Help with ACL's, Distribute lists, Prefix lists, and route maps

Dec 26, 2007
Please forgive the length and complexity of this post. I am very confused about this, and am looking for some help because our instructor won't (since she has given group 1 the final and I *could* know what's on it). Also distribute list=DL, prefix list=PL, and route map=RM for the rest of this post.

I have a skills final for CCNP BSCI class, and I'm still having issues with ACL's (since they are the building block of the other 2), distribute lists (which seems to be a complex acl basically), and route maps (which are a complete mess to me currently). The issue is two-fold: one, I don't quite remember/get/understand the logic and how they work. Secondly, and more importantly, I'm messing up the commands. Specifically I'm having issues with using these and BGP, but it applies to any kind of redistributed protocol as well.

Most of this post is looking for two things (just gives examples and asks more specific questions) if you don't want to read it. First what is the difference between an ACL, DL, PL, and RM? Secondly, how do I implement them?

So, basic ACL says "for ACL #x, specifically permit or deny source y". Fairly simple.

Now, a distribute list (DL) differs from a basic ACL how? My understanding is that they will only add/forward a route if it is permitted on the interface with the distribute list filtering in/out traffic. For example,

access-list 1 permit 1.0.0.0 0.255.255.255
router rip
distribute-list 1 in

These commands tell a router "if I receive any RIP updates, only add them if they are part of the 1.x.x.x networks. If they aren't do not add them to my routing table" correct? So, if that's the case then DL's differ from ACL's format of "acl # action source", and instead go "acl # action (look for this network/range)" and DL's don't have a "source/destination" but instead the network it applies to?

In the above example, say I wanted to permit more networks, I would just do
Router(config)#access-list 1 permit 2.0.0.0 0.255.255.255
and repeat that for each network I wanted to permit. Now, say I wanted to permit all networks out S0/0/0, but only some out S0/0/1.
Router(config)#access-list 1 permit 1.0.0.0 0.255.255.255
Router(config)#access-list 1 permit 2.0.0.0 0.255.255.255

Router(config)#access-list 2 permit 1.0.0.0 0.255.255.255
Router(config)#access-list 2 permit 2.0.0.0 0.255.255.255
Router(config)#access-list 2 permit 3.0.0.0 0.255.255.255

Router(config)#router (whatever routing process, in this case use BGP)
Router(config-router)#distribute-list 2 out S0/0/0
Router(config-router)#distribute-list 1 out S0/0/1

This is going to say "When distributing BGP routes out S0/0/0, look at ACL 2 to determine if it should be propagated in routing updates. When distributing BGP routing updates out S0/0/1 look at ACL 1 and only the permitted networks should be advertised" then? Which means that the 3.x.x.x network will be sent in updates out S0/0/0, but not S0/0/1.

So, if I want to control what networks get sent out or added to my routing table I would use a DL.

Route Maps
So, a route map is an ACL that has even more functionality than even a complex ACL might have. A route map is like an ACL though, in that it has multiple permit/deny statements. Internal to each statement it has a list of "match" fields with stuff on the same line (i.e. IP x y z) all having to match for it to take action with the "set" commands. Each line (i.e. IP x, IP y, IP z) works as an OR that says if any of these match, then take the action with the "set" commands. Example:
route-map permit 10
match (this) (this) and (this) for the statement to be TRUE
OR
match (this) and (this)

IF one of the matches is TRUE then

set (metric x)
AND
set (type y)

Now, I can use ACL to match stuff instead of putting in each network. With the earlier ACL's mentioned, could I say "match ACL 2" which would match any of those 3 networks or would I need to put each network as its own ACL (so ACL 1x=1.x.x.x., 2x=2.x.x.x, etc then put "match ACL 1x, ACL 2x, etc" to match any of those networks)?

Thanks for any help I can get.
 
Dec 26, 2007
One easier/quicker question is this:

Are distribute lists a route map for non-BGP protocols? I.E. do distribute lists roughly equal a route map and just vary based on the protocol being discussed?

In RIP/EIGRP/OSPF/IS-IS I'd use a distribute list to say "put these routes in routing updates you send out" or "put only these routes in my routing table when received from int x", and in BGP I'd say "neighbor 10.0.0.1 only gets sent the routes defined (and modified) by route map 1"
 

m1ldslide1

Platinum Member
Feb 20, 2006
Let's start with ACL's: You are correct.

Moving on to distribute lists: Don't think of them as having anything to do with ACL's. A distribute-list command is used to filter routes either coming into or out of a routing process. To accomplish this, a distribute-list can call an ACL or a prefix-list to define what those routes will be. If you want to advertise a different subset of routes out of one interface than another, you will need to call different prefix-lists for each.

So IOW:

router eigrp 1
distribute-list prefix FILTER_S0/0 out s0/0
distribute-list prefix FILTER_S0/1 out s0/1

ip prefix-list FILTER_S0/0 seq 5 permit 10.0.0.0/8

ip prefix-list FILTER_S0/1 seq 5 permit 172.16.0.0/16

This config snippet would allow only network 10.0.0.0/8 to be advertised out of int s0/0, and only network 172.16.0.0/16 out of s0/1. This same logic applies "inbound", and for more complex filtering.


A route-map is again its own animal and shouldn't be thought of in the same vein as an ACL. A route-map is a tool used for manipulating parameters having to do with propagation of routes and traffic forwarding characteristics. Typically you'll make use of them for policy-routing (PBR is a great acronym) and for influencing routing protocol functionality. You are right in that there are two components: match and set. You can match based off of a lot of stuff:

aesir(config-route-map)#match ?
as-path Match BGP AS path list
clns CLNS information
community Match BGP community list
extcommunity Match BGP/VPN extended community list
interface Match first hop interface of route
ip IP specific information
ipv6 IPv6 specific information
length Packet length
metric Match metric of route
mpls-label Match routes which have MPLS labels
nlri BGP NLRI type
policy-list Match IP policy list
route-type Match route-type of route
tag Match tag of route

aesir(config-route-map)#match ip ?
address Match address of route or match packet
next-hop Match next-hop address of route
route-source Match advertising source address of route

If you're using a route-map within a routing protocol, like say to influence redistribution, you don't need a set command. However if you're using it to say force a next-hop address for a certain class of traffic, you would use a statement like "set ip next-hop x.x.x.x" and all of that matching traffic would be forced to that next-hop.

Cisco docs are your friend:
http://www.cisco.com/en/US/docs/ios/12_2/iproute/command/reference/1rfindp2.html#wp1044142


Does that help? It's not easy to provide easy answers to this stuff. Good luck with your BSCI.

mild


 
Dec 26, 2007

First off, thank you very very very much for your help. It's hard to find help for this stuff, and my instructor basically said "nope can't help" so I have to attempt to find other ways of learning this stuff and be able to apply it tomorrow night. I thought I had it, but found out yesterday I definitely did not. So, once again thank you.

So, a distribute-list is used solely to filter routes in/out of a routing process (and a specific interface)? To relate this to a real world question or something she might ask.

Configure R1 to advertise all networks to R2, but R3 should only have loopback 1, 8, and 9 sent to it.

So, what I would do is create a distribution list on R1 for both R2's interface and R3's interface under the routing protocol (can distribution lists be setup for any protocol including BGP?). Now, I could do this one of three ways.

1) I could setup an ACL for each loopback, then create a distribute list referencing the ACL(s).
access-list 1 permit 10.0.0.1
access-list 1 permit 10.0.0.2
access-list 1 permit 10.0.0.3
access-list 1 permit 10.0.0.4
access-list 1 permit 10.0.0.5

access-list 2 permit 10.0.0.1
access-list 2 permit 10.0.0.2
access-list 2 permit 10.0.0.3

router eigrp 1
distribute-list 1 out s0/0
distribute-list 2 out s0/1

Option 2) create a route map for each interface that is going to block the route (although I know this can be used with BGP, could this method be used with other protocols?).
router bgp 109
neighbor 192.168.0.1 route-map complete (although, do I even need a route map for this route if I'm redistributing all the routes?)
neighbor 192.168.0.5 route-map partial

route-map complete permit

route-map partial deny 10
match ip address 10.0.0.4
match ip address 10.0.0.5

route-map partial permit 20
I could use an ACL or prefix list instead of the ip for the partial deny 10 line correct? I feel like I'm missing something with these commands, or that this wouldn't work.

Option 3) your example of using a prefix list to define the IPs and then a distribute list referencing the prefix list.

What is the difference between an ACL and prefix list btw?

Now for a real world route map question/example.
Set the MED of AS 500 so R3 is the preferred route.

R2/R3=AS 500
R1= AS300
      ____________
     /            \
    R1------R2-----R3    is how they are connected

So I would setup a route map obviously. Here is the config I would use to do this:
On R2
neighbor (R1 ip) remote-as 300
neighbor (R3 ip) remote-as 500

route-map setMED permit 10
match ip address (this IP is the one for R1, or the network(s) advertised out of R2?)
set metric 10
route-map setMED permit 20
set metric 200

So, the first statement in the route map will match those networks. Are those networks the one that are advertised out of that router, or the destination router IP's?

The second route map statement permits all other routes, but will set their MED to 200 which means that it's going to prefer IP's specified in the setMED 10 route map command.
 

jlazzaro

Golden Member
May 6, 2004
So, what I would do is create a distribution list on R1 for both R2's interface and R3's interface under the routing protocol (can distribution lists be setup for any protocol including BGP?).

Yes, but in this instance you wouldn't apply anything to R2 since it's receiving all routes.

Now, I could do this one of three ways.

1) I could setup an ACL for each loopback, then create a distribute list referencing the ACL(s).

Yes

Option 2) create a route map for each interface that is going to block the route (although I know this can be used with BGP, could this method be used with other protocols?).

again, no need to filter R2. the route-map statement match ip address refers to an ACL, not a host address. route-maps can be applied to IGPs, but they use the distribute-list command.

I could use an ACL or prefix list instead of the ip for the partial deny 10 line correct? I feel like I'm missing something with these commands, or that this wouldn't work.

as with most things, it depends. there are multiple ways of doing the same thing, and sometimes it comes down to personal preference. with BGP, prefix lists are easier to use but if you need more advanced techniques of matching networks you could also use an extended ACL.

Option 3) your example of using a prefix list to define the IPs and then a distribute list referencing the prefix list.

What is the difference between an ACL and prefix list btw?

Now for a real world route map question/example.

So I would setup a route map obviously. Here is the config I would use to do this:
On R2
neighbor (R1 ip) remote-as 300
neighbor (R3 ip) remote-as 500

route-map setMED permit 10
match ip address (this IP is the one for R1, or the network(s) advertised out of R2?)
set metric 10
route-map setMED permit 20
set metric 200

the question/use of MED doesn't make sense, but for commands sake it would be:

neighbor (R1 ip) remote-as 300
neighbor (R1 ip) route-map r1-med-out out
neighbor (R3 ip) remote-as 500
neighbor (R3 ip) route-map r3-med-out out

route-map r1-med-out permit 10
match ip address prefix-list 1
set metric 10

route-map r3-med-out permit 10
match ip address prefix-list 2
set metric 200

ip prefix-list 1 seq 5 permit x.x.x.x/ab
ip prefix-list 2 seq 5 permit y.y.y.y/cd

the prefix-lists are the BGP prefixes which you want to set the MED attribute.
 

m1ldslide1

Platinum Member
Feb 20, 2006
Your option 1 looks fine.

Your option 2 is flawed, but close. You are correct that you reference a route-map in the neighbor statement, but the match ip address statement is going to call an ACL, rather than an address you type in. Your route-map should look more like this:

route-map partial permit 10
match ip address 10

access-list 10 permit x.x.x.x
access-list 10 permit x.x.x.x
access-list 10 permit x.x.x.x
access-list 10 permit x.x.x.x
<implicit deny at the bottom filters all other routes>

For the neighbor that is receiving all routes, you are correct - no route-map is necessary.

The difference between an ACL and a prefix list: An extended ACL can match on source and destination IP address and a bunch of layer-4 information. A prefix-list simply lists prefixes, but is niftier than a standard ACL in that it allows you to remove individual lines without deleting the whole ACL. I tend to use prefix-lists when doing distribute-lists and stuff like that, but maybe it's a matter of preference. If I thought about it long enough I could probably come up with a scenario where a prefix-list would have to be used instead of an ACL.

As for setting MED, check out this doc:
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094934.shtml
Essentially you're using the route-map to call an ACL that will match on the prefix for which you will be setting MED. You set MED on a prefix basis - not the whole neighbor like in your example. With that said, you could create an ACL that basically matches any, and in that case you'll be setting MED for each and every prefix you advertise.

No problem on the assistance - hope it helps!
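As an added illustration (not code from the thread or from Cisco), here is a small Python model of the matching rules the replies describe: a standard ACL with wildcard masks and a prefix-list behind a distribute-list (the OP's ACL 1/ACL 2 and m1ldslide1's FILTER_S0/0), and a route-map that matches a prefix-list and sets MED (jlazzaro's r1-med-out), including the implicit deny that drops every route no sequence permits. The sample routes, the prefix behind "ip prefix-list 1", and the "le 24" variant are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed sample routes (not from the thread) as a router would hold them.
ROUTES = [ip_network(n) for n in ("1.1.0.0/16", "2.2.0.0/16", "3.3.0.0/16",
                                  "10.0.0.0/8", "10.1.0.0/16", "172.16.0.0/16")]

# The OP's ACLs: (action, address, wildcard) per "access-list N permit ..." line.
ACL_1 = [("permit", "1.0.0.0", "0.255.255.255"), ("permit", "2.0.0.0", "0.255.255.255")]
ACL_2 = ACL_1 + [("permit", "3.0.0.0", "0.255.255.255")]

# Prefix-lists as (seq, action, prefix, ge, le); ge/le None means exact length.
PL_S0_0 = [(5, "permit", "10.0.0.0/8", None, None)]      # m1ldslide1's FILTER_S0/0
PL_S0_0_LE24 = [(5, "permit", "10.0.0.0/8", None, 24)]   # assumed variant with "le 24"
PL_1 = [(5, "permit", "1.1.0.0/16", None, None)]         # jlazzaro's "prefix-list 1", prefix assumed


def acl_permits(acl, net):
    """Standard ACL in a distribute-list: the route's network address is compared
    to each entry ignoring the bits set in the wildcard mask; the first matching
    entry decides and no match hits the implicit deny at the end."""
    addr = int(net.network_address)
    for action, base, wildcard in acl:
        care = ~int(ip_address(wildcard)) & 0xFFFFFFFF
        if addr & care == int(ip_address(base)) & care:
            return action == "permit"
    return False


def prefix_list_permits(plist, net):
    """Prefix-list: entries are tried in seq order; a route matches only if it lies
    inside the listed prefix AND its length is within [ge, le] (exact length when
    neither is given). No match means implicit deny."""
    for _seq, action, prefix, ge, le in sorted(plist, key=lambda e: e[0]):
        p = ip_network(prefix)
        lo = ge if ge is not None else p.prefixlen
        hi = le if le is not None else lo
        if net.subnet_of(p) and lo <= net.prefixlen <= hi:
            return action == "permit"
    return False


def distribute_list_out(routes, permits):
    """'distribute-list ... out <intf>': advertise only routes the filter permits."""
    return sorted(str(r) for r in routes if permits(r))


def route_map_out(routes, sequences):
    """'neighbor X route-map NAME out': sequences are tried in order and the first
    whose match clause fits the route wins; permit sends the route with its set
    clauses applied, deny drops it, and a route fitting no sequence is dropped
    by the implicit deny at the end. sequences: (action, match_fn or None, sets)."""
    result = {}
    for r in routes:
        for action, match, sets in sequences:
            if match is None or match(r):
                if action == "permit":
                    result[str(r)] = dict(sets)
                break
    return result


# jlazzaro's r1-med-out as written: only the matched prefix is advertised at all.
R1_MED_OUT = [("permit", lambda r: prefix_list_permits(PL_1, r), {"metric": 10})]
# The same map with a catch-all "permit 20 / set metric 200", as in the OP's setMED.
R1_MED_OUT_CATCHALL = R1_MED_OUT + [("permit", None, {"metric": 200})]
```

Note that "permit 10.0.0.0/8" without ge/le matches only the exact /8, so a more specific 10.1.0.0/16 is silently dropped unless the entry carries "le".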
 

rasczak

Lifer
Jan 29, 2005
sorry to bump an old thread. need to reference this later as I am thoroughly confused.
 

joke1972

Junior Member
Apr 10, 2013
Are distribute lists a route map for non-BGP protocols? I.E. do distribute lists roughly equal a route map and just vary based on the protocol being discussed?
 

m1ldslide1

Platinum Member
Feb 20, 2006
Are distribute lists a route map for non-BGP protocols? I.E. do distribute lists roughly equal a route map and just vary based on the protocol being discussed?

Welcome to AT forums.

All protocols can use both distribute-lists and route-maps (although there are protocol-specific idiosyncrasies to each). They can both accomplish the same thing - filtering out prefixes from advertisements - but route-maps offer a lot of additional functions like metric manipulation, community or route tagging, etc etc etc.