EIGRP Route Filtering with ACLs

There are a number of reasons to implement route filtering.  The filters can be used to control what routes are sent as well as what routes are learned from a neighbor.  With ACLs the configuration is very flexible so just about anything is possible!

Configuration Basics

You can see the basic topology we will be working with below.

[Figure: eigrp_topology_01]

EIGRP is configured only for the 192.168.1.0/30 network at this time.  The EIGRP configuration on each router is the same and is shown below.

router eigrp 100
 network 192.168.1.0 0.0.0.3
 no auto-summary

Filter Distribution

Our first item of business is to filter out networks that are part of the EIGRP exchange.  It doesn't really matter where the routes came from; we can filter them to prevent the routes from being sent into the rest of the network.  In our case the routes are local, from the loopback interfaces.  First, on R1 we need to include the four subnets in the EIGRP process.  Second, create a standard ACL that permits a limited subset of networks; anything the ACL does not permit is dropped by its implicit deny.  Finally, apply this ACL as a distribute-list in the EIGRP process.  The result can be seen in the example below.

R1

router eigrp 100
 network 10.0.0.0 0.0.3.255

R2

R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     10.0.0.0/24 is subnetted, 4 subnets
D       10.0.2.0 [90/156160] via 192.168.1.1, 00:00:12, FastEthernet0/0
D       10.0.3.0 [90/156160] via 192.168.1.1, 00:00:12, FastEthernet0/0
D       10.0.0.0 [90/156160] via 192.168.1.1, 00:00:12, FastEthernet0/0
D       10.0.1.0 [90/156160] via 192.168.1.1, 00:00:12, FastEthernet0/0
     192.168.1.0/30 is subnetted, 1 subnets
C       192.168.1.0 is directly connected, FastEthernet0/0

As you can see above, all routes are distributed to R2 as normal.  Now add the ACL and distribute-list configuration and check again!

R1

access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 10.0.2.0 0.0.1.255
router eigrp 100
 network 192.168.1.0 0.0.0.3
 distribute-list 1 out FastEthernet0/0

R2

R2#show ip route
…
     10.0.0.0/24 is subnetted, 3 subnets
D       10.0.2.0 [90/156160] via 192.168.1.1, 00:00:07, FastEthernet0/0
D       10.0.3.0 [90/156160] via 192.168.1.1, 00:00:07, FastEthernet0/0
D       10.0.0.0 [90/156160] via 192.168.1.1, 00:00:07, FastEthernet0/0
     192.168.1.0/30 is subnetted, 1 subnets
C       192.168.1.0 is directly connected, FastEthernet0/0

Filter Incoming Updates

Filtering incoming route updates on R2 is very similar to the example above.  Again, we need an ACL, and that ACL needs to be applied to an interface inside the routing protocol configuration.  The output below shows the routing table before the filter, the configuration, and the routing table afterwards.

R2

R2#show ip route
…
     10.0.0.0/24 is subnetted, 3 subnets
D       10.0.2.0 [90/156160] via 192.168.1.1, 00:00:09, FastEthernet0/0
D       10.0.3.0 [90/156160] via 192.168.1.1, 00:00:09, FastEthernet0/0
D       10.0.0.0 [90/156160] via 192.168.1.1, 00:00:09, FastEthernet0/0
     192.168.1.0/30 is subnetted, 1 subnets
C       192.168.1.0 is directly connected, FastEthernet0/0

access-list 1 permit 10.0.0.0 0.0.0.255
router eigrp 100
 distribute-list 1 in FastEthernet 0/0

R2#show ip route
…
     10.0.0.0/24 is subnetted, 1 subnets
D       10.0.0.0 [90/156160] via 192.168.1.1, 00:00:01, FastEthernet0/0
     192.168.1.0/30 is subnetted, 1 subnets
C       192.168.1.0 is directly connected, FastEthernet0/0
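
Both filters can be checked offline before touching a router. The Python sketch below is an added example, not part of the original article and not IOS code: it evaluates each standard ACL by wildcard mask (first match wins, implicit deny at the end) against the four loopback networks, first through R1's outbound list and then through R2's inbound list. The function names are hypothetical, and it assumes the distribute-list compares the ACL against each route's network address only.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Standard-ACL match: bits set to 1 in the wildcard mask are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_permits(acl, network):
    """First matching entry decides; no match falls through to the implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(network, base, wildcard):
            return action == "permit"
    return False  # implicit "deny any" at the end of every ACL

def apply_distribute_list(acl, routes):
    """Keep only the routes whose network address the ACL permits."""
    return [r for r in routes if acl_permits(acl, r)]

# ACL 1 as configured on R1 (outbound) and on R2 (inbound) in the article.
R1_ACL1 = [("permit", "10.0.0.0", "0.0.0.255"),
           ("permit", "10.0.2.0", "0.0.1.255")]
R2_ACL1 = [("permit", "10.0.0.0", "0.0.0.255")]

# The four loopback subnets that R1 injects into EIGRP.
LOOPBACKS = ["10.0.0.0", "10.0.1.0", "10.0.2.0", "10.0.3.0"]

def simulate():
    """Return (routes R1 advertises, routes R2 installs after its own filter)."""
    sent = apply_distribute_list(R1_ACL1, LOOPBACKS)
    installed = apply_distribute_list(R2_ACL1, sent)
    return sent, installed

if __name__ == "__main__":
    sent, installed = simulate()
    print("R1 advertises:", sent)
    print("R2 installs:  ", installed)
    for net in LOOPBACKS:
        if net not in sent:
            print("dropped at R1 by implicit deny:", net)
```

The wildcard 0.0.1.255 ignores the low bit of the third octet, which is why the single entry for 10.0.2.0 also covers 10.0.3.0 while 10.0.1.0 matches neither entry.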

I hope you found this useful!  Please feel free to comment below.  In my next article I will be discussing prefix lists and route maps!
