Route filtering allows you to control which routes are accepted into the routing table or advertised to neighbors. In RIP, the primary method for filtering routes is the distribute-list command.
Distribute-List Command Syntax
Router(config-router)# distribute-list {access-list-number|name | prefix prefix-list-name | gateway prefix-list-name} {in|out} [interface-name]
Components of a Distribute-List
Match Method - Choose one of these options to identify routes:
Standard ACL (matches network address only)
Extended ACL (matches source of route + network)
Prefix list (matches network and subnet mask)
Gateway (filters based on next-hop address)
Direction:
in: Filters incoming updates; prevents routes from being installed in the routing table
out: Filters outgoing updates; prevents routes from being sent to neighbors
Interface (Optional):
By default, the filter applies to all interfaces
Specify an interface to apply the filter only to that interface
Using Prefix Lists for Filtering
Prefix lists offer the most precise filtering because they can match both network address and subnet mask:
Router(config)# ip prefix-list LIST-NAME [seq sequence-number] {deny|permit} network/length [ge ge-value] [le le-value]
Router(config-router)# distribute-list prefix LIST-NAME {in|out} [interface-name]
Key considerations:
Use deny action to filter routes
Always include a permit statement at the end to override implicit deny
Can match exact prefix length or range of lengths using ge (greater than or equal) and le (less than or equal)
When applied, wait for the 240-second flush timer to expire, or use clear ip route * to force immediate effect
To catch all routes and permit them using a prefix list in RIP, you would create a prefix list that matches any IP address with any subnet mask. This is typically done at the end of your prefix list to override the implicit deny.
Here's how to configure it:
Router(config)# ip prefix-list LIST-NAME seq 10 permit 0.0.0.0/0 le 32
Breaking down this command:
ip prefix-list LIST-NAME - Creates or modifies a prefix list with the name LIST-NAME
seq 10 - Sequence number (allows for organizing multiple entries)
permit - Action to permit routes that match this entry
0.0.0.0/0 - Base prefix that matches any network
le 32 - "Less than or equal to" 32 bits, means any prefix length from /0 to /32
This prefix list entry will match any IPv4 route regardless of its network address or subnet mask. You would typically use this at the end of your prefix list to permit all remaining routes after denying specific ones.
For example, a complete prefix list that blocks 192.168.1.0/24 but permits everything else would look like:
Router(config)# ip prefix-list FILTER-ROUTES seq 5 deny 192.168.1.0/24
Router(config)# ip prefix-list FILTER-ROUTES seq 10 permit 0.0.0.0/0 le 32
Router(config-router)# distribute-list prefix FILTER-ROUTES in
This approach ensures that after you've specified your specific deny statements, you explicitly permit all other routes, preventing the implicit deny from blocking everything else.
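The matching rules above (exact length without ge/le, first match by sequence number, implicit deny) can be modelled in a few lines. This is an added example, not IOS code and not from the original page; the function names and the sample update are constructed, and it goes slightly beyond the text by also evaluating the list with le 32 omitted and with the final permit omitted.

```python
import ipaddress

def parse_entry(line):
    """Parse 'seq N {permit|deny} A.B.C.D/L [ge X] [le Y]' (text after the list name)."""
    tok = line.split()
    entry = {"seq": int(tok[1]), "action": tok[2],
             "net": ipaddress.ip_network(tok[3]), "ge": None, "le": None}
    for key, val in zip(tok[4::2], tok[5::2]):   # optional ge / le pairs
        entry[key] = int(val)
    return entry

def entry_matches(entry, route):
    """A route matches when its network falls under the entry's prefix and its
    mask length is inside the range implied by ge/le."""
    base, ge, le = entry["net"], entry["ge"], entry["le"]
    if ge is None and le is None:
        low = high = base.prefixlen              # no ge/le: exact length only
    else:
        low = ge if ge is not None else base.prefixlen
        high = le if le is not None else 32
    return route.subnet_of(base) and low <= route.prefixlen <= high

def evaluate(prefix_list, route):
    """First matching entry (lowest seq) decides; no match is the implicit deny."""
    for entry in sorted(map(parse_entry, prefix_list), key=lambda e: e["seq"]):
        if entry_matches(entry, route):
            return entry["action"]
    return "deny"

def permitted(prefix_list, routes):
    """Routes from a received update that would pass the inbound filter."""
    return [r for r in routes
            if evaluate(prefix_list, ipaddress.ip_network(r)) == "permit"]

# Constructed sample update and three variants of the list (hypothetical names)
UPDATE = ["192.168.1.0/24", "192.168.1.0/25", "10.0.0.0/8", "172.16.5.0/24", "0.0.0.0/0"]
FILTER_ROUTES = ["seq 5 deny 192.168.1.0/24", "seq 10 permit 0.0.0.0/0 le 32"]
NO_LE = ["seq 5 deny 192.168.1.0/24", "seq 10 permit 0.0.0.0/0"]
NO_PERMIT = ["seq 5 deny 192.168.1.0/24"]

if __name__ == "__main__":
    for name, plist in [("FILTER-ROUTES", FILTER_ROUTES),
                        ("no le 32", NO_LE), ("no permit", NO_PERMIT)]:
        print(f"{name:14} -> {permitted(plist, UPDATE)}")
```

Note that 192.168.1.0/25 passes the FILTER-ROUTES variant: the deny entry has no ge or le, so it matches the /24 only. Without le 32 the final entry matches nothing but the default route.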
Using Standard ACLs for Filtering
Standard ACLs can match only the network address:
Router(config)# access-list ACL-NUMBER {deny|permit} network wildcard-mask
Router(config-router)# distribute-list ACL-NUMBER {in|out} [interface-name]
Limitations:
Cannot match subnet mask, only network address
Must use deny to filter routes
Remember to include a permit any statement to override implicit deny
Using Extended ACLs for Filtering
With RIP, extended ACLs serve a special purpose - filtering routes based on their source:
Router(config)# access-list ACL-NUMBER deny ip host SOURCE-IP NETWORK WILDCARD-MASK
Router(config-router)# distribute-list ACL-NUMBER {in|out} [interface-name]
Example:
If 10.0.0.0/8 is received from both Router1 (192.168.1.1) and Router2 (192.168.1.2), to filter this route from Router1 only:
access-list 101 deny ip host 192.168.1.1 10.0.0.0 0.255.255.255
Always include access-list 101 permit ip any any afterwards
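A model of the source-plus-network matching described above, added here as an illustration (not IOS code and not from the original page). Function names and the 172.16.0.0 sample network are constructed; the ACL lines are the ones from the example.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard match: bits set to 1 in the wildcard are ignored."""
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(addr)) & care) == (int(ipaddress.ip_address(base)) & care)

def parse_field(tok):
    """Consume one address field: 'any', 'host A', or 'A WILDCARD'."""
    if tok[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tok[1:]
    if tok[0] == "host":
        return (tok[1], "0.0.0.0"), tok[2:]
    return (tok[0], tok[1]), tok[2:]

def parse_ace(line):
    """Parse '{permit|deny} ip <route-source field> <network field>'."""
    tok = line.split()
    action, rest = tok[0], tok[2:]           # tok[1] is the 'ip' keyword
    source, rest = parse_field(rest)
    network, _ = parse_field(rest)
    return action, source, network

def evaluate(acl, update_source, network):
    """First matching entry decides; falling off the end is the implicit deny.
    update_source is the neighbor that sent the route, network is the route itself."""
    for action, src, net in map(parse_ace, acl):
        if wildcard_match(update_source, *src) and wildcard_match(network, *net):
            return action
    return "deny"

ACL_101 = ["deny ip host 192.168.1.1 10.0.0.0 0.255.255.255",
           "permit ip any any"]

if __name__ == "__main__":
    # Constructed received routes: (advertising router, network address)
    for source, network in [("192.168.1.1", "10.0.0.0"), ("192.168.1.2", "10.0.0.0"),
                            ("192.168.1.1", "172.16.0.0")]:
        print(f"{network} from {source}: {evaluate(ACL_101, source, network)}")
    # Same ACL with the permit line left out: Router2's copy is lost as well
    print("no permit:", evaluate(ACL_101[:1], "192.168.1.2", "10.0.0.0"))
```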
Summary of RIP Filtering Methods
Distribute Lists (Direct method, recommended by Cisco)
Most flexible and precise
Can filter specific routes in either direction
Passive Interfaces (Indirect method)
Stops sending updates out an interface
Still processes incoming updates
Offset Lists (Indirect method)
Makes routes appear less desirable by increasing their metric
Routes aren't actually filtered but are less likely to be used
Administrative Distance (Indirect method)
Changes preference for routes from specific sources
Routes remain in the database but might not be installed in the routing table
Best Practices
Use prefix lists when you need to match subnet masks
Use distribute lists with the "in" direction to limit what enters the routing table
Use distribute lists with the "out" direction to control route advertisement
Always verify your filtering with show ip route and debug ip rip
Remember that filters applied with distribute-list don't take effect immediately because routes need to age out or be cleared
This comprehensive approach to route filtering gives you precise control over your RIP routing domain and helps prevent unwanted routes from propagating through your network.