Sunday, July 28, 2013

CCNP ROUTE: 10. EIGRP Route Filtering: Distribute Lists with ACL

-To filter EIGRP routes with an ACL, a route that matches a permit statement is advertised and a route that matches a deny statement is filtered. Every ACL ends with an implicit deny, so an ACL that contains only deny statements (with no final permit any) filters every route.
-When referenced by the distribute-list command for EIGRP route filtering, EIGRP compares the standard ACL's source-address field to the subnet number (prefix) of each EIGRP route. The prefix length is not examined, so a standard ACL cannot tell 172.16.0.0/30 apart from a summary 172.16.0.0/16; matching on the mask requires a prefix list instead of an ACL.

Note: To find the range of addresses matched by an ACL entry's address and wildcard mask, use the address field as the low end of the range and add the address and the wildcard mask to find the high end. This shortcut is valid when the address has zeros in all of the wildcard's "don't care" bits, as in 172.16.0.12 0.0.0.3, which matches 172.16.0.12 through 172.16.0.15.

Now, consider that R7 should not know about the 172.16.0.12/30 network: R6 must not advertise this route to R7.

Before configuring the distribute list/ACL:
R7#show ip route 
...
D    192.168.44.0/24 [90/2809856] via 172.16.0.9, 00:08:12, Serial0/0
     172.16.0.0/16 is variably subnetted, 5 subnets, 2 masks
D       172.16.0.12/30 [90/2707456] via 172.16.0.9, 00:08:11, Serial0/0
C       172.16.0.8/30 is directly connected, Serial0/0
D       172.16.0.4/30 [90/2195456] via 172.16.0.9, 00:08:12, Serial0/0
D       172.16.0.0/30 [90/2681856] via 172.16.0.9, 00:08:12, Serial0/0
D       172.16.111.0/24 [90/2297856] via 172.16.0.9, 00:08:12, Serial0/0
D    192.168.55.0/24 [90/2323456] via 172.16.0.9, 00:08:13, Serial0/0
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.0.0.0/30 is directly connected, FastEthernet0/1
R       10.0.200.0/24 [120/1] via 10.0.0.1, 00:00:09, FastEthernet0/1

An ACL must first be configured on R6 that denies the 172.16.0.12/30 network and permits any other route to be advertised:
R6(config)#ip access-list standard 99
R6(config-std-nacl)#deny 172.16.0.12 0.0.0.3 
R6(config-std-nacl)#permit any
R6#show access-lists 
Standard IP access list 99
    10 deny   172.16.0.12, wildcard bits 0.0.0.3
    20 permit any

Now the distribute list is applied under the EIGRP process, in the outbound direction on the interface towards R7 (Serial0/1):
R6(config)#router eigrp 1
R6(config-router)#distribute-list 99 out serial 0/1
*Mar  1 00:18:51.091: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.0.10 (Serial0/1) is resync: route configuration changed

Note: Had we configured the distribute list without specifying an interface (distribute-list 99 out), the routes denied by the ACL would not have been advertised to any EIGRP neighbor.

Verifying the routing table on R7:
R7#
*Mar  1 00:18:49.667: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.0.9 (Serial0/0) is resync: peer graceful-restart
R7#show ip route
...
D    192.168.44.0/24 [90/2809856] via 172.16.0.9, 00:20:52, Serial0/0
     172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
C       172.16.0.8/30 is directly connected, Serial0/0
D       172.16.0.4/30 [90/2195456] via 172.16.0.9, 00:20:52, Serial0/0
D       172.16.0.0/30 [90/2681856] via 172.16.0.9, 00:20:52, Serial0/0
D       172.16.111.0/24 [90/2297856] via 172.16.0.9, 00:20:52, Serial0/0
D    192.168.55.0/24 [90/2323456] via 172.16.0.9, 00:20:51, Serial0/0
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.0.0.0/30 is directly connected, FastEthernet0/1
R       10.0.200.0/24 [120/1] via 10.0.0.1, 00:00:02, FastEthernet0/1

If, furthermore, we want R7 not to know about the 172.16.0.0/30 and 172.16.0.4/30 networks either, we just add two deny statements to the same ACL, using sequence numbers 11 and 12 so that they are evaluated before the permit any at sequence 20:
R6(config)#ip access-list standard 99
R6(config-std-nacl)#11 deny 172.16.0.0 0.0.0.3 
R6(config-std-nacl)#12 deny 172.16.0.4 0.0.0.3

R6#show access-lists 
Standard IP access list 99
    10 deny   172.16.0.12, wildcard bits 0.0.0.3 (3 matches)
    11 deny   172.16.0.0, wildcard bits 0.0.0.3 (2 matches)
    12 deny   172.16.0.4, wildcard bits 0.0.0.3
    20 permit any (11 matches)

Resulting in:
R7#show ip route
...
D    192.168.44.0/24 [90/2809856] via 172.16.0.9, 00:25:20, Serial0/0
     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C       172.16.0.8/30 is directly connected, Serial0/0
D       172.16.111.0/24 [90/2297856] via 172.16.0.9, 00:25:21, Serial0/0
D    192.168.55.0/24 [90/2323456] via 172.16.0.9, 00:25:19, Serial0/0
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.0.0.0/30 is directly connected, FastEthernet0/1
R       10.0.200.0/24 [120/1] via 10.0.0.1, 00:00:15, FastEthernet0/1
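To make the matching rules above concrete, here is an added example (not part of the original post, and not Cisco code) that models how a standard ACL referenced by an outbound distribute-list decides the fate of each prefix: first match wins, the implicit deny applies when nothing matches, and only the subnet number is compared, never the prefix length. It replays both versions of ACL 99 from the post against the prefixes R6 advertises to R7; the list of advertised prefixes and the helper names (wildcard_range, acl_action, apply_distribute_list) are constructed for this example.

```python
import ipaddress

# Constructed sample: the EIGRP prefixes R6 advertises to R7 in the post.
# 172.16.0.8/30 (the R6-R7 link) is directly connected on R7, so it is not learned.
ADVERTISED = [
    "192.168.44.0/24",
    "172.16.0.12/30",
    "172.16.0.4/30",
    "172.16.0.0/30",
    "172.16.111.0/24",
    "192.168.55.0/24",
]

# ACL 99 as first configured (sequences 10 and 20) ...
ACL_99_V1 = [
    (10, "deny", "172.16.0.12", "0.0.0.3"),
    (20, "permit", "0.0.0.0", "255.255.255.255"),   # permit any
]
# ... and as extended with sequences 11 and 12.
ACL_99_V2 = [
    (10, "deny", "172.16.0.12", "0.0.0.3"),
    (11, "deny", "172.16.0.0", "0.0.0.3"),
    (12, "deny", "172.16.0.4", "0.0.0.3"),
    (20, "permit", "0.0.0.0", "255.255.255.255"),   # permit any
]


def wildcard_range(address, wildcard):
    """Low and high addresses matched by an ACL address/wildcard pair.

    The post's shortcut (low = address, high = address + wildcard) holds when
    the address has zeros in the wildcard "don't care" bits; masking first
    makes the range right even for an unaligned address.
    """
    a = int(ipaddress.IPv4Address(address))
    w = int(ipaddress.IPv4Address(wildcard))
    low = a & ~w
    return ipaddress.IPv4Address(low), ipaddress.IPv4Address(low | w)


def acl_matches(address, wildcard, prefix):
    """Standard-ACL semantics as used by distribute-list: compare the ACL
    source field against the route's subnet number only; the prefix length
    of the route plays no part in the comparison."""
    a = int(ipaddress.IPv4Address(address))
    w = int(ipaddress.IPv4Address(wildcard))
    n = int(ipaddress.ip_network(prefix).network_address)
    return (a & ~w) == (n & ~w)


def acl_action(acl, prefix):
    """First matching entry (by sequence number) wins; no match means the
    implicit deny at the end of every ACL."""
    for _seq, action, address, wildcard in sorted(acl):
        if acl_matches(address, wildcard, prefix):
            return action
    return "deny"


def apply_distribute_list(acl, prefixes):
    """Prefixes that survive an outbound distribute-list referencing this ACL."""
    return [p for p in prefixes if acl_action(acl, p) == "permit"]


if __name__ == "__main__":
    for name, acl in (("ACL 99 v1", ACL_99_V1), ("ACL 99 v2", ACL_99_V2)):
        print(name, "advertises:", apply_distribute_list(acl, ADVERTISED))
    print("deny 172.16.0.12 0.0.0.3 covers", wildcard_range("172.16.0.12", "0.0.0.3"))
    # Pitfall 1: deny-only ACL, no permit any -> everything is filtered.
    print("deny-only ACL on 192.168.44.0/24:",
          acl_action([(10, "deny", "172.16.0.12", "0.0.0.3")], "192.168.44.0/24"))
    # Pitfall 2: sequence 11 would also filter a 172.16.0.0/16 summary route.
    print("deny 172.16.0.0 0.0.0.3 matches 172.16.0.0/16:",
          acl_matches("172.16.0.0", "0.0.0.3", "172.16.0.0/16"))
```

Running it reproduces the two R7 routing tables in the post: the first ACL drops only 172.16.0.12/30, the extended one also drops 172.16.0.0/30 and 172.16.0.4/30. The two pitfall lines show why the permit any at sequence 20 matters and why a standard ACL is a blunt tool once summary routes with the same subnet number are in play.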