A basic understanding of route-maps, prefix-lists, and access-lists is assumed for this tutorial.
Offset List
Offset lists are supported only with RIP and EIGRP. An offset list adds an offset to the incoming or outgoing metrics of routes learned through RIP or EIGRP. Offset lists support only standard access lists (named or numbered). The syntax is as follows:
offset-list {access-list-number | access-list-name} {in | out} offset [interface-type/number]
The ability to manipulate the advertised or received metric allows the offset list to be used as a route filtering tool. For example, an offset list that raises a route's metric to 16 marks the route as invalid, because 16 is the infinite metric in RIP. Similarly, an offset list can be used in EIGRP to increase the value of the reported distance of a prefix received from a neighbor. In EIGRP, offset lists apply only to the delay component of the composite metric.
If ACL number 0 is specified in the offset-list command, it applies to all routes. Offset lists can be applied either globally to the routing process or to routes learned from a specific interface.
Consider figure-1. R1 and R2 are advertising 192.168.1.0 and 172.16.2.0 respectively with the default metric. The routing protocol is RIP.
FIGURE-1: Offset-List Example
R2#sh ip route rip
R    192.168.1.0/24 [120/1] via 10.1.1.1, 00:00:19, Serial0/1
Now R2 wants to filter (or block) 192.168.1.0/24 from R1. The following illustrates the configuration details. On R2:
R2#show running-config | section router rip|ip access-list
router rip
 version 2
 offset-list R2<-R1_ROUTES in 15 Serial0/1
 network 10.0.0.0
 network 172.16.0.0
 no auto-summary
!
ip access-list standard R2<-R1_ROUTES
 permit 192.168.1.0 0.0.0.255
R2#clear ip route *    <- Always refresh the routing table after applying filters
Verification
R2# debug ip rip
RIP: received v2 update from 10.1.1.1 on Serial0/1
     192.168.1.0/24 via 0.0.0.0 in 16 hops (inaccessible)
Let's take a look at another example. This time R2 wants R1 to think that 172.16.2.0 is inaccessible. The relevant configuration is as follows:
R2#show running-config | section router rip|ip access-list
router rip
 version 2
 offset-list R2_ROUTES->R1 out 15    <- Offset applied globally (no interface given) to 172.16.2.0 in updates sent to any RIP neighbor
 network 10.0.0.0
 network 172.16.0.0
 no auto-summary
!
ip access-list standard R2_ROUTES->R1
 permit 172.16.2.0 0.0.0.255
R2#clear ip route *
Distribute List
Distribute lists are supported with RIP, EIGRP, and OSPF. With RIP and EIGRP a distribute list can affect both the topology table and the IP routing table, since routes are filtered directly as they are received. OSPF is an exception, since OSPF advertises link states, not routes, and the routing table is built from the link-state database. So distribute lists in OSPF can only be used to prevent routes from being installed in the routing table; the actual link-state database cannot be altered with the distribute-list command.
distribute-list [[access-list-number | name] | [route-map map-tag]] {in|out} [interface-type/number]
Distribute lists, like offset lists, can be applied to all updates or to updates sent or received on specific interfaces. The route-map option is supported only with EIGRP and OSPF.
Example
Let us consider figure-1 (again) but R1 is also advertising another network 188.1.1.0/24 to R2. The routing table before filtering is:
R2#sh ip route rip
     188.1.0.0/24 is subnetted, 1 subnets
R       188.1.1.0 [120/1] via 10.1.1.1, 00:00:07, Serial0/0
R    192.168.1.0/24 [120/1] via 10.1.1.1, 00:00:15, Serial0/0
Now R2 does not want to receive 188.1.1.0/24 from R1.
R2#show running-config | section router rip|ip access-list
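router rip
 version 2
 network 10.0.0.0
 network 172.16.0.0
 distribute-list R1_188_SUBNET in
 no auto-summary
!
! The ACL name must match the name referenced by distribute-list.
! 188.1.1.0 is denied; "permit any" keeps the remaining routes (an ACL ends with an implicit deny).
ip access-list standard R1_188_SUBNET
 deny   188.1.1.0 0.0.0.255
 permit any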
The routing table after route filtering:
R2#sh ip route rip
R    192.168.1.0/24 [120/1] via 10.1.1.1, 00:00:15, Serial0/0
Now suppose we want to filter on the basis of both the prefix and the source advertising it. In this case, R1 is the source and 188.1.1.0/24 is the prefix. We would need either a prefix list or an extended access list. Only the relevant syntax is shown below:
R2#show running-config | section router rip|ip access-list
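router rip
 version 2
 network 10.0.0.0
 network 172.16.0.0
 distribute-list R1_188_SUBNET_ONLY in
 no auto-summary
!
! Source field = advertising router (R1 is 10.1.1.1, the next hop in the routing table above);
! destination field = network address.
ip access-list extended R1_188_SUBNET_ONLY
 deny   ip host 10.1.1.1 host 188.1.1.0
 permit ip any any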
The same effect can also be achieved with a prefix list (only relevant command shown):
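ip prefix-list 188_ROUTE deny 188.1.1.0/24
ip prefix-list 188_ROUTE permit 0.0.0.0/0 le 32
! R1 (10.1.1.1) is the only route source accepted by the gateway match
ip prefix-list SOURCE_R1 permit 10.1.1.1/32
!
router rip
 distribute-list prefix 188_ROUTE gateway SOURCE_R1 in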
Why use an Extended ACL or Prefix-List over Standard ACL?
The problem with a standard ACL is that it can match on the address field only; the subnet mask is not considered. If two networks with the address 188.1.1.0 (say, 188.1.1.0/24 and 188.1.1.0/26) are being advertised by R1, both of the networks will be filtered if a standard ACL is used. An extended ACL or prefix list, on the other hand, not only matches the subnet number but also considers the subnet mask of the specified network.
Further, with an extended ACL or prefix list, filtering can also be performed on the basis of the source advertising the specified prefix.
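The difference between address-only matching and address-plus-length matching can be reproduced offline. The following Python sketch is an added example, not part of the original tutorial and not IOS code; the rule lists and the function names are constructed for illustration, and the two 188.1.1.0 routes are the ones named in the paragraph above.

```python
import ipaddress

def standard_acl_permits(route, acl):
    """Standard ACL: only the route's network address is tested; its mask is ignored."""
    addr = int(ipaddress.ip_network(route).network_address)
    for action, base, wildcard in acl:            # first match wins
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if addr & care == int(ipaddress.IPv4Address(base)) & care:
            return action == "permit"
    return False                                  # implicit deny at the end

def prefix_list_permits(route, plist):
    """Prefix list: the leading bits AND the prefix length must both match."""
    net = ipaddress.ip_network(route)
    for action, prefix, ge, le in plist:          # first match wins
        p = ipaddress.ip_network(prefix)
        lo = ge if ge is not None else p.prefixlen
        hi = le if le is not None else (32 if ge is not None else p.prefixlen)
        if net.subnet_of(p) and lo <= net.prefixlen <= hi:
            return action == "permit"
    return False                                  # implicit deny at the end

def accepted(routes, permits, rules):
    """Return the routes that survive the filter."""
    return [r for r in routes if permits(r, rules)]

# Constructed sample: routes advertised by R1 (assumed for this example).
ADVERTISED = ["188.1.1.0/24", "188.1.1.0/26", "192.168.1.0/24"]

# Intent in both cases: drop 188.1.1.0/24 only, keep everything else.
STD_ACL = [("deny", "188.1.1.0", "0.0.0.255"),
           ("permit", "0.0.0.0", "255.255.255.255")]      # "permit any"
PREFIX_LIST = [("deny", "188.1.1.0/24", None, None),
               ("permit", "0.0.0.0/0", None, 32)]         # "0.0.0.0/0 le 32"

if __name__ == "__main__":
    print("standard ACL keeps:", accepted(ADVERTISED, standard_acl_permits, STD_ACL))
    print("prefix list keeps: ", accepted(ADVERTISED, prefix_list_permits, PREFIX_LIST))
```

The standard ACL also drops 188.1.1.0/26 because it never sees the mask, while the prefix list removes only the /24.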
Distance
Distance, or Administrative Distance (AD), defines the trustworthiness of a route. AD is used if the same prefix is learned from different routing protocols. For example, if a prefix is learned from both RIP and EIGRP, the route learned from EIGRP is preferred (AD=90). Routes with the maximum AD of 255 are not installed in the IP routing table. AD is locally significant on a router. The syntax is as follows:
distance distance ip-address wildcard-mask [ip-standard-acl | ip-extended-acl | access-list-name]
Now let us look at some examples of how distance can be used to filter routes. Consider figure-1 (again). First, let us see how the distance command behaves. The simplest example is provided with RIP.
Example:
Before applying distance:
R2#sh ip route rip
     188.1.0.0/24 is subnetted, 1 subnets
R       188.1.1.0 [120/1] via 10.1.1.1, 00:00:04, Serial0/1
R    192.168.1.0/24 [120/1] via 10.1.1.1, 00:00:04, Serial0/1
After applying the distance command:
router rip
 distance 115
Route table:
R2#sh ip route rip
     188.1.0.0/24 is subnetted, 1 subnets
R       188.1.1.0 [115/1] via 10.1.1.1, 00:00:04, Serial0/1
R    192.168.1.0/24 [115/1] via 10.1.1.1, 00:00:04, Serial0/1
We can change the distance of the prefix 188.1.1.0/24 on R2 to the maximum distance such that it is not installed in the routing table.
ip access-list standard R1_188_ROUTE
 permit 188.1.1.0 0.0.0.255
!
router rip
 distance 115
 ! Wildcard mask 0.0.0.0 matches only the source 10.1.1.1 (R1)
 distance 255 10.1.1.1 0.0.0.0 R1_188_ROUTE
Let us verify the routing table.
R2#clear ip route *
R2#sh ip route rip
R    192.168.1.0/24 [115/1] via 10.1.1.1, 00:00:05, Serial0/1
Globally, the distance for the RIP process is set to 115, but 188.1.1.0/24 received from R1 will not be installed, since it is assigned an AD of 255.
This brings us to the end of this article, in which we covered different ways of route manipulation and filtering. There are several other techniques for route manipulation and filtering; some are specific to a particular routing protocol, while others can be used with all protocols.