Route map, prefix list, order of commands..

MicJameson1
VIP Alumni

GIVEN: config...

Conf t
ip prefix-list BLOCK-ANYCONNECT-SLASH-32-SUBNETS seq 10 permit 172.16.77.0/24 ge 32
ip prefix-list PERMIT-ANYCONNECT-SLASH-24-SUBNET seq 10 permit 172.16.77.0/24
--
route-map RM-BLOCK-ANYCONNECT-SLASH-32-ROUTES deny 10
match ip prefix-list BLOCK-ANYCONNECT-SLASH-32-SUBNETS

route-map RM-BLOCK-ANYCONNECT-SLASH-32-ROUTES permit 20
match ip prefix-list PERMIT-ANYCONNECT-SLASH-24-SUBNET
--

!! (below final statement is empty to allow all other prefixes) !!

route-map RM-BLOCK-ANYCONNECT-SLASH-32-ROUTES permit 30
--
router eigrp 1
distribute-list route-map RM-BLOCK-ANYCONNECT-SLASH-32-ROUTES out

---------------------

Questions:

1. Will this config accomplish the intent of preventing EIGRP distribution of 172.16.77.0/32 routes, and also permitting and propagating the advertisement of the 172.16.77.0/24 network?

2. Is the red text needed to create the 172.16.77.0/24 advertisement, or can it be ignored?

Thank you.


3 Replies

Giuseppe Larosa
Hall of Fame

Hello @MicJameson1 ,

2) The block is not strictly needed, as the last route-map block would also allow 172.16.77.0/24. You can consider it just a way to make the configuration easier to understand.

1) Yes, the configuration should work. I thought I had suggested that you put the red block first, then the deny block and then the final permit, but your configuration works too.

Hope to help

Giuseppe

Regarding...

route-map RM-BLOCK-ANYCONNECT-SLASH-32-ROUTES permit 20
match ip prefix-list PERMIT-ANYCONNECT-SLASH-24-SUBNET

Is this above config necessary to advertise the subnet via EIGRP? If this wasn't in the route map, would the /24 subnet be advertised?

Is it still necessary to advertise the /24 subnet via...

ASA5525#router eigrp 1
network 172.16.77.0 255.255.255.0

?

Accepted Solution

Hello @MicJameson1 ,

>> Regarding...
>> route-map RM-BLOCK-ANYCONNECT-SLASH-32-ROUTES permit 20
>> match ip prefix-list PERMIT-ANYCONNECT-SLASH-24-SUBNET
>> Is this above config necessary to advertise the subnet via EIGRP?

No, it is not necessary: as I have written before, prefix 172.16.77.0/24 would be permitted by the last route-map block.

>> If this wasn't in the route map, would the /24 subnet be advertised?

Yes, it would still be advertised thanks to the last block, permit 30, with no match statements.

>> Is it still necessary to advertise the /24 subnet via...
>> ASA5525#router eigrp 1
>> network 172.16.77.0 255.255.255.0
>> ?

To answer this question you need to ask yourself whether the ASA is injecting a default route into the EIGRP routing domain: if it is, the specific route for the remote VPN pool is not necessary. If the ASA is not in the path for general internet connectivity, that route is needed, as the default route would point to some other device / path.

Hope to help

Giuseppe
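As an added example (not part of this thread and not Cisco code), the following Python model reproduces the prefix-list and route-map semantics the answers rely on and runs them over the configuration posted in the question: prefix-list `ge`/`le` length ranges, sequential evaluation of route-map clauses, a clause with no `match` matching every prefix, and the implicit deny at the end of a route-map. The sample routing table is constructed for the demonstration. It shows that the host routes are dropped by `deny 10`, that 172.16.77.0/24 is permitted whether or not the `permit 20` clause exists (it simply moves from clause 20 to clause 30), and, as a caveat the thread only implies, that removing the empty `permit 30` would leave everything except the /24 blocked by the implicit deny.

```python
import ipaddress

# Prefix-list entry: (action, prefix, ge, le). None means the keyword was absent.
PREFIX_LISTS = {
    "BLOCK-ANYCONNECT-SLASH-32-SUBNETS": [
        ("permit", "172.16.77.0/24", 32, None),   # seq 10 permit 172.16.77.0/24 ge 32
    ],
    "PERMIT-ANYCONNECT-SLASH-24-SUBNET": [
        ("permit", "172.16.77.0/24", None, None),  # seq 10: exact /24 only
    ],
}

# Route-map clause: (action, sequence, list of prefix-lists in its match statements).
ROUTE_MAP = [
    ("deny", 10, ["BLOCK-ANYCONNECT-SLASH-32-SUBNETS"]),
    ("permit", 20, ["PERMIT-ANYCONNECT-SLASH-24-SUBNET"]),
    ("permit", 30, []),   # no match statement: matches every prefix
]

# Variants used to answer the thread's questions.
ROUTE_MAP_WITHOUT_PERMIT_20 = [c for c in ROUTE_MAP if c[1] != 20]
ROUTE_MAP_WITHOUT_CATCH_ALL = [c for c in ROUTE_MAP if c[1] != 30]


def prefix_list_action(entries, route):
    """First matching entry decides; an unmatched prefix hits the implicit deny.

    Cisco semantics: the route's first L bits must equal the entry prefix A/L,
    and its length must fall in [ge or L, le or (32 if ge is set, else L)].
    """
    net = ipaddress.ip_network(route, strict=False)
    for action, prefix, ge, le in entries:
        base = ipaddress.ip_network(prefix)
        low = ge if ge is not None else base.prefixlen
        high = le if le is not None else (base.max_prefixlen if ge is not None else base.prefixlen)
        if low <= net.prefixlen <= high and net.network_address in base:
            return action
    return "deny"


def route_map_action(route_map, route):
    """Evaluate clauses in sequence order; return (action, seq) of the first hit.

    With an empty match list all() is True, so the clause matches everything.
    Falling off the end is the implicit deny of a route-map.
    """
    for action, seq, match_lists in route_map:
        if all(prefix_list_action(PREFIX_LISTS[name], route) == "permit"
               for name in match_lists):
            return action, seq
    return "deny", None


def advertised(route_map, routes):
    """Prefixes that pass the distribute-list (route-map permit)."""
    return [r for r in routes if route_map_action(route_map, r)[0] == "permit"]


# Constructed sample of what the ASA's EIGRP process might have to advertise.
SAMPLE_ROUTES = [
    "172.16.77.5/32", "172.16.77.200/32",   # AnyConnect per-client host routes
    "172.16.77.0/24",                       # the VPN pool itself
    "10.10.0.0/16", "192.168.1.0/24",       # other internal networks
    "0.0.0.0/0",                            # default route
]

if __name__ == "__main__":
    for label, rm in (("as posted", ROUTE_MAP),
                      ("without permit 20", ROUTE_MAP_WITHOUT_PERMIT_20),
                      ("without permit 30", ROUTE_MAP_WITHOUT_CATCH_ALL)):
        print(f"{label}: {advertised(rm, SAMPLE_ROUTES)}")
        for r in SAMPLE_ROUTES:
            print(f"  {r:18} -> {route_map_action(rm, r)}")
```

The model covers only `match ip address prefix-list` clauses; on real IOS/ASA a clause with several match types ANDs them, and `ge` must be larger than the entry's own length, which the code does not validate.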