The following examples show some basic uses of route policy based on the figure below. (All subnets have 24-bit masks.)
Each of the routing domains in the figure (Network for redistribution example) is defined with simple VLANs and a basic routing configuration:
- In the RIP domains, the RIP protocol is assigned to each VLAN that a router connects to.
- Routers in the RIP domains redistribute connected routes; this is the default setting when RIP is enabled.
- For simplicity, all VLANs in the OSPF domain are assigned to the backbone area (area 0).
- Border routers (North and South) implement both RIP and OSPF protocols.
The following listing shows the running configuration for the South router, the most complicated of the routers in this example. (Not only is the South router a border router, but it also has host computers connected directly to it in both RIP and OSPF domains.)
    South(config)# show run

    Running configuration:

    ; J8697A Configuration Editor; Created on release #K.15.01.0031

    hostname "South"
    module 1 type J8702A
    module 3 type J9478A
    ip routing
    vlan 1
       name "DEFAULT_VLAN"
       untagged A19-A24,C13-C24
       ip address dhcp-bootp
       no untagged A1-A18,C1-C12
       exit
    vlan 31
       name "VLAN31"
       untagged A1-A6
       ip address 10.3.31.2 255.255.255.0
       exit
    vlan 33
       name "VLAN33"
       untagged A7-A12
       ip address 10.3.33.2 255.255.255.0
       exit
    vlan 21
       name "VLAN21"
       untagged A13-A18
       ip address 10.2.21.1 255.255.255.0
       exit
    vlan 37
       name "VLAN37"
       untagged C1-C6
       ip address 10.3.37.1 255.255.255.0
       exit
    vlan 29
       name "VLAN29"
       untagged C7-C12
       ip address 10.2.29.1 255.255.255.0
       exit
    router ospf
       area backbone
       exit
    router rip
       redistribute connected
       exit
    snmp-server community "public" unrestricted
    vlan 21
       ip rip 10.2.21.1
       exit
    vlan 29
       ip rip 10.2.29.1
       exit
    vlan 31
       ip ospf 10.3.31.2 area backbone
       exit
    vlan 33
       ip ospf 10.3.33.2 area backbone
       exit
    vlan 37
       ip ospf 10.3.37.1 area backbone
       exit
Items of particular interest are:
- The ip routing command enables routing on the switch.
- The router ospf command enables OSPF routing on the switch. The area backbone command establishes the backbone area (area 0).
- The router rip command enables RIP routing on the switch. The redistribute connected command redistributes directly connected routes to all routers in the attached RIP domain.
- The vlan commands at the end of the configuration assign routing protocols to the VLANs. Additionally, they make area assignments for VLANs in the OSPF domain.
The other routers have analogous, if somewhat simpler, routing configurations. The Northwest, Northeast, and Southeast routers have only RIP enabled, and the East router has only OSPF enabled. The North router enables both routing protocols, but has fewer VLANs.
Listed below are the routing tables that result for three representative routers:
- South: A border router attached to both RIP and OSPF domains.
- East: A router within the OSPF domain.
- Southeast: A router within the RIP domain.
    South(config)# show ip route

    IP Route Entries

    Destination     Gateway         VLAN Type      Sub-Type   Metric     Dist.
    --------------- --------------- ---- --------- ---------- ---------- -----
    10.2.21.0/24    VLAN21          21   connected            1          0
    10.2.22.0/24    10.2.21.2       21   rip                  2          120
    10.2.23.0/24    10.2.21.2       21   rip                  2          120
    10.2.29.0/24    VLAN29          29   connected            1          0
    10.3.31.0/24    VLAN31          31   connected            1          0
    10.3.32.0/24    10.3.31.1       31   ospf      IntraArea  2          110
    10.3.32.0/24    10.3.33.1       33   ospf      IntraArea  2          110
    10.3.33.0/24    VLAN33          33   connected            1          0
    10.3.34.0/24    10.3.33.1       33   ospf      IntraArea  2          110
    10.3.37.0/24    VLAN37          37   connected            1          0
    127.0.0.0/8     reject               static               0          0
    127.0.0.1/32    lo0                  connected            1          0

    East(config)# show ip route

    IP Route Entries

    Destination     Gateway         VLAN Type      Sub-Type   Metric     Dist.
    --------------- --------------- ---- --------- ---------- ---------- -----
    10.3.31.0/24    10.3.32.1       32   ospf      IntraArea  2          110
    10.3.31.0/24    10.3.33.2       33   ospf      IntraArea  2          110
    10.3.32.0/24    VLAN32          32   connected            1          0
    10.3.33.0/24    VLAN33          33   connected            1          0
    10.3.34.0/24    VLAN34          34   connected            1          0
    10.3.37.0/24    10.3.33.2       33   ospf      IntraArea  2          110
    127.0.0.0/8     reject               static               0          0
    127.0.0.1/32    lo0                  connected            1          0

    Southeast(config)# show ip route

    IP Route Entries

    Destination     Gateway         VLAN Type      Sub-Type   Metric     Dist.
    --------------- --------------- ---- --------- ---------- ---------- -----
    10.2.21.0/24    VLAN21          21   connected            1          0
    10.2.22.0/24    VLAN22          22   connected            1          0
    10.2.23.0/24    VLAN23          23   connected            1          0
    10.2.29.0/24    10.2.21.1       21   rip                  2          120
    10.3.31.0/24    10.2.21.1       21   rip                  2          120
    10.3.33.0/24    10.2.21.1       21   rip                  2          120
    10.3.37.0/24    10.2.21.1       21   rip                  2          120
    127.0.0.0/8     reject               static               0          0
    127.0.0.1/32    lo0                  connected            1          0
With this configuration, the routers and host computers in each routing domain are able to communicate with all other routers and hosts in that domain. In addition, the routers and hosts in the RIP domains can communicate with all interfaces of the adjacent border router and with hosts attached to those interfaces. (To prevent that cross-domain communication, you would remove the redistribute connected command from the router rip context.) Beyond those connected routes on the RIP side, there is no inter-domain communication.
Thus, host Z can ping host X and host L, but not host M or host B. And host M can ping host L, but not host X or host Y or host A. And so on.
Route redistribution allows border routers to distribute routes between adjacent routing domains. Thus, the North router can redistribute routes from the northern RIP domain to the OSPF domain and from the OSPF domain to the northern RIP domain. Similarly, the South router can redistribute routes from the southern RIP domain to the OSPF domain and from the OSPF domain to the southern RIP domain. And if both the North and South routers have redistribution enabled in both directions at the same time, the routes that are redistributed from the RIP domains to the OSPF domain will be further distributed to the opposite RIP domain, and routers and hosts in all domains will be able to communicate with each other. (Some subtle complications are explained below.)
For example, in the North and South routers you might add a redistribute rip command to the router ospf context and a redistribute ospf command to the router rip context, like this:
    .
    .
    router ospf
       area backbone
       redistribute rip
       exit
    router rip
       redistribute connected
       redistribute ospf
       exit
    .
    .
This causes extensive redistribution of routes within all three routing domains, adding a large number of routes to the route tables of all the routers. For example, the route table in the East router adds routes to subnets in both RIP domains, and looks like this:
    East(config)# show ip route

    IP Route Entries

    Destination     Gateway         VLAN Type      Sub-Type   Metric     Dist.
    --------------- --------------- ---- --------- ---------- ---------- -----
    10.1.11.0/24    10.3.32.1       32   ospf      External2  10         110
    10.1.12.0/24    10.3.32.1       32   ospf      External2  10         110
    10.1.13.0/24    10.3.32.1       32   ospf      External2  10         110
    10.1.14.0/24    10.3.32.1       32   ospf      External2  10         110
    10.2.22.0/24    10.3.33.2       33   ospf      External2  10         110
    10.2.23.0/24    10.3.33.2       33   ospf      External2  10         110
    10.3.31.0/24    10.3.32.1       32   ospf      IntraArea  2          110
    10.3.31.0/24    10.3.33.2       33   ospf      IntraArea  2          110
    10.3.32.0/24    VLAN32          32   connected            1          0
    10.3.33.0/24    VLAN33          33   connected            1          0
    10.3.34.0/24    VLAN34          34   connected            1          0
    10.3.37.0/24    10.3.33.2       33   ospf      IntraArea  2          110
    127.0.0.0/8     reject               static               0          0
    127.0.0.1/32    lo0                  connected            1          0
But this route table does not include all the possible routes in all domains: routes to subnets 10.1.15.x, 10.1.16.x, 10.2.21.x, and 10.2.29.x (VLANs 15, 16, 21, and 29) are missing. Host computer M cannot ping host X because there is no route to it, though it can ping through the "invisible" South router to host Y or host Z.
The problem is that those missing subnets are directly connected to the North and South border routers, and directly connected routes must be explicitly redistributed with a redistribute connected command even though they are RIP routes and RIP routes were redistributed. The fix is to add redistribute connected commands to the router ospf contexts of the North and South routers, like this:
    .
    .
    router ospf
       area backbone
       redistribute connected
       redistribute rip
       exit
    .
    .
All existing routes are redistributed and the route table for the East router is now complete:
    East(config)# show ip route

    IP Route Entries

    Destination     Gateway         VLAN Type      Sub-Type   Metric     Dist.
    --------------- --------------- ---- --------- ---------- ---------- -----
    10.1.11.0/24    10.3.32.1       32   ospf      External2  10         110
    10.1.12.0/24    10.3.32.1       32   ospf      External2  10         110
    10.1.13.0/24    10.3.32.1       32   ospf      External2  10         110
    10.1.14.0/24    10.3.32.1       32   ospf      External2  10         110
    10.1.15.0/24    10.3.32.1       32   ospf      External2  10         110
    10.1.16.0/24    10.3.32.1       32   ospf      External2  10         110
    10.2.21.0/24    10.3.33.2       33   ospf      External2  10         110
    10.2.22.0/24    10.3.33.2       33   ospf      External2  10         110
    10.2.23.0/24    10.3.33.2       33   ospf      External2  10         110
    10.2.29.0/24    10.3.33.2       33   ospf      External2  10         110
    10.3.31.0/24    10.3.32.1       32   ospf      IntraArea  2          110
    10.3.31.0/24    10.3.33.2       33   ospf      IntraArea  2          110
    10.3.32.0/24    VLAN32          32   connected            1          0
    10.3.33.0/24    VLAN33          33   connected            1          0
    10.3.34.0/24    VLAN34          34   connected            1          0
    10.3.37.0/24    10.3.33.2       33   ospf      IntraArea  2          110
    127.0.0.0/8     reject               static               0          0
    127.0.0.1/32    lo0                  connected            1          0
Host L can now ping host X and, indeed, any other host in any of the three routing domains.
The wide variety of match types available with route policy allows you to make finer distinctions when distributing routes across routing domain boundaries.
Suppose that you want to limit the distribution of the "non-connected" routes in the northern RIP domain to the "odd-numbered" prefixes—that is, to 10.1.11.x and 10.1.13.x. You can accomplish that by creating a prefix list:
    ip prefix-list "Odds" seq 5 permit 10.1.11.1 255.255.255.0 ge 24 le 24
    ip prefix-list "Odds" seq 10 permit 10.1.13.1 255.255.255.0 ge 24 le 24
Then matching that prefix-list in a route map:
    route-map "PermitOdds" permit seq 10
       match ip address prefix-list "Odds"
       exit
And finally applying that route map to the redistribution of RIP routes in the North router:
    router ospf
       area backbone
       redistribute connected
       redistribute rip route-map "PermitOdds"
       exit
The result of this is to permit redistribution of routes 10.1.11.x and 10.1.13.x, and to deny redistribution of routes 10.1.12.x and 10.1.14.x. (Routes 10.1.15.x and 10.1.16.x are redistributed by the redistribute connected command.) This occurs throughout the OSPF domain, and is propagated through redistribution by the South router into the southern RIP domain.
For instance, in the OSPF domain the route table of the East router becomes:
    East(config)# show ip route

    IP Route Entries

    Destination     Gateway         VLAN Type      Sub-Type   Metric     Dist.
    --------------- --------------- ---- --------- ---------- ---------- -----
    10.1.11.0/24    10.3.32.1       32   ospf      External2  10         110
    10.1.13.0/24    10.3.32.1       32   ospf      External2  10         110
    10.1.15.0/24    10.3.32.1       32   ospf      External2  10         110
    10.1.16.0/24    10.3.32.1       32   ospf      External2  10         110
    10.2.21.0/24    10.3.33.2       33   ospf      External2  10         110
    10.2.22.0/24    10.3.33.2       33   ospf      External2  10         110
    10.2.23.0/24    10.3.33.2       33   ospf      External2  10         110
    10.2.29.0/24    10.3.33.2       33   ospf      External2  10         110
    10.3.31.0/24    10.3.32.1       32   ospf      IntraArea  2          110
    10.3.31.0/24    10.3.33.2       33   ospf      IntraArea  2          110
    10.3.32.0/24    VLAN32          32   connected            1          0
    10.3.33.0/24    VLAN33          33   connected            1          0
    10.3.34.0/24    VLAN34          34   connected            1          0
    10.3.37.0/24    10.3.33.2       33   ospf      IntraArea  2          110
    127.0.0.0/8     reject               static               0          0
    127.0.0.1/32    lo0                  connected            1          0
In the southern RIP domain, the route table of the Southeast router becomes:
    Southeast(config)# show ip route

    IP Route Entries

    Destination     Gateway         VLAN Type      Sub-Type   Metric     Dist.
    --------------- --------------- ---- --------- ---------- ---------- -----
    10.1.11.0/24    10.2.21.1       21   rip                  2          120
    10.1.13.0/24    10.2.21.1       21   rip                  2          120
    10.1.15.0/24    10.2.21.1       21   rip                  2          120
    10.1.16.0/24    10.2.21.1       21   rip                  2          120
    10.2.21.0/24    VLAN21          21   connected            1          0
    10.2.22.0/24    VLAN22          22   connected            1          0
    10.2.23.0/24    VLAN23          23   connected            1          0
    10.2.29.0/24    10.2.21.1       21   rip                  2          120
    10.3.31.0/24    10.2.21.1       21   rip                  2          120
    10.3.32.0/24    10.2.21.1       21   rip                  2          120
    10.3.33.0/24    10.2.21.1       21   rip                  2          120
    10.3.34.0/24    10.2.21.1       21   rip                  2          120
    10.3.37.0/24    10.2.21.1       21   rip                  2          120
    127.0.0.0/8     reject               static               0          0
    127.0.0.1/32    lo0                  connected            1          0
To avoid losing the "even-numbered" routes (10.1.12.x and 10.1.14.x) in the OSPF domain, reinstate the original redistribution in the North router:
    router ospf
       area backbone
       redistribute connected
       redistribute rip
       exit
And move the prefix list, route map, and redistribution from the North router to the South router. To get the same distribution of routes from the northern RIP to the southern RIP domain, add the 10.1.15.x and 10.1.16.x routes to the prefix list; they will not be redistributed by the redistribute connected command because they are not directly connected to the South router. The prefix list would expand to:
    ip prefix-list "Odds" seq 5 permit 10.1.11.1 255.255.255.0 ge 24 le 24
    ip prefix-list "Odds" seq 10 permit 10.1.13.1 255.255.255.0 ge 24 le 24
    ip prefix-list "Odds" seq 15 permit 10.1.15.1 255.255.255.0 ge 24 le 24
    ip prefix-list "Odds" seq 20 permit 10.1.16.1 255.255.255.0 ge 24 le 24
The route map would move from North to South with no changes:
    route-map "PermitOdds" permit seq 10
       match ip address prefix-list "Odds"
       exit
And the route redistribution would move from the router ospf context to the router rip context:
    router rip
       redistribute connected
       redistribute ospf route-map "PermitOdds"
       exit
This has the desired effect of redistributing all the routes in the OSPF domain, as indicated by the East router's route table:
    East(config)# show ip route

    IP Route Entries

    Destination     Gateway         VLAN Type      Sub-Type   Metric     Dist.
    --------------- --------------- ---- --------- ---------- ---------- -----
    10.1.11.0/24    10.3.32.1       32   ospf      External2  10         110
    10.1.12.0/24    10.3.32.1       32   ospf      External2  10         110
    10.1.13.0/24    10.3.32.1       32   ospf      External2  10         110
    10.1.14.0/24    10.3.32.1       32   ospf      External2  10         110
    10.1.15.0/24    10.3.32.1       32   ospf      External2  10         110
    10.1.16.0/24    10.3.32.1       32   ospf      External2  10         110
    10.2.21.0/24    10.3.33.2       33   ospf      External2  10         110
    10.2.22.0/24    10.3.33.2       33   ospf      External2  10         110
    10.2.23.0/24    10.3.33.2       33   ospf      External2  10         110
    10.2.29.0/24    10.3.33.2       33   ospf      External2  10         110
    10.3.31.0/24    10.3.32.1       32   ospf      IntraArea  2          110
    10.3.31.0/24    10.3.33.2       33   ospf      IntraArea  2          110
    10.3.32.0/24    VLAN32          32   connected            1          0
    10.3.33.0/24    VLAN33          33   connected            1          0
    10.3.34.0/24    VLAN34          34   connected            1          0
    10.3.37.0/24    10.3.33.2       33   ospf      IntraArea  2          110
    127.0.0.0/8     reject               static               0          0
    127.0.0.1/32    lo0                  connected            1          0
However, it falls short in the southern RIP domain. The northern RIP routes are distributed as expected, but some of the routes from the OSPF domain are missing: 10.3.32.x and 10.3.34.x. Here is the Southeast router's route table:
    Southeast(config)# show ip route

    IP Route Entries

    Destination     Gateway         VLAN Type      Sub-Type   Metric     Dist.
    --------------- --------------- ---- --------- ---------- ---------- -----
    10.1.11.0/24    10.2.21.1       21   rip                  2          120
    10.1.13.0/24    10.2.21.1       21   rip                  2          120
    10.1.15.0/24    10.2.21.1       21   rip                  2          120
    10.1.16.0/24    10.2.21.1       21   rip                  2          120
    10.2.21.0/24    VLAN21          21   connected            1          0
    10.2.22.0/24    VLAN22          22   connected            1          0
    10.2.23.0/24    VLAN23          23   connected            1          0
    10.2.29.0/24    10.2.21.1       21   rip                  2          120
    10.3.31.0/24    10.2.21.1       21   rip                  2          120
    10.3.33.0/24    10.2.21.1       21   rip                  2          120
    10.3.37.0/24    10.2.21.1       21   rip                  2          120
    127.0.0.0/8     reject               static               0          0
    127.0.0.1/32    lo0                  connected            1          0
You can solve this problem by adding a second sequence to the route map to deal with the routes from the OSPF domain. The expanded route map becomes:
    route-map "PermitOdds" permit seq 10
       match ip address prefix-list "Odds"
       exit
    route-map "PermitOdds" permit seq 20
       match source-protocol ospf
       exit
Now all the desired routes show up in the Southeast router's route table:
    Southeast(config)# show ip route

    IP Route Entries

    Destination     Gateway         VLAN Type      Sub-Type   Metric     Dist.
    --------------- --------------- ---- --------- ---------- ---------- -----
    10.1.11.0/24    10.2.21.1       21   rip                  2          120
    10.1.13.0/24    10.2.21.1       21   rip                  2          120
    10.1.15.0/24    10.2.21.1       21   rip                  2          120
    10.1.16.0/24    10.2.21.1       21   rip                  2          120
    10.2.21.0/24    VLAN21          21   connected            1          0
    10.2.22.0/24    VLAN22          22   connected            1          0
    10.2.23.0/24    VLAN23          23   connected            1          0
    10.2.29.0/24    10.2.21.1       21   rip                  2          120
    10.3.31.0/24    10.2.21.1       21   rip                  2          120
    10.3.32.0/24    10.2.21.1       21   rip                  2          120
    10.3.33.0/24    10.2.21.1       21   rip                  2          120
    10.3.34.0/24    10.2.21.1       21   rip                  2          120
    10.3.37.0/24    10.2.21.1       21   rip                  2          120
    127.0.0.0/8     reject               static               0          0
    127.0.0.1/32    lo0                  connected            1          0
In addition to using route maps to filter routes, you can also use them to apply properties to the routes. For example, to apply a route metric when redistributing routes from the northern RIP domain to the OSPF domain, you could apply the metric with a set metric command in a route map in the North router:
    route-map "Metric25" permit seq 10
       match source-protocol rip
       set metric 25
       exit
Then you could redistribute from the router ospf context:
    router ospf
       area backbone
       redistribute connected
       redistribute rip route-map "Metric25"
       exit
The results are displayed in the Metric column of the East router's route table:
    East(config)# show ip route

    IP Route Entries

    Destination     Gateway         VLAN Type      Sub-Type   Metric     Dist.
    --------------- --------------- ---- --------- ---------- ---------- -----
    10.1.11.0/24    10.3.32.1       32   ospf      External2  25         110
    10.1.12.0/24    10.3.32.1       32   ospf      External2  25         110
    10.1.13.0/24    10.3.32.1       32   ospf      External2  25         110
    10.1.14.0/24    10.3.32.1       32   ospf      External2  25         110
    10.1.15.0/24    10.3.32.1       32   ospf      External2  10         110
    10.1.16.0/24    10.3.32.1       32   ospf      External2  10         110
    10.2.21.0/24    10.3.33.2       33   ospf      External2  10         110
    10.2.22.0/24    10.3.33.2       33   ospf      External2  10         110
    10.2.23.0/24    10.3.33.2       33   ospf      External2  10         110
    10.2.29.0/24    10.3.33.2       33   ospf      External2  10         110
    10.3.31.0/24    10.3.32.1       32   ospf      IntraArea  2          110
    10.3.31.0/24    10.3.33.2       33   ospf      IntraArea  2          110
    10.3.32.0/24    VLAN32          32   connected            1          0
    10.3.33.0/24    VLAN33          33   connected            1          0
    10.3.34.0/24    VLAN34          34   connected            1          0
    10.3.37.0/24    10.3.33.2       33   ospf      IntraArea  2          110
    127.0.0.0/8     reject               static               0          0
    127.0.0.1/32    lo0                  connected            1          0
Tags provide an alternative method for redistributing routes. For instance, you can set tags when redistributing routes into a domain and then use those tags for matches when redistributing those routes out of the domain. In the following example, tags are set as the routes pass through the North router from the northern RIP domain to the OSPF domain, and those tags are used for matching when the routes pass out of the OSPF domain through the South router to the southern RIP domain.
Establish prefix lists on the North router to separate the "odd" and "even" routes:
    ip prefix-list "Odds" seq 5 permit 10.1.11.1 255.255.255.0 ge 24 le 24
    ip prefix-list "Odds" seq 10 permit 10.1.13.1 255.255.255.0 ge 24 le 24
    ip prefix-list "Evens" seq 5 permit 10.1.12.1 255.255.255.0 ge 24 le 24
    ip prefix-list "Evens" seq 10 permit 10.1.14.1 255.255.255.0 ge 24 le 24
Then set up a route map with separate sequences to tag the odd and even routes:
    route-map "TagIn" permit seq 10
       match ip address prefix-list "Odds"
       set tag 1
       exit
    route-map "TagIn" permit seq 20
       match ip address prefix-list "Evens"
       set tag 2
       exit
Set up a separate route map to match the connected routes, and assign the same tag value you used for the odd routes. This allows you to propagate both the odd and the connected routes, but not the even routes, to the southern RIP domain.
    route-map "TagConn" permit seq 10
       match source-protocol connected
       set tag 1
       exit
Redistribute the routes to the OSPF domain using the route maps:
    router ospf
       area backbone
       redistribute connected route-map "TagConn"
       redistribute rip route-map "TagIn"
       exit
On the South router set up a route map with three sequences:
- One to permit routes with tag values of 1
- One to deny routes with tag values of 2
- One to permit OSPF routes (this propagates all the routes from the OSPF domain)
The route map looks like this:
    route-map "TagOut" permit seq 10
       match tag 1
       exit
    route-map "TagOut" deny seq 20
       match tag 2
       exit
    route-map "TagOut" permit seq 30
       match source-protocol ospf
       exit
This arrangement permits the odd routes from the northern RIP domain and the RIP routes that were connected to the North router. It denies the even routes from the northern RIP domain, and it permits the OSPF routes. The route table from the Southeast router shows the results:
    Southeast(config)# show ip route

    IP Route Entries

    Destination     Gateway         VLAN Type      Sub-Type   Metric     Dist.
    --------------- --------------- ---- --------- ---------- ---------- -----
    10.1.11.0/24    10.2.21.1       21   rip                  2          120
    10.1.13.0/24    10.2.21.1       21   rip                  2          120
    10.1.15.0/24    10.2.21.1       21   rip                  2          120
    10.1.16.0/24    10.2.21.1       21   rip                  2          120
    10.2.21.0/24    VLAN21          21   connected            1          0
    10.2.22.0/24    VLAN22          22   connected            1          0
    10.2.23.0/24    VLAN23          23   connected            1          0
    10.2.29.0/24    10.2.21.1       21   rip                  2          120
    10.3.31.0/24    10.2.21.1       21   rip                  2          120
    10.3.32.0/24    10.2.21.1       21   rip                  2          120
    10.3.33.0/24    10.2.21.1       21   rip                  2          120
    10.3.34.0/24    10.2.21.1       21   rip                  2          120
    10.3.37.0/24    10.2.21.1       21   rip                  2          120
    127.0.0.0/8     reject               static               0          0
    127.0.0.1/32    lo0                  connected            1          0
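
The first-match evaluation behind the two South-router filters above (the single-sequence "PermitOdds" map that left out 10.3.32.x and 10.3.34.x, and the three-sequence "TagOut" map), modelled in Python as an added example; it is not code from the original page or from the switch software. The route list is constructed sample data, and the model assumes what the route tables above show: a route that matches no sequence is not redistributed.

```python
import ipaddress

# Constructed sample: OSPF-learned routes in the South router's table.
# Tags 1 and 2 are the values set on North by "TagIn"/"TagConn"; 0 = untagged.
# (PERMIT_ODDS below ignores the tag field.)
SOUTH_OSPF_ROUTES = [
    {"prefix": "10.1.11.0/24", "proto": "ospf", "tag": 1},
    {"prefix": "10.1.12.0/24", "proto": "ospf", "tag": 2},
    {"prefix": "10.1.13.0/24", "proto": "ospf", "tag": 1},
    {"prefix": "10.1.14.0/24", "proto": "ospf", "tag": 2},
    {"prefix": "10.1.15.0/24", "proto": "ospf", "tag": 1},
    {"prefix": "10.1.16.0/24", "proto": "ospf", "tag": 1},
    {"prefix": "10.3.32.0/24", "proto": "ospf", "tag": 0},
    {"prefix": "10.3.34.0/24", "proto": "ospf", "tag": 0},
]

# ip prefix-list "Odds" as expanded for South: (address/mask length, ge, le).
ODDS = [("10.1.11.1/24", 24, 24), ("10.1.13.1/24", 24, 24),
        ("10.1.15.1/24", 24, 24), ("10.1.16.1/24", 24, 24)]


def in_prefix_list(entries, prefix):
    """True if a permit entry covers prefix and its length is within ge..le."""
    net = ipaddress.ip_network(prefix)
    for base, ge, le in entries:
        covering = ipaddress.ip_network(base, strict=False)
        if net.subnet_of(covering) and ge <= net.prefixlen <= le:
            return True
    return False


# A route map is modelled as a list of (seq, action, match function) tuples.
PERMIT_ODDS = [(10, "permit", lambda r: in_prefix_list(ODDS, r["prefix"]))]
TAG_OUT = [
    (10, "permit", lambda r: r["tag"] == 1),
    (20, "deny", lambda r: r["tag"] == 2),
    (30, "permit", lambda r: r["proto"] == "ospf"),
]


def evaluate(route_map, route):
    """Return (action, seq) of the first matching sequence.

    Assumption of this model: no match means the route is not redistributed.
    """
    for seq, action, match in sorted(route_map, key=lambda s: s[0]):
        if match(route):
            return action, seq
    return "deny", None


def redistributed(route_map, routes):
    """Prefixes that pass the route map into the southern RIP domain."""
    return [r["prefix"] for r in routes if evaluate(route_map, r)[0] == "permit"]


if __name__ == "__main__":
    for name, rmap in (("PermitOdds", PERMIT_ODDS), ("TagOut", TAG_OUT)):
        print(name)
        for r in SOUTH_OSPF_ROUTES:
            action, seq = evaluate(rmap, r)
            print(f"  {r['prefix']:<14} {action:<6} seq={seq}")
```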