Hi ,

Thanks for replying.My aim is to block looback address of router 1 using distribute list under route map.

If I use standard ACL & match that acl in route map & apply in distribute list it works ,i can block network in router 2 but if i use extended acl to block the network it doesn't work in same route map.In this scenario i want to block 192.168.1.0/24 in router 2 which is coming via eigrp.its working if I use standard acl but not working if i use extended acl.

Please let me know do ectended acl works on rohte map.

Hi,

This configuration should accomplish what you want, I tested it and it works

ROUTER 1

interface Loopback0
ip address 192.168.1.1 255.255.255.255
!
interface Loopback1
ip address 192.168.2.1 255.255.255.255
!
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.252

router eigrp 100

no auto
network 0.0.0.0
 

ROUTER 2

interface FastEthernet0/0
ip address 10.0.0.2 255.255.255.252

router eigrp 100

no auto

distribute-list route-map TEST in
network 10.1.1.2 0.0.0.0

route-map TEST deny 5
match ip address 100

route-map TEST permit 100

access-list 100 permit ip host 192.168.2.1 host 255.255.255.255

This configuration will allow everything except the IP 192.168.2.1

:-)

Actually, since in your original post your loopbacks were /24s. the access list could even be shorter:

access-list 110 permit ip host 192.168.0.0 host 255.255.252.0

This would block 192.168.1.0/24 and 192.168.2.0/24.

Hi Georg,

Actually, since in your original post your loopbacks were /24s. the access list could even be shorter:

access-list 110 permit ip host 192.168.0.0 host 255.255.252.0

This would block 192.168.1.0/24 and 192.168.2.0/24.

I am afraid that this would not work. If an ACL is used in a route-map for distribute-list to control routing protocol contents, the "destination" part of an ACL entry is used to match the netmask of the route being controlled. However, your "host 255.255.252.0" means that you are looking for a network whose netmask is exactly 255.255.255.252, or /22. But the original poster had a set of four /24s, and that one would not be matched by this rule.

What would work would be this:

access-list 110 permit ip 192.168.0.0 0.0.3.0 host 255.255.255.0

Note: This would work because it matches 192.168.0.0, 192.168.1.0, 192.168.2.0, and 192.168.3.0 as the network address, and the exact netmask 255.255.255.0.

Using ACLs to control contents of routing protocol updates is strongly discouraged - as you can see above, ACLs are cumbersome, confusing, counter-intuitive, and are not really well-suited to perform this kind of filtering because they weren't originally designed for this purpose. What's even worse, with extended ACLs, the "destination" part can be used differently: In a route-map, the "destination" matches the netmask, but if used directly in a distribute-list, the "destination" matches the next hop address. Confusing? It certainly is for me.

Whenever possible, I encourage using prefix-lists to perform this kind of filtering. They are built specifically for this purpose, and their syntax is much cleaner; they always allow matching both on network address and netmask, and they are not ambiguous.

The equivalent prefix-list here would be:

ip prefix-list Example permit 192.168.0.0/22 ge 24 le 24
!
route-map gagan deny 10
  match ip address prefix-list Example
route-map gagan permit 20
! ... the rest would be unchanged

My two cents...

Best regards,
Peter

You are right, I had the syntax wrong...:(

The point was that you can summarize and shorten the access list. Then again, since the original post tried to block 192.168.1.0/24 and 192.168.2.0/24, the summarization would NOT work since it also blocks 192.168.3.0/24...

So better stick with the original access list:

access-list 110 permit ip host 192.168.1.0 host 255.255.255.0
access-list 110 permit ip host 192.168.2.0 host 255.255.255.0

HI Georg,

Thanks for replying.If i apply this access list it works,I can filter loopback address 192.168.1.0/24 which is at router 1 in router 2.As per my observation i used below access list & applied under distribute list.But if I apply same access list under route map it doesn't work.Please guide me what is the reason same access list is working in case of distribute list & same is not working in case of route-map.

router1#

interface gi0/1

ip add 10.1.1.1 255.0.0.0

no shut

int lo0

ip address 192.168.1.1/24

nt lo1

ip address 192.168.2.1/24

router eigrp 1

network 0.0.0.0

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

router 2#

int gi0/0

ip add 10.1.1.2 255.0.0.0

no shut

router eigrp 1

network 0.0.0.0

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

upper is the basic config of both routers.

Now i have 2 scenarios.

