Solved: EIGRP Route Filtering with ACL issue

trilerian1 · ‎10-27-2022

I am doing route filtering with acl for an EIGRP AS. I have an issue with two /24 of a /20 that are coming through even though there is a deny statement for those networks.

The subnets in particular are 172.26.110.0/24 and 172.26.120.0/24

Here is my ACL

access-list 5 remark Filter incoming routes from Somewhere
access-list 5 deny 172.26.110.0 0.0.0.255
access-list 5 deny 172.26.120.0 0.0.0.255
access-list 5 permit 172.26.0.0 0.0.255.255
access-list 5 deny any

Here is my EIGRP config for this AS.

router eigrp Somewhere
!
address-family ipv4 unicast autonomous-system 2
!
af-interface default
passive-interface
exit-af-interface
!
af-interface Vlan1023
no passive-interface
exit-af-interface
!
topology base
distribute-list 5 in Vlan1023
redistribute eigrp 10
exit-af-topology
network 10.162.23.0 0.0.0.255
eigrp stub connected redistributed
exit-address-family

And when I do a show ip route, the bolded routes come through even though I am denying part of the subnet.

172.26.0.0/16 is variably subnetted, 14 subnets, 6 masks
D EX 172.26.0.0/20 [170/51722240] via 10.162.23.253, 1w0d, Vlan1023
D EX 172.26.0.254/32 [170/117760] via 10.162.23.253, 1w0d, Vlan1023
D EX 172.26.32.0/21 [170/51722240] via 10.162.23.253, 1w0d, Vlan1023
D EX 172.26.48.0/20 [170/51722240] via 10.162.23.253, 1w0d, Vlan1023
D EX 172.26.64.0/19 [170/51722240] via 10.162.23.253, 1w0d, Vlan1023
D EX 172.26.96.0/20 [170/51722240] via 10.162.23.253, 1w0d, Vlan1023
D EX 172.26.112.0/20 [170/51722240] via 10.162.23.253, 1w0d, Vlan1023
D EX 172.26.128.0/20 [170/51722240] via 10.162.23.253, 1w0d, Vlan1023
D EX 172.26.144.0/20 [170/51722240] via 10.162.23.253, 1w0d, Vlan1023
D EX 172.26.160.0/20 [170/51722240] via 10.162.23.253, 1w0d, Vlan1023
D EX 172.26.224.0/24 [170/51722240] via 10.162.23.253, 1w0d, Vlan1023
D EX 172.26.252.0/22 [170/51722240] via 10.162.23.253, 1w0d, Vlan1023

Can you not deny part of a bigger subnet that you are allowing through? I've added static routes to the /24 networks so the routing is fine, but I would like the route filtering to work.

Thanks

paul driver · ‎10-29-2022

Those two /24 are not in the route table just the the smmary is.
If you summarize a subnet as long as a single network/interfface related to the larger subnet is active and in the route table the summary will be advertised.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

David Ruess · ‎10-27-2022

Hello,

Edited as I didnt see the distribute list applied.

Are you able to ping the devices that you are trying to block form that device?

If you are only blocking part of the subnet it will still allow the subnet as a whole to be advertised. It looks to be working as intended.

-David

trilerian1 · ‎10-27-2022

Thanks, I will look into a prefix list.

MHM Cisco World · ‎10-27-2022

can you check


show access-list

see if match is hit the 0.0.0.255 or 0.0.255.255
share here if you can

Richard Burts · ‎10-29-2022

It is interesting that all of the routes that you show us are external. And it is interesting that the eigrp config that you post is for AS 2 and includes

redistribute eigrp 10

What can you tell us about eigrp 10?

HTH

Rick

trilerian1 · ‎11-01-2022

This router is an edge router and redistributes routes from two different AS to the other based on ACL filtering. I guess the ACL needs to change or I need to come up with something different. When I started researching how to filter the routes there were three different methods: ACL, prefix, and route map. I think I am going to go look at route maps.

paul driver · ‎10-29-2022

Those two /24 are not in the route table just the the smmary is.
If you summarize a subnet as long as a single network/interfface related to the larger subnet is active and in the route table the summary will be advertised.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

trilerian1 · ‎11-01-2022

Quick question. If on the other end, outgoing acl for filtering, if those /24s are filtered but the /16 is allowed after the deny for the /24, would it still summarize the entire /16? If so, what is the easiest way to deny specific /24s of a /16 in a filter?

The reason why I need to do this: routes that I don't want to come through are part of ipsec tunnels on the firewall, so I don't want these other routes to exist at all. On this router I can create more specific routes to the firewall for those networks, and that is what I have done. But the idea is to filter out any unwanted routes to begin with.

Thanks

MHM Cisco World · ‎11-01-2022

can you share the

show access-list ?

I want to see which line is hit and which not hit

for me I always use

prefix-list

not ACL

https://loopedback.com/2017/05/10/eigrp-deep-dive-into-prefix-list-configurations-access-list-vs-prefix-list-using-prefix-lists-to-filter-eigrp-routes-with-distribute-lists/

trilerian1 · ‎11-01-2022


60 deny 172.26.110.0, wildcard bits 0.0.0.255
70 deny 172.26.120.0, wildcard bits 0.0.0.255
90 permit 172.26.0.0, wildcard bits 0.0.255.255 (24 matches)

Looks like it does nothing with those /24s. But, they are also smaller parts of those routes, I wonder if I deny the /20 if it would still show...

MHM Cisco World · ‎11-01-2022

https://ine.com/blog/2008-01-04-using-extended-access-lists-in-a-distribute-list

check this link, I think you need to more modify wildcard 0.0.255.255 <<-

trilerian1 · ‎11-01-2022

Replying to my own post. That did the trick...

60 deny 172.26.96.0, wildcard bits 0.0.15.255 (2 matches)
70 deny 172.26.112.0, wildcard bits 0.0.15.255 (2 matches)

90 permit 172.26.0.0, wildcard bits 0.0.255.255 (20 matches)

MHM Cisco World · ‎11-01-2022

Yes, as I mention before I prefer use

prefix-list,

and if you use distribute access list always check it with

show access-list

to modify it.

good job Friend.

Richard Burts · ‎11-01-2022

I am a bit confused about what is going on here. The

show access list

does not show any hits on the deny /24 statements but does show hits on the deny /16 statement. I do agree that using a

prefix list

might be more effective here and an access list.

HTH

Rick