EIGRP Route-Map Filtering

EIGRP supports filtering with access-lists and prefix-lists but you can also use route-maps. In this lesson I’ll show you how to use a route-map to filter in- and outbound route advertisements. We will use the following topology for this:

r1 r2 multiple loopbacks

We only need two routers for this demonstration. R1 has some networks that it will advertise to R2 through EIGRP. Here’s what the routing table of R2 looks like:

R2#show ip route eigrp is subnetted, 1 subnets
D [90/409600] via, 00:00:45, FastEthernet0/0 is variably subnetted, 4 subnets, 4 masks
D [90/409600] via, 00:00:14, FastEthernet0/0
D [90/409600] via, 00:00:08, FastEthernet0/0
D [90/409600] via, 00:00:14, FastEthernet0/0
D [90/409600] via, 00:00:13, FastEthernet0/0
D [90/409600] via, 00:00:13, FastEthernet0/0

Above you see that R2 has learned all networks behind R1. Let’s start with something simple…let’s say we want to configure R1 so that /24 won’t be advertised to R2. Here’s how we do this:

R1(config)#router eigrp 1
R1(config-router)#distribute-list ?
  <1-199>      IP access list number
  <1300-2699>  IP expanded access list number
  WORD         Access-list name
  gateway      Filtering incoming updates based on gateway
  prefix       Filter prefixes in routing updates
  route-map    Filter prefixes based on the route-map

We have to use the distribute-list command under the EIGRP process but as you can see it supports a route-map. Let’s use that and give it a name:

R1(config-router)#distribute-list route-map FILTER_OUT ?
  in   Filter incoming routing updates
  out  Filter outgoing routing updates

I’ll call my route-map “FILTER_OUT” and we will choose outgoing updates:

R1(config-router)#distribute-list route-map FILTER_OUT out

Now we can create the route-map:

R1(config)#route-map FILTER_OUT ?      
  <0-65535>  Sequence to insert to/delete from existing route-map entry
  deny       Route map denies set operations
  permit     Route map permits set operations

We will start with a deny statement:

R1(config)#route-map FILTER_OUT deny 10

The route-map will require a match statement. There are a lot of things you can select for the match statement:

R1(config-route-map)#match ?
  as-path           Match BGP AS path list
  clns              CLNS information
  community         Match BGP community list
  extcommunity      Match BGP/VPN extended community list
  interface         Match first hop interface of route
  ip                IP specific information
  ipv6              IPv6 specific information
  length            Packet length
  local-preference  Local preference for route
  metric            Match metric of route
  mpls-label        Match routes which have MPLS labels
  nlri              BGP NLRI type
  policy-list       Match IP policy list
  route-type        Match route-type of route
  source-protocol   Match source-protocol of route
  tag               Match tag of route

Not all of these options are possible when you use the route-map for filtering. Let’s start with a simple example, let’s look at the IP options:

R1(config-route-map)#match ip address ?
  <1-199>      IP access-list number
  <1300-2699>  IP access-list number (expanded range)
  WORD         IP access-list name
  prefix-list  Match entries of prefix-lists

Here we can use an access-list or prefix-list. Let’s try the access-list:

R1(config-route-map)#match ip address NET_192

Don’t forget to create the actual access-list:

R1(config)#ip access-list standard NET_192

The route-map is almost complete. We have a deny statement that matches everything in our access-list. There’s one problem though, our route-map doesn’t have any permit statements. If we don’t add one then everything will be blocked. Let’s add it:

R1(config)#route-map FILTER_OUT permit 20

This permit statement doesn’t require any matches. Let me show you an overview of our configuration so far:

R1#show running-config | section eigrp
router eigrp 1
 distribute-list route-map FILTER_OUT out FastEthernet0/0
 no auto-summary
R1#show route-map 
route-map FILTER_OUT, deny, sequence 10
  Match clauses:
    ip address (access-lists): NET_192 
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map FILTER_OUT, permit, sequence 20
  Match clauses:
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes

Above you can see that the route-map is attached to the distribute-list command in EIGRP. Our route-map will deny everything that matches our access-list while everything else is permitted. Let’s take a look at R2 to see if this works:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
  • Full Access to our 662 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

519 Sign Ups in the last 30 days

100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: ,

Forum Replies

  1. Hi Rene, I have a question regarding recusive routing and the filtering of routing interfaces.
    I have a network similar to the one shown in the EIGRP Route-MAP Filtering lesson. The difference I have in my network is that the Tunnel areas has two ASAs so that if the primary route fails routing information can be sent over a tunnel to the remote site via the internet. Routing on this network is provided bt EIGRP. Currently when the primary route fails the link that goes over the internet goes into recursive routing and fails.

    interface Tunnel0
     ip address 192.1
    ... Continue reading in our forum

  2. Hi @Robhorseman101,

    The EIGRP route-map filtering lesson only has two routers with a single link so I think you had something else in mind? :smile:

    In your config, I see the tunnel interfaces of your routers:

    interface Tunnel0
     ip address
     tunnel source GigabitEthernet2/0.40
     tunnel destination


    interface Tunnel0
     ip address
     tunnel source GigabitEthernet2/0.40
     tunnel destination

    Not sure on which router you get the recursive routing error but for example, if it’s the first one th

    ... Continue reading in our forum

  3. Hi Rene,

    I had a question on the Design and efficiency portion here.

    We can place access-list on “in” or “out” I looked up the following which says standard access list should be placed near destination.

    Standard Access Control List (ACL) filters the traffic based on source IP address. Therefore a Standard Access Control List (ACL) must be placed on the router which is near to the destination network/host where it is denied. If we place the Standard Access Control List (ACL) near to source of the traffic, there is a chance for denial or other legitimate tr

    ... Continue reading in our forum

  4. Hello Brian

    For access lists it is true that standard should be placed as near to the destination as possible since you are ONLY matching the destination and extended access lists as close as possible to

    ... Continue reading in our forum

  5. Thanks for answering.

    So it seems to me that Best Practice here is just a starting point. Once you get enough knowledge you can be even more efficient depending on the specific design and setup. That was what I was really getting at. I am starting to understand it so my thinking once I have the basic grasp is not held down by specific rules because rules are for the most part general in nature.

    I just wanted to ask and confirm that before hand because while what I just stated is logical and common sense if your not careful and don’t ask questions there may b

    ... Continue reading in our forum

14 more replies! Ask a question or join the discussion by visiting our Community Forum