Filtering EIGRP routes in GNS3

Posted: January 21, 2016 in CISCO

Sometimes there is a need to prevent routes from being advertised to other network segments.


For example, let's say some routes advertised by Router 5 (10.17.35.0, 10.17.35.128) must be kept out of router R1.

To reach the 10.17.35.0 network, R1 has 2 paths: via R3 and via R4, so route filters must be set on both R3 and R4.

Routing table before applying prefix list

R1#sh ip route
Codes: L – local, C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
ia – IS-IS inter area, * – candidate default, U – per-user static route
o – ODR, P – periodic downloaded static route, H – NHRP, l – LISP
+ – replicated route, % – next hop override

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 19 subnets, 6 masks
D 10.1.1.4/30 [90/2684416] via 10.1.2.1, 00:06:35, Serial1/0
C 10.1.2.0/30 is directly connected, Serial1/0
L 10.1.2.2/32 is directly connected, Serial1/0
D 10.1.2.4/30 [90/2681856] via 10.1.2.1, 00:06:35, Serial1/0
D 10.9.1.0/30 [90/2172416] via 10.1.2.1, 00:06:35, Serial1/0
D 10.9.1.4/30 [90/2174976] via 10.1.2.1, 00:06:35, Serial1/0
D 10.9.1.8/30 [90/2174976] via 10.1.2.1, 00:06:35, Serial1/0
D 10.9.1.12/30 [90/2172416] via 10.1.2.1, 00:06:35, Serial1/0
D 10.9.1.16/30 [90/2177536] via 10.1.2.1, 00:06:35, Serial1/0
D 10.9.1.20/30 [90/2174976] via 10.1.2.1, 00:06:35, Serial1/0
C 10.11.1.0/24 is directly connected, Loopback0
L 10.11.1.1/32 is directly connected, Loopback0
D 10.12.1.0/24 [90/2809856] via 10.1.2.1, 00:06:36, Serial1/0
D 10.17.32.0/23 [90/2300416] via 10.1.2.1, 00:06:36, Serial1/0
D 10.17.34.0/24 [90/2300416] via 10.1.2.1, 00:06:36, Serial1/0
D 10.17.35.0/25 [90/2300416] via 10.1.2.1, 00:00:33, Serial1/0
D 10.17.35.128/25 [90/2300416] via 10.1.2.1, 00:00:33, Serial1/0
D 10.17.36.0/26 [90/2300416] via 10.1.2.1, 00:06:37, Serial1/0
D 10.17.36.64/26 [90/2300416] via 10.1.2.1, 00:06:37, Serial1/0

Method 1: ACL

R3(config)#access-list 2 deny 10.17.35.0 0.0.0.0
R3(config)#access-list 2 deny 10.17.35.128 0.0.0.0
! allow all other networks
R3(config)#access-list 2 permit any

! Now add this filter to the EIGRP process:

R3(config)#router eigrp 20
! apply route filter to interface connected to R1
R3(config-router)#distribute-list 2 out s1/1

! R4:

R4(config)#access-list 2 deny 10.17.35.0 0.0.0.0
R4(config)#access-list 2 deny 10.17.35.128 0.0.0.0
R4(config)#access-list 2 permit any
R4(config)#router eigrp 20
! apply route filter to interface connected to R1
R4(config-router)#distribute-list 2 out s1/0

 

Method 2: Prefix list

Concept: http://packetlife.net/blog/2010/feb/1/understanding-ip-prefix-lists/

! with a single line we deny both 10.17.35.0 and 10.17.35.128 using the
! ge (greater than or equal to) and le (less than or equal to) operators
! deny 10.17.35.0/25 and 10.17.35.128/25 (sequence number 5)
R3(config)#ip prefix-list 10_17 seq 5 deny 10.17.35.0/24 ge 25 le 25
! permit other prefixes (sequence 10):
R3(config)#ip prefix-list 10_17 seq 10 permit 0.0.0.0/0 le 32
! apply prefix list to interface connected to R1
R3(config)#router eigrp 20
R3(config-router)#distribute-list prefix 10_17 out s1/1

! R4:

R4(config)#ip prefix-list 10_17 seq 5 deny 10.17.35.0/24 ge 25 le 25
R4(config)#ip prefix-list 10_17 seq 10 permit 0.0.0.0/0 le 32
R4(config)#router eigrp 20
R4(config-router)#distribute-list prefix 10_17 out s1/0

Method 3: Route map

A route map consists of several route-map commands that all share the same text name. The route map here uses IP prefix lists for route matching. Optionally, a sequence number can be set. Once a route has been matched (deny or permit), Cisco IOS stops processing the route map for that route.

Setting the IP prefix lists (note that although the 10.17.35.0/25 and 10.17.35.128/25 networks need to be prohibited, a permit clause is used: the prefix list only selects the routes, and the deny clause of the route map is what drops them):

R3(config)#ip prefix-list 10_17 seq 5 permit 10.17.35.0/24 ge 25 le 25
R3(config)#ip prefix-list all_net seq 10 permit 0.0.0.0/0 le 32

R4(config)#ip prefix-list 10_17 seq 5 permit 10.17.35.0/24 ge 25 le 25
R4(config)#ip prefix-list all_net seq 10 permit 0.0.0.0/0 le 32

Creating route map:

 

! creating route map named 10_17, sequence 5, with a deny clause:
R3(config)#route-map 10_17 deny 5
! match prefix list 10_17
R3(config-route-map)#match ip address prefix-list 10_17
R3(config-route-map)#exit
! add another sequence (10) to permit other subnets
R3(config)#route-map 10_17 permit 10
R3(config-route-map)#match ip address prefix-list all_net
R3(config-route-map)#exit
! add another sequence (note: no match statement, so it matches everything) to allow all other routes
R3(config)#route-map 10_17 permit 15

! R4:

R4(config)#route-map 10_17 deny 5
R4(config-route-map)#match ip address prefix-list 10_17
R4(config-route-map)#exit
R4(config)#route-map 10_17 permit 10
R4(config-route-map)#match ip address prefix-list all_net
R4(config-route-map)#exit
R4(config)#route-map 10_17 permit 15

 

Apply route map 10_17 to the EIGRP process:

R3(config)#router eigrp 20
R3(config-router)#distribute-list route-map 10_17 out s1/1

R4(config)#router eigrp 20
R4(config-router)#distribute-list route-map 10_17 out s1/0

Networks 10.17.35.0/25 and 10.17.35.128/25 are no longer shown in R1's routing table:

R1(config)#do sh ip route
Codes: L – local, C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
ia – IS-IS inter area, * – candidate default, U – per-user static route
o – ODR, P – periodic downloaded static route, H – NHRP, l – LISP
+ – replicated route, % – next hop override

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 17 subnets, 5 masks
D 10.1.1.4/30 [90/2684416] via 10.1.2.1, 00:04:27, Serial1/0
C 10.1.2.0/30 is directly connected, Serial1/0
L 10.1.2.2/32 is directly connected, Serial1/0
D 10.1.2.4/30 [90/2681856] via 10.1.2.1, 00:04:27, Serial1/0
D 10.9.1.0/30 [90/2172416] via 10.1.2.1, 00:04:27, Serial1/0
D 10.9.1.4/30 [90/2174976] via 10.1.2.1, 00:04:27, Serial1/0
D 10.9.1.8/30 [90/2174976] via 10.1.2.1, 00:04:27, Serial1/0
D 10.9.1.12/30 [90/2172416] via 10.1.2.1, 00:04:27, Serial1/0
D 10.9.1.16/30 [90/2177536] via 10.1.2.1, 00:04:27, Serial1/0
D 10.9.1.20/30 [90/2174976] via 10.1.2.1, 00:04:27, Serial1/0
C 10.11.1.0/24 is directly connected, Loopback0
L 10.11.1.1/32 is directly connected, Loopback0
D 10.12.1.0/24 [90/2809856] via 10.1.2.1, 00:04:28, Serial1/0
D 10.17.32.0/23 [90/2300416] via 10.1.2.1, 00:04:29, Serial1/0
D 10.17.34.0/24 [90/2300416] via 10.1.2.1, 00:04:29, Serial1/0
D 10.17.36.0/26 [90/2300416] via 10.1.2.1, 00:04:29, Serial1/0
D 10.17.36.64/26 [90/2300416] via 10.1.2.1, 00:04:29, Serial1/0
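
To check the filter logic of Method 2 and Method 3 offline, the following added example (not part of the original post) models prefix-list ge/le matching and route-map first-match evaluation in Python and runs them over routes from R1's table. The function names and the two extra prefixes in CONSTRUCTED are assumptions made for illustration; they show that "ge 25 le 25" blocks only exact /25 routes, so a /24 summary or a /26 under 10.17.35.0 would still be advertised.

```python
import ipaddress

def entry_matches(route, base, ge=None, le=None):
    """One ip prefix-list entry: route must sit inside `base` and its mask
    length must be in [ge, le]; with neither keyword the length must be exact."""
    r, b = ipaddress.ip_network(route), ipaddress.ip_network(base)
    if ge is None and le is None:
        lo = hi = b.prefixlen
    else:
        lo = b.prefixlen if ge is None else ge
        hi = 32 if le is None else le
    return r.subnet_of(b) and lo <= r.prefixlen <= hi

def prefix_list_permits(route, entries):
    """First matching entry (lowest seq) decides; no match is an implicit deny."""
    for _seq, action, base, ge, le in sorted(entries, key=lambda e: e[0]):
        if entry_matches(route, base, ge, le):
            return action == "permit"
    return False

def route_map_permits(route, clauses, lists):
    """A clause matches when its prefix list permits the route (or it has no
    match statement); the clause's own permit/deny is then the verdict."""
    for _seq, action, name in sorted(clauses, key=lambda c: c[0]):
        if name is None or prefix_list_permits(route, lists[name]):
            return action == "permit"
    return False

# Method 2 and Method 3 as configured on R3 in this post.
METHOD2 = [(5, "deny", "10.17.35.0/24", 25, 25), (10, "permit", "0.0.0.0/0", None, 32)]
M3_LISTS = {"10_17": [(5, "permit", "10.17.35.0/24", 25, 25)],
            "all_net": [(10, "permit", "0.0.0.0/0", None, 32)]}
M3_MAP = [(5, "deny", "10_17"), (10, "permit", "all_net"), (15, "permit", None)]

# EIGRP routes copied from R1's routing table before filtering.
ROUTES = ["10.12.1.0/24", "10.17.32.0/23", "10.17.34.0/24", "10.17.35.0/25",
          "10.17.35.128/25", "10.17.36.0/26", "10.17.36.64/26"]
# Constructed prefixes that are NOT in the lab: other mask lengths under 10.17.35.0.
CONSTRUCTED = ["10.17.35.0/24", "10.17.35.64/26"]

def blocked_by_prefix_list(routes):
    return [r for r in routes if not prefix_list_permits(r, METHOD2)]

def blocked_by_route_map(routes):
    return [r for r in routes if not route_map_permits(r, M3_MAP, M3_LISTS)]

if __name__ == "__main__":
    print("prefix list blocks:", blocked_by_prefix_list(ROUTES))
    print("route map blocks:  ", blocked_by_route_map(ROUTES))
    print("slips through:     ", [r for r in CONSTRUCTED if prefix_list_permits(r, METHOD2)])
```
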
