Configuring an interface as passive
prevents it from sending updates entirely, but sometimes you need to
suppress only certain routes in the update from being sent or
received. If RTA in Figure
is configured with the network
10.0.0.0 command, all four
directly connected subnets will be advertised in RTA's updates,
along with any dynamically learned routes. However, you may want to
prevent RTZ from learning about network 10.1.1.0 from RTA.
This may be needed to enforce a routing policy that is based on
some external factor such as link expense, administrative
jurisdiction, or security concerns. In some cases, you may just want
to reduce needless overhead by preventing access routers from
receiving the complete (and possibly immense) core routing table.
Just assume that for one of these reasons, you do not want RTZ
learning the route to 10.1.1.0 from RTA.
You can use the distribute-list
command to pick and choose what routes a router will send or receive
updates about. By referencing an access list, the distribute-list
creates a route filter - a set of rules that precisely controls what
routes a router will send or receive in a routing update. This
command is available for all IP routing protocols and can be applied
to either inbound or outbound routing updates. When applied to
inbound updates, the syntax for configuring a route filter is as
follows:
Router(config-router)# distribute-list access-list-number in [interface-name]
When applied to outbound updates, the syntax can be more
complicated:
Router(config-router)# distribute-list access-list-number out [interface-name | routing-process | as-number]
The routing-process and as-number options are
invoked when exchanging routes between different routing protocols.
This will be covered later in the chapter, in the section,
"Using Multiple Routing Protocols."
In Figure ,
access list 24 will match the route to 10.1.1.0 and result in a
deny. When referenced by the distribute-list
command, this match results in the removal of the route to network
10.1.1.0 in the outbound update. However, there is a catch. The distribute-list
24 out command will have a
global effect on RIP updates out every interface, not just out the
interface connected to RTZ. Your intent was to suppress the
10.1.1.0 route from updates to RTZ only. This level of specificity
can be accomplished by using an optional interface
argument with the command, as shown:
RTA(config-router)# distribute-list 24 out interface s2
Conversely, we could have told RTZ to globally filter network
10.1.1.0 from any incoming updates, as shown in Figure .
Or, you could have precisely filtered 10.1.1.0 from the specific
interface on RTZ, as shown:
RTZ(config-router)# distribute-list 16 in interface s0
The distribute-list
command can filter any routes in either an outbound or an inbound
update globally, or for a specific interface. The Cisco IOS permits
one incoming and one outgoing global distribute-list
for each routing process, as well as one incoming and one outgoing distribute-list
for each interface involved in a routing process. You can keep track
of which routing filters are applied globally and which are applied
on specific interfaces with the show
ip protocols command, as
shown in Figure .
Configuring a Passive EIGRP Interface Using the distribute-list Command
A passive interface cannot send EIGRP hellos, which prevents it from
forming adjacency relationships with link partners. You can create a
"pseudo" passive EIGRP interface by using a route filter
that suppresses routes from the EIGRP routing update, as shown:
RTA(config)# router eigrp 364
RTA(config-router)# network 10.0.0.0
RTA(config-router)# distribute-list 5 out interface s0
RTA(config-router)# exit
RTA(config)# access-list 5 deny any
With this configuration, RTA can send EIGRP hellos and establish
adjacencies, but no routes will appear in any updates sent out s0.
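The following Python model is an added example, not part of the original text or of Cisco IOS. It evaluates standard access lists as route filters to show the difference between a global and a per-interface distribute-list, and why "deny any" (or a forgotten "permit any") empties an update. The entries of access list 24, the three subnets other than 10.1.1.0, the interface names s0 and s1, and access list 99 are assumptions constructed for the illustration.

```python
import ipaddress

def _ip(text):
    return int(ipaddress.ip_address(text))

def acl_permits(acl, network):
    """Standard ACL check on a route's network address: top-down, first match wins."""
    for action, base, wildcard in acl:
        care = ~_ip(wildcard) & 0xFFFFFFFF      # wildcard bits set to 1 are ignored
        if (_ip(network) & care) == (_ip(base) & care):
            return action == "permit"
    return False                                # implicit "deny any" ends every ACL

def outbound_update(routes, acls, filters, interface):
    """Routes left in the update sent out `interface`.

    `filters` maps an interface name, or None for the global filter, to an
    ACL number. Assumption of this model: when both a global and an
    interface filter exist, a route must pass both.
    """
    applied = [filters[key] for key in (None, interface) if key in filters]
    return [r for r in routes if all(acl_permits(acls[n], r) for n in applied)]

ANY = ("0.0.0.0", "255.255.255.255")            # what the keyword "any" expands to

# Constructed sample data: RTA's four connected subnets and three ACLs.
ROUTES = ["10.1.1.0", "10.2.2.0", "10.3.3.0", "10.4.4.0"]
ACLS = {
    24: [("deny", "10.1.1.0", "0.0.0.255"), ("permit", *ANY)],
    5:  [("deny", *ANY)],                       # the pseudo-passive filter
    99: [("deny", "10.1.1.0", "0.0.0.255")],    # "permit any" forgotten
}

def audit(filters, interfaces=("s0", "s1", "s2")):
    """Per-interface view of what each neighbor would be sent."""
    return {i: outbound_update(ROUTES, ACLS, filters, i) for i in interfaces}

if __name__ == "__main__":
    cases = {
        "distribute-list 24 out (global)": {None: 24},
        "distribute-list 24 out on s2":    {"s2": 24},
        "distribute-list 5 out on s0":     {"s0": 5},
        "distribute-list 99 out on s2":    {"s2": 99},
    }
    for label, filters in cases.items():
        print(label)
        for ifname, sent in audit(filters).items():
            print(f"  {ifname}: {', '.join(sent) or '(no routes)'}")
```

Running the audit before applying a filter shows which neighbors lose which routes, which is the same information show ip protocols lets you confirm afterward on the router.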