Chapter 13. Route Filtering
Chapter 11, "Route Redistribution," presents several situations in which redistribution causes unwanted or inaccurate routes to exist in a particular router. For instance, in Figure 11.3 and the associated discussion, one or more routers choose a sub-optimal route through an internetwork. The problem in that example is that the routers prefer the lower administrative distance of IGRP to the administrative distance of RIP. More generally , any time routes to the same destination are being redistributed into a routing domain by more than a single router, the potential for inaccurate routing exists. In some cases, routing loops and black holes may occur. Figure 11.26 shows another example of an unwanted or unexpected route. In this case, the summary route 192.168.3.128/25 is advertised into OSPF but is redistributed into the EIGRP domain ”where the summarized subnets exist. This phenomenon , in which a route is advertised in the wrong direction across a redistributing router, is called route feedback . Route filtering enables the network administrator to keep tight control over route advertisements. Any time a router is performing mutual redistribution ”the mutual sharing of routes between two or more routing protocols ”route filters should be used to ensure that routes are advertised in only one direction. Figure 13.1 shows another use for route filters. Here, a routing domain is broken into sub-domains, each containing multiple routers. The router connecting the two domains is filtering routes so that the routers in sub-domain B know only a subset of the routes in sub-domain A. This filtering may be done for security, so that the B routers only know of authorized subnets. Or it may be done simply to manage the size of the routing tables and updates of the B routers by eliminating unnecessary routes. Figure 13.1. Route filters may be used to create routing sub-domains, into which only some of the routing domain's addresses are advertised. Yet another common use of route filters is to create a "route firewall." Frequently, corporate divisions or government agencies must be interconnected while they remain under separate administrative control. If you do not have control of all parts of the internetwork, you are vulnerable to misconfigured or even malicious routing. Route filters at the interconnecting routers will ensure that routers accept only legitimate routes. This approach is again a form of security, but in this case, incoming routes, instead of outgoing routes, are regulated . Route filters work by regulating the routes that are entered into, or advertised out of, the route table. They have somewhat different effects on link state routing protocols than they do on distance vector routing protocols. A router running a distance vector protocol advertises routes based on what is in its route table. As a result, a route filter will influence which routes the router advertises to its neighbors. Note Route filters and distance vector routing On the other hand, routers running link state protocols determine their routes based on information in their link state database, rather than the advertised route entries of its neighbors. Route filters have no effect on link state advertisements or the link state database. [1] As a result, a route filter can influence the route table of the router on which the filter is configured, but has no effect on the route entries of neighboring routers. Because of this behavior, route filters are mostly used at redistribution points into link state domains, such as an OSPF ASBR, where they can regulate which routes enter or leave the domain. Within the link state domain, route filters have limited utility.
Note Route filters and link state routing. |
![Routing TCP[s]IP (Vol. 11998)](/icons/blank_book.jpg "Routing TCP[s]IP (Vol. 11998)"){kind=icon}