Router Security Configuration Guide
UNCLASSIFIED
Version 1.0g
To apply this command to a routing protocol, access lists must first be created. For
more information about how to create access lists, see Section 4.3. For illustration
purposes, an access list with rules filtering out 14.2.10.0/24 will be used.
Central# config t
Enter configuration commands, one per line. End with CNTL/Z.
Central(config)# access-list 55 deny 14.2.10.0 0.0.0.255
Central(config)# access-list 55 permit any
Central(config)# end
Central#
The OSPF distribute-list in configuration command prevents routes from
being inserted into the local routing table, but it does not stop those routes from being
sent out in link-state advertisements (LSAs). Thus all downstream routers will still
learn, from these LSAs, about the networks that were supposed to be filtered. Some
authors, including Parkhurst [2], advise against using distribute-list in for OSPF.
The distribute-list out command in OSPF configuration mode stops routes
from being advertised in updates. However, this restriction only applies to external
routes, that is, routes from a different autonomous system (AS). The following
example shows how to prevent Central from advertising the 14.2.10.0 network from
the RIP routing domain into the OSPF routing domain. With this setting North and
East would not see a route to the 14.2.10.0 network.
Central# config t
Enter configuration commands, one per line. End with CNTL/Z.
Central(config)# router ospf 1
Central(config-router)# distribute-list 55 out
Central(config-router)# end
Central#
The RIP distribute-list in command deletes routes from incoming RIP
updates. As a result, none of the updates that router subsequently sends will advertise
the deleted route. The following example shows Central deleting the route to the
14.2.10.0 network as it arrives in a RIP update from South. Since Central no longer has
a route to network 14.2.10.0, it will not advertise this network to other routers. Thus,
North and East will not see a route to 14.2.10.0.
Central# config t
Enter configuration commands, one per line. End with CNTL/Z.
Central(config)# router rip
Central(config-router)# distribute-list 55 in
Central(config-router)# end
Central#
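The three examples above share one access list and differ only in which routing process and direction the distribute-list is applied to, and the text notes that an OSPF distribute-list in filters the local table without stopping the LSAs. The following Python script is an added audit example, not part of this guide or of Cisco IOS: it parses a constructed running-config modelled on the Central router, evaluates standard numbered access lists with IOS wildcard masks (first match wins, implicit deny), records every distribute-list under a router process, and reports filters that reference an undefined access list or that apply distribute-list in to OSPF. The config text, the hostname and the access-list number 60 are constructed for the example.

```python
"""Audit a Cisco IOS running-config for distribute-list route filters.

Added example (not from the Router Security Configuration Guide): parses a
constructed config, evaluates standard ACLs with wildcard masks, and flags
distribute-list usage that a reviewer would want to look at.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample config, modelled on the Central router in the examples.
# Access list 60 is deliberately left undefined to exercise that check.
SAMPLE_CONFIG = """\
hostname Central
!
access-list 55 deny   14.2.10.0 0.0.0.255
access-list 55 permit any
!
router ospf 1
 network 14.1.0.0 0.0.255.255 area 0
 distribute-list 55 in
!
router rip
 network 14.0.0.0
 distribute-list 55 in
 distribute-list 60 out
!
"""


@dataclass
class AclEntry:
    action: str    # "permit" or "deny"
    network: int   # IPv4 address as an integer
    wildcard: int  # IOS wildcard mask: 1 bits are "don't care"


@dataclass
class DistributeList:
    process: str    # e.g. "ospf 1" or "rip"
    acl: str        # access-list number referenced
    direction: str  # "in" or "out"


def parse_acls(config: str) -> dict:
    """Collect numbered standard access lists: {"55": [AclEntry, ...]}."""
    acls = {}
    pat = re.compile(r"\s*access-list\s+(\d+)\s+(permit|deny)\s+(\S+)(?:\s+(\S+))?")
    for line in config.splitlines():
        m = pat.match(line)
        if not m:
            continue
        num, action, addr, second = m.groups()
        if addr == "any":                       # permit/deny any
            net, wild = 0, 0xFFFFFFFF
        elif addr == "host":                    # permit/deny host A.B.C.D
            net, wild = int(ipaddress.IPv4Address(second)), 0
        else:                                   # A.B.C.D [wildcard]
            net = int(ipaddress.IPv4Address(addr))
            wild = int(ipaddress.IPv4Address(second or "0.0.0.0"))
        acls.setdefault(num, []).append(AclEntry(action, net, wild))
    return acls


def acl_action(entries: list, address: str) -> str:
    """Evaluate a standard ACL: first matching entry wins, implicit deny at the end."""
    a = int(ipaddress.IPv4Address(address))
    for e in entries:
        mask = ~e.wildcard & 0xFFFFFFFF          # bits that must match exactly
        if (a & mask) == (e.network & mask):
            return e.action
    return "deny"


def parse_distribute_lists(config: str) -> list:
    """Return every distribute-list found under a 'router ...' process block."""
    found, process = [], None
    for line in config.splitlines():
        if not line.startswith(" "):             # top-level line ends any process block
            m = re.match(r"router\s+(\S+(?:\s+\d+)?)", line)
            process = m.group(1) if m else None
            continue
        m = re.match(r"\s*distribute-list\s+(\S+)\s+(in|out)\b", line)
        if m and process:
            found.append(DistributeList(process, m.group(1), m.group(2)))
    return found


def audit(config: str) -> list:
    """Findings a reviewer would raise about the distribute-lists in the config."""
    acls, findings = parse_acls(config), []
    for dl in parse_distribute_lists(config):
        where = f"router {dl.process}: distribute-list {dl.acl} {dl.direction}"
        if dl.acl not in acls:
            findings.append(f"{where} references an access list that is not defined")
        elif dl.process.startswith("ospf") and dl.direction == "in":
            findings.append(f"{where} filters only the local routing table; "
                            "the routes are still flooded in LSAs")
    return findings


if __name__ == "__main__":
    acl55 = parse_acls(SAMPLE_CONFIG)["55"]
    print("14.2.10.7 ->", acl_action(acl55, "14.2.10.7"))    # deny
    print("14.2.11.1 ->", acl_action(acl55, "14.2.11.1"))    # permit
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against a saved `show running-config` to list which processes carry filters and which filters need a second look; the wildcard evaluation can be reused to confirm that a given network, such as 14.2.10.0, is actually matched by the deny entry before relying on the filter.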
The RIP distribute-list out command prevents routes from being advertised in
updates. Thus, the effect of applying the same filter used in the previous examples to
South is that North, East and Central will not see routes to the 14.2.10.0 network.
South# config t
Enter configuration commands, one per line. End with CNTL/Z.