topic Re: EIGRP Route Filtering with ACL issue in Routing and SD-WAN

EIGRP Route Filtering with ACL issue

trilerian1 — Thu, 03 Nov 2022 09:45:18 GMT

I am doing route filtering with acl for an EIGRP AS. I have an issue with two /24 of a /20 that are coming through even though there is a deny statement for those networks.

The subnets in particular are 172.26.110.0/24 and 172.26.120.0/24

Here is my ACL

access-list 5 remark Filter incoming routes from Somewhere
access-list 5 deny 172.26.110.0 0.0.0.255
access-list 5 deny 172.26.120.0 0.0.0.255
access-list 5 permit 172.26.0.0 0.0.255.255
access-list 5 deny any

Here is my EIGRP config for this AS.

router eigrp Somewhere
!
address-family ipv4 unicast autonomous-system 2
!
af-interface default
passive-interface
exit-af-interface
!
af-interface Vlan1023
no passive-interface
exit-af-interface
!
topology base
distribute-list 5 in Vlan1023
redistribute eigrp 10
exit-af-topology
network 10.162.23.0 0.0.0.255
eigrp stub connected redistributed
exit-address-family

And when I do a show ip route, the bolded routes come through even though I am denying part of the subnet.

172.26.0.0/16 is variably subnetted, 14 subnets, 6 masks
D EX 172.26.0.0/20 [170/51722240] via 10.162.23.253, 1w0d, Vlan1023
D EX 172.26.0.254/32 [170/117760] via 10.162.23.253, 1w0d, Vlan1023
D EX 172.26.32.0/21 [170/51722240] via 10.162.23.253, 1w0d, Vlan1023
D EX 172.26.48.0/20 [170/51722240] via 10.162.23.253, 1w0d, Vlan1023
D EX 172.26.64.0/19 [170/51722240] via 10.162.23.253, 1w0d, Vlan1023
D EX 172.26.96.0/20 [170/51722240] via 10.162.23.253, 1w0d, Vlan1023
D EX 172.26.112.0/20 [170/51722240] via 10.162.23.253, 1w0d, Vlan1023
D EX 172.26.128.0/20 [170/51722240] via 10.162.23.253, 1w0d, Vlan1023
D EX 172.26.144.0/20 [170/51722240] via 10.162.23.253, 1w0d, Vlan1023
D EX 172.26.160.0/20 [170/51722240] via 10.162.23.253, 1w0d, Vlan1023
D EX 172.26.224.0/24 [170/51722240] via 10.162.23.253, 1w0d, Vlan1023
D EX 172.26.252.0/22 [170/51722240] via 10.162.23.253, 1w0d, Vlan1023

Can you not deny part of a bigger subnet that you are allowing through? I've added static routes to the /24 networks so the routing is fine, but I would like the route filtering to work.

Thanks

Re: EIGRP Route Filtering with ACL issue

David Ruess — Thu, 27 Oct 2022 16:25:38 GMT

Hello,

Edited as I didnt see the distribute list applied.

Are you able to ping the devices that you are trying to block form that device?

If you are only blocking part of the subnet it will still allow the subnet as a whole to be advertised. It looks to be working as intended.

-David

Re: EIGRP Route Filtering with ACL issue

trilerian1 — Thu, 27 Oct 2022 16:47:28 GMT

Thanks, I will look into a prefix list.

Re: EIGRP Route Filtering with ACL issue

MHM Cisco World — Thu, 03 Nov 2022 09:46:39 GMT

can you check


show access-list

see if match is hit the 0.0.0.255 or 0.0.255.255
share here if you can

Re: EIGRP Route Filtering with ACL issue

Richard Burts — Thu, 03 Nov 2022 09:47:19 GMT

It is interesting that all of the routes that you show us are external. And it is interesting that the eigrp config that you post is for AS 2 and includes

redistribute eigrp 10

What can you tell us about eigrp 10?

Re: EIGRP Route Filtering with ACL issue

paul driver — Sun, 30 Oct 2022 04:31:18 GMT

Those two /24 are not in the route table just the the smmary is.
If you summarize a subnet as long as a single network/interfface related to the larger subnet is active and in the route table the summary will be advertised.

Re: EIGRP Route Filtering with ACL issue

trilerian1 — Tue, 01 Nov 2022 12:52:59 GMT

This router is an edge router and redistributes routes from two different AS to the other based on ACL filtering. I guess the ACL needs to change or I need to come up with something different. When I started researching how to filter the routes there were three different methods: ACL, prefix, and route map. I think I am going to go look at route maps.

Re: EIGRP Route Filtering with ACL issue

trilerian1 — Tue, 01 Nov 2022 13:03:50 GMT

Quick question. If on the other end, outgoing acl for filtering, if those /24s are filtered but the /16 is allowed after the deny for the /24, would it still summarize the entire /16? If so, what is the easiest way to deny specific /24s of a /16 in a filter?

The reason why I need to do this: routes that I don't want to come through are part of ipsec tunnels on the firewall, so I don't want these other routes to exist at all. On this router I can create more specific routes to the firewall for those networks, and that is what I have done. But the idea is to filter out any unwanted routes to begin with.

Thanks

Re: EIGRP Route Filtering with ACL issue

MHM Cisco World — Thu, 03 Nov 2022 09:49:37 GMT

can you share the

show access-list ?

I want to see which line is hit and which not hit

for me I always use

prefix-list

not ACL

https://loopedback.com/2017/05/10/eigrp-deep-dive-into-prefix-list-configurations-access-list-vs-prefix-list-using-prefix-lists-to-filter-eigrp-routes-with-distribute-lists/

Re: EIGRP Route Filtering with ACL issue

trilerian1 — Thu, 03 Nov 2022 09:51:53 GMT


60 deny 172.26.110.0, wildcard bits 0.0.0.255
70 deny 172.26.120.0, wildcard bits 0.0.0.255
90 permit 172.26.0.0, wildcard bits 0.0.255.255 (24 matches)

Looks like it does nothing with those /24s. But, they are also smaller parts of those routes, I wonder if I deny the /20 if it would still show...

Re: EIGRP Route Filtering with ACL issue

MHM Cisco World — Tue, 01 Nov 2022 15:31:24 GMT

https://ine.com/blog/2008-01-04-using-extended-access-lists-in-a-distribute-list

check this link, I think you need to more modify wildcard 0.0.255.255 <<-

Re: EIGRP Route Filtering with ACL issue

trilerian1 — Thu, 03 Nov 2022 09:52:45 GMT

Replying to my own post. That did the trick...

60 deny 172.26.96.0, wildcard bits 0.0.15.255 (2 matches)
70 deny 172.26.112.0, wildcard bits 0.0.15.255 (2 matches)

90 permit 172.26.0.0, wildcard bits 0.0.255.255 (20 matches)

Re: EIGRP Route Filtering with ACL issue

MHM Cisco World — Thu, 03 Nov 2022 09:54:10 GMT

Yes, as I mention before I prefer use

prefix-list,

and if you use distribute access list always check it with

show access-list

to modify it.

good job Friend.

Re: EIGRP Route Filtering with ACL issue

Richard Burts — Thu, 03 Nov 2022 09:55:42 GMT

I am a bit confused about what is going on here. The

show access list

does not show any hits on the deny /24 statements but does show hits on the deny /16 statement. I do agree that using a

prefix list

might be more effective here and an access list.