EIGRP distribute-list and extended access-lists

rasmus.elmholt
Level 7

Hi.

I have tried the following configuration but when I use a named ACL it does not allow me to configure a distribute list, but the numbered ACL does.

R5(config)#ip access-list extended test
R5(config-ext-nacl)#deny ip host 155.1.0.2 host 150.1.9.9
R5(config-ext-nacl)#deny ip host 155.1.0.3 host 150.1.9.9
R5(config-ext-nacl)#deny ip host 155.1.0.4 host 150.1.9.9
R5(config-ext-nacl)#permit ip any any
R5(config-ext-nacl)#exit
R5(config)#access-list 100 deny ip host 155.1.0.2 host 150.1.9.9
R5(config)#access-list 100 deny ip host 155.1.0.3 host 150.1.9.9
R5(config)#access-list 100 deny ip host 155.1.0.4 host 150.1.9.9
R5(config)#access-list 100 permit ip any any
R5(config)#router eigrp 100
R5(config-router)#distri
R5(config-router)#distribute-list test in
% The ACL cannot be created or an ACL with the same name but incompatible type already exists.
R5(config-router)#distribute-list 100 in
R5(config-router)#

The router tells me that both named and numbered ACLs are supported.

Can anyone tell me why this is not possible?


Martin L
VIP

What is your IOS version? Some versions may not support this; others can. Or there is a bug in your IOS version.

See your command syntax with ?:

distribute-list ?

Hi

My software is:

Cisco IOS Software [Denali], CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.3.7

And named access-lists should be allowed according to the context-sensitive help:

R10(config-router)#distribute-list ?
  <1-199>      IP access list number
  <1300-2699>  IP expanded access list number
  WORD         Access-list name
  gateway      Filtering incoming address updates based on gateway
  prefix       Filter prefixes in address updates
  route-map    Filter prefixes based on the route-map


There are some issues or restrictions for the CSR1000 when compared to regular IOS routers, like options that are missing or not working. Some behavior of the CSR is not the same as on a router even though the IOS version is the same.
You will have to adapt to them and change your lab a bit.

Giuseppe Larosa
Hall of Fame

Hello Rasmus,

For advanced route filtering you should use prefix-lists, which have been introduced for this purpose.

A distribute-list is intended as a way to filter incoming or outgoing routing updates, not user traffic.

Your example ACL, either in the named version or as a numbered ACL, makes no sense in this context. Your ACL is a good ACL for filtering user traffic but not for filtering route updates. Actually, all route updates are allowed by your ACL, as they are when you don't use the distribute-list command.

 

The distribute-list should support the prefix-list either directly or by invoking a route-map that uses a match ip address prefix <prefix-list-name>.

Read the following document:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_eigrp/configuration/xe-3s/ire-xe-3s-book/eigrp-route-map.html?dtid=osscdc000283

 

Hope to help

Giuseppe

Hi

In this example I am not trying to filter user traffic but routing updates, and standard and extended ACLs are a valid way to filter them as well.
It is not the best way to filter routing updates, but it is still a valid way.

In my example I deny routing updates about the 150.1.9.9/32 network if they are received from EIGRP neighbors 155.1.0.2-4. And the ACL filtering works as long as it is numbered.
So my question is not what the best way to filter updates is, but why am I not allowed to use named extended ACLs when I can use numbered ones, and both seem to be supported? Is it a bug, or is it working as designed, and does someone have a reference to the documentation that says named extended access-lists aren't supported?

But thank you for your reply, and I do agree that route-maps are the best way to filter routes in IOS.

Hello Rasmus,

>> In my example I deny routing updates about the 150.1.9.9/32 network if they are received from EIGRP neighbors 155.1.0.2-4. And the ACL filtering works as long as it is numbered.

I always used a route-map with match ip next-hop referring to a standard ACL for cases like this.

 

About the named ACL issue:

When I started to work on Cisco routers in 1997, named ACLs did not exist, and when they were introduced there was at the beginning some performance penalty.

By the way, you can always use a remark command to add a comment in a numbered ACL:

access-list 100 remark ACL used for EIGRP distribute-list

 

My personal opinion is that if you have an easy workaround available, use it.

Sometimes the CLI parser offers options that are not available on the specific platform or software version.

Hope to help

Giuseppe
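Added example (written for this page; it is not from any of the posters and not copied from the linked Cisco document): the route-map approach Giuseppe describes, using match ip next-hop against a standard ACL of the advertising neighbors together with a prefix-list for the /32, applied as an inbound EIGRP distribute-list. The addresses and the EIGRP AS number are the ones from the thread; the names NEIGHBORS_FILTERED, ROUTE_150_1_9_9 and FILTER_EIGRP_IN are assumed. This avoids the named extended ACL entirely, so it sidesteps the parser error Rasmus hit.

```cisco
! Standard ACL listing the EIGRP neighbors whose advertisement of the prefix we do not want to accept.
! "match ip next-hop" in the route-map consults this ACL (names are assumed, addresses are from the thread).
ip access-list standard NEIGHBORS_FILTERED
 permit host 155.1.0.2
 permit host 155.1.0.3
 permit host 155.1.0.4
!
! Prefix-list matching exactly the /32 route to be filtered.
ip prefix-list ROUTE_150_1_9_9 seq 5 permit 150.1.9.9/32
!
! Sequence 10: both match statements must be true (they are ANDed), so only
! 150.1.9.9/32 learned from one of the three listed neighbors is dropped.
route-map FILTER_EIGRP_IN deny 10
 match ip address prefix-list ROUTE_150_1_9_9
 match ip next-hop NEIGHBORS_FILTERED
!
! Sequence 20: explicit permit for every other update. Without it the implicit
! deny at the end of the route-map would discard all inbound EIGRP routes.
route-map FILTER_EIGRP_IN permit 20
!
router eigrp 100
 distribute-list route-map FILTER_EIGRP_IN in
```

After applying it, show route-map FILTER_EIGRP_IN shows the match counters per sequence, and show ip route 150.1.9.9 should list the prefix only via a neighbor that is not in NEIGHBORS_FILTERED (or not at all, if those three are the only sources). If the route-map is later extended, keep the explicit permit 20 as the last clause; forgetting it is the usual way an inbound filter silently empties the EIGRP topology table.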

 


@Giuseppe Larosa wrote:

Sometimes the CLI parser offers options that are not available on the specific platform or software version.

Strongly Agree !!!
