
I was doing the EIGRP challenge lab in the Lab Portfolio today and I came across something that had not been covered in either the BSCI Exam Cert Guide or the Lab Portfolio itself.

The requirements stated that a particular route should not be advertised out of a particular router. At first I was thinking that I could do something with access lists and network commands, excluding the particular network from routing updates, but I got to thinking how convoluted that would be in a real network, and that there had to be a better way.

So, I went searching the cisco docs and found part of the solution. I had to use something called a distribute-list. The docs referenced using it with an access-list. I thought there had to be a better way still, so I went to my IE Workbook Volume 1 and searched for distribute-list. Sure enough, I found it used in conjunction with something called a prefix list, which wasn't mentioned in the cisco docs as an option (but was in the inline help).

So here's how it actually works. The prefix-list basically tells the distribute list which networks can and can't be advertised. It uses matching in the same way that access lists do. Each entry has a sequence number, and it proceeds from 1->X in order. Once a match is made, it no longer tries to match against any other entries in your prefix list. When used in conjunction with a distribute-list, anything that isn't matched is denied.

Here's the scenario: R2 receives EIGRP updates from R3. R3 has a series of loopbacks configured, and we want R2 to prevent the network on R3's loopback 3 from being advertised out.

R2 config:

router eigrp 1
network 172.16.0.0
no auto-summary
neighbor 172.16.12.1 Serial0/0

R3 config:

interface Loopback0
ip address 172.16.3.1 255.255.255.224
!
interface Loopback1
ip address 172.16.3.33 255.255.255.224
!
interface Loopback2
ip address 172.16.3.65 255.255.255.224
!
interface Loopback3
ip address 172.16.3.97 255.255.255.224

router eigrp 1
network 172.16.0.0
no auto-summary

Now what we want to do is filter the 172.16.3.64/27 network from being advertised out of R2. Ok, no sweat. On R2:

ip prefix-list permitOut seq 5 deny 172.16.3.64/27
ip prefix-list permitOut seq 10 permit 172.16.0.0/16

router eigrp 1
distribute-list prefix permitOut out

On R1 (which is connected to R2), show ip route:

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

172.16.0.0/24 is subnetted, 2 subnets
C       172.16.12.0 is directly connected, Serial0/0
C       172.16.1.0 is directly connected, Loopback0

So what happened? I just wanted to block 172.16.3.64/27 from being advertised, not all EIGRP routes.

There are two things you have to understand about the behavior of distribute lists. The first is that it’s not enough to deny a particular route and expect the rest of your routes to be advertised. You need a permit statement to follow your deny that will explicitly allow all the other routes. The problem with my permit statement is that the ip prefix-list command doesn’t match in the same way that routing protocol network commands do. Matching against 172.16.0.0/16 will ONLY match against a network with the /16 prefix. Consequently, when the router checks 172.16.3.96/27 or 172.16.4.0/25 against 172.16.0.0/16, it will not find a match, and those routes won’t be advertised because there is an implicit deny at the end of the prefix-list. Instead you have to permit all other prefixes. You could do this in a couple of ways:

  1. ip prefix-list permitOut seq 10 permit 172.16.0.0/16 ge 17
  2. ip prefix-list permitOut seq 10 permit 0.0.0.0/0 le 32

Either of these will work for our requirements in this lab. #2 is probably better in general because it avoids the situation where networks added in the future, outside 172.16.0.0/16, wouldn't get advertised.
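To make the matching rules above concrete, here is an added Python emulation of prefix-list evaluation (my own illustration, not code from this post or from Cisco IOS). It implements the exact-length, ge/le, first-match and implicit-deny behaviour described above and runs the original permitOut list plus both fixes against the routes R1 ends up learning, plus one constructed network, 192.168.50.0/24, that sits outside 172.16.0.0/16.

```python
from ipaddress import ip_network

# Routes from the post's final R1 routing table, plus one constructed
# "future" network (192.168.50.0/24) that is not inside 172.16.0.0/16.
ROUTES = ["172.16.34.0/24", "172.16.3.32/27", "172.16.23.0/24",
          "172.16.4.0/25", "172.16.2.0/24", "172.16.3.0/27",
          "172.16.3.64/27", "172.16.3.96/27", "192.168.50.0/24"]

FIRST_TRY = ["ip prefix-list permitOut seq 5 deny 172.16.3.64/27",
             "ip prefix-list permitOut seq 10 permit 172.16.0.0/16"]
OPTION_1 = ["ip prefix-list permitOut seq 5 deny 172.16.3.64/27",
            "ip prefix-list permitOut seq 10 permit 172.16.0.0/16 ge 17"]
OPTION_2 = ["ip prefix-list permitOut seq 5 deny 172.16.3.64/27",
            "ip prefix-list permitOut seq 10 permit 0.0.0.0/0 le 32"]


def parse_entry(line):
    """Turn 'ip prefix-list NAME seq N permit|deny PFX [ge A] [le B]' into
    (seq, action, network, min_len, max_len)."""
    tok = line.split()
    i = tok.index("seq")
    seq, action, net = int(tok[i + 1]), tok[i + 2], ip_network(tok[i + 3])
    # No ge/le: only the entry's own length matches. ge without le: up to /32.
    # le without ge: from the entry's own length up to le.
    lo = int(tok[tok.index("ge") + 1]) if "ge" in tok else net.prefixlen
    if "le" in tok:
        hi = int(tok[tok.index("le") + 1])
    else:
        hi = 32 if "ge" in tok else net.prefixlen
    return seq, action, net, lo, hi


def evaluate(prefix_list, route):
    """Lowest sequence number that matches wins; no match is an implicit deny."""
    r = ip_network(route)
    entries = sorted((parse_entry(l) for l in prefix_list), key=lambda e: e[0])
    for _seq, action, net, lo, hi in entries:
        if r.subnet_of(net) and lo <= r.prefixlen <= hi:
            return action
    return "deny"


def advertised(prefix_list, routes=ROUTES):
    """Routes that survive 'distribute-list prefix permitOut out'."""
    return [r for r in routes if evaluate(prefix_list, r) == "permit"]


if __name__ == "__main__":
    for name, pl in (("first try", FIRST_TRY), ("option 1", OPTION_1),
                     ("option 2", OPTION_2)):
        print(f"{name}: {advertised(pl)}")
```

The first list advertises nothing, option 1 drops 172.16.3.64/27 but also the constructed 192.168.50.0/24, and option 2 drops only 172.16.3.64/27.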

Now if I do show ip route on R1 again:

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

172.16.0.0/16 is variably subnetted, 9 subnets, 3 masks
D       172.16.34.0/24 [90/41536000] via 172.16.12.2, 00:00:05, Serial0/0
D       172.16.3.32/27 [90/41152000] via 172.16.12.2, 00:00:05, Serial0/0
D       172.16.23.0/24 [90/41024000] via 172.16.12.2, 00:00:05, Serial0/0
C       172.16.12.0/24 is directly connected, Serial0/0
D       172.16.4.0/25 [90/41664000] via 172.16.12.2, 00:00:05, Serial0/0
C       172.16.1.0/24 is directly connected, Loopback0
D       172.16.2.0/24 [90/20640000] via 172.16.12.2, 00:00:05, Serial0/0
D       172.16.3.0/27 [90/41152000] via 172.16.12.2, 00:00:05, Serial0/0
D       172.16.3.96/27 [90/41152000] via 172.16.12.2, 00:00:05, Serial0/0

The 172.16.3.64/27 route is no longer present.

So the final config on R2 is:

ip prefix-list permitOut seq 5 deny 172.16.3.64/27
ip prefix-list permitOut seq 10 permit 0.0.0.0/0 le 32

router eigrp 1
network 172.16.0.0
distribute-list prefix permitOut out
no auto-summary
neighbor 172.16.12.1 Serial0/0
