Create Wireshark-readable file with tcpdump

Sometimes it's necessary to capture packets with tcpdump on a machine that has no X Window installation.
But most people (me included) aren't such wizards that they can read the confusing console output.

To get a better overview, I prefer Wireshark (formerly known as Ethereal).

With the following tcpdump flags you can write the capture to a file in pcap format, which Wireshark reads; transfer that file to another system (e.g. your PC) and open it there. -s0 captures whole packets instead of the 68-byte default snaplen of tcpdump 3.x (otherwise Wireshark shows truncated payloads), and -w writes raw packets to the file instead of printing decoded lines.

tcpdump -s0 -w <file> -i <interface> [filter]
Example:
bash-3.1# tcpdump -V
tcpdump version 3.8.3
libpcap version 0.8.3
Usage: tcpdump [-aAdDeflLnNOpqRStuUvxX] [-c count] [ -C file_size ]
                [ -E algo:secret ] [ -F file ] [ -i interface ] [ -r file ]
                [ -s snaplen ] [ -T type ] [ -w file ] [ -y datalinktype ]
                [ expression ]

bash-3.1# tcpdump -s0 -w ldap.tcpdump -i hme0 port 389
tcpdump: listening on hme0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
21 packets captured
164 packets received by filter
0 packets dropped by kernel
bash-3.1#
bash-3.1#
bash-3.1# ls -la ldap.tcpdump
-rw-r--r--   1 root     other       2322 Oct 24 10:50 ldap.tcpdump
bash-3.1#

For a deeper overview of the different tcpdump options, consult the manpage.
Keep in mind that the file contains full packet payloads: the example above captures LDAP on port 389, where simple binds carry credentials in cleartext, and the file was written with mode 644. Restrict its permissions (chmod 600) before leaving it on a shared system or copying it around.
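As an added example (not code from the original post), here is a minimal parser for the classic libpcap file format that `tcpdump -w` produces. It reads the global header (magic, snaplen, link type) and the per-packet records, and reports whether any record was saved shorter than it was on the wire, which is exactly what the -s0 flag prevents. The sample capture is constructed in memory from a dummy 100-byte Ethernet frame; the 68-byte snaplen used for the second run is the tcpdump 3.x default.

```python
import struct
from typing import List, NamedTuple, Tuple

# Constructed example, not from the original post: builds a classic pcap
# file in memory (the format written by `tcpdump -w`) and parses it back.

PCAP_MAGIC_LE = 0xA1B2C3D4   # microsecond-resolution pcap, little-endian host
PCAP_MAGIC_BE = 0xD4C3B2A1   # the same magic as written by a big-endian host
LINKTYPE_ETHERNET = 1        # shown as "EN10MB" in tcpdump's banner


class PcapHeader(NamedTuple):
    snaplen: int
    linktype: int
    big_endian: bool


class Record(NamedTuple):
    ts_sec: int
    ts_usec: int
    incl_len: int   # bytes saved in the file
    orig_len: int   # bytes seen on the wire
    data: bytes


def parse_pcap(buf: bytes) -> Tuple[PcapHeader, List[Record]]:
    """Return (header, records) for a classic libpcap file held in memory."""
    if len(buf) < 24:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack("<I", buf[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError(f"not a classic pcap file (magic 0x{magic:08x})")
    # magic, version major/minor, tz offset, sigfigs, snaplen, linktype
    _, _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "IHHiIII", buf[:24])
    header = PcapHeader(snaplen, linktype, endian == ">")
    records: List[Record] = []
    off = 24
    while off < len(buf):
        if off + 16 > len(buf):
            raise ValueError("truncated record header")
        ts_sec, ts_usec, incl, orig = struct.unpack(endian + "IIII", buf[off:off + 16])
        off += 16
        if incl > snaplen or off + incl > len(buf):
            raise ValueError("record longer than snaplen or than the file")
        records.append(Record(ts_sec, ts_usec, incl, orig, buf[off:off + incl]))
        off += incl
    return header, records


def truncated_records(records: List[Record]) -> int:
    """Count records whose saved length is shorter than the wire length."""
    return sum(1 for r in records if r.incl_len < r.orig_len)


def build_sample_pcap(snaplen: int) -> bytes:
    """Constructed sample: one 100-byte Ethernet frame saved under `snaplen`."""
    frame = bytes.fromhex("ffffffffffff00005e0053010800") + b"\x00" * 86  # dummy frame
    saved = frame[:snaplen]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    out += struct.pack("<IIII", 1224845400, 0, len(saved), len(frame)) + saved
    return out
```

Run `parse_pcap(open("ldap.tcpdump", "rb").read())` on a real capture: a snaplen of 65535 and `truncated_records(...) == 0` confirm the -s0 capture is complete before you hand the file to Wireshark.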

ACL log identifiers

When Access Control List logging is activated on your Cisco device, you will see log entries like these in syslog:

Jun 14 09:49:13 RTR-1 41716: Jun 14 09:49:12.148 MEZ: %SEC-6-IPACCESSLOGP: list 120 denied udp x.x.x.x(1670) -> x.x.x.x(4808), 1 packet
Jun 16 22:14:09 RTR-1 42271: Jun 16 22:14:08.847 MEZ: %SEC-6-IPACCESSLOGDP: list 125 denied icmp x.x.x.x -> x.x.x.x (0/0), 1 packet
.
.

As you can see, the syslog identifier (the %SEC-6-... mnemonic) differs depending on the protocol of the packet being reported.

Here's a table with the valid identifiers:

Identifier             v4/v6  Protocols
%SEC-6-IPACCESSLOGP    IPv4   TCP (6) and UDP (17)
%SEC-6-IPACCESSLOGSP   IPv4   IGMP (2)
%SEC-6-IPACCESSLOGRP   IPv4   IPinIP (4), GRE (47), EIGRP (88), OSPF (89), NOSIP (94) and PIM (103)
%SEC-6-IPACCESSLOGDP   IPv4   ICMP (1)
%SEC-6-IPACCESSLOGNP   IPv4   all other IPv4 protocols
%IPV6-6-ACCESSLOGP     IPv6   TCP (6), UDP (17) and SCTP (132)
%IPV6-6-ACCESSLOGSP    IPv6   TCP (6), UDP (17), SCTP (132) and ICMPv6 (58) with unknown Layer 4 information
%IPV6-6-ACCESSLOGDP    IPv6   ICMPv6 (58)
%IPV6-6-ACCESSLOGNP    IPv6   all other IPv6 protocols

(Information taken from Cisco website)

BGP Cease Subcode definition

When you deal with Cisco and BGP, you probably know syslog messages like these:

Apr 11 16:34:38 ROUTER 1026843: Apr 11 16:34:38.010 CET: %BGP-3-NOTIFICATION: received from neighbor 80.x.x.x 6/2 (cease) 0 bytes
Apr 17 14:13:41 ROUTER 30082: Apr 17 14:13:41.126 CET: %BGP-3-NOTIFICATION: received from neighbor 80.x.x.x 6/0 (cease) 0 bytes
Apr 27 05:30:39 ROUTER 1028828: Apr 27 05:30:39.833 CET: %BGP-3-NOTIFICATION: received from neighbor 80.x.x.x 6/3 (cease) 0 bytes
May  5 08:12:03 ROUTER 38467: May  5 08:12:03.644 CET: %BGP-3-NOTIFICATION: received from neighbor 80.x.x.x 6/4 (cease) 0 bytes
May  7 06:06:04 ROUTER 38956: May  7 06:06:04.092 CET: %BGP-3-NOTIFICATION: received from neighbor 80.x.x.x 6/6 (cease) 0 bytes
May 10 13:28:39 ROUTER 4366: May 10 13:28:38.919 CET: %BGP-3-NOTIFICATION: received from neighbor 80.x.x.x 6/7 (cease) 0 bytes

In a backbone, your BGP sessions should be stable and you don't want to see many of these messages. At a big peering point, however, they are the normal "noise"…

Cisco logs the NOTIFICATION as error code/subcode: code 6 is Cease, and its subcodes are defined in RFC 4486 (a subcode of 0, as in the second line, means "unspecific", i.e. the peer gave no reason). If you receive subcode 1 from a peer, they hit their maximum-prefix limit on your session, which is usually worth alerting on because it often means you advertised more prefixes than intended.
Here's an overview of the subcode definitions:

Subcode  Meaning
1        Maximum Number of Prefixes Reached
2        Administrative Shutdown
3        Peer De-configured
4        Administrative Reset
5        Connection Rejected
6        Other Configuration Change
7        Connection Collision Resolution
8        Out of Resources

and here is the more detailed definition of each (also taken from the RFC):

  • If a BGP speaker decides to terminate its peering with a neighbor because the number of address prefixes received from the neighbor exceeds a locally configured upper bound,  then the speaker MUST send to the neighbor a NOTIFICATION message  with the Error Code Cease and the Error Subcode “Maximum Number of Prefixes Reached“.
  • If a BGP speaker decides to administratively shut down its peering with a neighbor, then the speaker SHOULD send a NOTIFICATION message with the Error Code Cease and the Error Subcode “Administrative Shutdown“.
  • If a BGP speaker decides to de-configure a peer, then the speaker  SHOULD send a NOTIFICATION message with the Error Code Cease and the  Error Subcode “Peer De-configured“.
  • If a BGP speaker decides to administratively reset the peering with a neighbor, then the speaker SHOULD send a NOTIFICATION message with the Error Code Cease and the Error Subcode “Administrative Reset“.
  • If a BGP speaker decides to disallow a BGP connection (e.g., the peer is not configured locally) after the speaker accepts a transport protocol connection, then the BGP speaker SHOULD send a NOTIFICATION message with the Error Code Cease and the Error Subcode “Connection Rejected“.
  • If a BGP speaker decides to administratively reset the peering with a neighbor due to a configuration change other than the ones described above, then the speaker SHOULD send a NOTIFICATION message with the Error Code Cease and the Error Subcode “Other Configuration Change“.
  • If a BGP speaker decides to send a NOTIFICATION message with the Error Code Cease as a result of the collision resolution procedure then the subcode SHOULD be set to “Connection Collision Resolution“.
  • If a BGP speaker runs out of resources (e.g., memory) and decides to reset a session, then the speaker MAY send a NOTIFICATION message with the Error Code Cease and the Error Subcode “Out of Resources“.
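The two message types from the ACL logging post and this BGP post share the same IOS syslog layout, so here is one added Python example (not code from the original posts) that parses both: it splits the `%FACILITY-SEVERITY-MNEMONIC: text` part, decodes ACL log lines into source/destination/ports/count using the identifier table above, maps Cease subcodes to their RFC 4486 meaning, and aggregates denied packets per ACL as a SIEM rule would. The sample lines are constructed from the ones shown on the page with RFC 5737 documentation addresses substituted.

```python
import re
from typing import Dict, Iterable, Optional

# Added example, not from the original posts. Parses Cisco IOS
# %SEC-6-IPACCESSLOG* / %IPV6-6-ACCESSLOG* and %BGP-3-NOTIFICATION lines.

ACL_IDENTIFIERS = {   # mnemonic -> (address family, protocols it reports)
    "IPACCESSLOGP": ("IPv4", "TCP/UDP"), "IPACCESSLOGSP": ("IPv4", "IGMP"),
    "IPACCESSLOGRP": ("IPv4", "IPinIP/GRE/EIGRP/OSPF/NOSIP/PIM"),
    "IPACCESSLOGDP": ("IPv4", "ICMP"), "IPACCESSLOGNP": ("IPv4", "other"),
    "ACCESSLOGP": ("IPv6", "TCP/UDP/SCTP"),
    "ACCESSLOGSP": ("IPv6", "TCP/UDP/SCTP/ICMPv6 with unknown L4"),
    "ACCESSLOGDP": ("IPv6", "ICMPv6"), "ACCESSLOGNP": ("IPv6", "other"),
}

CEASE_SUBCODES = {    # RFC 4486; 0 is "unspecific" per RFC 4271
    0: "Unspecific", 1: "Maximum Number of Prefixes Reached",
    2: "Administrative Shutdown", 3: "Peer De-configured",
    4: "Administrative Reset", 5: "Connection Rejected",
    6: "Other Configuration Change", 7: "Connection Collision Resolution",
    8: "Out of Resources",
}

_IOS_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")
_ACL_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>[0-9A-Fa-f.:]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[0-9A-Fa-f.:]+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<icmp_type>\d+)/(?P<icmp_code>\d+)\))?, (?P<count>\d+) packets?"
)
_BGP_RE = re.compile(
    r"(?P<direction>received from|sent to) neighbor (?P<peer>\S+) "
    r"(?P<code>\d+)/(?P<subcode>\d+) \((?P<name>[^)]*)\) (?P<bytes>\d+) bytes"
)


def parse_ios_line(line: str) -> Optional[dict]:
    """Return a dict for an ACL-log or BGP-notification line, else None."""
    m = _IOS_RE.search(line)
    if not m:
        return None
    mnemonic, text = m.group("mnemonic"), m.group("text")
    if mnemonic in ACL_IDENTIFIERS:
        a = _ACL_RE.search(text)
        if not a:
            return None
        family, protos = ACL_IDENTIFIERS[mnemonic]
        return {
            "kind": "acl", "family": family, "expected_protos": protos,
            "identifier": f"%{m.group('facility')}-{m.group('severity')}-{mnemonic}",
            "acl": a["acl"], "action": a["action"], "proto": a["proto"],
            "src": a["src"], "sport": int(a["sport"]) if a["sport"] else None,
            "dst": a["dst"], "dport": int(a["dport"]) if a["dport"] else None,
            "icmp": (int(a["icmp_type"]), int(a["icmp_code"])) if a["icmp_type"] else None,
            "count": int(a["count"]),
        }
    if m.group("facility") == "BGP" and mnemonic == "NOTIFICATION":
        b = _BGP_RE.search(text)
        if not b:
            return None
        code, sub = int(b["code"]), int(b["subcode"])
        return {
            "kind": "bgp", "direction": b["direction"], "peer": b["peer"],
            "code": code, "subcode": sub, "bytes": int(b["bytes"]),
            "meaning": CEASE_SUBCODES.get(sub, "unknown") if code == 6 else b["name"],
        }
    return None


def denied_packets_by_acl(lines: Iterable[str]) -> Dict[str, int]:
    """Aggregate denied packet counts per ACL number/name."""
    totals: Dict[str, int] = {}
    for line in lines:
        rec = parse_ios_line(line)
        if rec and rec["kind"] == "acl" and rec["action"] == "denied":
            totals[rec["acl"]] = totals.get(rec["acl"], 0) + rec["count"]
    return totals


# Constructed sample lines (addresses from RFC 5737), same layout as the page's.
SAMPLE_LINES = [
    "Jun 14 09:49:13 RTR-1 41716: Jun 14 09:49:12.148 MEZ: %SEC-6-IPACCESSLOGP: list 120 denied udp 192.0.2.10(1670) -> 198.51.100.7(4808), 1 packet",
    "Jun 16 22:14:09 RTR-1 42271: Jun 16 22:14:08.847 MEZ: %SEC-6-IPACCESSLOGDP: list 125 denied icmp 192.0.2.11 -> 198.51.100.8 (0/0), 1 packet",
    "Apr 11 16:34:38 ROUTER 1026843: Apr 11 16:34:38.010 CET: %BGP-3-NOTIFICATION: received from neighbor 203.0.113.1 6/2 (cease) 0 bytes",
    "Apr 11 16:35:00 ROUTER 1026850: Apr 11 16:35:00.000 CET: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]
```

Lines whose mnemonic is not in the table (the %SYS-5-CONFIG_I sample) come back as None rather than raising, so the parser can be run over a whole syslog file.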

Convert dBm to milliwatts (mW)

Sometimes you have to convert a dBm value to milliwatts, e.g. when you read the output power of a laser or an xDSL port…
You can calculate these values with the following formulas or look them up in the conversion table below.

mW to dBm:              dBm = 10 * log10(P / 1 mW)

dBm to mW:              mW = 10^(dBm / 10)

dBm to mW conversion table

dBm mW dBm mW dBm mW dBm mW dBm mW
0.0 1.00000 0.1 1.02329 0.2 1.04713 0.3 1.07152 0.4 1.09648
0.5 1.12202 0.6 1.14815 0.7 1.17490 0.8 1.20226 0.9 1.23027
1.0 1.2589 1.1 1.2882 1.2 1.3183 1.3 1.3490 1.4 1.3804
1.5 1.4125 1.6 1.4454 1.7 1.4791 1.8 1.5136 1.9 1.5488
2.0 1.5849 2.1 1.6218 2.2 1.6596 2.3 1.6982 2.4 1.7378
2.5 1.7783 2.6 1.8197 2.7 1.8621 2.8 1.9055 2.9 1.9498
3.0 1.9953 3.1 2.0417 3.2 2.0893 3.3 2.1380 3.4 2.1878
3.5 2.2387 3.6 2.2909 3.7 2.3442 3.8 2.3988 3.9 2.4547
4.0 2.5119 4.1 2.5704 4.2 2.6303 4.3 2.6915 4.4 2.7542
4.5 2.8184 4.6 2.8840 4.7 2.9512 4.8 3.0200 4.9 3.0903
5.0 3.1623 5.1 3.2359 5.2 3.3113 5.3 3.3884 5.4 3.4674
5.5 3.5481 5.6 3.6308 5.7 3.7154 5.8 3.8019 5.9 3.8905
6.0 3.9811 6.1 4.0738 6.2 4.1687 6.3 4.2658 6.4 4.3652
6.5 4.4668 6.6 4.5709 6.7 4.6774 6.8 4.7863 6.9 4.8978
7.0 5.0119 7.1 5.1286 7.2 5.2481 7.3 5.3703 7.4 5.4954
7.5 5.6234 7.6 5.7544 7.7 5.8884 7.8 6.0256 7.9 6.1660
8.0 6.3096 8.1 6.4565 8.2 6.6069 8.3 6.7608 8.4 6.9183
8.5 7.0795 8.6 7.2444 8.7 7.4131 8.8 7.5858 8.9 7.7625
9.0 7.9433 9.1 8.1283 9.2 8.3176 9.3 8.5114 9.4 8.7096
9.5 8.9125 9.6 9.1201 9.7 9.3325 9.8 9.5499 9.9 9.7724
10.0 10.0000 10.1 10.2329 10.2 10.4713 10.3 10.7152 10.4 10.9648
10.5 11.2202 10.6 11.4815 10.7 11.7490 10.8 12.0226 10.9 12.3027
11.0 12.5893 11.1 12.8825 11.2 13.1826 11.3 13.4896 11.4 13.8038
11.5 14.1254 11.6 14.4544 11.7 14.7911 11.8 15.1356 11.9 15.4882
12.0 15.8489 12.1 16.2181 12.2 16.5959 12.3 16.9824 12.4 17.3780
12.5 17.7828 12.6 18.1970 12.7 18.6209 12.8 19.0546 12.9 19.4984
13.0 19.9526 13.1 20.4174 13.2 20.8930 13.3 21.3796 13.4 21.8776
13.5 22.3872 13.6 22.9087 13.7 23.4423 13.8 23.9883 13.9 24.5471
14.0 25.1189 14.1 25.7040 14.2 26.3027 14.3 26.9153 14.4 27.5423
14.5 28.1838 14.6 28.8403 14.7 29.5121 14.8 30.1995 14.9 30.9030
15.0 31.6228 15.1 32.3594 15.2 33.1131 15.3 33.8844 15.4 34.6737
15.5 35.4813 15.6 36.3078 15.7 37.1535 15.8 38.0189 15.9 38.9045
16.0 39.8107 16.1 40.7380 16.2 41.6869 16.3 42.6580 16.4 43.6516
16.5 44.6684 16.6 45.7088 16.7 46.7735 16.8 47.8630 16.9 48.9779
17.0 50.1187 17.1 51.2861 17.2 52.4807 17.3 53.7032 17.4 54.9541
17.5 56.2341 17.6 57.5440 17.7 58.8844 17.8 60.2560 17.9 61.6595
18.0 63.0957 18.1 64.5654 18.2 66.0693 18.3 67.6083 18.4 69.1831
18.5 70.7946 18.6 72.4436 18.7 74.1310 18.8 75.8578 18.9 77.6247
19.0 79.4328 19.1 81.2831 19.2 83.1764 19.3 85.1138 19.4 87.0964
19.5 89.1251 19.6 91.2011 19.7 93.3254 19.8 95.4993 19.9 97.7237
20.0 100.0000 20.1 102.3293 20.2 104.7129 20.3 107.1519 20.4 109.6478
20.5 112.2018 20.6 114.8154 20.7 117.4898 20.8 120.2264 20.9 123.0269
21.0 125.8925 21.1 128.8250 21.2 131.8257 21.3 134.8963 21.4 138.0384
21.5 141.2538 21.6 144.5440 21.7 147.9108 21.8 151.3561 21.9 154.8817
22.0 158.4893 22.1 162.1810 22.2 165.9587 22.3 169.8244 22.4 173.7801
22.5 177.8279 22.6 181.9701 22.7 186.2087 22.8 190.5461 22.9 194.9845
23.0 199.5262 23.1 204.1738 23.2 208.9296 23.3 213.7962 23.4 218.7762
23.5 223.8721 23.6 229.0868 23.7 234.4229 23.8 239.8833 23.9 245.4709
24.0 251.1886 24.1 257.0396 24.2 263.0268 24.3 269.1535 24.4 275.4229
24.5 281.8383 24.6 288.4032 24.7 295.1209 24.8 301.9952 24.9 309.0295
25.0 316.2278 25.1 323.5937 25.2 331.1311 25.3 338.8442 25.4 346.7369
25.5 354.8134 25.6 363.0781 25.7 371.5352 25.8 380.1894 25.9 389.0451
26.0 398.1072 26.1 407.3803 26.2 416.8694 26.3 426.5795 26.4 436.5158
26.5 446.6836 26.6 457.0882 26.7 467.7351 26.8 478.6301 26.9 489.7788
27.0 501.1872 27.1 512.8614 27.2 524.8075 27.3 537.0318 27.4 549.5409
27.5 562.3413 27.6 575.4399 27.7 588.8437 27.8 602.5596 27.9 616.5950
28.0 630.9573 28.1 645.6542 28.2 660.6934 28.3 676.0830 28.4 691.8310
28.5 707.9458 28.6 724.4360 28.7 741.3102 28.8 758.5776 28.9 776.2471
29.0 794.3282 29.1 812.8305 29.2 831.7638 29.3 851.1380 29.4 870.9636
29.5 891.2509 29.6 912.0108 29.7 933.2543 29.8 954.9926 29.9 977.2372
30 1000.000 31 1258.925 32 1584.893 33 1995.262 34 2511.886
35 3162.278 36 3981.072 37 5011.872 38 6309.573 39 7943.282
40 10000.00 41 12589.25 42 15848.93 43 19952.62 44 25118.86
45 31622.78 46 39810.72 47 50118.72 48 63095.73 49 79432.82

Using apt with proxy

If you are using APT (Advanced Package Tool) and have to go through a proxy server to reach the internet, configure it as follows.

If it doesn't exist, create the file /etc/apt/apt.conf (a snippet in /etc/apt/apt.conf.d/ works as well):

touch /etc/apt/apt.conf

Now insert the following line. The value must be quoted and the line must end with a semicolon, that is apt.conf syntax:

Acquire::http::Proxy "http://username:password@proxy:8080";

Add an equivalent Acquire::https::Proxy line if your mirrors are reached via HTTPS.
Adjust the parameters to your requirements. Note that the password is stored in cleartext in a file that is world-readable by default, so prefer a proxy that does not need per-host credentials, or at least restrict who can read the file.
When you run "apt-get update", it should work now.

JunOS - Recover BGP password

When you need to recover a lost BGP MD5 password (the TCP MD5 signature key) on a Juniper router, you can extract it from a specific file.

First, you have to start a shell:

alex@M10> start shell
% su -
Password:
root@M10%

After changing to the root user you have the necessary permissions to view /var/etc/keyadmin.conf:

root@M10% cd /var/etc/
root@M10% more keyadmin.conf
tcp 179 0.0.0.0 <IP address> md5 instance default 0x424157395877553351436a5263586b37
tcp 179 0.0.0.0 <IP address> md5 instance default 0x393831633666333463366663

The last field is the key itself, hex-encoded (not hashed; the "md5" keyword refers to the TCP MD5 signature option). You can convert it back to the cleartext key with this small Perl one-liner:

perl -e 'print "Hex: "; $_ = <>; chomp; s/^0x//; print "Key: ", pack("H*", $_), "\n"'
Hex: 0x424157395877553351436a5263586b37
Key: BAW9XwU3QCjRcXk7

Because the key is stored in cleartext, anyone with a root shell on the router can read every TCP MD5 key configured; one more reason to keep shell access tightly restricted.
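As an added Python example (not code from the original post), here is a parser for the keyadmin.conf line layout shown above that decodes each hex-encoded key, so all keys on a box can be recovered in one pass. The sample text is constructed from the two keys on the page with RFC 5737 peer addresses substituted.

```python
from typing import List, NamedTuple

# Added example, not from the original post. Parses lines of the form
#   tcp 179 <local> <peer> md5 instance <name> 0x<hex>
# from /var/etc/keyadmin.conf and decodes the hex-encoded cleartext key.


class Md5KeyEntry(NamedTuple):
    proto: str
    port: int
    local: str
    peer: str
    instance: str
    key: str


def decode_key(hex_key: str) -> str:
    """0x-prefixed hex string -> the key string it encodes."""
    h = hex_key[2:] if hex_key.lower().startswith("0x") else hex_key
    if len(h) % 2:
        raise ValueError("odd-length hex key")
    return bytes.fromhex(h).decode("ascii")


def parse_keyadmin(text: str) -> List[Md5KeyEntry]:
    """Parse every md5 entry; lines in a layout we do not know are skipped."""
    entries: List[Md5KeyEntry] = []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) != 8 or fields[4] != "md5" or fields[5] != "instance":
            continue
        proto, port, local, peer, _md5, _inst, instance, hexkey = fields
        entries.append(Md5KeyEntry(proto, int(port), local, peer, instance, decode_key(hexkey)))
    return entries


# Constructed sample: the page's two keys with documentation peer addresses.
SAMPLE_KEYADMIN = """\
tcp 179 0.0.0.0 203.0.113.1 md5 instance default 0x424157395877553351436a5263586b37
tcp 179 0.0.0.0 203.0.113.2 md5 instance default 0x393831633666333463366663
"""
```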

Impressions from Egypt

It was very quiet on my blog for more than 2 weeks.
The reason is that I spent a 2-week holiday in Egypt.
The first week I did a Nile cruise from Luxor to Aswan and back.
The second week was relaxing in Hurghada.

Here are some pictures without comments…


Here's the famous Aswan High Dam


and last but not least, the Red Sea with its wonderful colours…


I also saw a lot of temples and tombs, but that would be too much.

Added new Page - IOS and JunOS commands

Just now I added a new sticky page to my blog.

It’s a small comparison between Cisco IOS and Juniper JunOS CLI commands.

See here

MTU difference between Cisco and Juniper

(Information taken from j-nsp mailing list and vendors homepages)

MTU Juniper

NOTE: The actual frames transmitted also contain cyclic redundancy check (CRC) bits, which are not part of the media MTU. For example, the media MTU for a Gigabit Ethernet interface is specified as 1500 bytes, but the largest possible frame size is actually 1504 bytes; you need to consider the extra bits in calculations of MTUs for interoperability.
The physical MTU for Ethernet interfaces does not include the 4-byte frame check sequence (FCS) field of the Ethernet frame.

If you do not configure an MPLS MTU, the JUNOS software derives the MPLS MTU from the physical interface MTU. From this value, the software subtracts the encapsulation-specific overhead and space for the maximum number of labels that might be pushed in the Packet Forwarding Engine. Currently, the software provides for three labels of four bytes each, for a total of 12 bytes.

  • Default media MTU = default IP MTU + L2 encapsulation overhead
  • Default IP MTU = default media MTU - L2 encapsulation overhead
  • MPLS MTU = physical interface MTU - L2 encapsulation overhead - 12
  • If the IP MTU is set explicitly, MPLS MTU = IP MTU + 20 bytes

If you change the size of the media MTU, you must ensure that the size is equal to or greater than the sum of the protocol MTU and the encapsulation overhead.

Media MTU Sizes by Interface Type for M5, M7i, M10, M10i, M20, and M40 Routers

Interface Type                                  Default Media MTU (bytes)  Maximum MTU (bytes)                   Default IP Protocol MTU (bytes)
Adaptive Services (MTU size not configurable)   9192                       N/A                                   N/A
ATM                                             4482                       9192                                  4470
E1/T1                                           1504                       9192                                  1500
E3/T3                                           4474                       9192                                  4470
Fast Ethernet                                   1514                       9192 (4-port) / 1532 (8-port) / 1532  1500 (IPv4) / 1497 (ISO)
Gigabit Ethernet                                1514                       9192                                  1500 (IPv4) / 1497 (ISO)
Serial                                          1504                       9192                                  1500 (IPv4) / 1497 (ISO)
SONET/SDH                                       4474                       9192                                  4470

MTU Cisco

A Cisco router configured for IP+MPLS routing also uses different Maximum Transmission Unit (MTU) values for different purposes:

  • The hardware MTU configured with the mtu interface configuration command
  • The IP MTU configured with the ip mtu interface configuration command
  • The MPLS MTU configured with the mpls mtu interface configuration command

Changing the MTU value with the mtu interface configuration command can affect values for the protocol-specific versions of the command (the ip mtu command, for example). If the value specified with the ip mtu interface configuration command is the same as the value specified with the mtu interface configuration command, and you change the value for the mtu interface configuration command, the ip mtu value automatically matches the new mtu interface configuration command value. However, changing the values for the ip mtu configuration commands has no effect on the value for the mtu interface configuration command.

  • Default media MTU (mtu) = default IP MTU (ip mtu); unlike Juniper, the L2 encapsulation overhead is not included in the value
  • MPLS MTU = default IP MTU + MPLS overhead

edit 2009/06/08: you can find values  for encapsulation overhead of different interface types here

Differences between Ping implementation on Cisco and Juniper routers

Ping from Juniper with "size 1000" on an Ethernet interface

1042 bytes on wire
- 14 bytes Ethernet header
- 20 bytes IP header
- 8 bytes ICMP header
- 1000 bytes ICMP data (as specified with the size keyword)

Ping from Cisco with "size 1000" on an Ethernet interface

1014 bytes on wire
- 14 bytes Ethernet header
- 1000 bytes IP header, ICMP header and ICMP data
  –> 972 bytes ICMP data

Cisco includes the IP and ICMP headers in the specified size of 1000 bytes, i.e. the size parameter gives the length of the whole IP packet. The ICMP payload in this case is 1000 - 20 - 8 = 972 bytes.

Juniper adds the IP and ICMP headers to the specified payload size, so 1000 becomes a 1028-byte IP packet.
(Note: this is the same behaviour as the ping on Windows XP.)

Example Ping

There's a Cisco router directly connected to a Juniper Olive. The IP MTU on the Cisco's interface Fa0/0 facing the Juniper is set to 1000.

interface FastEthernet0/0
 ip address 192.168.222.100 255.255.255.0
 ip mtu 1000
 duplex auto
 speed auto
Cisco#sh ip int f0/0 | i MTU
  MTU is 1000 bytes
Cisco#

When you ping from the Cisco to the Juniper with the DF bit set, the largest size you can specify is 1000:

Cisco#ping 192.168.222.200 size 1001 df-bit

Type escape sequence to abort.
Sending 5, 1001-byte ICMP Echos to 192.168.222.200, timeout is 2 seconds:
Packet sent with the DF bit set
.
Success rate is 0 percent (0/1)
Cisco#ping 192.168.222.200 size 1000 df-bit

Type escape sequence to abort.
Sending 5, 1000-byte ICMP Echos to 192.168.222.200, timeout is 2 seconds:
Packet sent with the DF bit set
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/16/36 ms
Cisco#

When you do the same ping from the Juniper to the Cisco, the largest size is 972, because Juniper's ping specifies the length of the ICMP payload instead of the length of the whole IP packet (972 + 8 + 20 = 1000). Note that the replies are reported as 980 bytes: BSD-style ping counts the ICMP header plus data, not the IP packet.

root@olive> ping 192.168.222.100 size 973 do-not-fragment   
PING 192.168.222.100 (192.168.222.100): 973 data bytes
^C
--- 192.168.222.100 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
root@olive> ping 192.168.222.100 size 972 do-not-fragment   
PING 192.168.222.100 (192.168.222.100): 972 data bytes
980 bytes from 192.168.222.100: icmp_seq=0 ttl=255 time=27.549 ms
980 bytes from 192.168.222.100: icmp_seq=1 ttl=255 time=34.765 ms
^C
--- 192.168.222.100 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 27.549/31.157/34.765/3.608 ms
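The arithmetic from the MTU post above and from this ping comparison, as an added Python example (not code from the original posts): it translates a vendor's "size" argument into IP length, ICMP payload and bytes on the wire, computes the largest DF ping each side can send across a link with IP MTU 1000, reproduces the 980-byte reply length the Olive printed, and applies the Junos media/IP/MPLS MTU formulas. Header sizes are the standard ones (Ethernet 14 without FCS, IPv4 20, ICMP 8); the 12-byte label allowance is the three-label figure quoted from the Junos documentation.

```python
from typing import NamedTuple

# Added example, not from the original posts. Models the Cisco and Junos
# "size" semantics and the Junos MTU relationships described above.

ETH_HDR, IP_HDR, ICMP_HDR = 14, 20, 8   # Ethernet (no FCS), IPv4, ICMP echo
MPLS_LABEL_SPACE = 12                   # 3 labels x 4 bytes (Junos default)


class PingSizes(NamedTuple):
    ip_length: int     # total IPv4 packet length
    icmp_payload: int  # ICMP data bytes
    on_wire: int       # Ethernet frame length without FCS


def ping_sizes(vendor: str, size: int) -> PingSizes:
    """Translate a 'size N' ping argument into packet sizes for a vendor."""
    if vendor == "cisco":            # size = whole IP packet
        if size < IP_HDR + ICMP_HDR:
            raise ValueError("Cisco size must at least cover IP and ICMP headers")
        ip_len = size
    elif vendor == "juniper":        # size = ICMP payload only
        ip_len = size + IP_HDR + ICMP_HDR
    else:
        raise ValueError(f"unknown vendor {vendor!r}")
    return PingSizes(ip_len, ip_len - IP_HDR - ICMP_HDR, ip_len + ETH_HDR)


def max_df_ping_size(vendor: str, ip_mtu: int) -> int:
    """Largest 'size' value that still fits in ip_mtu with the DF bit set."""
    return ip_mtu if vendor == "cisco" else ip_mtu - IP_HDR - ICMP_HDR


def bsd_ping_reply_length(icmp_payload: int) -> int:
    """Junos (BSD) ping prints 'N bytes from ...' with N = ICMP header + data."""
    return icmp_payload + ICMP_HDR


def junos_ip_mtu(media_mtu: int, l2_overhead: int = ETH_HDR) -> int:
    """Default IP MTU = media MTU - L2 encapsulation overhead."""
    return media_mtu - l2_overhead


def junos_mpls_mtu(media_mtu: int, l2_overhead: int = ETH_HDR) -> int:
    """Derived MPLS MTU = media MTU - L2 overhead - space for three labels."""
    return media_mtu - l2_overhead - MPLS_LABEL_SPACE


def junos_media_mtu_needed(protocol_mtu: int, l2_overhead: int = ETH_HDR) -> int:
    """The rule quoted above: media MTU must be >= protocol MTU + encapsulation."""
    return protocol_mtu + l2_overhead
```

`ping_sizes("juniper", 973).ip_length` is 1001, which is why the 973-byte Junos ping in the output above never got an answer across the 1000-byte IP MTU.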

Route filtering methods in EIGRP

When you use EIGRP as routing protocol, you have two options for filtering the routes you advertise:

  • distribute-lists
  • redistribute-statement with route-map

Received routes can only be filtered with

  • distribute-lists

In my simple example, there are 2 routers (R1 and R2) connected via FastEthernet0/1.
Both routers are running EIGRP process 123.

[diagram: R1 and R2 connected via FastEthernet0/1, both in EIGRP AS 123]

Creating EIGRP process 123 on both routers

With the default configuration, only the link net 10.0.0.0/30 is advertised via EIGRP.

router eigrp 123
 passive-interface default
 no passive-interface FastEthernet0/1
 network 10.0.0.0 0.0.0.3
 no auto-summary

R1 and R2 have 10.0.0.0/30 as directly connected in the routing table; you can also see it in the EIGRP topology table.

R2#sh ip route
Gateway of last resort is not set
     10.0.0.0/30 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, FastEthernet0/1
R2#sh ip eigrp topology 10.0.0.0/30
IP-EIGRP (AS 123): Topology entry for 10.0.0.0/30
  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 281600
  Routing Descriptor Blocks:
  0.0.0.0 (FastEthernet0/1), from Connected, Send flag is 0x0
      Composite metric is (281600/0), Route is Internal
      Vector metric:
        Minimum bandwidth is 10000 Kbit
        Total delay is 1000 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1500
        Hop count is 0

Route redistribution

You can redistribute routes from other routing protocols into EIGRP with the redistribute <protocol> statement in the EIGRP context.

R1(config)#router eigrp 123
R1(config-router)#redistribute ?
  bgp        Border Gateway Protocol (BGP)
  connected  Connected
  eigrp      Enhanced Interior Gateway Routing Protocol (EIGRP)
  isis       ISO IS-IS
  iso-igrp   IGRP for OSI networks
  metric     Metric for redistributed routes
  mobile     Mobile routes
  odr        On Demand stub Routes
  ospf       Open Shortest Path First (OSPF)
  rip        Routing Information Protocol (RIP)
  route-map  Route map reference
  static     Static routes
  <cr>

To keep it simple, I add some loopback interfaces on R1 and redistribute them with the "redistribute connected" command:

interface Loopback1
 ip address 172.16.1.1 255.255.255.0
!
interface Loopback2
 ip address 172.16.2.1 255.255.255.0
!
interface Loopback3
 ip address 172.16.3.1 255.255.255.224
!
interface Loopback4
 ip address 172.16.4.1 255.255.255.0
!
interface Loopback31
 ip address 172.16.31.1 255.255.248.0
!
router eigrp 123
 redistribute connected
 passive-interface default
 no passive-interface FastEthernet0/1
 network 10.0.0.0 0.0.0.3
 no auto-summary

After adding the redistribute statement, R2 should see 5 routes from R1:

R2#sh ip route eigrp
     172.16.0.0/16 is variably subnetted, 5 subnets, 3 masks
D EX    172.16.24.0/21 [170/409600] via 10.0.0.1, 00:00:25, FastEthernet0/1
D EX    172.16.4.0/24 [170/409600] via 10.0.0.1, 00:50:27, FastEthernet0/1
D EX    172.16.1.0/24 [170/409600] via 10.0.0.1, 00:50:27, FastEthernet0/1
D EX    172.16.2.0/24 [170/409600] via 10.0.0.1, 00:50:27, FastEthernet0/1
D EX    172.16.3.0/27 [170/409600] via 10.0.0.1, 00:50:27, FastEthernet0/1
R2#

Suppress networks from being advertised with distribute-lists

The distribute-list statement offers different methods for matching routes that should be suppressed from being advertised to EIGRP neighbors.

R1(config-router)#distribute-list ?
  <1-199>      IP access list number
  <1300-2699>  IP expanded access list number
  WORD         Access-list name
  gateway      Filtering incoming updates based on gateway
  prefix       Filter prefixes in routing updates

You can use different distribute-lists depending on the protocol you redistribute from.

Note: When you perform changes in the distribute-list configuration, you will see the following log messages indicating that there is a

R1:
*Mar  1 02:44:25.039 UTC: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 123: Neighbor 10.0.0.2 (FastEthernet0/1) is resync: route configuration changed
R2:
.Mar  1 02:41:33.859 UTC: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 123: Neighbor 10.0.0.1 (FastEthernet0/1) is resync: peer graceful-restart

This means there is no impact on packet forwarding (assuming your IOS supports EIGRP graceful restart).

In the following examples I will redistribute routes in different ways on R1.
The configuration for R1 is followed by the output of R2's routing table.

Example: Simple IP ACL #1

  • Advertise all networks in range 172.16.0.0/21
EIGRP configuration on R1:
router eigrp 123
 redistribute connected
 passive-interface default
 no passive-interface FastEthernet0/1
 network 10.0.0.0 0.0.0.3
 distribute-list 9 out connected
 no auto-summary
!
access-list 9 remark Prefixes advertised via EIGRP
access-list 9 permit 172.16.0.0 0.0.7.255
access-list 9 deny   any
EIGRP routes on R2:
R2#sh ip route eigrp
     172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
D EX    172.16.4.0/24 [170/409600] via 10.0.0.1, 00:53:22, FastEthernet0/1
D EX    172.16.1.0/24 [170/409600] via 10.0.0.1, 00:53:22, FastEthernet0/1
D EX    172.16.2.0/24 [170/409600] via 10.0.0.1, 00:53:22, FastEthernet0/1
D EX    172.16.3.0/27 [170/409600] via 10.0.0.1, 00:53:22, FastEthernet0/1
R2#

Example: Simple IP ACL #2

  • Advertise only 172.16.1.0 and 172.16.3.0
EIGRP configuration on R1:
router eigrp 123
 redistribute connected
 passive-interface default
 no passive-interface FastEthernet0/1
 network 10.0.0.0 0.0.0.3
 distribute-list 9 out connected
 no auto-summary
!
access-list 9 remark Prefixes advertised via EIGRP
access-list 9 permit 172.16.1.0 0.0.0.255
access-list 9 permit 172.16.3.0 0.0.0.255
access-list 9 deny   any
EIGRP routes on R2:
R2#sh ip route eigrp
     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
D EX    172.16.1.0/24 [170/409600] via 10.0.0.1, 01:20:44, FastEthernet0/1
D EX    172.16.3.0/27 [170/409600] via 10.0.0.1, 00:00:06, FastEthernet0/1
R2#

As you can see, filtering with standard ACLs is very easy, but it doesn't care about the prefix length: the ACL only compares the network address, so 172.16.3.0/27 passes an entry written for 172.16.3.0 0.0.0.255.
Prefix lists are a more flexible way of filtering.

Example: IP Prefix-List #1

  • Advertise only 172.16.1.0/24 and 172.16.3.0/24
EIGRP configuration on R1:
router eigrp 123
 redistribute connected
 passive-interface default
 no passive-interface FastEthernet0/1
 network 10.0.0.0 0.0.0.3
 distribute-list prefix PL_EIGRP_ADVERTISED_PREFIXES out connected
 no auto-summary
!
ip prefix-list PL_EIGRP_ADVERTISED_PREFIXES description Prefixes advertised via EIGRP
ip prefix-list PL_EIGRP_ADVERTISED_PREFIXES seq 5 permit 172.16.1.0/24
ip prefix-list PL_EIGRP_ADVERTISED_PREFIXES seq 10 permit 172.16.3.0/24
EIGRP routes on R2:
R2#sh ip route eigrp
     172.16.0.0/24 is subnetted, 1 subnets
D EX    172.16.1.0 [170/409600] via 10.0.0.1, 01:31:35, FastEthernet0/1
R2#

Because 172.16.3.0 has a prefix length of 27, it isn't accepted. The network would only be included if it had a /24 mask (or if the entry were written as "172.16.3.0/24 le 32", which also matches its longer subnets).

Example: IP Prefix-List #2

  • Advertise all prefixes in the range 172.16.0.0/16 with a prefix length <= 24
EIGRP configuration on R1:
router eigrp 123
 redistribute connected
 passive-interface default
 no passive-interface FastEthernet0/1
 network 10.0.0.0 0.0.0.3
 distribute-list prefix PL_EIGRP_ADVERTISED_PREFIXES out connected
 no auto-summary
!
ip prefix-list PL_EIGRP_ADVERTISED_PREFIXES description Prefixes advertised via EIGRP
ip prefix-list PL_EIGRP_ADVERTISED_PREFIXES seq 5 permit 172.16.0.0/16 le 24
EIGRP routes on R2:
R2#sh ip route eigrp
     172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
D EX    172.16.24.0/21 [170/409600] via 10.0.0.1, 00:10:23, FastEthernet0/1
D EX    172.16.4.0/24 [170/409600] via 10.0.0.1, 00:10:23, FastEthernet0/1
D EX    172.16.1.0/24 [170/409600] via 10.0.0.1, 01:51:14, FastEthernet0/1
D EX    172.16.2.0/24 [170/409600] via 10.0.0.1, 00:10:23, FastEthernet0/1
R2#

Example: IP Prefix-List #3

  • Advertise all prefixes in the range 172.16.0.0/16 with a prefix length >= 24
EIGRP configuration on R1:
router eigrp 123
 redistribute connected
 passive-interface default
 no passive-interface FastEthernet0/1
 network 10.0.0.0 0.0.0.3
 distribute-list prefix PL_EIGRP_ADVERTISED_PREFIXES out connected
 no auto-summary
!
ip prefix-list PL_EIGRP_ADVERTISED_PREFIXES description Prefixes advertised via EIGRP
ip prefix-list PL_EIGRP_ADVERTISED_PREFIXES seq 5 permit 172.16.0.0/16 ge 24
EIGRP routes on R2:
R2#sh ip route eigrp
     172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
D EX    172.16.4.0/24 [170/409600] via 10.0.0.1, 00:12:54, FastEthernet0/1
D EX    172.16.1.0/24 [170/409600] via 10.0.0.1, 01:53:46, FastEthernet0/1
D EX    172.16.2.0/24 [170/409600] via 10.0.0.1, 00:12:54, FastEthernet0/1
D EX    172.16.3.0/27 [170/409600] via 10.0.0.1, 00:00:37, FastEthernet0/1
R2#

Example: IP Prefix-List #4

  • Advertise all prefixes with a prefix length <= 21 or >= 27 (–> 172.16.24.0/21 and 172.16.3.0/27), but not a default route
EIGRP configuration on R1:
router eigrp 123
 redistribute connected
 passive-interface default
 no passive-interface FastEthernet0/1
 network 10.0.0.0 0.0.0.3
 distribute-list prefix PL_EIGRP_ADVERTISED_PREFIXES out connected
 no auto-summary
!
ip prefix-list PL_EIGRP_ADVERTISED_PREFIXES description Prefixes advertised via EIGRP
ip prefix-list PL_EIGRP_ADVERTISED_PREFIXES seq 5 deny 0.0.0.0/0
ip prefix-list PL_EIGRP_ADVERTISED_PREFIXES seq 10 permit 0.0.0.0/0 le 21
ip prefix-list PL_EIGRP_ADVERTISED_PREFIXES seq 15 permit 0.0.0.0/0 ge 27
EIGRP routes on R2:
R2#sh ip route eigrp
     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
D EX    172.16.24.0/21 [170/409600] via 10.0.0.1, 00:18:26, FastEthernet0/1
D EX    172.16.3.0/27 [170/409600] via 10.0.0.1, 00:11:50, FastEthernet0/1
R2#

Example: IP Prefix-List #5

  • Advertise all prefixes with a prefix length >= 21 and <=27
EIGRP configuration on R1:
router eigrp 123
 redistribute connected
 passive-interface default
 no passive-interface FastEthernet0/1
 network 10.0.0.0 0.0.0.3
 distribute-list prefix PL_EIGRP_ADVERTISED_PREFIXES out connected
 no auto-summary
!
ip prefix-list PL_EIGRP_ADVERTISED_PREFIXES description Prefixes advertised via EIGRP
ip prefix-list PL_EIGRP_ADVERTISED_PREFIXES seq 10 deny 0.0.0.0/0 ge 28
ip prefix-list PL_EIGRP_ADVERTISED_PREFIXES seq 15 deny 0.0.0.0/0 le 20
ip prefix-list PL_EIGRP_ADVERTISED_PREFIXES seq 20 permit 0.0.0.0/0 le 27
EIGRP routes on R2:
R2#sh ip route eigrp
     172.16.0.0/16 is variably subnetted, 5 subnets, 3 masks
D EX    172.16.24.0/21 [170/409600] via 10.0.0.1, 00:01:37, FastEthernet0/1
D EX    172.16.4.0/24 [170/409600] via 10.0.0.1, 00:07:21, FastEthernet0/1
D EX    172.16.1.0/24 [170/409600] via 10.0.0.1, 00:07:21, FastEthernet0/1
D EX    172.16.2.0/24 [170/409600] via 10.0.0.1, 00:07:21, FastEthernet0/1
D EX    172.16.3.0/27 [170/409600] via 10.0.0.1, 00:07:21, FastEthernet0/1
R2#

Suppress networks from being advertised with route-maps

With route-maps you have a bit more flexibility than with distribute-lists: you can e.g. set or match route tags, or redistribute an interface's prefixes without spelling out the addresses.
But if you don't need such features, both ways offer the same matching methods (ACLs, prefix-lists) for filtering routes.

Example: route-map with standard access-list

  • Advertise only 172.16.1.0 and 172.16.3.0
EIGRP configuration on R1:
router eigrp 123
 redistribute connected route-map RM_CONNECTED_TO_EIGRP123
 passive-interface default
 no passive-interface FastEthernet0/1
 network 10.0.0.0 0.0.0.3
 no auto-summary
!
access-list 9 remark Prefixes announced via EIGRP
access-list 9 permit 172.16.1.0 0.0.0.255
access-list 9 permit 172.16.3.0 0.0.0.255
access-list 9 deny   any
!
route-map RM_CONNECTED_TO_EIGRP123 permit 10
 description Prefixes advertised via EIGRP
 match ip address 9
!
EIGRP routes on R2:
R2#sh ip route eigrp
     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
D EX    172.16.1.0/24 [170/409600] via 10.0.0.1, 00:07:09, FastEthernet0/1
D EX    172.16.3.0/27 [170/409600] via 10.0.0.1, 00:07:09, FastEthernet0/1
R2#

Example: route-map with ip prefix-list

  • Advertise all prefixes in the range 172.16.0.0/16 with a prefix length <= 24
EIGRP configuration on R1:
router eigrp 123
 redistribute connected route-map RM_CONNECTED_TO_EIGRP123
 passive-interface default
 no passive-interface FastEthernet0/1
 network 10.0.0.0 0.0.0.3
 no auto-summary
!
ip prefix-list PL_EIGRP_ADVERTISED_PREFIXES description Prefixes advertised via EIGRP
ip prefix-list PL_EIGRP_ADVERTISED_PREFIXES seq 5 permit 172.16.0.0/16 le 24
!
route-map RM_CONNECTED_TO_EIGRP123 permit 10
 description Prefixes advertised via EIGRP
 match ip address prefix-list PL_EIGRP_ADVERTISED_PREFIXES
!
EIGRP routes on R2:
R2#sh ip route eigrp
     172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
D EX    172.16.24.0/21 [170/409600] via 10.0.0.1, 00:00:24, FastEthernet0/1
D EX    172.16.4.0/24 [170/409600] via 10.0.0.1, 00:00:24, FastEthernet0/1
D EX    172.16.1.0/24 [170/409600] via 10.0.0.1, 00:00:24, FastEthernet0/1
D EX    172.16.2.0/24 [170/409600] via 10.0.0.1, 00:00:24, FastEthernet0/1
R2#

Example: route-map with a combination of ip prefix-list and access-list

  • Advertise all prefixes in the range 172.16.0.0/16 with a prefix length <= 24, plus 172.16.3.0 matched by a standard ACL (i.e. regardless of its prefix length)
EIGRP configuration on R1:
router eigrp 123
 redistribute connected route-map RM_CONNECTED_TO_EIGRP123
 passive-interface default
 no passive-interface FastEthernet0/1
 network 10.0.0.0 0.0.0.3
 no auto-summary
!
ip prefix-list PL_EIGRP_ADVERTISED_PREFIXES description Prefixes advertised via EIGRP
ip prefix-list PL_EIGRP_ADVERTISED_PREFIXES seq 5 permit 172.16.0.0/16 le 24
access-list 9 remark Prefixes advertised via EIGRP
access-list 9 permit 172.16.3.0 0.0.0.255
access-list 9 deny   any
!
route-map RM_CONNECTED_TO_EIGRP123 permit 10
 description Prefixes filtered with ip prefix-list
 match ip address prefix-list PL_EIGRP_ADVERTISED_PREFIXES
!
route-map RM_CONNECTED_TO_EIGRP123 permit 20
 description Prefixes filtered with access-list
 match ip address 9
!
EIGRP routes on R2:
R2#sh ip route eigrp
     172.16.0.0/16 is variably subnetted, 5 subnets, 3 masks
D EX    172.16.24.0/21 [170/409600] via 10.0.0.1, 00:03:54, FastEthernet0/1
D EX    172.16.4.0/24 [170/409600] via 10.0.0.1, 00:03:54, FastEthernet0/1
D EX    172.16.1.0/24 [170/409600] via 10.0.0.1, 00:03:54, FastEthernet0/1
D EX    172.16.2.0/24 [170/409600] via 10.0.0.1, 00:03:54, FastEthernet0/1
D EX    172.16.3.0/27 [170/409600] via 10.0.0.1, 00:03:02, FastEthernet0/1
R2#

Example: route-map with an interface as match-criteria

  • Advertise the prefixes configured on the interface matching the route-map
EIGRP configuration on R1:
router eigrp 123
 redistribute connected route-map RM_CONNECTED_TO_EIGRP123
 passive-interface default
 no passive-interface FastEthernet0/1
 network 10.0.0.0 0.0.0.3
 no auto-summary
!
route-map RM_CONNECTED_TO_EIGRP123 permit 10
 match interface Loopback1 Loopback2 Loopback31
!
EIGRP routes on R2:
R2#sh ip route eigrp
     172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
D EX    172.16.24.0/21 [170/409600] via 10.0.0.1, 00:00:05, FastEthernet0/1
D EX    172.16.1.0/24 [170/409600] via 10.0.0.1, 00:01:39, FastEthernet0/1
D EX    172.16.2.0/24 [170/409600] via 10.0.0.1, 00:00:11, FastEthernet0/1
R2#

Example: Adding a tag to an advertised route

  • Add the tag 4711 to the route 172.16.1.0/24. All other 172.16.0.0/16 networks will be advertised without a tag.
    The route tag can be useful on R2 if it should treat routes tagged 4711 differently from other routes.
EIGRP configuration on R1:
router eigrp 123
 redistribute connected route-map RM_CONNECTED_TO_EIGRP123
 passive-interface default
 no passive-interface FastEthernet0/1
 network 10.0.0.0 0.0.0.3
 no auto-summary
!
access-list 9 remark Prefixes announced via EIGRP
access-list 9 permit 172.16.0.0 0.0.255.255
access-list 9 deny   any
access-list 10 remark Add a tag to these routes
access-list 10 permit 172.16.1.0 0.0.0.255
access-list 10 deny   any
!
route-map RM_CONNECTED_TO_EIGRP123 permit 10
 match ip address 10
 set tag 4711
!
route-map RM_CONNECTED_TO_EIGRP123 permit 20
 match ip address 9
!
EIGRP routes on R2:
R2#sh ip route eigrp
     172.16.0.0/16 is variably subnetted, 5 subnets, 3 masks
D EX    172.16.24.0/21 [170/409600] via 10.0.0.1, 00:00:38, FastEthernet0/1
D EX    172.16.4.0/24 [170/409600] via 10.0.0.1, 00:00:38, FastEthernet0/1
D EX    172.16.1.0/24 [170/409600] via 10.0.0.1, 00:00:43, FastEthernet0/1
D EX    172.16.2.0/24 [170/409600] via 10.0.0.1, 00:00:38, FastEthernet0/1
D EX    172.16.3.0/27 [170/409600] via 10.0.0.1, 00:00:38, FastEthernet0/1
R2#sh ip route 172.16.1.0
Routing entry for 172.16.1.0/24
  Known via "eigrp 123", distance 170, metric 409600
  Tag 4711, type external
  Redistributing via eigrp 123
  Last update from 10.0.0.1 on FastEthernet0/1, 00:00:45 ago
  Routing Descriptor Blocks:
  * 10.0.0.1, from 10.0.0.1, 00:00:45 ago, via FastEthernet0/1
      Route metric is 409600, traffic share count is 1
      Total delay is 6000 microseconds, minimum bandwidth is 10000 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 1
      Route tag 4711

Filtering received routes with distribute-lists

To protect the EIGRP process from a neighbor's misconfiguration or from unwanted networks, we can set up a distribute-list that filters the networks received in EIGRP updates.

First I will advertise a default route and add another loopback interface to R1's configuration.

interface Loopback999
 ip address 2.2.2.2 255.248.0.0
end
EIGRP configuration on R1:
router eigrp 123
 redistribute connected route-map RM_CONNECTED_TO_EIGRP123
 redistribute static route-map RM_STATIC_TO_EIGRP123
 passive-interface default
 no passive-interface FastEthernet0/1
 network 10.0.0.0 0.0.0.3
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Null0 tag 666
!
access-list 9 remark Prefixes advertised via EIGRP
access-list 9 permit 172.16.0.0 0.0.255.255
access-list 9 deny   any
access-list 10 remark Add a tag to these routes
access-list 10 permit 172.16.1.0 0.0.0.255
access-list 10 deny   any
!
route-map RM_STATIC_TO_EIGRP123 permit 10
 description Static-Routes with tag 666 will be advertised via EIGRP
 match tag 666
!
route-map RM_CONNECTED_TO_EIGRP123 permit 10
 description Add tag 4711 to routes matching access-list 10
 match ip address 10
 set tag 4711
!
route-map RM_CONNECTED_TO_EIGRP123 permit 20
 description Advertise routes matching access-list 9 via EIGRP
 match ip address 9
!
route-map RM_CONNECTED_TO_EIGRP123 permit 30
 description Advertise network from Lo999 via EIGRP
 match interface Loopback999
!
EIGRP routes on R2:
R2#sh ip route eigrp
     2.0.0.0/13 is subnetted, 1 subnets
D EX    2.0.0.0 [170/409600] via 10.0.0.1, 00:00:38, FastEthernet0/1
     172.16.0.0/16 is variably subnetted, 5 subnets, 3 masks
D EX    172.16.24.0/21 [170/409600] via 10.0.0.1, 00:56:37, FastEthernet0/1
D EX    172.16.4.0/24 [170/409600] via 10.0.0.1, 00:56:37, FastEthernet0/1
D EX    172.16.1.0/24 [170/409600] via 10.0.0.1, 00:56:41, FastEthernet0/1
D EX    172.16.2.0/24 [170/409600] via 10.0.0.1, 00:56:37, FastEthernet0/1
D EX    172.16.3.0/27 [170/409600] via 10.0.0.1, 00:56:37, FastEthernet0/1
D*EX 0.0.0.0/0 [170/281600] via 10.0.0.1, 00:10:26, FastEthernet0/1
(the asterisk marks 10.0.0.1 as the chosen gateway of last resort)

After adjusting the configuration on R1, we can add an inbound distribute-list on R2.
First we filter out the default route, because we don't want to use it; all other networks are desired.

EIGRP configuration on R2:
router eigrp 123
 passive-interface default
 no passive-interface FastEthernet0/1
 network 10.0.0.0 0.0.0.3
 distribute-list prefix PL_ALLOWED_INCOMING_EIGRP_ROUTES in
 no auto-summary
!
ip prefix-list PL_ALLOWED_INCOMING_EIGRP_ROUTES description Desired Prefixes
ip prefix-list PL_ALLOWED_INCOMING_EIGRP_ROUTES seq 5 deny 0.0.0.0/0
ip prefix-list PL_ALLOWED_INCOMING_EIGRP_ROUTES seq 10 permit 0.0.0.0/0 le 32
EIGRP routes on R2:
R2#sh ip route eigrp
     2.0.0.0/13 is subnetted, 1 subnets
D EX    2.0.0.0 [170/409600] via 10.0.0.1, 00:03:04, FastEthernet0/1
     172.16.0.0/16 is variably subnetted, 5 subnets, 3 masks
D EX    172.16.24.0/21 [170/409600] via 10.0.0.1, 00:03:04, FastEthernet0/1
D EX    172.16.4.0/24 [170/409600] via 10.0.0.1, 00:03:04, FastEthernet0/1
D EX    172.16.1.0/24 [170/409600] via 10.0.0.1, 00:03:04, FastEthernet0/1
D EX    172.16.2.0/24 [170/409600] via 10.0.0.1, 00:03:04, FastEthernet0/1
D EX    172.16.3.0/27 [170/409600] via 10.0.0.1, 00:03:04, FastEthernet0/1
R2#

If you also don't want to see 2.0.0.0/13, because it is not an RFC 1918 address and you only want to allow RFC 1918 addresses, you have to adjust the prefix-list.

EIGRP configuration on R2:
router eigrp 123
 passive-interface default
 no passive-interface FastEthernet0/1
 network 10.0.0.0 0.0.0.3
 distribute-list prefix PL_ALLOWED_INCOMING_EIGRP_ROUTES in
 no auto-summary
!
ip prefix-list PL_ALLOWED_INCOMING_EIGRP_ROUTES description Only RFC1918 networks desired
ip prefix-list PL_ALLOWED_INCOMING_EIGRP_ROUTES seq 5 permit 172.16.0.0/12 le 32
ip prefix-list PL_ALLOWED_INCOMING_EIGRP_ROUTES seq 10 permit 192.168.0.0/16 le 32
ip prefix-list PL_ALLOWED_INCOMING_EIGRP_ROUTES seq 15 permit 10.0.0.0/8 le 32
ip prefix-list PL_ALLOWED_INCOMING_EIGRP_ROUTES seq 20 deny 0.0.0.0/0 le 32
EIGRP routes on R2:
R2# sh ip route eigrp
     172.16.0.0/16 is variably subnetted, 5 subnets, 3 masks
D EX    172.16.24.0/21 [170/409600] via 10.0.0.1, 00:18:42, FastEthernet0/1
D EX    172.16.4.0/24 [170/409600] via 10.0.0.1, 00:18:42, FastEthernet0/1
D EX    172.16.1.0/24 [170/409600] via 10.0.0.1, 00:18:42, FastEthernet0/1
D EX    172.16.2.0/24 [170/409600] via 10.0.0.1, 00:18:42, FastEthernet0/1
D EX    172.16.3.0/27 [170/409600] via 10.0.0.1, 00:18:42, FastEthernet0/1
R2#
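As an added illustration (not part of the original post), the following Python re-implements the matching rules behind the route-map examples above and the inbound distribute-list: first-match evaluation of an ip prefix-list with ge/le bounds, standard access-list matching on the network address only, and route-map sequence evaluation with set tag. The lists are transcribed from the configurations on this page; the route strings fed to them are constructed sample input.

```python
import ipaddress

def prefix_list_match(entries, route):
    """Cisco ip prefix-list: entries are (action, prefix, ge, le); first match wins, then
    implicit deny. No ge/le means the exact length, so 'deny 0.0.0.0/0' hits only the default."""
    net = ipaddress.ip_network(route)
    for action, prefix, ge, le in entries:
        base = ipaddress.ip_network(prefix)
        lo = ge if ge is not None else base.prefixlen            # allowed prefix-length range
        hi = le if le is not None else (net.max_prefixlen if ge is not None else base.prefixlen)
        if net.subnet_of(base) and lo <= net.prefixlen <= hi:
            return action == "permit"
    return False

def standard_acl_match(entries, route):
    """Standard access-list as route-map match: entries are (action, address, wildcard).
    Only the route's network address is compared; its prefix length is ignored."""
    addr = int(ipaddress.ip_network(route).network_address)
    for action, address, wildcard in entries:
        a, w = int(ipaddress.ip_address(address)), int(ipaddress.ip_address(wildcard))
        if (addr & ~w) & 0xFFFFFFFF == (a & ~w) & 0xFFFFFFFF:
            return action == "permit"
    return False

def route_map(sequences, route):
    """Sequences are (action, match_fn, set_tag), checked in order; the first match decides.
    Returns (permitted, tag); a route matching no sequence is implicitly denied."""
    for action, match, set_tag in sequences:
        if match(route):
            return action == "permit", set_tag
    return False, None

# Lists transcribed from the configurations on this page
PL_EIGRP_ADVERTISED_PREFIXES = [("permit", "172.16.0.0/16", None, 24)]
ACL_9 = [("permit", "172.16.3.0", "0.0.0.255"), ("deny", "0.0.0.0", "255.255.255.255")]
ACL_10 = [("permit", "172.16.1.0", "0.0.0.255"), ("deny", "0.0.0.0", "255.255.255.255")]
ACL_9_TAG_EXAMPLE = [("permit", "172.16.0.0", "0.0.255.255"), ("deny", "0.0.0.0", "255.255.255.255")]
# prefix-list + access-list example: seq 10 matches the prefix-list, seq 20 access-list 9
RM_PREFIX_AND_ACL = [("permit", lambda r: prefix_list_match(PL_EIGRP_ADVERTISED_PREFIXES, r), None),
                     ("permit", lambda r: standard_acl_match(ACL_9, r), None)]
# tag example: seq 10 tags access-list 10 routes with 4711, seq 20 permits the rest of 172.16.0.0/16
RM_TAG = [("permit", lambda r: standard_acl_match(ACL_10, r), 4711),
          ("permit", lambda r: standard_acl_match(ACL_9_TAG_EXAMPLE, r), None)]
# R2's inbound distribute-list, RFC 1918 version
PL_ALLOWED_INCOMING_EIGRP_ROUTES = [("permit", "172.16.0.0/12", None, 32), ("permit", "192.168.0.0/16", None, 32),
                                    ("permit", "10.0.0.0/8", None, 32), ("deny", "0.0.0.0/0", None, 32)]

def accepted(prefix_list, routes):
    """Routes an inbound distribute-list lets into the EIGRP topology table."""
    return [r for r in routes if prefix_list_match(prefix_list, r)]
```

Running route_map(RM_PREFIX_AND_ACL, "172.16.3.0/27") shows the /27 failing the prefix-list in sequence 10 and being picked up by access-list 9 in sequence 20, which is exactly why it reappears in R2's routing table in the combined example.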