EIGRP Route-Map Filtering

Mounir,
You are right that your NET_192 access list would match 192.168.1.0/24 and not match anything else (because of an implicit “deny” at the end of an access-list).

Now, in order for a prefix-list to do the same thing, you must also use the prefix-list with something else, say a route-map. A prefix-list by itself will only match or not match a particular network prefix–it won’t perform an action such as permit or deny.

Let’s start by writing the prefix list that will match only 192.168.1.0/24, since you are asking about this:

(config)#ip prefix-list PL_MATCH192 permit 192.168.1.0/24

Notice that since we are trying to match the /24 network exactly, there is no need to use the GE or LE options that a prefix-list gives you. One potential point of confusion is the use of the word “permit” above. “Permit” is not being used in the sense of allowing or blocking, but more in the sense of matching.

Next, we need to reference this prefix-list as part of a route-map so the actual actions of allowing or denying will be performed:

(config)#route-map RM_DENY-192 deny 10
(config-route-map)#match ip address prefix-list PL_MATCH192
(config)#route-map RM_DENY-192 permit 20

The way to read the route-map above is, “For anything that is matched by prefix-list PL_MATCH192, don’t allow it, then allow everything else.” The important point here is that it is the route-map, not the prefix-list, that is actually responsible for allowing or blocking the 192.168.1.0/24 network. Route-maps also have an implicit deny all at the end, so it was necessary to include the “permit 20” line that matches everything.

PS: I don’t know of many people that do this, but notice the naming convention I used for Route-Maps (RM_…) and Prefix-Lists (PL_…). I find it is very helpful to get into the habit of using naming conventions like this, so you know at a glance what purpose a particular object is serving when you look at it in the IOS code.

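Added example, not part of the original post: a small Python model of how the route-map and prefix-list above evaluate a set of routes, including the exact-length match when GE/LE are absent and the implicit deny when the "permit 20" clause is missing. The function names, the RM_NO_CATCHALL variant and the sample routes are constructed for illustration; this is a simplified model of the matching rules, not IOS code.

```python
import ipaddress

# The post's objects as data. RM_NO_CATCHALL is a constructed variant
# that omits "permit 20" to show the implicit deny.
PREFIX_LISTS = {"PL_MATCH192": [("permit", "192.168.1.0/24", None, None)]}
RM_DENY_192 = [(10, "deny", "PL_MATCH192"), (20, "permit", None)]
RM_NO_CATCHALL = [(10, "deny", "PL_MATCH192")]

def entry_matches(prefix, ge, le, route):
    """One prefix-list entry: the route must sit inside the entry's network
    and its mask length must fall in the allowed range."""
    net = ipaddress.ip_network(prefix)
    rt = ipaddress.ip_network(route)
    if ge is None and le is None:
        lo = hi = net.prefixlen              # no GE/LE: exact length only
    else:
        lo = ge if ge is not None else net.prefixlen
        hi = le if le is not None else 32
    return rt.subnet_of(net) and lo <= rt.prefixlen <= hi

def prefix_list_matches(name, route):
    """First matching entry decides; 'permit' means 'this is a match'."""
    for action, prefix, ge, le in PREFIX_LISTS[name]:
        if entry_matches(prefix, ge, le, route):
            return action == "permit"
    return False                             # implicit deny: no match

def route_map_decision(route_map, route):
    """Walk clauses by sequence number; the first clause that matches wins."""
    for _seq, action, plist in sorted(route_map, key=lambda c: c[0]):
        # A clause without a match statement matches every route.
        if plist is None or prefix_list_matches(plist, route):
            return action
    return "deny"                            # implicit deny at end of route-map

def filter_routes(route_map, routes):
    """Return the routes the route-map lets through."""
    return [r for r in routes if route_map_decision(route_map, r) == "permit"]

if __name__ == "__main__":
    # Constructed sample routes.
    routes = ["192.168.1.0/24", "192.168.1.0/25", "10.0.0.0/8"]
    print("RM_DENY-192:     ", filter_routes(RM_DENY_192, routes))
    print("without permit 20:", filter_routes(RM_NO_CATCHALL, routes))
```

Note that 192.168.1.0/25 passes the filter: without LE, the prefix-list entry matches only the /24 itself, so more-specific subnets fall through to clause 20.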