IS-IS Filtering
Lesson Contents
1. Configuration
1.1. Distribute-list Inbound filtering
1.2. Level 1 to Level 2 filtering
2. Conclusion
IS-IS as a link-state routing protocol is a bit restrictive when it comes to filtering. All routers within an area
require a synchronized level 1 database, and the same thing applies to all level 2 routers: the level 2 database
has to be the same on all routers. Once an LSP is generated, you can't filter it anymore.
There are two methods you can use to filter something:
* Distribute-list inbound filtering.
* Filtering between level 1 and level 2.
Inbound filtering is possible. This doesn't prevent an LSP from being installed in the database, but it does
prevent its prefixes from being installed in the routing table. It is also possible to filter level 1 routes from
being copied to the level 2 database.
In this lesson, I will show you both examples.
1. Configuration
Here is the topology we will use:
[Figure: topology. R1, R2 and R3 are in Area 123. R1 Gi0/1 connects to R2 Gi0/1 over 192.168.12.0/24, and R2 Gi0/2 connects to R3 Gi0/2 over 192.168.23.0/24.]
We have three routers in area 123 and one in area 4. R1 has a loopback interface with a prefix that we will
filter.
Configurations
Want to take a look for yourself? Here you will find the startup configuration of each device.
R1
hostname R1
!
ip cef
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
 ip router isis
!
interface GigabitEthernet0/1
 ip address 192.168.12.1 255.255.255.0
 ip router isis
!
router isis
 net 49.0123.0000.0000.0001.00
!
end
R2
hostname R2
!
ip cef
!
interface GigabitEthernet0/1
 ip address 192.168.12.2 255.255.255.0
 ip router isis
!
interface GigabitEthernet0/2
 ip address 192.168.23.2 255.255.255.0
 ip router isis
!
router isis
 net 49.0123.0000.0000.0002.00
 is-type level-1
 log-adjacency-changes
!
end
R3
hostname R3
!
ip cef
!
interface GigabitEthernet0/1
 ip address 192.168.34.3 255.255.255.0
 ip router isis
!
interface GigabitEthernet0/2
 ip address 192.168.23.3 255.255.255.0
 ip router isis
!
router isis
 net 49.0123.0000.0000.0003.00
 log-adjacency-changes
!
end
R4
hostname R4
!
ip cef
!
interface GigabitEthernet0/1
 ip address 192.168.34.4 255.255.255.0
 ip router isis
!
router isis
 net 49.0004.0000.0000.0004.00
 is-type level-2-only
 log-adjacency-changes
!
end
Let's get started.
1.1. Distribute-list Inbound filtering
We'll start with the distribute-list, which allows us to prevent something from being installed in the routing
table. Let's take a look at R2:
R2#show ip route isis
      1.0.0.0/32 is subnetted, 1 subnets
i L1     1.1.1.1 [115/20] via 192.168.12.1, 00:38:16, GigabitEthernet0/1
i L1  192.168.34.0/24 [115/20] via 192.168.23.3, 00:37:26, GigabitEthernet0/2
Let's get rid of the 1.1.1.1/32 prefix. I will use an access-list for this:
R2(config)#ip access-list standard R1_L0
R2(config-std-nacl)#deny host 1.1.1.1
R2(config-std-nacl)#permit any
We can enable the access-list with the distribute-list command:
R2(config)#router isis
R2(config-router)#distribute-list R1_L0 in
When you look at the level 1 database, you will see that the prefix is still there:
R2#show isis database level-1 verbose R1.00-00
IS-IS Level-1 LSP R1.00-00
LSPID      LSP Seq Num  LSP Checksum  LSP Holdtime  ATT/P/OL
R1.00-00   exeq9000a2   @xEAGC        1087          0/0/0
  Area Address: 49.0123
  NLPID: 0xCC
  Hostname: R1
  Metric: 10 IS R2.01
  IP Address: 1.1.1.1
  Metric: 10 IP 1.1.1.1 255.255.255.255
  Metric: 10 IP 192.168.12.0 255.255.255.0
We can't remove it from the database but it will be gone from the routing table!
R2#show ip route isis
i*L1  0.0.0.0/0 [115/10] via 192.168.23.3, 00:03:29, GigabitEthernet0/2
i L1  192.168.34.0/24 [115/20] via 192.168.23.3, 00:03:39, GigabitEthernet0/2
Since it's still in the database, other routers will learn about it. For example, here's R3:
R3#show ip route isis
i L1  192.168.12.0/24 [115/20] via 192.168.23.2, 00:42:47, GigabitEthernet0/2
This introduces a problem. Since R2 is a transit router, R3 will never be able to reach 1.1.1.1/32. That's
something to keep in mind.
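The side effect described above, as an added example that is not part of the original lesson: a small Python model of the level 1 area in which every router computes from the same LSDB and only R2 applies the inbound filter. The dictionaries and function names are constructed for illustration, and the model leaves out the default route R2 holds toward R3, so it reports the path as ending at R2.

```python
import heapq

# Constructed model of the lesson's level 1 area (not taken from a device).
ADJ = {"R1": {"R2": 10}, "R2": {"R1": 10, "R3": 10}, "R3": {"R2": 10}}
LSDB = {   # prefixes and metrics each router advertises in its level 1 LSP
    "R1": {"1.1.1.1/32": 10, "192.168.12.0/24": 10},
    "R2": {"192.168.12.0/24": 10, "192.168.23.0/24": 10},
    "R3": {"192.168.23.0/24": 10, "192.168.34.0/24": 10},
}
DENY_IN = {"R2": {"1.1.1.1/32"}}   # distribute-list R1_L0 in, on R2 only

def spf(root):
    """Dijkstra over the shared topology: {router: (cost, first_hop)}."""
    best, heap = {}, [(0, root, "")]
    while heap:
        cost, node, hop = heapq.heappop(heap)
        if node not in best:
            best[node] = (cost, hop)
            for nbr, metric in ADJ[node].items():
                heapq.heappush(heap, (cost + metric, nbr, hop or nbr))
    return best

def rib(router, deny_in=DENY_IN):
    """Routing table: the LSDB is the same everywhere, the filter only skips installs."""
    table = {}
    for origin, (cost, hop) in spf(router).items():
        for prefix, metric in LSDB[origin].items():
            if prefix in LSDB[router] or prefix in deny_in.get(router, ()):
                continue   # connected, or denied by the inbound distribute-list
            if prefix not in table or cost + metric < table[prefix][0]:
                table[prefix] = (cost + metric, hop)
    return table

def trace(src, prefix, deny_in=DENY_IN):
    """Forward hop by hop; returns (path, delivered)."""
    path, node = [src], src
    while prefix not in LSDB[node]:
        route = rib(node, deny_in).get(prefix)
        if route is None or len(path) > len(LSDB):
            return path, False   # no route on this hop (or a loop)
        node = route[1]
        path.append(node)
    return path, True

if __name__ == "__main__":
    print(rib("R2"), rib("R3"), trace("R3", "1.1.1.1/32"), sep="\n")
```

R3 still installs 1.1.1.1/32 with metric 30 via R2, yet the trace from R3 stops at R2, which is the router that no longer has the route.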
1.2. Level 1 to Level 2 filtering
Let’s continue. R3 and R4 still have 1.1.1.1/32 in their routing tables. Let's see if we can prevent this prefix
from being installed on R4. Right now it does have this route in its routing table:
R4#show ip route isis
      1.0.0.0/32 is subnetted, 1 subnets
i L2     1.1.1.1 [115/40] via 192.168.34.3, 00:42:26, GigabitEthernet0/1
i L2  192.168.12.0/24 [115/30] via 192.168.34.3, 00:42:26, GigabitEthernet0/1
i L2  192.168.23.0/24 [115/20] via 192.168.34.3, 00:42:26, GigabitEthernet0/1
R4 has learned this from the level 2 LSP that R3 has generated. We can see it here:
R3#show isis database level-2 verbose R3.00-00
IS-IS Level-2 LSP R3.00-00
LSPID        LSP Seq Num  LSP Checksum  LSP Holdtime  ATT/P/OL
R3.00-00   * 0x00000003   0x1660        899           0/0/0
  Area Address: 49.0123
  NLPID: 0xCC
  Hostname: R3
  Metric: 10 IS R3.01
  IP Address: 192.168.23.3
  Metric: 10 IP 192.168.23.0 255.255.255.0
  Metric: 10 IP 192.168.34.0 255.255.255.0
  Metric: 30 IP 1.1.1.1 255.255.255.255
  Metric: 20 IP 192.168.12.0 255.255.255.0
There are two methods. You can use a distribute-list with extended access-list numbers or a route-map. I
prefer the route-map since it allows you to use named access-lists. Let's create an access-list that matches
the loopback interface of R1:
R3(config)#ip access-list extended R1_L0
R3(config-ext-nacl)#deny ip host 1.1.1.1 any
R3(config-ext-nacl)#permit ip any any
Let’s add this access-list in a route-map:
R3(config)#route-map L1_L2_FILTER permit 10
R3(config-route-map)#match ip address R1_L0
The only thing left to do is to activate it. This is done with the redistribute command:
R3(config)#router isis
R3(config-router)#redistribute isis ip level-1 into level-2 route-map L1_L2_FILTER
This tells R3 to redistribute everything from level 1 to level 2 except for the things that we added in our
route-map. Let's take another look at R3's level 2 database:
R3#show isis database level-2 verbose R3.00-00
IS-IS Level-2 LSP R3.00-00
LSPID        LSP Seq Num  LSP Checksum  LSP Holdtime  ATT/P/OL
R3.00-00   * 0x00000004   0xC65E        1165          0/0/0
  Area Address: 49.0123
  NLPID: 0xCC
  Hostname: R3
  Metric: 10 IS R3.01
  IP Address: 192.168.23.3
  Metric: 10 IP 192.168.23.0 255.255.255.0
As you can see, 1.1.1.1/32 is nowhere to be found anymore. This prevents R4 from learning it:
R4#show ip route isis
i L2  192.168.12.0/24 [115/30] via 192.168.34.3, 00:08:25, GigabitEthernet0/1
i L2  192.168.23.0/24 [115/20] via 192.168.34.3, 00:57:11, GigabitEthernet0/1
The 1.1.1.1/32 entry is no longer there.
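Why the single permit clause drops 1.1.1.1/32 while everything else is still copied to level 2, as an added example that is not part of the original lesson: a Python model of how the access-list result feeds the route-map. The data structures and function names are constructed for illustration, and the model also accepts a clause with no match statement (written as None), which goes slightly beyond the configuration shown here.

```python
import ipaddress

# Constructed from the lesson: level 1 routes R3 would copy into its level 2 LSP.
L1_ROUTES = {"1.1.1.1/32": 30, "192.168.12.0/24": 20}
# ip access-list extended R1_L0 as (action, address, wildcard). In route
# filtering the ACL source field is compared with the route's network address;
# the destination field ("any" in the lesson) would cover the mask and is omitted.
R1_L0 = [("deny", "1.1.1.1", "0.0.0.0"),
         ("permit", "0.0.0.0", "255.255.255.255")]
# route-map L1_L2_FILTER permit 10 / match ip address R1_L0
L1_L2_FILTER = [("permit", R1_L0)]

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def acl_action(acl, prefix):
    """First matching ACL entry wins; no match hits the implicit deny."""
    net = int(ipaddress.ip_network(prefix).network_address)
    for action, addr, wildcard in acl:
        care = ~to_int(wildcard) & 0xFFFFFFFF   # wildcard 1-bits are "don't care"
        if net & care == to_int(addr) & care:
            return action
    return "deny"

def route_map_permits(route_map, prefix):
    """A clause matches only when its ACL permits; an ACL deny falls through."""
    for clause_action, acl in route_map:
        # acl None models a clause with no match statement: it matches every route
        if acl is None or acl_action(acl, prefix) == "permit":
            return clause_action == "permit"
    return False   # implicit deny at the end of the route-map

def leak_l1_to_l2(routes, route_map):
    """Level 1 routes that end up in the level 2 LSP."""
    return {p: m for p, m in routes.items() if route_map_permits(route_map, p)}

if __name__ == "__main__":
    print(leak_l1_to_l2(L1_ROUTES, L1_L2_FILTER))
```

The deny entry in the access-list does not reject the route by itself; it only makes clause 10 a non-match, and the route-map's implicit deny is what keeps 1.1.1.1/32 out of level 2.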
Want to take a look for yourself? Here you will find the final configuration of each device.
R1
hostname R1
!
ip cef
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
 ip router isis
!
interface GigabitEthernet0/1
 ip address 192.168.12.1 255.255.255.0
 ip router isis
!
router isis
 net 49.0123.0000.0000.0001.00
 is-type level-1
 log-adjacency-changes
!
end
R2
hostname R2
!
ip cef
!
interface GigabitEthernet0/1
 ip address 192.168.12.2 255.255.255.0
 ip router isis
!
interface GigabitEthernet0/2
 ip address 192.168.23.2 255.255.255.0
 ip router isis
!
router isis
 net 49.0123.0000.0000.0002.00
 is-type level-1
 log-adjacency-changes
 distribute-list R1_L0 in
!
ip access-list standard R1_L0
 deny 1.1.1.1
 permit any
!
end
R3
hostname R3
!
ip cef
!
interface GigabitEthernet0/1
 ip address 192.168.34.3 255.255.255.0
 ip router isis
!
interface GigabitEthernet0/2
 ip address 192.168.23.3 255.255.255.0
 ip router isis
!
router isis
 net 49.0123.0000.0000.0003.00
 log-adjacency-changes
 redistribute isis ip level-1 into level-2 route-map L1_L2_FILTER
!
ip access-list extended R1_L0
 deny ip host 1.1.1.1 any
 permit ip any any
!
route-map L1_L2_FILTER permit 10
 match ip address R1_L0
!
end
R4
hostname R4
!
ip cef
!
interface GigabitEthernet0/1
 ip address 192.168.34.4 255.255.255.0
 ip router isis
!
router isis
 net 49.0004.0000.0000.0004.00
 is-type level-2-only
 log-adjacency-changes
!
end
2. Conclusion
IS-IS, as a link-state routing protocol, is a bit limited when it comes to filtering. You can't just filter on any
interface. Once an LSP is generated, it has to be synchronized in all databases. There are two filtering
methods however:
* Distribute-list inbound filtering: prevents the prefixes in an LSP from being installed in the routing table.
Forum Replies
Zaman.tubd
Hi Rene,
We know that for Link state Routing Protocol "The database within an area has to be same". I want to know more
briefly about this why need the DB synchronized must?? What issue will raise if not synchronized. Appreciate your
very clear explanation as always. Thx
br//zaman
lagapides
Hello Zaman
A fundamental characteristic of Link State routing protocols is that every router constructs a map of the connectivity to
the network that indicates which nodes are connected to which other nodes. This map is contained within the
database. Based on this map, each router independently calculates the next best logical path from it to every possible
destination on the network. These collections of best paths are then used to populate the routing table on the router.
If the database is not the same in all routers within an area, then there can be sev
https://networklessons.com/is-is/is-is-filtering