Saturday, March 26, 2011

Route filtering using route tags

In enterprise routing, route filtering is often used to prevent routing loops and sometimes for security reasons. Instead of relying solely on ip access-lists and addresses, route filtering can also be performed with route tags. This method scales better in a larger network, where managing access-lists across a large number of routers can be a challenge. Consider the corporate network in the diagram below. The corporation has 3 remote sites with IP subnets of 1.1.1.0, 2.2.2.0 and 3.3.3.0 respectively. The corporate policy states that Network A should reach all 3 remote sites via ISP X, while Network B should reach the first 2 remote sites via leased lines and the last remote site via ISP X only. Network A peers with ISP X over eBGP. The IGP between the internal networks is OSPF, and the leased lines to the remote sites run RIP. To implement this routing policy using route tags:

Router A

    access-list 1 permit 1.1.1.0 0.0.0.255
    access-list 1 permit 2.2.2.0 0.0.0.255
    access-list 2 permit 3.3.3.0 0.0.0.255
    !
    ! sequence 10: tag the first two remote sites with 111
    route-map route-tag permit 10
     match ip address 1
     set tag 111
    !
    ! sequence 20: tag the third remote site with 222
    route-map route-tag permit 20
     match ip address 2
     set tag 222
    !
    ! sequence 30: without this catch-all permit, every other route is dropped
    ! by the route-map's implicit deny
    route-map route-tag permit 30
    !
    router ospf 1
     ! redistribute the ISP routes into the IGP, tagging them on the way in
     redistribute bgp 65001 subnets route-map route-tag
     ...

Router B

    ! sequence 10: filter out the sites carrying tag 111
    route-map tag-filter deny 10
     match tag 111
    !
    ! sequence 20: permit only the site carrying tag 222
    route-map tag-filter permit 20
     match tag 222
    !
    router ospf 2
     distribute-list route-map tag-filter in

To verify, run the necessary "show ip route" commands on both Router A and Router B to ensure the route entries are in order. Do note that tagging does not work with BGP. The alternative in BGP is to use a community string in AA:NN format (e.g. 100:300). On the advertising routers (typically the customer edge), use "set community" in place of "set tag" in the route-map statement. On the receiving routers (typically the provider edge), use "ip community-list" to describe the community string and "match community" in the route-map. For a further example of using BGP communities, see this Cisco example.
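To make the first-match and implicit-deny semantics of the two route-maps concrete before touching a router, here is a small Python model of them (an added example written for this post, not IOS code or anything from Cisco). It reproduces the constructed configuration above: ACL matching uses wildcard masks on the route's network address, each route-map sequence is tried in order, and a route matching no sequence is dropped. The prefix 10.9.0.0/16 is a made-up "other ISP route" used to show what sequence 30 on Router A is for.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Route:
    prefix: str      # e.g. "1.1.1.0/24"
    tag: int = 0     # 0 = untagged, as an OSPF external route starts out

def acl_matches(entries, route):
    """Standard ACL semantics: compare the route's network address under the wildcard mask."""
    net = int(ipaddress.ip_network(route.prefix).network_address)
    for addr, wildcard in entries:
        mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))  # 1 bits = must match
        if net & mask == int(ipaddress.ip_address(addr)) & mask:
            return True
    return False

def apply_route_map(seqs, route):
    """First matching sequence wins; a sequence without a match clause matches
    everything; a route matching no sequence hits the implicit deny (None)."""
    for action, match, set_tag in seqs:
        if match is None or match(route):
            if action == "deny":
                return None
            return replace(route, tag=set_tag) if set_tag is not None else route
    return None

# Constructed equivalents of the post's configuration (ACL 1 = sites 1 and 2, ACL 2 = site 3)
ACL1 = [("1.1.1.0", "0.0.0.255"), ("2.2.2.0", "0.0.0.255")]
ACL2 = [("3.3.3.0", "0.0.0.255")]
ROUTER_A_ROUTE_TAG = [
    ("permit", lambda r: acl_matches(ACL1, r), 111),   # route-map route-tag permit 10
    ("permit", lambda r: acl_matches(ACL2, r), 222),   # route-map route-tag permit 20
    ("permit", None, None),                            # route-map route-tag permit 30
]
ROUTER_B_TAG_FILTER = [
    ("deny", lambda r: r.tag == 111, None),            # route-map tag-filter deny 10
    ("permit", lambda r: r.tag == 222, None),          # route-map tag-filter permit 20
]

def redistribute_and_filter(bgp_routes, tagger, filt):
    """What Router A redistributes into OSPF, then what Router B's distribute-list accepts."""
    tagged = [t for t in (apply_route_map(tagger, r) for r in bgp_routes) if t]
    accepted = [t for t in (apply_route_map(filt, r) for r in tagged) if t]
    return tagged, accepted

if __name__ == "__main__":
    bgp = [Route("1.1.1.0/24"), Route("2.2.2.0/24"), Route("3.3.3.0/24"), Route("10.9.0.0/16")]
    tagged, accepted = redistribute_and_filter(bgp, ROUTER_A_ROUTE_TAG, ROUTER_B_TAG_FILTER)
    print("Router A redistributes:", tagged)
    print("Router B accepts:", accepted)
```

Running it shows that Router B keeps only 3.3.3.0/24: tag 111 is denied by sequence 10, and the untagged 10.9.0.0/16 falls through both sequences to the implicit deny, since tag-filter has no catch-all permit of its own.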
