7.1 Controlling Routing Updates
7.1.3 Filtering routing updates with distribute-list
Configuring an interface as passive prevents it from sending updates entirely, but sometimes you need to suppress only certain routes from being sent or received in an update. If RTA in the figure is configured with the network 10.0.0.0 command, all four directly connected subnets will be advertised in RTA's updates, along with any dynamically learned routes. However, you may want to prevent RTZ from learning about network 10.1.1.0 from RTA.

This may be needed to enforce a routing policy that is based on some external factor such as link expense, administrative jurisdiction, or security concerns. In some cases, you may just want to reduce needless overhead by preventing access routers from receiving the complete (and possibly immense) core routing table. Just assume that for one of these reasons, you do not want RTZ learning the route to 10.1.1.0 from RTA.

You can use the distribute-list command to choose which routes a router will send or receive updates about. By referencing an access list, the distribute-list creates a route filter, a set of rules that precisely controls which routes a router will send or receive in a routing update. This command is available for all IP routing protocols and can be applied to either inbound or outbound routing updates. When applied to inbound updates, the syntax for configuring a route filter is as follows:

Router(config-router)# distribute-list access-list-number in [interface-name]

When applied to outbound updates, the syntax can be more complicated:

Router(config-router)# distribute-list access-list-number out [interface-name | routing-process | as-number]

The routing-process and as-number options are invoked when exchanging routes between different routing protocols. This will be covered later in the chapter, in the section, "Using Multiple Routing Protocols."

In the figure, access list 24 will match the route to 10.1.1.0 and result in a deny. When referenced by the distribute-list command, this match results in the removal of the route to network 10.1.1.0 from the outbound update. However, there is a catch. The distribute-list 24 out command will have a global effect on RIP updates out of every interface, not just out of the interface connected to RTZ. Your intent was to suppress the 10.1.1.0 route from updates to RTZ only. This level of specificity can be accomplished by using an optional interface argument with the command, as shown:

RTA(config-router)# distribute-list 24 out s2

Conversely, we could have told RTZ to globally filter network 10.1.1.0 from any incoming updates, as shown in the figure.

Or, you could have precisely filtered 10.1.1.0 from the specific interface on RTZ, as shown:

RTZ(config-router)# distribute-list 16 in s0

The distribute-list command can filter any routes in either an outbound or an inbound update globally, or for a specific interface. The Cisco IOS permits one incoming and one outgoing global distribute-list for each routing process, as well as one incoming and one outgoing distribute-list for each interface involved in a routing process. You can keep track of which routing filters are applied globally and which are applied on specific interfaces with the show ip protocols command, as shown in the figure.

Configuring a Passive EIGRP Interface Using the distribute-list Command
A passive interface cannot send EIGRP hellos, which prevents adjacency relationships with link partners. You can create a "pseudo" passive EIGRP interface by using a route filter that suppresses routes from the EIGRP routing update, as shown:

RTA(config)# router eigrp 364
RTA(config-router)# network 10.0.0.0
RTA(config-router)# distribute-list 5 out s0
RTA(config-router)# exit
RTA(config)# access-list 5 deny any

With this configuration, RTA can send EIGRP hellos and establish adjacencies, but no routes will appear in any updates sent out s0.
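The filter behaviour described in this section, as an added Python model (not Cisco code or IOS output): it evaluates a standard access list the way a distribute-list uses it, first match wins with an implicit deny at the end, for both the access list 24 case and the access-list 5 deny any case. The entries of access list 24, the three other subnets and interface s1 are assumptions, since the figure is not reproduced here.

```python
import ipaddress

def _ip(dotted):
    return int(ipaddress.IPv4Address(dotted))

def acl_permits(acl, network):
    """Standard ACL: entries are checked in order, the first match decides."""
    for action, base, wildcard in acl:
        care = ~_ip(wildcard) & 0xFFFFFFFF   # wildcard bit 1 = "don't care"
        if _ip(network) & care == _ip(base) & care:
            return action == "permit"
    return False                             # implicit "deny any" at the end

def outbound_update(routes, out_iface, acl, filter_iface=None):
    """Routes advertised out of out_iface under 'distribute-list <acl> out'.

    filter_iface=None models the global form (every interface is filtered);
    otherwise the filter applies only to updates leaving filter_iface.
    """
    if filter_iface is not None and filter_iface != out_iface:
        return list(routes)
    return [r for r in routes if acl_permits(acl, r)]

ANY = ("0.0.0.0", "255.255.255.255")

# Constructed sample data (assumed, not taken from the page's figure).
ROUTES = ["10.1.1.0", "10.1.2.0", "10.1.3.0", "10.1.4.0"]
ACL_24 = [("deny", "10.1.1.0", "0.0.0.255"), ("permit", *ANY)]
# Same list without the closing permit: the implicit deny drops every route.
ACL_24_NO_PERMIT = [("deny", "10.1.1.0", "0.0.0.255")]
# access-list 5 deny any, as used for the pseudo-passive EIGRP interface.
ACL_5 = [("deny", *ANY)]

if __name__ == "__main__":
    print("global, out s1   :", outbound_update(ROUTES, "s1", ACL_24))
    print("s2 only, out s1  :", outbound_update(ROUTES, "s1", ACL_24, "s2"))
    print("s2 only, out s2  :", outbound_update(ROUTES, "s2", ACL_24, "s2"))
    print("no permit, out s2:", outbound_update(ROUTES, "s2", ACL_24_NO_PERMIT, "s2"))
    print("ACL 5, out s0    :", outbound_update(ROUTES, "s0", ACL_5, "s0"))
```

A filter list that lacks a closing permit behaves like access-list 5 deny any, so after changing a route filter, confirm with show ip protocols and the neighbor's routing table that only the intended routes were removed.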