Filtering routes in EIGRP
EIGRP is often called a hybrid because it has some features similar to link-state protocols
as well as distance vector features, but the truth is that it is a distance vector protocol.
Even though it is distance vector it does have some nice features and today I will show a
couple of different ways of filtering in EIGRP.
We start out with this topology of four routers. You can download the topology and initial
configs from here.
Routers R1-R3 are running EIGRP in AS1 and routers R2-R4 are running RIP. R4 is announcing
a loopback in RIP. We configure R2 and R3 to redistribute from RIP to EIGRP and then
I will show how to filter the route.
R3 is configured exactly the same. Let’s see if we can see the prefix.
Indeed we can. Now let’s look at our filtering options.
We will start out with a regular distribute-list, everyone knows how to do this. We create
a standard access-list matching our prefix 22.214.171.124/24.
The prefix is now filtered. What if we want to block the prefix but only from R2 and allow
it in from R3? We could reuse the ACL and apply it to the interface in our distribute-list,
but that might not be possible if R1-R2-R3 were connected on a common Ethernet segment.
We will use an extended access-list instead, the source will match on the gateway
announcing the prefix and the destination will be the prefix we want to filter.
So let’s block the prefix from R2. In this case we must use a numbered ACL, named ACLs
don’t work for some reason.
That worked as expected. We now only see the route from R3.
The downside of using ACLs is that we can’t match on prefix length. We need to use
a prefix-list for this. Let’s try that. We will announce a /25 subnet from R4 and filter
any prefixes that are longer than /24.
Let’s check that it is reachable from R1.
Indeed it is. Now let’s filter this with a prefix-list.
Hey! Where did all my routes go?! We forgot to permit everything else with 0.0.0.0/0 le 32.
Now we have filtered the /25 but allowed everything else. If we want to be more
specific we can tie this distribute-list to the neighbors and even interfaces.
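
An added example, not part of the original post: a small Python model of how IOS evaluates a prefix-list (first match wins, implicit deny at the end), showing why every route disappeared until the permit entry was added. The list name NO-LONG, the exact form of the deny entry and the sample routes are assumptions.

```python
import ipaddress


def entry_matches(route, prefix, ge=None, le=None):
    """IOS prefix-list match: route must sit inside the entry's prefix and
    its mask length must fall in the range implied by ge/le."""
    route = ipaddress.ip_network(route)
    base = ipaddress.ip_network(prefix)
    if ge is None and le is None:
        lo = hi = base.prefixlen              # no ge/le: exact length only
    else:
        lo = ge if ge is not None else base.prefixlen
        hi = le if le is not None else 32
    return lo <= route.prefixlen <= hi and route.subnet_of(base)


def evaluate(prefix_list, route):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, prefix, ge, le in prefix_list:
        if entry_matches(route, prefix, ge, le):
            return action
    return "deny"


def surviving(prefix_list, routes):
    """Routes a 'distribute-list prefix ... in' would still let through."""
    return [r for r in routes if evaluate(prefix_list, r) == "permit"]


# Constructed sample routes (documentation ranges), not the prefixes from the post.
ROUTES = ["192.0.2.0/24", "198.51.100.0/25", "203.0.113.0/24", "10.0.0.0/8"]

# Assumed first attempt:  ip prefix-list NO-LONG seq 5 deny 0.0.0.0/0 ge 25
BROKEN = [("deny", "0.0.0.0/0", 25, None)]
# With the permit added:  ip prefix-list NO-LONG seq 10 permit 0.0.0.0/0 le 32
FIXED = BROKEN + [("permit", "0.0.0.0/0", None, 32)]

if __name__ == "__main__":
    print("deny only    :", surviving(BROKEN, ROUTES))
    print("deny + permit:", surviving(FIXED, ROUTES))
```
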
We can also filter using the distance command. How does that work? Remember that
the lower the AD the more trustworthy a route is. What happens if we set it to 255?
255 is the worst and routes with 255 won’t even be considered for installing into
the routing table. Let’s try that. We start by adding some prefixes on R2.
We add 126.96.36.199/24 on a loopback and then we create two static routes, one that is
redistributed via the network command and one that is redistributed via static.
Let’s look at the routing table of R1.
First notice that 188.8.131.52/24 is an internal route but 184.108.40.206 is an external.
If we redistribute static they will be external, that is well known. Not as well known
is the possibility to create a static route and redistribute it via the network command.
If we do this we must route to an interface instead of a next-hop. The advantage is that we
can make the route look internal. Now let’s try some filtering. Unfortunately we can’t
change the AD for specific external routes, it’s all or nothing. Let’s say that we don’t
want to install any external paths. This is the current state of R1 and external routes.
We will set the AD to 255 for all external routes.
Now the routes are gone. What if we want to filter a specific internal route?
We set the distance to 255, we don’t care about the route source and we match ACL 1
which is the route that we want to filter.
There is one more type of filtering I would like to show and it is the route-map.
We will configure a route tag on R3 and match this tag on R1.
First we look at the route to 220.127.116.11/24 on R1, it is installed via R3.
Then we configure tagging on R3.
Now we configure a route-map that matches the tag and denies the prefix.
The route is now installed via R2 instead. The great thing with EIGRP is that we
can use the route-map with the distribute-list which we can’t with other
We can even do more advanced things like matching on source-protocol or metric.
Now look at the routing table.
Only the routes that were not sourced from RIP are still in the routing table.
This post should give you a good understanding of what filtering is available
in EIGRP. The possibilities are endless!