This is another post in the series on my learning journey towards my CCIE preparation. In this post, I will go through the details of inbound route filtering using a distribute-list. My lab focuses on a simple scenario with three routers running EIGRP as the routing protocol.
Important commands to remember:
Here is my topology for this laboratory,
Laboratory Objectives:
1. Establish the EIGRP adjacency as per the topology above and check that the routes on both the Manila and Melbourne routers are complete as per the networks advertised by each location.
2. Create a distribute-list so that the Manila router does not receive the network 10.10.14.0/32 but does receive the network 10.10.13.3/32.
3. Create a distribute-list so that the Melbourne router receives the network 10.10.11.1/32 but does not receive the route 10.10.12.2/32.
Here are my router configurations:
Manila#sh run | sec eigrp
router eigrp 100
network 10.10.11.0 0.0.0.255
network 10.10.12.0 0.0.0.255
network 192.168.12.0
Singapore#sh run | sec eigrp
router eigrp 100
network 192.168.12.0
network 192.168.23.0
Singapore#
Melbourne#sh run | sec eigrp
router eigrp 100
network 10.10.13.3 0.0.0.0
network 10.10.14.4 0.0.0.0
network 192.168.23.0
Melbourne#
Verification:
1. Let’s check the adjacency from the Singapore router.
Singapore#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 192.168.23.3 Se3/1 10 00:06:47 60 360 0 3
0 192.168.12.1 Se3/0 12 00:08:38 48 288 0 4
Singapore#
2. Let's verify the routing tables of the Manila and Melbourne routers. We can observe that both routers have complete routing entries for the networks advertised by each router.
Manila#show ip route eigrp
!
Gateway of last resort is not set
10.0.0.0/32 is subnetted, 4 subnets
D 10.10.13.3 [90/2809856] via 192.168.12.2, 00:07:49, Serial3/0
D 10.10.14.4 [90/2809856] via 192.168.12.2, 00:07:49, Serial3/0
D 192.168.23.0/24 [90/2681856] via 192.168.12.2, 00:08:24, Serial3/0
Manila#
Melbourne#show ip route eigrp
!
Gateway of last resort is not set
10.0.0.0/32 is subnetted, 4 subnets
D 10.10.11.1 [90/2809856] via 192.168.23.2, 00:08:18, Serial3/1
D 10.10.12.2 [90/2809856] via 192.168.23.2, 00:08:18, Serial3/1
D 192.168.12.0/24 [90/2681856] via 192.168.23.2, 00:08:18, Serial3/1
Melbourne#
Ping from Melbourne to Manila is working.
Melbourne#ping 10.10.11.1 source 10.10.14.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.11.1, timeout is 2 seconds:
Packet sent with a source address of 10.10.14.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/79/104 ms
Melbourne#
Now, let’s start filtering the routes as per the second and third Lab objectives:
@ Manila, the host 10.10.13.3/32 will be allowed but 10.10.14.4/32 will be denied.
IMPORTANT: I have been trying to figure out how to implement both a standard access-list and an extended access-list to filter the routes in Manila from Sydney. I have been puzzled why the extended access-list does not really kick in when I implement the distribute-list under the EIGRP process. Here's my observation.
Scenario 1: I used an extended access-list named FILTER. I'm right on my access-list and on how I set up the distribute-list under EIGRP, but to my surprise, filtering did not kick in, as shown in the Manila routing table. I can still see 10.10.14.4/32. I tried another option for the extended access-list by using a number (extended ACL 100) and it gave me the same results. I cleared the EIGRP neighbor every time I set up the ACL but it really did not work. ANY IDEA WHY?
Manila#show ip access-lists
Extended IP access list FILTER
10 deny ip host 10.10.14.4 any
20 permit ip any any (6 matches)
Manila#
Manila#sh run | sec eigr
router eigrp 100
distribute-list FILTER in Serial3/0 <<<< This is the command required so that filtering will take effect once ACL is created. This means, it filters route defined by the ACL.
network 10.10.11.0 0.0.0.255
network 10.10.12.0 0.0.0.255
network 192.168.12.0
Manila#
Manila#show ip route eigrp
!
Gateway of last resort is not set
10.0.0.0/32 is subnetted, 4 subnets
D 10.10.13.3 [90/2809856] via 192.168.12.2, 00:00:38, Serial3/0
D 10.10.14.4 [90/2809856] via 192.168.12.2, 00:00:38, Serial3/0
D 192.168.23.0/24 [90/2681856] via 192.168.12.2, 00:00:38, Serial3/0
Scenario 2: Now I use a standard access-list to filter the routes.
Here's the extended ACL that I set up previously:
Manila#show ip access-lists
Extended IP access list FILTER
10 deny ip host 10.10.14.4 any
20 permit ip any any (6 matches)
Manila#sh run | sec eigr
router eigrp 100
distribute-list FILTER in Serial3/0
network 10.10.11.0 0.0.0.255
network 10.10.12.0 0.0.0.255
network 192.168.12.0
Manila#
Now I have to remove the extended ACL.
Manila(config)#no ip access-list extended FILTER
And this time I created a standard ACL:
Manila(config)#ip access-list standard 10
Manila(config-std-nacl)#deny host 10.10.14.4
Manila(config-std-nacl)#permit any
Manila(config-std-nacl)#^Z
Checking the newly created standard ACL:
Manila#show ip access-lists
Standard IP access list 10
10 deny 10.10.14.4
20 permit any
Next, we have to apply a distribute-list command under the EIGRP process:
Manila(config)#router eigrp 100
Manila(config-router)#distribute-list 10 in serial 3/0
Manila(config-router)#^Z
And I have to clear the EIGRP neighbors; otherwise, we have to wait a few seconds until the hold-down timer expires.
Manila#clear ip eigrp neighbors
Manila#
*Aug 7 12:33:18.179: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.12.2 (Serial3/0) is down: manually cleared
Manila#
*Aug 7 12:33:20.155: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.12.2 (Serial3/0) is up: new adjacency
As we have observed, the host 10.10.14.4/32 is no longer in Manila’s routing table. Sweet!!!
This is what I’m expecting to see after all.
Manila#show ip route
!
Gateway of last resort is not set
10.0.0.0/32 is subnetted, 3 subnets
D 10.10.13.3 [90/2809856] via 192.168.12.2, 00:00:07, Serial3/0
D 192.168.23.0/24 [90/2681856] via 192.168.12.2, 00:00:07, Serial3/0
Manila#
Ping should not be working,
Manila#ping 10.10.14.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.14.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Manila#
But again, we only filtered it on Manila, so by right I should still be seeing this host on the Singapore router:
Singapore#show ip route eigrp
10.0.0.0/32 is subnetted, 4 subnets
D 10.10.11.1 [90/2297856] via 192.168.12.1, 00:04:30, Serial3/0
D 10.10.12.2 [90/2297856] via 192.168.12.1, 00:04:30, Serial3/0
D 10.10.13.3 [90/2297856] via 192.168.23.3, 00:44:57, Serial3/1
D 10.10.14.4 [90/2297856] via 192.168.23.3, 00:44:57, Serial3/1
Singapore#
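Why Scenario 1 left 10.10.14.4/32 in Manila's table while Scenario 2 removed it, shown as an added Python model (not part of the original post, and not IOS code): in an IGP distribute-list, an extended ACL's source field is matched against the address of the neighbor that sent the update and its destination field against the prefix, whereas a standard ACL is matched against the prefix only. The third ACL, FILTER_EXT_BY_PREFIX, is a hypothetical variant that was not tested in this lab.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # Cisco "any": every bit is don't-care

def host(ip):
    return (ip, "0.0.0.0")             # Cisco "host x": every bit must match

def wc_match(addr, base, wildcard):
    """Wildcard-mask compare: bits set in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def standard_permits(acl, prefix):
    """Standard ACL in a distribute-list: entries are tested against the prefix."""
    for action, (base, wc) in acl:
        if wc_match(prefix, base, wc):
            return action == "permit"
    return False                       # implicit deny at the end of every ACL

def extended_permits(acl, update_source, prefix):
    """Extended ACL in an IGP distribute-list: the source field is tested against
    the neighbor that sent the update, the destination field against the prefix."""
    for action, (sbase, swc), (dbase, dwc) in acl:
        if wc_match(update_source, sbase, swc) and wc_match(prefix, dbase, dwc):
            return action == "permit"
    return False

# Values from the post: what Manila learns on Serial3/0 and from whom.
NEIGHBOR = "192.168.12.2"
ROUTES = ["10.10.13.3", "10.10.14.4", "192.168.23.0"]

# Scenario 1 ACL from the post: deny ip host 10.10.14.4 any / permit ip any any
FILTER_EXT = [("deny", host("10.10.14.4"), ANY), ("permit", ANY, ANY)]
# Scenario 2 ACL from the post: deny host 10.10.14.4 / permit any
ACL_10 = [("deny", host("10.10.14.4")), ("permit", ANY)]
# Hypothetical variant (not in the post): deny ip any host 10.10.14.4 / permit ip any any
FILTER_EXT_BY_PREFIX = [("deny", ANY, host("10.10.14.4")), ("permit", ANY, ANY)]

def installed(acl, extended):
    """Prefixes that survive the inbound distribute-list."""
    if extended:
        return [r for r in ROUTES if extended_permits(acl, NEIGHBOR, r)]
    return [r for r in ROUTES if standard_permits(acl, r)]

if __name__ == "__main__":
    print("extended FILTER        :", installed(FILTER_EXT, True))
    print("standard 10            :", installed(ACL_10, False))
    print("extended, prefix in dst:", installed(FILTER_EXT_BY_PREFIX, True))
```

The first line of output reproduces the Scenario 1 routing table (nothing filtered, because no update is sourced from 10.10.14.4), and the second reproduces the Scenario 2 table.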
@Sydney, let's filter out 10.10.12.2/32 and allow 10.10.11.1/32 as per the third objective of this lab. This time I did not number my standard ACL; I used "FILTERME" as my standard ACL name.
Melbourne(config)#ip access-list standard FILTERME
Melbourne(config-std-nacl)#deny host 10.10.12.2
Melbourne(config-std-nacl)#permit any
Melbourne(config)#router eigrp 100
Melbourne(config-router)#distribute-list FILTERME in serial 3/1
Melbourne(config-router)#^Z
I had the chance to look into the EIGRP routing table of Sydney before the HD timer expired and, as seen below, it still has the route towards 10.10.12.2/32.
Melbourne#show ip route eigrp
!
Gateway of last resort is not set
10.0.0.0/32 is subnetted, 4 subnets
D 10.10.11.1 [90/2809856] via 192.168.23.2, 00:08:08, Serial3/1
D 10.10.12.2 [90/2809856] via 192.168.23.2, 00:08:08, Serial3/1
D 192.168.12.0/24 [90/2681856] via 192.168.23.2, 00:48:14, Serial3/1
Now, I have to clear the EIGRP neighbor manually,
Melbourne#clear ip eigrp neighbors
*Aug 7 12:46:55.203: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.23.2 (Serial3/1) is up: new adjacency
As seen below, the host 10.10.12.2/32 is no longer seen on Sydney’s routing table.
Melbourne#show ip route eigrp
!
Gateway of last resort is not set
10.0.0.0/32 is subnetted, 3 subnets
D 10.10.11.1 [90/2809856] via 192.168.23.2, 00:00:03, Serial3/1
D 192.168.12.0/24 [90/2681856] via 192.168.23.2, 00:00:03, Serial3/1
Melbourne#
Melbourne#ping 10.10.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.12.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
**** This ends my labbing for this topic on Distribute-List for EIGRP. I will be sharing more about this topic in the future using other routing protocols ****