Purpose:-To block loopback0 in router 2 using extended acl.

If i use extended acl in distribute list.below is config. that i used.

router2# access-list 100 deny ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255

           #access-list 100 permit ip any any

router2# router eigrp 1

              distribute list 100 in

If I use this access list I can see i am unable to see 192.168.1.0/24 route in router 2.As per my understanding its correct.

second scenario is if I use same access-list under route-map to filter the same route , remove every route from router 1.

Below is the config. that I used in case of route map to remove route.

router2# access-list 100 deny ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255

           #access-list 100 permit ip any any

             router eigrp 1

             distribute list route-map test in

             route-map test deny 5

             match ip address 100

             route-map test permit 20

After applying this script,it removed every route of router 1 in router 2.Please guide me why its misbehaving.

Let me clear one thing my purpose is to remove 192.168.1.0/24 in router 2 routing table.

Hi

The extended ACL sintax is:

access-list <id 100-199> permit/deny <ip/tcp/udp/icmp,etc> <source IP/subnet> <wildcard> <source port/range> <destination IP/subnet> <wildcard> <destination port/range>

Now if you want to block using the extended ACL, the ACL should be:

access-list 100 permit ip 192.168.1.0 0.0.0.255 any

then

route-map test deny 5

match ip address 100

route-map test permit 100

router eigrp 100

distribute-list route-map test in

Please try again and share the results

:-)

Hi Julio,

Tested & i can confirm route 192.168.1.0/24 have been removed from routing table.But my concern is different.same access list is working inca se of distribute list , but if i apply same access list in route map for filtering , then it doesn't work.Is there any differance in that.

access-list 110 permit ip 10.0.0.0 0.255.255.255 192.1681.0 0.0.0.255
10.0.0.0 is the directly connected network & eigrp is being formed between this network.

If i use above access list & apply in distribute list , i can see route 192.168.1.0 is being filtered, but If i apply same acl in distribute list along with route map , it remove all routes in router 2 rouing table.

Request you please suggest me why same acl is not working if filtering is being done via route-map.

Hello,

it seems that with a route map, your match options for EIGRP are limited to the below:

"Match options allow EIGRP to filter internal and external routes based on source protocols, to match a metric against a range, and to match on an external protocol metric."

This is an excerpt from the document below:

EIGRP Support for Route Map Filtering

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_eigrp/configuration/xe-3s/ire-xe-3s-book/eigrp-route-map.html

My friends,

Once again: An extended ACL receives different input values depending on whether it is used in a distribute-list directly, or whether it is used in a route-map that is subsequently used in a distribute-list.

Consider the following topology:

R1 --- R2

R1 has a loopback 10.255.255.1/32, R2 has a loopback 10.255.255.2/32. They are connected through a network 10.0.12.0/24; R1 is 10.0.12.1/24, R2 is 10.0.12.2.

To demonstrate the value an ACL is going receive, I will be using an ACL in the following form:

access-list 100 permit ip any any log

The log keyword is going to log the details of the parameters passed to the ACL so that we can exactly see what data have been passed to the ACL for matching.

So consider the following configuration of both routers:

R1:
access-list 100 permit ip any any log
!
interface Lo0
  ip address 10.255.255.1 255.255.255.255
!
interface e2/0
  ip address 10.0.12.1 255.255.255.0
  no shutdown
!
router eigrp 1
  network 10.0.0.0

R2:
interface Lo0
  ip address 10.255.255.2 255.255.255.255
!
interface e2/1
  ip address 10.0.12.2 255.255.255.0
  no shutdown
!
router eigrp 1
  network 10.0.0.0

R1 has the ACL created but it is not applied yet; it's just ready.

After the adjacency is up, let's see what gets logged if I apply the ACL 100 in the outbound direction on R1:

R1(config)#router eigrp 1
R1(config-router)#distribute-list 100 out e2/0
R1(config-router)#
*Sep 12 10:06:18.723: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.12.2 (Ethernet2/0) is resync: intf route configuration changed
*Sep 12 10:06:18.747: %SEC-6-IPACCESSLOGNP: list 100 permitted 0 0.0.0.0 -> 10.255.255.1, 1 packet  

So what values do we have here?

