08-14-2023 06:58 AM - last edited on 08-15-2023 11:50 AM by Translator
Hello.
My goal is to stop ASA5525 AnyConnect /32 routes from flapping through the network.
Question:
What are the resulting differences between these 3 configs?
1. "#ip summary-address eigrp 1 172.16.25.0 255.255.255.0"
2. "#router EIGRP 1 #no auto-summary #network 172.16.25.0 0.0.0.255"
3. "#ip route 172.16.25.0 255.255.255.0" !!
Then EIGRP redistributes this via a route map with a prefix list.!!
--
Thank you!
08-14-2023 07:14 AM - last edited on 08-15-2023 11:58 AM by Translator
Hello @jmaxwellUSAF ,
Option 1) applies outbound on the interface where it is configured, not to all neighbors. You may want to add an AD value at the end, as this creates a static route to null0, so the use of an AD is recommended to avoid a possible routing black hole.
2) This is simply EIGRP with no auto-summary, and it will advertise any prefix in 172.25.0.0/16 regardless of prefix length. This is a prerequisite for option 1 or option 3.
3) If you create a static route to 172.25.0.0/16 with a true next-hop (not null0) or using null0, you are allowed to inject the prefix into EIGRP using redistribution of static routes; a route-map that invokes a prefix list matching 172.25.0.0/16 can be used.
The prefix-list has to match on an exact match only:
ip prefix-list ONLY-172-25 seq 5 permit 172.25.0.0/16
with no ge or le modifiers.
This kind of configuration will create an EIGRP external route for the prefix and allows filtering out the more specific routes only if they are not present in the EIGRP table.
If you have internal component routes in the EIGRP routing table (for the option 2 config) you should use a distribute list that denies the component routes and allows the aggregate, applied at the EIGRP process level.
Warning: the distribute list must allow all other prefixes that need to be advertised to neighbors. A route-map can be used in combination with the distribute-list command. The route-map can have multiple blocks, with a final block that simply allows all other prefixes.
ip prefix-list BLOCK-CR seq 5 permit 172.25.0.0/16 ge 17 le 32
route-map BLOCK-ROUTES permit 10
match ip prefix-list ONLY-172-25
route-map BLOCK-ROUTES deny 20
match ip prefix-list BLOCK-CR
! final statement empty to allow all other prefixes
route-map BLOCK-ROUTES permit 30
Hope to help
Giuseppe
08-14-2023 09:10 AM - last edited on 08-15-2023 11:59 AM by Translator
BTW, also, option two is a "given" when doing CIDR. Generally, we no longer want implicit Classful summarization.
Also, to @jmaxwellUSAF, you're sure you want to aggregate an entire /16? Just seems like an excessively large address block for a set of VPN clients, but that may have been what has been set aside for them.
08-14-2023 09:27 AM - last edited on 08-15-2023 12:00 PM by Translator
Yea, /16 is incorrect. It should be /24. I'm editing my post now. Thx.
08-14-2023 09:55 AM - edited 08-14-2023 09:56 AM
Good!
BTW, I vaguely recall (??? - decades ago) that some network VPN devices did NOT advertise host routes for their clients, to avoid the kind of issue you're working to mitigate. Possibly you don't need to do network summarization.
08-15-2023 11:27 AM - last edited on 08-15-2023 12:01 PM by Translator
Hello Giuseppe.
I understand the above route map. May you please add the distribute list config that will make this config complete?
Thank you.
08-16-2023 08:22 AM - edited 08-16-2023 08:23 AM
QUESTION: May you please tell me if this syntax looks correct? Thank you.
!! (obfuscated) !!
router eigrp 5
distribute-list route-map BLOCK-ANYCONNECT5-SLASH-32-ROUTES out
ip prefix-list PERMIT-ANYCONNECT5-SLASH-24-SUBNET seq 10 permit 172.16.25.0/16
ip prefix-list BLOCK-ANYCONNECT5-SLASH-32-SUBNETS seq 10 permit 172.16.25.0/16 ge 32
--
route-map BLOCK-ANYCONNECT5-SLASH-32-ROUTES permit 10
match ip prefix-list PERMIT-ANYCONNECT5-SLASH-24-SUBNET
route-map BLOCK-ANYCONNECT5-SLASH-32-ROUTES deny 20
match ip prefix-list BLOCK-ANYCONNECT5-SLASH-32-SUBNETS
!! (final statement empty to allow all other prefixes) !!
route-map BLOCK-ANYCONNECT5-SLASH-32-ROUTES permit 30
08-16-2023 10:20 AM
Hello @jmaxwellUSAF ,
The syntax looks correct, but you need to refer to the actual prefix /24:
ip prefix-list PERMIT-ANYCONNECT5-SLASH-24-SUBNET seq 10 permit 172.16.25.0/24
ip prefix-list BLOCK-ANYCONNECT5-SLASH-32-SUBNETS seq 10 permit 172.16.25.0/24 ge 32
Hope to help
Giuseppe
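The prefix-list and route-map behaviour Giuseppe describes (exact match with no ge/le for the aggregate, a ge/le range for the component routes, an empty final permit clause so everything else keeps flowing) can be checked before touching the router. The following Python model is an added example, not part of the thread and not Cisco code. It uses the corrected 172.16.25.0/24 prefix-list and route-map names from the final answer, adds one assumed list name (BLOCK-ANYCONNECT5-COMPONENTS) to carry Giuseppe's "ge 17 le 32" component-catching idea from a /16 over to the /24, and runs both variants over a constructed set of sample routes.

```python
"""Added example (not from the thread, not Cisco code): a small model of IOS
prefix-list and route-map matching, used to check which routes the thread's
'distribute-list route-map ... out' lets EIGRP advertise."""
import ipaddress

# Constructed sample routes: the AnyConnect aggregate, /32 host routes the ASA
# injects per client, a more-specific sub-block, and unrelated prefixes that
# must still reach the neighbors.
SAMPLE_ROUTES = [
    "172.16.25.0/24",    # the aggregate (summary-address or static route)
    "172.16.25.10/32",   # AnyConnect client host route
    "172.16.25.200/32",  # another client host route
    "172.16.25.0/25",    # more specific than the /24 but not a host route
    "172.16.0.0/16",     # less specific, unrelated to the aggregate
    "10.1.1.0/24",       # unrelated prefix
    "172.16.26.7/32",    # host route outside the aggregate
]

# Prefix lists from the thread's final answer, as (action, prefix, ge, le) in
# sequence order. BLOCK-ANYCONNECT5-COMPONENTS is an assumed name carrying
# Giuseppe's 'ge 17 le 32' idea (every component of a /16) over to the /24.
PREFIX_LISTS = {
    "PERMIT-ANYCONNECT5-SLASH-24-SUBNET": [("permit", "172.16.25.0/24", None, None)],
    "BLOCK-ANYCONNECT5-SLASH-32-SUBNETS": [("permit", "172.16.25.0/24", 32, None)],
    "BLOCK-ANYCONNECT5-COMPONENTS": [("permit", "172.16.25.0/24", 25, 32)],
}

# Route-map clauses as (seq, action, prefix-list name); None = no match
# statement, i.e. the empty final clause that permits everything else.
ROUTE_MAP = [
    (10, "permit", "PERMIT-ANYCONNECT5-SLASH-24-SUBNET"),
    (20, "deny", "BLOCK-ANYCONNECT5-SLASH-32-SUBNETS"),
    (30, "permit", None),
]
ROUTE_MAP_COMPONENTS = [
    (10, "permit", "PERMIT-ANYCONNECT5-SLASH-24-SUBNET"),
    (20, "deny", "BLOCK-ANYCONNECT5-COMPONENTS"),
    (30, "permit", None),
]


def entry_matches(route, prefix, ge=None, le=None):
    """IOS prefix-list entry semantics: the route's first n bits must equal
    the entry network (n = entry prefix length) and its prefix length must
    fall in [lo, hi]: no ge/le -> exactly n; ge only -> [ge, 32];
    le only -> [n, le]; ge and le -> [ge, le]."""
    net = ipaddress.ip_network(prefix)
    lo = ge if ge is not None else net.prefixlen
    if le is not None:
        hi = le
    else:
        hi = 32 if ge is not None else net.prefixlen
    if not lo <= route.prefixlen <= hi:
        return False
    return route.network_address in net


def prefix_list_permits(route, entries):
    """First matching entry decides. No match is an implicit deny, which for
    'match ip prefix-list' means the route-map clause does not match."""
    for action, prefix, ge, le in entries:
        if entry_matches(route, prefix, ge, le):
            return action == "permit"
    return False


def route_map_action(route_str, route_map, prefix_lists):
    """Return (action, seq) of the first matching clause; falling off the end
    of a route-map is an implicit deny."""
    route = ipaddress.ip_network(route_str)
    for seq, action, pl_name in route_map:
        if pl_name is None or prefix_list_permits(route, prefix_lists[pl_name]):
            return action, seq
    return "deny", None


def advertised(routes, route_map, prefix_lists):
    """Routes that survive 'distribute-list route-map <route_map> out'."""
    return [r for r in routes
            if route_map_action(r, route_map, prefix_lists)[0] == "permit"]


if __name__ == "__main__":
    for name, rm in (("ge 32 only", ROUTE_MAP), ("ge 25 le 32", ROUTE_MAP_COMPONENTS)):
        print(f"-- deny list variant: {name}")
        for r in SAMPLE_ROUTES:
            action, seq = route_map_action(r, rm, PREFIX_LISTS)
            print(f"{r:18} {action:6} (seq {seq})")
```

Two things the model makes visible that the config alone does not: with "ge 32" only, a more-specific block such as 172.16.25.0/25 is not caught by clause 20 and is advertised by the empty clause 30, while the "ge 25 le 32" variant denies every component of the /24; and a host route outside the aggregate (172.16.26.7/32) is never matched by either deny list, so it still reaches the neighbors. Clause 10 only has an effect if the /24 actually exists in the routing table, so the summary-address or static route from the question is still required.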