7.1 Controlling Routing Update Traffic
7.1.4 IP Route filtering configuration example

In this scenario, the router checks the interface on which the update arrives. If it is Ethernet 0, the router applies distribute-list 2 (which references access-list 2) before putting the route in the routing table. If that check denies the network, no further checking is done. If distribute-list 2 allows the network, the global distribute-list 1 is also checked. Only if both distribute lists allow the network is it put in the table. The following algorithm is followed when multiple inbound distribute lists are used:

1.  Extract the next network from inbound update.

2.  Check the interface into which it came.

3.  Is there a distribute list applied to that interface?

    Yes: Is the network denied by that list?
         Yes: Network does not make it; go to Step 1.
         No:  Network allowed; continue to Step 4.
    No:  Go to Step 4.

4.  Is there a global distribute list?

    Yes: Is the network denied by that list?
         Yes: Network does not make it; go to Step 1.
         No:  Network makes it; go to Step 1.
    No:  Network makes it; go to Step 1.

The syntax for the distribute-list out command follows:

distribute-list access-list-number out [interface-name | routing-process | autonomous-system-number]

where access-list-number is the standard IP access list against which the contents of the outgoing routing update are matched. The optional interface-name argument specifies the interface on which the update goes out. The routing-process and autonomous-system-number arguments are used when redistribution from another routing process or autonomous system (AS) has been configured; the list is then applied to the routes being imported from the specified process into the current one.

For example:

access-list 1 permit 1.0.0.0 0.255.255.255
router rip
redistribute igrp 20
distribute-list 1 out igrp 20

Here, routes from igrp 20 are redistributed into rip. Any outbound routing update that was originally sourced from igrp 20 is checked against access-list 1, so only routes matching 1.xxx.xxx.xxx are sent.

Note that it is possible to specify multiple distribute lists for a given routing process if they are applied to different interfaces or globally. For any given routing protocol, it is possible to define one interface-specific distribute list per interface, and one protocol-specific distribute list for each process/AS pair.

access-list 1 permit 1.0.0.0 0.255.255.255
access-list 2 permit 1.2.3.0 0.0.0.255
router rip
distribute-list 2 out ethernet 0
distribute-list 1 out

In this scenario, the router sends only routes within the 1.2.3.0 subnet out Ethernet 0, while updates about any network within 1.0.0.0 (including the 1.2.3.0 subnet itself) are flooded out all the other interfaces. The following algorithm is followed when multiple outbound distribute lists are used:

1.  Select the next network for the outbound update.

2.  Check the interface into which the update is being sent.

3.  Is there a distribute list applied to that interface?

    Yes: Is the network denied by that list?
         Yes: Network does not go out; go to Step 1.
         No:  Network goes out; continue to Step 4.
    No:  Go to Step 4.

4.  Check the routing process or AS from which the route was derived.

5.  Is there a distribute list applied to that process or AS?

    Yes: Is the network denied by that list?
         Yes: Network does not go out; go to Step 1.
         No:  Network goes out; continue to Step 6.
    No:  Go to Step 6.

6.  Is there a global distribute list?

    Yes: Is the network denied by that list?
         Yes: Network does not go out; go to Step 1.
         No:  Network goes out; go to Step 1.
    No:  Network goes out; go to Step 1.
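The two decision procedures above (the inbound check on the interface and global lists, and the outbound check on the interface, process/AS and global lists) are easy to get wrong when several lists overlap, so the following simulator walks them step by step for a single routing process. It is an added example, not code from the original text or from IOS. It parses the configuration lines shown above, models a standard access list with first-match semantics and the implicit "deny any" at the end, and then answers "does this network make it?" for a given interface and route source. The names parse_config, inbound_allowed, outbound_allowed, PROCESS_KEYWORDS and the CONFIG text are all constructed for this illustration; CONFIG combines the two configurations from the text with the inbound lists the first scenario describes (list 2 on Ethernet 0, list 1 globally). A route's source is passed as a (process, as-number) tuple, and the simulator assumes every access list referenced by a distribute-list line is defined.

```python
"""Simulator for the inbound and outbound distribute-list decisions above (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Keywords that identify a routing process (rather than an interface) after
# "distribute-list N out". Assumption for parsing, not an exhaustive IOS list.
PROCESS_KEYWORDS = {"rip", "igrp", "eigrp", "ospf", "bgp", "isis", "static", "connected"}

# Constructed configuration: the two examples from the text plus the inbound
# lists the first scenario describes (list 2 on Ethernet 0, list 1 globally).
CONFIG = """
access-list 1 permit 1.0.0.0 0.255.255.255
access-list 2 permit 1.2.3.0 0.0.0.255
router rip
 redistribute igrp 20
 distribute-list 2 in ethernet 0
 distribute-list 1 in
 distribute-list 1 out igrp 20
 distribute-list 2 out ethernet 0
 distribute-list 1 out
"""


def wildcard_match(network: str, entry_addr: str, wildcard: str) -> bool:
    """Standard-ACL match: every bit that is 0 in the wildcard must equal the entry."""
    n = int(ipaddress.IPv4Address(network))
    a = int(ipaddress.IPv4Address(entry_addr))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (n & care) == (a & care)


@dataclass
class AccessList:
    entries: List[Tuple[str, str, str]] = field(default_factory=list)  # (action, addr, wildcard)

    def permits(self, network: str) -> bool:
        for action, addr, wildcard in self.entries:  # first matching entry wins
            if wildcard_match(network, addr, wildcard):
                return action == "permit"
        return False  # implicit "deny any" at the end of every IOS access list


@dataclass
class Policy:
    """Distribute lists for one direction ('in' or 'out'), keyed as in the steps above."""
    per_interface: Dict[str, int] = field(default_factory=dict)
    per_process: Dict[Tuple[str, Optional[str]], int] = field(default_factory=dict)
    global_list: Optional[int] = None


def parse_config(text: str):
    """Return ({acl number: AccessList}, {'in': Policy, 'out': Policy}) for one process."""
    acls: Dict[int, AccessList] = {}
    policy = {"in": Policy(), "out": Policy()}
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "access-list":
            # access-list <number> permit|deny <address> [wildcard]; no wildcard means host match
            number, action, addr = int(tok[1]), tok[2], tok[3]
            wildcard = tok[4] if len(tok) > 4 else "0.0.0.0"
            acls.setdefault(number, AccessList()).entries.append((action, addr, wildcard))
        elif tok[0] == "distribute-list":
            # distribute-list <number> in|out [interface | process [as-number]]
            number, direction, rest = int(tok[1]), tok[2], tok[3:]
            target = policy[direction]
            if not rest:
                target.global_list = number
            elif rest[0] in PROCESS_KEYWORDS:
                target.per_process[(rest[0], rest[1] if len(rest) > 1 else None)] = number
            else:
                target.per_interface[" ".join(rest).lower()] = number
        # "router ..." and "redistribute ..." lines are ignored: one process is modelled
    return acls, policy


def _denied_by(acl_number: Optional[int], network: str, acls: Dict[int, AccessList]) -> bool:
    """True only when a list is applied at this step and that list denies the network."""
    return acl_number is not None and not acls[acl_number].permits(network)


def inbound_allowed(network: str, interface: str, policy: Policy, acls) -> bool:
    """Inbound Steps 3-4: interface-specific list first, then the global list."""
    if _denied_by(policy.per_interface.get(interface.lower()), network, acls):
        return False  # Step 3: dropped by the interface list, nothing else checked
    if _denied_by(policy.global_list, network, acls):
        return False  # Step 4: dropped by the global list
    return True


def outbound_allowed(network: str, interface: str, source: Tuple[str, Optional[str]],
                     policy: Policy, acls) -> bool:
    """Outbound Steps 3, 5 and 6: interface list, then process/AS list, then global list."""
    checks = (policy.per_interface.get(interface.lower()),  # Step 3
              policy.per_process.get(source),               # Step 5
              policy.global_list)                           # Step 6
    return not any(_denied_by(acl, network, acls) for acl in checks)


if __name__ == "__main__":
    acls, policy = parse_config(CONFIG)
    for net, ifc in [("1.2.3.0", "Ethernet 0"), ("1.9.0.0", "Ethernet 0"), ("1.9.0.0", "Ethernet 1")]:
        verdict = "makes it" if inbound_allowed(net, ifc, policy["in"], acls) else "does not make it"
        print(f"in   {net:<12} on {ifc}: {verdict}")
    for net, ifc, src in [("1.2.3.0", "Ethernet 0", ("rip", None)), ("1.5.0.0", "Ethernet 0", ("rip", None)),
                          ("1.5.0.0", "Ethernet 1", ("rip", None)), ("10.1.0.0", "Ethernet 1", ("igrp", "20"))]:
        verdict = "goes out" if outbound_allowed(net, ifc, src, policy["out"], acls) else "does not go out"
        print(f"out  {net:<12} via {ifc} from {src[0]} {src[1] or ''}: {verdict}")
```

Running the script prints one line per sample route. The outbound rows reproduce the scenario in the text: 1.5.0.0 is blocked on Ethernet 0 by list 2 but advertised on Ethernet 1 under the global list 1, while a route learned from igrp 20 that falls outside 1.0.0.0 is stopped at Step 5 on every interface. Because `AccessList.permits` returns False when nothing matches, a distribute list whose access list contains only permit entries silently drops every route it does not name, which is the usual source of surprise when a new prefix is added to a network.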

Note that distribute-list checking is only one of the many checks performed on a distance vector route before it is included in the routing table or in an update. Checks are also made for desirability, policies, split horizon, and so on.