EIGRP - unwanted routes

amarula115
Level 1
Level 1

I have a Telco MPLS CE router connected to my C4506 (L3) interface. I can see on my C4506 many unwanted routes distributed by the Telco through this interface. Most of them are public IP addresses (they use them for loopback IPs). To avoid any routing problems in the future I want to stop distributing these IP addresses to my network. I built "ip access-list standard DENY_TELCO_LOOPBACK" and then I applied this list under EIGRP using "distribute-list DENY_TELCO_LOOPBACK in".

It didn't stop these routes from being distributed at all. What am I doing wrong? Is there any better way of doing this?

2 Accepted Solutions

Zbigniew

There is a slight difference in syntax when the distribute list will be using a prefix list instead of a more normal access list. I suggest that you change this:

distribute-list RM-FILTER-TELUS-LOOPS in GigabitEthernet6/32

to this:

distribute-list prefix RM-FILTER-TELUS-LOOPS in GigabitEthernet6/32

try it and let us know if it works better.

HTH

Rick


Hello Rick, Zbigniew

to reference the route-map you need

distribute-list route-map rm-filter-telco-loops in gi6/32

the route-map keyword has to be specified, or the router will look for a named ACL with the name rm-filter-telco-loops, which of course does not exist, and no route filtering action occurs.

I'm sorry I didn't see this before.

ge 32 means only prefixes with len >= 32, which is not what you want. Keep le 32, which will match whatever prefix len (/29, /30, /27) within the IP address block.

OR, if the distribute-list supports it, refer directly to the prefix-list as Rick has suggested.

Hope to help

Giuseppe

19 Replies

Richard Burts
Hall of Fame
Hall of Fame

zbigniew

I believe that you are going in the right direction. A distribute list under EIGRP using a standard access list is typically the best way to prevent certain routes from being accepted into EIGRP. Perhaps there is some small issue with syntax or something that is preventing it from working as you want it to. Perhaps you could post the specifics from the config and we might be able to identify the issue.

HTH

Rick


Thank you for your reply

Here is a part of the config and some of the unwanted routes which I want to filter:

ip access-list standard DENY_TELUS_LOOPBACK
 deny 10.52.0.67
 deny 154.11.18.0
 deny 206.75.127.0
 permit any

router eigrp 100
 redistribute static
 passive-interface default
 no passive-interface Vlan100
 no passive-interface GigabitEthernet6/32
 no passive-interface GigabitEthernet6/47
 network 10.0.0.0
 distribute-list DENY_TELCO_LOOPBACK out GigabitEthernet6/32 ****
 distribute-list DENY_TELCO_LOOPBACK in GigabitEthernet6/32
 distribute-list 93 out GigabitEthernet6/47
 distribute-list DENY_TELCO_LOOPBACK out ****
 distribute-list DENY_TELCO_LOOPBACK in

**** I put "in" and "out" just in case. I think I should use "distribute-list DENY_TELCO_LOOPBACK in GigabitEthernet6/32" only

---------------------------------------------

D EX 206.75.127.248/29 [170/256512] via 10.80.6.6, 00:01:45, GigabitEthernet6/32
D EX 206.75.127.240/29 [170/256512] via 10.80.6.6, 00:01:45, GigabitEthernet6/32
D EX 206.75.127.232/29 [170/256512] via 10.80.6.6, 00:01:45, GigabitEthernet6/32

Is it a typo?

The access-list is named "DENY_TELUS_LOOPBACK", and in the EIGRP config the access-list called is "DENY_TELCO_LOOPBACK".....

Hope to help

It is actually not a typo. For conversation purposes I wanted to change the name of the access-list before posting it here, but I changed only one name and didn't change the second one.

In my config both names are DENY_TELUS_LOOPBACK

- Can you post the output of show ip eigrp topology here?

- Are you seeing any hits on access-list ?

Hope to help

Thank you very much for help

Hello Zbigniew,

a standard ACL, when applied for filtering routes, works only on exact matches.

So it would require a long list with one line for each unwanted subnet.

If you have a lot of /29s within an IP address block you should use a prefix-list or an IP extended ACL.

I think the prefix-list is easier to use, and I provide you an example:

ip prefix-list filter-telco-loops deny 206.75.127.0/24 le 32

a line like this denies any possible subnet of block 206.75.127.0/24

you need the equivalent of permit ip any any

ip prefix-list filter-telco-loops permit 0.0.0.0/0 le 32

then you apply it adding the prefix-list

in a route map

route-map rm-filter-telco-loops permit 10

match ip address prefix-list filter-telco-loops

the route-map can be invoked by the distribute list command

router eigrp 100

distribute-list route-map rm-filter-telco-loops in gi6/32

see

http://www.cisco.com/en/US/docs/ios/iproute/command/reference/irp_pi1.html#wp1018093

This should fix your issue. Add statements before the final permit to deny all other unwanted IP blocks

Hope to help

Giuseppe

Thank you very much for the advice. I will try your solution. I think you are right because I can see hits in the access-list if the access-list is very specific. For example:

if I have deny 10.52.113.117 then I see hits, but when I have deny 154.11.18.0 then there are no hits at all.

Thanks again

zbigniew

Giuseppe is giving you good advice. From the perspective of the access list (and distribute list) there must be an exact match between what is stated in the access list and the prefix that is being advertised. I can see from your perspective that you would like to identify an address block and to deny all subnets contained within it. The tool that can do that is prefix lists, as Giuseppe has suggested.

This is why the access list and distribute list that you have configured are not working as you want. If you change the configuration and use prefix lists it should accomplish what you want.

HTH

Rick


I did what Giuseppe suggested:

router eigrp 100
 redistribute static
 passive-interface default
 no passive-interface Vlan100
 no passive-interface GigabitEthernet6/32
 no passive-interface GigabitEthernet6/47
 network 10.0.0.0
 distribute-list RM-FILTER-TELUS-LOOPS in GigabitEthernet6/32

ip prefix-list FILTER-TELUS-LOOPS seq 5 deny 206.75.127.0/24 le 32
ip prefix-list FILTER-TELUS-LOOPS seq 10 permit 0.0.0.0/0 le 32

route-map RM-FILTER-TELUS-LOOPS permit 10
 match ip address prefix-list FILTER-TELUS-LOOPS

but I still see routes to network 206.75.127.0/24

I replied to Giuseppe as well

Regards

Hello Zbigniew,

two suggestions:

a) the command could be given without providing an interface

distribute-list RM-FILTER-TELUS-LOOPS in

b) after making a change you may need to use commands like clear ip route * or

clear ip eigrp 100 neighbor

and then later see if you achieved the desired results

Also you can check if the prefix-list has matched with

show ip prefix-list FILTER-TELUS-LOOPS

if no matches appear for the deny statement we need to consider another solution

If you like you can post

sh ip route | inc 206.75.127.

Hope to help

Giuseppe

I did what you suggested:

router eigrp 100
 redistribute static
 passive-interface default
 no passive-interface Vlan100
 no passive-interface GigabitEthernet6/32
 no passive-interface GigabitEthernet6/47
 network 10.0.0.0
 distribute-list RM-FILTER-TELUS-LOOPS in GigabitEthernet6/32

ip prefix-list FILTER-TELUS-LOOPS seq 5 deny 206.75.127.0/24 le 32
ip prefix-list FILTER-TELUS-LOOPS seq 10 permit 0.0.0.0/0 le 32

route-map RM-FILTER-TELUS-LOOPS permit 10
 match ip address prefix-list FILTER-TELUS-LOOPS

I still see routes to 206.75.127.0/24

Did I miss something?

Regards

Either you can make an access-list to exactly match 206.75.127.232/29, 206.75.127.240/29, 206.75.127.248/29....

or

make your prefix-list as:

ip prefix-list FILTER-TELUS-LOOPS seq 5 deny 206.75.126.0/23 ge 32
ip prefix-list FILTER-TELUS-LOOPS seq 10 permit 0.0.0.0/0 ge 32

It will work..

Hope to Help

Should it be "le 32" as suggested by Giuseppe, or "ge 32" as you suggested? Giuseppe specified 206.75.126.0/24 and you specified 206.75.126.0/23.

I tried both and it still doesn't filter this route.

Regards
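The thread turns on two matching rules: a standard ACL in a distribute list compares only the route's network address, while a prefix-list entry also checks the mask length against its ge/le bounds. The following added example (not from the thread or from Cisco) models those IOS semantics in Python over constructed routes shaped like the show ip route lines above, so the reader can see which routes each of the three posted filters (the standard ACL, Giuseppe's "le 32" list, and the later "ge 32" list) would actually let in; the route-map keyword problem from the accepted answer is outside this model, which assumes the policy is really applied.

```python
import ipaddress

# Constructed sample routes, modelled on the "show ip route" lines in the thread.
ROUTES = ["206.75.127.248/29", "206.75.127.240/29", "206.75.127.232/29",
          "154.11.18.0/24", "154.11.18.8/29", "10.52.113.117/32", "10.80.6.0/30"]

# The thread's standard ACL as (action, address, wildcard). In a distribute list the
# entry is compared with the route's network address only; the mask length is ignored.
STD_ACL = [("deny", "10.52.0.67", "0.0.0.0"), ("deny", "154.11.18.0", "0.0.0.0"),
           ("deny", "206.75.127.0", "0.0.0.0"), ("permit", "0.0.0.0", "255.255.255.255")]

# Prefix lists as (action, prefix, ge, le): Giuseppe's "le 32" list and the "ge 32" list.
PL_LE = [("deny", "206.75.127.0/24", None, 32), ("permit", "0.0.0.0/0", None, 32)]
PL_GE = [("deny", "206.75.126.0/23", 32, None), ("permit", "0.0.0.0/0", 32, None)]


def acl_permits(acl, route):
    """Standard ACL: first matching entry wins, implicit deny if nothing matches."""
    net = int(ipaddress.ip_network(route, strict=False).network_address)
    for action, addr, wildcard in acl:
        care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))  # bits the entry checks
        if (net & care) == (int(ipaddress.ip_address(addr)) & care):
            return action == "permit"
    return False


def prefix_list_permits(plist, route):
    """IOS prefix-list semantics: the route must lie inside the entry's prefix and its
    mask length must fall in [ge, le]; with neither keyword only the exact length matches."""
    r = ipaddress.ip_network(route, strict=False)
    for action, prefix, ge, le in plist:
        p = ipaddress.ip_network(prefix, strict=False)
        low = ge if ge is not None else p.prefixlen
        high = le if le is not None else (r.max_prefixlen if ge is not None else p.prefixlen)
        if r.subnet_of(p) and low <= r.prefixlen <= high:
            return action == "permit"
    return False  # implicit deny at the end of every prefix list


def accepted_routes(filter_fn, policy, routes=ROUTES):
    """Routes a 'distribute-list ... in' built on `policy` would admit into EIGRP."""
    return [r for r in routes if filter_fn(policy, r)]


if __name__ == "__main__":
    for name, fn, pol in [("standard ACL", acl_permits, STD_ACL),
                          ("prefix-list le 32", prefix_list_permits, PL_LE),
                          ("prefix-list ge 32", prefix_list_permits, PL_GE)]:
        print(f"{name:18}: {accepted_routes(fn, pol)}")
```

The run shows the standard ACL denying only 154.11.18.0/24 (the one route whose network address equals an entry), the "le 32" list removing every /29 inside 206.75.127.0/24, and the "ge 32" list dropping everything except host routes because nothing else matches before the implicit deny.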
