EIGRP Route-Map Filtering

This topic is to discuss the following lesson:

Rene what will happen if both router-map and access-list are deny?

route-map NAME deny 10
match ip address 1

ip access-list standard 1
deny 1.1.1.0
permit any 

thanks!

correction it’s “route-map” not “router-map”.

sorry for typo

Hi John,

That’s a nice trick question, here’s what happens:

Everything in NAME deny 10 with a permit in the access-list will be denied, so this matches the “permit any”.

This means that “1.1.1.0” can be processed further down the route-map, however we don’t have any other route-map statements so it will be denied anyway.

If you would add a “route-map NAME permit 20” with nothing in it then the 1.1.1.0 network would match there and it will be permitted.

Rene

1 Like

Hey Rene should this be corrected.

The topology shows all 172.16.x.x networks as /24 when the route table shows /24 , /25 , /26 , /27
Also, the outbound prefix list section:
For example let’s say that we also want to deny all prefixes in the 172.16.0.0 /16 range that use a /26 subnet mask or smaller.
Should the smaller be changed to larger since the route table below no longer shows the /26 and /27 network

Hi Matt,

I fixed the image so it now shows /25, /26 and 27.

The outbound prefix list is correct but it can be confusing…/27 is a smaller subnet than /26 but it’s a higher number. I changed the sentence to “that use a /26 subnet mask or smaller subnet mask”.

Thanks for sharing this!

Rene

Hi Rene,

Could you show an example with route-map where it matches certain interface

thank you

Hi George,

Sure, here’s an example. We have a router that has learned some EIGRP routes on different interfaces:

R1#show ip route eigrp 
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      2.0.0.0/32 is subnetted, 1 subnets
D        2.2.2.2 [90/130816] via 192.168.12.2, 01:00:49, GigabitEthernet0/1
      3.0.0.0/32 is subnetted, 1 subnets
D        3.3.3.3 [90/130816] via 192.168.13.3, 01:00:50, GigabitEthernet0/2
      4.0.0.0/32 is subnetted, 1 subnets
D        4.4.4.4 [90/130816] via 192.168.14.4, 01:00:49, GigabitEthernet0/3
D     192.168.23.0/24 [90/3072] via 192.168.13.3, 01:00:49, GigabitEthernet0/2
                      [90/3072] via 192.168.12.2, 01:00:49, GigabitEthernet0/1
D     192.168.24.0/24 [90/3072] via 192.168.14.4, 01:00:49, GigabitEthernet0/3
                      [90/3072] via 192.168.12.2, 01:00:49, GigabitEthernet0/1
D     192.168.34.0/24 [90/3072] via 192.168.14.4, 01:00:49, GigabitEthernet0/3
                      [90/3072] via 192.168.13.3, 01:00:49, GigabitEthernet0/2

Let’s enable a route-map that matches on interface Gigabit0/1 and attach it as a distribute-list:

R1(config)#route-map ONLY_FIRST_GIG permit 10
R1(config-route-map)#match interface GigabitEthernet 0/1

R1(config)#router eigrp 1  
R1(config-router)#distribute-list route-map ONLY_FIRST_GIG in

Now the routing table looks like this:

R1#show ip route eigrp 
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      2.0.0.0/32 is subnetted, 1 subnets
D        2.2.2.2 [90/130816] via 192.168.12.2, 00:00:13, GigabitEthernet0/1
      3.0.0.0/32 is subnetted, 1 subnets
D        3.3.3.3 [90/131072] via 192.168.12.2, 00:00:12, GigabitEthernet0/1
      4.0.0.0/32 is subnetted, 1 subnets
D        4.4.4.4 [90/131072] via 192.168.12.2, 00:00:13, GigabitEthernet0/1
D     192.168.23.0/24 [90/3072] via 192.168.12.2, 00:00:13, GigabitEthernet0/1
D     192.168.24.0/24 [90/3072] via 192.168.12.2, 00:00:13, GigabitEthernet0/1
D     192.168.34.0/24 [90/3328] via 192.168.12.2, 00:00:12, GigabitEthernet0/1

There we go, only routes learned on Gigabit0/1 are accepted.

