05-10-2015 02:22 PM - edited 03-05-2019 01:26 AM
Hello, I'm trying to understand why a prefix-list is not working the way I thought it should. I have a LAN Subnet, 200.50.5.0/27 that I want to be able to access the core network but I do not want the core to be able to access it. In other words, I want hosts in 200.50.5.0/27 off R11 to be able to access R2. I've applied a Prefix-List on R10 via distribute-list but hosts in 200.50.5.0/27 are no longer able to ping R2's Interface at 200.20.16.1. I thought I could block EIGRP routing updates in the Outbound direction only. Any ideas where I'm going wrong? Here is a screenshot of my topology, I'm unable to ping from PC1 (200.50.5.5) to R2's Interface 200.20.16.1.
R10's Prefix-List
router eigrp 1
network 200.20.16.0 0.0.0.3
network 200.20.16.4 0.0.0.3
distribute-list prefix EMS-LANS out FastEthernet0/0 <-- I thought the "out" keyword would allow the PC to still access 200.20.16.1 but not vice-versa?
no auto-summary
ip prefix-list EMS-LANS seq 5 deny 200.50.1.0/25
ip prefix-list EMS-LANS seq 10 deny 200.50.5.0/27
ip prefix-list EMS-LANS seq 15 permit 0.0.0.0/0 le 32
05-10-2015 07:13 PM
You have a mistaken understanding of what the distribute list/prefix list is doing and of its impact. From your description it sounds like you want it to work like an access list/access-group to permit or to deny traffic being forwarded. But what the distribute list/prefix list does is to control advertisement of the subnet. When you apply this distribute list/prefix list it prevents advertisement of the 200.50.5.0 to R2. Since R2 now has no knowledge of how to reach 200.50.5.0 it has no way to communicate with that subnet, including how to respond to traffic originated from R11. So you have prevented all communication and not just communication originated from the core.
What you want to accomplish in allowing R11 to send traffic to the core and receive responses but to prevent traffic originated from the core to R11 is quite complex. It is best accomplished by a device doing stateful inspection such as a firewall and quite difficult on a router. On a router your best options would be something like Zone Based Firewall or like CBAC.
HTH
Rick
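To make the distinction in the answer above concrete, here is an added example (not part of the original thread, and not posted by either participant) of how the goal could be met on R10 with Zone-Based Firewall instead of a distribute-list. The distribute-list is removed so R2 learns 200.50.5.0/27 again, and a one-way zone-pair lets sessions initiated from the LAN side out to the core while their return traffic is permitted by the inspection state. Assumptions not in the original post: FastEthernet0/0 is R10's core-facing interface (consistent with the `out FastEthernet0/0` distribute-list in the question), FastEthernet0/1 is the interface toward R11 and the 200.50.5.0/27 LAN, and the zone, class-map and policy-map names are invented for this example.

```cisco
! --- Restore routing: the prefix-list was suppressing the route, not the traffic ---
router eigrp 1
 no distribute-list prefix EMS-LANS out FastEthernet0/0
!
! --- Stateful, one-way filtering with Zone-Based Firewall (example config) ---
! Traffic the LAN side is allowed to initiate toward the core.
class-map type inspect match-any EMS-LAN-TO-CORE-CM
 match protocol icmp
 match protocol tcp
 match protocol udp
!
! "inspect" creates session state so replies are allowed back in;
! anything else from the LAN toward the core is dropped.
policy-map type inspect EMS-LAN-TO-CORE-PM
 class type inspect EMS-LAN-TO-CORE-CM
  inspect
 class class-default
  drop
!
zone security EMS-LAN
zone security CORE
!
! Only one zone-pair is defined (EMS-LAN -> CORE). With no CORE -> EMS-LAN
! zone-pair, connections initiated from the core toward 200.50.5.0/27 are
! dropped by default, while return traffic for inspected sessions is permitted.
zone-pair security EMS-LAN-TO-CORE source EMS-LAN destination CORE
 service-policy type inspect EMS-LAN-TO-CORE-PM
!
interface FastEthernet0/1
 description Toward R11 / 200.50.5.0/27 (assumed interface)
 zone-member security EMS-LAN
!
interface FastEthernet0/0
 description Toward R2 / core (assumed from the distribute-list in the question)
 zone-member security CORE
```

Two practical checks after applying this: first, `show ip route` on R2 should again list 200.50.5.0/27 as an EIGRP route, since nothing is filtering the advertisement any more; second, EIGRP between R10 and R2 keeps running because traffic sourced by or destined to the router itself belongs to the `self` zone, which is permitted by default unless a zone-pair involving `self` is configured. A ping from PC1 to 200.20.16.1 should succeed (echo out, inspected reply back), while a ping from R2 sourced from 200.20.16.1 toward 200.50.5.5 should be dropped at R10. `show policy-map type inspect zone-pair sessions` shows the sessions the inspection created.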
05-10-2015 07:47 PM
Rick,
Thank you for responding. I really appreciate the insight. I was not considering that R2 had no way to respond to the ICMP from R11.
Thank you,
Rob
05-10-2015 07:56 PM
Rob
I am glad that my response was helpful. Thank you for using the rating system to mark this question as answered. This will help other readers in the forum to identify discussions which have helpful information.
This forum is a good place to clarify our understanding of many of the concepts used in networking. I hope we will see you continue to be active in the forum.
HTH
Rick