Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
756
Views
15
Helpful
13
Replies

EIGRP Route Filtering with ACL issue

Go to solution
trilerian1
Level 1
Level 1

‎10-27-2022 08:09 AM - last edited on ‎11-03-2022 02:45 AM by Community Manager

I am doing route filtering with acl for an EIGRP AS.  I have an issue with two /24 of a /20 that are coming through even though there is a deny statement for those networks.

The subnets in particular are 172.26.110.0/24 and 172.26.120.0/24

Here is my ACL

access-list 5 remark Filter incoming routes from Somewhere
access-list 5 deny 172.26.110.0 0.0.0.255
access-list 5 deny 172.26.120.0 0.0.0.255
access-list 5 permit 172.26.0.0 0.0.255.255
access-list 5 deny any

 

Here is my EIGRP config for this AS.

router eigrp Somewhere
!
address-family ipv4 unicast autonomous-system 2
!
af-interface default
passive-interface
exit-af-interface
!
af-interface Vlan1023
no passive-interface
exit-af-interface
!
topology base
distribute-list 5 in Vlan1023
redistribute eigrp 10
exit-af-topology
network 10.162.23.0 0.0.0.255
eigrp stub connected redistributed
exit-address-family

 

And when I do a show ip route, the bolded routes come through even though I am denying part of the subnet. 

172.26.0.0/16 is variably subnetted, 14 subnets, 6 masks
D EX 172.26.0.0/20 [170/51722240] via 10.162.23.253, 1w0d, Vlan1023
D EX 172.26.0.254/32 [170/117760] via 10.162.23.253, 1w0d, Vlan1023
D EX 172.26.32.0/21 [170/51722240] via 10.162.23.253, 1w0d, Vlan1023
D EX 172.26.48.0/20 [170/51722240] via 10.162.23.253, 1w0d, Vlan1023
D EX 172.26.64.0/19 [170/51722240] via 10.162.23.253, 1w0d, Vlan1023
D EX 172.26.96.0/20 [170/51722240] via 10.162.23.253, 1w0d, Vlan1023
D EX 172.26.112.0/20 [170/51722240] via 10.162.23.253, 1w0d, Vlan1023
D EX 172.26.128.0/20 [170/51722240] via 10.162.23.253, 1w0d, Vlan1023
D EX 172.26.144.0/20 [170/51722240] via 10.162.23.253, 1w0d, Vlan1023
D EX 172.26.160.0/20 [170/51722240] via 10.162.23.253, 1w0d, Vlan1023
D EX 172.26.224.0/24 [170/51722240] via 10.162.23.253, 1w0d, Vlan1023
D EX 172.26.252.0/22 [170/51722240] via 10.162.23.253, 1w0d, Vlan1023

 

Can you not deny part of a bigger subnet that you are allowing through? I've added static routes to the /24 networks so the routing is fine, but I would like the route filtering to work.  

 

Thanks

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
paul driver
VIP
VIP

‎10-29-2022 09:31 PM

Those two /24 are not in the route table just the the smmary is.
If you summarize a subnet as long as a single network/interfface related to the larger subnet is active and in the route table the summary will be advertised.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

13 Replies 13

Go to solution
David Ruess
VIP
VIP

‎10-27-2022 09:09 AM - edited ‎10-27-2022 09:25 AM

Hello,

Edited as I didnt see the distribute list applied.

Are you able to ping the devices that you are trying to block form that device?

If you are only blocking part of the subnet it will still allow the subnet as a whole to be advertised. It looks to be working as intended.

 

-David

Go to solution
trilerian1
Level 1
Level 1
In response to David Ruess

‎10-27-2022 09:47 AM

Thanks, I will look into a prefix list. 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to trilerian1

‎10-27-2022 04:52 PM - last edited on ‎11-03-2022 02:46 AM by Community Manager

can you check 


show access-list 


see if match is hit the 0.0.0.255 or 0.0.255.255 
share here if you can 

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to MHM Cisco World

‎10-29-2022 12:00 PM - last edited on ‎11-03-2022 02:47 AM by Community Manager

It is interesting that all of the routes that you show us are external. And it is interesting that the eigrp config that you post is for AS 2 and includes

redistribute eigrp 10

What can you tell us about eigrp 10?