Hope this helps.

Rene

So a route map has to be applied to something in order for it to take effect, similar to an access list has to be applied to an interface with the access group command. How are route maps applied? We have distribute lists, pre fix lists and what else?

Derek,
Route-Maps are the swiss-army knife of Cisco. You can use them for all kinds of things in many different ways depending on the situation. With EIGRP, access-lists, prefix-lists, and route-maps are all options of a distribute-list. In other words, the “distribute-list” keyword is entered first, then you can choose which option you want after. Check out the available options below:

R1(config-router)#distribute-list ?
  <1-199>      IP access list number
  <1300-2699>  IP expanded access list number
  WORD               Access-list name
  gateway            Filtering incoming address updates based on gateway
  prefix             Filter prefixes in address updates
  route-map  Filter prefixes based on the route-map

Now, without getting too deep, where you actually apply this depends on whether you are running EIGRP “classic” mode or EIGRP “named” mode (the new style, also called Multi-Address Family EIGRP).

The example I showed above was from classic mode by going to the EIGRP process (let’s just say, its Autonomous-System 1) by

R1(config)#router eigrp 1

If you are running named mode, it takes a little bit longer to get there. In the example below, I am running EIGRP Named Instance “NetLessons” with AS 1. Here are the commands to get to the right spot in this instance:

R1(config)#router eigrp NetLessons
R1(config-router)#address-family ipv4 unicast autonomous-system 1
R1(config-router-af)#topology base
R1(config-router-af-topology)#distribute-list ?
  <1-199>      IP access list number
  <1300-2699>  IP expanded access list number
  WORD               Access-list name
  gateway            Filtering incoming address updates based on gateway
  prefix             Filter prefixes in address updates
  route-map  Filter prefixes based on the route-map

I hope I understood your question correctly.
--Andrew

Hi Rene, Andrew,

Firstly great article on EIGRP Filtering.

I can stop the routers in question from sending outbound advertisements for the subnet 192.168.21.0/24 (Snippet below) using the outbound route-map on the neighbour router. Is it possible to filter specific routes to a subnet via inbound filtering ? As per you instruction I can get it to block the whole subnet but I actually want to block only certain routes to that subnet - if that makes sense!

I will using HSRP with IP SLA on the GigabitEthernet0/0/1.30 (Another great lesson :-)) to failover to another router and I want to make sure that the only way that the routers can access 192.168.21.0/24 is via either 101.1 or 101.2

Router#sh ip eigrp topology all-links

P 192.168.21.0/24, 2 successors, FD is 28416, serno 71
via 192.168.101.1 (28416/2816), GigabitEthernet0/0/1.30
via 192.168.101.2 (28416/2816), GigabitEthernet0/0/1.30
via 192.168.10.252 (28672/28416), GigabitEthernet0/0/0.40
via 192.168.11.252 (28672/28416), GigabitEthernet0/0/0.41

Thanks
matt

Hi Matt,

Good to hear you like it :slight_smile:

If you use inbound filtering then you can also select the interface. Is that what you are looking for? Here’s an example:

R1#show ip route eigrp
D        2.2.2.2 [90/130816] via 192.168.14.4, 00:00:20, GigabitEthernet0/3
                 [90/130816] via 192.168.13.3, 00:00:20, GigabitEthernet0/2
                 [90/130816] via 192.168.12.2, 00:00:20, GigabitEthernet0/1

R1 has three entries for 2.2.2.2/32. Let’s filter two of those:

R1(config)#access-list 1 deny host 2.2.2.2
R1(config)#access-list 1 permit any
R1(config)#router eigrp 1
R1(config-router)#distribute-list 1 in GigabitEthernet0/2
R1(config-router)#distribute-list 1 in GigabitEthernet0/3

After applying the distribute-list on GigabitEthernet0/2 and 0/3, only the route through GigabitEthernet0/1 will remain:

R1#show ip route eigrp
D        2.2.2.2 [90/130816] via 192.168.12.2, 00:00:45, GigabitEthernet0/1

Does this help?

