08-02-2019 05:20 PM
Hi.
I have tried the following configuration but when I use a named ACL it does not allow me to configure a distribute list, but the numbered ACL does.
R5(config)#ip access-list extended test
R5(config-ext-nacl)#deny ip host 155.1.0.2 host 150.1.9.9
R5(config-ext-nacl)#deny ip host 155.1.0.3 host 150.1.9.9
R5(config-ext-nacl)#deny ip host 155.1.0.4 host 150.1.9.9
R5(config-ext-nacl)#permit ip any any
R5(config-ext-nacl)#exit
R5(config)#access-list 100 deny ip host 155.1.0.2 host 150.1.9.9
R5(config)#access-list 100 deny ip host 155.1.0.3 host 150.1.9.9
R5(config)#access-list 100 deny ip host 155.1.0.4 host 150.1.9.9
R5(config)#access-list 100 permit ip any any
R5(config)#router eigrp 100
R5(config-router)#distri
R5(config-router)#distribute-list test in
% The ACL cannot be created or an ACL with the same name but incompatible type already exists.
R5(config-router)#distribute-list 100 in
R5(config-router)#
The router tells me that both named and numbered ACLs are supported.
Can anyone tell me why this is not possible?
08-02-2019 11:02 PM
What is your IOS version? Some versions may not support this; others can. Or there is a bug in your IOS version.
see your command syntax with ?
distribute-list ?
08-03-2019 07:16 AM
Hi
My software is:
Cisco IOS Software [Denali], CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.3.7
And named access lists should be allowed according to the context-sensitive help:
R10(config-router)#distribute-list ?
  <1-199>      IP access list number
  <1300-2699>  IP expanded access list number
  WORD         Access-list name
  gateway      Filtering incoming address updates based on gateway
  prefix       Filter prefixes in address updates
  route-map    Filter prefixes based on the route-map
08-03-2019 02:45 PM
08-02-2019 11:06 PM
Hello Rasmus,
for advanced route filtering you should use prefix-lists that have been introduced for this purpose.
A distribute-list is intended as a way to filter incoming or outgoing routing updates and not for user traffic.
Your example ACL, either in the named version or as a numbered ACL, makes no sense in this context. Your ACL is a good ACL for filtering user traffic but not for filtering route updates. Actually, all route updates are allowed by your ACL, just as they are when you don't use the distribute-list command.
The distribute-list should support the prefix-list either directly or by invoking a route-map that uses a match ip address prefix-list <prefix-list-name>.
read the following document
Hope to help
Giuseppe
08-03-2019 07:25 AM
08-03-2019 08:38 AM
Hello Rasmus,
>> In my example I deny routing updates about the 150.1.9.9/32 network if they are received from EIGRP neighbors 155.1.0.2-4. And the ACL filtering works as long as it is numbered.
I always used a route map with match ip next-hop referring to standard ACL for cases like this.
About the named ACL issue:
when I started to work on Cisco routers in 1997 named ACLs did not exist and when they were introduced there was at the beginning some performance penalty.
By the way you can always use a remark command to add a comment in a numbered ACL:
access-list 100 remark ACL used for EIGRP distribute-list
My personal opinion is that if you have an easy workaround available use it.
Sometimes the CLI parser offers options that are not available on the specific platform or software version.
Hope to help
Giuseppe
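As an added example (not configuration from this thread or from either poster), the following IOS configuration puts Giuseppe's two suggestions together for the scenario in the original question: keep 150.1.9.9/32 out of the EIGRP topology when it is learned from neighbors 155.1.0.2-4, using a route-map that combines a standard ACL on the next hop with a prefix-list on the route, and, as a simpler variant, a prefix-list applied directly to the distribute-list. The IP addresses and the EIGRP AS number come from the original post; the ACL, prefix-list and route-map names are assumptions chosen for this example.

```cisco
! Added example, not from the thread. Names (EIGRP-NEIGHBORS, BLOCK-150-1-9-9,
! EIGRP-IN, NO-150-1-9-9) are assumed; addresses and AS 100 are from the question.
!
! Standard ACL listing the EIGRP neighbors whose advertisement of the
! route should be ignored (matched against the update's next hop).
ip access-list standard EIGRP-NEIGHBORS
 permit 155.1.0.2
 permit 155.1.0.3
 permit 155.1.0.4
!
! Prefix-list naming the exact route to filter (a /32 host route).
ip prefix-list BLOCK-150-1-9-9 seq 5 permit 150.1.9.9/32
!
! Route-map for inbound filtering: sequence 10 denies only when BOTH the
! neighbor (next hop) and the prefix match; sequence 20 permits all other
! routes, so nothing else learned by EIGRP is affected.
route-map EIGRP-IN deny 10
 match ip next-hop EIGRP-NEIGHBORS
 match ip address prefix-list BLOCK-150-1-9-9
route-map EIGRP-IN permit 20
!
router eigrp 100
 distribute-list route-map EIGRP-IN in
!
! --- Variant from Giuseppe's first reply: a prefix-list applied directly. ---
! This drops 150.1.9.9/32 from ALL neighbors, not just 155.1.0.2-4. Only one
! inbound distribute-list is active per process, so this line would replace
! the route-map based one above rather than coexist with it.
ip prefix-list NO-150-1-9-9 seq 5 deny 150.1.9.9/32
ip prefix-list NO-150-1-9-9 seq 10 permit 0.0.0.0/0 le 32
! router eigrp 100
!  distribute-list prefix NO-150-1-9-9 in
```

To confirm the filter is applied, check that the inbound filter appears under the EIGRP process in show ip protocols, and that 150.1.9.9/32 is absent from show ip eigrp topology (or, on the route-map variant, is present only via a neighbor not listed in EIGRP-NEIGHBORS). Because this is an inbound filter, the neighbors still send the update; the receiving router simply refuses to install it, which is the same effect the original numbered-ACL distribute-list was meant to achieve.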
08-03-2019 02:46 PM
@Giuseppe Larosa wrote:
Sometimes the CLI parser offers options that are not available on the specific platform or software version.
Strongly Agree !!!
07-09-2024 02:14 AM
Hello Rasmus
I don't know if it's a bug of IOS or not. You must apply the named ACL (standard or extended) in router process first and then define the named ACL. If you apply an existing named ACL in the distribution list in any router process, whatever the router process is, you will encounter this issue.
I'm glad if it's helpful.
-Teck Sing