Cisco Support Community

New Member

EIGRP route filtering, use distribute-list, or ip summary-address

I have a situation where I want to filter EIGRP routes being sent to a down stream switch (Layer 3). In this scenario we have a 6513 sending routes to a down stream 3560E configured as an EIGRP stub-connected. My question is what is the preferred method to filter the EIGRP routes and only send an EIGRP default route to the downstream 3560E? Is it best to use a distribute list or the ip summary-address command? I know they pretty much do about the same thing. I have heard that a distribute-list is less risky since it does not place a default route to null0 in EIGRP topology route table.

Thanks


23 REPLIES
Hall of Fame Super Silver

Re: EIGRP route filtering, use distribute-list, or ip sumary-add

Brandon

Is there a viable default route on the router where your EIGRP process is running? If there is a default route there then I agree with Sundar that it is best to use the summary address command. I might not use the Administrative Distance of 255, but you do want to make sure that the Administrative Distance of the entry based on the summary address is higher than the Administrative Distance of the summary route. (and if there is not a viable default route then the distribute list will not advertise one).

HTH

Rick

New Member

Re: EIGRP route filtering, use distribute-list, or ip sumary-add

Rick,

Thanks for your response. Yes we do have a default route 0.0.0.0 0.0.0.0 10.x.x.x pointing to our default gateway (Firewall). Can you please briefly explain what you mean by:

"but you do want to make sure that the Administrative Distance of the entry based on the summary address is higher than the Administrative Distance of the summary route"?

Thanks

Hall of Fame Super Silver

Re: EIGRP route filtering, use distribute-list, or ip sumary-add

Brandon

How you are learning your default route will assign it an administrative distance. If it is a static route then its AD defaults to 1. If it is learned via EIGRP it would default to 90, etc. There is an optional parameter that you can specify when configuring the EIGRP summary address and you want to use that parameter to make sure that the summary you are configuring has AD higher than your real default route. The potential issue is that the summary address command will default to an AD of 5 and that could displace the default route that you really want to use.

HTH

Rick

New Member

Re: EIGRP route filtering, use distribute-list, or ip sumary-add

Rick,

On the 6513 giving the summary we are also using redistribute static under the EIGRP process. When you do this and also advertise a default summary to a down stream it makes the eigrp ad 170 and is thus flagged as an external route. On my 6513 I configured my summary advertisement as 0.0.0.0 0.0.0.0 250. Is the 250 (AD specified) the optional parameter you mention to use?

Thanks,

Brandon

Hall of Fame Super Silver

Re: EIGRP route filtering, use distribute-list, or ip sumary-add

Brandon

Yes the 250 is the AD and is the optional parameter that I mentioned.

HTH

Rick

Re: EIGRP route filtering, use distribute-list, or ip sumary-add

I would suggest using 'ip summary-address' command because of ease of management and configuration simplicity. To stop the router from installing a null route set the admin distance to 255 in the 'ip summary-address' command.

Eg.

ip summary-address eigrp 1 0.0.0.0 0.0.0.0 255 --> changes the admin distance to 255 (default is 5).

HTH

Sundar

New Member

Re: EIGRP route filtering, use distribute-list, or ip sumary-add

When I use 255 as the AD it still installs a null route.

Attached is a config from my lab showing the config snippets and eigrp topology.

Re: EIGRP route filtering, use distribute-list, or ip sumary-add

You posted the output of show ip eigrp topology. Can you post the output of 'show ip route 0.0.0.0'?

New Member

Re: EIGRP route filtering, use distribute-list, or ip sumary-add

This is straight from Cisco IP routing 12.4 guide about using the summary-address command vs. a distribute-list. See what you think.

You should not use the ip summary-address eigrp summarization command to generate the default route (0.0.0.0) from an interface. This causes the creation of an EIGRP summary default route to the null 0 interface with an administrative distance of 5. The low administrative distance of this default route can cause this route to displace default routes learned from other neighbors from the routing table. If the default route learned from the neighbors is displaced by the summary default route, or if the summary route is the only default route present, all traffic destined for the default route will not leave the router, instead, this traffic will be sent to the null 0 interface where it is dropped.

The recommended way to send only the default route out a given interface is to use a distribute-list command. You can configure this command to filter all outbound route advertisements sent out the interface with the exception of the default (0.0.0.0).

Hall of Fame Super Silver

Re: EIGRP route filtering, use distribute-list, or ip sumary-add

Brandon

First: I thought from previous posts that the router in question was learning a default route. From the recent post I see that it is the router that is doing the redistribution. Even with this change in the environment I believe that our previous answers were valid and that the summary address with adjusted AD is a good solution.

Second: I agree with Sundar that seeing the content of the routing table would be helpful.

I do note in your post that the remote stub router is correctly learning the default route from your router:

P 0.0.0.0/0, 2 successors, FD is 28416

via 10.201.2.3 (28416/2816), FastEthernet1/0/8

so I believe that this demonstrates that our suggestion is a workable solution.

Third: the notes from the config guide do correctly identify the risk of using a summary address to create a default route. By default the summary address creates a route to null0 with a very favorable AD (defaults to 5 on the local router). As long as you take our advice and make the AD of the summary address greater than the AD of the other default route then things will work as you want them to.

If it makes you more comfortable to follow the suggestion from the config guide and to use a distribute list to filter out all advertisements other than the default route then go ahead and do this. I am convinced that both approaches (if carefully implemented) will work. I made a suggestion that I thought was perhaps more operationally simple (and perhaps slightly more efficient - though I have no hard data to support that). Perhaps the author of the config guide is considering something that we have not considered. The stated problem with the summary address is the potential to displace a "real" default route - and we have demonstrated a way to prevent that problem. Perhaps there is some other aspect that they considered but did not specify. I believe that both will work and that you can be comfortable with either alternative.

I wonder if any of the senior Cisco engineers who participate in this forum might have thoughts to share?

HTH

Rick

New Member

Re: EIGRP route filtering, use distribute-list, or ip sumary-add

Rick,

I certainly appreciate you and Sundar's extremely helpful insight. I noted you both for credit on the solution. I, like you, would like to hear input from senior Cisco engineers who participate in this forum, if any. It seems like with most things Cisco there is no real cut best practice and always an exception to the rule. ;-)

HTH

Brandon

Gold

Re: EIGRP route filtering, use distribute-list, or ip sumary-add

There is no hard and fast rule in this case.... It's a matter of preference, which config you like better, and which one you think is "more obvious." The summary with the admin distance is the shorter config, but the less common, so there are advantages on both sides.

There are some who would not recommend doing this with an admin distance of 255, which prevents the discard route from being installed at all, because if you lose the "underlying" route, then it's possible to build routing loops pretty easily. OTOH, using the admin distance of 250, rather than 255, is safe from these sorts of problems.

So, no hard and fast rule either way.

:-)

Russ

New Member

Re: EIGRP route filtering, use distribute-list, or ip sumary-add

Russ,

Thanks I really appreciate the response.

HTH,

Brandon

New Member

Re: EIGRP route filtering, use distribute-list, or ip sumary-add

Hi Russ,

I have some points I'd like to mention, based on experience with this issue in our network, and I also have a related question:

- Regarding the use of ip summary-address vs distribution list, and comparing the administrative overhead to manage them, it really is the same. With the ip summary-address, you need to apply this command to every interface you add to the router where you want to only send the default route. With the distribute list, you create the list policy once, and then add a distribute-list entry to your eigrp process for every interface you add where you only want to send the default route. So, for ongoing changes, you still need to add an entry per new interface, it's just a matter of whether you put an ip summary-address command on an interface or a distribute-list command into eigrp.

- Regarding a default route on the stub router, what I do in conjunction with the above (we use the distribute-list method) is to create a default route on each stub router (ip route 0.0.0.0 0.0.0.0 ww.xx.yy.zz 200) with an AD of 200. That way, the stub router will have a static 'default' route (AD=1) that it can use if it does not learn an advertised default (AD=90) from eigrp. If you don't change the AD of the default route on the stub, it will never install the eigrp default route into its routing table, so all the work at the hub router to create and advertise only a default route to the stub routers will be a waste of time.

Finally, I have a question regarding the AD for a summary-address. By default, the AD for the summary route is 5. However, I am trying to understand what issues I should be concerned with regarding this AD, as compared to AD=90 or AD=130 for my eigrp internal and external routes. For a normal network, where I have numerous IP subnets connected to a regional hub, and I want to advertise a few summary routes from the hub to other hubs which will cover the numerous IP subnets, is there anything to gain by changing the AD of the summary route from 5 to something lesser than 90 or greater than 90? I am assuming that the reason a summary route has an AD of 5 since it is something explicitly configured, meaning that someone who should 'know' their network has created this explicit route summary, so it should be trusted more than a normal learned route from eigrp (AD=90)? If this assumption is correct, is the AD=5 designed to tell the router performing the summarization that it should trust this summary above the learned routes, or is it something that the eigrp neighbors benefit from? I've tested it in a lab environment and see the summary route received by the eigrp neighbors with an AD=90, so it looks like the AD=5 preference is really only for the advertising router, to choose advertising the summary over the more specific routes?

Any clarification for this issue is greatly appreciated.

Ron Buchalski

Hall of Fame Super Silver

Re: EIGRP route filtering, use distribute-list, or ip sumary-add

Ron

You are correct that the AD for a summary route in EIGRP of 5 is for the local router only. The neighbor to whom you advertise the summary sees the incoming subnet as a regular advertisement and applies its normal AD for it. There is no benefit (and really no impact at all) to the neighbor when the AD for a summary is 5.

The AD of 5 for a summary route is for the local router. The reason for the default value of 5 is to indicate that this is a configured element and therefore should be more trusted than something that is learned dynamically. However there is a potential impact of this which we should understand. Perhaps an example will help to clarify this. Assume a router A which has several active interfaces and a neighbor on each interface. Assume that a router U is an upstream router and advertises a default route to A. Assume that router S on another interface is a stub router and as such you want to advertise only a default route to it. So you configure a summary-address on the interface for router S. Creation of the summary address 0.0.0.0/0 inserts its prefix into the routing table with AD of 5 and displaces the prefix learned from router U. Now assume router N is a neighbor router but not a stub. You would like to advertise the default route to neighbor N. But since the route in the routing table is from the summary address on interface S you can not advertise the default route to neighbor N. The solution is to configure the summary-address with AD higher than the AD of the learned default route.

HTH

Rick

New Member

Re: EIGRP route filtering, use distribute-list, or ip sumary-add

Rick,

Thank you for the excellent explanation.

Ron Buchalski

Hall of Fame Super Silver

Re: EIGRP route filtering, use distribute-list, or ip sumary-add

Ron

I am glad that you found my explanation helpful. Thanks for the compliment and for the rating.

HTH

Rick

Gold

Re: EIGRP route filtering, use distribute-list, or ip sumary-add

An aside--I would never set the AD on the created summary to 255, to prevent building permanent routing loops into the network through the summary.

:-)

Russ

Re: EIGRP route filtering, use distribute-list, or ip sumary-add

Really interesting post.. I was designing a three tier network with EIGRP and wanted to discuss a very small thing. This is also related to default route advertisement, though my scenario is a little different.. The network looks like:

Corporate WAN -- Dual core routers -- Dual Core switches -- Dual Distribution switches -- access switches...

Core routers have default route towards POP segment which connects to Firewalls/internet etc.. There are actually two or three POP segments in the whole of the WAN, and hence this default route isn't redistributed onto the WAN.. There are some 50 static routes which point to different segments in POP, which is ONLY redistributed into EIGRP, using distribute list..

Now, am designing Core/distribution switches in this network. My question is:

1) Since the core router is redistributing only 50 odd static routes into EIGRP, my Core switch will not get a default route advertisement in.. and so do my distribution/access switches. will summary address or interface based distribute list work well here, just to inject the default route towards the LAN, and not on the WAN ?

The admin here have plans to use dual static default routes internally on the Core/distribution switches, to avoid all these filtering issues, which doesn't seem a good idea to me ! I think we should really avoid static routes, if we run a full fledged dynamic routing protocol like EIGRP..

Any comments ?

Raj

Hall of Fame Super Silver

Re: EIGRP route filtering, use distribute-list, or ip sumary-add

Raj

I agree with you that I would prefer to advertise from upstream toward downstream and avoid static routes on the down stream devices. One of several reasons that I would prefer this is that if communications are disrupted between upstream and downstream and the downstream loses its upstream neighbor then it removes any routes learned from upstream via dynamic routing out of the routing table. But if the downstream has static routes configured and you lose communication with upstream the static routes are likely to remain in the routing table (assuming some type of Ethernet connection, the interface will probably remain "up" even though it has lost communication, and the static route is removed only if the outbound interface goes protocol down).

HTH

Rick

Re: EIGRP route filtering, use distribute-list, or ip sumary-add

Rick

Thanks for the reply..To make life simpler, I'm attaching a sample diagram of the design.. You can see that the default route injection is restricted right on the core router and hence the core/distribution switches do not get it.. I have a standard distribute list on the core router which does this.. All the switches on LAN have dual connectivities, cross connects...

Two solutions now:

1) take default route via eigrp, but have different filters at different places

2) have static routes on the core/distribution switches pointing to next hops

am trying to avoid the second solution.. if so, what is the best way to go about the first solution ?

Raj

Re: EIGRP route filtering, use distribute-list, or ip sumary-add

Forgot to add the attachment :)

New Member

EIGRP route filtering, use distribute-list, or ip summary-address

OK, I have some thoughts to share.

Let's consider the following simple scheme: we have two hub routers, each with a link to the core cloud and to the stub router, and a hub-to-hub interconnection link. The default route is passed from the core. The hub routers have "ip summary-address eigrp n 0.0.0.0 0.0.0.0 250" configured on their interfaces facing the stub router. The hubs pass the default to the stub router and all seems OK.

Now let's imagine the following scenario: one of the hubs loses contact with the other hub and the core. Then the following occurs: the hub installs a default route to null0 in its routing table and sends it to the stub, which then sends its traffic to this hub router, where it is discarded. Thus the stub router does not use its second link to the other hub to forward traffic.

In this case, use of a distribution list instead of the summary helps us avoid this undesirable behavior. And I understand why the guide recommends the use of the distribute-list command.
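
The two failure cases raised in this thread (the summary's default AD of 5 displacing a learned default, and a hub that has lost its upstream still advertising the summary to the stub) can be checked with a small model. This is an added example, not part of any post and not a full account of IOS behaviour. The names Route, HubView, best_default, hub_view and router-U are hypothetical, and the learned default is assumed to be an EIGRP route with AD 90.

```python
"""Simplified model (constructed for illustration) of how a hub handles 0.0.0.0/0."""
from dataclasses import dataclass
from typing import Optional

UNINSTALLABLE_AD = 255  # per the thread: AD 255 keeps the discard route out of the RIB


@dataclass(frozen=True)
class Route:
    source: str    # "eigrp" (learned upstream) or "summary" (local discard route)
    next_hop: str
    ad: int


@dataclass(frozen=True)
class HubView:
    next_hop: Optional[str]   # where the hub itself sends default traffic
    stub_gets_default: bool   # is 0.0.0.0/0 advertised on the stub-facing link?
    peer_gets_default: bool   # can a non-stub neighbor (router N) be sent a default?
    stub_blackholed: bool     # stub is attracted to a hub that cannot forward


def best_default(candidates):
    """Pick the RIB entry for 0.0.0.0/0: lowest AD wins, AD 255 is never installed."""
    usable = [r for r in candidates if r.ad < UNINSTALLABLE_AD]
    return min(usable, key=lambda r: r.ad, default=None)


def hub_view(learned: Optional[Route], method: str, summary_ad: int = 5) -> HubView:
    """method is "summary" (ip summary-address eigrp ... 0.0.0.0 0.0.0.0 [AD])
    or "distribute-list" (outbound filter permitting only the default)."""
    if method not in ("summary", "distribute-list"):
        raise ValueError(f"unknown method: {method}")
    candidates = [learned] if learned else []
    if method == "summary":
        candidates.append(Route("summary", "Null0", summary_ad))
    best = best_default(candidates)
    real_is_best = best is not None and best.source != "summary"
    # The summary is generated locally, so it is sent whether or not a real
    # default exists; a filter can only pass a default the hub actually has.
    stub_gets = True if method == "summary" else learned is not None
    return HubView(
        next_hop=best.next_hop if best else None,
        stub_gets_default=stub_gets,
        peer_gets_default=real_is_best,
        stub_blackholed=stub_gets and not real_is_best,
    )


if __name__ == "__main__":
    upstream = Route("eigrp", "router-U", 90)   # constructed sample route
    for label, learned, method, ad in [
        ("summary, default AD 5", upstream, "summary", 5),
        ("summary, AD 250", upstream, "summary", 250),
        ("summary, AD 250, upstream lost", None, "summary", 250),
        ("distribute-list, upstream lost", None, "distribute-list", 0),
    ]:
        print(f"{label:34} {hub_view(learned, method, ad)}")
```

On a real router, `show ip route 0.0.0.0` on the hub shows which of these states it is in: a next hop of Null0 means the summary's discard route is the installed default.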
