2777 Views, 5 Helpful, 4 Replies

EIGRP route filtering with ACL & ip summary-address

erick alvarado
Level 1

Hello. Trying to understand EIGRP route filtering. Using the following topology, where R1 has 3 loopbacks and has established an EIGRP neighborship with R2.

[image: eigrp_route_filtering.png]

I want to block R1 from advertising its Lo0 route (10.0.1.0/24) by using a simple ACL and the distribute-list command.

So basically the ACL is:

ip access-list standard DENY_Lo0
 deny   10.0.1.0 0.0.0.255
 permit any

And I then added distribute-list DENY_Lo0 out FastEthernet0/0 to the EIGRP process on R1. Once this is done, Lo0 is now filtered and R2 does not get that update:

R2(config-router)#do sho ip ro ei
     10.0.0.0/24 is subnetted, 2 subnets
D       10.0.2.0 [90/409600] via 192.168.1.1, 00:04:01, FastEthernet0/0
D       10.0.3.0 [90/409600] via 192.168.1.1, 00:04:01, FastEthernet0/0

But now, let's say I want to summarize all the loopback subnets on Fa0/0 from R1. I created the following summary: ip summary-address eigrp 100 10.0.0.0 255.255.252.0

Once I do that, the routing table on R2 changes to the below. I can then ping all loopbacks, which defeats my intended goal:

R2(config-router)#do sho ip ro ei
     10.0.0.0/22 is subnetted, 1 subnets
D       10.0.0.0 [90/409600] via 192.168.1.1, 00:00:09, FastEthernet0/0

What is required to filter out Lo0 while at the same time being able to use the summary-address command? 

Thanks for reading!

4 Replies

Jon Marshall
Hall of Fame

You cannot advertise a summary covering the loopback and then expect not to be able to ping the loopback IP.

You either need to use an ACL on the interface of R1 inbound denying ICMP to that loopback IP or, considering your loopback IPs, change your summary address to 10.0.2.0 255.255.254.0.

Jon

Hi

If you are using summary-address you have to use a leak-map, for example:

ip access-list standard DENY_Lo0
deny   10.0.1.0 0.0.0.255
permit any

route-map FILTER permit 5
match ip address DENY_Lo0

interface fa0/0
ip add 192.168.1.1 255.255.255.0
ip summary-address eigrp 100 10.0.0.0 255.255.252.0 leak-map FILTER

So it will advertise the summary address plus the other prefixes used to build the summary address.

R1 - CONFIGURATION

interface Loopback0
ip address 10.0.1.1 255.255.255.0
!
interface Loopback1
ip address 10.0.2.1 255.255.255.0
!
interface Loopback2
ip address 10.0.3.1 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip summary-address eigrp 100 10.0.0.0 255.255.252.0 5 leak-map FILTER
duplex auto
speed auto

!
router eigrp 100
network 10.0.1.0 0.0.0.255
network 10.0.2.0 0.0.0.255
network 10.0.3.0 0.0.0.255
network 192.168.1.0
no auto-summary
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
access-list 10 deny 10.0.1.0 0.0.0.255
access-list 10 permit any
!
!
!
route-map FILTER permit 10
match ip address 10

R2 - CONFIGURATION

interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
duplex auto
speed auto

!
router eigrp 100
network 0.0.0.0
no auto-summary

R2#SH IP ROUTE
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
D 10.0.2.0/24 [90/409600] via 192.168.1.1, 00:01:37, FastEthernet0/0
D 10.0.3.0/24 [90/409600] via 192.168.1.1, 00:01:37, FastEthernet0/0
D 10.0.0.0/22 [90/409600] via 192.168.1.1, 00:02:54, FastEthernet0/0
C 192.168.1.0/24 is directly connected, FastEthernet0/0
R2#

It will not prevent the ICMP from R2 to loopback 0, because R2 knows loopback 0 through the summary address; it should be removed, and then you can use the distribute-list out.

Hope it is useful

:-)




>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<
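The two answers above describe three different outbound behaviours on R1 (distribute-list alone, summary-address with a leak-map, and a narrower summary that excludes Lo0). The following Python model is an added example, not code from the thread or from Cisco; it reproduces what R2 would receive in each case and then does a longest-prefix match for 10.0.1.1 so you can see why a /22 summary still covers Lo0 while Jon Marshall's 10.0.2.0/23 does not. The function names, the simplified standard-ACL semantics (only the route's network address is tested against each entry's address/wildcard) and the order summary -> leak-map -> distribute-list are assumptions made for the model.

```python
"""Model of EIGRP outbound filtering on R1: summary-address, leak-map, distribute-list."""
from ipaddress import ip_network, ip_address

# R1's loopbacks, as given in the thread.
R1_LOOPBACKS = [
    ip_network("10.0.1.0/24"),  # Lo0, the one the question wants hidden
    ip_network("10.0.2.0/24"),  # Lo1
    ip_network("10.0.3.0/24"),  # Lo2
]

# Standard ACL DENY_Lo0 from the thread: deny 10.0.1.0 0.0.0.255, permit any.
DENY_LO0 = [("deny", ip_network("10.0.1.0/24")), ("permit", ip_network("0.0.0.0/0"))]


def acl_permits(acl, route):
    """Standard-ACL check as used by distribute-list and leak-map (assumed model):
    the route's network address is tested against each entry's address/wildcard
    range, first match wins, implicit deny at the end.  Note that 10.0.0.0 (the
    /22 summary) is NOT inside 10.0.1.0/24, so the summary passes DENY_Lo0."""
    for action, entry in acl:
        if route.network_address in entry:
            return action == "permit"
    return False


def advertised_routes(local, summary=None, leak_acl=None, distribute_acl=None):
    """Return the prefixes R1 sends out the interface (assumed processing order).
    summary:        prefix from 'ip summary-address'; components are suppressed
                    and the summary is sent only if at least one component exists.
    leak_acl:       ACL referenced by the leak-map; matching components are sent
                    alongside the summary.
    distribute_acl: ACL of 'distribute-list ... out', applied last to everything.
    """
    out = []
    if summary is not None:
        if any(r.subnet_of(summary) for r in local):
            out.append(summary)
        for r in local:
            if not r.subnet_of(summary):
                out.append(r)                       # outside the summary: sent as-is
            elif leak_acl is not None and acl_permits(leak_acl, r):
                out.append(r)                       # leaked component
    else:
        out = list(local)
    if distribute_acl is not None:
        out = [r for r in out if acl_permits(distribute_acl, r)]
    return sorted(out, key=lambda n: (n.network_address, n.prefixlen))


def reachable(rib, host):
    """Longest-prefix match on R2's learned routes for a destination host."""
    addr = ip_address(host)
    matches = [r for r in rib if addr in r]
    return max(matches, key=lambda r: r.prefixlen) if matches else None


def scenarios():
    """The thread's configurations side by side; values are strings for easy reading."""
    s22 = ip_network("10.0.0.0/22")  # summary from the question
    s23 = ip_network("10.0.2.0/23")  # Jon Marshall's alternative
    cases = {
        "distribute-list only": advertised_routes(R1_LOOPBACKS, distribute_acl=DENY_LO0),
        "summary /22 + distribute-list": advertised_routes(R1_LOOPBACKS, summary=s22, distribute_acl=DENY_LO0),
        "summary /22 + leak-map": advertised_routes(R1_LOOPBACKS, summary=s22, leak_acl=DENY_LO0),
        "summary /23 + distribute-list": advertised_routes(R1_LOOPBACKS, summary=s23, distribute_acl=DENY_LO0),
    }
    result = {}
    for name, rib in cases.items():
        hit = reachable(rib, "10.0.1.1")
        result[name] = ([str(r) for r in rib], str(hit) if hit else None)
    return result


if __name__ == "__main__":
    for name, (rib, hit) in scenarios().items():
        print(f"{name:32} R2 learns {rib}; 10.0.1.1 via {hit}")
```

Running it shows the two tables from the thread (the /22 summary alone, and the summary plus 10.0.2.0/24 and 10.0.3.0/24 with the leak-map), with 10.0.1.1 still matched by 10.0.0.0/22 in both; only the distribute-list without a covering summary, or the 10.0.2.0/23 summary, leaves 10.0.1.1 with no route on R2.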

Thank you both for the reply. I understand better now options to achieve what I want. 

You are welcome Erick, Have a good day




>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<