
configuring distribute-list

jacquesvaidie
Level 1

Is it possible to configure distribute-list with ip extended access-list or only with ip standard access-list ?


amit-singh
Level 8

We use distribute-list only to allow or suppress the networks advertised via a particular interface. Why do you need an extended access-list to control that when you know that a specific network should be suppressed? You can have a distribute-list using an extended ACL (as the command allows you to set that), but it does not make sense to me.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800917e3.html#wp1023230

regards,

-amit singh

amit-singh
Level 8

In addition to my last post: I just want to update you that extended NAMED ACLs are not supported with distribute-list; you can only use a numbered ACL.

cn-spare-me01-(config-router)#distribute-list test in

Access-list type conflicts with prior definition

% This command only accepts named standard IP access-lists.

cn-spare-me01-(config-router)#distribute-list test out

Access-list type conflicts with prior definition

% This command only accepts named standard IP access-lists.

cn-spare-me01-(config-router)#

regards,

-amit singh

I am not sure which routing protocol you were using when you generated your example. There was a thread on one of the forums a while back about using extended access lists to filter routing updates. Using extended access lists has been supported in BGP for a long time. When using an extended access list for controlling BGP routing updates the syntax is different from the usual experience. In filtering BGP it is not source address destination address but is prefix definition and definition of length. This functionality is better done with prefix lists which are a newer and better way to filter BGP updates where you may be concerned not only with the value of the prefix. For example you may want to permit advertisement of 144.144.0.0/16 but deny advertisement of 144.144.0.0/24. A prefix list is the best way to do this but an extended access list can also do it.

Also extended access lists are supported for filtering routing updates in EIGRP.

Having said these things that justify using extended access list for filtering routing updates, I will also say that standard lists are most commonly used and for very good reason. If you have a particular need then an extended access list may help you accomplish it, but for the most part you will be much better off to do your routing update filtering with standard access lists.

HTH

Rick
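An added example, not part of Rick's post or any Cisco code: a small Python model of the matching he describes, comparing a standard ACL, an extended ACL used as a BGP route filter (first address/wildcard pair matches the prefix, second pair matches the mask) and a prefix list against his 144.144.0.0/16 and 144.144.0.0/24 case. The function names and entry tuples are assumptions made for illustration.

```python
import ipaddress

def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

def _wild_match(value, base, wildcard):
    # IOS wildcard mask: a 1 bit means "don't care", a 0 bit must match.
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(value) & care) == (_ip(base) & care)

def standard_acl(entries, route):
    """Standard ACL as a route filter: only the network address is compared."""
    net = ipaddress.ip_network(route)
    for action, base, wc in entries:
        if _wild_match(str(net.network_address), base, wc):
            return action
    return "deny"  # implicit deny at the end of every list

def extended_acl(entries, route):
    """Extended ACL as a BGP route filter: 'source' pair = prefix, 'destination' pair = mask."""
    net = ipaddress.ip_network(route)
    for action, pfx, pfx_wc, mask, mask_wc in entries:
        if (_wild_match(str(net.network_address), pfx, pfx_wc)
                and _wild_match(str(net.netmask), mask, mask_wc)):
            return action
    return "deny"

def prefix_list(entries, route):
    """Prefix list entry without ge/le: prefix and length must both match exactly."""
    net = ipaddress.ip_network(route)
    for action, pfx in entries:
        if net == ipaddress.ip_network(pfx):
            return action
    return "deny"

# Constructed filter entries, each permitting 144.144.0.0 as precisely as its type allows.
STD = [("permit", "144.144.0.0", "0.0.0.0")]
EXT = [("permit", "144.144.0.0", "0.0.0.0", "255.255.0.0", "0.0.0.0")]
PFX = [("permit", "144.144.0.0/16")]
ROUTES = ["144.144.0.0/16", "144.144.0.0/24"]

def evaluate():
    """Return {route: (standard, extended, prefix-list) verdicts}."""
    return {r: (standard_acl(STD, r), extended_acl(EXT, r), prefix_list(PFX, r))
            for r in ROUTES}

if __name__ == "__main__":
    for route, verdicts in evaluate().items():
        print(route, verdicts)
```

In this model the standard list cannot tell the /16 from the /24, so the more-specific route passes the filter; the extended list and the prefix list both reject it.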


That's right. The easiest way to filter not only network address but include network prefix or subnet mask is by using prefix-list.

It is also possible to use an extended access-list to filter on the subnet mask, but it is not recommended due to the complexity of the configuration.

Rick,

Thanks for the reply on this. Would you be able to give me an example where we can use the extended ACL to filter the traffic in the case of EIGRP? I don't know much about BGP as I have not studied it yet.

regards,

-amit singh

Amit

My experience of using extended access lists to filter routing updates has been with BGP. I have not myself used extended access lists to filter routing updates in EIGRP (the filtering of routing updates that I have done in EIGRP has been done with standard access lists). It was stated in a discussion on the forum that extended access lists worked in EIGRP and I mentioned it based on that discussion. According to the posting in the discussion the extended access list gave the ability to filter the prefix and the address of the source of the update. I do not have experience to directly support that point.

HTH

Rick
