EIGRP Route Filtering via Prefix-List Help

Rob R.
Level 1

Hello, I'm trying to understand why a prefix-list is not working the way I thought it should. I have a LAN Subnet, 200.50.5.0/27 that I want to be able to access the core network but I do not want the core to be able to access it. In other words, I want hosts in 200.50.5.0/27 off R11 to be able to access R2. I've applied a Prefix-List on R10 via distribute-list but hosts in 200.50.5.0/27 are no longer able to ping R2's Interface at 200.20.16.1. I thought I could block EIGRP routing updates in the Outbound direction only. Any ideas where I'm going wrong? Here is a screenshot of my topology, I'm unable to ping from PC1 (200.50.5.5) to R2's Interface 200.20.16.1. 

R10's Prefix-List

router eigrp 1
 network 200.20.16.0 0.0.0.3
 network 200.20.16.4 0.0.0.3
 distribute-list prefix EMS-LANS out FastEthernet0/0  <-- I thought the "out" keyword would allow the PC to still access 200.20.16.1 but not vice-versa?
 no auto-summary

ip prefix-list EMS-LANS seq 5 deny 200.50.1.0/25
ip prefix-list EMS-LANS seq 10 deny 200.50.5.0/27
ip prefix-list EMS-LANS seq 15 permit 0.0.0.0/0 le 32

Accepted Solution

Richard Burts
Hall of Fame

You have a mistaken understanding of what the distribute list/prefix list is doing and of its impact. From your description it sounds like you want it to work like an access list/access-group to permit or to deny traffic being forwarded. But what the distribute list/prefix list does is to control advertisement of the subnet. When you apply this distribute list/prefix list it prevents advertisement of the 200.50.5.0 subnet to R2. Since R2 now has no knowledge of how to reach 200.50.5.0 it has no way to communicate with that subnet, including how to respond to traffic originated from R11. So you have prevented all communication and not just communication originated from the core.

What you want to accomplish in allowing R11 to send traffic to the core and receive responses but to prevent traffic originated from the core to R11 is quite complex. It is best accomplished by a device doing stateful inspection such as a firewall and quite difficult on a router. On a router your best options would be something like Zone Based Firewall or like CBAC.

 

HTH

Rick
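As an added example (not part of the thread, and not configuration from either poster), this is what the stateful alternative Rick describes looks like on R10 with Cisco IOS Zone-Based Firewall. It assumes FastEthernet0/0 on R10 faces the core (R2), as the distribute-list line suggests, and that FastEthernet0/1 faces R11 and the 200.50.5.0/27 LAN; the interface name FastEthernet0/1 and the class-map, policy-map and zone names are assumptions. The distribute-list is removed so that 200.50.5.0/27 is advertised to R2 again and R2 has a return route; the firewall then allows sessions initiated from the LAN side and, because no CORE-to-LAN zone pair exists, drops sessions initiated from the core.

```cisco
! R10: restore the advertisement so R2 learns 200.50.5.0/27 again
router eigrp 1
 no distribute-list prefix EMS-LANS out FastEthernet0/0

! Traffic allowed to originate from the LAN side (class name is assumed)
class-map type inspect match-any LAN-TO-CORE-CLASS
 match protocol icmp
 match protocol tcp
 match protocol udp

! Stateful inspection of LAN-initiated flows; anything else in this
! direction is dropped and logged
policy-map type inspect LAN-TO-CORE-POLICY
 class type inspect LAN-TO-CORE-CLASS
  inspect
 class class-default
  drop log

! Two zones and a single LAN -> CORE zone pair. With no CORE -> LAN pair,
! traffic initiated from the core toward the LAN is dropped by default,
! while replies to inspected LAN-initiated sessions are allowed back.
zone security LAN
zone security CORE
zone-pair security LAN-TO-CORE source LAN destination CORE
 service-policy type inspect LAN-TO-CORE-POLICY

! Interface assignments (FastEthernet0/1 as the R11-facing interface is assumed)
interface FastEthernet0/1
 zone-member security LAN
interface FastEthernet0/0
 zone-member security CORE
```

To check it, ping 200.20.16.1 from PC1 and then ping 200.50.5.5 from R2: the first should succeed and show up under `show policy-map type inspect zone-pair LAN-TO-CORE sessions`, the second should be dropped. `show zone-pair security` confirms the single direction of the pair. Router-originated traffic, including the EIGRP adjacency with R2, lives in the self zone and is not affected by this policy; the feature requires an IOS image with the firewall feature set.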

3 Replies


Rick,

Thank you for responding. I really appreciate the insight. I was not considering that R2 had no way to respond to the ICMP from R11.

Thank you,

Rob

Rob,

I am glad that my response was helpful. Thank you for using the rating system to mark this question as answered. This will help other readers in the forum to identify discussions which have helpful information.

This forum is a good place to clarify our understanding of many of the concepts used in networking. I hope we will see you continue to be active in the forum.

HTH

Rick