Filter-policy application experiment (Huawei equipment)

Overview:

filter-policy: a route filtering policy. This tool is used inside routing protocol processes: it calls ACL, ip-prefix, route-policy and similar tools to match routes and thereby control which routes are advertised or received. Only routes that pass the policy can be advertised or received; routes that do not pass are filtered out. The tool is widely applicable and can be used in both IGPs and BGP. A filter-policy is applied either as import (inbound direction) or export (outbound direction).

import: mainly affects which routes the router accepts and therefore changes its own routing table. It can be used with any routing protocol, but the effect differs between protocol types: distance vector protocols (such as RIP) and link state protocols (such as OSPF and IS-IS) behave differently when this tool is used for route control. A distance vector protocol advertises from its own routing table, so what it transmits is routing table information, and received routes can be filtered with filter-policy import. A link state protocol advertises from its link state database, so what it transmits is LSAs, not routes. filter-policy import cannot filter Type 1 or Type 2 LSAs; it only prevents the filtered routes from being installed in the local routing table. This is analyzed further below.

export: in a distance vector protocol, controls which routes are advertised to neighbors and therefore affects the routing tables of the neighbor routers. In a link state protocol it is usually applied on an autonomous system border router, mainly to control which external routes are imported. In general, route filtering can only filter routing information, not link state information. For OSPF, Type 3, Type 5 and Type 7 LSAs can be filtered in both the outbound and inbound directions. For link state protocols such as OSPF and IS-IS, filtering routes in the inbound direction does not block the transmission of link state information: the filtered routes are simply not added to the local routing table, while the LSAs that carry them are still flooded through the OSPF or IS-IS domain.

Route filtering can also filter routes imported from other protocols, for example RIP routes imported into OSPF. OSPF can use route filtering to drop some of the routes imported from RIP so that only the external routes that meet the conditions are converted into Type 5 LSAs (AS-external-LSAs) and advertised; the other OSPF routers then learn only those specific routes from RIP. This use is only available in the outbound direction.

Configuration command:
filter-policy { acl-number | acl-name acl-name | ip-prefix ip-prefix-name [ gateway ip-prefix-name ] } import [ interface-type interface-number ]

After filter-policy you can call an ACL, an ip-prefix, and a gateway ip-prefix to filter the specified routes. The ACL and ip-prefix both match the route entries themselves, while gateway matches on the router that advertised the route: for example, if the next hop (gateway) of a route is 192.168.1.1, all routes advertised by that neighbor can be controlled by matching the gateway address. import selects the inbound direction, and interface-type interface-number names an interface type and number so that only routes received on that interface are filtered.

Scenario 1: Filter-policy application in RIP

[Figure: scenario 1 topology]
Scenario description:
As shown in the figure, R1 advertises 5 network segments into RIP, and R2 is required to filter out the odd-numbered routes.

Steps:
1. Use an ACL to match the routes to be filtered (this needs the fewest commands).
[R2]acl number 2000
[R2-acl-basic-2000]rule deny source 172.16.1.0 0.0.6.0
[R2-acl-basic-2000]rule permit source any //When an ACL is used to filter routes at the control plane there is an implicit deny at the end, so the other routes must be matched and permitted explicitly.

2. Enter the RIP process, apply the filter-policy and call the ACL in the import direction.
[R2]rip 1
[R2-rip-1]filter-policy 2000 import
[R2]display ip routing-table
[Figure: output of display ip routing-table on R2]

When filter-policy is applied in the import direction, the filtered routes no longer appear in R2's routing table. Because R3 learns its routes through R2, R3's routing table should be consistent with R2's, and the filtered routes will not be seen there either. If an interface parameter is appended, only routes received on that interface are filtered; without it, routes from all interfaces are filtered.

Check the routing table of R3:
[Figure: routing table of R3]
When filter-policy is applied in the export direction, the purpose is to filter routes as they are advertised to neighbors; it does not change the local routing table.

Scenario 2: filter-policy import application in OSPF

[Figure: scenario 2 topology]
Scenario description:
As shown in the figure, the routers run OSPF. Apply filter-policy on R2 in the import direction and observe the difference in the routing tables.

Steps:
1. Use an ACL on R2 to filter the odd-numbered routes in 172.16.X.0:
[R2]acl number 2000
[R2-acl-basic-2000]rule 10 deny source 172.16.1.0 0.0.6.0
[R2-acl-basic-2000]rule 20 permit source any
[R2-acl-basic-2000]quit
[R2]ospf 1
[R2-ospf-1]filter-policy 2000 import
[Figure: routing table of R2]
Only the two even-numbered routes, 172.16.2.0/24 and 172.16.4.0/24, are now in R2's routing table; the odd-numbered routes have been filtered, which is the intended result.

2. View the routing table of R3:
[Figure: routing table of R3]

R3's routing table is normal, and odd-numbered routes are not filtered. This is because R3 still has the LSA sent by R2 and can calculate the route.

Reason: as shown in the figure, OSPF routers in an area synchronize their LSDBs through flooding, so all three routers in the area hold the same LSDB. Since the routers exchange LSAs rather than routes, filter-policy import cannot filter the routes between neighbors; it only stops the local router from installing the routes it calculates from those LSAs:
[Figure: LSDB synchronization within the area]
On an ABR, however, filter-policy import can be used to filter Type 3 or Type 5 LSAs, because Type 3 and Type 5 LSAs carry routing information: once such a route is not added to the local routing table it is not passed on to other neighbors, owing to the vector-like nature of these routes.

Scenario 3: Filter-policy export application in OSPF

[Figure: scenario 3 topology]
Scenario description:
In OSPF, filter-policy import can filter routes but not LSAs, while filter-policy export controls the import of external routes. As shown in the figure, R2 is required to import RIP into OSPF but to import only the first three routes.

Steps:

1. Use filter-policy export on R2 so that only the routes 172.16.1.0 to 172.16.3.0 in the figure are imported into OSPF.

[R2]ip ip-prefix R2O permit 172.16.0.0 22 greater-equal 24 less-equal 24
[R2]ospf 1
[R2-ospf-1]import-route rip 1
[R2-ospf-1]filter-policy ip-prefix R2O export rip 1

R2 uses the prefix list to match the three RIP network segments 172.16.1.0/24, 172.16.2.0/24 and 172.16.3.0/24 and imports only the matching routes into OSPF. The filter-policy tool calls the prefix list in the export direction, and the trailing parameters specify that it applies to routes imported from RIP process 1. Routes that do not match are not imported.
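To make the matching semantics concrete, here is an added Python model (not Huawei code and not from the original post) of the two filters used above: the basic ACL with wildcard 0.0.6.0 from the RIP scenario, including its implicit final deny, and the ip-prefix `172.16.0.0 22 greater-equal 24 less-equal 24` from the OSPF export scenario. The five-route list is constructed to mirror the lab.

```python
import ipaddress

# Constructed sample input: the five RIP routes R1 advertises in the lab.
ROUTES = [f"172.16.{i}.0/24" for i in range(1, 6)]


def wildcard_match(addr, rule_addr, wildcard):
    """Basic-ACL semantics: a wildcard bit of 1 means 'don't care', 0 means 'must match'."""
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (r & ~w)


def acl_permits(route, rules):
    """Evaluate ACL rules in order against the route's network address.

    rules: list of (action, source, wildcard); source 'any' matches everything.
    A route matching no rule hits the implicit deny, which is why the lab
    needs a trailing 'rule permit source any'.
    """
    net = str(ipaddress.ip_network(route).network_address)
    for action, src, wc in rules:
        if src == "any" or wildcard_match(net, src, wc):
            return action == "permit"
    return False  # implicit deny at the end of the ACL


def prefix_permits(route, prefix, ge, le):
    """ip-prefix semantics: route must lie inside prefix and its mask length must be in [ge, le]."""
    net = ipaddress.ip_network(route)
    base = ipaddress.ip_network(prefix)
    return net.subnet_of(base) and ge <= net.prefixlen <= le


def rip_import_filter():
    """Scenario 1: 'rule deny source 172.16.1.0 0.0.6.0' keeps only the even-numbered segments."""
    rules = [("deny", "172.16.1.0", "0.0.6.0"), ("permit", "any", None)]
    return [r for r in ROUTES if acl_permits(r, rules)]


def ospf_export_filter():
    """Export scenario: ip-prefix 172.16.0.0/22 with ge 24 le 24 keeps 172.16.1.0 to 172.16.3.0."""
    return [r for r in ROUTES if prefix_permits(r, "172.16.0.0/22", 24, 24)]


if __name__ == "__main__":
    print("after RIP import filter :", rip_import_filter())
    print("after OSPF export filter:", ospf_export_filter())
```

Wildcard 0.0.6.0 leaves bits 1 and 2 of the third octet unchecked, so 172.16.1.0 also matches .3 and .5 (and would match .7); this is the same bit arithmetic the router applies.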

2. View the routing table of R3:
display ip routing-table
[Figure: routing table of R3]

Only the matched routes can be seen in the routing table of R3. 172.16.4.0/24 and 172.16.5.0/24 have not been imported. In this way, the import of routes can be precisely controlled.

Summary:

filter-policy is a very flexible route control tool. In distance vector routing protocols it filters the routes advertised between neighbors; in link state routing protocols it is applied on the border devices of an area or routing domain, where it filters the routes placed in the routing table (relying on the vector-like behaviour of those routes). It cannot, however, stop the flooding of link state information within a link state protocol (it cannot filter Type 1 or Type 2 LSAs, LSPs, and so on), because the routers in an area would then hold inconsistent views of the topology and loops could form.

Source material: "HCIE Routing and Switching Learning Guide"

Original post: blog.csdn.net/tushanpeipei/article/details/112908042