EIGRP supports filtering with access-lists and prefix-lists but you can also use route-maps. In this lesson I’ll show you how to use a route-map to filter in- and outbound route advertisements. We will use the following topology for this:
We only need two routers for this demonstration. R1 has some networks that it will advertise to R2 through EIGRP. Here’s what the routing table of R2 looks like:
R2#show ip route eigrp
1.0.0.0/24 is subnetted, 1 subnets
D 1.1.1.0 [90/409600] via 192.168.12.1, 00:00:45, FastEthernet0/0
172.16.0.0/16 is variably subnetted, 4 subnets, 4 masks
D 172.16.0.0/24 [90/409600] via 192.168.12.1, 00:00:14, FastEthernet0/0
D 172.16.1.0/25 [90/409600] via 192.168.12.1, 00:00:08, FastEthernet0/0
D 172.16.2.0/26 [90/409600] via 192.168.12.1, 00:00:14, FastEthernet0/0
D 172.16.3.0/27 [90/409600] via 192.168.12.1, 00:00:13, FastEthernet0/0
D 192.168.1.0/24 [90/409600] via 192.168.12.1, 00:00:13, FastEthernet0/0
Above you see that R2 has learned all networks behind R1. Let’s start with something simple: say we want to configure R1 so that 192.168.1.0/24 won’t be advertised to R2. Here’s how we do this:
R1(config)#router eigrp 1
R1(config-router)#distribute-list ?
<1-199> IP access list number
<1300-2699> IP expanded access list number
WORD Access-list name
gateway Filtering incoming updates based on gateway
prefix Filter prefixes in routing updates
route-map Filter prefixes based on the route-map
We have to use the distribute-list command under the EIGRP process but as you can see it supports a route-map. Let’s use that and give it a name:
R1(config-router)#distribute-list route-map FILTER_OUT ?
in Filter incoming routing updates
out Filter outgoing routing updates
I’ll call my route-map “FILTER_OUT” and we will choose outgoing updates:
R1(config-router)#distribute-list route-map FILTER_OUT out
Now we can create the route-map:
R1(config)#route-map FILTER_OUT ?
<0-65535> Sequence to insert to/delete from existing route-map entry
deny Route map denies set operations
permit Route map permits set operations
<cr>
We will start with a deny statement:
R1(config)#route-map FILTER_OUT deny 10
The route-map will require a match statement. There are a lot of things you can select for the match statement:
R1(config-route-map)#match ?
as-path Match BGP AS path list
clns CLNS information
community Match BGP community list
extcommunity Match BGP/VPN extended community list
interface Match first hop interface of route
ip IP specific information
ipv6 IPv6 specific information
length Packet length
local-preference Local preference for route
metric Match metric of route
mpls-label Match routes which have MPLS labels
nlri BGP NLRI type
policy-list Match IP policy list
route-type Match route-type of route
source-protocol Match source-protocol of route
tag Match tag of route
Not all of these options are possible when you use the route-map for filtering. Let’s start with a simple example and look at the IP options:
R1(config-route-map)#match ip address ?
<1-199> IP access-list number
<1300-2699> IP access-list number (expanded range)
WORD IP access-list name
prefix-list Match entries of prefix-lists
<cr>
Here we can use an access-list or prefix-list. Let’s try the access-list:
R1(config-route-map)#match ip address NET_192
Don’t forget to create the actual access-list:
R1(config)#ip access-list standard NET_192
R1(config-std-nacl)#permit 192.168.1.0 0.0.0.255
The route-map is almost complete. We have a deny statement that matches everything in our access-list. There’s one problem though: our route-map doesn’t have any permit statements. A route-map ends with an implicit deny, so if we don’t add a permit statement, everything will be blocked. Let’s add it:
R1(config)#route-map FILTER_OUT permit 20
R1(config-route-map)#exit
This permit statement doesn’t require any matches. Let me show you an overview of our configuration so far:
R1#show running-config | section eigrp
router eigrp 1
network 0.0.0.0
distribute-list route-map FILTER_OUT out FastEthernet0/0
no auto-summary
R1#show route-map
route-map FILTER_OUT, deny, sequence 10
Match clauses:
ip address (access-lists): NET_192
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map FILTER_OUT, permit, sequence 20
Match clauses:
Set clauses:
Policy routing matches: 0 packets, 0 bytes
Above you can see that the route-map is attached to the distribute-list command in EIGRP. Our route-map will deny everything that matches our access-list while everything else is permitted. Let’s take a look at R2 to see if this works:
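The route-map logic configured above, modelled in Python as an added example (not part of the original lesson and not output from R1 or R2). It goes slightly beyond the lesson by also evaluating 192.168.1.128/25, a constructed route, to show that a standard access-list in a distribute-list compares only the network address, so longer prefixes inside 192.168.1.0/24 are filtered as well. The function and variable names are illustrative.

```python
import ipaddress

# Routes R1 advertises, taken from R2's routing table in the lesson.
ROUTES = ["1.1.1.0/24", "172.16.0.0/24", "172.16.1.0/25",
          "172.16.2.0/26", "172.16.3.0/27", "192.168.1.0/24"]

# ip access-list standard NET_192 -> permit 192.168.1.0 0.0.0.255
NET_192 = [("permit", "192.168.1.0", "0.0.0.255")]

def acl_permits(acl, prefix):
    """Standard ACL used for route filtering: only the network address is
    compared against address/wildcard; the prefix length is not checked."""
    addr = int(ipaddress.ip_network(prefix).network_address)
    for action, base, wildcard in acl:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if addr & care == int(ipaddress.ip_address(base)) & care:
            return action == "permit"
    return False  # implicit deny at the end of every access-list

def route_map_permits(entries, prefix):
    """Walk entries in sequence order; the first entry whose match clause
    hits decides. An entry with no match clause (acl=None) matches all."""
    for _seq, action, acl in sorted(entries, key=lambda e: e[0]):
        if acl is None or acl_permits(acl, prefix):
            return action == "permit"
    return False  # implicit deny at the end of every route-map

def advertised(entries, routes):
    """Return the routes that survive the outbound distribute-list."""
    return [r for r in routes if route_map_permits(entries, r)]

FILTER_OUT = [(10, "deny", NET_192), (20, "permit", None)]
DENY_ONLY = [(10, "deny", NET_192)]  # the route-map before "permit 20" is added

if __name__ == "__main__":
    print("FILTER_OUT :", advertised(FILTER_OUT, ROUTES))
    print("deny only  :", advertised(DENY_ONLY, ROUTES))
    # Constructed route, not in the lesson: a longer prefix inside 192.168.1.0/24
    print("192.168.1.128/25 advertised:",
          route_map_permits(FILTER_OUT, "192.168.1.128/25"))
```

When the filter must hit exactly 192.168.1.0/24 and nothing longer, a prefix-list match is the usual choice because it also compares the prefix length.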
Hi George,
Sure, here’s an example. We have a router that has learned some EIGRP routes on different interfaces:
Derek,
Route-Maps are the Swiss Army knife of Cisco. You can use them for all kinds of things in many different ways depending on the situation. With EIGRP, access-lists, prefix-lists, and route-maps are all options of a distribute-list. In other words, the “distribute-list” keyword is entered first, then you can choose which option you want after. Check out the available options below:
Mounir,
You are right that your NET_192 access list would match 192.168.1.0/24 and not match anything else (because of an implicit “deny” at the end of an access-list).
Now, in order for a prefix-list to do the same thing, you must also use the prefix-list with something else, say a route-map. A prefix-list by itself will only match or not match a particular network prefix–it won’t perform an action such as permit or deny.
Let’s start by writing the prefix list that will match only 192.168.1.0/24, since you are asking about this:
(config)#ip prefix-list PL_MAT
Hi, I have been working very peripherally on Cisco for a few years but signed up and love your explanations. I am working through this lesson but am surprised there is not more of an “intro” to route maps somewhere on the site; it seems there is a bit of assumed knowledge in this lesson…
Thank you Laz! It was helpful. I will lab myself some examples and will let you know if there is a doubt.