Hai am preparing for ccnp route where in Eigrp i came through this topics (Distribution list and route map ) and it confused me . Acl gives the rights to the user to access a particular server and distribution list is used to filter the routes , my doubt is when we can get the job done by ACL then why we use Distribution and Route map and why we configure ACL inorder to configure distribution list and route map ? ....... thanks in advance .
These tools are often confusing - I am glad you ask.
Let's first talk about ACLs and route maps. ACLs, as you already know, were explained in CCNA as mechanisms to filter packets based on their properties - source and destination addresses, transport layer protocol and ports, flags and perhaps some other attributes. However, this is not the only possible use of ACLs. An ACL is basically a mechanism accepting certain input from the IOS (source, destination, protocol, port, etc.) and returning three possible results:
- found a matching entry and the action is permit
- found a matching entry and the action is deny
- not found any matching entry
Now, because the ACL simply performs a matching operation and gives you a permit or deny result, you can use it in different places where some filtering based on addresses or address-like values is required. One of such applications is filtering the networks that are advertised or redistributed in routing protocols. In this case, we do not filter packets but rather, we filter the prefixes that are carried inside routing protocol's messages.
A route-map is a generalization of ACL. In addition to the capability to match packets or prefixes and permit or deny them, it is also capable of performing certain operations that modify the router's behavior or the attributes of these prefixes. Sometimes, a route-map is explained as an if-then-else mechanism: if some prefixes match some criteria then perform some specific action about them, else move to the next entry in the route-map.
Thus, the main differences between a route-map and an ACL are:
- A route-map can perform matching operations based on very diverse attributes. An ACL performs matching based only on IP addresses, L4 protocols and ports and some additional variables typical for packet headers and contents. In fact, when a route-map needs to perform these kinds of matches, it simply calls an ACL to do this job. However, it can also perform matching on different criteria (AS paths, metrics, route types, outgoing interfaces, ...) that are not matchable by an ACL.
- A route-map can perform a set operation on the packets or prefixes it matched, modifying their route (packets) or their attributes (prefixes). An ACL can only permit or deny them but it can't modify anything about them.
So to put it shortly, an ACL performs matching and filtering based on addressing information. A route-map performs matching, modification and filtering based on several types of matches, and it uses ACLs if the required matching is to be based on addressing information (it may also use other types of matches different from ACLs).
A distribution list is actually a misnomer and does not really belong here A distribution list is really only a command that uses route-maps or ACLs to perform filtering of routing information advertised or received within a particular routing protocol. It is not a standalone filtering mechanism similar to ACLs/route-map. The relation between route-maps or ACLs and distribute lists is the same as the relation between ACLs and "ip access-groups". An ACL is a mechanism to perform filtering while "ip access-group" is a command that uses this ACL to filter packets. In the very same way, an ACL or route-map is a mechanism to perform prefix filtering (and optional modification) while "distribute-list" is the command in the particular routing protocol's configuration that uses this ACL or route-map to filter advertised or received prefixes.
Sometimes a confusion exists about the difference between distribute lists and redistribution. A redistribution is a process of injecting routes from a different source into a particular routing protocol. If filtering is required during this process, route-maps are used. Technically, ACLs could also be used but the Cisco command line does not support referring directly to ACLs when redistributing, so route-maps are used, and these in turn refer to ACLs to perform the actual filtering. A distribute list controls what prefixes are advertised or received within a single routing protocol, i.e. after they have been somehow injected into it, and it does not matter how.
So to sum it up - ACLs and route-maps perform matching, modification and filtering operations. Route-maps can refer to ACLs to perform matching operations based on addressing values. Both route-maps and ACLs can be referred to in a distribute-list command to filter networks advertised or received in a routing protocol. Additionally, route-map are used during redistribution to filter and modify the redistributed networks and their attributes. Route-maps also constitute the main tool used to match and modify attributes of BGP-advertised networks.
A last comment here: increasingly, the ACLs used to filter routing updates are replaced by so-called IP prefix lists. These IP prefix lists are easier to write and understand than ACLs and are evaluated more effectively when matching network prefixes. This would, however, require a totally new thread so I'm not going into that right now
with distribute-list we use an ACL to perform route filtering : at process level or at specific interface level we can influence what IP prefixes are advertised or received (depending on direction of distribute-list) by the EIGRP routing process on a specific interface or at process level.
A distribute-list invokes an IP ACL in router eigrp configuration context. A distribute-list can also invoke a route-map to have a more flexible way to define what IP prefixes are permitted
this is a more recent and advanced feature
When we apply an ACL at interface with ip access-group command the ACL is used to filter user traffic ( data plane), when the ACL is used in router eigrp with distribute-list the ACL is used to filter IP routes ( signalling plane).
IP ACLs can have multiple different usages depending on how they are invoked
Hope to help
ACLs can be used for many tasks and your book is covering 2 essential ones; security ACLs and routing ACLs.
Just view ACLs as a way of grouping hosts/subnets and add some kind of action to it.
In the case of security ACLs, you have a group of hosts/subnets to protect your infrastructure.
An example would be
access-list 1 deny 188.8.131.52
access-list 1 deny 184.108.40.206
access-list 1 permit any
ip access-group 1 in
In the example above, you are denying hosts 220.127.116.11 and 18.104.22.168 to enter interface fa0/0 while allowing everyone else.
In the routing ACL, you are not protecting your infrastructure but you are engineering your routing information.
The following example causes only one network (network 172.18.0.0) to be advertised by a EIGRP routing process:
access-list 1 permit 172.18.0.0
router eigrp 100
network 172.18.0.0 0.255.255
network 10.0.0.0 0.0.0.255
distribute-list 1 out