Distribute-list Fun!
Last night i was doing some Vol.2 Narbik Labs. I was supposed to filter some OSPF routes entering
the routing table on a certain router. I chose to use an extended access-list because, well, just because i could.
The command i wanted to use, was the router-config mode command “distribute-list”.
A bit of info on the distribute-list command. This command is used to filter routes in the routing protocol.
You can filter routes comming in from a certain interface, routes going out a certain interface (in some protocols), and
routes going into/out from another routing protocol when doing redistribution.
I knew that the way the extended access-list was interpreted would be different compared to what we normally
think of when using an extended access-list. Lets take a look.
Here’s an extended access-list
access-list 140 permit ip 100.100.0.0 0.0.0.0 255.255.0.0 0.0.0.0
This access-list looks a bit weird at first glance. However, there’s logic in the madness. The source pair
will be the network you are trying to match, in this case we want to match 100.100.0.0/16. The network must
match 100.100.0.0, hence we use a wildcard mask of 0.0.0.0. We only want the /16 netmask, which is 255.255.0.0.
Again we match this with 0.0.0.0 to make sure we only get this certain netmask.
Yes, i do know that prefix-lists would be alot easier and more transparent. In this case however, an access-list
was to be used.
The difference lies in how an IGP treats the extended access-list compared to how BGP treats it.
BGP treats the access-list as described above, but an IGP does not!
An IGP treats the access-list as follows:
The “source-pair”, in the example above “100.100.0.0 0.0.0.0”, has to be the update-source. Who sent the update
is what we are matching.
The “destination-pair” is our network part. This is where the network we want to match should be placed. If we continue
our example, we would put “100.100.0.0 0.0.0.0” in this field. Note that we cannot match the netmask this way!
To finalize our example:
access-list 140 permit ip 1.1.1.1 0.0.0.0 100.100.0.0 0.0.0.0
Which means, routing updates comming from 1.1.1.1, matching network 100.100.0.0 is allowed.
Now for the tweak 🙂
You can get the IGP distribute-list command to work as the BGP equivalent by using a route-map implementing the extended
access-list. Lets re-use our previous extended access-list:
access-list 140 permit ip 100.100.0.0 0.0.0.0 255.255.0.0 0.0.0.0
Now, lets create a route-map to use this access-list:
route-map TST-MAP match ip add 140
You can then use this route-map in your distribute-list command:
distribute-list route-map TST-MAP in
The only issue with this is that it goes for anything comming into OSPF, both from other routing protocols and from other
OSPF neighbors on other interface. Maybe not what you are looking for, but its doable 🙂
Anyways, I hope that shed some light on this nasty command.