12-13-2008 06:23 PM - edited 03-04-2019 12:41 AM
I have a Telco MPLS CE router connected to my C4506 (L3) interface. I can see on my C4506 many unwanted routes distributed by the Telco through this interface. Most of them are public IP addresses (they use them for loopback IPs). To avoid any routing problems in the future I want to stop distributing these IP addresses to my network. I built "access-list standard DENY_TELCO_LOOPBACK" and then I applied this list under EIGRP using "distribute-list DENY_TELCO_LOOPBACK in".
It didn't stop these routes from being distributed at all. What am I doing wrong? Is there any better way of doing this?
12-15-2008 08:54 AM
Zbigniew
There is a slight difference in syntax when the distribute list will be using a prefix list instead of a more normal access list. I suggest that you change this:
distribute-list RM-FILTER-TELUS-LOOPS in GigabitEthernet6/32
to this:
distribute-list prefix RM-FILTER-TELUS-LOOPS in GigabitEthernet6/32
Try it and let us know if it works better.
HTH
Rick
12-15-2008 10:22 AM
Hello Rick, Zbigniew
to reference the route-map you need
distribute-list route-map rm-filter-telco-loops in gi6/32
The route-map keyword has to be specified, or the router will look for a named ACL with the name rm-filter-telco-loops, which of course does not exist, and no route filtering action occurs.
I'm sorry I didn't see this before
ge 32 means only prefixes with len >= 32; that is not what you want. Keep le 32, which will match whatever prefix len (/29, /30, /27) within the IP address block.
OR, if the distribute-list supports it, refer directly to the prefix-list as Rick has suggested.
Hope to help
Giuseppe
12-13-2008 07:03 PM
zbigniew
I believe that you are going in the right direction. A distribute list under EIGRP using a standard access list is typically the best way to prevent certain routes from being accepted into EIGRP. Perhaps there is some small issue with syntax or something that is preventing it from working as you want it to. Perhaps you could post the specifics from the config and we might be able to identify the issue.
HTH
Rick
12-13-2008 08:18 PM
Thank you for your reply
Here is a part of the config and some of the unwanted routes which I want to filter:
ip access-list standard DENY_TELUS_LOOPBACK
deny 10.52.0.67
deny 154.11.18.0
deny 206.75.127.0
permit any
router eigrp 100
redistribute static
passive-interface default
no passive-interface Vlan100
no passive-interface GigabitEthernet6/32
no passive-interface GigabitEthernet6/47
network 10.0.0.0
distribute-list DENY_TELCO_LOOPBACK out GigabitEthernet6/32 ****
distribute-list DENY_TELCO_LOOPBACK in GigabitEthernet6/32
distribute-list 93 out GigabitEthernet6/47
distribute-list DENY_TELCO_LOOPBACK out ****
distribute-list DENY_TELCO_LOOPBACK in
**** I put "in" and "out" just in case. I think I should use "distribute-list DENY_TELCO_LOOPBACK in GigabitEthernet6/32" only
---------------------------------------------
D EX 206.75.127.248/29
[170/256512] via 10.80.6.6, 00:01:45, GigabitEthernet6/32
D EX 206.75.127.240/29
[170/256512] via 10.80.6.6, 00:01:45, GigabitEthernet6/32
D EX 206.75.127.232/29
[170/256512] via 10.80.6.6, 00:01:45, GigabitEthernet6/32
12-13-2008 10:44 PM
Is it a typo?
The access-list is named "DENY_TELUS_LOOPBACK"
and in the eigrp config, the access-list called is "DENY_TELCO_LOOPBACK".....
Hope to help
12-13-2008 10:59 PM
It is actually not a typo. For the purposes of this conversation I wanted to change the name of the access-list before posting it here, but I changed only one name and not the second one.
In my config both names are DENY_TELUS_LOOPBACK
12-14-2008 01:39 AM
- Can you post the output of show ip eigrp topology here?
- Are you seeing any hits on the access-list?
Hope to help
12-17-2008 05:35 AM
Thank you very much for help
12-14-2008 04:05 AM
Hello Zbigniew,
a standard ACL, when applied for filtering routes, works only on exact matches.
So it would require a long list with one line for each unwanted subnet.
If you have a lot of /29s within an IP address block you should use a prefix-list or an IP extended ACL.
I think the prefix-list is easier to use, and I'll give you an example:
ip prefix-list filter-telco-loops deny 206.75.127.0/24 le 32
a line like this denies any possible subnet of block 206.75.127.0/24
You need the equivalent of permit ip any any:
ip prefix-list filter-telco-loops permit 0.0.0.0/0 le 32
Then you apply it by adding the prefix-list in a route map:
route-map rm-filter-telco-loops permit 10
match ip address prefix-list filter-telco-loops
the route-map can be invoked by the distribute list command
router eigrp 100
distribute-list route-map rm-filter-telco-loops in gi6/32
see
http://www.cisco.com/en/US/docs/ios/iproute/command/reference/irp_pi1.html#wp1018093
This should fix your issue. Add statements before the final permit to deny all other unwanted IP blocks
Hope to help
Giuseppe
12-14-2008 10:29 AM
Thank you very much for the advice. I will try your solution. I think you are right, because I can see hits in the access-list if the access-list is very specific. For example:
if I have deny 10.52.113.117 then I see hits, but when I have deny 154.11.18.0 then there are no hits at all.
Thanks again
12-14-2008 05:45 PM
zbigniew
Giuseppe is giving you good advice. From the perspective of the access list (and distribute list) there must be an exact match between what is stated in the access list and the prefix that is being advertised. I can see from your perspective that you would like to identify an address block and to deny all subnets contained within it. The tool that can do that is prefix lists, as Giuseppe has suggested.
This is why the access list and distribute list that you have configured are not working as you want. If you change the configuration and use prefix lists it should accomplish what you want.
HTH
Rick
12-14-2008 09:24 PM
I did what Giuseppe suggested:
router eigrp 100
redistribute static
passive-interface default
no passive-interface Vlan100
no passive-interface GigabitEthernet6/32
no passive-interface GigabitEthernet6/47
network 10.0.0.0
distribute-list RM-FILTER-TELUS-LOOPS in GigabitEthernet6/32
ip prefix-list FILTER-TELUS-LOOPS seq 5 deny 206.75.127.0/24 le 32
ip prefix-list FILTER-TELUS-LOOPS seq 10 permit 0.0.0.0/0 le 32
route-map RM-FILTER-TELUS-LOOPS permit 10
match ip address prefix-list FILTER-TELUS-LOOPS
but I still see routes to network 206.75.127.0/24
I replied to Giuseppe as well
Regards
12-14-2008 11:58 PM
Hello Zbigniew,
two suggestions:
a) the command could be given without providing an interface:
distribute-list RM-FILTER-TELUS-LOOPS in
b) after making a change you may need to use commands like clear ip route * or
clear ip eigrp 100 neighbor
and then later see if you achieved the desired results.
Also you can check if the prefix-list has matched with
show ip prefix-list FILTER-TELUS-LOOPS
If no matches appear for the deny statement we need to consider another solution.
If you like you can post
sh ip route | inc 206.75.127.
Hope to help
Giuseppe
12-14-2008 09:21 PM
I did what you suggested:
router eigrp 100
redistribute static
passive-interface default
no passive-interface Vlan100
no passive-interface GigabitEthernet6/32
no passive-interface GigabitEthernet6/47
network 10.0.0.0
distribute-list RM-FILTER-TELUS-LOOPS in GigabitEthernet6/32
ip prefix-list FILTER-TELUS-LOOPS seq 5 deny 206.75.127.0/24 le 32
ip prefix-list FILTER-TELUS-LOOPS seq 10 permit 0.0.0.0/0 le 32
route-map RM-FILTER-TELUS-LOOPS permit 10
match ip address prefix-list FILTER-TELUS-LOOPS
I still see routes 206.75.127.0/24
Did I miss something?
Regards
12-14-2008 10:25 PM
Either you can make an access-list to exactly match 206.75.127.232/29, 206.75.127.240/29, 206.75.127.248/29....
or
make your prefix-list as:
ip prefix-list FILTER-TELUS-LOOPS seq 5 deny 206.75.126.0/23 ge 32
ip prefix-list FILTER-TELUS-LOOPS seq 10 permit 0.0.0.0/0 ge 32
It will work..
Hope to Help
12-15-2008 05:56 AM
Should it be "le 32" as suggested by Giuseppe or "ge 32" as you suggested? Giuseppe specified 206.75.126.0/24 and you specified 206.75.126.0/23.
I tried both and it still doesn't filter this route.
Regards
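The two matching rules the thread turns on, a standard ACL comparing only the route's network address exactly and a prefix-list range of lengths selected by le/ge, modelled in Python as an added example (not from the thread or from IOS itself). The function names acl_permits and prefix_list_permits are my own, and the route list is constructed from the /29s posted earlier plus two extra prefixes.

```python
import ipaddress

# Constructed sample routes: the three /29s seen from the Telco in the thread,
# the covering /24 itself, and one unrelated prefix that must keep flowing.
ROUTES = ["206.75.127.248/29", "206.75.127.240/29", "206.75.127.232/29",
          "206.75.127.0/24", "10.80.6.0/30"]

def acl_permits(route, acl):
    """Standard ACL as a distribute-list: only the route's network address is
    compared against each (action, address, wildcard) entry; first match wins,
    and no match means the implicit deny at the end of every ACL."""
    net = ipaddress.ip_network(route, strict=False)
    for action, addr, wildcard in acl:
        mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
        if int(net.network_address) & mask == int(ipaddress.ip_address(addr)) & mask:
            return action == "permit"
    return False

def prefix_list_permits(route, plist):
    """ip prefix-list semantics: the route must lie inside the entry's prefix and
    its length must fall in [ge, le]. No keyword: length must equal the entry's
    length; only le: [entry len, le]; only ge: [ge, 32]. Implicit deny at end."""
    net = ipaddress.ip_network(route, strict=False)
    for action, prefix, ge, le in plist:
        entry = ipaddress.ip_network(prefix)
        lo = ge if ge is not None else entry.prefixlen
        hi = le if le is not None else (32 if ge is not None else entry.prefixlen)
        if net.subnet_of(entry) and lo <= net.prefixlen <= hi:
            return action == "permit"
    return False

def accepted(routes, permits, policy):
    """Routes that survive the inbound filter, in the order they were offered."""
    return [r for r in routes if permits(r, policy)]

# The original poster's standard ACL: "deny 206.75.127.0" then "permit any".
ACL = [("deny", "206.75.127.0", "0.0.0.0"),
       ("permit", "0.0.0.0", "255.255.255.255")]
# Giuseppe's prefix-list: "le 32" catches every subnet of the /24.
PLIST_LE = [("deny", "206.75.127.0/24", None, 32),
            ("permit", "0.0.0.0/0", None, 32)]
# The later "ge 32" suggestion: only /32 host routes match either entry,
# so every other prefix hits the implicit deny and nothing is accepted.
PLIST_GE = [("deny", "206.75.126.0/23", 32, None),
            ("permit", "0.0.0.0/0", 32, None)]

if __name__ == "__main__":
    print("standard ACL  :", accepted(ROUTES, acl_permits, ACL))
    print("le 32 list    :", accepted(ROUTES, prefix_list_permits, PLIST_LE))
    print("ge 32 list    :", accepted(ROUTES, prefix_list_permits, PLIST_GE))
```

Only the /24 itself is caught by the standard ACL, which is why the /29s kept appearing and the ACL counters showed no hits; the le 32 list drops all four 206.75.127.x prefixes while the ge 32 variant silently drops everything.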