(1) Features of Route Maps:
Route maps are similar to access lists; the difference is that a route map can also change attributes of the packets or routes it matches.
Purpose:
Route maps are mainly used for redistribution, policy routing, and BGP implementation.
Implementation:
Policy routing passes packets through a route map to implement policy-based forwarding.
Redistribution passes routes through a route map to filter route entries.
Configuration instructions:
If the action and sequence number are not specified for a route-map statement, the defaults are:
Action: permit
Sequence number: 10
The sequence number does not increase automatically.
Every route-map statement entered without a sequence number therefore refers to sequence number 10.
Route map deny action:
Redistribution: the matched route entries are not redistributed.
Policy routing: the matched packets are not forwarded according to the policy; they are forwarded normally according to the routing table.
Case Study: Policy Routing
Note: (1) Policy routing only affects traffic entering the interface on which it is applied.
(2) Standard and extended ACLs can be used.
(3) Configure ip local policy route-map sense globally to apply the policy route to packets generated by the router itself.
<1> Standard ACL
interface Serial0
 ip address 172.16.5.1 255.255.255.0
 ip policy route-map sense
!
access-list 1 permit 172.16.6.0 0.0.0.255
access-list 2 permit 172.16.7.0 0.0.0.255
!
route-map sense permit 10
 match ip address 1
 set ip next-hop 172.16.4.2
!
route-map sense permit 20
 match ip address 2
 set ip next-hop 172.16.4.3
<2> Extended ACL
interface Ethernet0
 ip address 172.16.1.4 255.255.255.0
 ip policy route-map sense
!
access-list 105 permit tcp 172.16.1.0 0.0.0.255 eq ftp any
access-list 105 permit tcp 172.16.1.0 0.0.0.255 eq ftp-data any
access-list 106 permit tcp 172.16.1.0 0.0.0.255 eq telnet any
!
route-map sense permit 10
 match ip address 105
 set ip next-hop 172.16.2.1
!
route-map sense permit 20
 match ip address 106
 set ip next-hop 172.16.3.1
<3> Packet length
interface Ethernet0
 ip address 172.16.1.4 255.255.255.0
 ip policy route-map sense
!
route-map sense permit 10
 match length 1000 1600
 set ip next-hop 172.16.2.1
!
route-map sense permit 20
 match length 0 400
 set ip next-hop 172.16.3.1
<4> The router's own packets
interface Ethernet0
 ip address 172.16.1.4 255.255.255.0
 ip policy route-map sense
!
ip local policy route-map sense
!
access-list 120 permit ip any 172.16.1.0 0.0.0.255
access-list 120 permit ospf any any
!
route-map sense permit 10
 match ip address 120
 ! no set clause: matched packets are forwarded normally by the routing table
!
route-map sense permit 20
 match length 1000 1600
 set ip next-hop 172.16.2.1
!
route-map sense permit 30
 match length 0 400
 set ip next-hop 172.16.3.1
NOTE: Without the first route-map entry (sequence 10), the router's own packets and the OSPF packets would be matched by the last two entries and forwarded to the wrong next hop.
Case Study: Policy Routing and Quality of Service Routing
Policy routing can be combined with the Precedence and Type of Service (TOS) fields of the IP header to implement QoS-based policy routing.
Note: Either the number or the keyword can be used when configuring Precedence and TOS.
set ip precedence <value>
 Bits  Number  Keyword
 000   0       routine
 001   1       priority
 010   2       immediate
 011   3       flash
 100   4       flash-override
 101   5       critical
 110   6       internet
 111   7       network
set ip tos <value>
 Bits  Number  Keyword
 0000  0       normal
 0001  1       min-monetary-cost
 0010  2       max-reliability
 0100  4       max-throughput
 1000  8       min-delay
---------------------------------------
interface Serial0
 ip address 10.1.18.67 255.255.255.252
 ip policy route-map sense
!
interface Serial1
 ip address 10.34.16.83 255.255.255.252
 ip policy route-map sense
!
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 110 permit tcp any eq www any
!
route-map sense permit 10
 match ip address 1 110
 set ip precedence critical
!
route-map sense permit 20
 set ip tos 10
 set ip precedence priority
Case Study: Route Tagging
Purpose:
Route tagging identifies routes that originated in a specific domain during bidirectional redistribution, so that they are not redistributed back into the domain they came from.
Usage:
The edge router sets a tag on the route entry when it redistributes it. A domain acting as a transit network does not need to use or recognize the tag; it only has to carry the tag through to its external networks.
Routing protocol support:
Supported: RIPv2, EIGRP, IS-IS, OSPF, BGP
Not supported: RIPv1, IGRP
Packet format:
RIPv2: 16-bit tag, decimal, 0 ~ 65535
EIGRP external route TLVs: 32-bit tag, decimal, 0 ~ 4294967295
OSPF type 5 LSAs: 32-bit tag, decimal, 0 ~ 4294967295
Configuration example:
router ospf 1
 redistribute igrp 1 metric 10 subnets tag 1
 redistribute rip metric 10 subnets route-map sense
 network 10.100.200.1 0.0.0.0 area 0
!
router rip
 network 10.0.0.0
!
router igrp 1
 network 10.0.0.0
!
access-list 1 permit 10.1.2.3
access-list 2 permit 10.1.2.4
!
route-map sense permit 10
 match ip route-source 1
 set tag 2
!
route-map sense permit 20
 match ip route-source 2
 set tag 3
! RIP routes from any other source are dropped by the implicit deny at the end of the route map
(2) Distribute-list
Purpose:
<1> Control route advertisement and route redistribution.
<2> Create a "route firewall".
Behaviour per routing protocol type:
Distance-vector routing protocols: route filtering can control the route entries advertised and received by the protocol as well as the entries used for redistribution.
Link-state routing protocols: route filtering can only control route entries during redistribution.
Note: a basic requirement of a link-state routing protocol is that the link-state databases of all routers in an area must be identical. If route filtering could filter out LSA announcements, it would violate the link-state protocol specification.
Case Study: Filtering Specific Routes
router rip
 version 2
 network 192.168.75.0
 distribute-list 1 in Serial1
!
ip classless
access-list 1 permit 0.0.0.0
! only the default route 0.0.0.0 is accepted from Serial1
Case Study: Route Filtering and Redistribution
Note:
When the distribute-list command is used with a link-state routing protocol:
Combined with an interface: only the in direction can be used.
Combined with the routing process: only the out direction can be used.
Both schemes have the same effect on route feedback. The interface scheme suppresses feedback better, because the filtered routes never enter the routing table; with the routing-process scheme the fed-back routes are still installed in the routing table even though they are not redistributed, so entries there can be invalid.
<1> Combined with interfaces:
router ospf 25
 redistribute rip metric 100
 network 172.16.1.254 0.0.0.0 area 25
 network 172.16.8.254 0.0.0.0 area 25
 network 172.16.50.254 0.0.0.0 area 25
 distribute-list 3 in Ethernet0/0
 distribute-list 3 in Ethernet0/1
 distribute-list 3 in Ethernet0/2
!
router rip
 redistribute ospf 25 metric 5
 passive-interface Ethernet0/0
 passive-interface Ethernet0/1
 passive-interface Ethernet0/2
 network 172.16.0.0
 distribute-list 1 in Ethernet0/3
 distribute-list 1 in Ethernet2/0
 distribute-list 1 in Ethernet2/1
!
ip classless
access-list 1 permit 172.16.128.0 0.0.127.255
access-list 3 permit 172.16.0.0 0.0.127.255
<2> Combined with the routing process:
router ospf 25
 redistribute rip metric 100
 network 172.16.1.254 0.0.0.0 area 25
 network 172.16.8.254 0.0.0.0 area 25
 network 172.16.50.254 0.0.0.0 area 25
 distribute-list 10 out rip
!
router rip
 redistribute ospf 25 metric 5
 passive-interface Ethernet0/3
 passive-interface Ethernet2/0
 passive-interface Ethernet2/1
 network 172.16.0.0
 distribute-list 20 out ospf 25
!
ip classless
access-list 10 permit 172.16.130.0
access-list 10 permit 172.16.145.0
access-list 10 permit <network garbled in source>
access-list 20 permit 172.16.23.0
access-list 20 permit 172.16.9.0
access-list 20 permit 172.16.75.0
(3) Prefix-list:
Filters the routes distributed by specific routing protocols; mainly used with BGP.
Features:
Compared with ACLs, prefix lists are more flexible, and their mask-length matching is easier to understand.
Case Study: Standard Syntax
ip prefix-list {list-name | list-number} [seq seq-number] {deny | permit} network/length [ge ge-length] [le le-length]
no ip prefix-list {list-name | list-number} [seq seq-number] {deny | permit} network/length [ge ge-length] [le le-length]
Note:
<1> ip prefix-list uses the longest-match rule.
<2> If seq-number is not specified, the first entry defaults to 5, and each entry added afterwards is automatically numbered 5 higher than the previous one.
That is, if you give the first entry seq 2, the next entry added without a seq number automatically becomes seq 7.
<3> To turn off automatic sequence numbering, use the command: no ip prefix-list sequence-number.
<4> length < ge-length < le-length <= 32
<5> The ip prefix-list statement cannot be used with the match ip next-hop statement of a route map; it can only be used with the match ip address statement.
Case Study: ip prefix-list description
Syntax:
ip prefix-list list-name description text
Case Study: Configuration Example
router bgp 3
 no synchronization
 neighbor 172.16.1.2 remote-as 3
 neighbor 172.16.20.1 remote-as 1
 neighbor 172.16.20.1 prefix-list 1 out
 no auto-summary
!
ip prefix-list 1 seq 5 deny 192.68.10.0/24
ip prefix-list 1 seq 10 permit 0.0.0.0/0 le 32
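The following Python model of prefix-list evaluation is an added example, not code from the original notes or from IOS; it replays the BGP filter above and shows why the catch-all must be 0.0.0.0/0 le 32 rather than 0.0.0.0/32, and what an exact-length deny does and does not block. It assumes entries are evaluated in sequence-number order with first match winning and an implicit deny at the end.

```python
import ipaddress

# Added example (not part of the original notes): a small model of how an
# IOS-style "ip prefix-list" is evaluated. Assumption: entries are checked in
# sequence-number order, the first matching entry decides, and a list with no
# matching entry denies the route (the implicit deny).

def prefix_entry(seq, action, prefix, ge=None, le=None):
    """One prefix-list entry; enforces the rule length < ge <= le <= 32."""
    net = ipaddress.ip_network(prefix, strict=False)
    length = net.prefixlen
    if ge is not None and not length < ge <= 32:
        raise ValueError(f"seq {seq}: need {length} < ge <= 32")
    if le is not None and not (length if ge is None else ge) <= le <= 32:
        raise ValueError(f"seq {seq}: need length/ge <= le <= 32")
    # Mask lengths a candidate route may have: neither ge nor le -> exactly
    # `length`; only ge -> ge..32; only le -> length..le; both -> ge..le.
    lo = length if ge is None else ge
    hi = le if le is not None else (length if ge is None else 32)
    return (seq, action, net, lo, hi)

def entry_matches(entry, route):
    """True when the route's first `length` bits equal the entry prefix and
    its own mask length lies within the entry's lo..hi range."""
    _, _, net, lo, hi = entry
    if not lo <= route.prefixlen <= hi:
        return False
    return route.supernet(new_prefix=net.prefixlen) == net

def evaluate(prefix_list, route):
    """Return 'permit' or 'deny' for `route`, a 'network/length' string."""
    route = ipaddress.ip_network(route, strict=False)
    for entry in sorted(prefix_list, key=lambda e: e[0]):
        if entry_matches(entry, route):
            return entry[1]
    return "deny"

# The BGP filter from the notes. With the catch-all written as 0.0.0.0/32 it
# matches only the single host route 0.0.0.0/32; everything else is denied.
WRONG_CATCHALL = [prefix_entry(5, "deny", "192.68.10.0/24"),
                  prefix_entry(10, "permit", "0.0.0.0/32")]
# 0.0.0.0/0 le 32 matches any prefix of any length, which is what was meant.
# "deny 192.68.10.0/24" is an exact-length match, so the more specific
# 192.68.10.0/25 still passes; add "le 32" to the deny to block it as well.
CORRECT = [prefix_entry(5, "deny", "192.68.10.0/24"),
           prefix_entry(10, "permit", "0.0.0.0/0", le=32)]

if __name__ == "__main__":
    for r in ("10.0.0.0/8", "192.68.10.0/24", "192.68.10.0/25"):
        print(r, evaluate(WRONG_CATCHALL, r), evaluate(CORRECT, r))
```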
(4) ip as-path access-list
Function:
Filters the route entries distributed by BGP based on the BGP AS_PATH attribute.
Case Study: Syntax
ip as-path access-list acl-number {permit | deny} regexp
no ip as-path access-list acl-number
Note: The valid range of acl-number is 0 ~ 500.
Case Study: Configuration Guide
<1> Filter route updates carrying any private AS number
! private 2-byte AS numbers are 64512 ~ 65535
ip as-path access-list 1 deny _(6451[2-9]|645[2-9][0-9]|64[6-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5])_
ip as-path access-list 1 permit .*
<2> Application example
router bgp 3
 no synchronization
 neighbor 172.16.1.2 remote-as 3
 neighbor 172.16.20.1 remote-as 1
 neighbor 172.16.20.1 filter-list 1 out
 no auto-summary
!
ip as-path access-list 1 permit ^$
! ^$ matches an empty AS path: only routes originated by this router are advertised
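As an added example (not code from the original notes or from IOS), the following Python replays the private-AS filter from <1> and the ^$ filter from <2> over constructed AS paths, and contrasts the full 64512 ~ 65535 pattern with a shorter 64[6-9][0-9][0-9] variant that only starts at 64600. It assumes the IOS "_" metacharacter can be modelled as start, end, space, comma, brace or parenthesis, and that AS paths are space-separated as shown by show ip bgp.

```python
import re

# Added example (not part of the original notes): replays the private-AS and
# "^$" as-path filters over constructed AS paths. Assumption: the IOS "_"
# metacharacter is modelled as "start, end, space, comma, brace or paren",
# which is how IOS documents it; paths are space-separated as in "show ip bgp".

def ios_regex(pattern):
    """Translate an IOS as-path regex into a Python regex."""
    return re.compile(pattern.replace("_", r"(?:^|$|[ ,{}()])"))

def as_path_filter(acl, as_path):
    """Evaluate an ordered list of (action, compiled_regex), like the entries
    of one 'ip as-path access-list': first match wins, implicit deny at end."""
    for action, rx in acl:
        if rx.search(as_path):
            return action
    return "deny"

# Full 2-byte private range 64512 ~ 65535, as in filter <1> of the notes.
PRIVATE_AS = [
    ("deny", ios_regex(r"_(6451[2-9]|645[2-9][0-9]|64[6-9][0-9][0-9]"
                       r"|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5])_")),
    ("permit", ios_regex(r".*")),
]
# A shorter variant often seen: 64[6-9][0-9][0-9] only starts at 64600, so
# paths carrying 64512 ~ 64599 slip through to the "permit .*" entry.
SHORT_VARIANT = [
    ("deny", ios_regex(r"(_64[6-9][0-9][0-9]_|_65[0-9][0-9][0-9]_)")),
    ("permit", ios_regex(r".*")),
]
# Filter <2>: "^$" matches only the empty AS path, i.e. routes this router
# originated itself, so nothing learned from other peers is advertised.
LOCAL_ONLY = [("permit", ios_regex(r"^$"))]

def leaks_private_as(acl):
    """Constructed sample paths with a private AS that `acl` still permits."""
    samples = ["100 200", "100 64512", "65010 300", "100 64550 200", "64600"]
    return [p for p in samples if as_path_filter(acl, p) == "permit"
            and any(64512 <= int(a) <= 65535 for a in p.split())]

if __name__ == "__main__":
    print("full range leaks:", leaks_private_as(PRIVATE_AS))      # []
    print("short variant leaks:", leaks_private_as(SHORT_VARIANT))
    print("local only:", as_path_filter(LOCAL_ONLY, ""), as_path_filter(LOCAL_ONLY, "1"))
```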
(5) Execution order of the preceding filter commands:
<1> Inbound
route-map -> filter-list -> prefix-list or distribute-list
<2> Outbound
prefix-list or distribute-list -> filter-list -> route-map
For a given neighbor and direction, only one of prefix-list and distribute-list can be applied at a time.
----------------------------------------
Summary:
These filtering commands are not difficult in themselves; the key is the concept of filtering.
They are flexible tools: used well they are very effective, used badly they can be counterproductive.
Therefore, when configuring these filter commands, consider each one carefully. For every filter, think through its effect on the current network in advance, so that a flaw in the filter is not discovered only after it has been deployed on the router; that way the filter does not create security risks.