Tagging routes... why, exactly?
mikearama
Yeah, I don't get it. I hope it's not so blatantly obvious that I feel silly, but I can't find any real value to tagging redistributed routes.
IE...
route-map OSFP-into-EIGRP permit 10
 match ip next-hop 10.22.150.1
 set tag 5
What's the tag do?
If I do a "sh ip eig topo 10.22.151.0 255.255.255.0 | in tag" then sure, the output says "Administrator tag is 5", but is there any real value to this number? I don't see how it matters.
Preciate your thoughts.
Comments
Plazma
Tags are great.. but they're locally significant (kinda like some BGP Communities/DLCIs). It's mostly to make your life a bit easier and to create a sort of mnemonic to remember.
In your example, since routes are tagged 5, if you wanted to deny this set of routes to somewhere else, you could simply set up another route map to do that based on the tag value.
! "deny" is stated explicitly; a route-map entry with no action defaults to permit
route-map DENY-NH-10.22.150.1 deny 20
 match tag 5
All in all, it's just another way to do things.
ColbyG
Tags are used to prevent routing loops with mutual redistribution. Take a look at this doc:
Redistributing Routing Protocols - Cisco Systems
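The loop-prevention use mentioned in the comment above, as an added example that is not part of any post in this thread: each redistribution direction tags what it injects and refuses routes already carrying the other direction's tag, so a route cannot be re-injected into the protocol it came from. The process and AS numbers, tag values, seed metric and route-map names are assumptions chosen for illustration.

```cisco
! Constructed example: process/AS numbers, tag values, seed metric and
! route-map names are assumptions, not taken from the thread.
! Apply the same configuration on every router that redistributes in both
! directions. It works across routers because the tag is carried with the
! external route inside OSPF and EIGRP.
!
! OSPF -> EIGRP: refuse routes that originally came from EIGRP (tag 90),
! then tag everything else as "came from OSPF" (tag 110).
route-map OSPF-to-EIGRP deny 10
 match tag 90
route-map OSPF-to-EIGRP permit 20
 set tag 110
!
! EIGRP -> OSPF: refuse routes that originally came from OSPF (tag 110),
! then tag everything else as "came from EIGRP" (tag 90).
route-map EIGRP-to-OSPF deny 10
 match tag 110
route-map EIGRP-to-OSPF permit 20
 set tag 90
!
router eigrp 100
 redistribute ospf 1 metric 10000 100 255 1 1500 route-map OSPF-to-EIGRP
!
router ospf 1
 redistribute eigrp 100 subnets route-map EIGRP-to-OSPF
```

With this in place, the "Administrator tag" line in the EIGRP topology output quoted in the original question should read 110 for any prefix that was redistributed from OSPF.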
vinbuck
Tags are really handy to deny external routes in OSPF. Since external routes are propagated throughout the OSPF domain, you can assign a tag (since I work in the SP world, I assign tags by geographic region) and then deny or permit anything inbound that is marked with that tag wherever you need to. This is especially helpful if you use an IGP like OSPF to run iBGP and need to limit OSPF external routes to certain portions of the network.
The big benefit is that you don't have to keep up with multiple distribute lists and corresponding ACLs when you add an external route - you just tag the route and if there are distribute lists already in place to block that tag, then you're good to go.
mikearama
Sure, I can see how you could set up a route-map to match the tag... but why go to that extra step?
I mean, in my example, I just created a "permit" route map. So I want this route to be redistributed. Otherwise, I wouldn't have matched it, and it would have been omitted by the implicit deny. If they're only locally significant, then I don't see when I would want to permit the route to be redistributed into another protocol, just to turn around and use the tag to deny it.
What am I missing?
Plazma
Well think about it from an ISP perspective.. you may have a whole metric ton of routes you have to deal with.. and you can't really filter all of them, but you can be more selective.. marking specific prefixes with tags, and then redistributing only those tagged routes.
Sure you can do it a variety of ways.. it's just another way available to you.
networker050184
The tag is just an arbitrary string of bits to match on. Sure you could make a gigantic prefix-list to match on the routes you want, but it's much easier to apply a tag to them on redistribution and match on that tag. Same with communities in BGP.
jimbarino
I actually just used tags in a customer installation. They wanted each site to have a backup default route that pointed them to another site on the WAN in case their local firewall went down. The kicker was that they wanted the west coast sites to back each other up, while the other sites went to the DC on the East Coast. So I had three sites injecting default routes into OSPF, and each site had to pick which one it wanted (used an SLA on the static default, so if it couldn't get to the far side of the firewall that route went away). I suppose I could have filtered by source, but I found it easier to just tag the default route at the source, then filter based on that tag at the destination.