Difference between ACL, distribution list and route map

Answered Question
Jul 17th, 2012

Hi, I am preparing for CCNP ROUTE, where in the EIGRP section I came across these topics (distribution list and route map) and they confused me. An ACL gives a user the right to access a particular server, and a distribution list is used to filter routes. My doubt is: when we can get the job done by an ACL, why do we use a distribution list and a route map, and why do we configure an ACL in order to configure a distribution list and a route map? Thanks in advance.

Correct Answer by Peter Paluch, Tue, 07/17/2012 - 12:14

Hello Chandra,

These tools are often confusing - I am glad you asked.

Let's first talk about ACLs and route maps. ACLs, as you already know, were explained in CCNA as mechanisms to filter packets based on their properties - source and destination addresses, transport layer protocol and ports, flags and perhaps some other attributes. However, this is not the only possible use of ACLs. An ACL is basically a mechanism accepting certain input from the IOS (source, destination, protocol, port, etc.) and returning three possible results:

  • found a matching entry and the action is permit
  • found a matching entry and the action is deny
  • not found any matching entry

Now, because the ACL simply performs a matching operation and gives you a permit or deny result, you can use it in different places where some filtering based on addresses or address-like values is required. One such application is filtering the networks that are advertised or redistributed in routing protocols. In this case, we do not filter packets but rather the prefixes that are carried inside a routing protocol's messages.

A route-map is a generalization of an ACL. In addition to the capability to match packets or prefixes and permit or deny them, it is also capable of performing certain operations that modify the router's behavior or the attributes of these prefixes. Sometimes, a route-map is explained as an if-then-else mechanism: if some prefixes match some criteria, then perform some specific action on them, else move to the next entry in the route-map.

Thus, the main differences between a route-map and an ACL are:

  • A route-map can perform matching operations based on very diverse attributes. An ACL performs matching based only on IP addresses, L4 protocols and ports and some additional variables typical for packet headers and contents. In fact, when a route-map needs to perform these kinds of matches, it simply calls an ACL to do this job. However, it can also perform matching on different criteria (AS paths, metrics, route types, outgoing interfaces, ...) that are not matchable by an ACL.
  • A route-map can perform a set operation on the packets or prefixes it matched, modifying their route (packets) or their attributes (prefixes). An ACL can only permit or deny them but it can't modify anything about them.

So to put it shortly, an ACL performs matching and filtering based on addressing information. A route-map performs matching, modification and filtering based on several types of matches, and it uses ACLs if the required matching is to be based on addressing information (it may also use other types of matches different from ACLs).

A distribution list is actually a misnomer and does not really belong here. A distribute list is really only a command that uses route-maps or ACLs to perform filtering of routing information advertised or received within a particular routing protocol. It is not a standalone filtering mechanism similar to ACLs/route-maps. The relation between route-maps or ACLs and distribute lists is the same as the relation between ACLs and "ip access-group". An ACL is a mechanism to perform filtering, while "ip access-group" is a command that uses this ACL to filter packets. In the very same way, an ACL or route-map is a mechanism to perform prefix filtering (and optional modification), while "distribute-list" is the command in the particular routing protocol's configuration that uses this ACL or route-map to filter advertised or received prefixes.

Sometimes a confusion exists about the difference between distribute lists and redistribution. Redistribution is the process of injecting routes from a different source into a particular routing protocol. If filtering is required during this process, route-maps are used. Technically, ACLs could also be used, but the Cisco command line does not support referring directly to ACLs when redistributing, so route-maps are used, and these in turn refer to ACLs to perform the actual filtering. A distribute list controls what prefixes are advertised or received within a single routing protocol, i.e. after they have been somehow injected into it, and it does not matter how.

So to sum it up - ACLs and route-maps perform matching, modification and filtering operations. Route-maps can refer to ACLs to perform matching operations based on addressing values. Both route-maps and ACLs can be referred to in a distribute-list command to filter networks advertised or received in a routing protocol. Additionally, route-maps are used during redistribution to filter and modify the redistributed networks and their attributes. Route-maps also constitute the main tool used to match and modify attributes of BGP-advertised networks.

A last comment here: increasingly, the ACLs used to filter routing updates are replaced by so-called IP prefix lists. These IP prefix lists are easier to write and understand than ACLs and are evaluated more effectively when matching network prefixes. This would, however, require a totally new thread, so I'm not going into that right now.

Best regards,

Peter

Correct Answer by Giuseppe Larosa, Tue, 07/17/2012 - 12:03

Hello Chandra,

With distribute-list we use an ACL to perform route filtering: at process level or at a specific interface level we can influence what IP prefixes are advertised or received (depending on the direction of the distribute-list) by the EIGRP routing process on a specific interface or at process level.

A distribute-list invokes an IP ACL in the router eigrp configuration context. A distribute-list can also invoke a route-map to have a more flexible way to define what IP prefixes are permitted; this is a more recent and advanced feature.

See

http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_eigrp/configuration/12-4t/EIGRP_Support_for_Route_Map_Filtering.html

When we apply an ACL at an interface with the ip access-group command, the ACL is used to filter user traffic (data plane); when the ACL is used in router eigrp with distribute-list, the ACL is used to filter IP routes (signalling plane).

IP ACLs can have multiple different usages depending on how they are invoked.

Hope to help

Giuseppe

Correct Answer by Edison Ortiz, Tue, 07/17/2012 - 11:55

ACLs can be used for many tasks, and your book is covering 2 essential ones: security ACLs and routing ACLs.

Just view ACLs as a way of grouping hosts/subnets and adding some kind of action to them.

In the case of security ACLs, you have a group of hosts/subnets to protect your infrastructure.

An example would be

access-list 1 deny 1.1.1.1
access-list 1 deny 2.2.2.2
access-list 1 permit any
!
interface fa0/0
 ip access-group 1 in

In the example above, you are denying hosts 1.1.1.1 and 2.2.2.2 from entering interface fa0/0 while allowing everyone else.

In the routing ACL, you are not protecting your infrastructure but you are engineering your routing information.

The following example causes only one network (network 172.18.0.0) to be advertised by an EIGRP routing process:

! standard ACL: matches the route's network address 172.18.0.0 only;
! every other prefix falls to the implicit deny and is not advertised
access-list 1 permit 172.18.0.0
!
router eigrp 100
 network 172.18.0.0 0.0.255.255
 network 10.0.0.0 0.0.0.255
 distribute-list 1 out
 no auto-summary
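Putting the three answers together in executable form: the Python model that follows is an added example, not code from this thread or from Cisco IOS. It reproduces the semantics Peter describes (an ACL lookup returns permit, deny or no match; a route-map is an if-then-else chain of sequences with set actions; distribute-list is only the command that feeds prefixes to one of them) and runs Edison's two ACLs, once as "ip access-group 1 in" against packets and once as "distribute-list 1 out" against EIGRP routes. The class names, the route dictionaries, the tag value and every address and metric are constructed for the example. A route-map sequence that references an ACL with a deny entry is included deliberately, because a deny inside a matched ACL means only "this sequence does not match" and the route moves on to the next sequence; it is the route-map's own deny sequence, or falling off the end of the route-map, that drops the route.

```python
"""Model of how IOS evaluates an ACL, a route-map and a distribute-list.

Added example, not code from the original thread or from Cisco. It reproduces
only the semantics the answers describe: a standard ACL is evaluated
first-match with three outcomes (permit, deny, no entry matched; the command
using the ACL treats the last one as deny); a route-map is an if/then/else
chain whose sequences can set attributes; "ip access-group" hands the ACL a
packet and "distribute-list" hands it a prefix. All addresses, routes and
metrics below are constructed sample data.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass
class AclEntry:
    action: str                 # "permit" or "deny"
    address: str
    wildcard: str = "0.0.0.0"   # IOS default when no wildcard is typed: exact match


def wildcard_match(addr: str, entry: AclEntry) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a, e, w = (int(IPv4Address(x)) for x in (addr, entry.address, entry.wildcard))
    return (a | w) == (e | w)


@dataclass
class Acl:
    entries: list

    def lookup(self, addr: str) -> Optional[str]:
        """First matching entry wins. Returns 'permit', 'deny', or None when
        no entry matched (the caller applies the implicit deny)."""
        for entry in self.entries:
            if wildcard_match(addr, entry):
                return entry.action
        return None


@dataclass
class RouteMapSeq:
    action: str                         # "permit" or "deny"
    match_acl: Optional[Acl] = None     # None: no match clause, matches everything
    set_values: dict = field(default_factory=dict)


class RouteMap:
    def __init__(self, sequences):
        self.sequences = sequences

    def apply(self, route: dict) -> Optional[dict]:
        """if <match> then <action, set> else next sequence; off the end = deny."""
        network = str(route["prefix"].network_address)
        for seq in self.sequences:
            if seq.match_acl is not None and seq.match_acl.lookup(network) != "permit":
                continue   # ACL deny or no entry: this sequence simply does not match
            if seq.action == "deny":
                return None
            return {**route, **seq.set_values}
        return None


def access_group_in(acl: Acl, packets: list) -> list:
    """'ip access-group <acl> in': data plane, the ACL input is the packet source."""
    return [p for p in packets if acl.lookup(p["src"]) == "permit"]


def distribute_list_out(policy, routes: list) -> list:
    """'distribute-list <acl|route-map> out': control plane, the input is the
    route's network address (a standard ACL never sees the prefix length)."""
    advertised = []
    for route in routes:
        if isinstance(policy, Acl):
            if policy.lookup(str(route["prefix"].network_address)) == "permit":
                advertised.append(route)
        else:
            result = policy.apply(route)
            if result is not None:
                advertised.append(result)
    return advertised


ANY = AclEntry("permit", "0.0.0.0", "255.255.255.255")
# Edison's security ACL: deny 1.1.1.1, deny 2.2.2.2, permit any
ACL_1 = Acl([AclEntry("deny", "1.1.1.1"), AclEntry("deny", "2.2.2.2"), ANY])
# Edison's routing ACL: permit 172.18.0.0, implicit deny of everything else
ACL_ROUTES = Acl([AclEntry("permit", "172.18.0.0")])
# ACL with a deny entry, used inside a route-map match clause (constructed)
ACL_NOT_10 = Acl([AclEntry("deny", "10.0.0.0", "0.255.255.255"), ANY])
# route-map: seq 10 permit, match ACL_NOT_10, set tag 18; seq 20 deny (constructed)
ROUTE_MAP = RouteMap([RouteMapSeq("permit", ACL_NOT_10, {"tag": 18}),
                      RouteMapSeq("deny")])

# constructed sample input: packets arriving on fa0/0 and routes EIGRP would advertise
PACKETS = [{"src": "1.1.1.1", "dst": "10.0.0.5"},
           {"src": "2.2.2.2", "dst": "10.0.0.5"},
           {"src": "192.0.2.10", "dst": "10.0.0.5"}]
ROUTES = [{"prefix": IPv4Network("172.18.0.0/16"), "metric": 3072},
          {"prefix": IPv4Network("172.18.0.0/24"), "metric": 3328},
          {"prefix": IPv4Network("172.18.5.0/24"), "metric": 3328},
          {"prefix": IPv4Network("10.0.0.0/24"), "metric": 2816}]


def prefixes(routes: list) -> list:
    return [str(r["prefix"]) for r in routes]


if __name__ == "__main__":
    print("forwarded:", [p["src"] for p in access_group_in(ACL_1, PACKETS)])
    print("advertised via ACL:", prefixes(distribute_list_out(ACL_ROUTES, ROUTES)))
    print("advertised via route-map:", distribute_list_out(ROUTE_MAP, ROUTES))
```

Run stand-alone, the model forwards only the 192.0.2.10 packet; the standard ACL advertises both 172.18.0.0/16 and 172.18.0.0/24, since it compares the network address only and cannot tell the two prefix lengths apart (the limitation that prefix lists, which Peter mentions, address by matching on length as well); and the route-map tags the three 172.18 routes with 18 while 10.0.0.0/24, which the ACL inside sequence 10 denies, is not dropped by that deny but falls through to sequence 20, whose own deny removes it.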

Overall Rating: 5 (9 ratings)

johnlloyd_13 Wed, 03/12/2014 - 20:01

Hi Peter, Giuseppe and Edison,

Every time I search for a particular Cisco topic, you guys come out.

I'm glad to have found such a thread. It helped me a lot in my daily networking job.

vegisekhar1255 Tue, 07/17/2012 - 22:30

Thank you very much Mr. Edison Ortiz, Giuseppe Larosa and Peter Paluch, sir. You people not only cleared my doubt but helped me in increasing my knowledge by 20%. Thank you once again.

kdsingh007 Wed, 06/03/2015 - 11:32

In simple words:

Sure, just for route filtering you don't need route maps, but to perform extra functions you have to combine access lists with route maps.

Route maps make use of access lists for route filtering and do extra functions on the result.

For example, if you use an access list for route filtering you will just filter routes but nothing else. With access lists in conjunction with route maps, you can set metric, weight and many more on filtered routes.

nealleslie Mon, 05/27/2013 - 08:06

Peter,

I realize this post is almost a year old... just wanted to say this is an excellent explanation of ACLs, distribution lists and route maps. I'm using CCNP Simplified to study for the exam, and while overall I think they do a pretty good job with the material, I found the explanation of this topic a little confusing, especially since for the CCNA you really just focus on access lists for either permitting or denying traffic based on source and destination address. This post really clears it up!

thanks
