Router Security Configuration Guide, Version 1.0g, UNCLASSIFIED, page 98

To apply this command to a routing protocol, access lists must first be created. For more information about how to create access lists, see Section 4.3. For illustration purposes, an access list with rules filtering out 14.2.10.0/24 will be used.

    Central# config t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Central(config)# access-list 55 deny 14.2.10.0 0.0.0.255
    Central(config)# access-list 55 permit any
    Central(config)# end
    Central#

The OSPF distribute-list in configuration command prevents routes from being inserted into the routing table, but it does not stop routes from being sent out in the link-state advertisements (LSAs). Thus all downstream routers will learn about the networks that were supposed to be filtered in these LSAs. Some authors, including Parkhurst [2], advise against using distribute-list in for OSPF.

The distribute-list out command in OSPF configuration mode stops routes from being advertised in updates. However, this restriction only applies to external routes, that is, routes from a different autonomous system (AS). The following example shows how to prevent Central from advertising the 14.2.10.0 network from the RIP routing domain into the OSPF routing domain. With this setting North and East would not see a route to the 14.2.10.0 network.

    Central# config t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Central(config)# router ospf 1
    Central(config-router)# distribute-list 55 out
    Central(config-router)# end
    Central#

The RIP distribute-list in command deletes routes from incoming RIP updates. Subsequently, all updates sent from that router will not advertise the deleted route. The following example shows Central deleting the route to 14.2.10.0 network as it comes in from a RIP update from South. Therefore, since Central no longer has a route to network 14.2.10.0, it will not advertise this network to other routers. Thus, North and East will not see a route to 14.2.10.0.

    Central# config t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Central(config)# router rip
    Central(config-router)# distribute-list 55 in
    Central(config-router)# end
    Central#

The RIP distribute-list out command prevents routes from being advertised in updates. Thus, the effect of applying the same filter used in the previous examples to South is that North, East and Central will not see routes to the 14.2.10.0 network.

    South# config t
    Enter configuration commands, one per line.  End with CNTL/Z.
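
An added example (not part of the guide): a small Python audit that scans an IOS configuration for the four distribute-list uses described above and reports what each one actually filters, so an OSPF "in" filter is not mistaken for one that stops propagation. The sample configuration, the note strings and access list 77 are constructed for illustration, and only numbered access lists are handled.

```python
import re

# Constructed sample config (not from the guide): the page's access list 55
# plus one distribute-list of each kind discussed above. ACL 77 is undefined.
SAMPLE_CONFIG = """\
access-list 55 deny 14.2.10.0 0.0.0.255
access-list 55 permit any
!
router ospf 1
 distribute-list 55 in
 distribute-list 55 out
!
router rip
 distribute-list 55 in
 distribute-list 77 out
"""

# Effect of each protocol/direction pair, as stated in the text above.
NOTES = {
    ("ospf", "in"): "WARN: local routing table only; LSAs still carry the route downstream",
    ("ospf", "out"): "INFO: applies to external routes only",
    ("rip", "in"): "OK: route deleted from incoming updates and not re-advertised",
    ("rip", "out"): "OK: route withheld from outgoing updates",
}

def audit(config):
    """Return (protocol, acl, direction, note) for every distribute-list line."""
    acls = set(re.findall(r"^access-list (\d+) ", config, re.M))
    findings, proto = [], None
    for line in config.splitlines():
        m = re.match(r"router (\w+)", line)
        if m:                        # entering a routing-protocol section
            proto = m.group(1)
            continue
        if not line.startswith(" "):
            proto = None             # any other top-level line ends the section
            continue
        m = re.match(r"\s+distribute-list (\d+) (in|out)\b", line)
        if m and proto:
            acl, direction = m.groups()
            note = NOTES.get((proto, direction), "UNKNOWN: protocol not covered here")
            if acl not in acls:      # the access list must be created first
                note = "ERROR: access-list %s is not defined" % acl
            findings.append((proto, acl, direction, note))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("router %-4s distribute-list %s %-3s -> %s" % finding)
```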