CCNP ROUTE And TSHOOT Tutorial: Redistribution and ACLs

You’ll sometimes run into route redistribution situations where you want some routes from a given source to be redistributed and other routes from that same source to not be redistributed. A great way to fine-tune redistribution is with distribute lists. Distribute lists use ACLs to define the routes to be redistributed. They also define the routes not to be redistributed, whether that denial is explicit or implicit.

You’ll see what I mean as we work through a lab using this topology:

[Figure: Route Redistribution ACL Lab Topology]

R1 is receiving six routes from R5 via the RIP domain.

R1#show ip route rip
R    5.0.0.0/8 [120/1] via 30.1.1.5, 00:00:06, FastEthernet0/0
R    6.0.0.0/8 [120/1] via 30.1.1.5, 00:00:13, FastEthernet0/0
R    7.0.0.0/8 [120/1] via 30.1.1.5, 00:00:13, FastEthernet0/0
R    8.0.0.0/8 [120/1] via 30.1.1.5, 00:00:13, FastEthernet0/0
R    9.0.0.0/8 [120/1] via 30.1.1.5, 00:00:13, FastEthernet0/0
R    10.0.0.0/8 [120/1] via 30.1.1.5, 00:00:13, FastEthernet0/0

If we perform redistribution with no filtering, the OSPF routers would receive all six of those routes.

R1(config)#router ospf 1
R1(config-router)#redistribute rip subnets
R1(config-router)#redistribute connected subnets

R2#show ip route ospf
O E2  5.0.0.0/8 [110/20] via 172.12.123.1, 00:00:09, Serial0/1/0
O E2  6.0.0.0/8 [110/20] via 172.12.123.1, 00:00:09, Serial0/1/0
O E2  7.0.0.0/8 [110/20] via 172.12.123.1, 00:00:09, Serial0/1/0
O E2  8.0.0.0/8 [110/20] via 172.12.123.1, 00:00:09, Serial0/1/0
O E2  9.0.0.0/8 [110/20] via 172.12.123.1, 00:00:09, Serial0/1/0
O E2  10.0.0.0/8 [110/20] via 172.12.123.1, 00:00:09, Serial0/1/0

R3#show ip route ospf
O E2  5.0.0.0/8 [110/20] via 172.12.123.1, 00:00:15, Serial0/1/0
O E2  6.0.0.0/8 [110/20] via 172.12.123.1, 00:00:15, Serial0/1/0
O E2  7.0.0.0/8 [110/20] via 172.12.123.1, 00:00:15, Serial0/1/0
O E2  8.0.0.0/8 [110/20] via 172.12.123.1, 00:00:15, Serial0/1/0
O E2  9.0.0.0/8 [110/20] via 172.12.123.1, 00:00:15, Serial0/1/0
O E2  10.0.0.0/8 [110/20] via 172.12.123.1, 00:00:15, Serial0/1/0

Sometimes you want all of the routes, and sometimes you want some of the routes. This is one of those “some of the routes” times, as our bosses want only the routers in the RIP domain to know of 8.0.0.0/8 and 9.0.0.0/8. They do want the other RIP routes to be in the OSPF routing tables.

Redistribute Networks 5, 6, 7, 10 Only

Let’s make it happen! We can write an ACL identifying those two networks as networks to be denied, and then apply that ACL to the redistribute process with distribute-list.

R1(config)#access-list 17 deny 8.0.0.0 0.255.255.255
R1(config)#access-list 17 deny 9.0.0.0 0.255.255.255
R1(config)#access-list 17 permit any
R1(config)#router ospf 1
R1(config-router)#distribute-list ?
  <1-199>      IP access list number
  <1300-2699>  IP expanded access list number
  WORD         Access-list name
  gateway      Filtering incoming updates based on gateway
  prefix       Filter prefixes in routing updates
  route-map    Filter prefixes based on the route-map

R1(config-router)#distribute-list 17 ?
  in   Filter incoming routing updates
  out  Filter outgoing routing updates

R1(config-router)#distribute-list 17 out ?
  Async              Async interface
  BVI                Bridge-Group Virtual Interface
  CDMA-Ix            CDMA Ix interface
  CTunnel            CTunnel interface
  Dialer             Dialer interface
  FastEthernet       FastEthernet IEEE 802.3
  Lex                Lex interface
  Loopback           Loopback interface
  MFR                Multilink Frame Relay bundle interface
  Multilink          Multilink-group interface
  Null               Null interface
  Port-channel       Ethernet Channel of interfaces
  Serial             Serial
  Tunnel             Tunnel interface
  Vif                PGM Multicast Host interface
  Virtual-PPP        Virtual PPP interface
  Virtual-Template   Virtual Template interface
  Virtual-TokenRing  Virtual TokenRing
  bgp                Border Gateway Protocol (BGP)
  connected          Connected
  eigrp              Enhanced Interior Gateway Routing Protocol (EIGRP)
  ospf               Open Shortest Path First (OSPF)
  rip                Routing Information Protocol (RIP)
  static             Static routes
  <cr>

The interesting thing here is that we can specify an interface or a protocol to be filtered. Let’s filter updates going out R1’s serial interface.

R1(config-router)#distribute-list 17 out serial 1/0
% Interface not allowed with OUT for OSPF

Or not! Let’s try specifying a protocol instead of an interface.

R1(config-router)#distribute-list 17 out rip

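We didn’t get an error message. Under router ospf 1, distribute-list 17 out rip applies ACL 17 to the routes being redistributed from RIP into OSPF, so let’s check the OSPF tables on R2 and R3.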

R2#show ip route ospf
O E2  5.0.0.0/8 [110/20] via 172.12.123.1, 00:05:31, Serial0/1/0
O E2  6.0.0.0/8 [110/20] via 172.12.123.1, 00:05:31, Serial0/1/0
O E2  7.0.0.0/8 [110/20] via 172.12.123.1, 00:05:31, Serial0/1/0
O E2  10.0.0.0/8 [110/20] via 172.12.123.1, 00:05:31, Serial0/1/0

R3#show ip route ospf
O E2  5.0.0.0/8 [110/20] via 172.12.123.1, 00:08:05, Serial0/1/0
O E2  6.0.0.0/8 [110/20] via 172.12.123.1, 00:08:05, Serial0/1/0
O E2  7.0.0.0/8 [110/20] via 172.12.123.1, 00:08:05, Serial0/1/0
O E2  10.0.0.0/8 [110/20] via 172.12.123.1, 00:08:05, Serial0/1/0

Success! Both R2 and R3 see the four desired routes, and neither of them knows anything about 8.0.0.0/8 or 9.0.0.0/8.
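The filtering logic of ACL 17, modelled in Python as an added example (not code from the original tutorial or from Cisco IOS): it parses the three access-list lines from the lab, evaluates them first-match with wildcard masks against the six RIP routes, and falls through to the implicit deny. The function names are hypothetical, and the model assumes standard-ACL behaviour, where only the route's network address is compared.

```python
import ipaddress

# ACL 17 exactly as configured on R1 in the lab above.
ACL_17 = """\
access-list 17 deny 8.0.0.0 0.255.255.255
access-list 17 deny 9.0.0.0 0.255.255.255
access-list 17 permit any
"""

# The six RIP routes in R1's table, taken from "show ip route rip" above.
RIP_ROUTES = ["5.0.0.0/8", "6.0.0.0/8", "7.0.0.0/8",
              "8.0.0.0/8", "9.0.0.0/8", "10.0.0.0/8"]


def parse_standard_acl(text):
    """Parse 'access-list N permit|deny <addr> [wildcard] | any | host <addr>'."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        action, rest = tok[2], tok[3:]
        if rest[0] == "any":
            addr, wild = 0, 0xFFFFFFFF          # every bit is "don't care"
        elif rest[0] == "host" and len(rest) > 1:
            addr, wild = int(ipaddress.IPv4Address(rest[1])), 0
        else:
            addr = int(ipaddress.IPv4Address(rest[0]))
            wild = int(ipaddress.IPv4Address(rest[1])) if len(rest) > 1 else 0
        entries.append((action, addr, wild))
    return entries


def acl_permits(entries, prefix):
    """First matching entry decides; no match means the implicit deny applies."""
    net = int(ipaddress.ip_network(prefix).network_address)
    for action, addr, wild in entries:
        care = ~wild & 0xFFFFFFFF               # bits that must match
        if (net & care) == (addr & care):
            return action == "permit"
    return False                                # implicit deny


def filter_routes(acl_text, routes):
    """Return the routes the distribute list lets through."""
    entries = parse_standard_acl(acl_text)
    return [r for r in routes if acl_permits(entries, r)]


if __name__ == "__main__":
    print(filter_routes(ACL_17, RIP_ROUTES))
```

Dropping the final permit any line from the ACL text makes filter_routes return an empty list, which is the implicit denial mentioned at the start of the tutorial.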

As is almost always the case, we can take this a step further and prevent R1 from knowing of 8.0.0.0/8 and 9.0.0.0/8. To do so, we could apply a distribute list to RIP using the same ACL we wrote earlier and filter updates coming in on FastEthernet0/0.

R1(config)#router rip
R1(config-router)#distribute-list 17 in fast0/0

After clearing R1’s routing table of dynamically learned routes (this is RIP, after all, and it needs a little kick in the butt on occasion), R1’s routing table no longer shows the two filtered routes.

R1#clear ip route *
R1#show ip route rip
R    5.0.0.0/8 [120/1] via 30.1.1.5, 00:00:01, FastEthernet0/0
R    6.0.0.0/8 [120/1] via 30.1.1.5, 00:00:01, FastEthernet0/0
R    7.0.0.0/8 [120/1] via 30.1.1.5, 00:00:01, FastEthernet0/0
R    10.0.0.0/8 [120/1] via 30.1.1.5, 00:00:01, FastEthernet0/0

Distribute lists can filter all routes from being advertised via a given interface without making that interface passive and losing the adjacency, as you’ll see in our next CCNP ROUTE tutorial on EIGRP and distribute lists.

Check out my CCNP ROUTE 300-101 Study Guide, too — only on Amazon, and now available in soft and hard copy!

Chris Bryant's CCNP ROUTE Study Guide