EIGRP Route-Map Filtering

Jose,
Yes, but you will have to change the logic of how the prefix-list is written. Instead of relying on a route-map to perform the permit/deny actions, the prefix-list will have to do this now. So, if our goal is to deny 192.168.1.0/24 but allow everything else, you could do it like this:

(config)#ip prefix-list PL_NO192 seq 10 deny 192.168.1.0/24
(config)#ip prefix-list PL_NO192 seq 20 permit 0.0.0.0/0 le 32

(config)#router eigrp 1
(config-router)#distribute-list prefix PL_NO192 in

Note that the second sequence of PL_NO192 is saying “allow any subnet of any network that is less than or equal to 32 bits in length” which means everything.


Hi Rene,

I have a quick question on EIGRP filtering in general. Say I have 3 routers, R1, R2, and R3 all running EIGRP and connected.

R1 has 10.10.10.0/24 and 20.20.20.0/24
If I want to advertise 10.10.10.0/24 only to R3 but not R2…
From reading your lesson, I learned that I can apply a distribute-list acl in on R3 to block the advertisement of 10.10.10.0/24…

Can this be done on R1 to filter outbound EIGRP advertisement of 10.10.10.0/24 only to R3 but not R2?

Thanks!

Barry

Hi @bwcc89,

This is a great question and you'll be pleased to hear that yes it is definitely possible.
We can use a network statement (or other method) as normal to bring the network into the EIGRP topology and then use “distribute-list xx out” to prevent EIGRP from advertising matching routes.

The little extra configuration we need is to tell the EIGRP process to only apply that distribute list on the interface leading to R3. In this case our configuration changes to look like “distribute-list xx out ”

Here is a code example from another network:

access-list 50 deny 192.168.100.0 0.0.0.128

router eigrp 155
passive-interface Loopback0
network 10.2.3.0 0.0.0.255
network 172.30.201.0 0.0.0.255
network 192.168.100.2 0.0.0.0
distribute-list 50 out FastEthernet0/0
no auto-summary

So you can see it's very straightforward; probably just as you expect from EIGRP!

Kind regards,
Jon

Hi, I have been working very peripherally on Cisco for a few years but signed up and love your explanations. I am working through this lesson but am surprised there is not more of an “intro” to route maps somewhere on the site; seems there is a bit of assumed knowledge on this lesson…

ok I'm in over my head…

in seq 20 why is there a ge 26 when trying to limit prefix to smaller than 26? I'll reread in the morning hopefully it will make sense then…

Hello Brad.

Your feedback is always important and valuable. I suggest you submit your comments to the Lesson Ideas section of the site so that it can be considered as a possible separate lesson.


Thanks again for the feedback!

Laz

Hello Brad

If I'm not mistaken, you are talking about this set of commands:

R1(config)#route-map FILTER_OUT deny 20
R1(config-route-map)#match ip address prefix-list SMALL_PREFIXES

R1(config)#ip prefix-list SMALL_PREFIXES permit 172.16.0.0/16 ge 26

R1(config)#route-map FILTER_OUT permit 30

The prefix-list uses the permit statement to match IP addresses. So for the above configured prefix list, the IP addresses that will be matched are those with a prefix greater than or equal to 26.

The route map denies packets that match this prefix list, so they will deny any prefix greater than or equal to 26. This is indeed the opposite of what we want, so the ge 26 should be le 25.

I will let @ReneMolenaar know.

Thanks for catching that!

Laz

Hi Brad,

I just changed the wording a bit, this can be confusing. What I meant are subnets that are /26 or smaller subnets. The prefix number is higher but the subnets get smaller :) This means we want to match:

  • /26
  • /27
  • /28
  • /29
  • /30
  • /31
  • /32

We can do this with the following statement:

ip prefix-list SMALL_PREFIXES permit 172.16.0.0/16 ge 26

Rene

Hello guys,
I have a few problems with EIGRP and its distribute-lists.

I'm playing with filtering on R1.
Topology looks like this.

[topology diagram not included]

Problem 1:

I want to block incoming route 2.1.0.0/25 (R3 Loopback 802) only from R3, using Extended Named ACL.

I cannot use Named Extended ACL in EIGRP distribute-list. Getting this error message.

R1(config)#router eigrp 100
R1(config-router)#distribute-list ACL_BLOCK_R3_L802 in
% The ACL cannot be created or an ACL with the same name but incompatible type already exists.

R1(config-router)#do show ip access-list ACL_BLOCK_R3_L802
Extended IP access list ACL_BLOCK_R3_L802
    100 deny ip host 123.0.0.3 2.1.0.0 0.0.0.127
    200 permit ip any any

Therefore, is the EIGRP distribute-list not compatible with Named Extended ACLs, or is it just an issue of my GNS3 emulator? I use Cisco VIRL image IOSv 15.6(2)T.

R1(config-router)# do show version | include Version
Cisco IOS Software, IOSv Software (VIOS-ADVENTERPRISEK9-M), Version 15.6(2)T, RELEASE SOFTWARE (fc2)

Everything works fine, when I use Numbered Extended ACL.

R1(config-router)#do show access-list 150
Extended IP access list 150
    10 deny ip host 123.0.0.3 2.1.0.0 0.0.0.127
    20 permit ip any any

R1(config-router)#do show run | section eigrp
router eigrp 100
 distribute-list 150 in
 network 123.0.0.1 0.0.0.0
 passive-interface default
 no passive-interface GigabitEthernet0/1
 eigrp router-id 0.0.0.1

R1(config-router)#do show ip route eigrp | begin Gateway
Gateway of last resort is not set

      2.0.0.0/8 is variably subnetted, 6 subnets, 6 masks
D        2.0.0.0/24 [90/130816] via 123.0.0.3, 00:27:43, GigabitEthernet0/1
                    [90/130816] via 123.0.0.2, 00:27:43, GigabitEthernet0/1
D        2.1.0.0/25 [90/130816] via 123.0.0.2, 00:02:20, GigabitEthernet0/1
D        2.2.0.0/26 [90/130816] via 123.0.0.3, 00:27:43, GigabitEthernet0/1
                    [90/130816] via 123.0.0.2, 00:27:43, GigabitEthernet0/1
D        2.3.0.0/27 [90/130816] via 123.0.0.3, 00:27:43, GigabitEthernet0/1
                    [90/130816] via 123.0.0.2, 00:27:43, GigabitEthernet0/1
D        2.4.0.0/28 [90/130816] via 123.0.0.3, 00:27:43, GigabitEthernet0/1
                    [90/130816] via 123.0.0.2, 00:27:43, GigabitEthernet0/1
D        2.5.0.0/29 [90/130816] via 123.0.0.3, 00:27:43, GigabitEthernet0/1
                    [90/130816] via 123.0.0.2, 00:27:43, GigabitEthernet0/1

Problem 2:

I want to do the same using a route-map. On R1 block route L802 2.1.0.0/25 coming from R3.
Numbered Extended ACL should pass route 2.1.0.0/24 from R3 to the route-map's deny statement, so the route from R3 will be denied.

Configuration looks like this:

R1(config-router)#do show run | sec eigrp
router eigrp 100
 distribute-list route-map RM_DENY_R3_L802 in
 network 123.0.0.1 0.0.0.0
 passive-interface default
 no passive-interface GigabitEthernet0/1
 eigrp router-id 0.0.0.1

R1(config-router)#do show route-map RM_DENY_R3_L802
route-map RM_DENY_R3_L802, deny, sequence 100
  Match clauses:
    ip address (access-lists): 199
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map RM_DENY_R3_L802, permit, sequence 200
  Match clauses:
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes

R1(config-router)#do show access-list 199
Extended IP access list 199
    10 permit ip host 123.0.0.3 2.1.0.0 0.0.0.127
    20 deny ip any any (12 matches)

I don't see any matches in ACL 199 sequence 10, therefore we can't see any matches in the route-map and the 2.1.0.0/25 route from R3 makes it to R1's EIGRP topology table and from there to the global IP routing table.

R1(config-router)#do show ip route | sec 2.1.0.0/25
D        2.1.0.0/25 [90/130816] via 123.0.0.3, 00:13:11, GigabitEthernet0/1
                    [90/130816] via 123.0.0.2, 00:13:11, GigabitEthernet0/1

Why is ACL 199 not matching route 2.1.0.0/25 from R3 (123.0.0.3)?

Edit: some debug output added

R1#debug ip eigrp
EIGRP-IPv4 Route Event debugging is on
R1#clear ip eigrp neighbors 123.0.0.3

000281: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 123.0.0.3 (GigabitEthernet0/1) is up: new adjacency
.
.
.
000300: EIGRP-IPv4(100): Processing routemap RM_DENY_R3_L802 tableid:(0) map(10881098) for addr: 2.1.0.0/25
000301: EIGRP-IPv4(100): Int 2.1.0.0/25 M 130816 - 1000000 5010000000 SM 128256 - 4060086272 76293
000302: EIGRP-IPv4(100): table(default): route installed for 2.1.0.0/25 (90/130816) origin(123.0.0.2)
000303: EIGRP-IPv4(100): table(default): route installed for 2.1.0.0/25 (90/130816) origin(123.0.0.3)

Hello Michael

Concerning problem 1, this is due to the fact that the IOS doesn't support named ACLs for distribute lists but it does support numbered lists. This unfortunately is not readily understandable from the error message you get. This is the case for distribute lists in BGP as well.

Concerning problem 2, this has to do with the use of an extended access list in a route map for distribution lists. When using an extended access list, you are not matching source and destination pairs, but the address and subnet mask.

So in your case, you are stating:

10 permit ip host 123.0.0.3 2.1.0.0 0.0.0.127

This will not match anything because the source section 123.0.0.3 is actually specifying the IP address you want to match, while the second part should indicate the subnet mask. This is only the case for extended ACLs in route maps for distribute lists.

Although we don't usually link to other sites like this, the following article from INE is quite informative about this, especially for the usage of extended ACLs in route maps for distribute lists.

I understand you're using an extended ACL because you want to filter this route as received from R3 and not from R2. However, another option would be to place an outbound route map on R3 with a standard ACL in order to filter the particular route from being sent.

I hope this has been helpful!

Laz
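To make Laz's explanation concrete, here is a small Python model (added here, not part of the thread) of how a distribute-list reads an extended ACL: the source field is compared with the route's network address and the destination field with its subnet mask, and the advertising neighbour never enters the comparison. It evaluates ACL 199 as Michael configured it and a constructed rewrite (ACL_FIXED, an assumed name) that matches 2.1.0.0/25 by address and mask.

```python
import ipaddress


def wildcard_match(value, base, wildcard):
    """Cisco wildcard test: bits set in the wildcard are 'don't care'."""
    v, b, w = (int(ipaddress.ip_address(x)) for x in (value, base, wildcard))
    return ((v ^ b) & ~w & 0xFFFFFFFF) == 0


def parse_ace(line):
    """Parse 'permit|deny ip SRC DST' where SRC/DST is 'host A', 'any' or 'A WILDCARD'."""
    tok = line.split()
    action, tok, fields = tok[0], tok[2:], []   # tok[1] is the 'ip' keyword
    for _ in range(2):
        if tok[0] == "host":
            fields.append((tok[1], "0.0.0.0"))
            tok = tok[2:]
        elif tok[0] == "any":
            fields.append(("0.0.0.0", "255.255.255.255"))
            tok = tok[1:]
        else:
            fields.append((tok[0], tok[1]))
            tok = tok[2:]
    return action, fields[0], fields[1]


def distribute_list_action(aces, prefix):
    """Distribute-list semantics for an extended ACL: 'source' is tested against the
    route's network address, 'destination' against its subnet mask. First matching
    entry wins; running off the end is the implicit deny."""
    net = ipaddress.ip_network(prefix)
    for action, (saddr, swild), (daddr, dwild) in aces:
        if (wildcard_match(str(net.network_address), saddr, swild)
                and wildcard_match(str(net.netmask), daddr, dwild)):
            return action
    return "deny"


# ACL 199 exactly as shown above (sequence numbers dropped)
ACL_199 = [parse_ace("permit ip host 123.0.0.3 2.1.0.0 0.0.0.127"),
           parse_ace("deny ip any any")]

# Constructed rewrite: network 2.1.0.0 exactly, mask 255.255.255.128 exactly
ACL_FIXED = [parse_ace("permit ip 2.1.0.0 0.0.0.0 255.255.255.128 0.0.0.0"),
             parse_ace("deny ip any any")]

if __name__ == "__main__":
    for name, acl in (("ACL 199", ACL_199), ("ACL_FIXED", ACL_FIXED)):
        for p in ("2.1.0.0/25", "2.1.0.0/24", "2.1.0.128/25"):
            print(f"{name:10} {p:14} -> {distribute_list_action(acl, p)}")
```

ACL 199 never reaches its permit line for 2.1.0.0/25 because 123.0.0.3 is being compared with the route's network address, which is why only the deny counter increments; the rewrite matches the route but, as Laz notes, cannot tell R3's copy from R2's.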

Hi, lads!
Is there an implicit deny all at the end of all route maps by default?
Thx!

Hello Sergei

Yes that is correct!

Laz


Hi Network Lessons,

Any example of EIGRP default-route-tag in dotted decimal format?

Hello Kenneth

The following Cisco documentation details the route tag enhancements that are available for EIGRP. The specific link takes you to the section dealing with the dotted decimal format of these tags.

I hope this has been helpful!

Laz

Hi all,
I've been playing around with EIGRP route-maps and have a few questions.
If I use a prefix list as a match for a route map sequence, but don't configure anything in the prefix list:
If the route map statement is permit, it'll permit everything regardless of the next sequences.
If the route map statement is deny, it'll deny everything.
Is this accurate?

If I use a deny route map sequence matching a prefix list that has only deny sequences in it, it doesn't appear to do anything. Is this also correct? Seems strange, because like I stated before, if you don't configure the prefix list, it blocks everything.

Thank you

Hello Vlad

Yes, this is correct. I labbed it up and verified that this is the case.

This makes sense because like access lists, a prefix list always has an implicit deny at the end. Take a look at the following two prefix lists:

ip prefix-list LIST1 description empty

ip prefix-list LIST2 description one_deny
ip prefix-list LIST2 seq 5 deny 172.16.1.0/24

These two lists may be different, but they are identical in what they actually do. The first denies everything, the second denies 172.16.1.0/24 AND everything. More simply put, both deny everything.

In general, all prefix-lists that donā€™t have any permit statements do exactly the same thing: deny everything.

I hope this has been helpful!

Laz
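An added Python model of IOS prefix-list matching (not part of this thread) that covers both the 172.16.0.0/16 ge 26 entry debated earlier and the empty and deny-only lists Laz shows above. It encodes the IOS rules: a route must sit inside the entry's prefix, its length must equal the entry's length when no ge/le is given, be at least ge when only ge is given, fall between the entry's length and le when only le is given, or between ge and le when both are given; the first matching entry wins and an exhausted list is an implicit deny.

```python
import ipaddress


def parse_entry(line):
    """Parse 'ip prefix-list NAME [seq N] permit|deny PREFIX [ge X] [le Y]'."""
    tok = line.split()[3:]              # drop 'ip prefix-list NAME'
    if tok[0] == "seq":
        tok = tok[2:]
    action, net, ge, le = tok[0], ipaddress.ip_network(tok[1]), None, None
    for kw, val in zip(tok[2::2], tok[3::2]):
        if kw == "ge":
            ge = int(val)
        elif kw == "le":
            le = int(val)
    return action, net, ge, le


def entry_matches(entry, route):
    """Apply the ge/le length window to a route that lies inside the entry's prefix."""
    _, net, ge, le = entry
    if not route.subnet_of(net):
        return False
    lo = ge if ge is not None else net.prefixlen
    hi = le if le is not None else (route.max_prefixlen if ge is not None else net.prefixlen)
    return lo <= route.prefixlen <= hi


def prefix_list_action(entries, prefix):
    """First matching entry decides; no match at all is the implicit deny."""
    route = ipaddress.ip_network(prefix)
    for entry in entries:
        if entry_matches(entry, route):
            return entry[0]
    return "deny"


# Lists quoted in this thread (LIST1 has only a description line, so it is empty)
SMALL_PREFIXES = [parse_entry("ip prefix-list SMALL_PREFIXES permit 172.16.0.0/16 ge 26")]
PL_NO192 = [parse_entry("ip prefix-list PL_NO192 seq 10 deny 192.168.1.0/24"),
            parse_entry("ip prefix-list PL_NO192 seq 20 permit 0.0.0.0/0 le 32")]
LIST1 = []
LIST2 = [parse_entry("ip prefix-list LIST2 seq 5 deny 172.16.1.0/24")]

if __name__ == "__main__":
    for name, pl in (("SMALL_PREFIXES", SMALL_PREFIXES), ("PL_NO192", PL_NO192),
                     ("LIST1", LIST1), ("LIST2", LIST2)):
        for p in ("172.16.1.0/25", "172.16.1.0/26", "172.16.1.64/30", "192.168.1.0/24"):
            print(f"{name:15} {p:16} -> {prefix_list_action(pl, p)}")
```

Note that PL_NO192 only denies 192.168.1.0/24 itself; a /25 carved out of it still falls through to sequence 20 and is permitted, which is the difference between an exact-length entry and one with le.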

Hi Rene/Laz,
When we match a route map with an access list, if we use a deny statement in the access list, will the route map match the entry in the access list? I see in the route map introduction chapter that only permit statements in an access list match the entry and apply the statement we put in the route map, but when it comes to the EIGRP route-map filtering chapter, the example for filtering 1.1.1.0/24 shows we use a deny statement in the access list and we saw the same result, that the prefix is being filtered. Can you clarify that?

See the snippet below,

R2(config)#ip access-list standard NET_1
R2(config-std-nacl)#deny 1.1.1.0 0.0.0.255
R2(config-std-nacl)#permit any

R2(config)#route-map FILTER_IN permit 10
R2(config-route-map)#match ip address NET_1

R2#show ip route eigrp 
     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
D       172.16.0.0/24 [90/409600] via 192.168.12.1, 00:56:08, FastEthernet0/0
D       172.16.1.0/25 [90/409600] via 192.168.12.1, 00:56:08, FastEthernet0/0

Hello Philip

How the route-map is used will make a difference in how it is interpreted as far as the permit and deny statements go. If you look at this post, you will see that when using redistribution, a deny statement in the ACL will not generate a match:

However, when using a distribute-list as is in this case, then the deny statement in the ACL does match the prefix. And it actually plays a role in the outcome of the distribution list.

I labbed it up and found the following:

  • ACL deny and route-map deny result in the prefix being blocked
  • ACL deny and route-map permit result in the prefix being blocked
  • ACL permit and route-map deny result in the prefix being blocked
  • ACL permit and route-map permit result in the prefix not being blocked

So for distribute lists, it seems the permit/deny statements must be both permit in order for the prefix to be permitted.

I hope this has been helpful!

Laz
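The four lab results Laz lists, turned into a small Python model (added here, not part of the thread) of a distribute-list route-map that matches a standard ACL. It assumes the behaviour reported above: a prefix passes only when the route-map sequence is permit and the ACL entry it hit is permit; an ACL that matches nothing falls through to the next sequence; a sequence with no match clause matches everything; the end of the route-map is an implicit deny (Sergei's question earlier). NET_1 and FILTER_IN are Philip's; ONLY_10 is a constructed extra list.

```python
import ipaddress


def wildcard_match(value, base, wildcard):
    """Cisco wildcard test: bits set in the wildcard are 'don't care'."""
    v, b, w = (int(ipaddress.ip_address(x)) for x in (value, base, wildcard))
    return ((v ^ b) & ~w & 0xFFFFFFFF) == 0


def std_acl_lookup(aces, prefix):
    """Standard ACL under 'match ip address': each (action, address, wildcard) entry
    is tested against the route's network address. Returns the action of the first
    entry that matches, or None when no entry matches."""
    net = ipaddress.ip_network(prefix).network_address
    for action, addr, wild in aces:
        if wildcard_match(str(net), addr, wild):
            return action
    return None


def route_map_passes(sequences, acls, prefix):
    """Distribute-list route-map as observed in the lab above: the prefix passes only
    when BOTH the sequence and the ACL entry it hit are 'permit'. sequences is a list
    of (action, acl_name); acl_name None means 'no match clause' (matches all)."""
    for seq_action, acl_name in sequences:
        if acl_name is None:
            return seq_action == "permit"
        hit = std_acl_lookup(acls[acl_name], prefix)
        if hit is None:
            continue                      # nothing matched: try the next sequence
        return seq_action == "permit" and hit == "permit"
    return False                          # implicit deny at the end of the route-map


ACLS = {
    "NET_1": [("deny", "1.1.1.0", "0.0.0.255"), ("permit", "0.0.0.0", "255.255.255.255")],
    "ONLY_10": [("permit", "10.0.0.0", "0.255.255.255")],   # constructed
}
FILTER_IN = [("permit", "NET_1")]           # Philip's route-map: permit 10, match NET_1

if __name__ == "__main__":
    for p in ("1.1.1.0/24", "172.16.0.0/24"):
        print(p, "passes" if route_map_passes(FILTER_IN, ACLS, p) else "blocked")
```
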

Thank you Laz! It was helpful. I will lab myself some examples and will let you know if there is a doubt.