Rene

Hi Rene,

Thanks this worked perfectly :slight_smile:

Out of interest do you have an article on using route-map’s & lists to manage EIGRP delay’s ? I can see that you have an article on unequal load balancing with EIGRP but I don’t wish to load-balance over the links. I only want these

I have currently got around this by setting simple delays on the interface’s but this advertises the delay for that VLAN to all routers, whilst I am all for keeping it simple I may want more granular control going forward.

Cheers
Matt

Hi Matt,

If you only want to change the delay then you’ll have to change it on the interface level. You can influence the EIGRP metric though with a route-map if you want with an offset-list, this is probably what you are looking for. Take a look here:

The example is for RIP but works the same for EIGRP.

Rene

Hello Rene,

In the second example, the requirement is to to deny all prefixes in the 172.16.0.0 /16 range that use a /26 subnet mask or smaller subnet mask. Which means 172.16.20/26, 172.16.1.0/25 and 172.16.0.0/24 should not be advertise to R2. But show ip route in R2, after applyting the prefix-list SMALL_PREFIXES, is showing 172.16.0.0/24 and 172.16.1.0/25. I do not understand this part. I thought:

D       172.16.2.0/26 [90/409600] via 192.168.12.1, 00:01:01, FastEthernet0/0
D       172.16.3.0/27 [90/409600] via 192.168.12.1, 00:01:01, FastEthernet0/0

Should be the only two subnets to be advertised to R2.

PLease explain.

Thanks,

Jose

Jose,
The confusion is around the word “smaller.” When you use it, you mean any number numerically smaller than “26”. So you are expecting /25, /24, etc to be filtered out. However, when Rene uses the term “smaller” he is talking about the number of possible hosts in the subnet. Therefore, given how Rene is using the term, /27 and /28 are “smaller” than /26 (because there is a smaller possible number of hosts in those subnets).

Incidentally, in networking circles, Rene’s use of the term is how people are expecting it to be used.

Does that make sense?

--Andrew

Andrew,

Now makes completely sense. Thanks for the clarification. In one of the previous videos for prefix list, Rene was giving several examples and I think he was using the word “smaller” meaning the actual subnet mask number (CIDR). Thanks again.

Hello Rene,

I am confused as per below access-list it is suppose to allow 192.168.1.0 / 24 and deny all. But how prefix list block only 192.168.1.0 / 24 and allow others. Please help me to understand.

R1(config)#ip access-list standard NET_192
R1(config-std-nacl)#permit 192.168.1.0 0.0.0.255

Mounir,
You are right that your NET_192 access list would match 192.168.1.0/24 and not match anything else (because of an implicit “deny” at the end of an access-list).

Now, in order for a prefix-list to do the same thing, you must also use the prefix-list with something else, say a route-map. A prefix-list by itself will only match or not match a particular network prefix–it won’t perform an action such as permit or deny.

Let’s start by writing the prefix list that will match only 192.168.1.0/24, since you are asking about this:

(config)#ip prefix-list PL_MATCH192 permit 192.168.1.0/24

Notice that since we are trying to match the /24 network exactly, there is no need to use the GE or LE options that a prefix-list gives you. One potential point of confusion is the use of the work “permit” above. “Permit” is not being used in the since of allowing or blocking, but more in the sense of matching.

Next, we need to reference this prefix-list as part of a route-map so the actual actions of allowing or denying will be performed:

(config)#route-map RM_DENY-192 deny 10
(config-route-map)#match ip address prefix-list PL_MATCH192
(config)#route-map RM_DENY-192 permit 20

The way to read the route-map above is, “For anything that is matched by prefix-list PL_MATCH192, don’t allow it, then allow everything else.” The important point here is that it is the route-map, not the prefix-list that is actually responsible from allowing or blocking the 192.168.1.0/24 network. Route-maps also have an implicit deny all at the end, so it was necessary to include the “permit 20” line that matches everything.

PS: I don’t know of many people that do this, but notice the naming convention I used for Route-Maps (RM_…) and Prefix-Lists (PL_…). I find it is very helpful to get into the habit of using naming conventions like this, so you know at a glance what purpose a particular object is serving when you look at it in the IOS code.

Andrew,

Will you be able to use distribute-list, in this case? instead of Route-map?