03-09-2017 01:45 PM - edited 03-08-2019 09:41 AM
Hello. Trying to understand EIGRP route filtering. Using the following topology, where R1 has 3 loopbacks and has established an EIGRP neighborship with R2.
I want to block R1 from advertising its Lo0 route (10.0.1.0/24) by using a simple ACL and the distribute-list command.
So basically the ACL is:
ip access-list standard DENY_Lo0
deny 10.0.1.0 0.0.0.255
permit any
And I then added distribute-list DENY_Lo0 out FastEthernet0/0 to the EIGRP process on R1. Once this is done, Lo0 is now filtered and R2 does not get that update:
R2(config-router)#do sho ip ro ei
10.0.0.0/24 is subnetted, 2 subnets
D 10.0.2.0 [90/409600] via 192.168.1.1, 00:04:01, FastEthernet0/0
D 10.0.3.0 [90/409600] via 192.168.1.1, 00:04:01, FastEthernet0/0
But now, let's say I want to summarize all the loopback subnets on Fa0/0 from R1. I created the following summary: ip summary-address eigrp 100 10.0.0.0 255.255.252.0
Once I do that, the routing table on R2 changes to the below. I can then ping all loopbacks which beats my intended goal:
R2(config-router)#do sho ip ro ei
10.0.0.0/22 is subnetted, 1 subnets
D 10.0.0.0 [90/409600] via 192.168.1.1, 00:00:09, FastEthernet0/0
What is required to filter out Lo0 while at the same time being able to use the summary-address command?
Thanks for reading!
03-09-2017 01:56 PM
You cannot advertise a summary covering the loopback and then expect not to be able to ping the loopback IP.
You either need to use an ACL inbound on the interface of R1 denying ICMP to that loopback IP or, considering your loopback IPs, change your summary address to 10.0.2.0 255.255.254.0.
Jon
03-09-2017 02:07 PM
Hi
If you are using a summary address, you have to use a leak-map, for example:
ip access-list standard DENY_Lo0
deny 10.0.1.0 0.0.0.255
permit any
route-map FILTER permit 5
match ip address DENY_Lo0
interface fa0/0
ip add 192.168.1.1 255.255.255.0
ip summary-address eigrp 100 10.0.0.0 255.255.252.0 leak-map FILTER
So it will advertise the summary address + the other prefixes used to build the summary address.
R1 - CONFIGURATION
interface Loopback0
ip address 10.0.1.1 255.255.255.0
!
interface Loopback1
ip address 10.0.2.1 255.255.255.0
!
interface Loopback2
ip address 10.0.3.1 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip summary-address eigrp 100 10.0.0.0 255.255.252.0 5 leak-map FILTER
duplex auto
speed auto
!
router eigrp 100
network 10.0.1.0 0.0.0.255
network 10.0.2.0 0.0.0.255
network 10.0.3.0 0.0.0.255
network 192.168.1.0
no auto-summary
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
access-list 10 deny 10.0.1.0 0.0.0.255
access-list 10 permit any
!
!
!
route-map FILTER permit 10
match ip address 10
R2 - CONFIGURATION
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
duplex auto
speed auto
!
router eigrp 100
network 0.0.0.0
no auto-summary
R2#SH IP ROUTE
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
D 10.0.2.0/24 [90/409600] via 192.168.1.1, 00:01:37, FastEthernet0/0
D 10.0.3.0/24 [90/409600] via 192.168.1.1, 00:01:37, FastEthernet0/0
D 10.0.0.0/22 [90/409600] via 192.168.1.1, 00:02:54, FastEthernet0/0
C 192.168.1.0/24 is directly connected, FastEthernet0/0
R2#
It will not prevent ICMP from R2 to Loopback 0, because it knows Loopback 0 through the summary address. It should be removed, and then you can use the distribute-list out.
Hope it is useful
:-)
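The behaviour described in the two answers above, as an added example that is not part of any post in this thread: a simplified Python model of which prefixes R2 learns under each option, and which route (if any) still carries traffic to 10.0.1.1. The function names and the model itself are assumptions of this example; it also assumes the DENY_Lo0 ACL stays applied (as the distribute-list or the leak-map match) in every case.

```python
import ipaddress as ip

# Prefixes and addresses taken from the thread's topology.
LOOPBACKS = [ip.ip_network(n) for n in ("10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24")]
LO0_NET = ip.ip_network("10.0.1.0/24")
LO0_HOST = ip.ip_address("10.0.1.1")

def acl_permits(net):
    """DENY_Lo0 from the thread: deny 10.0.1.0 0.0.0.255, permit any."""
    return net != LO0_NET

def r2_learns(summary=None, leak_map=False):
    """Simplified model (an assumption of this example) of what R1 sends out Fa0/0."""
    summary = ip.ip_network(summary) if summary else None
    routes = set()
    for net in LOOPBACKS:
        covered = summary is not None and net.subnet_of(summary)
        if covered and not leak_map:
            continue                      # component suppressed by the summary
        if acl_permits(net):              # distribute-list out, or leak-map match
            routes.add(net)
    if summary is not None and any(n.subnet_of(summary) for n in LOOPBACKS):
        routes.add(summary)               # summary is sent while a component exists
    return routes

def best_route(routes, addr):
    """Longest-prefix match, as R2's forwarding lookup would do."""
    matches = [r for r in routes if addr in r]
    return max(matches, key=lambda r: r.prefixlen, default=None)

def lo0_reachable_via(summary=None, leak_map=False):
    """Route R2 would use towards 10.0.1.1, or None if it has no route."""
    route = best_route(r2_learns(summary, leak_map), LO0_HOST)
    return str(route) if route else None

if __name__ == "__main__":
    cases = [
        ("distribute-list only", None, False),
        ("/22 summary", "10.0.0.0/22", False),
        ("/22 summary + leak-map", "10.0.0.0/22", True),
        ("10.0.2.0/23 summary", "10.0.2.0/23", False),
    ]
    for label, summary, leak in cases:
        learned = sorted(str(r) for r in r2_learns(summary, leak))
        print(f"{label:24} learns {learned} -> Lo0 via {lo0_reachable_via(summary, leak)}")
```

Any advertised prefix that covers 10.0.1.1 keeps Lo0 reachable from R2, so route filtering only hides the /24; blocking the traffic itself is the job of the interface ACL mentioned in the first answer.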
03-10-2017 12:56 PM
Thank you both for the reply. I now better understand the options to achieve what I want.
03-10-2017 02:26 PM
You are welcome, Erick. Have a good day.