HTH

Rick
0 Helpful

Go to solution
trilerian1
Level 1
Level 1
In response to Richard Burts

‎11-01-2022 05:52 AM

This router is an edge router and redistributes routes from two different AS to the other based on ACL filtering.  I guess the ACL needs to change or I need to come up with something different.  When I started researching how to filter the routes there were three different methods: ACL, prefix, and route map.  I think I am going to go look at route maps.  

0 Helpful

Go to solution
paul driver
VIP
VIP

‎10-29-2022 09:31 PM

Those two /24 are not in the route table just the the smmary is.
If you summarize a subnet as long as a single network/interfface related to the larger subnet is active and in the route table the summary will be advertised.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Go to solution
trilerian1
Level 1
Level 1
In response to paul driver

‎11-01-2022 06:03 AM

Quick question.  If on the other end, outgoing acl for filtering, if those /24s are filtered but the /16 is allowed after the deny for the /24, would it still summarize the entire /16?  If so, what is the easiest way to deny specific /24s of a /16 in a filter? 

The reason why I need to do this: routes that I don't want to come through are part of ipsec tunnels on the firewall, so I don't want these other routes to exist at all.  On this router I can create more specific routes to the firewall for those networks, and that is what I have done.  But the idea is to filter out any unwanted routes to begin with.

Thanks

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to trilerian1

‎11-01-2022 08:10 AM - last edited on ‎11-03-2022 02:49 AM by Community Manager

can you share the

show access-list ?


I want to see which line is hit and which not hit

for me I always use

prefix-list

not ACL 

https://loopedback.com/2017/05/10/eigrp-deep-dive-into-prefix-list-configurations-access-list-vs-prefix-list-using-prefix-lists-to-filter-eigrp-routes-with-distribute-lists/

 

Go to solution
trilerian1
Level 1
Level 1
In response to MHM Cisco World

‎11-01-2022 08:24 AM - last edited on ‎11-03-2022 02:51 AM by Community Manager 


60 deny 172.26.110.0, wildcard bits 0.0.0.255
70 deny 172.26.120.0, wildcard bits 0.0.0.255
90 permit 172.26.0.0, wildcard bits 0.0.255.255 (24 matches)

 

Looks like it does nothing with those /24s.  But, they are also smaller parts of those routes, I wonder if I deny the /20 if it would still show... 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to trilerian1

‎11-01-2022 08:31 AM

https://ine.com/blog/2008-01-04-using-extended-access-lists-in-a-distribute-list

check this link, I think you need to more modify wildcard 0.0.255.255 <<- 

0 Helpful

Go to solution
trilerian1
Level 1
Level 1
In response to trilerian1

‎11-01-2022 08:35 AM - last edited on ‎11-03-2022 02:52 AM by Community Manager

Replying to my own post.  That did the trick...

60 deny 172.26.96.0, wildcard bits 0.0.15.255 (2 matches)
70 deny 172.26.112.0, wildcard bits 0.0.15.255 (2 matches)

90 permit 172.26.0.0, wildcard bits 0.0.255.255 (20 matches)


0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to trilerian1

‎11-01-2022 08:40 AM - last edited on ‎11-03-2022 02:54 AM by Community Manager

Yes, as I mention before I prefer use

prefix-list, 


and if you use distribute access list always check it with

show access-list

to modify it.

good job Friend. 

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to trilerian1

‎11-01-2022 08:48 AM - last edited on ‎11-03-2022 02:55 AM by Community Manager

I am a bit confused about what is going on here. The

show access list

does not show any hits on the deny /24 statements but does show hits on the deny /16 statement. I do agree that using a

prefix list

might be more effective here and an access list.

HTH

Rick
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card