EIGRP Route-Map Filtering

Jose,
Yes, but you will have to change the logic of how the prefix-list is written. Instead of relying on a route-map to perform the permit/deny actions, the prefix-list will have to do this now. So, if our goal is to deny 192.168.1.0/24 but allow everything else, you could do it like this:

(config)#ip prefix-list PL_NO192 seq 10 deny 192.168.1.0/24
(config)#ip prefix-list PL_NO192 seq 20 permit 0.0.0.0/0 le 32

(config)#router eigrp 1
(config-router)#distribute-list prefix PL_NO192 in

Note that the second sequence of PL_NO192 is saying “allow any subnet of any network that is less than or equal to 32 bits in length” which means everything.


Hi Rene,

I have a quick question on EIGRP filtering in general. Say I have 3 routers, R1, R2, and R3 all running EIGRP and connected.

R1 has 10.10.10.0/24 and 20.20.20.0/24
If I want to advertise 10.10.10.0/24 only to R3 but not R2…
From reading your lesson, I learned that I can apply a distribute-list acl in on R3 to block the advertisement of 10.10.10.0/24…

Can this be done on R1 to filter outbound EIGRP advertisement of 10.10.10.0/24 only to R3 but not R2?

Thanks!

Barry

Hi @bwcc89,

This is a great question and you’ll be pleased to hear that yes it is definitely possible.
We can use a network statement (or other method) as normal to bring the network into the EIGRP topology and then use “distribute-list xx out” to prevent EIGRP from advertising matching routes.

The little extra configuration we need is to tell the EIGRP process to only apply that distribute list on the interface leading to R3. In this case our configuration changes to look like "distribute-list xx out "

Here is a code example from another network:

access-list 50 deny 192.168.100.0 0.0.0.128

router eigrp 155
passive-interface Loopback0
network 10.2.3.0 0.0.0.255
network 172.30.201.0 0.0.0.255
network 192.168.100.2 0.0.0.0
distribute-list 50 out FastEthernet0/0
no auto-summary

So you can see it’s very straightforward; probably just as you expect from EIGRP!

Kind regards,
Jon

Hi, I have been working very peripherally on Cisco for a few years but signed up and love your explanations. I am working through this lesson but am surprised there is not more of an “intro” to route maps somewhere on the site; it seems there is a bit of assumed knowledge in this lesson…


ok I’m in over my head…

In seq 20, why is there a ge 26 when trying to limit the prefix to smaller than 26? I’ll reread in the morning; hopefully it will make sense then…

Hello Brad.

Your feedback is always important and valuable. I suggest you submit your comments to the Lesson Ideas section of the site so that it can be considered as a possible separate lesson.


Thanks again for the feedback!

Laz

Hello Brad

If I’m not mistaken, you are talking about this set of commands:

R1(config)#route-map FILTER_OUT deny 20
R1(config-route-map)#match ip address prefix-list SMALL_PREFIXES

R1(config)#ip prefix-list SMALL_PREFIXES permit 172.16.0.0/16 ge 26

R1(config)#route-map FILTER_OUT permit 30

The prefix-list uses the permit statement to match IP addresses. So for the above configured prefix list, the IP addresses that will be matched are those with a prefix greater than or equal to 26.

The route map denies packets that match this prefix list, so they will deny any prefix greater than or equal to 26. This is indeed the opposite of what we want, so the ge 26 should be le 25.

I will let @ReneMolenaar know.

Thanks for catching that!

Laz

Hi Brad,

I just changed the wording a bit, this can be confusing. What I meant are subnets that are /26 or smaller subnets. The prefix number is higher but the subnets get smaller :) This means we want to match:

  • /26
  • /27
  • /28
  • /29
  • /30
  • /31
  • /32

We can do this with the following statement:

ip prefix-list SMALL_PREFIXES permit 172.16.0.0/16 ge 26

Rene
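To check the ge/le reasoning from this exchange, here is a small model of IOS prefix-list matching; it is an added example, not part of the thread, and the route lists it evaluates are constructed.

```python
import ipaddress

# Added example (not part of the thread): a small model of IOS "ip prefix-list"
# matching. Entries are plain strings in IOS syntax; evaluation is first match
# wins, with the implicit deny at the end.
def parse_entry(line):
    """Parse 'seq 20 permit 0.0.0.0/0 le 32' into (action, network, ge, le)."""
    tok = line.split()
    if tok[0] == "seq":
        tok = tok[2:]
    action, net = tok[0], ipaddress.ip_network(tok[1], strict=False)
    ge = le = None
    for key, val in zip(tok[2::2], tok[3::2]):
        if key == "ge":
            ge = int(val)
        elif key == "le":
            le = int(val)
    return action, net, ge, le

def entry_matches(entry, route):
    """IOS semantics: the route's first <len> bits must equal the entry prefix,
    and its length n must satisfy ge <= n <= le, where a missing ge defaults to
    <len> and a missing le defaults to 32 if ge is given, otherwise to <len>."""
    _, net, ge, le = entry
    r = ipaddress.ip_network(route, strict=False)
    if r.network_address not in net:
        return False
    lo = net.prefixlen if ge is None else ge
    hi = (net.prefixlen if ge is None else 32) if le is None else le
    return lo <= r.prefixlen <= hi

def prefix_list_action(lines, route):
    """Return 'permit' or 'deny' for a route against a whole prefix list."""
    for line in lines:
        entry = parse_entry(line)
        if entry_matches(entry, route):
            return entry[0]
    return "deny"  # implicit deny at the end of every prefix list

if __name__ == "__main__":
    # Constructed sample routes run against the two lists from this thread.
    small = ["permit 172.16.0.0/16 ge 26"]
    no192 = ["seq 10 deny 192.168.1.0/24", "seq 20 permit 0.0.0.0/0 le 32"]
    for route in ["172.16.1.0/24", "172.16.1.0/26", "172.16.1.128/30"]:
        print(route, "->", prefix_list_action(small, route))
    for route in ["192.168.1.0/24", "192.168.1.0/25", "10.10.10.0/24"]:
        print(route, "->", prefix_list_action(no192, route))
```

Swapping ge 26 for le 25 in SMALL_PREFIXES flips which of 172.16.1.0/24 and 172.16.1.0/26 is matched, which is the difference discussed above.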

Hello guys,
I have a few problems with EIGRP and its distribute-lists.

I’m playing with filtering on R1.
Topology looks like this.

[topology diagram]

Problem 1:

I want to block incoming route 2.1.0.0/25 (R3 Loopback 802) only from R3, using Extended Named ACL.

I cannot use Named Extended ACL in EIGRP distribute-list. Getting this error message.

R1(config)#router eigrp 100
R1(config-router)#distribute-list ACL_BLOCK_R3_L802 in
% The ACL cannot be created or an ACL with the same name but incompatible type already exists.

R1(config-router)#do show ip access-list ACL_BLOCK_R3_L802
Extended IP access list ACL_BLOCK_R3_L802
    100 deny ip host 123.0.0.3 2.1.0.0 0.0.0.127
    200 permit ip any any

So is the EIGRP distribute-list not compatible with Named Extended ACLs, or is it just an issue with my GNS3 emulator? I use the Cisco VIRL image IOSv 15.6(2)T.

R1(config-router)# do show version | include Version
Cisco IOS Software, IOSv Software (VIOS-ADVENTERPRISEK9-M), Version 15.6(2)T, RELEASE SOFTWARE (fc2)

Everything works fine, when I use Numbered Extended ACL.

R1(config-router)#do show access-list 150
Extended IP access list 150
    10 deny ip host 123.0.0.3 2.1.0.0 0.0.0.127
    20 permit ip any any

R1(config-router)#do show run | section eigrp
router eigrp 100
 distribute-list 150 in
 network 123.0.0.1 0.0.0.0
 passive-interface default
 no passive-interface GigabitEthernet0/1
 eigrp router-id 0.0.0.1

R1(config-router)#do show ip route eigrp | begin Gateway
Gateway of last resort is not set

      2.0.0.0/8 is variably subnetted, 6 subnets, 6 masks
D        2.0.0.0/24 [90/130816] via 123.0.0.3, 00:27:43, GigabitEthernet0/1
                    [90/130816] via 123.0.0.2, 00:27:43, GigabitEthernet0/1
D        2.1.0.0/25 [90/130816] via 123.0.0.2, 00:02:20, GigabitEthernet0/1
D        2.2.0.0/26 [90/130816] via 123.0.0.3, 00:27:43, GigabitEthernet0/1
                    [90/130816] via 123.0.0.2, 00:27:43, GigabitEthernet0/1
D        2.3.0.0/27 [90/130816] via 123.0.0.3, 00:27:43, GigabitEthernet0/1
                    [90/130816] via 123.0.0.2, 00:27:43, GigabitEthernet0/1
D        2.4.0.0/28 [90/130816] via 123.0.0.3, 00:27:43, GigabitEthernet0/1
                    [90/130816] via 123.0.0.2, 00:27:43, GigabitEthernet0/1
D        2.5.0.0/29 [90/130816] via 123.0.0.3, 00:27:43, GigabitEthernet0/1
                    [90/130816] via 123.0.0.2, 00:27:43, GigabitEthernet0/1

Problem 2:

I want to do the same using a route-map. On R1, block route L802 2.1.0.0/25 coming from R3.
The Numbered Extended ACL should pass route 2.1.0.0/24 from R3 to the route-map’s deny statement, so the route from R3 will be denied.

Configuration looks like this:

R1(config-router)#do show run | sec eigrp
router eigrp 100
 distribute-list route-map RM_DENY_R3_L802 in
 network 123.0.0.1 0.0.0.0
 passive-interface default
 no passive-interface GigabitEthernet0/1
 eigrp router-id 0.0.0.1

R1(config-router)#do show route-map RM_DENY_R3_L802
route-map RM_DENY_R3_L802, deny, sequence 100
  Match clauses:
    ip address (access-lists): 199
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map RM_DENY_R3_L802, permit, sequence 200
  Match clauses:
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes

R1(config-router)#do show access-list 199
Extended IP access list 199
    10 permit ip host 123.0.0.3 2.1.0.0 0.0.0.127
    20 deny ip any any (12 matches)

I don’t see any matches in ACL 199 sequence 10, therefore we can’t see any matches in the route-map, and the 2.1.0.0/25 route from R3 makes it to R1’s EIGRP topology table and from there to the global IP routing table.

R1(config-router)#do show ip route | sec 2.1.0.0/25
D        2.1.0.0/25 [90/130816] via 123.0.0.3, 00:13:11, GigabitEthernet0/1
                    [90/130816] via 123.0.0.2, 00:13:11, GigabitEthernet0/1

Why is ACL 199 not matching route 2.1.0.0/25 from R3 (123.0.0.3)?

Edit: some debug output added

R1#debug ip eigrp
EIGRP-IPv4 Route Event debugging is on
R1#clear ip eigrp neighbors 123.0.0.3

000281: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 123.0.0.3 (GigabitEthernet0/1) is up: new adjacency
.
.
.
000300: EIGRP-IPv4(100): Processing routemap RM_DENY_R3_L802 tableid:(0) map(10881098) for addr: 2.1.0.0/25
000301: EIGRP-IPv4(100): Int 2.1.0.0/25 M 130816 - 1000000 5010000000 SM 128256 - 4060086272 76293
000302: EIGRP-IPv4(100): table(default): route installed for 2.1.0.0/25 (90/130816) origin(123.0.0.2)
000303: EIGRP-IPv4(100): table(default): route installed for 2.1.0.0/25 (90/130816) origin(123.0.0.3)

Hello Michael

Concerning problem 1, this is due to the fact that the IOS doesn’t support named ACLs for distribute lists but it does support numbered lists. This unfortunately is not readily understandable from the error message you get. This is the case for distribute lists in BGP as well.

Concerning problem 2, this has to do with the use of an extended access list in a route map for distribute lists. When using an extended access list, you are not matching source and destination pairs, but the address and subnet mask.

So in your case, you are stating:

10 permit ip host 123.0.0.3 2.1.0.0 0.0.0.127

This will not match anything because the source section 123.0.0.3 is actually specifying the IP address you want to match, while the second part should indicate the subnet mask. This is only the case for extended ACLs in route maps for distribute lists.

Although we don’t usually link to other sites like this, the following article from INE is quite informative about this, especially for the usage of extended ACLs in route maps for distribute lists.

I understand you’re using an extended ACL because you want to filter this route as received from R3 and not from R2. However, another option would be to place an outbound route map on R3 with a standard ACL in order to filter the particular route from being sent.

I hope this has been helpful!

Laz
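As an added illustration of the point Laz makes (not code from the thread or from Cisco), here is a model of how an extended ACL referenced by a route-map's match ip address is evaluated for a distribute-list: the ACE's "source" part is compared with the route's network address and the "destination" part with its subnet mask. The corrected ACL is a constructed alternative.

```python
import ipaddress

# Added example (not from the thread): model of an extended ACL evaluated
# inside a route-map that a distribute-list uses. "source" = network address,
# "destination" = subnet mask, each compared through the ACE's wildcard.
def _parse_addr(tok, i):
    """Parse 'any', 'host A' or 'A WILDCARD' at tok[i]; return ((addr, wc), next_i)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    addr, wc = ipaddress.IPv4Address(tok[i]), ipaddress.IPv4Address(tok[i + 1])
    return (int(addr), int(wc)), i + 2

def parse_ace(line):
    """Parse '10 permit ip host 123.0.0.3 2.1.0.0 0.0.0.127' into (action, src, dst)."""
    tok = line.split()
    if tok[0].isdigit():            # optional sequence number
        tok = tok[1:]
    action = tok[0]                 # tok[1] is the protocol keyword ("ip")
    src, i = _parse_addr(tok, 2)
    dst, _ = _parse_addr(tok, i)
    return action, src, dst

def _wildcard_match(value, pair):
    addr, wc = pair
    care = ~wc & 0xFFFFFFFF         # bits the wildcard says must match
    return (value & care) == (addr & care)

def acl_action(acl_lines, route):
    """Result of the ACL for a route (network, mask); no match is an implicit deny."""
    r = ipaddress.ip_network(route, strict=False)
    net, mask = int(r.network_address), int(r.netmask)
    for line in acl_lines:
        action, src, dst = parse_ace(line)
        if _wildcard_match(net, src) and _wildcard_match(mask, dst):
            return action
    return "deny"

def rm_deny_r3_l802(acl_lines, route):
    """Model of RM_DENY_R3_L802: seq 100 denies what the ACL permits, seq 200 permits the rest."""
    return "deny" if acl_action(acl_lines, route) == "permit" else "permit"

if __name__ == "__main__":
    acl_199 = ["10 permit ip host 123.0.0.3 2.1.0.0 0.0.0.127", "20 deny ip any any"]
    # Constructed alternative: network 2.1.0.0 with mask 255.255.255.128, matched exactly.
    acl_fixed = ["10 permit ip 2.1.0.0 0.0.0.0 255.255.255.128 0.0.0.0", "20 deny ip any any"]
    for acl in (acl_199, acl_fixed):
        print(acl[0], "->", rm_deny_r3_l802(acl, "2.1.0.0/25"))
```

Note that the corrected ACE filters 2.1.0.0/25 regardless of which neighbour sent it, which is why an outbound filter on R3 is the way to drop only R3's copy.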

Hi, lads!
Is there an implicit deny all at the end of all route maps by default?
Thx!

Hello Sergei

Yes that is correct!

Laz
