:2:2::2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms

No problem at all…

Instead of global unicast addresses, you can also use unique local addresses. These
are the IPv6 equivalent of IPv4 private addresses.

Static route for a prefix – link-local next hop

One of the differences between IPv4 and IPv6 is that IPv6 generates a link-local
address for each interface. These link-local addresses are also used by routing
protocols like RIPng, EIGRP, OSPFv3, etc, as the next-hop addresses. Let’s see what
the link-local address is of R2:

R2#show ipv6 interface Serial 0/0/0 | include link-local

IPv6 is enabled, link-local address is FE80::21C:F6FF:FE11:41F0

Let’s use this as the next-hop address. When you use a global unicast address as the
next hop, your router can look at the routing table and figure out what outgoing
interface to use to reach this global unicast address. With link-local addresses, the
router has no clue which outgoing interface to use so you will have to specify both
the outgoing interface and the link-local address:

R1(config)#ipv6 route 2001:DB8:2:2::/64 Serial 0/0/0 FE80::21C:F6FF:FE11:41F0

Here’s what the routing table looks like:

R1#show ipv6 route static

S 2001:DB8:2:2::/64 [1/0]

via FE80::21C:F6FF:FE11:41F0, Serial0/0/0

Just to be sure, let’s try a ping:

R1#ping 2001:DB8:2:2::2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2001:DB8:2:2::2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms

No problems there.

Static default route


Just like IPv4, we can also create static default routes. A default route has only zeroes
(::) and a /0 prefix length. This is the equivalent of 0.0.0.0/0 in IPv4. We can do this
with an interface, global unicast, or link-local address. Let’s try all options!

Static default route – outgoing interface

Let’s start with the outgoing interface first:


R1(config)#ipv6 route ::/0 Serial 0/0/0

Here’s the routing table:

R1#show ipv6 route static

S ::/0 [1/0]

via Serial0/0/0, directly connected

Let’s try a quick ping:

R1#ping 2001:DB8:2:2::2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2001:DB8:2:2::2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms

Static default route – global unicast next hop

Instead of an outgoing interface, let’s try a global unicast next-hop address:

R1(config)#ipv6 route ::/0 2001:DB8:12:12::2

Here’s the routing table:

R1#show ipv6 route static

S ::/0 [1/0]

via 2001:DB8:12:12::2

Let’s try a quick ping:

R1#ping 2001:DB8:2:2::2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2001:DB8:2:2::2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms

Time for the next option.

Static default route – link-local next hop

Let’s replace the global unicast next hop address with a link-local address:

R1(config)#ipv6 route ::/0 Serial 0/0/0 FE80::21C:F6FF:FE11:41F0

Here’s the routing table:

R1#show ipv6 route static

S ::/0 [1/0]

via FE80::21C:F6FF:FE11:41F0, Serial0/0/0

Let’s try a quick ping:

R1#ping 2001:DB8:2:2::2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2001:DB8:2:2::2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms

Our ping is working.

Static host route


We can also create static routes for a single IPv6 address, called a static host route.
These examples are the same as the ones you have seen before, but this time, we
will create an entry for 2001:DB8:2:2::2/128, which is similar to using a /32 subnet
mask in IPv4.

Static host route – outgoing interface

First, we will try the outgoing interface:

R1(config)#ipv6 route 2001:DB8:2:2::2/128 Serial 0/0/0

Here is the routing table:

R1#show ipv6 route static

S 2001:DB8:2:2::2/128 [1/0]

via Serial0/0/0, directly connected

Let’s try a quick ping:

R1#ping 2001:DB8:2:2::2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2001:DB8:2:2::2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms


Static host route – global unicast next hop

Let’s try a global unicast address as the next hop:

R1(config)#ipv6 route 2001:DB8:2:2::2/128 2001:DB8:12:12::2

Here is the routing table:

R1#show ipv6 route static

S 2001:DB8:2:2::2/128 [1/0]

via 2001:DB8:12:12::2

And let’s try a quick ping:

R1#ping 2001:DB8:2:2::2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2001:DB8:2:2::2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms

Static host route – link-local next hop

Last but not least, a link-local address as the next hop address:

R1(config)#ipv6 route 2001:DB8:2:2::2/128 Serial 0/0/0 FE80::21C:F6FF:FE11:41F0

Here’s R1’s routing table:

R1#show ipv6 route static


S 2001:DB8:2:2::2/128 [1/0]

via FE80::21C:F6FF:FE11:41F0, Serial0/0/0

Let’s try another ping:

R1#ping 2001:DB8:2:2::2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2001:DB8:2:2::2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms

Static floating route


We can also configure floating static routes. To test this, I have to add another
router:

R3 is added to our topology, and I configured the same loopback address
(2001:DB8:23:23::23/128) on both routers. R3 will be used as our main path to reach
this address. When the link is down, we want to use R2.

Here’s the static route that uses R3 as the primary path:

R1(config)#ipv6 route 2001:DB8:23:23::/64 2001:DB8:13:13::3

Static floating route – outgoing interface

Let’s try the outgoing interface first. The static route looks like this:

R1(config)#ipv6 route 2001:DB8:23:23::/64 Serial 0/0/0 2

Note that at the end of the line above, I specified the administrative distance with a
value of 2. With both interfaces up, R1 will send all traffic to R3:

R1#show ipv6 route static

S 2001:DB8:23:23::/64 [1/0]

via 2001:DB8:13:13::3

Above, you can see that the default administrative distance is 1. Let’s shut the
FastEthernet 0/0 interface to test our static floating route:

R1(config)#interface FastEthernet 0/0

R1(config-if)#shutdown

Let’s look at the routing table again:

R1#show ipv6 route static

S 2001:DB8:2:2::/64 [2/0]

via Serial0/0/0, directly connected

The entry to R2 is now installed. You can also see the administrative distance value
of two in the routing table.

Static floating route – global unicast next hop

Instead of the outgoing interface, we can also use a global unicast address as the
next hop:

R1(config)#ipv6 route 2001:DB8:2:2::/64 2001:DB8:12:12::2 2

The routing table will then look like this:

R1#show ipv6 route static


S 2001:DB8:2:2::/64 [2/0]

via 2001:DB8:12:12::2

Static floating route – link-local next hop

Or use a link-local address as the next hop:

R1(config)#ipv6 route 2001:DB8:2:2::/64 Serial 0/0/0 FE80::21C:F6FF:FE11:41F0 2

Here is the routing table:

R1#show ipv6 route static

S 2001:DB8:2:2::/64 [2/0]

via FE80::21C:F6FF:FE11:41F0, Serial0/0/0
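
To show how the router picks between the primary and the floating route, here is a small Python model of the selection. It is an added example, not code from the lesson: the two candidate routes are the primary route via 2001:DB8:13:13::3 (default administrative distance 1) and the floating route via Serial0/0/0 (administrative distance 2) from the section above. That the R3 next hop resolves over FastEthernet0/0 is an assumption taken from the lesson shutting that interface to trigger the failover.

```python
"""Floating static route selection: which static route the RIB installs.

Added example (not the lesson's own code). It models R1's two static routes
for 2001:DB8:23:23::/64 from the lesson: the primary via R3 (default AD 1)
and the floating route via Serial0/0/0 (AD 2). Resolving the R3 next hop
over FastEthernet0/0 is an assumption based on the interface the lesson shuts.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    prefix: str
    via: str          # next-hop address, or outgoing interface for point-to-point links
    interface: str    # interface the route resolves over
    ad: int = 1       # administrative distance; 1 is the IOS default for static routes


def installed(candidates, interface_up):
    """Return the routes the RIB installs for one prefix: among candidates whose
    interface is up, every route sharing the lowest administrative distance
    (equal-AD routes are installed together and load-balanced)."""
    usable = [r for r in candidates if interface_up.get(r.interface, False)]
    if not usable:
        return []
    best_ad = min(r.ad for r in usable)
    return [r for r in usable if r.ad == best_ad]


def show_route_static(routes):
    """Render installed routes the way `show ipv6 route static` prints them."""
    return [f"S {r.prefix} [{r.ad}/0] via {r.via}" for r in routes]


PRIMARY = StaticRoute("2001:DB8:23:23::/64", "2001:DB8:13:13::3", "FastEthernet0/0")
FLOATING = StaticRoute("2001:DB8:23:23::/64", "Serial0/0/0", "Serial0/0/0", ad=2)


def failover_demo():
    """Return the routing table entries before and after FastEthernet0/0 goes down."""
    both_up = {"FastEthernet0/0": True, "Serial0/0/0": True}
    fa_down = {"FastEthernet0/0": False, "Serial0/0/0": True}
    return (show_route_static(installed([PRIMARY, FLOATING], both_up)),
            show_route_static(installed([PRIMARY, FLOATING], fa_down)))


if __name__ == "__main__":
    before, after = failover_demo()
    print("both interfaces up:", before)
    print("FastEthernet0/0 down:", after)
```

The model only withdraws a route when its own interface goes down, which is also all a plain floating static route reacts to on the router: if the link to R3 stays up but something behind it fails, the primary route stays installed and the backup is never used. On IOS that gap is closed by attaching an IP SLA object to the route with the `track` keyword, which is outside the scope of this lesson.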

Conclusion
You have now learned how to configure the following IPv6 static routes:

 Static route for a prefix
 Static default route
 Static host route
 Static floating route

And how to do this with different next-hop types:

 Outgoing interface (only for point-to-point interfaces)
 Global unicast address
 Link-local address

I hope these examples have been useful to you!


How to configure Policy Based Routing
Lesson Contents
 Configuration
 Conclusion
Policy-based routing can be used to change the next hop IP address for traffic
matching certain criteria. This can be useful to overrule your routing table for certain
traffic types. I will show you how to configure policy based routing.

Configuration
Here’s the topology that we will use:

Take a look at the topology picture above. OSPF is configured on all routers. Since
we are using Gigabit interfaces everywhere, traffic from R1 destined to 4.4.4.4 would
normally be load balanced between R2 and R3. However, I changed the cost on the
Gigabit Ethernet 0/3 interface of R1 so that all traffic will go from R1 > R2 > R4.

Let’s verify this:

R1#show ip ospf interface GigabitEthernet 0/2 | include Cost:

Process ID 1, Router ID 192.168.13.1, Network Type BROADCAST, Cost: 1

R1#show ip ospf interface GigabitEthernet 0/3 | include Cost:

Process ID 1, Router ID 192.168.13.1, Network Type BROADCAST, Cost: 1000

Above you can see the increased cost. Let’s try a quick traceroute from H1:

H1#traceroute 4.4.4.4 probe 1

Type escape sequence to abort.

Tracing the route to 4.4.4.4

VRF info: (vrf in name/id, vrf out name/id)

1 192.168.1.254 7 msec

2 192.168.12.2 6 msec

3 192.168.24.4 8 msec

Now let’s say I want to use the link between R1 and R3 to reach 4.4.4.4. I could
influence the metric for OSPF, but this applies to all traffic. What if I wanted to use
this link for certain traffic only?

We could use the link between R1/R2 for the majority of our traffic and use the link
between R1/R3 only for certain traffic. This can be very useful. For example, imagine
that the link between R1/R3 is a dedicated link that offers QoS for VoIP traffic.

This is something we can achieve with PBR (Policy Based Routing). Let me show
you how!

Right now, all traffic is sent toward R2:

R1#show ip route | include 4.4.4.4

O 4.4.4.4 [110/3] via 192.168.12.2, 00:16:48, GigabitEthernet0/2

Now let’s say that we want all ICMP traffic from H1 destined for 4.4.4.4 to cross the
link between R1/R3. Here’s how to do this:

R1(config)#ip access-list extended ICMP_H1

R1(config-ext-nacl)#permit icmp host 192.168.1.100 host 4.4.4.4

First, I create an access-list that matches my traffic. Now we have to create a
route-map:

R1(config)#route-map PBR_H1 permit 10

R1(config-route-map)#match ip address ICMP_H1

R1(config-route-map)#set ip next-hop 192.168.13.3

Whenever the traffic matches the access-list, we will change the next hop to
192.168.13.3 (R3).

Last but not least, let’s activate it:


R1(config)#interface GigabitEthernet 0/1

R1(config-if)#ip policy route-map PBR_H1

Let’s see if it works. To see it in action, I will enable a debug on R1:

R1#debug ip policy

Policy routing debugging is on

Now let’s send a ping from H1:

H1#ping 4.4.4.4 repeat 1

Type escape sequence to abort.

Sending 1, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:

Success rate is 100 percent (1/1), round-trip min/avg/max = 13/13/13 ms

The ping is working. Let’s see what R1 thinks of it:

R1#

IP: s=192.168.1.100 (GigabitEthernet0/1), d=4.4.4.4, len 100, FIB policy match

IP: s=192.168.1.100 (GigabitEthernet0/1), d=4.4.4.4, len 100, PBR_H1 Counted

IP: s=192.168.1.100 (GigabitEthernet0/1), d=4.4.4.4, g=192.168.13.3, len 100, FIB policy routed

Above, you can see that it has been policy routed towards 192.168.13.3. We can also
verify this by looking at the route-map:

R1#show route-map PBR_H1


route-map PBR_H1, permit, sequence 10

Match clauses:

ip address (access-lists): ICMP_H1

Set clauses:

ip next-hop 192.168.13.3

Nexthop tracking current: 0.0.0.0

192.168.13.3, fib_nh:0,oce:0,status:0

Policy routing matches: 1 packets, 114 bytes

Let’s try some traffic that doesn’t match our access-list. Telnet, for example:

H1#telnet 4.4.4.4

Trying 4.4.4.4 ... Open

H1 can connect but it’s not policy routed:

R1#

IP: s=192.168.1.100 (GigabitEthernet0/1), d=4.4.4.4, len 40, FIB policy rejected(no match) - normal forwarding

As you can see above, this telnet traffic is routed using the normal path.

There is one more thing I’d like to show you. With policy-based routing, there is a
difference between traffic going through the router and traffic originating from
the router.

The example above is for traffic that went through our router. What if we want to
policy route traffic that originated from R1? We will have to use another command to
activate it. Let’s create another route-map:

R1(config)#ip access-list extended ICMP_R1

R1(config-ext-nacl)#permit icmp host 192.168.12.1 host 4.4.4.4

R1(config-ext-nacl)#permit icmp host 192.168.13.1 host 4.4.4.4

R1(config)#route-map PBR_R1 permit 10

R1(config-route-map)#match ip address ICMP_R1

R1(config-route-map)#set ip next-hop 192.168.13.3

The route-map above will redirect all traffic from R1 to 4.4.4.4 toward R3. To activate
this, we need to use another command:

R1(config)#ip local policy route-map PBR_R1

This time, we need to use the ip local policy command. Let’s test this:

R1#ping 4.4.4.4 repeat 1

Type escape sequence to abort.

Sending 1, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:

Success rate is 100 percent (1/1), round-trip min/avg/max = 19/19/19 ms

R1#

IP: s=192.168.12.1 (local), d=4.4.4.4, len 100, policy match

IP: route map PBR_R1, item 10, permit

IP: s=192.168.12.1 (local), d=4.4.4.4 (GigabitEthernet0/3), len 100, policy routed

IP: local to GigabitEthernet0/3 192.168.13.3


Great, our traffic from R1 is policy routed.
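
The two decisions R1 made above (policy match on the ingress interface for H1's traffic, local policy for its own traffic, normal forwarding for everything else) are easy to model. The following Python is an added example, not code from the lesson: the access-lists, route-maps and the `ip policy` / `ip local policy` bindings are R1's from this lesson, while the routing table is reduced to a few constructed entries (the 4.4.4.4 entry via 192.168.12.2 matches the `show ip route` output above). The packet arriving on GigabitEthernet0/2 in the test is also constructed, to show that `ip policy` only acts on the interface it is bound to.

```python
"""Policy-based routing decision on R1 for transit and locally generated traffic.

Added example (not the lesson's own code). It reproduces the lesson's
access-lists, route-maps and `ip policy` / `ip local policy` bindings on R1
and returns the next hop each packet gets. RIB is a constructed, reduced
routing table; only its 4.4.4.4 entry is taken from the lesson's output.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str       # "icmp", "tcp", ...
    src: str
    dst: str
    in_iface: str    # ingress interface, or "local" for packets R1 generates itself


# Extended access-lists: (protocol, source host, destination host); implicit deny
ACLS = {
    "ICMP_H1": [("icmp", "192.168.1.100", "4.4.4.4")],
    "ICMP_R1": [("icmp", "192.168.12.1", "4.4.4.4"),
                ("icmp", "192.168.13.1", "4.4.4.4")],
}

# route-map name -> (match ip address <acl>, set ip next-hop)
ROUTE_MAPS = {
    "PBR_H1": ("ICMP_H1", "192.168.13.3"),
    "PBR_R1": ("ICMP_R1", "192.168.13.3"),
}

INTERFACE_POLICY = {"GigabitEthernet0/1": "PBR_H1"}   # ip policy route-map PBR_H1
LOCAL_POLICY = "PBR_R1"                               # ip local policy route-map PBR_R1

# Normal routing table: (prefix, next hop). OSPF prefers R2 for 4.4.4.4 (constructed,
# except the 4.4.4.4 entry which matches the lesson's `show ip route` output)
RIB = [
    ("4.4.4.4/32", "192.168.12.2"),
    ("192.168.1.0/24", "GigabitEthernet0/1"),
    ("192.168.24.0/24", "192.168.12.2"),
    ("192.168.34.0/24", "192.168.13.3"),
]


def acl_permits(acl_name, pkt):
    """Extended ACL semantics: a matching permit entry wins, otherwise implicit deny."""
    return any(proto == pkt.proto and src == pkt.src and dst == pkt.dst
               for proto, src, dst in ACLS[acl_name])


def rib_lookup(dst):
    """Longest-prefix match over the normal routing table (None = no route)."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p).prefixlen, hop) for p, hop in RIB
               if addr in ipaddress.ip_network(p)]
    return max(matches)[1] if matches else None


def route(pkt):
    """Return (next_hop, how). Policy is evaluated before the routing table:
    `ip policy` on the ingress interface for transit traffic, `ip local policy`
    for router-originated traffic. Non-matching traffic is forwarded normally."""
    policy = LOCAL_POLICY if pkt.in_iface == "local" else INTERFACE_POLICY.get(pkt.in_iface)
    if policy is not None:
        acl_name, next_hop = ROUTE_MAPS[policy]
        if acl_permits(acl_name, pkt):
            return next_hop, f"policy routed by {policy}"
    return rib_lookup(pkt.dst), "normal forwarding"


if __name__ == "__main__":
    for p in (Packet("icmp", "192.168.1.100", "4.4.4.4", "GigabitEthernet0/1"),
              Packet("tcp", "192.168.1.100", "4.4.4.4", "GigabitEthernet0/1"),
              Packet("icmp", "192.168.12.1", "4.4.4.4", "local")):
        print(p.proto, p.src, "on", p.in_iface, "->", route(p))
```

Because a policy match overrides the routing table, `ip policy` and `ip local policy` bindings deserve a look whenever you audit a router: a route-map can quietly divert selected flows to a next hop that never shows up in `show ip route`. The `debug ip policy` and `show route-map` output used in this lesson are the quickest way to confirm what is actually being policy routed.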

 Configurations
 H1

hostname H1

no ip routing

no ip cef

interface GigabitEthernet0/1

ip address 192.168.1.100 255.255.255.0

ip default-gateway 192.168.1.254

end

 R1

hostname R1

ip cef

!
interface GigabitEthernet0/1

ip address 192.168.1.254 255.255.255.0

ip policy route-map PBR_H1

interface GigabitEthernet0/2

ip address 192.168.12.1 255.255.255.0

interface GigabitEthernet0/3

ip address 192.168.13.1 255.255.255.0

ip ospf cost 1000

router ospf 1

network 192.168.1.0 0.0.0.255 area 0

network 192.168.12.0 0.0.0.255 area 0

network 192.168.13.0 0.0.0.255 area 0

ip local policy route-map PBR_R1

ip access-list extended ICMP_H1

permit icmp host 192.168.1.100 host 4.4.4.4

ip access-list extended ICMP_R1

permit icmp host 192.168.12.1 host 4.4.4.4


permit icmp host 192.168.13.1 host 4.4.4.4

route-map PBR_H1 permit 10

match ip address ICMP_H1

set ip next-hop 192.168.13.3

route-map PBR_R1 permit 10

match ip address ICMP_R1

set ip next-hop 192.168.13.3

end

 R2

hostname R2

ip cef

interface GigabitEthernet0/1

ip address 192.168.12.2 255.255.255.0

interface GigabitEthernet0/2

ip address 192.168.24.2 255.255.255.0


!

router ospf 1

network 192.168.12.0 0.0.0.255 area 0

network 192.168.24.0 0.0.0.255 area 0

end

 R3

hostname R3

ip cef

interface GigabitEthernet0/1

ip address 192.168.13.3 255.255.255.0

interface GigabitEthernet0/2

ip address 192.168.34.3 255.255.255.0

router ospf 1

network 192.168.13.0 0.0.0.255 area 0

network 192.168.34.0 0.0.0.255 area 0

!
end

 R4

hostname R4

ip cef

interface Loopback0

ip address 4.4.4.4 255.255.255.255

interface GigabitEthernet0/1

ip address 192.168.24.4 255.255.255.0

interface GigabitEthernet0/2

ip address 192.168.34.4 255.255.255.0

router ospf 1

network 4.4.4.4 0.0.0.0 area 0

network 192.168.24.0 0.0.0.255 area 0

network 192.168.34.0 0.0.0.255 area 0

line vty 0 4
login

transport input telnet

end

Want to take a look for yourself? Here you will find the final configuration of each
device.

Conclusion
Policy-based routing allows us to overrule the global routing table for traffic that
matches our access-list. This can be a great way to redirect traffic for certain
applications. To activate PBR, there is a difference between traffic that goes through
the router and traffic that is originated by the router:

 Use the ip policy command under the interface for traffic that goes through the
router.
 Use the ip local policy command globally for traffic originated by the router.

How to Filter Prefixes with Distribute-list


Prefixes that are advertised by routing protocols like OSPF, EIGRP, or RIP can be
filtered. One way of doing this is by using a distribute list. In this lesson, I’ll give you
an example of how to filter certain prefixes with a distribute-list.

Filtering can occur inbound or outbound. With an inbound route filter, the router
first checks whether the network is permitted before it accepts it. Let’s take a look at
a network topology so I can give you a demonstration:

R1 and R2 are connected and run EIGRP. On R2, I have added a couple of loopback
interfaces with prefixes that we will advertise in EIGRP. Here is the configuration:

R1(config)#router eigrp 12

R1(config-router)#no auto-summary

R1(config-router)#network 192.168.12.0

R2(config)#router eigrp 12

R2(config-router)#no auto-summary

R2(config-router)#network 192.168.12.0

R2(config-router)#network 172.16.0.0 0.0.3.255

Above, you can see that we advertise all prefixes in EIGRP.

R1#show ip route eigrp

172.16.0.0/24 is subnetted, 4 subnets

D 172.16.0.0 [90/156160] via 192.168.12.2, 00:01:07, FastEthernet0/0

D 172.16.1.0 [90/156160] via 192.168.12.2, 00:01:07, FastEthernet0/0

D 172.16.2.0 [90/156160] via 192.168.12.2, 00:01:07, FastEthernet0/0

D 172.16.3.0 [90/156160] via 192.168.12.2, 00:01:07, FastEthernet0/0

If we look at the routing table of router R1, we can see all those networks on the
loopback interfaces as they should be. Now we’ll see if we can do some filtering.

R1(config)#router eigrp 12

R1(config-router)#distribute-list ?

<1-199> IP access list number

<1300-2699> IP expanded access list number

WORD Access-list name

gateway Filtering incoming updates based on gateway

prefix Filter prefixes in routing updates

route-map Filter prefixes based on the route-map

Go to the configuration of the EIGRP process and use the distribute-list command to
see your options. As you can see, we can choose between an access-list, a prefix list,
or a route-map. Let's start with the access-list. You are probably familiar with
access lists if you studied CCNA.

R1(config-router)#distribute-list 1 ?

in Filter incoming routing updates

out Filter outgoing routing updates

If you specify an access-list number, you can choose if this route filter has to
be inbound or outbound.

R1(config-router)#distribute-list 1 in ?

Async Async interface

BVI Bridge-Group Virtual Interface

CDMA-Ix CDMA Ix interface


CTunnel CTunnel interface

Dialer Dialer interface

FastEthernet FastEthernet IEEE 802.3

Lex Lex interface

Loopback Loopback interface

MFR Multilink Frame Relay bundle interface

Multilink Multilink-group interface

Null Null interface

Port-channel Ethernet Channel of interfaces

Tunnel Tunnel interface

Vif PGM Multicast Host interface

Virtual-PPP Virtual PPP interface

Virtual-Template Virtual Template interface

Virtual-TokenRing Virtual TokenRing

<cr>

If you want, you can choose the interface to which to apply the inbound route filter.
If you don't specify an interface, it will apply to all interfaces.

R1(config-router)#distribute-list 1 in FastEthernet 0/0

I'm going to apply it to the FastEthernet 0/0 interface since that's the one on which
we receive information from router R2.

R1(config)#access-list 1 deny 172.16.1.0 0.0.0.255

R1(config)#access-list 1 permit any


Let’s create an access-list that will filter 172.16.1.0 /24 and permit all the other
networks.

R1#

%DUAL-5-NBRCHANGE: IP-EIGRP(0) 12: Neighbor 192.168.12.2 (FastEthernet0/0) is resync: route configuration changed

You’ll see a message showing you that the route filter has changed.

R1#show ip route eigrp

172.16.0.0/24 is subnetted, 3 subnets

D 172.16.0.0 [90/156160] via 192.168.12.2, 00:06:26, FastEthernet0/0

D 172.16.2.0 [90/156160] via 192.168.12.2, 00:06:26, FastEthernet0/0

D 172.16.3.0 [90/156160] via 192.168.12.2, 00:06:26, FastEthernet0/0

R1#show access-lists

Standard IP access list 1

10 deny 172.16.1.0, wildcard bits 0.0.0.255 (2 matches)

20 permit any (3 matches)

You can see 172.16.1.0 /24 has been filtered from the routing table. The matches in
the access-list also tell us we have filtered this network. Using an access-list is the
simplest method of route filtering. There are two other options. Let me show you:

R1(config-router)#distribute-list ?

<1-199> IP access list number

<1300-2699> IP expanded access list number


WORD Access-list name

gateway Filtering incoming updates based on gateway

prefix Filter prefixes in routing updates

route-map Filter prefixes based on the route-map

 Configurations
 Want to take a look for yourself? Here you will find the final configuration of
each device.
 R1

hostname R1

interface FastEthernet0/0

ip address 192.168.12.1 255.255.255.0

router eigrp 12

distribute-list 1 in FastEthernet0/0

network 192.168.12.0

access-list 1 deny 172.16.1.0 0.0.0.255

access-list 1 permit any

end

 R2
hostname R2

interface Loopback0

ip address 172.16.0.1 255.255.255.0

interface Loopback1

ip address 172.16.1.1 255.255.255.0

interface Loopback2

ip address 172.16.2.1 255.255.255.0

interface Loopback3

ip address 172.16.3.1 255.255.255.0

interface FastEthernet0/0

ip address 192.168.12.2 255.255.255.0

router eigrp 12

network 172.16.0.0 0.0.3.255

network 192.168.12.0

end
Using an access-list is the simplest method of filtering. The two other options are
prefix-lists and route-maps. I'll cover those two in another lesson 🙂 If you have any
questions feel free to leave a comment!

How to configure Prefix-List on Cisco Router


Prefix-lists can be used to filter prefixes and are far more powerful than simple
access-lists. Let’s say I want to filter all prefixes that fall within the 10.0.0.0 range and
that have a subnet mask between /24 and /28. Do you think you could do this with
an access-list? It won’t be easy, right…with a prefix-list this is very easy to do!

Most CCNP students find prefix-lists difficult to understand so in this lesson I’ll show
you how prefix-lists work by using them as route filters.

I will show you different scenarios and different filters. Here is the topology that we
will use:

Above you see two routers called “R1” and “R2”. On R2, we have a couple of loopback
interfaces with prefixes that we will advertise in EIGRP. I’m doing this, so we have
several prefixes to play with. Here is the configuration:

R1(config)#router eigrp 12

R1(config-router)#no auto-summary
R1(config-router)#network 192.168.12.0

R2(config)#router eigrp 12

R2(config-router)#no auto-summary

R2(config-router)#network 192.168.12.0

R2(config-router)#network 172.16.0.0 0.0.3.255

EIGRP is configured, so all networks are advertised.

R1#show ip route eigrp

172.16.0.0/24 is subnetted, 4 subnets

D 172.16.0.0 [90/156160] via 192.168.12.2, 00:01:07, FastEthernet0/0

D 172.16.1.0 [90/156160] via 192.168.12.2, 00:01:07, FastEthernet0/0

D 172.16.2.0 [90/156160] via 192.168.12.2, 00:01:07, FastEthernet0/0

D 172.16.3.0 [90/156160] via 192.168.12.2, 00:01:07, FastEthernet0/0

If we look at the routing table of R1 we can see all those networks on the loopback
interfaces as they should be. Now we’ll see if we can do some filtering. Let’s start
with a simple prefix-list that filters 172.16.1.0 /24 but permits everything else:

R1(config)#ip prefix-list FILTERTHIS seq 5 deny 172.16.1.0/24

R1(config)#ip prefix-list FILTERTHIS seq 10 permit 0.0.0.0/0 le 32

By using the ip prefix-list command, you can create prefix lists. As you can see
it looks a bit similar to my access-list but instead of typing wildcards we just specify
the number of bits. The first line denies 172.16.1.0/24 and the second line permits
0.0.0.0/0 (all networks) if they have a subnet mask of /32 or smaller…in other words
“everything”. This line is the equivalent of permit ip any any.
Let’s enable it on R1 to see what the result is:

R1(config)#router eigrp 12

R1(config-router)#distribute-list prefix FILTERTHIS in

And we’ll enable the new prefix-list.

R1#show ip route eigrp

172.16.0.0/24 is subnetted, 3 subnets

D 172.16.0.0 [90/156160] via 192.168.12.2, 00:01:54, FastEthernet0/0

D 172.16.2.0 [90/156160] via 192.168.12.2, 00:01:54, FastEthernet0/0

D 172.16.3.0 [90/156160] via 192.168.12.2, 00:01:54, FastEthernet0/0

As you can see, 172.16.1.0/24 has been filtered, and all the other networks are
permitted.

The true power of the prefix list is in the ge (Greater than or Equal to) and le (less
than or equal to) operators. Let’s look at some examples:

R1(config)#ip prefix-list RENETEST permit 10.0.0.0/8 le 19

In this example, I’m using the le operator. This prefix-list statement says that all
networks that fall within the 10.0.0.0/8 range AND that have a subnet mask of /19 or
less are permitted.

If I have a network with 10.0.0.0 /21, it will be denied by this prefix list. It falls within
the 10.0.0.0 /8 range, but it has a subnet mask of /21. I’m using the le operator,
which says that the subnet mask should be /19 or smaller.

Let’s say I have another network with 10.0.0.0 /17 then it will be permitted by this
prefix-list. It falls within the 10.0.0.0/8 range and has a subnet mask that is smaller
than /19.
Are you following me here? Let me give you an example on our routers:

R2(config)#interface loopback 10

R2(config-if)#ip address 10.1.1.1 255.255.0.0

R2(config-if)#interface loopback 11

R2(config-if)#ip address 10.2.2.2 255.255.128.0

R2(config-if)#interface loopback 12

R2(config-if)#ip address 10.3.3.3 255.255.192.0

R2(config-if)#interface loopback 13

R2(config-if)#ip address 10.4.4.4 255.255.224.0

R2(config-if)#interface loopback 14

R2(config-if)#ip address 10.5.5.5 255.255.240.0

R2(config-if)#interface loopback 15

R2(config-if)#ip address 10.6.6.6 255.255.248.0

First, we’ll add a couple of loopback interfaces on R2. If you look closely, you can see
I’m using different subnet masks.

R2(config)#router eigrp 12

R2(config-router)#network 10.0.0.0

And I’ll advertise them in EIGRP.

R1(config)#router eigrp 12

R1(config-router)#no distribute-list prefix FILTERTHIS in

Let’s get rid of the prefix-list on R1…


R1#show ip route eigrp

172.16.0.0/24 is subnetted, 4 subnets

D 172.16.0.0 [90/156160] via 192.168.12.2, 00:06:11, FastEthernet0/0

D 172.16.1.0 [90/156160] via 192.168.12.2, 00:00:35, FastEthernet0/0

D 172.16.2.0 [90/156160] via 192.168.12.2, 00:06:11, FastEthernet0/0

D 172.16.3.0 [90/156160] via 192.168.12.2, 00:06:11, FastEthernet0/0

10.0.0.0/8 is variably subnetted, 6 subnets, 6 masks

D 10.2.0.0/17 [90/156160] via 192.168.12.2, 00:02:22, FastEthernet0/0

D 10.3.0.0/18 [90/156160] via 192.168.12.2, 01:14:57, FastEthernet0/0

D 10.1.0.0/16 [90/156160] via 192.168.12.2, 00:06:11, FastEthernet0/0

D 10.6.0.0/21 [90/156160] via 192.168.12.2, 01:02:35, FastEthernet0/0

D 10.4.0.0/19 [90/156160] via 192.168.12.2, 01:14:46, FastEthernet0/0

D 10.5.0.0/20 [90/156160] via 192.168.12.2, 01:02:35, FastEthernet0/0

Now we see all the networks that fall within the 172.16.0.0/16 and 10.0.0.0/8 ranges.
Time to enable that prefix-list I just created:

R1(config)#router eigrp 12

R1(config-router)#distribute-list prefix RENETEST in

This is how we activate it, and this is what we end up with:


R1#show ip route eigrp

10.0.0.0/8 is variably subnetted, 4 subnets, 4 masks

D 10.2.0.0/17 [90/156160] via 192.168.12.2, 00:03:27, FastEthernet0/0

D 10.3.0.0/18 [90/156160] via 192.168.12.2, 01:16:03, FastEthernet0/0

D 10.1.0.0/16 [90/156160] via 192.168.12.2, 00:07:16, FastEthernet0/0

D 10.4.0.0/19 [90/156160] via 192.168.12.2, 01:15:51, FastEthernet0/0

Only four entries remain…why?

R1#show ip prefix-list RENETEST

ip prefix-list RENETEST: 1 entries

seq 5 permit 10.0.0.0/8 le 19

Here’s the prefix-list again. Let me explain what happened:

 Everything in the 172.16.0.0/16 range is filtered because it's not permitted in
our prefix-list.
 10.2.0.0/17 is permitted because it’s in the 10.0.0.0/8 range and has a /17
subnet mask.
 10.3.0.0/18 is permitted because it’s in the 10.0.0.0/8 range and has a /18
subnet mask.
 10.1.0.0/16 is permitted because it’s in the 10.0.0.0/8 range and has a /16
subnet mask.
 10.4.0.0/19 is permitted because it's in the 10.0.0.0/8 range and has a /19
subnet mask.
 10.5.0.0/20 is filtered, it’s in the 10.0.0.0/8 range but has a /20 subnet mask.
 10.6.0.0/21 is filtered, it’s in the 10.0.0.0/8 range but has a /21 subnet mask.

Does this make sense? Let’s walk through a couple more examples together!

R1(config)#ip prefix-list RENETEST2 permit 10.0.0.0/8 ge 20


This time I’m using the ge operator. Ge 20 means that the network needs to have a
subnet mask of /20 or larger to be permitted. 10.0.0.0 /8 is the range we are going to
check.

A network with 10.55.55.0 /25 will be permitted because it falls within the 10.0.0.0 /8
range and has a subnet mask of /25, which is larger than /20.

What about 10.60.0.0 /19? It falls within the 10.0.0.0 /8 range but it is not permitted
because it has a subnet mask of /19…our ge operator says it should be /20 or larger.

Hmm, interesting…what about 192.168.12.0 /25? The subnet mask of /25 matches
our ge operator, but it doesn’t fall within the 10.0.0.0 /8 range, so it’s not permitted.
Let’s see what happens if I activate this prefix-list on R1:

R1(config)#router eigrp 12

R1(config-router)#no distribute-list prefix RENETEST in

R1(config-router)#distribute-list prefix RENETEST2 in

First, disable the old prefix-list and secondly, enable the new one.

R1#show ip route eigrp

10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

D 10.6.0.0/21 [90/156160] via 192.168.12.2, 00:01:03, FastEthernet0/0

D 10.5.0.0/20 [90/156160] via 192.168.12.2, 00:01:03, FastEthernet0/0

Only two entries remain…why?

 Everything in the 172.16.0.0/16 range is filtered because it's not permitted in
our prefix-list.
 All networks in the 10.0.0.0/8 range with a subnet mask smaller than /20 are
filtered.
 All networks in the 10.0.0.0/8 range with a subnet mask of /20 or larger are
permitted, which means only 10.6.0.0/21 and 10.5.0.0/20.

R1(config)#ip prefix-list RENETEST3 permit 10.0.0.0/8 ge 16 le 18

We can also combine the ge and le operators. Look at my prefix-list above. It’s
permitting all networks that fall within the 10.0.0.0 /8 range and that have a subnet
mask of /16, /18, and everything in between.

10.22.0.0 /18 will be permitted because it falls within the 10.0.0.0 /8 range and has a
subnet mask of /18.

10.55.0.0 /26 will be denied. It falls within the 10.0.0.0 /8 range, but the subnet mask
is /26, which doesn't match my ge or le operators.

10.4.4.0 /14 will be denied. It falls within the 10.0.0.0 /8 range, but the subnet mask
is /14, which doesn’t match my ge or le operators.

192.168.12.0 /18 will be denied. It matches my ge and le operators, but it doesn’t fall
within the 10.0.0.0 /8 range.

Let’s activate it on R1 and see what the result is:

R1(config)#router eigrp 12

R1(config-router)#no distribute-list prefix RENETEST2 in

R1(config-router)#distribute-list prefix RENETEST3 in

First, we’ll remove the old prefix-list and activate the new one…

R1#show ip route eigrp

10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks

D 10.2.0.0/17 [90/156160] via 192.168.12.2, 00:00:36, FastEthernet0/0

D 10.3.0.0/18 [90/156160] via 192.168.12.2, 00:00:36, FastEthernet0/0

D 10.1.0.0/16 [90/156160] via 192.168.12.2, 00:00:36, FastEthernet0/0

And here’s the result. What happened?

 Everything in the 172.16.0.0/16 range is filtered because it's not permitted in
our prefix-list.
 Only networks in the 10.0.0.0/8 range with a subnet mask of /16, /17, or /18
are permitted. Everything else is filtered.

Do you see how powerful these prefix-lists are? With a single line, I can create very
flexible permit or deny statements! Let me show you a couple more examples of
prefix-lists:

R1(config)#ip prefix-list CLASSB permit 128.0.0.0/2 ge 17

This one is interesting…let’s break it down in pieces. It’s permitting 128.0.0.0 /2, and
the ge operator says the subnet mask should be /17 or larger. 128.0.0.0 is the start
of the class B range, and the /2 says that we have to check the first two bits.
128.0.0.0 /2 covers the entire class B network range. This prefix-list will permit any
subnet in the class B network range that has a subnet mask of /17 or larger.

R1(config)#ip prefix-list ALL permit 0.0.0.0/0 le 32

I showed you this one before…this one says permit 0.0.0.0 /0, which covers the
entire network range. We have a le 32 operator that says the subnet mask should be
/32 or smaller. What does this mean? It means it matches ALL networks!

R1(config)#ip prefix-list DEFAULTROUTE permit 0.0.0.0/0

We don’t have any ge or le operators, and this prefix-list shows 0.0.0.0 /0. It’s only
permitting the default route…

R1(config)#ip prefix-list CLASSA permit 0.0.0.0/1 le 27

Last one…promise! The network range to check is 0.0.0.0, and we have /1, which
means we are only checking the first bit. This effectively matches the whole class A
range.
We have a le operator with 27, which tells us the subnet mask should be /27 or
smaller. This prefix-list matches all subnets within the class A range with a subnet
mask of /27 or smaller.
 Configurations
Want to take a look for yourself? Here you will find the final configuration of each
device.

 R2

hostname R2

interface Loopback0

ip address 172.16.0.1 255.255.255.0

interface Loopback1

ip address 172.16.1.1 255.255.255.0

interface Loopback2

ip address 172.16.2.1 255.255.255.0

interface Loopback3

ip address 172.16.3.1 255.255.255.0

interface Loopback10

ip address 10.1.1.1 255.255.0.0

interface Loopback11

ip address 10.2.2.2 255.255.128.0


!

interface Loopback12

ip address 10.3.3.3 255.255.192.0

interface Loopback13

ip address 10.4.4.4 255.255.224.0

interface Loopback14

ip address 10.5.5.5 255.255.240.0

interface Loopback15

ip address 10.6.6.6 255.255.248.0

interface FastEthernet0/0

ip address 192.168.12.2 255.255.255.0

duplex auto

speed auto

media-type rj45

router eigrp 12

network 10.0.0.0

network 172.16.0.0 0.0.3.255


network 192.168.12.0

end

 R1

hostname R1

interface FastEthernet0/0

ip address 192.168.12.1 255.255.255.0

router eigrp 12

distribute-list prefix RENETEST3 in

network 192.168.12.0

ip prefix-list ALL seq 5 permit 0.0.0.0/0 le 32

ip prefix-list CLASSA seq 5 permit 0.0.0.0/1 le 27

ip prefix-list CLASSB seq 5 permit 128.0.0.0/2 ge 17

ip prefix-list DEFAULTROUTE seq 5 permit 0.0.0.0/0

!
ip prefix-list FILTERTHIS seq 5 deny 172.16.1.0/24

ip prefix-list FILTERTHIS seq 10 permit 0.0.0.0/0 le 32

ip prefix-list RENETEST seq 5 permit 10.0.0.0/8 le 19

ip prefix-list RENETEST2 seq 5 permit 10.0.0.0/8 ge 20

ip prefix-list RENETEST3 seq 5 permit 10.0.0.0/8 ge 16 le 18

end

I hope you now have a better understanding of prefix-lists. Don’t just read this
lesson and forget about it. It’s best to boot up your own routers and configure
some prefix-lists. If you have any more questions, please leave a comment!

EIGRP Route-Map Filtering


EIGRP supports filtering with access-lists and prefix-lists but you can also use route-
maps. In this lesson I’ll show you how to use a route-map to filter in- and outbound
route advertisements. We will use the following topology for this:
We only need two routers for this demonstration. R1 has some networks that it will
advertise to R2 through EIGRP. Here’s what the routing table of R2 looks like:

R2#show ip route eigrp

1.0.0.0/24 is subnetted, 1 subnets

D 1.1.1.0 [90/409600] via 192.168.12.1, 00:00:45, FastEthernet0/0

172.16.0.0/16 is variably subnetted, 4 subnets, 4 masks

D 172.16.0.0/24 [90/409600] via 192.168.12.1, 00:00:14, FastEthernet0/0

D 172.16.1.0/25 [90/409600] via 192.168.12.1, 00:00:08, FastEthernet0/0

D 172.16.2.0/26 [90/409600] via 192.168.12.1, 00:00:14, FastEthernet0/0

D 172.16.3.0/27 [90/409600] via 192.168.12.1, 00:00:13, FastEthernet0/0

D 192.168.1.0/24 [90/409600] via 192.168.12.1, 00:00:13, FastEthernet0/0

Above you see that R2 has learned all networks behind R1. Let’s start with something
simple…let’s say we want to configure R1 so that 192.168.1.0 /24 won’t be advertised
to R2. Here’s how we do this:

R1(config)#router eigrp 1

R1(config-router)#distribute-list ?
<1-199> IP access list number

<1300-2699> IP expanded access list number

WORD Access-list name

gateway Filtering incoming updates based on gateway

prefix Filter prefixes in routing updates

route-map Filter prefixes based on the route-map

We have to use the distribute-list command under the EIGRP process but as you can
see it supports a route-map. Let’s use that and give it a name:

R1(config-router)#distribute-list route-map FILTER_OUT ?

in Filter incoming routing updates

out Filter outgoing routing updates

I’ll call my route-map “FILTER_OUT” and we will choose outgoing updates:

R1(config-router)#distribute-list route-map FILTER_OUT out

Now we can create the route-map:

R1(config)#route-map FILTER_OUT ?

<0-65535> Sequence to insert to/delete from existing route-map entry

deny Route map denies set operations

permit Route map permits set operations

<cr>

We will start with a deny statement:


R1(config)#route-map FILTER_OUT deny 10

The route-map will require a match statement. There are a lot of things you can
select for the match statement:

R1(config-route-map)#match ?

as-path Match BGP AS path list

clns CLNS information

community Match BGP community list

extcommunity Match BGP/VPN extended community list

interface Match first hop interface of route

ip IP specific information

ipv6 IPv6 specific information

length Packet length

local-preference Local preference for route

metric Match metric of route

mpls-label Match routes which have MPLS labels

nlri BGP NLRI type

policy-list Match IP policy list

route-type Match route-type of route

source-protocol Match source-protocol of route

tag Match tag of route

Not all of these options are possible when you use the route-map for filtering. Let's
start with a simple example and look at the IP options:

R1(config-route-map)#match ip address ?

<1-199> IP access-list number

<1300-2699> IP access-list number (expanded range)

WORD IP access-list name

prefix-list Match entries of prefix-lists

<cr>

Here we can use an access-list or prefix-list. Let’s try the access-list:

R1(config-route-map)#match ip address NET_192

Don’t forget to create the actual access-list:

R1(config)#ip access-list standard NET_192

R1(config-std-nacl)#permit 192.168.1.0 0.0.0.255

The route-map is almost complete. We have a deny statement that matches
everything in our access-list. There's one problem though, our route-map doesn't
have any permit statements. If we don't add one then everything will be blocked.
Let's add it:

R1(config)#route-map FILTER_OUT permit 20

R1(config-route-map)#exit

This permit statement doesn’t require any matches. Let me show you an overview of
our configuration so far:

R1#show running-config | section eigrp

router eigrp 1

network 0.0.0.0
distribute-list route-map FILTER_OUT out FastEthernet0/0

no auto-summary

R1#show route-map

route-map FILTER_OUT, deny, sequence 10

Match clauses:

ip address (access-lists): NET_192

Set clauses:

Policy routing matches: 0 packets, 0 bytes

route-map FILTER_OUT, permit, sequence 20

Match clauses:

Set clauses:

Policy routing matches: 0 packets, 0 bytes

Above you can see that the route-map is attached to the distribute-list command in
EIGRP. Our route-map will deny everything that matches our access-list while
everything else is permitted. Let’s take a look at R2 to see if this works:

R2#show ip route eigrp

1.0.0.0/24 is subnetted, 1 subnets

D 1.1.1.0 [90/409600] via 192.168.12.1, 00:01:01, FastEthernet0/0

172.16.0.0/16 is variably subnetted, 4 subnets, 4 masks

D 172.16.0.0/24 [90/409600] via 192.168.12.1, 00:01:01, FastEthernet0/0

D 172.16.1.0/25 [90/409600] via 192.168.12.1, 00:01:01, FastEthernet0/0

D 172.16.2.0/26 [90/409600] via 192.168.12.1, 00:01:01, FastEthernet0/0

D 172.16.3.0/27 [90/409600] via 192.168.12.1, 00:01:01, FastEthernet0/0

That’s looking good, everything is in the routing table except 192.168.1.0 /24. Now
you might be thinking that this was a lot of work just to filter one network…

You are right, this was a lot of work. The power of using a route-map for filtering is
that we can use multiple statements and use a mix of filtering techniques.

For example, let's say that we also want to deny all prefixes in the 172.16.0.0 /16
range that use a /26 or smaller subnet (a prefix length of /26 or more). We can do
this by creating a prefix-list and attaching it to our route-map:

R1(config)#route-map FILTER_OUT deny 20

R1(config-route-map)#match ip address prefix-list SMALL_PREFIXES

R1(config)#ip prefix-list SMALL_PREFIXES permit 172.16.0.0/16 ge 26

R1(config)#route-map FILTER_OUT permit 30

Above I changed route-map entry 20 to a deny statement that checks for our prefix-
list called “SMALL_PREFIXES”. The last permit statement (sequence number 30)
doesn’t have any match statements and is required to permit all other route
advertisements. Here’s what the complete route-map looks like:

R1#show route-map

route-map FILTER_OUT, deny, sequence 10

Match clauses:

ip address (access-lists): NET_192


Set clauses:

Policy routing matches: 0 packets, 0 bytes

route-map FILTER_OUT, deny, sequence 20

Match clauses:

ip address prefix-lists: SMALL_PREFIXES

Set clauses:

Policy routing matches: 0 packets, 0 bytes

route-map FILTER_OUT, permit, sequence 30

Match clauses:

Set clauses:

Policy routing matches: 0 packets, 0 bytes

Our first sequence number (10) is used to filter with an access-list, the second one
(20) uses our prefix-list and the last one (30) permits everything else. Let’s check the
result of R2:

R2#show ip route eigrp

1.0.0.0/24 is subnetted, 1 subnets

D 1.1.1.0 [90/409600] via 192.168.12.1, 00:38:18, FastEthernet0/0

172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks

D 172.16.0.0/24 [90/409600] via 192.168.12.1, 00:38:18, FastEthernet0/0

D 172.16.1.0/25 [90/409600] via 192.168.12.1, 00:38:18, FastEthernet0/0

Great, as you can see network 172.16.2.0 /26 and 172.16.3.0 /27 are gone fishing,
they have been filtered because of the prefix-list. I think this example should give
you a good idea about the flexibility of a route-map, you can use a variety of filtering
techniques.

Let's try one more thing…we can also use a route-map for inbound filtering. Let's
filter network 1.1.1.0 /24 on R2. To keep things interesting, I'll use the route-map in
a different way:

R2(config)#ip access-list standard NET_1

R2(config-std-nacl)#deny 1.1.1.0 0.0.0.255

R2(config-std-nacl)#permit any

First we create an access-list. This access-list denies 1.1.1.0 /24 and permits
everything else. Now we create the route-map:

R2(config)#route-map FILTER_IN permit 10

R2(config-route-map)#match ip address NET_1

This route-map has only one permit statement. Everything that matches our access-
list will be permitted. Let’s attach it to EIGRP:

R2(config)#router eigrp 1

R2(config-router)#distribute-list route-map FILTER_IN in

Now we can check the routing table of R2:

R2#show ip route eigrp

172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks

D 172.16.0.0/24 [90/409600] via 192.168.12.1, 00:56:08, FastEthernet0/0

D 172.16.1.0/25 [90/409600] via 192.168.12.1, 00:56:08, FastEthernet0/0

As you can see 1.1.1.0 /24 is not in the routing table anymore.
 Configurations
 R1

hostname R1

interface Loopback0

ip address 1.1.1.1 255.255.255.0

interface Loopback1

ip address 172.16.0.1 255.255.255.0

interface Loopback2

ip address 172.16.1.1 255.255.255.128

interface Loopback3

ip address 172.16.2.1 255.255.255.192

interface Loopback4

ip address 172.16.3.1 255.255.255.224

interface Loopback5

ip address 192.168.1.1 255.255.255.0

!
interface FastEthernet0/0

ip address 192.168.12.1 255.255.255.0

router eigrp 1

distribute-list route-map FILTER_OUT out

network 1.0.0.0

network 172.16.0.0 0.0.3.255

network 192.168.1.0

network 192.168.12.0

ip access-list standard NET_192

permit 192.168.1.0 0.0.0.255

ip prefix-list SMALL_PREFIXES seq 5 permit 172.16.0.0/16 ge 26

route-map FILTER_OUT deny 10

match ip address NET_192

route-map FILTER_OUT deny 20

match ip address prefix-list SMALL_PREFIXES

route-map FILTER_OUT permit 30


!

end

 R2

hostname R2

interface FastEthernet0/0

ip address 192.168.12.2 255.255.255.0

router eigrp 1

distribute-list route-map FILTER_IN in

network 192.168.12.0

ip access-list standard NET_1

deny 1.1.1.0 0.0.0.255

permit any

route-map FILTER_IN permit 10

match ip address NET_1

end
That’s all there is to it. I hope these examples have been useful to understand EIGRP
filtering with a route-map. If you have any questions, feel free to leave a comment.
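To make the three filter types from the distribute-list, prefix-list and route-map lessons above concrete, here is an added Python model (my own example, not code from these lessons or from Cisco IOS) that evaluates a standard ACL with a wildcard mask, a prefix-list entry with ge/le, and an ordered route-map, then replays the page's own filters (access-list 1, RENETEST, RENETEST2, RENETEST3 and FILTER_OUT) against the routes R2 and R1 advertise. The route lists are copied from the routing tables shown above; everything else is assumed.

```python
"""Toy model of three IOS route filters: standard ACL, prefix-list (ge/le), route-map."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional


def _net(route: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(route, strict=False)


@dataclass
class AclEntry:
    action: str                        # "permit" or "deny"
    addr: str = "0.0.0.0"              # the defaults model "permit any" / "deny any"
    wildcard: str = "255.255.255.255"


def acl_permits(entries: List[AclEntry], route: str) -> bool:
    """Standard ACL as used by 'distribute-list <acl> in|out': only the network
    address of the route is compared; wildcard bits set to 1 are 'don't care'."""
    net = int(_net(route).network_address)
    for e in entries:
        care = 0xFFFFFFFF ^ int(ipaddress.ip_address(e.wildcard))
        if net & care == int(ipaddress.ip_address(e.addr)) & care:
            return e.action == "permit"
    return False                        # implicit deny at the end of every ACL


@dataclass
class PrefixEntry:
    action: str
    prefix: str                        # e.g. "10.0.0.0/8"
    ge: Optional[int] = None
    le: Optional[int] = None


def prefix_entry_matches(e: PrefixEntry, route: str) -> bool:
    """IOS semantics: the first L bits of the route must equal <prefix>/L and the
    route's own length must lie in [ge, le]. Without ge/le the length must be
    exactly L; 'ge X' alone means X..32; 'le Y' alone means L..Y."""
    base, r = _net(e.prefix), _net(route)
    if r.prefixlen < base.prefixlen:
        return False
    if int(r.network_address) & int(base.netmask) != int(base.network_address):
        return False
    low = e.ge if e.ge is not None else base.prefixlen
    high = e.le if e.le is not None else (32 if e.ge is not None else base.prefixlen)
    return low <= r.prefixlen <= high


def prefix_list_permits(entries: List[PrefixEntry], route: str) -> bool:
    for e in entries:                  # first matching sequence number decides
        if prefix_entry_matches(e, route):
            return e.action == "permit"
    return False                        # implicit deny


@dataclass
class RouteMapSeq:
    action: str
    match_acl: Optional[List[AclEntry]] = None
    match_prefix_list: Optional[List[PrefixEntry]] = None


def route_map_permits(seqs: List[RouteMapSeq], route: str) -> bool:
    """A sequence with no match clause matches everything; the first matching
    sequence's permit/deny is final; falling off the end is a deny."""
    for s in seqs:
        matched = True
        if s.match_acl is not None:
            matched = acl_permits(s.match_acl, route)
        if s.match_prefix_list is not None:
            matched = matched and prefix_list_permits(s.match_prefix_list, route)
        if matched:
            return s.action == "permit"
    return False


def apply_filter(routes: List[str], permits: Callable[[str], bool]) -> List[str]:
    """Routes that survive an inbound or outbound distribute-list."""
    return [r for r in routes if permits(r)]


# Routes R2 advertises in the prefix-list lesson (copied from R1's routing table).
R2_ROUTES = ["172.16.0.0/24", "172.16.1.0/24", "172.16.2.0/24", "172.16.3.0/24",
             "10.1.0.0/16", "10.2.0.0/17", "10.3.0.0/18", "10.4.0.0/19",
             "10.5.0.0/20", "10.6.0.0/21"]
ACL_1 = [AclEntry("deny", "172.16.1.0", "0.0.0.255"), AclEntry("permit")]
RENETEST = [PrefixEntry("permit", "10.0.0.0/8", le=19)]
RENETEST2 = [PrefixEntry("permit", "10.0.0.0/8", ge=20)]
RENETEST3 = [PrefixEntry("permit", "10.0.0.0/8", ge=16, le=18)]

# Routes R1 advertises in the route-map lesson, and the FILTER_OUT route-map.
R1_ROUTES = ["1.1.1.0/24", "172.16.0.0/24", "172.16.1.0/25", "172.16.2.0/26",
             "172.16.3.0/27", "192.168.1.0/24"]
NET_192 = [AclEntry("permit", "192.168.1.0", "0.0.0.255")]
SMALL_PREFIXES = [PrefixEntry("permit", "172.16.0.0/16", ge=26)]
FILTER_OUT = [RouteMapSeq("deny", match_acl=NET_192),                 # sequence 10
              RouteMapSeq("deny", match_prefix_list=SMALL_PREFIXES),  # sequence 20
              RouteMapSeq("permit")]                                  # sequence 30

if __name__ == "__main__":
    for name, pl in ("RENETEST", RENETEST), ("RENETEST2", RENETEST2), ("RENETEST3", RENETEST3):
        print(name, apply_filter(R2_ROUTES, lambda r: prefix_list_permits(pl, r)))
    print("FILTER_OUT", apply_filter(R1_ROUTES, lambda r: route_map_permits(FILTER_OUT, r)))
```

The three prefix-list runs reproduce the 4, 2 and 3 surviving 10.0.0.0/8 routes shown in the lesson, and FILTER_OUT leaves exactly 1.1.1.0/24, 172.16.0.0/24 and 172.16.1.0/25.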

OSPF Distribute-List Filtering


OSPF supports a number of methods to filter routes but it is more restrictive
compared to distance vector routing protocols like RIP or EIGRP.

As a link-state routing protocol, OSPF uses LSAs to build its LSDB (Link State
Database). Routers run the SPF algorithm to find the shortest path to each
destination, so the topology in the LSDB has to be the same on all routers or SPF will
fail.

However OSPF routers only know what the topology looks like within the area. They
don’t know what the topology looks like for other areas. For inter-area routes OSPF
only knows the prefix and the ABR (Area Border Router) to reach it.

You could say that OSPF acts like a distance vector routing protocol for inter-area
routes. It only knows the metric (distance) and the ABR to get there (vector).

Unlike RIP or EIGRP, OSPF doesn’t advertise routes but LSAs so if we want to filter
something we’ll have to filter the advertisement of LSAs.

Since the LSDB within the area has to be the same, we can't filter LSAs within the
area. We can, however, filter routes from entering the routing table. Filtering LSAs
between areas on an ABR or ASBR is no problem.

In this lesson I’ll show you how we can filter routes from entering the routing table
within the area. In other lessons I will explain how to filter type 3 LSAs and type 5
LSAs.

Here’s the topology I will use:


Nothing fancy, we have three routers running OSPF in the same area. R1 has a
loopback interface that is advertised in OSPF, we’ll see if we can filter this network.

Configuration
Here’s the OSPF configuration:

R1#show running-config | section ospf

router ospf 1

network 1.1.1.0 0.0.0.255 area 0

network 192.168.12.0 0.0.0.255 area 0

R2#show running-config | section ospf

router ospf 1

network 192.168.12.0 0.0.0.255 area 0

network 192.168.23.0 0.0.0.255 area 0

R3#show running-config | section ospf

router ospf 1

network 192.168.23.0 0.0.0.255 area 0


Let’s verify if R2 and R3 have learned 1.1.1.1 /32:

R2#show ip route ospf

1.0.0.0/32 is subnetted, 1 subnets

O 1.1.1.1 [110/2] via 192.168.12.1, 00:00:27, FastEthernet0/0

R3#show ip route ospf

1.0.0.0/32 is subnetted, 1 subnets

O 1.1.1.1 [110/3] via 192.168.23.2, 00:00:28, FastEthernet0/0

O 192.168.12.0/24 [110/2] via 192.168.23.2, 00:00:28, FastEthernet0/0

Let’s see if we can get rid of this network on R3:

R3(config)#router ospf 1

R3(config-router)#distribute-list ?

<1-199> IP access list number

<1300-2699> IP expanded access list number

WORD Access-list name

gateway Filtering incoming updates based on gateway

prefix Filter prefixes in routing updates

route-map Filter prefixes based on the route-map

We can use a distribute-list for this. To keep it simple, I'll combine it with an
access-list:

R3(config-router)#distribute-list R1_L0 in

When we want to remove something from the routing table we have to apply it
inbound. The outbound distribute-list is used for LSA type 5 filtering.

Let’s create that access-list:

R3(config)#ip access-list standard R1_L0

R3(config-std-nacl)#deny host 1.1.1.1

R3(config-std-nacl)#permit any

It will now be gone from the routing table:

R3#show ip route 1.1.1.1

% Network not in table

As you can see it’s gone…it’s still in the LSDB though:

R3#show ip ospf database router 192.168.12.1

OSPF Router with ID (192.168.23.3) (Process ID 1)

Router Link States (Area 0)

LS age: 664

Options: (No TOS-capability, DC)

LS Type: Router Links

Link State ID: 192.168.12.1


Advertising Router: 192.168.12.1

LS Seq Number: 80000003

Checksum: 0xF14F

Length: 48

Number of Links: 2

Link connected to: a Stub Network

(Link ID) Network/subnet number: 1.1.1.1

(Link Data) Network Mask: 255.255.255.255

Number of MTID metrics: 0

TOS 0 Metrics: 1

Link connected to: a Transit Network

(Link ID) Designated Router address: 192.168.12.2

(Link Data) Router Interface address: 192.168.12.1

Number of MTID metrics: 0

TOS 0 Metrics: 1

You have to be very careful if you use this command. If you are not careful you can
end up in a scenario where you blackhole some traffic. For example, let’s see what
happens when I filter this network on R2 instead of R3. Let’s remove the distribute-
list on R3:

R3(config)#router ospf 1

R3(config-router)#no distribute-list R1_L0 in

Now I will add it to R2:

R2(config)#ip access-list standard R1_L0

R2(config-std-nacl)#deny host 1.1.1.1

R2(config-std-nacl)#permit any

R2(config)#router ospf 1

R2(config-router)#distribute-list R1_L0 in

R2 now no longer has it in its routing table:

R2#show ip route 1.1.1.1

% Network not in table

However, the LSA is still flooded to R3:

R3#show ip route ospf

1.0.0.0/32 is subnetted, 1 subnets

O 1.1.1.1 [110/3] via 192.168.23.2, 00:02:45, FastEthernet0/0

O 192.168.12.0/24 [110/2] via 192.168.23.2, 00:02:45, FastEthernet0/0

Once R3 tries to reach this network we will have a problem:

R3#ping 1.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

U.U.U

Success rate is 0 percent (0/5)

R3 will forward these packets to R2, which drops them.
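To make the blackhole concrete, here is a small Python model (added here; it is not part of the lesson and not Cisco IOS code) of the three-router topology above. It assumes one LSDB flooded to every router, an SPF run per router, and an inbound distribute-list that only stops installation into that router’s RIB; the routers, link costs and prefixes are constructed to match the lesson.

```python
import heapq

# Constructed model of this lesson's topology: R1 -- R2 -- R3 in one OSPF area.
# R1 originates loopback 1.1.1.1/32; every link and stub network has cost 1.
LINKS = {("R1", "R2"): 1, ("R2", "R3"): 1}
STUBS = {  # stub networks carried in each router's type 1 LSA
    "R1": ["1.1.1.1/32", "192.168.12.0/24"],
    "R2": ["192.168.12.0/24", "192.168.23.0/24"],
    "R3": ["192.168.23.0/24"],
}
STUB_COST = 1


def adjacency():
    adj = {router: {} for router in STUBS}
    for (a, b), cost in LINKS.items():
        adj[a][b] = cost
        adj[b][a] = cost
    return adj


def spf(root):
    """Dijkstra over the area-wide LSDB: {router: (cost, first hop from root)}."""
    adj = adjacency()
    best = {root: (0, None)}
    heap = [(0, root, None)]
    while heap:
        cost, node, first = heapq.heappop(heap)
        if cost > best[node][0]:
            continue
        for nbr, link_cost in adj[node].items():
            new_cost = cost + link_cost
            first_hop = nbr if node == root else first
            if nbr not in best or new_cost < best[nbr][0]:
                best[nbr] = (new_cost, first_hop)
                heapq.heappush(heap, (new_cost, nbr, first_hop))
    return best


def lsdb_prefixes():
    """Every stub prefix in the flooded LSDB. No distribute-list is consulted:
    the filter never touches the LSDB and never stops flooding."""
    return {p for prefixes in STUBS.values() for p in prefixes}


def rib(router, filters):
    """Routing table of `router`: best SPF route per prefix as (cost, next hop),
    minus the prefixes that router's own inbound distribute-list denies.
    filters maps router name -> list of denied prefixes (permit any otherwise)."""
    denied = set(filters.get(router, ()))
    table = {}
    for origin, (cost, first_hop) in spf(router).items():
        for prefix in STUBS[origin]:
            if origin == router:
                candidate = (0, "connected")
            else:
                candidate = (cost + STUB_COST, first_hop)
            if prefix not in table or candidate[0] < table[prefix][0]:
                table[prefix] = candidate
    return {p: r for p, r in table.items()
            if r[1] == "connected" or p not in denied}


def forward(src, prefix, filters, max_hops=8):
    """Hop-by-hop forwarding using each router's RIB. Returns where the packet
    ends up; a drop on a transit router is the 'U' (unreachable) in the lesson."""
    node = src
    for _ in range(max_hops):
        route = rib(node, filters).get(prefix)
        if route is None:
            return f"dropped at {node}"
        if route[1] == "connected":
            return f"delivered at {node}"
        node = route[1]
    return "loop"


if __name__ == "__main__":
    target = "1.1.1.1/32"
    print("no filter:     ", forward("R3", target, {}))
    print("filter on R3:  ", forward("R3", target, {"R3": [target]}))
    print("filter on R2:  ", forward("R3", target, {"R2": [target]}))
```

Filtering on the leaf (R3) makes the prefix locally unreachable; filtering on the transit router (R2) leaves R3 with a route pointing at R2, and R2 drops the packet.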

Configurations

Want to take a look for yourself? Here you will find the final configuration of each
device.

R1

hostname R1

ip cef

interface Loopback0

ip address 1.1.1.1 255.255.255.255

interface FastEthernet0/0

ip address 192.168.12.1 255.255.255.0

router ospf 1

network 1.1.1.0 0.0.0.255 area 0

network 192.168.12.0 0.0.0.255 area 0

end

R2

hostname R2

ip cef

interface FastEthernet0/0

ip address 192.168.12.2 255.255.255.0

interface FastEthernet1/0

ip address 192.168.23.2 255.255.255.0

router ospf 1

network 192.168.12.0 0.0.0.255 area 0

network 192.168.23.0 0.0.0.255 area 0

distribute-list R1_L0 in

ip access-list standard R1_L0

deny 1.1.1.1

permit any

end

R3

hostname R3

ip cef

interface FastEthernet0/0

ip address 192.168.23.3 255.255.255.0

router ospf 1

network 192.168.23.0 0.0.0.255 area 0

ip access-list standard R1_L0

deny 1.1.1.1

permit any

end

That’s all there is to it; you have now seen how you can filter routes within your OSPF
area. Make sure you also check my other two lessons on OSPF filtering:

 OSPF LSA type 3 filtering
 OSPF LSA type 5 filtering

If you have any questions, feel free to leave a comment!


OSPF ABR Type 3 LSA Filtering on Cisco IOS
Lesson Contents
 OSPF Area Configuration
 Inbound Area LSA Type 3 filtering
 Outbound Area LSA Type 3 filtering
OSPF uses LSA type 3 for inter-area prefixes and, if you want, you can filter these
between OSPF areas. Since you can only filter between areas, you’ll have to configure
this on the ABR. Filtering is possible inbound or outbound of an area using the
area filter-list command.

In this lesson I will demonstrate how you can use this command to filter LSA type 3
between different areas. This is the topology that I will be using:

R1, R2 and R3 are each located in the area matching their number and each has a loopback 0
interface. The prefix on this loopback will be advertised in OSPF. In the middle
you can see R4, which is the ABR for areas 1, 2 and 3. We’ll create some filters on R4 to
demonstrate the area filter-list command. Let me show you the OSPF configuration
first:

OSPF Area Configuration

I will show you all the network commands that I used so you can replicate this if you
want. R1, R2 and R3 are each in their own area and R4 is the ABR:

R1(config)#router ospf 1

R1(config-router)#network 1.1.1.1 0.0.0.0 area 1

R1(config-router)#network 192.168.14.0 0.0.0.255 area 1

R2(config)#router ospf 1

R2(config-router)#network 2.2.2.2 0.0.0.0 area 2

R2(config-router)#network 192.168.24.0 0.0.0.255 area 2

R3(config)#router ospf 1

R3(config-router)#network 3.3.3.3 0.0.0.0 area 3

R3(config-router)#network 192.168.34.0 0.0.0.255 area 3

R4(config)#router ospf 1

R4(config-router)#network 4.4.4.4 0.0.0.0 area 0

R4(config-router)#network 192.168.14.0 0.0.0.255 area 1

R4(config-router)#network 192.168.24.0 0.0.0.255 area 2

R4(config-router)#network 192.168.34.0 0.0.0.255 area 3

Before we continue it’s best to verify that we have working OSPF neighbor
adjacencies:

R4#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/BDR        00:00:33    192.168.14.1    FastEthernet0/0
2.2.2.2           1   FULL/BDR        00:00:39    192.168.24.2    FastEthernet0/1
3.3.3.3           1   FULL/BDR        00:00:39    192.168.34.3    FastEthernet1/0

The ABR has 3 working OSPF neighbor adjacencies. Now it’s time to create some
filters. We’ll start with inbound filtering.

Inbound Area LSA Type 3 filtering

I will start by filtering some prefixes that are headed towards area 3. The inbound
filter filters prefixes from all areas that are sent into one area. First we’ll take a look at
the routing table of R3 in area 3:

R3#show ip route ospf

1.0.0.0/32 is subnetted, 1 subnets

O IA 1.1.1.1 [110/3] via 192.168.34.4, 00:03:50, FastEthernet0/0

2.0.0.0/32 is subnetted, 1 subnets

O IA 2.2.2.2 [110/3] via 192.168.34.4, 00:03:50, FastEthernet0/0

O IA 192.168.14.0/24 [110/2] via 192.168.34.4, 00:03:50, FastEthernet0/0

4.0.0.0/32 is subnetted, 1 subnets

O IA 4.4.4.4 [110/2] via 192.168.34.4, 00:03:50, FastEthernet0/0

O IA 192.168.24.0/24 [110/2] via 192.168.34.4, 00:03:50, FastEthernet0/0

All prefixes that R3 has learned are inter-area prefixes (LSA Type 3). Let’s filter 2.2.2.2
/32 from entering area 3. First we’ll create a prefix-list:

R4(config)#ip prefix-list INTO-AREA3 deny 2.2.2.2/32

R4(config)#ip prefix-list INTO-AREA3 permit 0.0.0.0/0 le 32

This prefix-list will deny 2.2.2.2 /32 and allow all other prefixes. Now we have to
apply it to the area:

R4(config)#router ospf 1

R4(config-router)#area 3 filter-list prefix INTO-AREA3 in

If you want, you can verify that the area filter is active with the show ip ospf
command:

R4#show ip ospf 1 | begin Area 3

Area 3

Number of interfaces in this area is 1

Area has no authentication

SPF algorithm last executed 00:01:50.060 ago

SPF algorithm executed 3 times

Area ranges are

Area-filter INTO-AREA3 in

Number of LSA 5. Checksum Sum 0x03C737

Number of opaque link LSA 0. Checksum Sum 0x000000

Number of DCbitless LSA 0

Number of indication LSA 0

Number of DoNotAge LSA 0

Flood list length 0

Now take a look at the routing table of R3 again:

R3#show ip route ospf

1.0.0.0/32 is subnetted, 1 subnets

O IA 1.1.1.1 [110/3] via 192.168.34.4, 00:07:19, FastEthernet0/0

4.0.0.0/32 is subnetted, 1 subnets

O IA 4.4.4.4 [110/3] via 192.168.34.4, 00:07:19, FastEthernet0/0

O IA 192.168.14.0/24 [110/2] via 192.168.34.4, 00:07:19, FastEthernet0/0

O IA 192.168.24.0/24 [110/2] via 192.168.34.4, 00:07:19, FastEthernet0/0

Prefix 2.2.2.2 /32 is gone from the routing table as it has been filtered by the ABR
(R4). The nice thing about inbound filtering is that it doesn’t matter from which area
the prefix came: everything that goes into area 3 hits the prefix-list and is
filtered. I can demonstrate this by filtering something else, for example the
two prefixes 192.168.14.0 /24 (area 1) and 192.168.24.0 /24 (area 2). Let’s change our
prefix-list:

R4(config)#ip prefix-list INTO-AREA3 seq 6 deny 192.168.14.0/24

R4(config)#ip prefix-list INTO-AREA3 seq 7 deny 192.168.24.0/24

Now take a look again at the routing table of R3:

R3#show ip route ospf

1.0.0.0/32 is subnetted, 1 subnets

O IA 1.1.1.1 [110/3] via 192.168.34.4, 00:01:22, FastEthernet0/0

4.0.0.0/32 is subnetted, 1 subnets

O IA 4.4.4.4 [110/3] via 192.168.34.4, 00:01:22, FastEthernet0/0

The 192.168.14.0 /24 and 192.168.24.0 /24 prefixes are now gone from the routing
table. It doesn’t matter which area they come from.

Now you know how inbound filtering works, let’s take a look at outbound filtering.

Outbound Area LSA Type 3 filtering

The outbound filter lets us filter a prefix from one area to all other areas. Let’s see if we
can filter 3.3.3.3 /32 so that R1 and R2 won’t have it in their routing tables anymore.
First we’ll verify that they have learned this prefix:

R1#show ip route 3.3.3.3

Routing entry for 3.3.3.3/32

Known via "ospf 1", distance 110, metric 3, type inter area

Last update from 192.168.14.4 on FastEthernet0/0, 00:03:07 ago

Routing Descriptor Blocks:

* 192.168.14.4, from 4.4.4.4, 00:03:07 ago, via FastEthernet0/0

Route metric is 3, traffic share count is 1

R2#show ip route 3.3.3.3

Routing entry for 3.3.3.3/32

Known via "ospf 1", distance 110, metric 3, type inter area

Last update from 192.168.24.4 on FastEthernet0/0, 00:03:23 ago

Routing Descriptor Blocks:

* 192.168.24.4, from 4.4.4.4, 00:03:23 ago, via FastEthernet0/0

Route metric is 3, traffic share count is 1

R1 and R2 both know about the loopback interface of R3. Let’s create a prefix-list
that matches 3.3.3.3 /32:

R4(config)#ip prefix-list OUT-AREA3 deny 3.3.3.3/32

R4(config)#ip prefix-list OUT-AREA3 permit 0.0.0.0/0 le 32

We’ll deny 3.3.3.3 /32 and permit all other prefixes. Now activate it for area 3:

R4(config)#router ospf 1

R4(config-router)#area 3 filter-list prefix OUT-AREA3 out

This ensures that no other area learns about 3.3.3.3 /32 once it leaves area
3. R1 and R2 no longer know about this network:

R1#show ip route 3.3.3.3

% Network not in table

R2#show ip route 3.3.3.3

% Network not in table

So basically, this is how the area filter-list works:

 The inbound area filter-list filters prefixes from all areas that are sent into
one area.
 The outbound area filter-list filters prefixes from one area that are sent to all other
areas.
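The in/out semantics summarised above, as an added Python model that is not the lesson’s own code: a minimal IOS-style prefix-list evaluator plus an ABR that relays each area’s prefixes through the area filter-lists. The areas, prefixes and the two prefix-lists come from this lesson; relaying prefixes directly between any two areas (instead of via area 0) is a constructed simplification.

```python
import ipaddress

# Constructed model of this lesson: R4 is the ABR; each area's own prefixes are
# what R4 announces to the other areas as type 3 (summary) LSAs.
AREA_PREFIXES = {
    0: ["4.4.4.4/32"],
    1: ["1.1.1.1/32", "192.168.14.0/24"],
    2: ["2.2.2.2/32", "192.168.24.0/24"],
    3: ["3.3.3.3/32", "192.168.34.0/24"],
}


def prefix_list_permits(entries, prefix):
    """IOS prefix-list evaluation: first matching entry wins, implicit deny.
    Entries are (action, network, ge, le); with neither ge nor le the prefix
    length must equal the entry's length, 'le N' allows lengths up to N."""
    net = ipaddress.ip_network(prefix)
    for action, match, ge, le in entries:
        entry = ipaddress.ip_network(match)
        if ge is None and le is None:
            lo = hi = entry.prefixlen
        else:
            lo = ge if ge is not None else entry.prefixlen
            hi = le if le is not None else entry.max_prefixlen
        if net.subnet_of(entry) and lo <= net.prefixlen <= hi:
            return action == "permit"
    return False


def abr_type3(filters):
    """Type 3 prefixes each area receives from the ABR after area filter-lists.
    filters maps (area, 'in' | 'out') to prefix-list entries:
      'out' on area X filters what leaves X towards every other area,
      'in'  on area X filters what enters X from every other area.
    Simplification: prefixes are relayed between any two areas directly; a real
    ABR goes through area 0, but the in/out semantics are the same."""
    received = {}
    for dst in AREA_PREFIXES:
        kept = []
        for src, prefixes in AREA_PREFIXES.items():
            if src == dst:
                continue
            out_pl = filters.get((src, "out"))
            in_pl = filters.get((dst, "in"))
            for p in prefixes:
                if out_pl is not None and not prefix_list_permits(out_pl, p):
                    continue
                if in_pl is not None and not prefix_list_permits(in_pl, p):
                    continue
                kept.append(p)
        received[dst] = sorted(kept, key=ipaddress.ip_network)
    return received


# The lesson's two prefix-lists on R4.
INTO_AREA3 = [
    ("deny", "2.2.2.2/32", None, None),
    ("deny", "192.168.14.0/24", None, None),
    ("deny", "192.168.24.0/24", None, None),
    ("permit", "0.0.0.0/0", None, 32),
]
OUT_AREA3 = [
    ("deny", "3.3.3.3/32", None, None),
    ("permit", "0.0.0.0/0", None, 32),
]
R4_FILTERS = {(3, "in"): INTO_AREA3, (3, "out"): OUT_AREA3}

if __name__ == "__main__":
    for area, prefixes in abr_type3(R4_FILTERS).items():
        print(f"area {area} receives: {prefixes}")
```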

Configurations

R1

hostname R1

interface Loopback0

ip address 1.1.1.1 255.255.255.255

interface FastEthernet0/0

ip address 192.168.14.1 255.255.255.0

router ospf 1

network 1.1.1.1 0.0.0.0 area 1

network 192.168.14.0 0.0.0.255 area 1

end

R2

hostname R2

interface Loopback0

ip address 2.2.2.2 255.255.255.255

interface FastEthernet0/0

ip address 192.168.24.2 255.255.255.0

router ospf 1

network 2.2.2.2 0.0.0.0 area 2

network 192.168.24.0 0.0.0.255 area 2

end

R3

hostname R3

interface Loopback0

ip address 3.3.3.3 255.255.255.255

interface FastEthernet0/0

ip address 192.168.34.3 255.255.255.0

router ospf 1

network 3.3.3.3 0.0.0.0 area 3

network 192.168.34.0 0.0.0.255 area 3

end

R4

hostname R4

interface Loopback0

ip address 4.4.4.4 255.255.255.255

interface FastEthernet0/0

ip address 192.168.14.4 255.255.255.0

interface FastEthernet0/1

ip address 192.168.24.4 255.255.255.0

interface FastEthernet1/0

ip address 192.168.34.4 255.255.255.0

router ospf 1

area 3 filter-list prefix INTO-AREA3 in

area 3 filter-list prefix OUT-AREA3 out

network 4.4.4.4 0.0.0.0 area 0

network 192.168.14.0 0.0.0.255 area 1

network 192.168.24.0 0.0.0.255 area 2

network 192.168.34.0 0.0.0.255 area 3

ip prefix-list INTO-AREA3 seq 5 deny 2.2.2.2/32

ip prefix-list INTO-AREA3 seq 6 deny 192.168.14.0/24

ip prefix-list INTO-AREA3 seq 7 deny 192.168.24.0/24

ip prefix-list INTO-AREA3 seq 10 permit 0.0.0.0/0 le 32

ip prefix-list OUT-AREA3 seq 5 deny 3.3.3.3/32

ip prefix-list OUT-AREA3 seq 10 permit 0.0.0.0/0 le 32

end

I hope this has been useful for you to understand OSPF’s capability to filter LSA type
3 prefixes. If you have any questions feel free to leave a comment.

OSPF LSA Type 5 Filtering on Cisco IOS

Lesson Contents
 Configuration
o Distribute-list Filtering
o Redistribution with Route-Map
o Summary No-Advertise
 Conclusion
In previous lessons I explained how you can filter routes within the OSPF area and
how you can filter type 3 LSAs. This time we’ll take a look at how you can filter type 5
LSAs using three different methods.

Here’s the topology we will use for this:

Above we have three routers in two different areas. R1 has some loopback
interfaces that we will redistribute into OSPF. We’ll use these to play with some of
the filtering techniques.

Configuration
Here’s the OSPF configuration of all routers:

R1#show running-config | section ospf

router ospf 1

redistribute connected subnets

network 192.168.12.0 0.0.0.255 area 0

R2#show running-config | section ospf

router ospf 1

network 192.168.12.0 0.0.0.255 area 0

network 192.168.23.0 0.0.0.255 area 1

R3#show running-config | section ospf

router ospf 1

network 192.168.23.0 0.0.0.255 area 1

R1 is using the redistribute connected subnets command to get the networks on
the loopback interfaces into OSPF. Let’s see if R2 and R3 have these networks in their
routing tables:

R2#show ip route ospf

172.16.0.0/32 is subnetted, 4 subnets

O E2 172.16.0.1 [110/20] via 192.168.12.1, 00:00:03, FastEthernet0/0

O E2 172.16.1.1 [110/20] via 192.168.12.1, 00:00:03, FastEthernet0/0

O E2 172.16.2.1 [110/20] via 192.168.12.1, 00:00:03, FastEthernet0/0

O E2 172.16.3.1 [110/20] via 192.168.12.1, 00:00:03, FastEthernet0/0

R3#show ip route ospf

172.16.0.0/32 is subnetted, 4 subnets

O E2 172.16.0.1 [110/20] via 192.168.23.2, 00:00:07, FastEthernet0/0

O E2 172.16.1.1 [110/20] via 192.168.23.2, 00:00:07, FastEthernet0/0

O E2 172.16.2.1 [110/20] via 192.168.23.2, 00:00:07, FastEthernet0/0

O E2 172.16.3.1 [110/20] via 192.168.23.2, 00:00:07, FastEthernet0/0

O IA 192.168.12.0/24 [110/2] via 192.168.23.2, 00:04:25, FastEthernet0/0

Everything is there. Now let’s see if we can filter these…

Distribute-list Filtering

The first method is the distribute-list. We can use this on the ASBR to filter certain
networks from entering the area. Let’s configure one to get rid of 172.16.0.1 /32:

R1(config)#ip access-list standard R1_L0

R1(config-std-nacl)#deny host 172.16.0.1

R1(config-std-nacl)#permit any

R1(config)#router ospf 1

R1(config-router)#distribute-list R1_L0 out

We will use an outbound distribute-list with an access-list that matches the network
(host route). Let’s see if it works:

R2#show ip route ospf

172.16.0.0/32 is subnetted, 3 subnets

O E2 172.16.1.1 [110/20] via 192.168.12.1, 00:10:12, FastEthernet0/0

O E2 172.16.2.1 [110/20] via 192.168.12.1, 00:10:12, FastEthernet0/0

O E2 172.16.3.1 [110/20] via 192.168.12.1, 00:10:12, FastEthernet0/0

R3#show ip route ospf

172.16.0.0/32 is subnetted, 3 subnets

O E2 172.16.1.1 [110/20] via 192.168.23.2, 00:10:12, FastEthernet0/0

O E2 172.16.2.1 [110/20] via 192.168.23.2, 00:10:12, FastEthernet0/0

O E2 172.16.3.1 [110/20] via 192.168.23.2, 00:10:12, FastEthernet0/0

O IA 192.168.12.0/24 [110/2] via 192.168.23.2, 00:14:30, FastEthernet0/0

The entry has disappeared from the routing tables of R2 and R3.

Redistribution with Route-Map

The previous example works but there’s a better solution. Why not prevent certain
routes from being redistributed in the first place? Technically this isn’t “filtering” but
it works very well.

Let’s see what the current redistribute command looks like now:

R1#show running-config | include redistribute

redistribute connected subnets

We’ll create a route-map that denies 172.16.1.1 /32 from being redistributed while
we allow everything else. When it’s finished we’ll attach it to the redistribute
command above:

R1(config)#ip access-list standard R1_L1

R1(config-std-nacl)#permit host 172.16.1.1

R1(config)#route-map CONNECTED_TO_OSPF deny 10

R1(config-route-map)#match ip address R1_L1

R1(config)#route-map CONNECTED_TO_OSPF permit 20

R1(config)#router ospf 1

R1(config-router)#redistribute connected subnets route-map CONNECTED_TO_OSPF

The route-map above will deny 172.16.1.1 /32 and permits everything else. After
attaching it to the redistribute command you’ll see this on R2 and R3:

R2#show ip route ospf

172.16.0.0/32 is subnetted, 2 subnets

O E2 172.16.2.1 [110/20] via 192.168.12.1, 00:00:03, FastEthernet0/0

O E2 172.16.3.1 [110/20] via 192.168.12.1, 00:00:03, FastEthernet0/0

R3#show ip route ospf

172.16.0.0/32 is subnetted, 2 subnets

O E2 172.16.2.1 [110/20] via 192.168.23.2, 00:00:07, FastEthernet0/0

O E2 172.16.3.1 [110/20] via 192.168.23.2, 00:00:07, FastEthernet0/0

O IA 192.168.12.0/24 [110/2] via 192.168.23.2, 00:20:34, FastEthernet0/0

It’s gone from the routing table…mission accomplished! Let’s take a look at the final
method…

Summary No-Advertise

The last method to filter a type 5 LSA is a nice trick that you can do with the
summary-address command. Let me show you how to use this to filter 172.16.2.1 /32:

R1(config)#router ospf 1

R1(config-router)#summary-address 172.16.2.1 255.255.255.255 not-advertise

The trick is to add the not-advertise parameter to the summary-address command.
Whatever matches the summary route will no longer be advertised:

R2#show ip route ospf

172.16.0.0/32 is subnetted, 1 subnets

O E2 172.16.3.1 [110/20] via 192.168.12.1, 00:01:40, FastEthernet0/0

R3#show ip route ospf

172.16.0.0/32 is subnetted, 1 subnets

O E2 172.16.3.1 [110/20] via 192.168.23.2, 00:01:44, FastEthernet0/0

O IA 192.168.12.0/24 [110/2] via 192.168.23.2, 00:22:11, FastEthernet0/0

There we go, it’s gone from the routing tables!

Conclusion

You have now seen three different methods to get rid of type 5 LSAs.
Another method that prevents LSA type 5 from entering an area is using a stub
area.

Be careful which filtering technique you use if you learn this for a CCIE R&S lab. The
devil is in the details: the distribute-list actually filters the network, while the
route-map and summary-address prevent the router from advertising it in the first place.

Configurations

R1

hostname R1

ip cef

interface Loopback0

ip address 172.16.0.1 255.255.255.255

interface Loopback1

ip address 172.16.1.1 255.255.255.255

interface Loopback2

ip address 172.16.2.1 255.255.255.255

interface Loopback3

ip address 172.16.3.1 255.255.255.255

interface GigabitEthernet0/1

ip address 192.168.12.1 255.255.255.0

router ospf 1

summary-address 172.16.2.1 255.255.255.255 not-advertise

redistribute connected subnets route-map CONNECTED_TO_OSPF

network 192.168.12.0 0.0.0.255 area 0

distribute-list R1_L0 out

ip access-list standard R1_L0

deny 172.16.0.1

permit any

ip access-list standard R1_L1

permit 172.16.1.1

route-map CONNECTED_TO_OSPF deny 10

match ip address R1_L1

route-map CONNECTED_TO_OSPF permit 20

end

R2

hostname R2

ip cef

interface GigabitEthernet0/1

ip address 192.168.12.2 255.255.255.0

interface GigabitEthernet0/2

ip address 192.168.23.2 255.255.255.0

router ospf 1

network 192.168.12.0 0.0.0.255 area 0

network 192.168.23.0 0.0.0.255 area 1

end

R3

hostname R3

ip cef

interface GigabitEthernet0/1

ip address 192.168.23.3 255.255.255.0

router ospf 1

network 192.168.23.0 0.0.0.255 area 1

end

I hope this has been useful, if you have any questions just leave a comment!

BGP Extended Access-List Filtering

Lesson Contents
 Configuration
o Filter specific prefixes
o Filter all 192.168.x.0 networks with a /24 prefix length
o Filter all 10.x.x.0 networks with a /24 prefix length
o Filter all 10.x.x.x networks with a /25 prefix length
o Filter all 192.168.7.x networks with any prefix length
o Filter anything with a /24 to /32 prefix length
o Filter anything with a /26 to /32 prefix length
o Filter 172.16.x.x networks with a /27 to /32 prefix length
 Conclusion
Nowadays we use prefix-lists to filter BGP prefixes. Prefix-lists are very convenient
since they allow you to specify a network address with a specific prefix length or a
range of prefix lengths. Back in the day, before prefix-lists existed on Cisco IOS, you
had to use extended access-lists for this.

You really don’t want to use these anymore since the prefix-list does the same
thing and the configuration is much easier. However, when you face a CCIE lab, a
task might require you to filter certain prefixes without being allowed to use the
prefix-list. The extended access-list will be your only option then…

Having said that, let’s take a look at how extended access-list filtering works. The
“behavior” of the extended access-list is different compared to when you use it for
filtering IP packets.

When you use IP as the protocol, here’s what the extended access-list normally looks
like:

access-list <number> permit ip <source> <source-wildcard> <destination> <destination-wildcard>

Above you see the source address with the source wildcard bits and the destination
address with destination wildcard bits. Now forget what you have seen above; this is
how the extended access-list works for BGP filtering:

access-list <number> permit ip <network> <network-wildcard> <subnet-mask> <mask-wildcard>

Let me explain these fields:

 The first field is for the network address, for example 10.0.0.0.
 The second field is used to define what part of the network address to check.
For example, when we specify 10.0.0.0 then we use wildcard bits to tell the
router if we want to look for 10.0.0.0, 10.0.0.x, 10.0.x.x or 10.x.x.x.
 The subnet mask and its wildcard bits are used to define the prefix length, we
can use this to tell the router to look for /24, /25, /26 or a range like /24 to /32.

Using the extended access-list for BGP filtering is something that is best explained
with some examples. I’ll use two routers and some prefixes and we’ll walk through
some different filtering examples.

Configuration
I will use the following two routers for this:

R2 has a bunch of loopback interfaces with different networks, we’ll use these to
play with filtering.

Here’s what R2 advertises to R1:

R2#show ip bgp neighbors 192.168.12.1 advertised-routes

BGP table version is 35, local router ID is 192.168.7.25

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external, f RT-Filter

Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path

*> 10.0.0.0/24 0.0.0.0 0 32768 i

*> 10.1.0.0/24 0.0.0.0 0 32768 i

*> 10.2.0.0/24 0.0.0.0 0 32768 i

*> 10.3.0.0/25 0.0.0.0 0 32768 i

*> 10.3.0.128/25 0.0.0.0 0 32768 i

*> 10.4.0.0/25 0.0.0.0 0 32768 i

*> 10.4.0.128/25 0.0.0.0 0 32768 i

*> 10.5.0.0/26 0.0.0.0 0 32768 i

*> 10.6.0.0/27 0.0.0.0 0 32768 i

*> 10.7.0.0/28 0.0.0.0 0 32768 i

*> 10.8.1.0/24 0.0.0.0 0 32768 i

*> 10.8.2.0/24 0.0.0.0 0 32768 i

*> 20.0.0.0 0.0.0.0 0 32768 i

*> 30.0.0.0 0.0.0.0 0 32768 i

*> 172.16.0.0/24 0.0.0.0 0 32768 i

*> 172.16.1.0/24 0.0.0.0 0 32768 i

*> 172.16.2.0/25 0.0.0.0 0 32768 i

*> 172.16.3.0/25 0.0.0.0 0 32768 i

*> 172.16.4.0/26 0.0.0.0 0 32768 i

*> 172.16.5.0/27 0.0.0.0 0 32768 i

*> 172.16.6.0/28 0.0.0.0 0 32768 i

*> 172.16.7.0/29 0.0.0.0 0 32768 i

*> 192.168.0.0 0.0.0.0 0 32768 i

*> 192.168.1.0 0.0.0.0 0 32768 i

*> 192.168.2.0/25 0.0.0.0 0 32768 i

*> 192.168.3.0/25 0.0.0.0 0 32768 i

*> 192.168.4.0/26 0.0.0.0 0 32768 i

*> 192.168.5.0/27 0.0.0.0 0 32768 i

*> 192.168.6.0/28 0.0.0.0 0 32768 i

*> 192.168.7.0/29 0.0.0.0 0 32768 i

*> 192.168.7.8/29 0.0.0.0 0 32768 i

*> 192.168.7.16/29 0.0.0.0 0 32768 i

*> 192.168.7.24/30 0.0.0.0 0 32768 i

*> 192.168.12.0 0.0.0.0 0 32768 i

Total number of prefixes 34

Let’s start with some simple examples…

Filter specific prefixes

Let’s say that we want to filter some specific prefixes, let’s pick:

 20.0.0.0 /8
 172.16.0.0 /24
 192.168.1.0 /24

Here’s what the access-list will look like:

R1(config)#access-list 100 permit ip 20.0.0.0 0.0.0.0 255.0.0.0 0.0.0.0

R1(config)#access-list 100 permit ip 172.16.0.0 0.0.0.0 255.255.255.0 0.0.0.0

R1(config)#access-list 100 permit ip 192.168.1.0 0.0.0.0 255.255.255.0 0.0.0.0

R1(config)#router bgp 1

R1(config-router)#distribute-list 100 in

R1#clear ip bgp *

Before we check the result, let me explain the access-list:

 In the first entry we want an exact match for “20.0.0.0” so we use network
20.0.0.0 with wildcard 0.0.0.0. The prefix-length has to be exactly /8 so we use
subnet mask 255.0.0.0 with wildcard 0.0.0.0.
 In the second entry we want an exact match for “172.16.0.0” so we use
network 172.16.0.0 with wildcard 0.0.0.0. The prefix-length has to be
exactly /24 so we use subnet mask 255.255.255.0 with wildcard 0.0.0.0.
 In the last entry we want an exact match for “192.168.1.0” so we use network
192.168.1.0 with wildcard 0.0.0.0. The prefix-length has to be exactly /24 so
we use subnet mask 255.255.255.0 with wildcard 0.0.0.0.

Let’s see what we get:

R1#show ip bgp

BGP table version is 4, local router ID is 192.168.12.1

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external, f RT-Filter

Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path

r> 20.0.0.0 192.168.12.2 0 0 2 i

r> 172.16.0.0/24 192.168.12.2 0 0 2 i

r> 192.168.1.0 192.168.12.2 0 0 2 i

Great, we only see our three specific prefixes.

In my BGP table, you can see R1 is unable to install these prefixes because of a RIB
failure. This seems to occur because the router refuses to use the next hop IP
address unless you permit it. I couldn’t find anything about this in the Cisco
documentation, but you can solve it by adding this statement to access-list
100: permit ip host 192.168.12.2 any

One little “extra” that the access-list offers us that the prefix-list doesn’t is that it
shows matches:

R1#show access-lists 100

Extended IP access list 100

10 permit ip host 20.0.0.0 host 255.0.0.0 (2 matches)

20 permit ip host 172.16.0.0 host 255.255.255.0 (1 match)

30 permit ip host 192.168.1.0 host 255.255.255.0 (2 matches)

Let’s try something else now!

Filter all 192.168.x.0 networks with a /24 prefix length

Let’s say that we want to filter all networks in the 192.168.x.0 range that have a /24
prefix length. R2 is currently advertising these networks:

R2#show ip bgp neighbors 192.168.12.1 advertised-routes | include 192.168.

BGP table version is 36, local router ID is 192.168.7.17

*> 192.168.0.0 0.0.0.0 0 32768 i

*> 192.168.1.0 0.0.0.0 0 32768 i

*> 192.168.2.0/25 0.0.0.0 0 32768 i

*> 192.168.3.0/25 0.0.0.0 0 32768 i

*> 192.168.4.0/26 0.0.0.0 0 32768 i

*> 192.168.5.0/27 0.0.0.0 0 32768 i

*> 192.168.6.0/28 0.0.0.0 0 32768 i

*> 192.168.7.0/29 0.0.0.0 0 32768 i

*> 192.168.7.8/29 0.0.0.0 0 32768 i

*> 192.168.7.16/29 0.0.0.0 0 32768 i

*> 192.168.7.24/30 0.0.0.0 0 32768 i

*> 192.168.12.0 0.0.0.0 0 32768 i

We only want to see 192.168.0.0 /24, 192.168.1.0 /24 and 192.168.12.0 /24 on R1.
Here’s the access-list we will create:

R1(config)#access-list 101 permit ip 192.168.0.0 0.0.255.0 255.255.255.0 0.0.0.0

R1(config)#router bgp 1

R1(config-router)#distribute-list 101 in

R1#clear ip bgp *

Let me explain the access-list:

 The network address we want to check is 192.168.0.0.
 The wildcard is 0.0.255.0 which means the 1st, 2nd and 4th octet have to
match. We don’t care about the 3rd octet.
 The subnet mask is 255.255.255.0 and this has to match exactly which is why
we use a 0.0.0.0 wildcard.

Here’s the result:

R1#show ip bgp

BGP table version is 4, local router ID is 192.168.12.1

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external, f RT-Filter

Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path

r> 192.168.0.0 192.168.12.2 0 0 2 i

r> 192.168.1.0 192.168.12.2 0 0 2 i

r> 192.168.12.0 192.168.12.2 0 0 2 i

Great, these are the only 192.168.x.0 /24 networks that we have. Time for the next
example…

Filter all 10.x.x.0 networks with a /24 prefix length

This one is similar to the previous example but this time we check the 10.x.x.0 range.
Here are the networks that R2 is advertising:

R2#show ip bgp neighbors 192.168.12.1 advertised-routes | include 10.

*> 10.0.0.0/24 0.0.0.0 0 32768 i

*> 10.1.0.0/24 0.0.0.0 0 32768 i

*> 10.2.0.0/24 0.0.0.0 0 32768 i

*> 10.3.0.0/25 0.0.0.0 0 32768 i

*> 10.3.0.128/25 0.0.0.0 0 32768 i

*> 10.4.0.0/25 0.0.0.0 0 32768 i

*> 10.4.0.128/25 0.0.0.0 0 32768 i

*> 10.5.0.0/26 0.0.0.0 0 32768 i

*> 10.6.0.0/27 0.0.0.0 0 32768 i

*> 10.7.0.0/28 0.0.0.0 0 32768 i

*> 10.8.1.0/24 0.0.0.0 0 32768 i

*> 10.8.2.0/24 0.0.0.0 0 32768 i

Let’s build an access-list:

R1(config)#access-list 102 permit ip 10.0.0.0 0.255.255.0 255.255.255.0 0.0.0.0

R1(config)#router bgp 1

R1(config-router)#distribute-list 102 in

R1#clear ip bgp *

Let me explain the access-list:

 The network we want to check is 10.0.0.0 but we only care about the 1st and
4th octet; the 2nd and 3rd octet can be anything, so we use wildcard
0.255.255.0.
 We want all networks with a /24 prefix length so we use 255.255.255.0 as the
subnet mask. This has to be an exact match so we use 0.0.0.0 as the wildcard.

Here’s what we get:

R1#show ip bgp

BGP table version is 6, local router ID is 192.168.12.1

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external, f RT-Filter

Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path

r> 10.0.0.0/24 192.168.12.2 0 0 2 i

r> 10.1.0.0/24 192.168.12.2 0 0 2 i

r> 10.2.0.0/24 192.168.12.2 0 0 2 i

r> 10.8.1.0/24 192.168.12.2 0 0 2 i

r> 10.8.2.0/24 192.168.12.2 0 0 2 i

Great, these are all networks in the 10.x.x.0 range with a /24 prefix length. Let’s try
something else…

Filter all 10.x.x.x networks with a /25 prefix length

This time I want to see all networks in the 10.x.x.x range with a /25 prefix length.
Here are all 10.x.x.x networks that R2 is advertising again:

R2#show ip bgp neighbors 192.168.12.1 advertised-routes | include 10.

*> 10.0.0.0/24 0.0.0.0 0 32768 i

*> 10.1.0.0/24 0.0.0.0 0 32768 i

*> 10.2.0.0/24 0.0.0.0 0 32768 i

*> 10.3.0.0/25 0.0.0.0 0 32768 i

*> 10.3.0.128/25 0.0.0.0 0 32768 i

*> 10.4.0.0/25 0.0.0.0 0 32768 i

*> 10.4.0.128/25 0.0.0.0 0 32768 i

*> 10.5.0.0/26 0.0.0.0 0 32768 i

*> 10.6.0.0/27 0.0.0.0 0 32768 i

*> 10.7.0.0/28 0.0.0.0 0 32768 i

*> 10.8.1.0/24 0.0.0.0 0 32768 i

*> 10.8.2.0/24 0.0.0.0 0 32768 i

Here’s the access-list:

R1(config)#access-list 103 permit ip 10.0.0.0 0.255.255.255 255.255.255.128 0.0.0.0

R1(config)#router bgp 1

R1(config-router)#distribute-list 103 in

R1#clear ip bgp *

Let me explain the access-list:

 We want to check the 10.0.0.0 network but we don’t care about the 2nd, 3rd
or 4th octet. That’s why we use a 0.255.255.255 wildcard.
 The subnet mask is 255.255.255.128 which equals /25. It has to be an exact
match so we use wildcard 0.0.0.0.

Here’s what you will find:

R1#show ip bgp

BGP table version is 5, local router ID is 192.168.12.1

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external, f RT-Filter

Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path

r> 10.3.0.0/25 192.168.12.2 0 0 2 i

r> 10.3.0.128/25 192.168.12.2 0 0 2 i

r> 10.4.0.0/25 192.168.12.2 0 0 2 i

r> 10.4.0.128/25 192.168.12.2 0 0 2 i

Excellent, these are all 10.x.x.x networks with a /25 prefix length.

Filter all 192.168.7.x networks with any prefix length

This example will be a bit different. This time I want to filter all networks that start
with 192.168.7.x but I don’t care about the prefix length. We are talking about the
following prefixes:

R2#show ip bgp neighbors 192.168.12.1 advertised-routes | include 192.168.7

BGP table version is 36, local router ID is 192.168.7.17

*> 192.168.7.0/29 0.0.0.0 0 32768 i


*> 192.168.7.8/29 0.0.0.0 0 32768 i

*> 192.168.7.16/29 0.0.0.0 0 32768 i

*> 192.168.7.24/30 0.0.0.0 0 32768 i

Here’s the access-list:

R1(config)#access-list 104 permit ip 192.168.7.0 0.0.0.255 255.255.255.0 0.0.0.255

R1(config)#router bgp 1

R1(config-router)#distribute-list 104 in

R1#clear ip bgp *

Let me walk you through the access-list:

 We are looking for network 192.168.7.0 but we only want to check the first
three octets, that’s why we use wildcard 0.0.0.255.
 We don’t care about the exact prefix length. It has to be at least a /24 since we
are looking at the 192.168.7.x range, but a /25, /26, etc. is fine too. This is why
we use subnet mask 255.255.255.0 with wildcard 0.0.0.255: the 4th octet of the
subnet mask can be anything, so every prefix length from /24 to /32 matches.

Here’s the result:

R1#show ip bgp

BGP table version is 5, local router ID is 192.168.12.1

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, x best-external, f RT-Filter

Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path

r> 192.168.7.0/29 192.168.12.2 0 0 2 i

r> 192.168.7.8/29 192.168.12.2 0 0 2 i

r> 192.168.7.16/29 192.168.12.2 0 0 2 i

r> 192.168.7.24/30 192.168.12.2 0 0 2 i

R1 will only have these networks in its BGP table now, everything else will be filtered.

Filter anything with a /24 to /32 prefix length


Time for something different, we don’t care about the network address but we only
want to see networks with a prefix length between /24 and /32. Let’s take a look
again what R2 is advertising to us:

R2#show ip bgp neighbors 192.168.12.1 advertised-routes

BGP table version is 35, local router ID is 192.168.7.25

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, x best-external, f RT-Filter

Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path

*> 10.0.0.0/24 0.0.0.0 0 32768 i

*> 10.1.0.0/24 0.0.0.0 0 32768 i

*> 10.2.0.0/24 0.0.0.0 0 32768 i


*> 10.3.0.0/25 0.0.0.0 0 32768 i

*> 10.3.0.128/25 0.0.0.0 0 32768 i

*> 10.4.0.0/25 0.0.0.0 0 32768 i

*> 10.4.0.128/25 0.0.0.0 0 32768 i

*> 10.5.0.0/26 0.0.0.0 0 32768 i

*> 10.6.0.0/27 0.0.0.0 0 32768 i

*> 10.7.0.0/28 0.0.0.0 0 32768 i

*> 10.8.1.0/24 0.0.0.0 0 32768 i

*> 10.8.2.0/24 0.0.0.0 0 32768 i

*> 20.0.0.0 0.0.0.0 0 32768 i

*> 30.0.0.0 0.0.0.0 0 32768 i

*> 172.16.0.0/24 0.0.0.0 0 32768 i

Network Next Hop Metric LocPrf Weight Path

*> 172.16.1.0/24 0.0.0.0 0 32768 i

*> 172.16.2.0/25 0.0.0.0 0 32768 i

*> 172.16.3.0/25 0.0.0.0 0 32768 i

*> 172.16.4.0/26 0.0.0.0 0 32768 i

*> 172.16.5.0/27 0.0.0.0 0 32768 i

*> 172.16.6.0/28 0.0.0.0 0 32768 i

*> 172.16.7.0/29 0.0.0.0 0 32768 i

*> 192.168.0.0 0.0.0.0 0 32768 i

*> 192.168.1.0 0.0.0.0 0 32768 i


*> 192.168.2.0/25 0.0.0.0 0 32768 i

*> 192.168.3.0/25 0.0.0.0 0 32768 i

*> 192.168.4.0/26 0.0.0.0 0 32768 i

*> 192.168.5.0/27 0.0.0.0 0 32768 i

*> 192.168.6.0/28 0.0.0.0 0 32768 i

*> 192.168.7.0/29 0.0.0.0 0 32768 i

*> 192.168.7.8/29 0.0.0.0 0 32768 i

*> 192.168.7.16/29 0.0.0.0 0 32768 i

*> 192.168.7.24/30 0.0.0.0 0 32768 i

*> 192.168.12.0 0.0.0.0 0 32768 i

Total number of prefixes 34

We have a big list of prefixes, most of them with a prefix length of /24 or longer. The
exceptions are 20.0.0.0 /8 and 30.0.0.0 /8, which should be gone once we create
this filter. Time to find out:

R1(config)#access-list 105 permit ip 0.0.0.0 255.255.255.255 255.255.255.0 0.0.0.255

R1(config)#router bgp 1

R1(config-router)#distribute-list 105 in

R1#clear ip bgp *

Here’s how the access-list works:


 We don’t care about the network so the network address is 0.0.0.0 with
wildcard 255.255.255.255.
 We want all prefixes with a prefix length of at least /24, that’s why we pick a
subnet mask of 255.255.255.0 and a wildcard of 0.0.0.255. This means we
don’t care about the 4th octet so it will match everything from /24 to /32.

Let’s find out if it works:

R1#show ip bgp

BGP table version is 33, local router ID is 192.168.12.1

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, x best-external, f RT-Filter

Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path

r> 10.0.0.0/24 192.168.12.2 0 0 2 i

r> 10.1.0.0/24 192.168.12.2 0 0 2 i

r> 10.2.0.0/24 192.168.12.2 0 0 2 i

r> 10.3.0.0/25 192.168.12.2 0 0 2 i

r> 10.3.0.128/25 192.168.12.2 0 0 2 i

r> 10.4.0.0/25 192.168.12.2 0 0 2 i

r> 10.4.0.128/25 192.168.12.2 0 0 2 i

r> 10.5.0.0/26 192.168.12.2 0 0 2 i

r> 10.6.0.0/27 192.168.12.2 0 0 2 i

r> 10.7.0.0/28 192.168.12.2 0 0 2 i


r> 10.8.1.0/24 192.168.12.2 0 0 2 i

r> 10.8.2.0/24 192.168.12.2 0 0 2 i

r> 172.16.0.0/24 192.168.12.2 0 0 2 i

r> 172.16.1.0/24 192.168.12.2 0 0 2 i

r> 172.16.2.0/25 192.168.12.2 0 0 2 i

r> 172.16.3.0/25 192.168.12.2 0 0 2 i

r> 172.16.4.0/26 192.168.12.2 0 0 2 i

r> 172.16.5.0/27 192.168.12.2 0 0 2 i

r> 172.16.6.0/28 192.168.12.2 0 0 2 i

r> 172.16.7.0/29 192.168.12.2 0 0 2 i

r> 192.168.0.0 192.168.12.2 0 0 2 i

r> 192.168.1.0 192.168.12.2 0 0 2 i

r> 192.168.2.0/25 192.168.12.2 0 0 2 i

r> 192.168.3.0/25 192.168.12.2 0 0 2 i

r> 192.168.4.0/26 192.168.12.2 0 0 2 i

r> 192.168.5.0/27 192.168.12.2 0 0 2 i

r> 192.168.6.0/28 192.168.12.2 0 0 2 i

r> 192.168.7.0/29 192.168.12.2 0 0 2 i

r> 192.168.7.8/29 192.168.12.2 0 0 2 i

r> 192.168.7.16/29 192.168.12.2 0 0 2 i

r> 192.168.7.24/30 192.168.12.2 0 0 2 i

r> 192.168.12.0 192.168.12.2 0 0 2 i


Our 20.0.0.0 /8 and 30.0.0.0 /8 prefixes are now gone from the BGP table, everything
you see above has at least a /24 prefix length.

Filter anything with a /26 to /32 prefix length


This example is exactly the same as the previous example but this time the prefix
length has to be at least a /26. Here’s the list with advertised prefixes from R2 again:

R2#show ip bgp neighbors 192.168.12.1 advertised-routes

BGP table version is 35, local router ID is 192.168.7.25

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, x best-external, f RT-Filter

Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path

*> 10.0.0.0/24 0.0.0.0 0 32768 i

*> 10.1.0.0/24 0.0.0.0 0 32768 i

*> 10.2.0.0/24 0.0.0.0 0 32768 i

*> 10.3.0.0/25 0.0.0.0 0 32768 i

*> 10.3.0.128/25 0.0.0.0 0 32768 i

*> 10.4.0.0/25 0.0.0.0 0 32768 i

*> 10.4.0.128/25 0.0.0.0 0 32768 i

*> 10.5.0.0/26 0.0.0.0 0 32768 i

*> 10.6.0.0/27 0.0.0.0 0 32768 i

*> 10.7.0.0/28 0.0.0.0 0 32768 i

*> 10.8.1.0/24 0.0.0.0 0 32768 i


*> 10.8.2.0/24 0.0.0.0 0 32768 i

*> 20.0.0.0 0.0.0.0 0 32768 i

*> 30.0.0.0 0.0.0.0 0 32768 i

*> 172.16.0.0/24 0.0.0.0 0 32768 i

*> 172.16.1.0/24 0.0.0.0 0 32768 i

*> 172.16.2.0/25 0.0.0.0 0 32768 i

*> 172.16.3.0/25 0.0.0.0 0 32768 i

*> 172.16.4.0/26 0.0.0.0 0 32768 i

*> 172.16.5.0/27 0.0.0.0 0 32768 i

*> 172.16.6.0/28 0.0.0.0 0 32768 i

*> 172.16.7.0/29 0.0.0.0 0 32768 i

*> 192.168.0.0 0.0.0.0 0 32768 i

*> 192.168.1.0 0.0.0.0 0 32768 i

*> 192.168.2.0/25 0.0.0.0 0 32768 i

*> 192.168.3.0/25 0.0.0.0 0 32768 i

*> 192.168.4.0/26 0.0.0.0 0 32768 i

*> 192.168.5.0/27 0.0.0.0 0 32768 i

*> 192.168.6.0/28 0.0.0.0 0 32768 i

*> 192.168.7.0/29 0.0.0.0 0 32768 i

*> 192.168.7.8/29 0.0.0.0 0 32768 i

*> 192.168.7.16/29 0.0.0.0 0 32768 i

*> 192.168.7.24/30 0.0.0.0 0 32768 i


*> 192.168.12.0 0.0.0.0 0 32768 i

Total number of prefixes 34

Time to clean up that BGP table. Here’s the access-list we need:

R1(config)#access-list 106 permit ip 0.0.0.0 255.255.255.255 255.255.255.192 0.0.0.63

R1(config)#router bgp 1

R1(config-router)#distribute-list 106 in

R1#clear ip bgp *

Here’s how the access-list works:

 We don’t care about the network address so we use 0.0.0.0 as the network
address with wildcard 255.255.255.255.
 The prefix length has to be at least /26, that’s a 255.255.255.192 subnet mask.
 We want to match all prefixes from /26 to /32, so we use wildcard 0.0.0.63. The
zero bits in the wildcard tell the router that the first three octets and the first two
bits of the fourth octet of the subnet mask have to match; the last six bits are
“don’t care” bits. This will match subnet mask 255.255.255.192, 255.255.255.224,
255.255.255.240, 255.255.255.248, 255.255.255.252, 255.255.255.254 and
255.255.255.255 (everything from /26 to /32).

Here’s the end result:

R1#show ip bgp

BGP table version is 15, local router ID is 192.168.12.1

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, x best-external, f RT-Filter

Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path

r> 10.5.0.0/26 192.168.12.2 0 0 2 i

r> 10.6.0.0/27 192.168.12.2 0 0 2 i

r> 10.7.0.0/28 192.168.12.2 0 0 2 i

r> 172.16.4.0/26 192.168.12.2 0 0 2 i

r> 172.16.5.0/27 192.168.12.2 0 0 2 i

r> 172.16.6.0/28 192.168.12.2 0 0 2 i

r> 172.16.7.0/29 192.168.12.2 0 0 2 i

r> 192.168.4.0/26 192.168.12.2 0 0 2 i

r> 192.168.5.0/27 192.168.12.2 0 0 2 i

r> 192.168.6.0/28 192.168.12.2 0 0 2 i

r> 192.168.7.0/29 192.168.12.2 0 0 2 i

r> 192.168.7.8/29 192.168.12.2 0 0 2 i

r> 192.168.7.16/29 192.168.12.2 0 0 2 i

r> 192.168.7.24/30 192.168.12.2 0 0 2 i

Above you can see that all prefixes with a prefix length shorter than /26 have disappeared.

Filter 172.16.x.x networks with a /27 to /32 prefix length


This example is similar to the previous one, except that this time we also check a
specific network range. Here are all networks in the 172.16.x.x range that R2 offers
us:

R2#show ip bgp neighbors 192.168.12.1 advertised-routes | include 172.16.

*> 172.16.0.0/24 0.0.0.0 0 32768 i

*> 172.16.1.0/24 0.0.0.0 0 32768 i

*> 172.16.2.0/25 0.0.0.0 0 32768 i

*> 172.16.3.0/25 0.0.0.0 0 32768 i

*> 172.16.4.0/26 0.0.0.0 0 32768 i

*> 172.16.5.0/27 0.0.0.0 0 32768 i

*> 172.16.6.0/28 0.0.0.0 0 32768 i

*> 172.16.7.0/29 0.0.0.0 0 32768 i

Let’s see if we can filter these…

R1(config)#access-list 107 permit ip 172.16.0.0 0.0.255.255 255.255.255.224 0.0.0.31

R1(config)#router bgp 1

R1(config-router)#distribute-list 107 in

R1#clear ip bgp *

Here’s how the access-list works:

 We want to check network 172.16.0.0 but we don’t care about the 3rd or 4th
octet so we use wildcard 0.0.255.255.
 The prefix length should be at least /27 so we use a subnet mask of
255.255.255.224.
 We want to match all subnet masks from /27 to /32, so we use a wildcard of
0.0.0.31. The first three octets and the first three bits of the fourth octet of the
subnet mask have to match; the last five bits of the 4th octet are “don’t care” bits.
This will allow subnet mask 255.255.255.224, 255.255.255.240,
255.255.255.248, 255.255.255.252, 255.255.255.254 and 255.255.255.255.

Here’s the end result:

R1#show ip bgp

BGP table version is 4, local router ID is 192.168.12.1

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, x best-external, f RT-Filter

Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path

r> 172.16.5.0/27 192.168.12.2 0 0 2 i

r> 172.16.6.0/28 192.168.12.2 0 0 2 i

r> 172.16.7.0/29 192.168.12.2 0 0 2 i

Great, we only have the 172.16.x.x networks with a /27 prefix length or longer left.
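To check what each of these access-lists really matches, here is a small Python model of the matching logic (an added example, not configuration from this lesson). It treats the ACL source field as the route’s network address and the destination field as its subnet mask, the way IOS does for a BGP distribute-list, and runs access-lists 103 to 107 against the 34 prefixes R2 advertises.

```python
"""Model of how Cisco IOS evaluates an extended access-list used as a BGP
distribute-list: the ACL source field is compared with the route's network
address and the destination field with its subnet mask.
Constructed example, not configuration from the lesson."""
from typing import List, NamedTuple


class AclEntry(NamedTuple):
    action: str            # "permit" or "deny"
    network: str           # source field: the route's network address
    network_wildcard: str
    mask: str              # destination field: the route's subnet mask
    mask_wildcard: str


def ip_to_int(dotted: str) -> int:
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def plen_to_mask(plen: int) -> int:
    """/26 -> 0xFFFFFFC0, i.e. 255.255.255.192."""
    return (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF if plen else 0


def wildcard_match(value: int, pattern: int, wildcard: int) -> bool:
    """Wildcard semantics: a 0 bit must match the pattern, a 1 bit is 'don't care'."""
    return ((value ^ pattern) & ~wildcard & 0xFFFFFFFF) == 0


def entry_matches(e: AclEntry, prefix: str) -> bool:
    net, plen = prefix.split("/")
    net_ok = wildcard_match(ip_to_int(net), ip_to_int(e.network),
                            ip_to_int(e.network_wildcard))
    mask_ok = wildcard_match(plen_to_mask(int(plen)), ip_to_int(e.mask),
                             ip_to_int(e.mask_wildcard))
    return net_ok and mask_ok


def prefix_lengths_matched(mask: str, mask_wildcard: str) -> List[int]:
    """Which prefix lengths the mask/wildcard pair of an entry accepts."""
    return [p for p in range(33)
            if wildcard_match(plen_to_mask(p), ip_to_int(mask), ip_to_int(mask_wildcard))]


def distribute_list(acl: List[AclEntry], prefixes: List[str]) -> List[str]:
    """Prefixes that survive the ACL: first matching line wins, implicit deny at the end."""
    kept = []
    for p in prefixes:
        for e in acl:
            if entry_matches(e, p):
                if e.action == "permit":
                    kept.append(p)
                break
    return kept


# R2's 34 advertised prefixes from the lesson (classful entries written as /8 and /24).
R2_ADVERTISED = [
    "10.0.0.0/24", "10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/25", "10.3.0.128/25",
    "10.4.0.0/25", "10.4.0.128/25", "10.5.0.0/26", "10.6.0.0/27", "10.7.0.0/28",
    "10.8.1.0/24", "10.8.2.0/24", "20.0.0.0/8", "30.0.0.0/8",
    "172.16.0.0/24", "172.16.1.0/24", "172.16.2.0/25", "172.16.3.0/25",
    "172.16.4.0/26", "172.16.5.0/27", "172.16.6.0/28", "172.16.7.0/29",
    "192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/25", "192.168.3.0/25",
    "192.168.4.0/26", "192.168.5.0/27", "192.168.6.0/28", "192.168.7.0/29",
    "192.168.7.8/29", "192.168.7.16/29", "192.168.7.24/30", "192.168.12.0/24",
]

# Access-lists 103 to 107 as typed on R1 in the lesson.
ACLS = {
    103: [AclEntry("permit", "10.0.0.0", "0.255.255.255", "255.255.255.128", "0.0.0.0")],
    104: [AclEntry("permit", "192.168.7.0", "0.0.0.255", "255.255.255.0", "0.0.0.255")],
    105: [AclEntry("permit", "0.0.0.0", "255.255.255.255", "255.255.255.0", "0.0.0.255")],
    106: [AclEntry("permit", "0.0.0.0", "255.255.255.255", "255.255.255.192", "0.0.0.63")],
    107: [AclEntry("permit", "172.16.0.0", "0.0.255.255", "255.255.255.224", "0.0.0.31")],
}

if __name__ == "__main__":
    for number, acl in ACLS.items():
        kept = distribute_list(acl, R2_ADVERTISED)
        lengths = prefix_lengths_matched(acl[0].mask, acl[0].mask_wildcard)
        print(f"access-list {number}: matches /{lengths[0]} to /{lengths[-1]}, "
              f"keeps {len(kept)} of {len(R2_ADVERTISED)} prefixes: {kept}")
```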

Conclusion
You have now seen quite a few examples of how you can use BGP filtering with
extended access-lists. This can be pretty annoying and it’s much easier to use prefix-
lists instead. However, if you are not allowed to use them, you now know how to
filter with extended access-lists.

 Configurations
 R1
hostname R1

interface FastEthernet0/0

ip address 192.168.12.1 255.255.255.0

duplex auto

speed auto

router bgp 1

bgp log-neighbor-changes

neighbor 192.168.12.2 remote-as 2

distribute-list 107 in

access-list 100 permit ip host 20.0.0.0 host 255.0.0.0

access-list 100 permit ip host 172.16.0.0 host 255.255.255.0

access-list 100 permit ip host 192.168.1.0 host 255.255.255.0

access-list 101 permit ip 192.168.0.0 0.0.255.0 host 255.255.255.0

access-list 102 permit ip 10.0.0.0 0.255.255.0 host 255.255.255.0

access-list 103 permit ip 10.0.0.0 0.255.255.255 host 255.255.255.128

access-list 104 permit ip 192.168.7.0 0.0.0.255 255.255.255.0 0.0.0.255

access-list 105 permit ip any 255.255.255.0 0.0.0.255

access-list 106 permit ip any 255.255.255.192 0.0.0.63

access-list 107 permit ip 172.16.0.0 0.0.255.255 255.255.255.224 0.0.0.31
!

end

 R2

hostname R2

interface Loopback0

ip address 10.0.0.1 255.255.255.0

interface Loopback1

ip address 10.1.0.1 255.255.255.0

interface Loopback2

ip address 10.2.0.1 255.255.255.0

interface Loopback3

ip address 10.3.0.1 255.255.255.128

interface Loopback4

ip address 10.3.0.129 255.255.255.128

interface Loopback5
ip address 10.4.0.1 255.255.255.128

interface Loopback6

ip address 10.4.0.129 255.255.255.128

interface Loopback7

ip address 10.5.0.1 255.255.255.192

interface Loopback8

ip address 10.6.0.1 255.255.255.224

interface Loopback9

ip address 10.7.0.1 255.255.255.240

interface Loopback10

ip address 10.8.1.1 255.255.255.0

interface Loopback11

ip address 10.8.2.1 255.255.255.0

interface Loopback12

ip address 20.0.0.1 255.0.0.0


!

interface Loopback13

ip address 30.0.0.1 255.0.0.0

interface Loopback14

ip address 172.16.0.1 255.255.255.0

interface Loopback15

ip address 172.16.1.1 255.255.255.0

interface Loopback16

ip address 172.16.2.1 255.255.255.128

interface Loopback17

ip address 172.16.3.1 255.255.255.128

interface Loopback18

ip address 172.16.4.1 255.255.255.192

interface Loopback19

ip address 172.16.5.1 255.255.255.224

!
interface Loopback20

ip address 172.16.6.1 255.255.255.240

interface Loopback21

ip address 172.16.7.1 255.255.255.248

interface Loopback22

ip address 192.168.0.1 255.255.255.0

interface Loopback23

ip address 192.168.1.1 255.255.255.0

interface Loopback24

ip address 192.168.2.1 255.255.255.128

interface Loopback25

ip address 192.168.3.1 255.255.255.128

interface Loopback26

ip address 192.168.4.1 255.255.255.192

interface Loopback27
ip address 192.168.5.1 255.255.255.224

interface Loopback28

ip address 192.168.6.1 255.255.255.240

interface Loopback29

ip address 192.168.7.1 255.255.255.248

interface Loopback30

ip address 192.168.7.9 255.255.255.248

interface Loopback31

ip address 192.168.7.17 255.255.255.248

interface Loopback32

ip address 192.168.7.25 255.255.255.252

interface FastEthernet0/0

ip address 192.168.12.2 255.255.255.0

duplex auto

speed auto

!
router bgp 2

bgp log-neighbor-changes

network 10.0.0.0 mask 255.255.255.0

network 10.1.0.0 mask 255.255.255.0

network 10.2.0.0 mask 255.255.255.0

network 10.3.0.0 mask 255.255.255.128

network 10.3.0.128 mask 255.255.255.128

network 10.4.0.0 mask 255.255.255.128

network 10.4.0.128 mask 255.255.255.128

network 10.5.0.0 mask 255.255.255.192

network 10.6.0.0 mask 255.255.255.224

network 10.7.0.0 mask 255.255.255.240

network 10.8.0.0 mask 255.255.255.224

network 10.8.1.0 mask 255.255.255.0

network 10.8.2.0 mask 255.255.255.0

network 20.0.0.0

network 30.0.0.0

network 172.16.0.0 mask 255.255.255.0

network 172.16.1.0 mask 255.255.255.0

network 172.16.2.0 mask 255.255.255.128

network 172.16.3.0 mask 255.255.255.128

network 172.16.4.0 mask 255.255.255.192


network 172.16.5.0 mask 255.255.255.224

network 172.16.6.0 mask 255.255.255.240

network 172.16.7.0 mask 255.255.255.248

network 192.168.0.0

network 192.168.1.0

network 192.168.2.0 mask 255.255.255.128

network 192.168.3.0 mask 255.255.255.128

network 192.168.4.0 mask 255.255.255.192

network 192.168.5.0 mask 255.255.255.224

network 192.168.6.0 mask 255.255.255.240

network 192.168.7.0 mask 255.255.255.248

network 192.168.7.8 mask 255.255.255.248

network 192.168.7.16 mask 255.255.255.248

network 192.168.7.24 mask 255.255.255.252

network 192.168.12.0

neighbor 192.168.12.1 remote-as 1

end

Want to take a look for yourself? Here you will find the final configuration of each
device.

If you have any questions, feel free to leave a comment!


BGP IPv6 Route Filtering on Cisco IOS
Lesson Contents
 Configuration
o Prefix-List Filtering
o Filter-List Filtering
o Route-Map Filtering
 Order of Operation
Filtering IPv6 routes in BGP is similar to IPv4 filtering. There are 3 methods we can
use:

 Prefix-list
 Filter-list
 Route-map

Each of these can be applied inbound or outbound. I’ll explain how you can use them
for filtering. This is the topology I will use:

R1 and R2 are using IPv6 addresses and will use MP-BGP so that R1 can advertise
some prefixes on its loopback interfaces. All loopback prefixes are /64 subnets, except
loopback3 which has a /96 subnet.

Configuration
Let’s start with a basic MP-BGP configuration so that R1 and R2 become eBGP
neighbors:

R1 & R2(config)#ipv6 unicast-routing

R1(config)#router bgp 1

R1(config-router)#bgp router-id 1.1.1.1

R1(config-router)#neighbor 2001:db8:0:12::2 remote-as 2

R1(config-router)#address-family ipv6

R1(config-router-af)#neighbor 2001:db8:0:12::2 activate

R1(config-router-af)#network 2001:db8:0:1::/64

R1(config-router-af)#network 2001:db8:0:11::/64

R1(config-router-af)#network 2001:db8:0:111::/64

R1(config-router-af)#network 2001:db8:0:1111::/96

R2(config)#router bgp 2

R2(config-router)#bgp router-id 2.2.2.2

R2(config-router)#neighbor 2001:db8:0:12::1 remote-as 1

R2(config-router)#address-family ipv6

R2(config-router-af)#neighbor 2001:db8:0:12::1 activate

Let’s check if R2 has learned all prefixes:


R2#show ipv6 route bgp | begin 2001

B 2001:DB8:0:1::/64 [20/0]

via FE80::21D:A1FF:FE8B:36D0, FastEthernet0/0

B 2001:DB8:0:11::/64 [20/0]

via FE80::21D:A1FF:FE8B:36D0, FastEthernet0/0

B 2001:DB8:0:111::/64 [20/0]

via FE80::21D:A1FF:FE8B:36D0, FastEthernet0/0

B 2001:DB8:0:1111::/96 [20/0]

via FE80::21D:A1FF:FE8B:36D0, FastEthernet0/0

There we go, everything is in the routing table. Now we can play with some of the
filtering options…

Prefix-List Filtering
Let’s start with the prefix-list. R1 is advertising one /96 subnet. Let’s see if we can
configure R2 to filter this network:

R2(config)#ipv6 prefix-list SMALL_NETWORKS permit 2001::/16 le 64

This prefix-list checks the entire 2001::/16 range and permits prefixes with a prefix
length of /64 or less, so a /64 or a larger subnet passes. Anything more specific, such
as our /96, will be denied. Let’s activate it:

R2(config)#router bgp 2

R2(config-router)#address-family ipv6

R2(config-router-af)#neighbor 2001:db8:0:12::1 prefix-list SMALL_NETWORKS in

We activate the prefix-list inbound on R2 for everything that we receive from R1.
Let’s reset BGP to speed things up:
R2#clear ip bgp *

Let’s check R2 to see if our prefix is gone:

R2#show ipv6 route bgp | begin 2001

B 2001:DB8:0:1::/64 [20/0]

via FE80::21D:A1FF:FE8B:36D0, FastEthernet0/0

B 2001:DB8:0:11::/64 [20/0]

via FE80::21D:A1FF:FE8B:36D0, FastEthernet0/0

B 2001:DB8:0:111::/64 [20/0]

via FE80::21D:A1FF:FE8B:36D0, FastEthernet0/0

Great, it has been filtered successfully!

Filter-List Filtering
Let’s try the filter-list. We can use this to filter prefixes from certain autonomous
systems. Everything that R1 is advertising only has AS 1 in the AS path, so I’ll configure
AS path prepending to give us something to play with:

R1(config)#ipv6 prefix-list FIRST_LOOPBACK permit 2001:db8:0:1::/64

R1(config)#route-map PREPEND permit 10

R1(config-route-map)#match ipv6 address prefix-list FIRST_LOOPBACK

R1(config-route-map)#set as-path prepend 11

R1(config)#route-map PREPEND permit 20

R1(config)#router bgp 1
R1(config-router)#address-family ipv6

R1(config-router-af)#neighbor 2001:db8:0:12::2 route-map PREPEND out

The above configuration will make sure that whenever R1 advertises
2001:db8:0:1::/64 it will add AS 11 to the AS path. Let’s verify this:

R2#show ip bgp all

For address family: IPv4 Unicast

For address family: IPv6 Unicast

BGP table version is 4, local router ID is 2.2.2.2

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, x best-external, f RT-Filter

Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path

*> 2001:DB8:0:1::/64

2001:DB8:0:12::1

0 0 1 11 i

*> 2001:DB8:0:11::/64

2001:DB8:0:12::1
0 0 1 i

*> 2001:DB8:0:111::/64

2001:DB8:0:12::1

0 0 1 i

For address family: IPv4 Multicast

Above you can see that 2001:DB8:0:1::/64 now has AS 11 in its AS path. Let’s
configure a filter-list on R2 to get rid of this network:

R2(config)#ip as-path access-list 11 permit ^1$

R2(config)#router bgp 2

R2(config-router)#address-family ipv6

R2(config-router-af)#neighbor 2001:db8:0:12::1 filter-list 11 in

R2#clear ip bgp *

The as-path access-list above only permits prefixes whose AS path is exactly AS 1
(regular expression ^1$), nothing else. We attach it inbound to everything we receive
from R1. This is the result:

R2#show ipv6 route bgp | begin 2001

B 2001:DB8:0:11::/64 [20/0]

via FE80::21D:A1FF:FE8B:36D0, FastEthernet0/0

B 2001:DB8:0:111::/64 [20/0]

via FE80::21D:A1FF:FE8B:36D0, FastEthernet0/0


It’s gone from the routing table, mission accomplished.

Route-Map Filtering
Route-maps are really useful and can be used to match on many different things. I’ll
use an IPv6 access-list in a route-map to filter 2001:DB8:0:11::/64:

R2(config)#ipv6 access-list THIRD_LOOPBACK

R2(config-ipv6-acl)#permit 2001:db8:0:11::/64 any

R2(config)#route-map MY_FILTER deny 10

R2(config-route-map)#match ipv6 address THIRD_LOOPBACK

R2(config-route-map)#exit

R2(config)#route-map MY_FILTER permit 20

R2(config)#router bgp 2

R2(config-router)#address-family ipv6

R2(config-router-af)#neighbor 2001:db8:0:12::1 route-map MY_FILTER in

R2#clear ip bgp *

The configuration above has an access-list called “THIRD_LOOPBACK” that matches
2001:DB8:0:11::/64 and is denied in the route-map called “MY_FILTER”. Last but not
least, we apply it inbound on R2. Here’s the result:

R2#show ipv6 access-list

IPv6 access list THIRD_LOOPBACK

permit ipv6 2001:DB8:0:11::/64 any (1 match) sequence 10

R2#show ipv6 route bgp | begin 2001


B 2001:DB8:0:111::/64 [20/0]

via FE80::21D:A1FF:FE8B:36D0, FastEthernet0/0

The access-list tells us that it has a match and you can see it’s gone from the routing
table.

Order of Operation
You have now seen how you can use a prefix-list, filter-list and route-map to filter
IPv6 prefixes. You can apply all of these at the same time if you want; I didn’t remove
any of my previous configurations while writing this lesson. Take a look at R2:

R2#show run | sec address-family ipv6

address-family ipv6

neighbor 2001:DB8:0:12::1 activate

neighbor 2001:DB8:0:12::1 prefix-list SMALL_NETWORKS in

neighbor 2001:DB8:0:12::1 route-map MY_FILTER in

neighbor 2001:DB8:0:12::1 filter-list 11 in

On a production network you probably won’t use all of these at the same time. The
route-map is a popular choice since you can use it for pretty much anything: filtering
as well as things like prepending the AS path.

If you do activate all of these at the same time then you might want to know in what
order the router will process these filtering techniques. Here they are:

Inbound:

 Route-map
 Filter-List
 Prefix-List

Outbound:

 Prefix-List
 Filter-List
 Route-Map

Why do we care about this? Imagine you have an inbound route-map and prefix-list.
If you permitted a prefix in the prefix-list but denied it in the route-map then you will
never see the prefix in your BGP table since the route-map is processed before the
prefix-list.

For outbound filtering it’s the other way around. If you permit something in the
route-map but deny it in a filter-list then it will never be advertised…the filter-list is
processed before the route-map for outbound updates.

Don’t make it too hard for yourself…it’s best to stick to using the route-map only
since you can attach prefix-lists and as-path access-lists to it.
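Here is the inbound order applied to the four prefixes from this lesson in a small Python model (an added example, not code from the lesson). It implements the prefix-list, as-path access-list and route-map used above in simplified form and reports which filter drops each prefix, so you can see that a prefix the prefix-list would permit never gets that far when the route-map denies it.

```python
"""Model of the three inbound BGP IPv6 filters from this lesson and the order
in which IOS evaluates them for inbound updates: route-map, then filter-list,
then prefix-list. Constructed example, not code from the lesson; the routes
are the four prefixes R2 receives from R1, with the AS paths shown above."""
import ipaddress
import re
from typing import List, NamedTuple, Optional


class PrefixListEntry(NamedTuple):
    action: str          # "permit" or "deny"
    prefix: str          # e.g. "2001::/16"
    ge: Optional[int]    # None when there is no 'ge' keyword
    le: Optional[int]    # None when there is no 'le' keyword


# ipv6 prefix-list SMALL_NETWORKS permit 2001::/16 le 64
SMALL_NETWORKS = [PrefixListEntry("permit", "2001::/16", None, 64)]


def prefix_list_permits(entries: List[PrefixListEntry], prefix: str) -> bool:
    """First matching entry wins; no match is an implicit deny. Without ge/le the
    length must equal the entry's own length; 'le 64' allows lengths up to /64,
    so a /64 or a larger (shorter) subnet passes and the /96 does not."""
    net = ipaddress.IPv6Network(prefix)
    for e in entries:
        base = ipaddress.IPv6Network(e.prefix)
        lo = e.ge if e.ge is not None else base.prefixlen
        hi = e.le if e.le is not None else (128 if e.ge is not None else base.prefixlen)
        if net.subnet_of(base) and lo <= net.prefixlen <= hi:
            return e.action == "permit"
    return False


def as_path_acl_permits(regex: str, as_path: str) -> bool:
    """ip as-path access-list 11 permit ^1$ : the regular expression is applied to
    the AS path as printed by 'show ip bgp'. Only ^ and $ are used here; IOS also
    has tokens such as '_' that this model does not implement."""
    return re.search(regex, as_path) is not None


def route_map_permits(prefix: str) -> bool:
    """route-map MY_FILTER: 'deny 10' matches ipv6 access-list THIRD_LOOPBACK
    (permit 2001:db8:0:11::/64 any), 'permit 20' matches everything else.
    The ACL source is modelled as a prefix match on the route's network address."""
    third_loopback = ipaddress.IPv6Network("2001:db8:0:11::/64")
    if ipaddress.IPv6Network(prefix).network_address in third_loopback:
        return False   # sequence 10: deny
    return True        # sequence 20: permit


def inbound_filter(prefix: str, as_path: str) -> Optional[str]:
    """Return None if the route is accepted, otherwise the name of the first
    filter, in IOS inbound order, that denies it."""
    checks = [
        ("route-map MY_FILTER", lambda: route_map_permits(prefix)),
        ("filter-list 11", lambda: as_path_acl_permits(r"^1$", as_path)),
        ("prefix-list SMALL_NETWORKS", lambda: prefix_list_permits(SMALL_NETWORKS, prefix)),
    ]
    for name, permits in checks:
        if not permits():
            return name
    return None


# (prefix, AS path) as R2 sees them after R1's PREPEND route-map.
RECEIVED_FROM_R1 = [
    ("2001:db8:0:1::/64", "1 11"),
    ("2001:db8:0:11::/64", "1"),
    ("2001:db8:0:111::/64", "1"),
    ("2001:db8:0:1111::/96", "1"),
]


def accepted_routes(routes) -> List[str]:
    return [p for p, path in routes if inbound_filter(p, path) is None]


if __name__ == "__main__":
    for p, path in RECEIVED_FROM_R1:
        verdict = inbound_filter(p, path)
        outcome = "accepted" if verdict is None else "denied by " + verdict
        print(f"{p:24} path [{path:5}] -> {outcome}")
```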

 Configurations
 R1

hostname R1

ipv6 unicast-routing

interface FastEthernet0/0

ipv6 address 2001:DB8:0:12::1/64

interface Loopback0

ipv6 address 2001:DB8:0:1::1/64

interface Loopback1

ipv6 address 2001:DB8:0:11::1/64

!
interface Loopback2

ipv6 address 2001:DB8:0:111::1/64

interface Loopback3

ipv6 address 2001:DB8:0:1111::1/96

router bgp 1

bgp router-id 1.1.1.1

bgp log-neighbor-changes

neighbor 2001:DB8:0:12::2 remote-as 2

address-family ipv4

neighbor 2001:DB8:0:12::2 activate

neighbor 2001:DB8:0:12::2 route-map PREPEND out

exit-address-family

address-family ipv6

network 2001:DB8:0:1::/64

network 2001:DB8:0:11::/64

network 2001:DB8:0:111::/64

network 2001:DB8:0:1111::/96

neighbor 2001:DB8:0:12::2 activate


neighbor 2001:DB8:0:12::2 route-map PREPEND out

exit-address-family

ipv6 prefix-list FIRST_LOOPBACK permit 2001:db8:0:1::/64

route-map PREPEND permit 10

match ipv6 address prefix-list FIRST_LOOPBACK

set as-path prepend 11

route-map PREPEND permit 20

end

 R2

hostname R2

ipv6 unicast-routing

interface FastEthernet0/0

ipv6 address 2001:DB8:0:12::2/64

router bgp 2

bgp router-id 2.2.2.2

bgp log-neighbor-changes
neighbor 2001:DB8:0:12::1 remote-as 1

address-family ipv4

no neighbor 2001:DB8:0:12::1 activate

exit-address-family

address-family ipv6

neighbor 2001:DB8:0:12::1 activate

neighbor 2001:DB8:0:12::1 prefix-list SMALL_NETWORKS in

neighbor 2001:DB8:0:12::1 route-map MY_FILTER in

neighbor 2001:DB8:0:12::1 filter-list 11 in

exit-address-family

ipv6 prefix-list SMALL_NETWORKS permit 2001::/16 le 64

ip as-path access-list 11 permit ^1$

ipv6 access-list THIRD_LOOPBACK

permit 2001:db8:0:11::/64 any

route-map MY_FILTER deny 10

match ipv6 address THIRD_LOOPBACK


route-map MY_FILTER permit 20

end

Want to take a look for yourself? Here you will find the final configuration of each
device.

That’s all I have for now, I hope this has been useful to understand BGP IPv6 filtering.
If you have any questions, just leave a comment.
