09-10-2017 01:04 AM - edited 03-08-2019 11:58 AM
Two routers are connected with each other & I tried to filter the router1 loopback address using a route map with an extended ACL. But still it's not filtering routes, & in case I use a standard ACL it filters the routes.
Below is the config of both routers.
Router 1: loopback address 192.168.1.0/24
Physical IP: 10.1.1.1/8
Protocol: EIGRP
Router 2: Physical IP: 10.1.1.2/8
Protocol: EIGRP
R1# show running-config
Building configuration...
Current configuration : 1219 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Loopback1
ip address 192.168.2.1 255.255.255.0
!
interface FastEthernet0/0
ip address 10.1.1.1 255.0.0.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
router eigrp 1
network 0.0.0.0
auto-summary
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
R1#
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
R2#show running-config
Building configuration...
Current configuration : 1282 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
interface FastEthernet0/0
ip address 10.1.1.2 255.0.0.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
router eigrp 1
network 0.0.0.0
distribute-list route-map gagan in
auto-summary
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
access-list 110 permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
no cdp log mismatch duplex
!
!
!
route-map gagan deny 10
match ip address 110
!
route-map gagan permit 20
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
R2# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C 10.0.0.0/8 is directly connected, FastEthernet0/0
D 192.168.1.0/24 [90/409600] via 10.1.1.1, 00:10:04, FastEthernet0/0
D 192.168.2.0/24 [90/409600] via 10.1.1.1, 00:10:04, FastEthernet0/0
R2#
R2#show route-map
route-map gagan, deny, sequence 10
Match clauses:
ip address (access-lists): 110
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map gagan, permit, sequence 20
Match clauses:
Set clauses:
Policy routing matches: 0 packets, 0 bytes
R2#
09-10-2017 04:47 AM
Hello,
If you want to use an extended access list in your distribute list, the syntax should look like this:
access-list 110 permit ip host 192.168.1.0 host 255.255.255.0
access-list 110 permit ip host 192.168.2.0 host 255.255.255.0
09-10-2017 04:56 AM - edited 09-10-2017 05:19 AM
Hi
This configuration is not commonly used in a distribute list, because a distribute-filter is used to allow or deny networks received or advertised by the routing protocol, in this case EIGRP. For example, if you don't want to receive the IP 1.1.1.1 you can set up:
ROUTER 2
access-list 1 permit host 1.1.1.1
or
ip prefix-list TEST seq 5 permit 1.1.1.1/32
route-map TEST-PBR deny 5
match ip address 1
or
match ip address prefix-list TEST
route-map TEST-PBR permit 100 (empty, to allow the rest of the traffic)
router eigrp 100
distribute-list route-map TEST-PBR in
So the IP 1.1.1.1/32 will not be installed into the routing table of Router 2, and the rest of the networks will not be impacted.
An extended ACL is commonly used if you want to allow or deny access from a source to a destination, and it can be applied under an interface. The following link could be useful:
http://nexp.com.ua/technologies/rns/eigrp-filtering-with-extended-acl/
Hope it is useful
:-)
09-10-2017 10:20 AM
Hi ,
Thanks for replying. My aim is to block the loopback address of router 1 using a distribute list with a route map.
If I use a standard ACL & match that ACL in a route map & apply it in a distribute list it works, I can block the network in router 2, but if I use an extended ACL to block the network it doesn't work in the same route map. In this scenario I want to block 192.168.1.0/24 in router 2, which is coming via EIGRP. It's working if I use a standard ACL but not working if I use an extended ACL.
Please let me know whether extended ACLs work in a route map.
09-10-2017 10:37 AM - edited 09-10-2017 10:44 AM
Hi,
This configuration should accomplish what you want; I tested it and it works.
ROUTER 1
interface Loopback0
ip address 192.168.1.1 255.255.255.255
!
interface Loopback1
ip address 192.168.2.1 255.255.255.255
!
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.252
router eigrp 100
no auto
network 0.0.0.0
ROUTER 2
interface FastEthernet0/0
ip address 10.0.0.2 255.255.255.252
router eigrp 100
no auto
distribute-list route-map TEST in
network 10.1.1.2 0.0.0.0
route-map TEST deny 5
match ip address 100
route-map TEST permit 100
access-list 100 permit ip host 192.168.2.1 host 255.255.255.255
This configuration will allow everything except the IP 192.168.2.1.
:-)
09-10-2017 11:02 AM
Actually, since in your original post your loopbacks were /24s, the access list could even be shorter:
access-list 110 permit ip host 192.168.0.0 host 255.255.252.0
This would block 192.168.1.0/24 and 192.168.2.0/24.
09-10-2017 01:48 PM
Hi Georg,
Actually, since in your original post your loopbacks were /24s. the access list could even be shorter:
access-list 110 permit ip host 192.168.0.0 host 255.255.252.0
This would block 192.168.1.0/24 and 192.168.2.0/24.
I am afraid that this would not work. If an ACL is used in a route-map for a distribute-list to control routing protocol contents, the "destination" part of an ACL entry is used to match the netmask of the route being controlled. However, your "host 255.255.252.0" means that you are looking for a network whose netmask is exactly 255.255.252.0, or /22. But the original poster had a set of four /24s, and those would not be matched by this rule.
What would work would be this:
access-list 110 permit ip 192.168.0.0 0.0.3.0 host 255.255.255.0
Note: This would work because it matches 192.168.0.0, 192.168.1.0, 192.168.2.0, and 192.168.3.0 as the network address, and the exact netmask 255.255.255.0.
Using ACLs to control contents of routing protocol updates is strongly discouraged - as you can see above, ACLs are cumbersome, confusing, counter-intuitive, and are not really well-suited to perform this kind of filtering because they weren't originally designed for this purpose. What's even worse, with extended ACLs, the "destination" part can be used differently: In a route-map, the "destination" matches the netmask, but if used directly in a distribute-list, the "destination" matches the next hop address. Confusing? It certainly is for me.
Whenever possible, I encourage using prefix-lists to perform this kind of filtering. They are built specifically for this purpose, and their syntax is much cleaner; they always allow matching both on network address and netmask, and they are not ambiguous.
The equivalent prefix-list here would be:
ip prefix-list Example permit 192.168.0.0/22 ge 24 le 24
!
route-map gagan deny 10
match ip address prefix-list Example
route-map gagan permit 20
! ... the rest would be unchanged
My two cents...
Best regards,
Peter
09-10-2017 02:54 PM
You are right, I had the syntax wrong...:(
The point was that you can summarize and shorten the access list. Then again, since the original post tried to block 192.168.1.0/24 and 192.168.2.0/24, the summarization would NOT work since it also blocks 192.168.3.0/24...
So better stick with the original access list:
access-list 110 permit ip host 192.168.1.0 host 255.255.255.0
access-list 110 permit ip host 192.168.2.0 host 255.255.255.0
09-11-2017 01:11 AM
Hi Georg,
Thanks for replying. If I apply this access list it works; I can filter the loopback address 192.168.1.0/24, which is at router 1, in router 2. As per my observation I used the below access list & applied it under a distribute list. But if I apply the same access list under a route map it doesn't work. Please guide me as to the reason the same access list is working in the case of a distribute list & is not working in the case of a route-map.
router1#
interface gi0/1
ip add 10.1.1.1 255.0.0.0
no shut
int lo0
ip address 192.168.1.1 255.255.255.0
int lo1
ip address 192.168.2.1 255.255.255.0
router eigrp 1
network 0.0.0.0
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
router 2#
int gi0/0
ip add 10.1.1.2 255.0.0.0
no shut
router eigrp 1
network 0.0.0.0
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Above is the basic config of both routers.
Now I have 2 scenarios.
Purpose: to block loopback0 in router 2 using an extended ACL.
If I use the extended ACL in a distribute list, below is the config that I used.
router2# access-list 100 deny ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
#access-list 100 permit ip any any
router2# router eigrp 1
distribute-list 100 in
If I use this access list, I am unable to see the 192.168.1.0/24 route in router 2. As per my understanding that's correct.
The second scenario is: if I use the same access-list under a route-map to filter the same route, it removes every route from router 1.
Below is the config that I used with the route map to remove the route.
router2# access-list 100 deny ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
#access-list 100 permit ip any any
router eigrp 1
distribute-list route-map test in
route-map test deny 5
match ip address 100
route-map test permit 20
After applying this script, it removed every route of router 1 in router 2. Please guide me as to why it's misbehaving.
Let me make one thing clear: my purpose is to remove 192.168.1.0/24 from the router 2 routing table.
09-11-2017 03:49 AM - edited 09-11-2017 04:16 AM
Hi
The extended ACL syntax is:
access-list <id 100-199> permit/deny <ip/tcp/udp/icmp,etc> <source IP/subnet> <wildcard> <source port/range> <destination IP/subnet> <wildcard> <destination port/range>
Now if you want to block using the extended ACL, the ACL should be:
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
then
route-map test deny 5
match ip address 100
route-map test permit 100
router eigrp 100
distribute-list route-map test in
Please try again and share the results.
:-)
09-11-2017 09:22 PM
Hi Julio,
Tested & I can confirm the route 192.168.1.0/24 has been removed from the routing table. But my concern is different: the same access list is working in the case of a distribute list, but if I apply the same access list in a route map for filtering, then it doesn't work. Is there any difference in that?
access-list 110 permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
10.0.0.0 is the directly connected network & EIGRP is being formed over this network.
If I use the above access list & apply it in a distribute list, I can see the route 192.168.1.0 is being filtered, but if I apply the same ACL in a distribute list along with a route map, it removes all routes from the router 2 routing table.
Please suggest why the same ACL is not working if filtering is being done via a route-map.
09-12-2017 12:47 AM
Hello,
It seems that with a route map, your match options for EIGRP are limited to the below:
"Match options allow EIGRP to filter internal and external routes based on source protocols, to match a metric against a range, and to match on an external protocol metric."
This is an excerpt from the document below:
EIGRP Support for Route Map Filtering
09-12-2017 01:39 AM
My friends,
Once again: An extended ACL receives different input values depending on whether it is used in a distribute-list directly, or whether it is used in a route-map that is subsequently used in a distribute-list.
Consider the following topology:
R1 --- R2
R1 has a loopback 10.255.255.1/32, R2 has a loopback 10.255.255.2/32. They are connected through a network 10.0.12.0/24; R1 is 10.0.12.1/24, R2 is 10.0.12.2.
To demonstrate the value an ACL is going to receive, I will be using an ACL in the following form:
access-list 100 permit ip any any log
The log keyword is going to log the details of the parameters passed to the ACL so that we can exactly see what data have been passed to the ACL for matching.
So consider the following configuration of both routers:
R1:
access-list 100 permit ip any any log
!
interface Lo0
ip address 10.255.255.1 255.255.255.255
!
interface e2/0
ip address 10.0.12.1 255.255.255.0
no shutdown
!
router eigrp 1
network 10.0.0.0
R2:
interface Lo0
ip address 10.255.255.2 255.255.255.255
!
interface e2/1
ip address 10.0.12.2 255.255.255.0
no shutdown
!
router eigrp 1
network 10.0.0.0
R1 has the ACL created but it is not applied yet; it's just ready.
After the adjacency is up, let's see what gets logged if I apply the ACL 100 in the outbound direction on R1:
R1(config)#router eigrp 1
R1(config-router)#distribute-list 100 out e2/0
R1(config-router)#
*Sep 12 10:06:18.723: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.12.2 (Ethernet2/0) is resync: intf route configuration changed
*Sep 12 10:06:18.747: %SEC-6-IPACCESSLOGNP: list 100 permitted 0 0.0.0.0 -> 10.255.255.1, 1 packet
So what values do we have here?
In other words, when the ACL is used in a distribute-list directly in the outbound direction, the "source" part of the ACL entry will always see the value 0.0.0.0, and the "destination" part of the ACL entry will see the actual network IP address of the advertised route. Note that the netmask of this route is not passed to the ACL; in other words, an ACL used directly in a distribute-list cannot be used to match on netmasks of the advertised routes.
Let's now remove the ACL from the outbound direction on R1, and place it into the inbound direction:
R1(config-router)#no distribute-list 100 out e2/0
R1(config-router)#distribute-list 100 in e2/0
R1(config-router)#
*Sep 12 10:12:11.963: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.12.2 (Ethernet2/0) is resync: intf route configuration changed
*Sep 12 10:12:12.063: %SEC-6-IPACCESSLOGNP: list 100 permitted 0 10.0.12.2 -> 10.255.255.2, 1 packet
What do we have here now?
Again, we see the next hop address being passed as the "source IP" to the ACL, and the address of the advertised network being passed as the "destination IP" to the ACL. Again, there is no netmask here; an ACL used directly in a distribute-list cannot be used to match on netmasks of advertised networks.
Let's now change the scenario - stop using the ACL in the distribute-list directly; instead, let's "encapsulate" it into a route-map, and test again in an outbound direction:
R1(config-router)#no distribute-list 100 in e2/0
R1(config-router)#exit
R1(config)#route-map Test permit 10
R1(config-route-map)#match ip address 100
R1(config-route-map)#exit
R1(config)#router eigrp 1
R1(config-router)#distribute-list route-map Test out e2/0
R1(config-router)#
*Sep 12 10:18:36.959: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.12.2 (Ethernet2/0) is resync: intf route configuration changed
*Sep 12 10:18:36.975: %SEC-6-IPACCESSLOGNP: list 100 permitted 0 10.255.255.1 -> 255.255.255.255, 1 packet
What we now see is something quite different:
In other words, when the ACL is used in a route-map, and the route-map is then used in a distribute-list, the parameters passed to the ACL are very different: The address of the network is passed as the "source IP", and the netmask of the network is passed as the "destination IP".
And what about the opposite direction, inbound?
R1(config-router)#no distribute-list route-map Test out e2/0
R1(config-router)#distribute-list route-map Test in e2/0
R1(config-router)#
*Sep 12 10:24:19.879: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.12.2 (Ethernet2/0) is resync: intf route configuration changed
*Sep 12 10:24:33.383: %SEC-6-IPACCESSLOGNP: list 100 permitted 0 10.255.255.2 -> 255.255.255.255, 1 packet
Again, it is:
So to sum up:
This is what makes the behavior different.
Please note that these rules are only valid for IGP protocols; BGP might be different, but I am leaving testing this for BGP to you as an exercise ;) The method of testing would be similar to what you see above. If you test this in a lab, keep in mind that logging messages from ACLs are rate-limited; to flush the ACL logging cache to the log immediately, you may need to enter the clear access-list counters command.
Best regards,
Peter
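To make the explanation above concrete, here is an added Python simulation (my own, not from this thread or from Cisco IOS) that hands an extended ACL the two value pairs Peter's ACL logging revealed, then evaluates the ACLs posted in this thread both directly in an inbound distribute-list and inside the "deny 5 / permit 20" route-map the original poster used. The routes, next hop and ACL contents come from the thread; the function names and the wildcard evaluation are mine, and the route-map and implicit-deny semantics are modelled as the posts describe them.

```python
import ipaddress

# Extended-ACL "any" written as a (base, wildcard) pair.
ANY = ("0.0.0.0", "255.255.255.255")

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = w ^ 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_result(acl, src, dst):
    """Evaluate an extended ACL top-down; anything unmatched hits the implicit deny."""
    for action, (sbase, swild), (dbase, dwild) in acl:
        if wildcard_match(src, sbase, swild) and wildcard_match(dst, dbase, dwild):
            return action
    return "deny"

def acl_inputs(route, next_hop, via_route_map):
    """The (source, destination) pair handed to the ACL, as the 'log' output showed:
    inside a route-map it is (network, netmask); directly in an inbound
    distribute-list it is (next hop, network) and the netmask is never seen."""
    net = ipaddress.IPv4Network(route)
    if via_route_map:
        return str(net.network_address), str(net.netmask)
    return next_hop, str(net.network_address)

def route_accepted(acl, route, next_hop, via_route_map):
    """Does the route survive 'distribute-list ... in' on R2?"""
    verdict = acl_result(acl, *acl_inputs(route, next_hop, via_route_map))
    if via_route_map:
        # route-map X deny 5 / match ip address ACL, then route-map X permit 20:
        # a route the ACL *permits* matches the deny clause and is dropped.
        return verdict == "deny"
    # distribute-list ACL in: a route the ACL permits is accepted.
    return verdict == "permit"

# Constructed from the thread: R1 advertises two /24 loopbacks from 10.1.1.1.
R1_ROUTES = ["192.168.1.0/24", "192.168.2.0/24"]
R1_NEXT_HOP = "10.1.1.1"

# OP's ACL 110 (first post) and ACL 100 (deny 10/8 -> 192.168.1.0/24, then permit any).
ACL_110 = [("permit", ("10.0.0.0", "0.255.255.255"), ("192.168.1.0", "0.0.0.255"))]
ACL_100 = [("deny", ("10.0.0.0", "0.255.255.255"), ("192.168.1.0", "0.0.0.255")),
           ("permit", ANY, ANY)]
# Georg's final ACL: network 192.168.1.0 with the exact netmask 255.255.255.0.
ACL_GEORG = [("permit", ("192.168.1.0", "0.0.0.0"), ("255.255.255.0", "0.0.0.0"))]

def surviving_routes(acl, via_route_map):
    """Routes left in R2's table for a given ACL and filtering method."""
    return [r for r in R1_ROUTES if route_accepted(acl, r, R1_NEXT_HOP, via_route_map)]

if __name__ == "__main__":
    for name, acl in (("ACL 110", ACL_110), ("ACL 100", ACL_100), ("Georg", ACL_GEORG)):
        print(name, "via route-map keeps", surviving_routes(acl, True))
```

Running it reproduces the thread's observations: ACL 100 filters only 192.168.1.0/24 when used directly, wipes every route when wrapped in the deny route-map (its "permit any any" is what the deny clause matches), and ACL 110 filters nothing in the route-map because its source half never sees a 10.0.0.0/8 value.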
09-12-2017 04:49 AM
Well, it took me about 6 hours to grasp the concept, and I am still not sure if I fully get it. Either way, it works when I now configure access list 100 as below:
access-list 100 permit ip host 192.168.1.0 host 255.255.255.0
That blocks the route. It looks nothing like an access list, but Peter, your explanation makes sense, thanks again...