I ran into an issue earlier this week while simulating a change in my GNS3 lab. What I found was interesting about the way that EIGRP deals with inbound distribute-lists that use access-lists with wildcard masks. This diagram shows the small network we are dealing with in this lab.
As you can see, R1 has 4 loopback adapters:
Loopback 1: 10.8.0.1/24
Loopback 2: 10.254.254.1/30
Loopback 3: 10.20.20.1/24
Loopback 4: 20.64.0.1/12
All four loopback adapters are included in the EIGRP process on R1. There is a successful EIGRP neighbor adjacency between R1 and R2. The following is configured on R2:
router eigrp 100
 distribute-list 50 in Ethernet0/0
 distribute-list 50 out Ethernet0/1
 network 100.100.100.0 0.0.0.255
access-list 50 permit 10.20.20.0 0.0.0.255
access-list 50 permit 10.8.0.0 0.7.255.255
access-list 50 permit 20.64.0.0 0.7.255.255
What I would expect is that only 10.20.20.0/24 would be installed.
But when I check the routing table on R2, I get the following:
10.0.0.0/24 is subnetted, 2 subnets
D 10.8.0.0 [90/435200] via 100.100.22.3, 00:15:28, Ethernet0/0
D 10.20.20.0 [90/435200] via 100.100.22.3, 00:18:42, Ethernet0/0
20.0.0.0/12 is subnetted, 1 subnets
D 20.64.0.0 [90/435200] via 100.100.22.3, 00:18:42, Ethernet0/0
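Why is this? It is due to the way that Cisco IOS processes an access-list when it is used to filter routes. A standard access-list is compared only against the network address of each route; the wildcard mask marks the address bits to ignore, and the route's prefix length is never checked. So 10.8.0.0/24 and 20.64.0.0/12 are permitted because their network addresses fall inside the ranges on the second and third lines of access-list 50. When we turn on debug ip eigrp, we see that R2 processes the 20.64.0.0/12 subnet advertised from R1 and then installs it.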
*Nov 21 21:20:51.838: EIGRP-IPv4(100): Int 20.64.0.0/12 M 409600 - 10000 6000000000 SM 128256 - 4060086272 76293
*Nov 21 21:20:51.838: EIGRP-IPv4(100): table(default): route installed for 20.64.0.0/12 (90/409600) origin(100.100.100.1)
10.0.0.0/24 is subnetted, 1 subnets
D 10.20.20.0 [90/409600] via 100.100.100.1, 00:00:10, Ethernet0/0
Summary: this is just one more reason why you should use prefix-lists when dealing with routing protocols.
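The difference between the two filters can be reproduced offline. The following Python sketch is an added example, not part of the original lab: it evaluates R1's four loopback networks against access-list 50 the way a distribute-list does, and against a prefix-list. The prefix-list entries are an assumption, reading each wildcard mask in access-list 50 as the prefix length it appears to intend.

```python
import ipaddress

# Networks R1 advertises (derived from the four loopbacks in the lab).
ROUTES = ["10.8.0.0/24", "10.254.254.0/30", "10.20.20.0/24", "20.64.0.0/12"]

# access-list 50 as configured on R2: (address, wildcard mask) pairs.
ACL_50 = [("10.20.20.0", "0.0.0.255"),
          ("10.8.0.0", "0.7.255.255"),
          ("20.64.0.0", "0.7.255.255")]

# Assumed intent of access-list 50 as prefix-list entries (not from the page):
# each wildcard read as a prefix length and matched exactly (no ge/le).
PREFIX_LIST = ["10.20.20.0/24", "10.8.0.0/13", "20.64.0.0/13"]


def acl_permits(route, acl):
    """Standard ACL in a distribute-list: only the route's network address is
    tested, wildcard bits set to 1 are ignored, prefix length is not checked."""
    addr = int(ipaddress.ip_network(route).network_address)
    for base, wildcard in acl:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if addr & care == int(ipaddress.ip_address(base)) & care:
            return True
    return False  # implicit deny at the end of the list


def prefix_list_permits(route, entries):
    """Prefix-list entry without ge/le: address and length must both match."""
    net = ipaddress.ip_network(route)
    return any(net == ipaddress.ip_network(entry) for entry in entries)


def filter_routes(routes, permits, rules):
    """Return the routes that survive the inbound filter."""
    return [r for r in routes if permits(r, rules)]


if __name__ == "__main__":
    print("access-list 50:", filter_routes(ROUTES, acl_permits, ACL_50))
    print("prefix-list   :", filter_routes(ROUTES, prefix_list_permits, PREFIX_LIST))
```

The access-list result matches the three routes seen in R2's routing table, while the prefix-list admits only 10.20.20.0/24 because the /24 and /12 advertisements do not have the /13 length of the other two entries.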