EIGRP supports filtering with access-lists and prefix-lists but you can also use route-maps. In this lesson I’ll show you how to use a route-map to filter in- and outbound route advertisements. We will use the following topology for this:
We only need two routers for this demonstration. R1 has some networks that it will advertise to R2 through EIGRP. Here’s what the routing table of R2 looks like:
R2#show ip route eigrp
1.0.0.0/24 is subnetted, 1 subnets
D 1.1.1.0 [90/409600] via 192.168.12.1, 00:00:45, FastEthernet0/0
172.16.0.0/16 is variably subnetted, 4 subnets, 4 masks
D 172.16.0.0/24 [90/409600] via 192.168.12.1, 00:00:14, FastEthernet0/0
D 172.16.1.0/25 [90/409600] via 192.168.12.1, 00:00:08, FastEthernet0/0
D 172.16.2.0/26 [90/409600] via 192.168.12.1, 00:00:14, FastEthernet0/0
D 172.16.3.0/27 [90/409600] via 192.168.12.1, 00:00:13, FastEthernet0/0
D 192.168.1.0/24 [90/409600] via 192.168.12.1, 00:00:13, FastEthernet0/0Above you see that R2 has learned all networks behind R1. Let’s start with something simple…let’s say we want to configure R1 so that 192.168.1.0 /24 won’t be advertised to R2. Here’s how we do this:
R1(config)#router eigrp 1
R1(config-router)#distribute-list ?
<1-199> IP access list number
<1300-2699> IP expanded access list number
WORD Access-list name
gateway Filtering incoming updates based on gateway
prefix Filter prefixes in routing updates
route-map Filter prefixes based on the route-mapWe have to use the distribute-list command under the EIGRP process but as you can see it supports a route-map. Let’s use that and give it a name:
R1(config-router)#distribute-list route-map FILTER_OUT ?
in Filter incoming routing updates
out Filter outgoing routing updatesI’ll call my route-map “FILTER_OUT” and we will choose outgoing updates:
R1(config-router)#distribute-list route-map FILTER_OUT outNow we can create the route-map:
R1(config)#route-map FILTER_OUT ?
<0-65535> Sequence to insert to/delete from existing route-map entry
deny Route map denies set operations
permit Route map permits set operations
<cr>We will start with a deny statement:
R1(config)#route-map FILTER_OUT deny 10The route-map will require a match statement. There are a lot of things you can select for the match statement:
R1(config-route-map)#match ?
as-path Match BGP AS path list
clns CLNS information
community Match BGP community list
extcommunity Match BGP/VPN extended community list
interface Match first hop interface of route
ip IP specific information
ipv6 IPv6 specific information
length Packet length
local-preference Local preference for route
metric Match metric of route
mpls-label Match routes which have MPLS labels
nlri BGP NLRI type
policy-list Match IP policy list
route-type Match route-type of route
source-protocol Match source-protocol of route
tag Match tag of routeNot all of these options are possible when you use the route-map for filtering. Let’s start with a simple example, let’s look at the IP options:
R1(config-route-map)#match ip address ?
<1-199> IP access-list number
<1300-2699> IP access-list number (expanded range)
WORD IP access-list name
prefix-list Match entries of prefix-lists
<cr>Here we can use an access-list or prefix-list. Let’s try the access-list:
R1(config-route-map)#match ip address NET_192Don’t forget to create the actual access-list:
R1(config)#ip access-list standard NET_192
R1(config-std-nacl)#permit 192.168.1.0 0.0.0.255The route-map is almost complete. We have a deny statement that matches everything in our access-list. There’s one problem though, our route-map doesn’t have any permit statements. If we don’t add one then everything will be blocked. Let’s add it:
R1(config)#route-map FILTER_OUT permit 20
R1(config-route-map)#exitThis permit statement doesn’t require any matches. Let me show you an overview of our configuration so far:
R1#show running-config | section eigrp
router eigrp 1
network 0.0.0.0
distribute-list route-map FILTER_OUT out FastEthernet0/0
no auto-summaryR1#show route-map
route-map FILTER_OUT, deny, sequence 10
Match clauses:
ip address (access-lists): NET_192
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map FILTER_OUT, permit, sequence 20
Match clauses:
Set clauses:
Policy routing matches: 0 packets, 0 bytesAbove you can see that the route-map is attached to the distribute-list command in EIGRP. Our route-map will deny everything that matches our access-list while everything else is permitted. Let’s take a look at R2 to see if this works:
Hi George,
Sure, here’s an example. We have a router that has learned some EIGRP routes on different interfaces:
... Continue reading in our forumDerek,
... Continue reading in our forumRoute-Maps are the swiss-army knife of Cisco. You can use them for all kinds of things in many different ways depending on the situation. With EIGRP, access-lists, prefix-lists, and route-maps are all options of a distribute-list. In other words, the “distribute-list” keyword is entered first, then you can choose which option you want after. Check out the available options below:
Mounir,
You are right that your NET_192 access list would match 192.168.1.0/24 and not match anything else (because of an implicit “deny” at the end of an access-list).
Now, in order for a prefix-list to do the same thing, you must also use the prefix-list with something else, say a route-map. A prefix-list by itself will only match or not match a particular network prefix–it won’t perform an action such as permit or deny.
Let’s start by writing the prefix list that will match only 192.168.1.0/24, since you are asking about this:
... Continue reading in our forum(config)#ip prefix-list PL_MATHi have been working very peripherally on cisco for a few years but signed up and love your explanations. I am working through this lesson but am surprised there is not more of an “intro” to route maps somewhere on the site, seems there is a bit of assumed knowledge on this lesson…
ok I’m in over my head…
in seq 20 why is there an ge 26 when trying to limit prefix to smaller then 26? I’ll reread in the morning hopefully it will make sense then…