EIGRP distribute-list and extended access-lists

08-02-2019 05:20 PM
Hi.
I have tried the following configuration but when I use a named ACL it does not allow me to configure a distribute list, but the numbered ACL does.
R5(config)#ip access-list extended test
R5(config-ext-nacl)#deny ip host 155.1.0.2 host 150.1.9.9
R5(config-ext-nacl)#deny ip host 155.1.0.3 host 150.1.9.9
R5(config-ext-nacl)#deny ip host 155.1.0.4 host 150.1.9.9
R5(config-ext-nacl)#permit ip any any
R5(config-ext-nacl)#exit
R5(config)#access-list 100 deny ip host 155.1.0.2 host 150.1.9.9
R5(config)#access-list 100 deny ip host 155.1.0.3 host 150.1.9.9
R5(config)#access-list 100 deny ip host 155.1.0.4 host 150.1.9.9
R5(config)#access-list 100 permit ip any any
R5(config)#router eigrp 100
R5(config-router)#distri
R5(config-router)#distribute-list test in
% The ACL cannot be created or an ACL with the same name but incompatible type already exists.
R5(config-router)#distribute-list 100 in
R5(config-router)#
The router tells me that both the named and numbered ACLs are supported.
Can anyone tell me why this is not possible?
Labels: Routing Protocols
08-02-2019 11:02 PM
What is your IOS version? Some versions may not support this; others can. Or there is a bug in your IOS version.
See your command syntax with ?:
distribute-list ?
08-03-2019 07:16 AM
Hi
My software is:
Cisco IOS Software [Denali], CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.3.7
And named access-lists should be allowed according to the context-sensitive help:
R10(config-router)#distribute-list ?
  <1-199>      IP access list number
  <1300-2699>  IP expanded access list number
  WORD         Access-list name
  gateway      Filtering incoming address updates based on gateway
  prefix       Filter prefixes in address updates
  route-map    Filter prefixes based on the route-map
08-03-2019 02:45 PM
There are some issues or restrictions for the CSR1000 when comparing it to regular IOS routers, like missing options or options not working. Some behavior of the CSR is not the same as a router even though the IOS version is the same.
You will have to adapt to them and change your lab a bit.
08-02-2019 11:06 PM
Hello Rasmus,
For advanced route filtering you should use prefix-lists, which have been introduced for this purpose.
A distribute-list is intended as a way to filter incoming or outgoing routing updates and not user traffic.
Your example ACL, either in the named version or using a numbered ACL, has no sense in this context. Your ACL is a good ACL for filtering user traffic but not for filtering route updates. Actually, all route updates are allowed by your ACL, like it is when you don't use the distribute-list command.
The distribute-list should support the prefix-list either directly or by invoking a route-map that uses match ip address prefix <prefix-list-name>.
Read the following document:
Hope to help
Giuseppe
08-03-2019 07:25 AM
In this example I am not trying to filter user traffic but routing updates, and standard and extended ACLs are a valid way to filter them as well.
It is not the best way to filter routing updates, but it is still a valid way.
In my example I deny routing updates about the 150.1.9.9/32 network if they are received from EIGRP neighbors 155.1.0.2-4. And the ACL filtering works as long as it is numbered.
So my question is not what the best way to filter updates is, but why am I not allowed to use named extended ACLs when I can use numbered ones, and both seem to be supported? Is it a bug, or is it working as designed, and does someone have a reference to the documentation that says named extended access-lists aren't supported?
But thank you for your reply, and I do agree that route-maps are the best way to filter routes in IOS.
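The following is an added illustration, not code from the thread or from Cisco, of how the extended ACL in the original post behaves when applied as an inbound EIGRP distribute-list: the ACL's source field is compared with the neighbor that sent the update and the destination field with the advertised network, first match wins, and an unmatched update hits the implicit deny. The sample updates are constructed, and the network's mask is not modeled.

```python
"""Model of an extended ACL used with `distribute-list ... in` for EIGRP.
Added illustration (not Cisco code); sample updates below are constructed."""
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)


# Entries are (action, src, src_wildcard, dst, dst_wildcard).
# "host x" is x with wildcard 0.0.0.0; "any" is 0.0.0.0 with 255.255.255.255.
# This mirrors access-list 100 from the original post.
ACL_100 = [
    ("deny",   "155.1.0.2", "0.0.0.0", "150.1.9.9", "0.0.0.0"),
    ("deny",   "155.1.0.3", "0.0.0.0", "150.1.9.9", "0.0.0.0"),
    ("deny",   "155.1.0.4", "0.0.0.0", "150.1.9.9", "0.0.0.0"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]


def acl_decision(acl, neighbor: str, network: str) -> str:
    """Evaluate entries top-down; the ACL ends with an implicit deny."""
    for action, src, sw, dst, dw in acl:
        if wildcard_match(neighbor, src, sw) and wildcard_match(network, dst, dw):
            return action
    return "deny"


def accepted_routes(acl, updates):
    """Return the (neighbor, network) pairs the distribute-list lets in."""
    return [(n, p) for n, p in updates if acl_decision(acl, n, p) == "permit"]


# Constructed sample updates: (sending neighbor, advertised network)
UPDATES = [
    ("155.1.0.2", "150.1.9.9"),  # denied: entry 1
    ("155.1.0.4", "150.1.9.9"),  # denied: entry 3
    ("155.1.0.5", "150.1.9.9"),  # permitted: neighbor .5 is not listed
    ("155.1.0.2", "150.1.2.0"),  # permitted: a different network from .2
]

if __name__ == "__main__":
    for n, p in UPDATES:
        print(f"{n} -> {p}: {acl_decision(ACL_100, n, p)}")
```

Dropping the final `permit ip any any` entry (`ACL_100[:3]`) shows why it matters: every update then falls through to the implicit deny.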
08-03-2019 08:38 AM
Hello Rasmus,
>> In my example I deny routing updates about the 150.1.9.9/32 network if they are received from EIGRP neighbors 155.1.0.2-4. And the ACL filtering works as long as it is numbered.
I always used a route map with match ip next-hop referring to standard ACL for cases like this.
About the named ACL issue:
When I started to work on Cisco routers in 1997, named ACLs did not exist, and when they were introduced there was at the beginning some performance penalty.
By the way you can always use a remark command to add a comment in a numbered ACL:
access-list 100 remark ACL used for EIGRP distribute-list
My personal opinion is that if you have an easy workaround available use it.
Sometimes the CLI parser offers options that are not available on the specific platform or software version.
Hope to help
Giuseppe
08-03-2019 02:46 PM
@Giuseppe Larosa wrote:
Sometimes the CLI parser offers options that are not available on the specific platform or software version.
Strongly Agree !!!
07-09-2024 02:14 AM
Hello Rasmus,
I don't know if it's a bug of IOS or not. You must apply the named ACL (standard or extended) in the router process first and then define the named ACL. If you apply an existing named ACL in the distribute-list in any router process, whatever the router process is, you will encounter this issue.
I'm glad if it's helpful.
-Teck Sing
