Filtering Routes with EIGRP
Problem
You want to restrict which routes EIGRP propagates through the network.
Solution
You can filter the routes that EIGRP receives on a particular interface (or subinterface) using the distribute-list in command as follows:
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#access-list 34 deny 192.168.30.0
Router2(config)#access-list 34 permit any
Router2(config)#router eigrp 55
Router2(config-router)#distribute-list 34 in Serial0.1
Router2(config-router)#exit
Router2(config)#end
Router2#
EIGRP also provides a distribute-list out command that allows you to filter the routes that are sent out through a particular interface (or subinterface):
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 57 permit 172.25.1.0
Router1(config)#access-list 57 deny any
Router1(config)#router eigrp 55
Router1(config-router)#distribute-list 57 out Serial0/0.2
Router1(config-router)#exit
Router1(config)#end
Router1#
And, with the gateway keyword, you can apply different filters to different neighbors on the same multiple access network:
Router9#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router9(config)#ip prefix-list ALLOWED-PREFIXES permit 10.0.0.0/8 le 32
Router9(config)#ip prefix-list ALLOWED-PREFIXES deny 0.0.0.0/0 le 32
Router9(config)#ip prefix-list ALLOWED-NEIGHBORS permit 172.18.19.1/32
Router9(config)#ip prefix-list ALLOWED-NEIGHBORS permit 172.18.19.4/32
Router9(config)#ip prefix-list ALLOWED-NEIGHBORS deny 0.0.0.0/0 le 32
Router9(config)#router eigrp 55
Router9(config-router)#distribute-list prefix ALLOWED-PREFIXES gateway ALLOWED-NEIGHBORS in
Router9(config-router)#exit
Router9(config)#end
Router9#
Discussion
The best way to see the action of these distribute-list commands is to look at the routing tables both with and without the filters. In the example, this is how the routing table looked before we applied any distribute lists:
Router2#show ip route eigrp
D    192.168.30.0/24 [90/2300416] via 172.25.2.1, 00:00:06, Serial0.1
D    172.22.0.0/16 [90/2172416] via 172.25.2.1, 00:04:04, Serial0.1
     172.25.0.0/16 is variably subnetted, 6 subnets, 4 masks
D       172.25.25.6/32 [90/2300416] via 172.25.2.1, 00:04:04, Serial0.1
D       172.25.25.1/32 [90/2297856] via 172.25.2.1, 00:04:04, Serial0.1
D       172.25.1.0/24 [90/2172416] via 172.25.2.1, 00:04:04, Serial0.1
D       172.25.0.0/16 is a summary, 00:06:39, Null0
D    10.0.0.0/8 [90/4357120] via 172.25.2.1, 00:04:04, Serial0.1
Router2#
Then, after applying the inbound filter, you can see that network 192.168.30.0 is gone:
Router2#show ip route eigrp
D    172.22.0.0/16 [90/2172416] via 172.25.2.1, 00:00:08, Serial0.1
     172.25.0.0/16 is variably subnetted, 6 subnets, 4 masks
D       172.25.25.6/32 [90/2300416] via 172.25.2.1, 00:00:08, Serial0.1
D       172.25.25.1/32 [90/2297856] via 172.25.2.1, 00:00:08, Serial0.1
D       172.25.1.0/24 [90/2172416] via 172.25.2.1, 00:00:08, Serial0.1
D       172.25.0.0/16 is a summary, 00:08:42, Null0
D    10.0.0.0/8 [90/4357120] via 172.25.2.1, 00:00:08, Serial0.1
Router2#
The show ip protocols command shows what filters have been applied to which interfaces, both inbound and outbound:
Router2#show ip protocols
Routing Protocol is "eigrp 55"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
    Serial0.1 filtered by 34 (per-user), default is 34
  Default networks flagged in outgoing updates
  Default networks accepted from incoming updates
  EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  EIGRP maximum hopcount 100
  EIGRP maximum metric variance 1
  Redistributing: eigrp 55
  Automatic network summarization is in effect
  Automatic address summarization:
    192.168.20.0/24 for Loopback0, Serial0.1
    172.25.0.0/16 for Ethernet0
      Summarizing with metric 128256
  Maximum path: 4
  Routing for Networks:
    172.25.0.0
    192.168.20.0
  Routing Information Sources:
    Gateway         Distance      Last Update
    172.25.2.1            90      00:02:10
  Distance: internal 90 external 170
Router2#
The second example in the Solution section of this recipe shows an outbound distribute list. It is difficult to see the effect of an outbound filter from the router that has the filter. So we will apply this filter to the neighbor device.
Look back at the output of the previous show ip route eigrp command to remember what the routing table looked like before applying this filter. Then, after applying the outbound distribute-list command on the neighboring router, the routing table looks like this:
Router2#show ip route eigrp
     172.25.0.0/16 is variably subnetted, 4 subnets, 4 masks
D       172.25.1.0/24 [90/2172416] via 172.25.2.1, 00:03:56, Serial0.1
Router2#
In this case, you will notice that we have applied an extremely restrictive outbound route filter. This technique is often used in WAN situations in which there is only one path from the remote site to the rest of the network. In such cases, it is often possible to send only a few summary routes, perhaps even a single default route, 0.0.0.0/0.
Again, the show ip protocols command shows information about both the filters and the interfaces that they act on:
Router1#show ip protocols
Routing Protocol is "eigrp 55"
  Outgoing update filter list for all interfaces is not set
    Serial0/0.2 filtered by 57 (per-user), default is 57
  Incoming update filter list for all interfaces is not set
  Default networks flagged in outgoing updates
  Default networks accepted from incoming updates
  EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  EIGRP maximum hopcount 100
  EIGRP maximum metric variance 1
  Redistributing: eigrp 55
  Automatic network summarization is in effect
  Automatic address summarization:
    172.25.0.0/16 for FastEthernet0/1, Serial0/1
      Summarizing with metric 28160
    172.22.0.0/16 for FastEthernet0/0.1, Serial0/0.2, Loopback0
      Serial0/1
      Summarizing with metric 28160
    10.0.0.0/8 for FastEthernet0/0.1, Serial0/0.2, Loopback0
      FastEthernet0/1
      Summarizing with metric 3845120
  Maximum path: 4
  Routing for Networks:
    10.0.0.0
    172.22.0.0
    172.25.0.0
  Routing Information Sources:
    Gateway         Distance      Last Update
    10.1.1.1              90      00:04:45
    172.25.1.7            90      00:04:45
    172.25.2.2            90      00:04:45
    172.22.1.4            90      00:04:45
  Distance: internal 90 external 170
Router1#
You can also use prefix lists to filter routes with EIGRP. This technique is most commonly used for filtering routes with BGP. Prefix lists do essentially the same thing as the access lists that we have already discussed, but they give you a different way of approaching filtering that is in some ways more in tune with how we think about routing. And because of the highly granular control they offer, it is often much easier to configure a prefix list to do the same job as an access list. Further, in mixed BGP/EIGRP networks, it can be extremely convenient to be able to use the same method for both routing protocols:
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ip prefix-list Inbound seq 10 permit 10.0.0.0/8
Router2(config)#ip prefix-list Inbound seq 20 deny 10.0.0.0/8 ge 9
Router2(config)#ip prefix-list Inbound seq 30 permit 0.0.0.0/0 le 32
Router2(config)#router eigrp 55
Router2(config-router)#distribute-list prefix Inbound in Serial0.1
Router2(config-router)#exit
Router2(config)#end
Router2#
There are three lines in the prefix list called Inbound in this example. The first line permits the 10.0.0.0/8 network. Then the second line denies any network belonging to 10.0.0.0 that happens to have a mask with nine or more bits. The final line permits all other routes.
Again, to see how this works, it is easiest to look at the routing table before and after applying the filter. So in this case, we start with a routing table that looks like this:
Router2#show ip route eigrp
D    192.168.30.0/24 [90/2300416] via 172.25.2.1, 00:00:16, Serial0.1
     10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
D EX    10.0.0.0/8 [170/4357120] via 172.25.2.1, 00:00:16, Serial0.1
D       10.2.2.0/24 [90/2300416] via 172.25.2.1, 00:00:16, Serial0.1
D       10.1.1.0/30 [90/4357120] via 172.25.2.1, 00:00:16, Serial0.1
D*EX 0.0.0.0/0 [170/2172416] via 172.25.2.1, 00:00:16, Serial0.1
Router2#
After applying this filter, this routing table is reduced to the following:
Router2#show ip route eigrp
D    192.168.30.0/24 [90/2300416] via 172.25.2.1, 00:00:22, Serial0.1
D EX 10.0.0.0/8 [170/4357120] via 172.25.2.1, 00:00:22, Serial0.1
D*EX 0.0.0.0/0 [170/2172416] via 172.25.2.1, 00:00:22, Serial0.1
Router2#
The gateway keyword is useful in some limited situations. This command is only allowed on inbound distribute lists. It then lets you filter which EIGRP neighbors to accept routing updates from. It does not allow you to filter one group of routes from one neighbor and a different group from a different neighbor, which makes the command less useful than it might initially appear.
The command tells the router to accept only routes that are in the list of allowed prefixes, and only if they are received from the allowed group of neighbors:
Router9(config-router)#distribute-list prefix ALLOWED-PREFIXES gateway ALLOWED-NEIGHBORS in
This feature is most useful in situations in which you want to block all routing updates from some neighbors, but you still want these neighbors to receive all of the outbound routing updates.
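The following Python sketch is an added example, not part of the original recipe and not Cisco code. It models prefix-list matching (first match wins, ge/le length windows, implicit deny) so that the Inbound list can be checked against the "before" routing table shown earlier, and it models the gateway form the way the text above describes it. The function names and the neighbor address 172.18.19.2 are assumptions made for illustration.

```python
import ipaddress

def parse_entry(line):
    """Parse 'permit|deny PREFIX/LEN [ge N] [le N]' (name and seq stripped)."""
    tok = line.split()
    action, net = tok[0], ipaddress.ip_network(tok[1])
    opts = dict(zip(tok[2::2], map(int, tok[3::2])))
    ge, le = opts.get("ge"), opts.get("le")
    # Length window: no ge/le means an exact-length match; ge alone runs
    # up to /32; le alone starts at the entry's own length.
    lo = ge if ge is not None else net.prefixlen
    hi = le if le is not None else (32 if ge is not None else net.prefixlen)
    return action, net, lo, hi

def evaluate(prefix_list, route):
    """First matching entry decides; falling off the end is a deny."""
    route = ipaddress.ip_network(route)
    for action, net, lo, hi in map(parse_entry, prefix_list):
        if lo <= route.prefixlen <= hi and route.subnet_of(net):
            return action == "permit"
    return False

# Entries copied from the page's prefix lists.
INBOUND = ["permit 10.0.0.0/8", "deny 10.0.0.0/8 ge 9", "permit 0.0.0.0/0 le 32"]
ALLOWED_PREFIXES = ["permit 10.0.0.0/8 le 32", "deny 0.0.0.0/0 le 32"]
ALLOWED_NEIGHBORS = ["permit 172.18.19.1/32", "permit 172.18.19.4/32",
                     "deny 0.0.0.0/0 le 32"]
# Prefixes from the "before" routing table in the Discussion.
ROUTES = ["192.168.30.0/24", "10.0.0.0/8", "10.2.2.0/24", "10.1.1.0/30", "0.0.0.0/0"]

def surviving(prefix_list, routes):
    """Routes a distribute-list using this prefix list would let through."""
    return [r for r in routes if evaluate(prefix_list, r)]

def accept_from(neighbor, route):
    """Gateway form: the sending neighbor and the prefix must both pass."""
    return (evaluate(ALLOWED_NEIGHBORS, neighbor + "/32")
            and evaluate(ALLOWED_PREFIXES, route))

if __name__ == "__main__":
    print(surviving(INBOUND, ROUTES))
    # 172.18.19.2 is a constructed neighbor address that is not in the list.
    for nbr in ("172.18.19.1", "172.18.19.2"):
        print(nbr, accept_from(nbr, "10.2.2.0/24"))
```

Running a candidate prefix list through a model like this before applying it is a quick way to confirm that the default route and the summaries you depend on survive the filter.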
See Also
Chapter 9