IP Route Filter

This section lets you define, edit, and name a set of IP route filtering rules. A route filter controls which routes the concentrator accepts from inbound routing advertisements (and so installs in its routing table) and which routes it advertises outbound.

edit config IP Route Filter "Name"

Syntax Description

"Name"

A unique name, up to 16 characters with spaces allowed, for this filter set.

Usage Guidelines

These filter rules are global to the device and are not associated with a particular interface. However, they can be restricted to an interface using the from or to modifiers as explained later in this section.

Ordering Rules

The rules are applied in the order they were written, and the first rule that matches a routing update decides whether it is permitted or denied. When you select multiple filter sets, they are read from first to last in the order you listed them.

Allowing Non-Filtered Routing Packets

Once a filter set contains any rule, even a single deny rule, the concentrator rejects every routing update that no rule explicitly permits. The exception is that direct and static routes are always installed and cannot be removed from the routing table using IP route filtering.

To allow all other routing packets not filtered, make the last rule:

permit 0.0.0.0


For example, if you only want to deny inbound routing updates for the host address 192.67.89.3 and accept everything else, enter two lines:

deny 192.67.89.3 in

permit 0.0.0.0

Filtering Rule Syntax

After entering the edit config command, and then the append command, enter one or more filter rules using the following syntax:

{permit | deny} IP_address[/bits]
[in | out | both]
[via protocol]
[origin protocol]
[{metricin | metricout} metric]
[{from | to} {IP_address[/bits] | port}]
[log]

Options

permit | deny

  • permit specifies that information from routing packets that meet the conditions are included in the IP routing table.

  • deny specifies that information from routing packets that meet the conditions are not included in the IP routing table.

IP_address[/bits]

The concentrator compares the IP address of a routing packet to the address you entered here. You can specify an IP address in the following ways:

  • In dotted-decimal notation. If you enter 0s instead of a host address for the last octets, the system treats the address as a subnet. For example, 128.138.12.0 matches all 256 addresses (254 usable hosts) on the 128.138.12.0 subnet. The concentrator uses the address class to determine the subnet, so for a Class B address such as 128.5.0.0, enter 0s for the last two octets to match the whole 128.5.0.0/16 block of 65,536 addresses. The wildcard address of all zeros (0.0.0.0) matches any address.

  • As a factorized address in the form of nnn.nnn.nnn.{nnn,nnn,...}. For example:

    • 192.12.9.{1,2,3,15} matches the hosts 192.12.9.1, 192.12.9.2, 192.12.9.3, and 192.12.9.15.

    • 198.41.{8,9,10,11,12,13} matches all host addresses from 198.41.8.1 to 198.41.13.255.

  While you enter a factorized rule on one line, the concentrator actually creates one rule for each address. The first example above creates four rules and the second creates six. The second example can instead be written as two prefix rules that cover the same range:

    198.41.8.0/22
    198.41.12.0/23

  • As a hexadecimal number. For example, 0x82cc0801 matches the host address 130.204.8.1.

/bits denotes the number of leading bits that are significant when comparing against the address from the routing packet. For example, an address specified as 192.15.32.0/19 matches all addresses from 192.15.32.0 to 192.15.63.255.

in | out | both

Specifies the packet direction for which the rule is applied.

  • In applies filter rules only to incoming routing packets.

  • Out applies filter rules only to outgoing routing packets.

  • Both, the default, applies filter rules to incoming and outgoing packets.

via protocol

Applies the rule only to routing packets received from (for in) or sent by (for out) one or more of the specified protocols, where protocol is one or more of:

[icmp] [rip] [ripv2] [ospf]

origin protocol

Applies the rule only to routes that originated from one or more of the specified protocols, where protocol is one or more of:

[icmp] [rip] [ripv2] [ospf] [static] [direct]

{metricin | metricout} metric

Allows the metric on incoming or outgoing routes to be incremented or decremented. The metric is the hop count, that is, the number of routers on the route; raising it makes a route less attractive and lowering it makes the route more attractive. metric must be a decimal number from 1 to 15.

{from | to} {IP_address[/bits] | port}

Applies the filter only to routing packets from or to a specific IP address or port, where port is:

{Ethernet | WAN} slot:port

log

Causes the concentrator to log data about routing updates matched by this rule. See the Logging section for more information.

Examples

The following example permits inbound routing information only from RIP and only from the neighbor 198.41.11.1, and permits outbound advertisement only of routes that originate from RIP, directly connected routes, and static routes.

[ IP Route Filter "rip-in" ]
permit 0.0.0.0 in via rip from 198.41.11.1
permit 0.0.0.0 out origin rip direct static

The route filter is applied in the General section.

[ General ]
IPRouteFilters =  rip-in bgp600

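The rule language above is small enough to model exactly, and doing so makes the two points that bite in practice visible: rules are tried in order with the first match winning, and anything no rule permits is dropped once a set has any rule at all. The Python below is an added example written for this page, not Cisco code from the concentrator; its matching semantics (how trailing-zero octets, factorized addresses, via/origin and from/to are interpreted) are my reading of the reference text and have not been checked against a device. The `metricin`/`metricout`, `log`, and interface-port forms of `from`/`to` are parsed but not modelled. The filter sets at the bottom are constructed from the page's own two examples.

```python
"""Added example (not Cisco's code): a Python model of the concentrator's IP route-filter
rules, showing first-match ordering, the implicit deny and the address forms (dotted with
trailing zeros, factorized, hex, /bits). The match semantics are my reading of this page."""
import ipaddress
import re
from collections import namedtuple
from dataclasses import dataclass, field

PROTOCOLS = {"icmp", "rip", "ripv2", "ospf", "static", "direct"}

@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    network: ipaddress.IPv4Network   # expanded IP_address[/bits]
    direction: str = "both"          # in | out | both
    via: set = field(default_factory=set)     # protocols the packet came via
    origin: set = field(default_factory=set)  # protocols that originated the route
    peer: tuple = None                        # ("from" | "to", IPv4Network) or None

# One route as the filter sees it: prefix, "in"/"out", carrying protocol, origin, neighbour.
Update = namedtuple("Update", "prefix direction via origin peer")

def expand_address(token: str) -> list:
    """One IPv4Network per address the token denotes (a factorized token gives several)."""
    if "/" in token:                                    # explicit /bits
        base, bits = token.split("/")
        return [ipaddress.IPv4Network((base, int(bits)), strict=False)]
    if token.lower().startswith("0x"):                  # hex host address
        return [ipaddress.IPv4Network((int(token, 16), 32))]
    m = re.fullmatch(r"((?:\d+\.)*)\{([\d,]+)\}", token)
    if m:                                               # nnn.nnn.{a,b,c}: one rule each
        return [n for a in m.group(2).split(",") for n in expand_address(m.group(1) + a)]
    octets = (token.split(".") + ["0"] * 4)[:4]         # 198.41.8 -> 198.41.8.0
    dotted = ".".join(octets)
    if dotted == "0.0.0.0":                             # wildcard: any address
        return [ipaddress.IPv4Network("0.0.0.0/0")]
    significant = 4
    while octets[significant - 1] == "0":               # trailing zero octets = subnet
        significant -= 1
    # The class sets the floor (128.5.0.0 -> /16), written octets extend it
    # (128.138.12.0 -> /24), and no trailing zeros means a single host (/32).
    class_bits = 8 if int(octets[0]) < 128 else 16 if int(octets[0]) < 192 else 24
    return [ipaddress.IPv4Network((dotted, max(class_bits, 8 * significant)), strict=False)]

def parse_rule(line: str) -> list:
    """Parse one filter line into one Rule per expanded address."""
    toks = line.split()
    assert toks[0] in ("permit", "deny"), line
    rules = []
    for net in expand_address(toks[1]):
        r, i = Rule(toks[0], net), 2
        while i < len(toks):
            t = toks[i]
            if t in ("in", "out", "both"):
                r.direction, i = t, i + 1
            elif t in ("via", "origin"):
                bucket, i = (r.via if t == "via" else r.origin), i + 1
                while i < len(toks) and toks[i] in PROTOCOLS:
                    bucket.add(toks[i])
                    i += 1
            elif t in ("from", "to"):                   # IP form only; port form not modelled
                r.peer, i = (t, expand_address(toks[i + 1])[0]), i + 2
            elif t in ("metricin", "metricout", "log"): # accepted, not modelled here
                i += 1 if t == "log" else 2
            else:
                raise ValueError(f"unknown token {t!r} in {line!r}")
        rules.append(r)
    return rules

def build(filter_sets: dict, order: list) -> list:
    """IPRouteFilters = a b ...: the named sets are read first to last."""
    return [r for n in order for line in filter_sets[n] for r in parse_rule(line)]

def matches(rule: Rule, u: Update) -> bool:
    return (ipaddress.IPv4Network(u.prefix).network_address in rule.network
            and rule.direction in ("both", u.direction)
            and (not rule.via or u.via in rule.via)
            and (not rule.origin or u.origin in rule.origin)
            and (rule.peer is None or (u.direction == ("in" if rule.peer[0] == "from" else "out")
                                       and ipaddress.IPv4Address(u.peer) in rule.peer[1])))

def evaluate(rules: list, u: Update) -> str:
    """First matching rule wins. With no rules at all nothing is filtered; once any rule
    exists, an update no rule matches is denied (hence the closing 'permit 0.0.0.0').
    Inbound direct and static routes are always installed, so they bypass the rules."""
    if not rules or (u.direction == "in" and u.origin in ("direct", "static")):
        return "permit"
    for r in rules:
        if matches(r, u):
            return r.action
    return "deny"

# Constructed filter sets in the page's own syntax: its two examples.
FILTERS = {
    "deny-host": ["deny 192.67.89.3 in", "permit 0.0.0.0"],
    "rip-in": ["permit 0.0.0.0 in via rip from 198.41.11.1",
               "permit 0.0.0.0 out origin rip direct static"],
}
```

Running `evaluate(build(FILTERS, ["rip-in"]), Update("10.1.0.0/16", "in", "rip", "rip", "198.41.11.2"))` returns "deny" even though no deny rule exists, which is the implicit-deny behaviour the page warns about. Swapping the order of the sets in `build` changes the outcome for an update that both sets can match, which is why the order in `IPRouteFilters` matters.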
Related Commands

Command                              Description

configure General                    Configures general system settings

configure IP                         Configures IP parameters for an interface

configure IP Route Redistribution    Configures how the concentrator redistributes routes from one dynamic IP routing protocol into another

configure Logging                    Configures logging options

edit config IP Filter                Creates IP packet filters

edit config IP Static                Creates IP static routes

show IP                              Shows IP configuration and statistics


Posted: Wed Sep 27 10:56:15 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.