Filtering Routes with EIGRP

Problem

You want to restrict which routes EIGRP propagates through the network.

Solution

You can filter the routes that EIGRP receives on a particular interface (or subinterface) using the distribute-list in command as follows:

Router2#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#access-list 34 deny 192.168.30.0
Router2(config)#access-list 34 permit any
Router2(config)#router eigrp 55
Router2(config-router)#distribute-list 34 in Serial0.1
Router2(config-router)#exit
Router2(config)#end
Router2#

EIGRP also provides a distribute-list out command that allows you to filter the routes that are sent out through a particular interface (or subinterface):

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 57 permit 172.25.1.0
Router1(config)#access-list 57 deny any
Router1(config)#router eigrp 55
Router1(config-router)#distribute-list 57 out Serial0/0.2
Router1(config-router)#exit
Router1(config)#end
Router1#

And, with the gateway keyword, you can apply different filters to different neighbors on the same multiple-access network:

Router9#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router9(config)#ip prefix-list ALLOWED-PREFIXES permit 10.0.0.0/8 le 32
Router9(config)#ip prefix-list ALLOWED-PREFIXES deny 0.0.0.0/0 le 32
Router9(config)#ip prefix-list ALLOWED-NEIGHBORS permit 172.18.19.1/32
Router9(config)#ip prefix-list ALLOWED-NEIGHBORS permit 172.18.19.4/32
Router9(config)#ip prefix-list ALLOWED-NEIGHBORS deny 0.0.0.0/0 le 32
Router9(config)#router eigrp 55
Router9(config-router)#distribute-list prefix ALLOWED-PREFIXES gateway ALLOWED-NEIGHBORS in
Router9(config-router)#exit
Router9(config)#end
Router9#

Discussion

The best way to see the action of these distribute-list commands is to look at the routing tables both with and without the filters. In the example, this is how the routing table looked before we applied any distribute lists:

Router2#show ip route eigrp
D 192.168.30.0/24 [90/2300416] via 172.25.2.1, 00:00:06, Serial0.1
D 172.22.0.0/16 [90/2172416] via 172.25.2.1, 00:04:04, Serial0.1
172.25.0.0/16 is variably subnetted, 6 subnets, 4 masks
D 172.25.25.6/32 [90/2300416] via 172.25.2.1, 00:04:04, Serial0.1
D 172.25.25.1/32 [90/2297856] via 172.25.2.1, 00:04:04, Serial0.1
D 172.25.1.0/24 [90/2172416] via 172.25.2.1, 00:04:04, Serial0.1
D 172.25.0.0/16 is a summary, 00:06:39, Null0
D 10.0.0.0/8 [90/4357120] via 172.25.2.1, 00:04:04, Serial0.1
Router2#

Then, after applying the inbound filter, you can see that network 192.168.30.0 is gone:

Router2#show ip route eigrp
D 172.22.0.0/16 [90/2172416] via 172.25.2.1, 00:00:08, Serial0.1
172.25.0.0/16 is variably subnetted, 6 subnets, 4 masks
D 172.25.25.6/32 [90/2300416] via 172.25.2.1, 00:00:08, Serial0.1
D 172.25.25.1/32 [90/2297856] via 172.25.2.1, 00:00:08, Serial0.1
D 172.25.1.0/24 [90/2172416] via 172.25.2.1, 00:00:08, Serial0.1
D 172.25.0.0/16 is a summary, 00:08:42, Null0
D 10.0.0.0/8 [90/4357120] via 172.25.2.1, 00:00:08, Serial0.1
Router2#

The show ip protocols command shows what filters have been applied to which interfaces, both inbound and outbound:

Router2#show ip protocols 
Routing Protocol is "eigrp 55"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Serial0.1 filtered by 34 (per-user), default is 34
Default networks flagged in outgoing updates
Default networks accepted from incoming updates
EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
EIGRP maximum hopcount 100
EIGRP maximum metric variance 1
Redistributing: eigrp 55
Automatic network summarization is in effect
Automatic address summarization:
192.168.20.0/24 for Loopback0, Serial0.1
172.25.0.0/16 for Ethernet0
Summarizing with metric 128256
Maximum path: 4
Routing for Networks:
172.25.0.0
192.168.20.0
Routing Information Sources:
Gateway Distance Last Update
172.25.2.1 90 00:02:10
Distance: internal 90 external 170
Router2#

The second example in the Solution section of this recipe shows an outbound distribute list. It is difficult to see the effect of an outbound filter from the router that has the filter, so we will apply this filter on the neighboring router and look at the result from Router2.

Look back at the output of the previous show ip route eigrp command to remember what the routing table looked like before applying this filter. Then, after applying the outbound distribute-list command on the neighboring router, the routing table looks like this:

Router2#show ip route eigrp
172.25.0.0/16 is variably subnetted, 4 subnets, 4 masks
D 172.25.1.0/24 [90/2172416] via 172.25.2.1, 00:03:56, Serial0.1
Router2#

In this case, you will notice that we have applied an extremely restrictive outbound route filter. This technique is often used in WAN situations in which there is only one path from the remote site to the rest of the network. In such cases, it is often possible to send only a few summary routes, perhaps even a single default route, 0.0.0.0/0.

Again, the show ip protocols command shows information about both the filters and the interfaces that they act on:

Router1#show ip protocols 
Routing Protocol is "eigrp 55"
Outgoing update filter list for all interfaces is not set
Serial0/0.2 filtered by 57 (per-user), default is 57
Incoming update filter list for all interfaces is not set
Default networks flagged in outgoing updates
Default networks accepted from incoming updates
EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
EIGRP maximum hopcount 100
EIGRP maximum metric variance 1
Redistributing: eigrp 55
Automatic network summarization is in effect
Automatic address summarization:
172.25.0.0/16 for FastEthernet0/1, Serial0/1
Summarizing with metric 28160
172.22.0.0/16 for FastEthernet0/0.1, Serial0/0.2, Loopback0
Serial0/1
Summarizing with metric 28160
10.0.0.0/8 for FastEthernet0/0.1, Serial0/0.2, Loopback0
FastEthernet0/1
Summarizing with metric 3845120
Maximum path: 4
Routing for Networks:
10.0.0.0
172.22.0.0
172.25.0.0
Routing Information Sources:
Gateway Distance Last Update
10.1.1.1 90 00:04:45
172.25.1.7 90 00:04:45
172.25.2.2 90 00:04:45
172.22.1.4 90 00:04:45
Distance: internal 90 external 170
Router1#

You can also use prefix lists to filter routes with EIGRP. This technique is most commonly used for filtering routes with BGP. Prefix lists do essentially the same thing as the access lists that we have already discussed, but they give you a different way of approaching filtering that is in some ways more in tune with how we think about routing. And because of the highly granular control they offer, it is often much easier to configure a prefix list to do the same job as an access list. Further, in mixed BGP/EIGRP networks, it can be extremely convenient to be able to use the same method for both routing protocols:

Router2#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ip prefix-list Inbound seq 10 permit 10.0.0.0/8
Router2(config)#ip prefix-list Inbound seq 20 deny 10.0.0.0/8 ge 9
Router2(config)#ip prefix-list Inbound seq 30 permit 0.0.0.0/0 le 32
Router2(config)#router eigrp 55
Router2(config-router)#distribute-list prefix Inbound in Serial0.1
Router2(config-router)#exit
Router2(config)#end
Router2#

There are three lines in the prefix list called Inbound in this example. The first line permits the 10.0.0.0/8 network. Then the second line denies any network belonging to 10.0.0.0 that happens to have a mask with nine or more bits. The final line permits all other routes.

Again, to see how this works, it is easiest to look at the routing table before and after applying the filter. So in this case, we start with a routing table that looks like this:

Router2#show ip route eigrp
D 192.168.30.0/24 [90/2300416] via 172.25.2.1, 00:00:16, Serial0.1
10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
D EX 10.0.0.0/8 [170/4357120] via 172.25.2.1, 00:00:16, Serial0.1
D 10.2.2.0/24 [90/2300416] via 172.25.2.1, 00:00:16, Serial0.1
D 10.1.1.0/30 [90/4357120] via 172.25.2.1, 00:00:16, Serial0.1
D*EX 0.0.0.0/0 [170/2172416] via 172.25.2.1, 00:00:16, Serial0.1
Router2#

After applying this filter, this routing table is reduced to the following:

Router2#show ip route eigrp
D 192.168.30.0/24 [90/2300416] via 172.25.2.1, 00:00:22, Serial0.1
D EX 10.0.0.0/8 [170/4357120] via 172.25.2.1, 00:00:22, Serial0.1
D*EX 0.0.0.0/0 [170/2172416] via 172.25.2.1, 00:00:22, Serial0.1
Router2#

The gateway keyword is useful in some limited situations. This command is only allowed on inbound distribute lists. It then lets you filter which EIGRP neighbors to accept routing updates from. It does not allow you to filter one group of routes from one neighbor and a different group from a different neighbor, which makes the command less useful than it might initially appear.

Although the command allows it, never specify an interface on the distribute-list command if you want to use the gateway keyword. The interface name overrides the gateway feature, causing the router to ignore it quietly.


The command tells the router to accept only routes that are in the list of allowed prefixes, and only if they are received from the allowed group of neighbors:

Router9(config-router)#distribute-list prefix ALLOWED-PREFIXES gateway ALLOWED-NEIGHBORS in

This feature is most useful in situations in which you want to block all routing updates from some neighbors, but you still want these neighbors to receive all of the outbound routing updates.
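
The prefix-list evaluation used by the Inbound list (first matching entry decides, ge and le bound the mask length, implicit deny at the end) and the combined prefix-and-gateway check, as an added Python example that is not part of the original recipe. The function names are hypothetical and the updates for the gateway case are constructed; the three lists and the before-filter route table are the ones shown in this recipe.

```python
import ipaddress

def parse_entry(text):
    """Turn 'deny 10.0.0.0/8 ge 9' into (action, network, min_len, max_len)."""
    tok = text.split()
    action, net = tok[0], ipaddress.ip_network(tok[1])
    opts = dict(zip(tok[2::2], map(int, tok[3::2])))
    if not opts:                      # no ge/le: the mask length must match exactly
        return action, net, net.prefixlen, net.prefixlen
    return action, net, opts.get("ge", net.prefixlen), opts.get("le", 32)

def permits(prefix_list, prefix):
    """First matching entry decides; falling off the end is the implicit deny."""
    route = ipaddress.ip_network(prefix)
    for action, net, lo, hi in map(parse_entry, prefix_list):
        if lo <= route.prefixlen <= hi and route.network_address in net:
            return action == "permit"
    return False

def accepts(prefixes, neighbors, prefix, source):
    """Model of 'distribute-list prefix X gateway Y in': both lists must permit."""
    return permits(prefixes, prefix) and permits(neighbors, source)

def filter_routes(prefix_list, routes):
    """Return the routes that survive an inbound prefix-list filter."""
    return [r for r in routes if permits(prefix_list, r)]

# The three prefix lists from this recipe (sequence numbers omitted).
INBOUND = ["permit 10.0.0.0/8", "deny 10.0.0.0/8 ge 9", "permit 0.0.0.0/0 le 32"]
ALLOWED_PREFIXES = ["permit 10.0.0.0/8 le 32", "deny 0.0.0.0/0 le 32"]
ALLOWED_NEIGHBORS = ["permit 172.18.19.1/32", "permit 172.18.19.4/32",
                     "deny 0.0.0.0/0 le 32"]

# Router2's EIGRP routes before the Inbound filter, as shown in the recipe.
BEFORE = ["192.168.30.0/24", "10.0.0.0/8", "10.2.2.0/24", "10.1.1.0/30", "0.0.0.0/0"]

# Constructed updates (prefix, advertising neighbor) for the gateway case.
UPDATES = [("10.2.2.0/24", "172.18.19.1"), ("10.2.2.0/24", "172.18.19.2"),
           ("192.168.30.0/24", "172.18.19.4")]

if __name__ == "__main__":
    print(filter_routes(INBOUND, BEFORE))
    for prefix, source in UPDATES:
        verdict = accepts(ALLOWED_PREFIXES, ALLOWED_NEIGHBORS, prefix, source)
        print(prefix, "from", source, "->", "accept" if verdict else "drop")
```

Running the Inbound list over the before-filter table leaves the same three routes that the recipe's after-filter output shows.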

See Also