• 0 stands for IP protocol; this will always be 0 for ACLs used in routing policies
• 0.0.0.0 is the next hop address; for outbound advertised routes, this will always be 0.0.0.0
• 10.255.255.1 is the network address being advertised to R2
  

In other words, when the ACL is used in a distribute-list directly in the outbound direction, the "source" part of the ACL entry will always see the value 0.0.0.0, and the "destination" part of the ACL entry will see the actual network IP address of the advertised route. Note that the netmask of this route is not passed to the ACL; in other words, an ACL used directly in a distribute-list cannot be used to match on netmasks of the advertised routes.

Let's now remove the ACL from the outbound direction on R1, and place it into the inbound direction:

R1(config-router)#no distribute-list 100 out e2/0
R1(config-router)#distribute-list 100 in e2/0   
R1(config-router)#
*Sep 12 10:12:11.963: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.12.2 (Ethernet2/0) is resync: intf route configuration changed
*Sep 12 10:12:12.063: %SEC-6-IPACCESSLOGNP: list 100 permitted 0 10.0.12.2 -> 10.255.255.2, 1 packet  

What do we have here now?

• 0 is the IP protocol; again, it is always going to be 0
• 10.0.12.2 is the advertising router's address, in this case, R2; thus, it is a potential next hop IP
• 10.255.255.2 is the network advertised by R2

Again, we see the next hop address being passed as the "source IP" to the ACL, and the address of the advertised network being passed as the "destination IP" to the ACL. Again, there is no netmask here; an ACL used directly in a distribute-list cannot be used to match on netmasks of advertised networks.

Let's now change the scenario - stop using the ACL in the distribute-list directly; instead, let's "encapsulate" it into a route-map, and test again in an outbound direction:

R1(config-router)#no distribute-list 100 in e2/0
R1(config-router)#exit
R1(config)#route-map Test permit 10
R1(config-route-map)#match ip address 100
R1(config-route-map)#exit
R1(config)#router eigrp 1
R1(config-router)#distribute-list route-map Test out e2/0
R1(config-router)#
*Sep 12 10:18:36.959: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.12.2 (Ethernet2/0) is resync: intf route configuration changed
*Sep 12 10:18:36.975: %SEC-6-IPACCESSLOGNP: list 100 permitted 0 10.255.255.1 -> 255.255.255.255, 1 packet  

What we now see is something quite different:

• 0 is the IP protocol; it will always be 0 for this kind of ACL use
• 10.255.255.1 is the address of the advertised network
• 255.255.255.255 is the netmask of the advertised network

In other words, when the ACL is used in a route-map, and the route-map is then used in a distribute-list, the parameters passed to the ACL are very different: The address of the network is passed as the "source IP", and the netmask of the network is passed as the "destination IP".

And what about the opposite direction, inbound?

R1(config-router)#no distribute-list route-map Test out e2/0   
R1(config-router)#distribute-list route-map Test in e2/0   
R1(config-router)#
*Sep 12 10:24:19.879: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.12.2 (Ethernet2/0) is resync: intf route configuration changed
*Sep 12 10:24:33.383: %SEC-6-IPACCESSLOGNP: list 100 permitted 0 10.255.255.2 -> 255.255.255.255, 1 packet  

Again, it is:

• 0 as the IP protocol
• 10.255.255.2 as the address of the learned network
• 255.255.255.255 as the netmask of the learned network

So to sum up:

• If the ACL is used directly in a distribute-list, then:
  • Protocol = 0 (matches "ip")
  • Source = advertising router's address; will be 0.0.0.0 for outbound routes, and the IP address of the advertising router for inbound routes (potential next-hop IP)
  • Destination = address of the advertised network
• If the ACL is used in a route-map which is then used in a distribute-list, then:
  • Protocol = 0
  • Source = address of the advertised network
  • Destination = netmask of the advertised network

This is what makes the behavior different.

Please note that these rules are only valid for IGP protocols; BGP might be different, but to test this for BGP, I am leaving this to you as an exercise ;) The method of testing would similar to what you see above. If you test this in a lab, keep in mind that logging messages from ACLs are rate-limited; to flush the ACL logging cache to the log immediately, you may need to enter the clear access-list counters command.

Best regards,
Peter

Well, it took me about 6 hours to grasp the concept, and I am still not sure if I fully get it. Either way, it works when I now configure access list 100 as below:

access-list 100 permit ip host 192.168.1.0 host 255.255.255.0

That blocks the route. It looks nothing like an access list, but Peter, your explanation makes sense, thank again...