[info]Basic configuration[/info]
R1 and R2:
R1(config)#router eigrp 100
R1(config-router)#passive-interface default
R1(config-router)#no passive-interface fa0/0
R1(config-router)#network 10.1.1.0 0.0.0.3
R1(config-router)#no auto-summary
R2(config)#router eigrp 100
R2(config-router)#passive-interface default
R2(config-router)#no passive-interface fa0/0
R2(config-router)#network 10.1.1.0 0.0.0.3
R2(config-router)#no auto-summary
With this configuration only 10.1.1.0/30 is advertised via EIGRP.
[success]ROUTE REDISTRIBUTION [/success]
Configure some loopbacks for testing purposes:
R1:
R1(config)#int loopback 1
R1(config-if)#ip address 172.16.1.1 255.255.255.0
R1(config-if)#exit
R1(config)#int loopback 2
R1(config-if)#ip address 172.16.2.1 255.255.255.0
R1(config-if)#exit
R1(config)#int loopback 3
R1(config-if)#ip address 172.16.3.1 255.255.255.224
R1(config-if)#exit
R1(config)#int loopback 4
R1(config-if)#ip address 172.16.4.1 255.255.255.0
R1(config-if)#exit
R1(config)#int loopback 31
R1(config-if)#ip address 172.16.31.1 255.255.248.0
R1(config-if)#exit
Now redistribute them into AS 100 using the “redistribute connected” command:
R1:
R1(config)#router eigrp 100
R1(config-router)#redistribute connected
Now check R2 to see if there are any routes for these loopbacks:
R2:
R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 5 subnets, 3 masks
D EX 172.16.24.0/21 [170/409600] via 10.1.1.1, 00:00:36, FastEthernet0/0
D EX 172.16.4.0/24 [170/409600] via 10.1.1.1, 00:00:36, FastEthernet0/0
D EX 172.16.1.0/24 [170/409600] via 10.1.1.1, 00:00:36, FastEthernet0/0
D EX 172.16.2.0/24 [170/409600] via 10.1.1.1, 00:00:36, FastEthernet0/0
D EX 172.16.3.0/27 [170/409600] via 10.1.1.1, 00:00:36, FastEthernet0/0
10.0.0.0/30 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, FastEthernet0/0
R2#
[success]SUPPRESS NETWORKS FROM BEING ADVERTISED WITH DISTRIBUTE-LISTS[/success]
[info]IP ACL #1[/info]
Advertise all networks in range 172.16.0.0/21 (172.16.0.0 – 172.16.7.255):
R1:
R1(config)#router eigrp 100
R1(config-router)#distribute-list 5 out connected
R1(config-router)#exit
R1(config)#access-list 5 remark Prefixes advertised via EIGRP
R1(config)#access-list 5 permit 172.16.0.0 0.0.7.255
R1(config)#access-list 5 deny any
On R2 see if 172.16.24.0/21 has been removed:
R2:
R2#sh ip route eigrp
172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
D EX 172.16.4.0/24 [170/409600] via 10.1.1.1, 00:04:53, FastEthernet0/0
D EX 172.16.1.0/24 [170/409600] via 10.1.1.1, 00:04:53, FastEthernet0/0
D EX 172.16.2.0/24 [170/409600] via 10.1.1.1, 00:04:53, FastEthernet0/0
D EX 172.16.3.0/27 [170/409600] via 10.1.1.1, 00:04:53, FastEthernet0/0
R2#
[info]IP ACL #2[/info]
Advertise only 172.16.1.0 and 172.16.3.0:
Just change the ACL:
R1:
R1(config)#no access-list 5
R1(config)#access-list 5 remark Prefixes advertised via EIGRP
R1(config)#access-list 5 permit 172.16.1.0 0.0.0.255
R1(config)#access-list 5 permit 172.16.3.0 0.0.0.255
R1(config)#access-list 5 deny any
Now go to R2 and you should see only the two routes:
R2:
R2#sh ip route eigrp
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
D EX 172.16.1.0/24 [170/409600] via 10.1.1.1, 00:13:26, FastEthernet0/0
D EX 172.16.3.0/27 [170/409600] via 10.1.1.1, 00:13:26, FastEthernet0/0
R2#
As you can see, filtering with standard ACLs is very easy, but a standard ACL does not take the prefix length into account: 172.16.3.0/27 is permitted by an entry written for 172.16.3.0 0.0.0.255. Prefix-lists are a more flexible way of filtering.
[info]PREFIX LIST #1[/info]
Advertise only 172.16.1.0/24 and 172.16.3.0/24:
R1:
R1(config)#router eigrp 100
R1(config-router)#distribute-list prefix EIGRP_ADVERTISED_PREFIXES out connected
R1(config-router)#exit
R1(config)#ip prefix-list EIGRP_ADVERTISED_PREFIXES description Prefixes advertised via EIGRP
R1(config)#ip prefix-list EIGRP_ADVERTISED_PREFIXES seq 5 permit 172.16.1.0/24
R1(config)#ip prefix-list EIGRP_ADVERTISED_PREFIXES seq 10 permit 172.16.3.0/24
Now go to R2 and you should see only 172.16.1.0/24 and NOT 172.16.3.0, because it has a prefix length of /27:
R2:
R2#sh ip route eigrp
172.16.0.0/24 is subnetted, 1 subnets
D EX 172.16.1.0 [170/409600] via 10.1.1.1, 00:42:06, FastEthernet0/0
R2#
[info]PREFIX LIST #2[/info]
Advertise all prefixes in the range 172.16.0.0/16 with a prefix length <= 24:
Delete the prefix list above and put this in:
R1:
R1(config)#ip prefix-list EIGRP_ADVERTISED_PREFIXES description Prefixes advertised via EIGRP
R1(config)#ip prefix-list EIGRP_ADVERTISED_PREFIXES seq 5 permit 172.16.0.0/16 le 24
On R2 you should see all prefixes with a length of /24 or shorter (172.16.3.0/27 is missing):
R2:
R2#sh ip route eigrp
172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
D EX 172.16.24.0/21 [170/409600] via 10.1.1.1, 00:01:33, FastEthernet0/0
D EX 172.16.4.0/24 [170/409600] via 10.1.1.1, 00:01:33, FastEthernet0/0
D EX 172.16.1.0/24 [170/409600] via 10.1.1.1, 00:47:03, FastEthernet0/0
D EX 172.16.2.0/24 [170/409600] via 10.1.1.1, 00:01:33, FastEthernet0/0
R2#
[info]PREFIX LIST #3[/info]
Advertise all prefixes in the range 172.16.0.0/16 with a prefix length >= 24:
Again remove the ip prefix-list above and now put this:
R1:
R1(config)#ip prefix-list EIGRP_ADVERTISED_PREFIXES description Prefixes advertised via EIGRP
R1(config)#ip prefix-list EIGRP_ADVERTISED_PREFIXES seq 5 permit 172.16.0.0/16 ge 24
Now go to R2 and notice the prefixes with a length of /24 or longer (172.16.24.0/21 is missing):
R2:
R2#sh ip route eigrp
172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
D EX 172.16.4.0/24 [170/409600] via 10.1.1.1, 00:06:03, FastEthernet0/0
D EX 172.16.1.0/24 [170/409600] via 10.1.1.1, 00:51:33, FastEthernet0/0
D EX 172.16.2.0/24 [170/409600] via 10.1.1.1, 00:06:03, FastEthernet0/0
D EX 172.16.3.0/27 [170/409600] via 10.1.1.1, 00:01:40, FastEthernet0/0
R2#
[info]PREFIX LIST #4[/info]
Advertise all prefixes with a prefix length <= 21 and >=27 (–> 172.16.3.0/27 and 172.16.24.0/21), but not a default-route:
Remove the ip prefix-list above and now put this:
R1:
R1(config)#ip prefix-list EIGRP_ADVERTISED_PREFIXES description Prefixes advertised via EIGRP
R1(config)#ip prefix-list EIGRP_ADVERTISED_PREFIXES seq 5 deny 0.0.0.0/0
R1(config)#ip prefix-list EIGRP_ADVERTISED_PREFIXES seq 10 permit 0.0.0.0/0 le 21
R1(config)#ip prefix-list EIGRP_ADVERTISED_PREFIXES seq 15 permit 0.0.0.0/0 ge 27
R2 no longer receives the /24s and sees only the two routes specified above:
R2:
R2#sh ip route eigrp
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
D EX 172.16.24.0/21 [170/409600] via 10.1.1.1, 00:18:44, FastEthernet0/0
D EX 172.16.3.0/27 [170/409600] via 10.1.1.1, 00:22:31, FastEthernet0/0
R2#
[info]PREFIX LIST #5[/info]
Advertise all prefixes with a prefix length >= 21 and <=27:
Remove the ip prefix-list above and now put this:
R1:
R1(config)#ip prefix-list EIGRP_ADVERTISED_PREFIXES description Prefixes advertised via EIGRP
R1(config)#ip prefix-list EIGRP_ADVERTISED_PREFIXES seq 10 deny 0.0.0.0/0 ge 28
R1(config)#ip prefix-list EIGRP_ADVERTISED_PREFIXES seq 15 deny 0.0.0.0/0 le 20
R1(config)#ip prefix-list EIGRP_ADVERTISED_PREFIXES seq 20 permit 0.0.0.0/0 le 27
R2 will show ALL routes:
R2:
R2#sh ip route eigrp
172.16.0.0/16 is variably subnetted, 5 subnets, 3 masks
D EX 172.16.24.0/21 [170/409600] via 10.1.1.1, 00:38:05, FastEthernet0/0
D EX 172.16.4.0/24 [170/409600] via 10.1.1.1, 00:02:56, FastEthernet0/0
D EX 172.16.1.0/24 [170/409600] via 10.1.1.1, 00:02:56, FastEthernet0/0
D EX 172.16.2.0/24 [170/409600] via 10.1.1.1, 00:02:56, FastEthernet0/0
D EX 172.16.3.0/27 [170/409600] via 10.1.1.1, 00:41:52, FastEthernet0/0
R2#
[success]SUPPRESS NETWORKS FROM BEING ADVERTISED WITH ROUTE-MAPS[/success]
[info]ROUTE-MAP WITH STANDARD ACCESS-LIST[/info]
Advertise only 172.16.1.0 and 172.16.3.0:
R1:
R1(config)#router eigrp 100
R1(config-router)#redistribute connected route-map CONNECTED_TO_EIGRP100
R1(config-router)#exit
R1(config)#access-list 5 remark Prefixes announced via EIGRP
R1(config)#access-list 5 permit 172.16.1.0 0.0.0.255
R1(config)#access-list 5 permit 172.16.3.0 0.0.0.255
R1(config)#access-list 5 deny any
R1(config)#route-map CONNECTED_TO_EIGRP100 permit 10
R1(config-route-map)#description Prefixes advertised via EIGRP
R1(config-route-map)#match ip address 5
R1(config-route-map)#exit
On R2 you will only see those two routes:
R2:
R2#sh ip route eigrp
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
D EX 172.16.1.0/24 [170/409600] via 10.1.1.1, 00:00:13, FastEthernet0/0
D EX 172.16.3.0/27 [170/409600] via 10.1.1.1, 00:00:13, FastEthernet0/0
R2#
[info]ROUTE-MAP WITH IP PREFIX-LIST[/info]
Advertise all prefixes in the range 172.16.0.0/16 with a prefix length <= 24:
R1:
R1(config)#ip prefix-list EIGRP_ADVERTISED_PREFIXES description Prefixes advertised via EIGRP
R1(config)#ip prefix-list EIGRP_ADVERTISED_PREFIXES seq 5 permit 172.16.0.0/16 le 24
R1(config)#route-map CONNECTED_TO_EIGRP100 permit 10
R1(config-route-map)#description Prefixes advertised via EIGRP
R1(config-route-map)#match ip address prefix-list EIGRP_ADVERTISED_PREFIXES
R1(config-route-map)#exit
On R2 you should see that route 172.16.3.0/27 is missing:
R2:
R2#sh ip route eigrp
172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
D EX 172.16.24.0/21 [170/409600] via 10.1.1.1, 00:07:42, FastEthernet0/0
D EX 172.16.4.0/24 [170/409600] via 10.1.1.1, 00:07:42, FastEthernet0/0
D EX 172.16.1.0/24 [170/409600] via 10.1.1.1, 00:12:32, FastEthernet0/0
D EX 172.16.2.0/24 [170/409600] via 10.1.1.1, 00:07:42, FastEthernet0/0
R2#
[info]ROUTE-MAP WITH A COMBINATION OF IP PREFIX-LIST AND ACCESS-LIST[/info]
Advertise all prefixes in the range 172.16.0.0/16 with a prefix length <= 24, plus 172.16.3.0 (matched by access-list, without a specific prefix length):
R1:
R1(config)#ip prefix-list EIGRP_ADVERTISED_PREFIXES description Prefixes advertised via EIGRP
R1(config)#ip prefix-list EIGRP_ADVERTISED_PREFIXES seq 5 permit 172.16.0.0/16 le 24
R1(config)#access-list 5 remark Prefixes advertised via EIGRP
R1(config)#access-list 5 permit 172.16.3.0 0.0.0.255
R1(config)#access-list 5 deny any
R1(config)#route-map CONNECTED_TO_EIGRP100 permit 10
R1(config-route-map)#description Prefixes filtered with ip prefix-list
R1(config-route-map)#match ip address prefix-list EIGRP_ADVERTISED_PREFIXES
R1(config-route-map)#exit
R1(config)#route-map CONNECTED_TO_EIGRP100 permit 20
R1(config-route-map)#description Prefixes filtered with access-list
R1(config-route-map)#match ip address 5
On R2 you will see all routes:
R2:
R2#sh ip route eigrp
172.16.0.0/16 is variably subnetted, 5 subnets, 3 masks
D EX 172.16.24.0/21 [170/409600] via 10.1.1.1, 00:02:16, FastEthernet0/0
D EX 172.16.4.0/24 [170/409600] via 10.1.1.1, 00:02:16, FastEthernet0/0
D EX 172.16.1.0/24 [170/409600] via 10.1.1.1, 00:02:16, FastEthernet0/0
D EX 172.16.2.0/24 [170/409600] via 10.1.1.1, 00:02:16, FastEthernet0/0
D EX 172.16.3.0/27 [170/409600] via 10.1.1.1, 00:02:14, FastEthernet0/0
R2#
[info]ROUTE-MAP WITH AN INTERFACE AS MATCH-CRITERIA[/info]
Advertise the prefixes configured on the interface matching the route-map:
Remove the route-maps and ACLs and put this:
R1:
R1(config)#route-map CONNECTED_TO_EIGRP100 permit 10
R1(config-route-map)#match interface Loopback1 Loopback2 Loopback31
On R2 you will see the three loopback segment routes:
R2:
R2#sh ip route eigrp
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
D EX 172.16.24.0/21 [170/409600] via 10.1.1.1, 00:00:09, FastEthernet0/0
D EX 172.16.1.0/24 [170/409600] via 10.1.1.1, 00:00:09, FastEthernet0/0
D EX 172.16.2.0/24 [170/409600] via 10.1.1.1, 00:00:09, FastEthernet0/0
R2#
[info]ADDING A TAG TO AN ADVERTISED ROUTE[/info]
Add the tag 4711 to route 172.16.1.0/24. All other 172.16.0.0/16 networks will be advertised without a tag. The route tag is useful if R2 needs to treat routes with tag 4711 differently from other routes.
Remove the route-map above and add this:
R1:
R1(config)#access-list 5 remark Prefixes announced via EIGRP
R1(config)#access-list 5 permit 172.16.0.0 0.0.255.255
R1(config)#access-list 5 deny any
R1(config)#access-list 10 remark Add a tag to these routes
R1(config)#access-list 10 permit 172.16.1.0 0.0.0.255
R1(config)#access-list 10 deny any
R1(config)#route-map CONNECTED_TO_EIGRP100 permit 10
R1(config-route-map)#match ip address 10
R1(config-route-map)#set tag 4711
R1(config-route-map)#exit
R1(config)#route-map CONNECTED_TO_EIGRP100 permit 20
R1(config-route-map)#match ip address 5
As you can see below, on R2 the route 172.16.1.0/24 carries the route tag 4711:
R2:
R2#sh ip route eigrp
172.16.0.0/16 is variably subnetted, 5 subnets, 3 masks
D EX 172.16.24.0/21 [170/409600] via 10.1.1.1, 00:00:07, FastEthernet0/0
D EX 172.16.4.0/24 [170/409600] via 10.1.1.1, 00:00:07, FastEthernet0/0
D EX 172.16.1.0/24 [170/409600] via 10.1.1.1, 00:00:08, FastEthernet0/0
D EX 172.16.2.0/24 [170/409600] via 10.1.1.1, 00:00:07, FastEthernet0/0
D EX 172.16.3.0/27 [170/409600] via 10.1.1.1, 00:00:07, FastEthernet0/0
R2#sh ip route 172.16.1.0
Routing entry for 172.16.1.0/24
Known via "eigrp 100", distance 170, metric 409600
Tag 4711, type external
Redistributing via eigrp 100
Last update from 10.1.1.1 on FastEthernet0/0, 00:01:15 ago
Routing Descriptor Blocks:
* 10.1.1.1, from 10.1.1.1, 00:01:15 ago, via FastEthernet0/0
Route metric is 409600, traffic share count is 1
Total delay is 6000 microseconds, minimum bandwidth is 10000 Kbit
Reliability 255/255, minimum MTU 1500 bytes
Loading 1/255, Hops 1
Route tag 4711
R2#
[success]FILTERING RECEIVED ROUTES WITH DISTRIBUTE-LISTS[/success]
To protect the EIGRP process against a neighbor's misconfiguration or unintended networks, we can set up a distribute-list that filters the networks received in EIGRP updates.
First I will advertise a default route and add another Loopback interface to R1’s configuration:
Let’s add a redistribute static command to EIGRP:
R1:
R1(config)#router eigrp 100
R1(config-router)#redistribute static route-map STATIC_TO_EIGRP100
R1(config-router)#exit
R1(config)#
Add the loopback, descriptions and a new route-map:
R1:
R1(config)#interface Loopback222
R1(config-if)#ip address 2.2.2.2 255.248.0.0
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 Null0 tag 666
R1(config)#route-map STATIC_TO_EIGRP100 permit 10
R1(config-route-map)#description Static-Routes with tag 666 will be advertised via EIGRP
R1(config-route-map)#match tag 666
R1(config-route-map)#exit
R1(config)#route-map CONNECTED_TO_EIGRP100 permit 10
R1(config-route-map)#description Add tag 4711 to routes matching access-list 10
R1(config-route-map)#exit
R1(config)#route-map CONNECTED_TO_EIGRP100 permit 20
R1(config-route-map)#description Advertise routes matching access-list 5 via EIGRP
R1(config-route-map)#exit
R1(config)#route-map CONNECTED_TO_EIGRP100 permit 30
R1(config-route-map)#description Advertise network from Lo222 via EIGRP
R1(config-route-map)#match interface Loopback222
On R2 you’ll notice all routes and the default route:
R2:
R2#sh ip route eigrp
2.0.0.0/13 is subnetted, 1 subnets
D EX 2.0.0.0 [170/409600] via 10.1.1.1, 00:03:09, FastEthernet0/0
172.16.0.0/16 is variably subnetted, 5 subnets, 3 masks
D EX 172.16.24.0/21 [170/409600] via 10.1.1.1, 00:20:59, FastEthernet0/0
D EX 172.16.4.0/24 [170/409600] via 10.1.1.1, 00:20:59, FastEthernet0/0
D EX 172.16.1.0/24 [170/409600] via 10.1.1.1, 00:21:01, FastEthernet0/0
D EX 172.16.2.0/24 [170/409600] via 10.1.1.1, 00:20:59, FastEthernet0/0
D EX 172.16.3.0/27 [170/409600] via 10.1.1.1, 00:20:59, FastEthernet0/0
D*EX 0.0.0.0/0 [170/281600] via 10.1.1.1, 00:00:15, FastEthernet0/0
R2#
(the asterisk marks that 10.1.1.1 is chosen as gateway of last resort)
After adjusting the configuration on R1, we can add an incoming distribute-list on R2.
First we will filter out the default route on R2, because we don’t want to use it. All other networks are desired:
R2:
R2(config)#router eigrp 100
R2(config-router)#distribute-list prefix ALLOWED_INCOMING_EIGRP_ROUTES in
R2(config-router)#exit
R2(config)#ip prefix-list ALLOWED_INCOMING_EIGRP_ROUTES description Desired Prefixes
R2(config)#ip prefix-list ALLOWED_INCOMING_EIGRP_ROUTES seq 5 deny 0.0.0.0/0
R2(config)#ip prefix-list ALLOWED_INCOMING_EIGRP_ROUTES seq 10 permit 0.0.0.0/0 le 32
On R2 you will now see the default route gone:
R2:
R2#sh ip route eigrp
2.0.0.0/13 is subnetted, 1 subnets
D EX 2.0.0.0 [170/409600] via 10.1.1.1, 00:06:22, FastEthernet0/0
172.16.0.0/16 is variably subnetted, 5 subnets, 3 masks
D EX 172.16.24.0/21 [170/409600] via 10.1.1.1, 00:06:22, FastEthernet0/0
D EX 172.16.4.0/24 [170/409600] via 10.1.1.1, 00:06:22, FastEthernet0/0
D EX 172.16.1.0/24 [170/409600] via 10.1.1.1, 00:06:22, FastEthernet0/0
D EX 172.16.2.0/24 [170/409600] via 10.1.1.1, 00:06:22, FastEthernet0/0
D EX 172.16.3.0/27 [170/409600] via 10.1.1.1, 00:06:22, FastEthernet0/0
R2#
If you also don’t want to see 2.0.0.0/13, because it is not an RFC 1918 address and you want to accept only RFC 1918 networks, you have to adjust the prefix-list:
Remove the prefix-list above and add this:
R2:
R2(config)#ip prefix-list ALLOWED_INCOMING_EIGRP_ROUTES description Only RFC1918 networks desired
R2(config)#ip prefix-list ALLOWED_INCOMING_EIGRP_ROUTES seq 5 permit 172.16.0.0/12 le 32
R2(config)#ip prefix-list ALLOWED_INCOMING_EIGRP_ROUTES seq 10 permit 192.168.0.0/16 le 32
R2(config)#ip prefix-list ALLOWED_INCOMING_EIGRP_ROUTES seq 15 permit 10.0.0.0/8 le 32
R2(config)#ip prefix-list ALLOWED_INCOMING_EIGRP_ROUTES seq 20 deny 0.0.0.0/0 le 32
On R2 you will see the RFC1918 addresses:
R2:
R2#sh ip route eigrp
172.16.0.0/16 is variably subnetted, 5 subnets, 3 masks
D EX 172.16.24.0/21 [170/409600] via 10.1.1.1, 00:11:13, FastEthernet0/0
D EX 172.16.4.0/24 [170/409600] via 10.1.1.1, 00:11:13, FastEthernet0/0
D EX 172.16.1.0/24 [170/409600] via 10.1.1.1, 00:11:13, FastEthernet0/0
D EX 172.16.2.0/24 [170/409600] via 10.1.1.1, 00:11:13, FastEthernet0/0
D EX 172.16.3.0/27 [170/409600] via 10.1.1.1, 00:11:13, FastEthernet0/0
R2#
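The ge/le matching behind PREFIX LIST #1 to #5 and the inbound RFC 1918 filter on R2, next to the standard-ACL match that ignores the prefix length, modelled in Python so a filter can be checked before it is applied. This is an added example, not code from the original page and not IOS itself; the function names are assumptions made for this sketch, while the prefixes and list entries are copied from the page.

```python
import ipaddress

# R1's five connected loopback prefixes, taken from the page's routing tables.
LOOPBACKS = ["172.16.1.0/24", "172.16.2.0/24", "172.16.3.0/27",
             "172.16.4.0/24", "172.16.24.0/21"]

def parse_entry(line):
    """Parse 'permit|deny PREFIX/LEN [ge N] [le N]' into (action, net, lo, hi)."""
    tok = line.split()
    if len(tok) % 2 or tok[0] not in ("permit", "deny"):
        raise ValueError(f"bad entry: {line!r}")
    net = ipaddress.ip_network(tok[1])
    opts = dict(zip(tok[2::2], map(int, tok[3::2])))
    if set(opts) - {"ge", "le"}:
        raise ValueError(f"bad entry: {line!r}")
    if opts:
        lo, hi = opts.get("ge", net.prefixlen), opts.get("le", 32)
    else:
        lo = hi = net.prefixlen          # no ge/le: exact length only
    return tok[0], net, lo, hi

def evaluate(prefix_list, route):
    """First matching entry wins; falling off the end is the implicit deny."""
    r = ipaddress.ip_network(route)
    for action, net, lo, hi in map(parse_entry, prefix_list):
        if r.subnet_of(net) and lo <= r.prefixlen <= hi:
            return action == "permit"
    return False

def advertised(prefix_list, routes=LOOPBACKS):
    return [r for r in routes if evaluate(prefix_list, r)]

def acl_permits(acl, route):
    """Standard ACL in a distribute-list: only the network address is compared
    against base/wildcard, so the route's mask plays no part."""
    addr = int(ipaddress.ip_network(route).network_address)
    for action, base, wildcard in acl:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if addr & care == int(ipaddress.ip_address(base)) & care:
            return action == "permit"
    return False

# Entries copied from the page: PREFIX LIST #4, the RFC 1918 inbound list,
# and a standard ACL permitting 172.16.3.0 0.0.0.255 followed by "deny any".
PL4 = ["deny 0.0.0.0/0", "permit 0.0.0.0/0 le 21", "permit 0.0.0.0/0 ge 27"]
RFC1918_IN = ["permit 172.16.0.0/12 le 32", "permit 192.168.0.0/16 le 32",
              "permit 10.0.0.0/8 le 32", "deny 0.0.0.0/0 le 32"]
ACL5 = [("permit", "172.16.3.0", "0.0.0.255"),
        ("deny", "0.0.0.0", "255.255.255.255")]

if __name__ == "__main__":
    print("prefix-list #4 advertises:", advertised(PL4))
    print("ACL 5 permits 172.16.3.0/27:", acl_permits(ACL5, "172.16.3.0/27"))
    for route in ["0.0.0.0/0", "2.0.0.0/13", "172.16.3.0/27"]:
        print(route, "accepted inbound:", evaluate(RFC1918_IN, route))
```

Running candidate entries through `advertised()` against the expected route set shows whether a list leaks the default route or a public prefix before it goes onto the router.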