IEWB RS vol1 v5 5.22 - EIGRP Filtering with Extended Access-Lists

Hi

This is a problem related to DISTRIBUTE-LIST: whenever I use a distribute list inbound or outbound, sometimes it works and sometimes it doesn't. It's very weird.

In the 5.22 lab task, I was trying to do this practical but didn't succeed, as routes are still coming via R3 instead of R2.

Then I checked the solution and I was doing it right with all the configuration done, so I am wondering if anybody else has got this problem?

Is it an error in GNS with distribute list or IOS caveats? Please help.

 

Comments

  • Hi,

    I am also using GNS3 and never got this issue. Have you seen the EIGRP adjacency being refreshed or reestablished after you used that distribute-list? Can you send the output of the 'show ip route eigrp' command on R5?

  • is it any error in GNS with distribute list or IOS caveats?? please help.

    I haven't seen this behaviour on my GNS. Can you post your ACL/EIGRP config/debug output (debug eigrp packets)? If your ACL is incorrect, it doesn't work properly.

    Good Luck


  • Hi friends,

    First of all thanks for your reply.
    Here is the access-list I am using

     

    Rack1R5#sh access-list
    Extended IP access list 100
        10 deny ip host 155.1.0.2 host 150.1.7.0
        20 deny ip host 155.1.0.3 host 150.1.7.0
        30 deny ip host 155.1.0.4 host 150.1.7.0
        40 deny ip host 155.1.0.2 host 150.1.9.0
        50 deny ip host 155.1.0.3 host 150.1.9.0
        60 deny ip host 155.1.0.4 host 150.1.9.0
        70 deny ip host 155.1.0.1 host 150.1.4.0
        80 deny ip host 155.1.0.3 host 150.1.4.0
        90 deny ip host 155.1.0.4 host 150.1.4.0
        100 deny ip host 155.1.0.1 host 150.1.6.0
        110 deny ip host 155.1.0.3 host 150.1.6.0
        120 deny ip host 155.1.0.4 host 150.1.6.0
        130 deny ip host 155.1.0.1 host 150.1.1.0
        140 deny ip host 155.1.0.2 host 150.1.1.0
        150 deny ip host 155.1.0.4 host 150.1.1.0
        160 deny ip host 155.1.0.1 host 150.1.2.0
        170 deny ip host 155.1.0.2 host 150.1.2.0
        180 deny ip host 155.1.0.4 host 150.1.2.0
        190 permit ip any any

     

    And here is the EIGRP configuration

     

    Rack1R5#sh run | sec eigrp
    router eigrp 100
     network 150.1.0.0
     network 155.1.0.0
     distribute-list 100 in Serial0/0
     no auto-summary

     

    AFTER applying ACL with Distribute-list and after clearing eigrp neighborship I still get the below result:

    Rack1R5#sh ip route eigrp | inc 150.1.
         150.1.0.0/24 is subnetted, 10 subnets
    D       150.1.7.0 [90/2323456] via 155.1.0.3, 00:07:58, Serial0/0
    D       150.1.6.0 [90/2323456] via 155.1.0.4, 00:07:58, Serial0/0
    D       150.1.4.0 [90/2297856] via 155.1.0.4, 00:07:58, Serial0/0
    D       150.1.3.0 [90/2297856] via 155.1.0.3, 00:07:58, Serial0/0
    D       150.1.2.0 [90/2297856] via 155.1.0.2, 00:07:58, Serial0/0
    D       150.1.1.0 [90/2297856] via 155.1.0.1, 00:07:58, Serial0/0
    D       150.1.10.0 [90/435200] via 155.1.58.8, 00:07:58, FastEthernet0/0
    D       150.1.9.0 [90/2326016] via 155.1.0.3, 00:07:58, Serial0/0
    D       150.1.8.0 [90/409600] via 155.1.58.8, 00:07:58, FastEthernet0/0

     

    So basically it's not getting stopped. I waited for the adjacency to be refreshed, and there is a resync: route configuration change message. Even then it's not working? I had this issue on real devices as well when I was teaching CCNP last year, although on a different topology.
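
A cross-check of the output in the post above, as an added example that is not part of the original thread: in an IGP distribute-list an extended ACL's source field matches the neighbor that advertised the route and its destination field matches the prefix, so each installed route can be tested against the ACL. Only the `host`/`any` forms used in the post are parsed, the function names are illustrative, and the next hop is assumed to be the advertising neighbor.

```python
import re
# Abridged from the post above; assumes next hop = advertising neighbor.
ACL = """\
10 deny ip host 155.1.0.2 host 150.1.7.0
20 deny ip host 155.1.0.3 host 150.1.7.0
80 deny ip host 155.1.0.3 host 150.1.4.0
90 deny ip host 155.1.0.4 host 150.1.4.0
190 permit ip any any
"""
ROUTES = """\
D       150.1.7.0 [90/2323456] via 155.1.0.3, 00:07:58, Serial0/0
D       150.1.4.0 [90/2297856] via 155.1.0.4, 00:07:58, Serial0/0
D       150.1.3.0 [90/2297856] via 155.1.0.3, 00:07:58, Serial0/0
D       150.1.10.0 [90/435200] via 155.1.58.8, 00:07:58, FastEthernet0/0
"""
ACE_RE = re.compile(r"^\s*(\d+) (permit|deny) ip (any|host \S+) (any|host \S+)")
ROUTE_RE = re.compile(r"^D\s+(\S+) \[\d+/\d+\] via (\S+), \S+, (\S+)")

def parse_acl(text):
    """Return (seq, action, source, prefix) per entry; 'any' becomes None."""
    field = lambda s: None if s == "any" else s.split()[1]
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            seq, action, src, dst = m.groups()
            aces.append((int(seq), action, field(src), field(dst)))
    return aces

def verdict(aces, neighbor, prefix):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for seq, action, src, dst in aces:
        if src in (None, neighbor) and dst in (None, prefix):
            return action, seq
    return "deny", None

def leaked_routes(acl_text, route_text, interface):
    """Routes installed via `interface` that the inbound ACL should have denied."""
    aces, leaks = parse_acl(acl_text), []
    for line in route_text.splitlines():
        m = ROUTE_RE.match(line)
        if m and m.group(3) == interface:
            action, seq = verdict(aces, m.group(2), m.group(1))
            if action == "deny":
                leaks.append((m.group(1), m.group(2), seq))
    return leaks

if __name__ == "__main__":
    print(leaked_routes(ACL, ROUTES, "Serial0/0"))
```

Any tuple returned is a route that is present in the table even though a deny entry matches it, which is the symptom the thread attributes to the image in use rather than to the ACL.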

  • I just tested extended ACL with EIGRP distribute-list and it is working just fine (although in different topology).

    Yes the resync route configuration changed message will appear after configuring distribute-list. But have you checked if there are ACL hits on your extended ACL? What is the output of your show ip access-list 100

    Your config looks fine. Maybe you got a buggy IOS or GNS3

  • GOT IT, it was the 3725 series adventerprise12.4 I was using in GNS, then I used 3640 and it worked (urghhhhh!!!) all the time it was the IOS issue.

    By the way anyone else had used 3735 ios and did this practical?

  • Hi,

    Glad to hear that your issue has been solved. I am surprised that the 3725 has this issue, as I have been using GNS with the 3725 image for a long time and have never faced this issue.

    I just did this lab and the following is the result:

    Rack1R5#sh ip route eigrp | i 150.1.
         150.1.0.0/24 is subnetted, 10 subnets
    D       150.1.7.0 [90/2302976] via 155.1.0.1, 01:03:28, Serial0/0
    D       150.1.6.0 [90/2812672] via 155.1.0.2, 01:03:27, Serial0/0
    D       150.1.4.0 [90/2815232] via 155.1.0.2, 00:58:20, Serial0/0
    D       150.1.3.0 [90/2297856] via 155.1.0.3, 00:58:20, Serial0/0
    D       150.1.2.0 [90/2809856] via 155.1.0.3, 01:03:27, Serial0/0
    D       150.1.1.0 [90/2303232] via 155.1.0.3, 01:03:27, Serial0/0
    D       150.1.10.0 [90/158720] via 155.1.58.8, 01:06:18, FastEthernet0/0
    D       150.1.9.0 [90/2303232] via 155.1.0.1, 01:03:28, Serial0/0
    D       150.1.8.0 [90/156160] via 155.1.58.8, 01:06:18, FastEthernet0/0

    Rack1R5#sh ver

    Cisco IOS Software, 3700 Software (C3725-ADVENTERPRISEK9-M), Version 12.4(15)T10, RELEASE SOFTWARE (fc3)

  • Good to hear you solved the issue. Most likely this is a GNS3/dynamips bug for that IOS.

  • Hi, my 3725 series version is 12.4(15)T7 and yours is T10, so it might be that the one I have has this issue in GNS.

     

    Anyways all is well now and thank you and CarlosG2 for the time and help :)

  • I am using 12.4(15)T5. No problems here.

  • I am having the same issue, in fact with this exact INE lab!  I've tried various versions of GNS3 including the latest 0.8.3.1 to no avail.  I am using the following IOS image for the 3700 series:

    (C3745-ADVIPSERVICESK9-M), Version 12.3(24)

    I tried replacing the 3700 series router with a 2600 Series with the following image:

    (C2691-ADVENTERPRISEK9-M), Version 12.4(15)T7

    Regardless of the image and router model used, "INBOUND" EIGRP distribute-lists just do NOT work.  "OUTBOUND" seems to work just fine.  Has anyone been able to determine the root cause of this issue?

    Thanks in advance

  • Thank you for going through all the effort, but I found the cause of the issue. The 2691 image does not process EIGRP inbound distro lists, at least not in GNS3. Others reported the same issue. Tried the 3745 advipservices image but that did not support leak maps needed for other labs! Tried the 3745 adventerprise image, which supported leak maps but kept crashing in GNS3! Someone suggested using the 3725 adventerprise image and that resolved my issues! Thanks for all your help and hope this finding is helpful for others who are experiencing this issue.



  • Hi CarlosG2 !

    I'm using the same ACL from the INE WB but have a problem:

    My ACL:

    Rack1R5#sh ip access-lists 100
    Extended IP access list 100
        10 deny ip host 155.1.0.3 host 150.1.7.0 (5 matches)
        20 deny ip host 155.1.0.4 host 150.1.7.0 (5 matches)
        30 deny ip host 155.1.0.2 host 150.1.9.0 (1 match)
        40 deny ip host 155.1.0.3 host 150.1.9.0 (5 matches)
        50 deny ip host 155.1.0.4 host 150.1.9.0 (5 matches)
        60 deny ip host 155.1.0.1 host 150.1.4.0 (7 matches)
        70 deny ip host 155.1.0.3 host 150.1.4.0 (7 matches)
        80 deny ip host 155.1.0.4 host 150.1.4.0 (6 matches)
        90 deny ip host 155.1.0.1 host 150.1.6.0 (6 matches)
        100 deny ip host 155.1.0.3 host 150.1.6.0 (6 matches)
        110 deny ip host 155.1.0.4 host 150.1.6.0 (6 matches)
        120 deny ip host 155.1.0.1 host 150.1.1.0 (6 matches)
        130 deny ip host 155.1.0.2 host 150.1.1.0 (3 matches)
        140 deny ip host 155.1.0.4 host 150.1.1.0 (6 matches)
        150 deny ip host 155.1.0.1 host 150.1.2.0 (4 matches)
        160 deny ip host 155.1.0.2 host 150.1.2.0 (6 matches)
        170 deny ip host 155.1.0.4 host 150.1.2.0 (2 matches)
        180 permit ip any any (1170 matches)
    Rack1R5#

     and I lost router:

    Rack1R5#show ip route eigrp | include 150.1.
         150.1.0.0/24 is subnetted, 6 subnets
    D       150.1.7.0 [90/640512] via 155.1.0.1, 00:21:36, Serial0/0/1
    D       150.1.3.0 [90/640000] via 155.1.0.3, 00:21:36, Serial0/0/1
    D       150.1.1.0 [90/1152000] via 155.1.0.3, 00:21:36, Serial0/0/1
    D       150.1.9.0 [90/640768] via 155.1.0.1, 00:21:36, Serial0/0/1
    D       150.1.8.0 [90/130560] via 155.1.58.8, 00:21:33, FastEthernet0/0
    Rack1R5#

    Rack1R5#sh version
    Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(24)T5, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2011 by Cisco Systems, Inc.
    Compiled Fri 04-Mar-11 03:52 by prod_rel_team

    ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

    Rack1R5 uptime is 3 hours, 22 minutes
    System returned to ROM by power-on
    System image file is "flash:c2800nm-adventerprisek9-mz.124-24.T5.bin"

    I don't understand why. Does the ACL in the solution of the INE WB have a problem?

    Please help me!

  • Hi man, just new here but I got the same issue as you. I have a real LAB @ home with the 1841 as R5.

    Go to your R2 and see if it has Loopback routes for R4 and R6. You will see they don't. Why? I guess you are saving your configs as you progress. Have you noticed that the initial configs change 3 times on this lab? I think that might be the issue. You first start with the INITIAL CONFIG, then BASIC CONFIG. At some point something is missing. I need to verify this myself. The other thing that comes to my mind is whether split-horizon is really disabled, because once it is, let's say R2 must have a route to R4 Loop via R5 and R4. In the IOU version I didn't have issues at all.
    BTW forgive my English. I'm trying to explain the best I could; sometimes it's easier to just show you through the console itself.

  • I've experienced similar issues with Cisco IOS 3725 images too. The Cisco 3640 series worked best for me.

    GOT IT, it was the 3725 series adventerprise12.4 I was using in GNS, then I used 3640 and it worked (urghhhhh!!!) all the time it was the IOS issue.

    By the way anyone else had used 3735 ios and did this practical?

     
