eigrp access-list question

mpozorski
Level 4

I have been trying to figure out something with one of our access-lists and have a question that I'm hoping someone can help me out with. If I create an access list like this:

ip access-list standard ROUTED_NETWORKS
 permit 10.10.70.0
 permit 10.10.17.0
 permit 10.10.7.0
 permit 10.10.5.0
 permit 10.10.2.0
 permit 10.10.14.0
 permit 10.10.15.0
 permit 10.10.12.0
 permit 10.10.48.0
 permit 10.10.34.0

As the access list does not have any wildcard associated with it would that only include the /24 networks as listed or would the router look to see that there is a static route defined for say the 10.10.48.0/20 network?  I know that the wildcard is optional with an access-list but cannot find anything that would indicate that it would or would not only include the network listed.

Basically on our router we have a default route to our firewall along with some other static routes for networks that live behind other L3 equipment. We have a static route pointing 10.10.48.0/20 to an internal firewall. When I try to access devices within that /20 from the WAN, the traffic comes in to our router that the static route is defined on but is still sent to our firewall before going back to our router and then on to the internal firewall. When I run a traceroute on the router it takes the correct path, so it seems that the issue is only present when coming in via the WAN.

If anybody can point me to some documentation about this, I would greatly appreciate it.


Richard Burts
Hall of Fame

The default mask in a standard access list is an exact match. So I would expect that the router would look for an exact match to 10.10.48.0 and not look at the mask of the subnet.

If you want to filter on both the subnet and mask it is better to use a prefix list rather than an access list.

You do not tell us how the access list is applied, and that makes it impossible for us to say much helpful about your symptoms. If you can tell us how the access list is applied and how the routing is set up, then perhaps we can help explain what is going on. If the router routes differently for locally generated packets than it does for packets received on the WAN, then I would wonder if there is some Policy Based Routing or some VRF or something like that configured.

HTH

Rick


Thanks Rick. The access-list is only defined to limit what we send to the WAN via EIGRP. Here is the statement from the EIGRP process:

router eigrp 65082
 redistribute connected metric 200000 20 255 10 1500 route-map connected-eigrp
 redistribute static route-map static-eigrp
 network 10.10.0.253 0.0.0.0
 network 10.10.1.253 0.0.0.0
 network 10.10.2.253 0.0.0.0
 network 10.10.4.253 0.0.0.0
 network 10.10.6.253 0.0.0.0
 network 10.0.0.0
 auto-summary
 eigrp log-neighbor-warnings

This is the route-map:

route-map static-eigrp permit 10
 match ip address ROUTED_NETWORKS

This is the other prefix list, although I just realized while looking at this that there is no route-map defined for it:

ip prefix-list connected-eigrp seq 5 permit 10.10.0.0/19
ip prefix-list connected-eigrp seq 10 permit 10.10.32.0/19
ip prefix-list connected-eigrp seq 15 permit 10.10.65.0/24
ip prefix-list connected-eigrp seq 20 permit 10.10.66.0/23
ip prefix-list connected-eigrp seq 25 permit 10.10.68.0/22

I don't see any policy based routing going on so I don't believe that to be the issue.

Thanks again for your input, and let me know if you need any further clarification.
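To make Rick's point concrete for the configuration posted in this thread, here is a small Python model, added as an example and not code from the thread or from Cisco, of how a redistribution route-map's "match ip address" evaluates a candidate route against a standard ACL versus an IP prefix-list. The ROUTED_NETWORKS and connected-eigrp contents are the ones posted above; the function names and the STATIC_PREFIXES list (a prefix-list that would pin 10.10.48.0 to the /20 static route only) are my own assumptions.

```python
from ipaddress import IPv4Address, IPv4Network

ALL_ONES = 0xFFFFFFFF


def acl_matches(acl, route):
    """Standard-ACL semantics (model): the route's network address is compared
    against each entry's address under the entry's wildcard. A missing wildcard
    is 0.0.0.0, so every bit must match. The route's own mask is never consulted,
    and an implicit deny follows the last entry."""
    route = IPv4Network(route)
    addr = int(route.network_address)
    for action, entry_addr, wildcard in acl:
        care = ~int(IPv4Address(wildcard)) & ALL_ONES  # bits that must match
        if (addr & care) == (int(IPv4Address(entry_addr)) & care):
            return action == "permit"
    return False


def prefix_list_matches(plist, route):
    """Prefix-list semantics (model): the route must lie inside the entry's prefix
    AND its length must be acceptable: exactly the entry's length unless ge/le
    widen the range (ge alone runs up to /32, le alone starts at the entry's length)."""
    route = IPv4Network(route)
    for action, prefix, ge, le in plist:
        p = IPv4Network(prefix)
        lo = ge if ge is not None else p.prefixlen
        hi = le if le is not None else (32 if ge is not None else p.prefixlen)
        inside = (route.prefixlen >= p.prefixlen
                  and route.supernet(new_prefix=p.prefixlen) == p)
        if inside and lo <= route.prefixlen <= hi:
            return action == "permit"
    return False


# From the thread: the standard ACL referenced by route-map static-eigrp (no wildcards).
ROUTED_NETWORKS = [("permit", a, "0.0.0.0") for a in (
    "10.10.70.0", "10.10.17.0", "10.10.7.0", "10.10.5.0", "10.10.2.0",
    "10.10.14.0", "10.10.15.0", "10.10.12.0", "10.10.48.0", "10.10.34.0")]

# From the thread: prefix-list connected-eigrp (no ge/le on any entry).
CONNECTED_EIGRP = [
    ("permit", "10.10.0.0/19", None, None),
    ("permit", "10.10.32.0/19", None, None),
    ("permit", "10.10.65.0/24", None, None),
    ("permit", "10.10.66.0/23", None, None),
    ("permit", "10.10.68.0/22", None, None),
]

# Hypothetical prefix-list (assumption) that matches only the /20 static route.
STATIC_PREFIXES = [("permit", "10.10.48.0/20", None, None)]


def evaluate(route):
    """Return (ROUTED_NETWORKS acl, connected-eigrp prefix-list, STATIC_PREFIXES)
    match results for one candidate route given as 'a.b.c.d/len'."""
    return (acl_matches(ROUTED_NETWORKS, route),
            prefix_list_matches(CONNECTED_EIGRP, route),
            prefix_list_matches(STATIC_PREFIXES, route))


if __name__ == "__main__":
    for r in ("10.10.48.0/20", "10.10.48.0/24", "10.10.48.128/25",
              "10.10.5.0/24", "10.10.0.0/19"):
        print(r, evaluate(r))
```

Running it shows the two behaviours side by side: `permit 10.10.48.0` in the ACL matches both a 10.10.48.0/20 and a 10.10.48.0/24 route (same address, mask ignored) but not 10.10.48.128/25, whereas the prefix-list entry 10.10.48.0/20 matches only the /20. It also shows why the posted connected-eigrp list would not match a connected /24 such as 10.10.5.0/24: `permit 10.10.0.0/19` without `le 24` accepts only a /19, so a longer prefix needs an explicit `le`.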