EIGRP Route-Map Filtering


(Rene Molenaar) #14

Hi Matt,

If you only want to change the delay then you’ll have to change it on the interface level. You can influence the EIGRP metric though with a route-map if you want with an offset-list, this is probably what you are looking for. Take a look here:

The example is for RIP but works the same for EIGRP.

Rene


(Jose A) #15

Hello Rene,

In the second example, the requirement is to deny all prefixes in the 172.16.0.0 /16 range that use a /26 subnet mask or smaller subnet mask. Which means 172.16.20/26, 172.16.1.0/25 and 172.16.0.0/24 should not be advertised to R2. But show ip route in R2, after applying the prefix-list SMALL_PREFIXES, is showing 172.16.0.0/24 and 172.16.1.0/25. I do not understand this part. I thought:

D       172.16.2.0/26 [90/409600] via 192.168.12.1, 00:01:01, FastEthernet0/0
D       172.16.3.0/27 [90/409600] via 192.168.12.1, 00:01:01, FastEthernet0/0

Should be the only two subnets to be advertised to R2.

Please explain.

Thanks,

Jose


(Andrew P) #16

Jose,
The confusion is around the word “smaller.” When you use it, you mean any number numerically smaller than “26”. So you are expecting /25, /24, etc to be filtered out. However, when Rene uses the term “smaller” he is talking about the number of possible hosts in the subnet. Therefore, given how Rene is using the term, /27 and /28 are “smaller” than /26 (because there is a smaller possible number of hosts in those subnets).

Incidentally, in networking circles, Rene’s use of the term is how people are expecting it to be used.

Does that make sense?

--Andrew


(Jose A) #17

Andrew,

Now it makes complete sense. Thanks for the clarification. In one of the previous videos for prefix lists, Rene was giving several examples and I think he was using the word “smaller” meaning the actual subnet mask number (CIDR). Thanks again.


(mounir b) #18

Hello Rene,

I am confused. As per the access-list below, it is supposed to allow 192.168.1.0/24 and deny all. But how does the prefix list block only 192.168.1.0/24 and allow others? Please help me to understand.

R1(config)#ip access-list standard NET_192
R1(config-std-nacl)#permit 192.168.1.0 0.0.0.255

(Andrew P) #19

Mounir,
You are right that your NET_192 access list would match 192.168.1.0/24 and not match anything else (because of an implicit “deny” at the end of an access-list).

Now, in order for a prefix-list to do the same thing, you must also use the prefix-list with something else, say a route-map. A prefix-list by itself will only match or not match a particular network prefix; it won’t perform an action such as permit or deny.

Let’s start by writing the prefix list that will match only 192.168.1.0/24, since you are asking about this:

(config)#ip prefix-list PL_MATCH192 permit 192.168.1.0/24

Notice that since we are trying to match the /24 network exactly, there is no need to use the GE or LE options that a prefix-list gives you. One potential point of confusion is the use of the word “permit” above. “Permit” is not being used in the sense of allowing or blocking, but more in the sense of matching.

Next, we need to reference this prefix-list as part of a route-map so the actual actions of allowing or denying will be performed:

(config)#route-map RM_DENY-192 deny 10
(config-route-map)#match ip address prefix-list PL_MATCH192
(config)#route-map RM_DENY-192 permit 20

The way to read the route-map above is, “For anything that is matched by prefix-list PL_MATCH192, don’t allow it, then allow everything else.” The important point here is that it is the route-map, not the prefix-list, that is actually responsible for allowing or blocking the 192.168.1.0/24 network. Route-maps also have an implicit deny all at the end, so it was necessary to include the “permit 20” line that matches everything.

PS: I don’t know of many people that do this, but notice the naming convention I used for Route-Maps (RM_…) and Prefix-Lists (PL_…). I find it is very helpful to get into the habit of using naming conventions like this, so you know at a glance what purpose a particular object is serving when you look at it in the IOS code.


(Jose A) #20

Andrew,

Would you be able to use a distribute-list in this case, instead of a route-map?


(Andrew P) #21

Jose,
Yes, but you will have to change the logic of how the prefix-list is written. Instead of relying on a route-map to perform the permit/deny actions, the prefix-list will have to do this now. So, if our goal is to deny 192.168.1.0/24 but allow everything else, you could do it like this:

(config)#ip prefix-list PL_NO192 seq 10 deny 192.168.1.0/24
(config)#ip prefix-list PL_NO192 seq 20 permit 0.0.0.0/0 le 32

(config)#router eigrp 1
(config-router)#distribute-list prefix PL_NO192 in

Note that the second sequence of PL_NO192 is saying “allow any subnet of any network that is less than or equal to 32 bits in length” which means everything.


(Networklessons Admin) split this topic #22

19 posts were merged into an existing topic: EIGRP Route-Map Filtering


(Barry C) #23

Hi Rene,

I have a quick question on EIGRP filtering in general. Say I have 3 routers, R1, R2, and R3 all running EIGRP and connected.

R1 has 10.10.10.0/24 and 20.20.20.0/24
If I want to advertise 10.10.10.0/24 only to R3 but not R2…
From reading your lesson, I learned that I can apply a distribute-list acl in on R3 to block the advertisement of 10.10.10.0/24…

Can this be done on R1 to filter outbound EIGRP advertisement of 10.10.10.0/24 only to R3 but not R2?

Thanks!

Barry


(jonrandall) #24

Hi @bwcc89,

This is a great question and you’ll be pleased to hear that yes it is definitely possible.
We can use a network statement (or other method) as normal to bring the network into the EIGRP topology and then use “distribute-list xx out” to prevent EIGRP from advertising matching routes.

The little extra configuration we need is to tell the EIGRP process to only apply that distribute list on the interface leading to R3. In this case our configuration changes to look like "distribute-list xx out "

Here is a code example from another network:

access-list 50 deny 192.168.100.0 0.0.0.128

router eigrp 155
passive-interface Loopback0
network 10.2.3.0 0.0.0.255
network 172.30.201.0 0.0.0.255
network 192.168.100.2 0.0.0.0
distribute-list 50 out FastEthernet0/0
no auto-summary

So you can see it’s very straightforward; probably just as you expect from EIGRP!

Kind regards,
Jon


(brad k) #25

Hi, I have been working very peripherally on Cisco for a few years but signed up and love your explanations. I am working through this lesson but am surprised there is not more of an “intro” to route maps somewhere on the site; it seems there is a bit of assumed knowledge in this lesson…


(brad k) #26

ok I’m in over my head…

In seq 20, why is there a ge 26 when trying to limit the prefix to smaller than 26? I’ll reread in the morning; hopefully it will make sense then…


(Lazaros Agapides) #27

Hello Brad.

Your feedback is always important and valuable. I suggest you submit your comments to the Lesson Ideas section of the site so that it can be considered as a possible separate lesson.


Thanks again for the feedback!

Laz


(Lazaros Agapides) #28

Hello Brad

If I’m not mistaken, you are talking about this set of commands:

R1(config)#route-map FILTER_OUT deny 20
R1(config-route-map)#match ip address prefix-list SMALL_PREFIXES

R1(config)#ip prefix-list SMALL_PREFIXES permit 172.16.0.0/16 ge 26

R1(config)#route-map FILTER_OUT permit 30

The prefix-list uses the permit statement to match IP addresses. So for the above configured prefix list, the IP addresses that will be matched are those with a prefix greater than or equal to 26.

The route map denies packets that match this prefix list, so they will deny any prefix greater than or equal to 26. This is indeed the opposite of what we want, so the ge 26 should be le 25.

I will let @ReneMolenaar know.

Thanks for catching that!

Laz


(Rene Molenaar) #29

Hi Brad,

I just changed the wording a bit, this can be confusing. What I meant are subnets that are /26 or smaller subnets. The prefix number is higher but the subnets get smaller :) This means we want to match:

  • /26
  • /27
  • /28
  • /29
  • /30
  • /31
  • /32

We can do this with the following statement:

ip prefix-list SMALL_PREFIXES permit 172.16.0.0/16 ge 26

Rene
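To make the matching rules discussed in Andrew's posts #19 and #21 and in Rene's post #29 concrete, here is an added example (written for this thread, not part of the lesson or of IOS): a small Python model of IOS prefix-list evaluation with ge/le and of a route-map with match clauses, applied to the exact prefix-lists from those posts. Entry and sequence names mirror the thread; the route set for FILTER_OUT is R1's four subnets from Jose's question.

```python
from ipaddress import ip_network

def entry_matches(route, entry):
    """One 'ip prefix-list' line: (action, prefix, ge, le).
    The route must lie inside the entry's prefix and its length must fall in
    the ge/le window; with no ge/le the length must equal the entry's own."""
    action, prefix, ge, le = entry
    net, r = ip_network(prefix), ip_network(route)
    if not r.subnet_of(net):
        return False
    low = ge if ge is not None else net.prefixlen
    high = le if le is not None else (32 if ge is not None else net.prefixlen)
    return low <= r.prefixlen <= high

def prefix_list_permits(route, entries):
    """First matching entry decides; implicit deny at the end."""
    for entry in entries:
        if entry_matches(route, entry):
            return entry[0] == "permit"
    return False

def route_map_permits(route, sequences):
    """sequences: (action, prefix_list or None). A sequence whose prefix-list
    permits the route matches; None (no match clause) matches everything.
    Implicit deny at the end, which is why a final 'permit' is needed."""
    for action, pl in sequences:
        if pl is None or prefix_list_permits(route, pl):
            return action == "permit"
    return False

# Post #19: deny 192.168.1.0/24 with a route-map, permit everything else
PL_MATCH192 = [("permit", "192.168.1.0/24", None, None)]
RM_DENY_192 = [("deny", PL_MATCH192), ("permit", None)]
# Post #21: the same result from the prefix-list alone (distribute-list prefix)
PL_NO192 = [("deny", "192.168.1.0/24", None, None),
            ("permit", "0.0.0.0/0", None, 32)]
# Post #29: /26 and smaller subnets of 172.16.0.0/16, denied by FILTER_OUT
SMALL_PREFIXES = [("permit", "172.16.0.0/16", 26, None)]
FILTER_OUT = [("deny", SMALL_PREFIXES), ("permit", None)]

def filter_out_results(routes=("172.16.0.0/24", "172.16.1.0/25",
                               "172.16.2.0/26", "172.16.3.0/27")):
    """Which of R1's subnets FILTER_OUT lets through to R2."""
    return {r: route_map_permits(r, FILTER_OUT) for r in routes}

if __name__ == "__main__":
    for route, advertised in filter_out_results().items():
        print(route, "advertised" if advertised else "filtered")
```

Note that an entry without ge/le matches only that exact length, so PL_NO192 would still permit a more specific 192.168.1.0/25 (the model returns True for it), which is why "le" is added when a whole range is meant.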


(Michal P) #30

Hello guys,
I have a few problems with EIGRP and its distribute-lists.

I'm playing with filtering on R1.
Topology looks like this.

(topology diagram)

Problem 1:

I want to block incoming route 2.1.0.0/25 (R3 Loopback 802) only from R3, using Extended Named ACL.

I cannot use Named Extended ACL in EIGRP distribute-list. Getting this error message.

R1(config)#router eigrp 100
R1(config-router)#distribute-list ACL_BLOCK_R3_L802 in
% The ACL cannot be created or an ACL with the same name but incompatible type already exists.

R1(config-router)#do show ip access-list ACL_BLOCK_R3_L802
Extended IP access list ACL_BLOCK_R3_L802
    100 deny ip host 123.0.0.3 2.1.0.0 0.0.0.127
    200 permit ip any any

So is the EIGRP distribute-list not compatible with a Named Extended ACL, or is it just an issue with my GNS3 emulator? I use the Cisco VIRL image IOSv 15.6(2)T.

R1(config-router)# do show version | include Version
Cisco IOS Software, IOSv Software (VIOS-ADVENTERPRISEK9-M), Version 15.6(2)T, RELEASE SOFTWARE (fc2)

Everything works fine, when I use Numbered Extended ACL.

R1(config-router)#do show access-list 150
Extended IP access list 150
    10 deny ip host 123.0.0.3 2.1.0.0 0.0.0.127
    20 permit ip any any

R1(config-router)#do show run | section eigrp
router eigrp 100
 distribute-list 150 in
 network 123.0.0.1 0.0.0.0
 passive-interface default
 no passive-interface GigabitEthernet0/1
 eigrp router-id 0.0.0.1

R1(config-router)#do show ip route eigrp | begin Gateway
Gateway of last resort is not set

      2.0.0.0/8 is variably subnetted, 6 subnets, 6 masks
D        2.0.0.0/24 [90/130816] via 123.0.0.3, 00:27:43, GigabitEthernet0/1
                    [90/130816] via 123.0.0.2, 00:27:43, GigabitEthernet0/1
D        2.1.0.0/25 [90/130816] via 123.0.0.2, 00:02:20, GigabitEthernet0/1
D        2.2.0.0/26 [90/130816] via 123.0.0.3, 00:27:43, GigabitEthernet0/1
                    [90/130816] via 123.0.0.2, 00:27:43, GigabitEthernet0/1
D        2.3.0.0/27 [90/130816] via 123.0.0.3, 00:27:43, GigabitEthernet0/1
                    [90/130816] via 123.0.0.2, 00:27:43, GigabitEthernet0/1
D        2.4.0.0/28 [90/130816] via 123.0.0.3, 00:27:43, GigabitEthernet0/1
                    [90/130816] via 123.0.0.2, 00:27:43, GigabitEthernet0/1
D        2.5.0.0/29 [90/130816] via 123.0.0.3, 00:27:43, GigabitEthernet0/1
                    [90/130816] via 123.0.0.2, 00:27:43, GigabitEthernet0/1

Problem 2:

I want to do the same using a route-map. On R1, block route L802 2.1.0.0/25 coming from R3.
The Numbered Extended ACL should pass route 2.1.0.0/24 from R3 to the route-map's deny statement, so the route from R3 will be denied.

Configuration looks like this:

R1(config-router)#do show run | sec eigrp
router eigrp 100
 distribute-list route-map RM_DENY_R3_L802 in
 network 123.0.0.1 0.0.0.0
 passive-interface default
 no passive-interface GigabitEthernet0/1
 eigrp router-id 0.0.0.1

R1(config-router)#do show route-map RM_DENY_R3_L802
route-map RM_DENY_R3_L802, deny, sequence 100
  Match clauses:
    ip address (access-lists): 199
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map RM_DENY_R3_L802, permit, sequence 200
  Match clauses:
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes

R1(config-router)#do show access-list 199
Extended IP access list 199
    10 permit ip host 123.0.0.3 2.1.0.0 0.0.0.127
    20 deny ip any any (12 matches)

I don't see any matches in ACL 199 sequence 10, therefore we can't see any matches in the route-map, and the 2.1.0.0/25 route from R3 makes it to R1's EIGRP topology table and from there to the global IP routing table.

R1(config-router)#do show ip route | sec 2.1.0.0/25
D        2.1.0.0/25 [90/130816] via 123.0.0.3, 00:13:11, GigabitEthernet0/1
                    [90/130816] via 123.0.0.2, 00:13:11, GigabitEthernet0/1

Why is ACL 199 not matching route 2.1.0.0/25 from R3 (123.0.0.3)?

Edit: some debug output added

R1#debug ip eigrp
EIGRP-IPv4 Route Event debugging is on
R1#clear ip eigrp neighbors 123.0.0.3

000281: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 123.0.0.3 (GigabitEthernet0/1) is up: new adjacency
.
.
.
000300: EIGRP-IPv4(100): Processing routemap RM_DENY_R3_L802 tableid:(0) map(10881098) for addr: 2.1.0.0/25
000301: EIGRP-IPv4(100): Int 2.1.0.0/25 M 130816 - 1000000 5010000000 SM 128256 - 4060086272 76293
000302: EIGRP-IPv4(100): table(default): route installed for 2.1.0.0/25 (90/130816) origin(123.0.0.2)
000303: EIGRP-IPv4(100): table(default): route installed for 2.1.0.0/25 (90/130816) origin(123.0.0.3)

(Lazaros Agapides) #31

Hello Michael

Concerning problem 1, this is due to the fact that the IOS doesn’t support named ACLs for distribute lists but it does support numbered lists. This unfortunately is not readily understandable from the error message you get. This is the case for distribute lists in BGP as well.

Concerning problem 2, this has to do with the use of an extended access list in a route map for distribution lists. When using an extended access list, you are not matching source and destination pairs, but the address and subnet mask.

So in your case, you are stating:

10 permit ip host 123.0.0.3 2.1.0.0 0.0.0.127

This will not match anything because the source section 123.0.0.3 is actually specifying the IP address you want to match, while the second part should indicate the subnet mask. This is only the case for extended ACLs in route maps for distribute lists.

Although we don’t usually link to other sites like this, the following article from INE is quite informative about this, especially for the usage of extended ACLs in route maps for distribute lists.

I understand you’re using an extended ACL because you want to filter this route as received from R3 and not from R2. However, another option would be to place an outbound route map on R3 with a standard ACL in order to filter the particular route from being sent.

I hope this has been helpful!

Laz
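As an added illustration of the interpretation described above (this is a model written for this thread, not IOS code or the INE article's), the following Python checks an extended ACL entry against a route the way Laz describes for route-maps used in distribute-lists: the "source" fields are compared with the route's network address and the "destination" fields with its subnet mask. ACL 199 is copied from Michal's post; ACL_NET_AND_MASK is a constructed entry (an assumption, not from the thread) that expresses network 2.1.0.0 with mask /25 in that form.

```python
from ipaddress import ip_address, ip_network

def wildcard_match(value, base, wildcard):
    """Cisco wildcard mask: a 1 bit in the wildcard means 'don't care'."""
    v, b, w = (int(ip_address(x)) for x in (value, base, wildcard))
    return (v | w) == (b | w)

def ace_matches_route(ace, route):
    """ace = (action, src, src_wc, dst, dst_wc). In this interpretation the
    source fields are checked against the route's network address and the
    destination fields against its subnet mask; the neighbour never enters."""
    _, src, src_wc, dst, dst_wc = ace
    net = ip_network(route)
    return (wildcard_match(str(net.network_address), src, src_wc)
            and wildcard_match(str(net.netmask), dst, dst_wc))

def acl_permits_route(acl, route):
    """First matching entry decides; implicit deny at the end."""
    for ace in acl:
        if ace_matches_route(ace, route):
            return ace[0] == "permit"
    return False

ANY = ("0.0.0.0", "255.255.255.255")
# ACL 199 exactly as in the post ("host x" is wildcard 0.0.0.0):
# the "source" 123.0.0.3 is compared with network 2.1.0.0, so it never matches
ACL_199 = [("permit", "123.0.0.3", "0.0.0.0", "2.1.0.0", "0.0.0.127"),
           ("deny", *ANY, *ANY)]
# Constructed entry (assumption): network 2.1.0.0 exactly, mask 255.255.255.128
ACL_NET_AND_MASK = [("permit", "2.1.0.0", "0.0.0.0", "255.255.255.128", "0.0.0.0"),
                    ("deny", *ANY, *ANY)]

if __name__ == "__main__":
    for name, acl in (("199", ACL_199), ("net+mask", ACL_NET_AND_MASK)):
        print(name, "matches 2.1.0.0/25:", acl_permits_route(acl, "2.1.0.0/25"))
```

Because the neighbour address is not part of the comparison, an entry like ACL_NET_AND_MASK would filter 2.1.0.0/25 whether it arrives from R2 or from R3, which is why the post suggests an outbound filter on R3 instead.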


(Sergei K) #32

Hi, lads!
Is there an implicit deny all at the end of all route maps by default?
Thx!


(Lazaros Agapides) #33

Hello Sergei

Yes that is correct!

Laz