EIGRP: DEEP Dive into Route Filtering with Distribute-Lists using ACLs – Important notes on using Extended ACLs for exam day!

(Topology diagram: EIGRP_New_Topology)

Only the NBMA and Ethernet segments will be used for quick demonstrations and clarity, unless R4 or R5 is needed for demonstration.

The first mechanism specifically for EIGRP to filter EIGRP-learned routes is the distribute-list, which has a syntax structure similar to an offset-list and functions in similar ways, in that:

  • It requires an ACL, Prefix-List, or Route-Map to be referenced by the distribute-list
  • The distribute-list is configured in EIGRP router configuration mode
  • It is configured with “in” and “out” options for directional route filtering
  • An interface is optional on a distribute-list, just like with offset-lists
  • It can use both Extended and Standard ACLs, as demonstrated below

Now with OSPF the directional options are a bit tricky, however with EIGRP distribute-lists it is simply either filtering “in”coming routing updates before they are placed in the routing table, or filtering “out”going routing updates before they are sent.

Also, as mentioned above and worth repeating, you can specify an interface in the distribute-list command; if no interface is specified, the filter is applied to routes coming in or going out on any interface.

When an Access-List is referenced by the distribute-list, Permit statements allow the matching routes to be accepted or sent out, and Deny statements block the matching routes from being accepted or sent out.

***Random piece of information from lesson, each line of an ACL is called an ACE (Access Control Entry), I did not know that before so thought it should be mentioned***

Here is a demonstration of how to configure a distribute-list using an ACL:

R1#sh ip eigrp top
EIGRP-IPv4 Topology Table for AS(100)/ID(1.1.1.1)
Codes: P – Passive, A – Active, U – Update, Q – Query, R – Reply,
       r – reply Status, s – sia Status

P 172.12.123.0/24, 1 successors, FD is 2169856
        via Connected, Serial0/0/0
P 172.12.15.0/24, 1 successors, FD is 28160
        via Connected, FastEthernet0/1
P 172.12.23.0/24, 2 successors, FD is 2173416
        via 172.12.123.2 (2173416/29160), Serial0/0/0
        via 172.12.123.3 (2173416/29160), Serial0/0/0
P 2.2.2.2/32, 1 successors, FD is 2297856
        via 172.12.123.2 (2297856/128256), Serial0/0/0
        via 172.12.123.3 (2300416/156160), Serial0/0/0
P 3.3.3.3/32, 1 successors, FD is 2297856
        via 172.12.123.3 (2297856/128256), Serial0/0/0
        via 172.12.123.2 (2300416/156160), Serial0/0/0

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#access-list 3 deny 3.3.3.3
R1(config)#access-list 3 permit any
R1(config)#router eigrp 100
R1(config-router)#distribute-list 3 in
R1(config-router)#
*May 11 02:03:58.759: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.12.123.2 (Serial0/0/0) is resync: route configuration changed
*May 11 02:03:58.759: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.12.123.3 (Serial0/0/0) is resync: route configuration changed
R1(config-router)#do sh ip eigrp top
EIGRP-IPv4 Topology Table for AS(100)/ID(1.1.1.1)
Codes: P – Passive, A – Active, U – Update, Q – Query, R – Reply,
       r – reply Status, s – sia Status

P 172.12.123.0/24, 1 successors, FD is 2169856
        via Connected, Serial0/0/0
P 172.12.15.0/24, 1 successors, FD is 28160
        via Connected, FastEthernet0/1
P 172.12.23.0/24, 2 successors, FD is 2173416
        via 172.12.123.2 (2173416/29160), Serial0/0/0
        via 172.12.123.3 (2173416/29160), Serial0/0/0
P 2.2.2.2/32, 1 successors, FD is 2297856
        via 172.12.123.2 (2297856/128256), Serial0/0/0
        via 172.12.123.3 (2300416/156160), Serial0/0/0

R1(config-router)#

Now route 3.3.3.3 is being filtered, and as you will notice, like an offset-list it resets (resyncs) your adjacencies with your EIGRP neighbors, as the %DUAL-5-NBRCHANGE messages show, so it’s pretty straightforward.

To verify if any filtering is being done by EIGRP on your local router, use the command “sh ip proto” and it will display in the output:

R1(config-router)#do sh ip proto
*** IP Routing is NSF aware ***

Routing Protocol is “eigrp 100”
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is 3

  Default networks flagged in outgoing updates
  Default networks accepted from incoming updates
  Redistributing: eigrp 100
  EIGRP-IPv4 Protocol for AS(100)
    Metric weight K1=1, K2=0, K3=1, K4=0, K5=0
    NSF-aware route hold timer is 240
    Router-ID: 1.1.1.1

Now if we want to filter outbound, it works the same way:

R1(config-router)#int lo11
R1(config-if)#ip add
*May 11 02:20:03.731: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback11, changed state to up
R1(config-if)#ip add 11.11.11.11 255.255.255.255
R1(config-if)#exit
R1(config)#access-list 11 deny 11.11.11.11
R1(config)#access-list 11 permit any
R1(config)#router eigrp 100
R1(config-router)#network 11.11.11.11 0.0.0.0
R1(config-router)#distribute-list 11 out
R1(config-router)#
*May 11 02:21:37.599: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.12.123.2 (Serial0/0/0) is resync: route configuration changed
*May 11 02:21:37.599: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.12.123.3 (Serial0/0/0) is resync: route configuration changed

And to verify:

R1(config-router)#do sh ip eigrp top
EIGRP-IPv4 Topology Table for AS(100)/ID(1.1.1.1)
Codes: P – Passive, A – Active, U – Update, Q – Query, R – Reply,
       r – reply Status, s – sia Status

P 11.11.11.11/32, 1 successors, FD is 128256
        via Connected, Loopback11
P 172.12.123.0/24, 1 successors, FD is 2169856
        via Connected, Serial0/0/0
P 172.12.15.0/24, 1 successors, FD is 28160
        via Connected, FastEthernet0/1
P 172.12.23.0/24, 2 successors, FD is 2173416
        via 172.12.123.2 (2173416/29160), Serial0/0/0
        via 172.12.123.3 (2173416/29160), Serial0/0/0
P 2.2.2.2/32, 1 successors, FD is 2297856
        via 172.12.123.2 (2297856/128256), Serial0/0/0
        via 172.12.123.3 (2300416/156160), Serial0/0/0

R1(config-router)#
ASR#2
[Resuming connection 2 to r2 … ]

R2#sh ip eigrp top
IP-EIGRP Topology Table for AS(100)/ID(2.2.2.2)

Codes: P – Passive, A – Active, U – Update, Q – Query, R – Reply,
       r – reply Status, s – sia Status

P 3.3.3.3/32, 1 successors, FD is 156160
        via 172.12.23.3 (156160/128256), FastEthernet0/0
P 2.2.2.2/32, 1 successors, FD is 128256
        via Connected, Loopback2
P 172.12.15.0/24, 1 successors, FD is 2172416
        via 172.12.123.1 (2172416/28160), Serial0/0
P 172.12.23.0/24, 1 successors, FD is 28160
        via Connected, FastEthernet0/0
P 172.12.123.0/24, 1 successors, FD is 2169856
        via Connected, Serial0/0
R2#

No 11.11.11.11/32 route is being advertised by R1. However, what if we want to add more than one distribute-list to EIGRP? That is a good question to lab:

R1(config-router)#exit
R1(config)#access-list 2 deny 2.2.2.2
R1(config)#access-list 2 permit any
R1(config)#router eigrp 100
R1(config-router)#distribute-list 2 in
R1(config-router)#
*May 11 02:28:35.003: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.12.123.2 (Serial0/0/0) is resync: route configuration changed
*May 11 02:28:35.003: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.12.123.3 (Serial0/0/0) is resync: route configuration changed
R1(config-router)#do sh ip proto
*** IP Routing is NSF aware ***

Routing Protocol is “eigrp 100”
  Outgoing update filter list for all interfaces is 11
  Incoming update filter list for all interfaces is 2

So as demonstrated here, you can have multiple ACEs to filter routes in a single ACL, however you cannot use multiple distribute-lists in a given direction: the new one replaces the old one, as the “sh ip proto” output shows (the incoming filter list is now 2, not 3). I’ll spare the output, but route 3.3.3.3/32 is once again in the Topology table and 2.2.2.2/32 is gone.

***Another random but important note: the command “show ip eigrp top all-links” will show all learned EIGRP routes, specifically including the ones that do NOT meet the Feasibility Condition to become a Feasible Successor in the Topology table***

The Feasibility Condition states that if a route’s Reported Distance is greater than the Successor route’s Feasible Distance, it is not put into the Topology table, but it is still learned and can be seen using the “sh ip eigrp top all-links” command.

Another good note, more geared for TSHOOT but it could show up on ROUTE: if a route you are expecting to be in the Topology table is not there, and the “… all-links” command does show it was learned, there may be a Bandwidth or Delay configuration on the interface that is altering the Metric and needs to be removed.

So if you are expecting a route, or are just asked how you see all routes in the Topology table, use “all-links” in the show command.
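As an added example that is not part of the original post, the following Python model applies the Feasibility Condition exactly as described above and renders the difference between the plain topology view and “all-links”. The first two paths for 3.3.3.3/32 use the metrics from R1’s own output above; the third path, via the hypothetical neighbor 172.12.123.9, is constructed so that its Reported Distance is not below the Feasible Distance and is therefore only visible with “all-links”.

```python
# Added example (not from the original post): a model of the Feasibility
# Condition used to show which paths appear in "show ip eigrp topology"
# and which only appear with "show ip eigrp topology all-links".
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Path:
    via: str   # next-hop neighbor
    fd: int    # this router's metric through that neighbor (first number in "(FD/RD)")
    rd: int    # the neighbor's own metric to the prefix (second number in "(FD/RD)")


def classify(paths: List[Path]) -> Tuple[List[Path], List[Path], List[Path]]:
    """Split paths into successors, feasible successors and learned-but-hidden paths."""
    best = min(p.fd for p in paths)                               # the prefix's Feasible Distance
    successors = [p for p in paths if p.fd == best]               # equal-cost paths are all successors
    feasible = [p for p in paths if p.fd != best and p.rd < best]   # RD < FD: Feasible Successor
    hidden = [p for p in paths if p.fd != best and p.rd >= best]    # fails the check: all-links only
    return successors, feasible, hidden


def render(prefix: str, paths: List[Path], all_links: bool = False) -> str:
    """Mimic the topology-table lines; all_links=True also lists the hidden paths."""
    successors, feasible, hidden = classify(paths)
    shown = successors + feasible + (hidden if all_links else [])
    lines = [f"P {prefix}, {len(successors)} successors, FD is {successors[0].fd}"]
    lines += [f"        via {p.via} ({p.fd}/{p.rd})" for p in shown]
    return "\n".join(lines)


# Metrics for 3.3.3.3/32 from R1's output in the post, plus one constructed path
# via a hypothetical neighbor 172.12.123.9 whose RD (2400000) is not below the
# FD of 2297856, so it is learned but never becomes a Feasible Successor.
ROUTE_3 = [
    Path("172.12.123.3", 2297856, 128256),
    Path("172.12.123.2", 2300416, 156160),
    Path("172.12.123.9", 4500000, 2400000),   # constructed
]

if __name__ == "__main__":
    print("sh ip eigrp top:")
    print(render("3.3.3.3/32", ROUTE_3))
    print("sh ip eigrp top all-links:")
    print(render("3.3.3.3/32", ROUTE_3, all_links=True))
```

Running the block prints two successor/feasible-successor lines for the plain view and three lines for the all-links view; the hidden path is the one to check for an interface Bandwidth or Delay setting when a route you expect is missing.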

NOW, FOR AN IMPORTANT LOOK AT HOW EXTENDED ACCESS-LISTS WORK WITH EIGRP DISTRIBUTE-LISTS, VERY IMPORTANT BEHAVIOR TO UNDERSTAND!

If using an Extended ACL rather than a Standard ACL, you are not limited to just blocking a route from any incoming or outgoing update: instead of filtering by the source a packet is coming from and the destination it is going to, the Extended ACL lets you filter a route only when it comes from a particular source.

This is done by reversing how the router normally looks at the ACL. Instead of the source and destination of a packet, the “source” portion identifies the router advertising the route, and the “destination” portion defines the route being advertised.

So for example, I only want to know about the Ethernet segment 172.12.23.0/24 from R3, and I only want to know of 3.3.3.3/32 from R2. Let’s step through this, starting with verification that we can see all routes initially on R1:

R1

R1(config)#do sh ip eigrp top
EIGRP-IPv4 Topology Table for AS(100)/ID(1.1.1.1)
Codes: P – Passive, A – Active, U – Update, Q – Query, R – Reply,
       r – reply Status, s – sia Status

P 11.11.11.11/32, 1 successors, FD is 128256
        via Connected, Loopback11
P 172.12.123.0/24, 1 successors, FD is 2169856
        via Connected, Serial0/0/0
P 172.12.15.0/24, 1 successors, FD is 28160
        via Connected, FastEthernet0/1
P 172.12.23.0/24, 2 successors, FD is 2173416
        via 172.12.123.2 (2173416/29160), Serial0/0/0
        via 172.12.123.3 (2173416/29160), Serial0/0/0
P 2.2.2.2/32, 1 successors, FD is 2297856
        via 172.12.123.2 (2297856/128256), Serial0/0/0
        via 172.12.123.3 (2300416/156160), Serial0/0/0
P 3.3.3.3/32, 1 successors, FD is 2297856
        via 172.12.123.3 (2297856/128256), Serial0/0/0
        via 172.12.123.2 (2300416/156160), Serial0/0/0

R1(config)#

The routes to be filtered are the 172.12.23.0/24 path via 172.12.123.2 and the 3.3.3.3/32 path via 172.12.123.3 (highlighted in red in the original output). Now let’s write an Extended ACL where the source defines the router advertising the route and the destination defines the route being advertised:

R1(config)#access-list 123 deny ip host 172.12.123.2 172.12.23.0 0.0.0.255
R1(config)#access-list 123 deny ip host 172.12.123.3 host 3.3.3.3
R1(config)#access-list 123 permit ip any any
R1(config)#router eigrp 100
R1(config-router)#distribute-list 123 in
R1(config-router)#
*May 11 03:10:57.967: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.12.123.2 (Serial0/0/0) is resync: route configuration changed
*May 11 03:10:57.967: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.12.123.3 (Serial0/0/0) is resync: route configuration changed
R1(config-router)#

So we should now see that our only path to the network 3.3.3.3/32 is through 172.12.123.2, and that our Ethernet segment 172.12.23.0/24 is only available via R3 (hopefully):

R1(config-router)#do sh ip eigrp top
EIGRP-IPv4 Topology Table for AS(100)/ID(1.1.1.1)
Codes: P – Passive, A – Active, U – Update, Q – Query, R – Reply,
       r – reply Status, s – sia Status

P 11.11.11.11/32, 1 successors, FD is 128256
        via Connected, Loopback11
P 172.12.123.0/24, 1 successors, FD is 2169856
        via Connected, Serial0/0/0
P 172.12.15.0/24, 1 successors, FD is 28160
        via Connected, FastEthernet0/1
P 172.12.23.0/24, 1 successors, FD is 2173416
        via 172.12.123.3 (2173416/29160), Serial0/0/0
P 2.2.2.2/32, 1 successors, FD is 2297856
        via 172.12.123.2 (2297856/128256), Serial0/0/0
        via 172.12.123.3 (2300416/156160), Serial0/0/0
P 3.3.3.3/32, 1 successors, FD is 2297856
        via 172.12.123.2 (2300416/156160), Serial0/0/0

R1(config-router)#

Beautiful, it works exactly how it should. You just need to keep in mind for EIGRP ACL Distribute-Lists that the source is the advertising router and the destination is the route to be filtered!
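To make both filtering demonstrations on this page (the Standard ACL 3 earlier and the Extended ACL 123 just above) concrete without a lab, here is an added Python model that is not part of the original post. It parses the same “access-list …” lines configured above and evaluates them the way the distribute-list does: a Standard ACE is matched against the route’s network address, and an Extended ACE’s source is the advertising neighbor while its destination is the route. The update list is built from R1’s topology table on this page; ACL 4 is constructed (not from the post) to show that a Standard ACE never looks at the prefix length, only the network address.

```python
# Added example (not from the original post): a model of how an EIGRP
# distribute-list evaluates a Standard or Extended ACL against a routing update.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Target = Tuple[str, str]                      # (base address, Cisco wildcard mask)
ANY: Target = ("0.0.0.0", "255.255.255.255")


@dataclass(frozen=True)
class ACE:
    permit: bool
    src: Target
    dst: Optional[Target] = None              # None for a Standard ACE


def _addr(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _looks_like_ip(tok: str) -> bool:
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: bits set to 1 in the wildcard are ignored."""
    keep = ~_addr(wildcard) & 0xFFFFFFFF
    return (_addr(addr) & keep) == (_addr(base) & keep)


def _parse_target(t: List[str], i: int) -> Tuple[Target, int]:
    """Consume one address spec (any | host A | A [wildcard]) starting at t[i]."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(t) and _looks_like_ip(t[i + 1]):
        return (t[i], t[i + 1]), i + 2
    return (t[i], "0.0.0.0"), i + 1           # bare address in a Standard ACE == host


def parse_acls(config_lines: List[str]) -> dict:
    """Build {acl_number: [ACE, ...]} from IOS 'access-list N permit|deny ...' lines."""
    acls: dict = {}
    for line in config_lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        num, permit = int(t[1]), t[2] == "permit"
        if num <= 99 or 1300 <= num <= 1999:   # Standard ACL: a single address spec
            src, _ = _parse_target(t, 3)
            ace = ACE(permit, src)
        else:                                   # Extended ACL: protocol, source, destination
            src, i = _parse_target(t, 4)        # t[3] is the protocol keyword ("ip")
            dst, _ = _parse_target(t, i)
            ace = ACE(permit, src, dst)
        acls.setdefault(num, []).append(ace)
    return acls


def route_permitted(acl: List[ACE], neighbor: str, prefix: str) -> bool:
    """Evaluate one update: `prefix` (e.g. '3.3.3.3/32') learned from / sent to `neighbor`."""
    network = str(ipaddress.IPv4Network(prefix).network_address)
    for ace in acl:
        if ace.dst is None:                     # Standard ACE: route network address only
            hit = wildcard_match(network, *ace.src)
        else:                                   # Extended ACE: (advertising router, route)
            hit = wildcard_match(neighbor, *ace.src) and wildcard_match(network, *ace.dst)
        if hit:
            return ace.permit
    return False                                # implicit deny at the end of every ACL


def apply_distribute_list(acl: List[ACE], updates):
    """Return the (neighbor, prefix) updates that survive the filter, in order."""
    return [(nbr, pfx) for nbr, pfx in updates if route_permitted(acl, nbr, pfx)]


# Learned entries from the post's R1 topology table, as (advertising neighbor, prefix).
R1_UPDATES = [
    ("172.12.123.2", "172.12.23.0/24"), ("172.12.123.3", "172.12.23.0/24"),
    ("172.12.123.2", "2.2.2.2/32"),     ("172.12.123.3", "2.2.2.2/32"),
    ("172.12.123.3", "3.3.3.3/32"),     ("172.12.123.2", "3.3.3.3/32"),
]

# ACLs 3 and 123 as configured in the post; ACL 4 is constructed for this example.
CONFIG = [
    "access-list 3 deny 3.3.3.3",
    "access-list 3 permit any",
    "access-list 123 deny ip host 172.12.123.2 172.12.23.0 0.0.0.255",
    "access-list 123 deny ip host 172.12.123.3 host 3.3.3.3",
    "access-list 123 permit ip any any",
    "access-list 4 deny 3.3.3.0 0.0.0.255",    # constructed: matches 3.3.3.0/24 and 3.3.3.3/32 alike
    "access-list 4 permit any",                # constructed
]
ACLS = parse_acls(CONFIG)

if __name__ == "__main__":
    for num in (3, 123):
        print(f"distribute-list {num} in ->")
        for nbr, pfx in apply_distribute_list(ACLS[num], R1_UPDATES):
            print(f"  {pfx} via {nbr}")
```

With ACL 3 the two 3.3.3.3/32 updates are dropped regardless of which neighbor sent them; with ACL 123 only the 172.12.23.0/24 update from 172.12.123.2 and the 3.3.3.3/32 update from 172.12.123.3 are dropped, matching the topology table above. ACL 4 illustrates why a Standard ACL is a blunt instrument for route filtering: it cannot distinguish 3.3.3.0/24 from 3.3.3.3/32, which is the gap a prefix-list closes.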

I will stop this here because this about covers all bases for EIGRP Distribute-List / route filtering using Distribute-Lists and Access-Lists, and will make a separate post regarding the use of Prefix-Lists and why we would bother to use them over this method.
