DIFFERENCE BETWEEN ACL & DISTRIBUTE-LISTS & PASSIVE-INTERFACE

Hi, I've been reading about these and can practically do these tasks, but although I ask for clarity in my 'explanation', I don't think I'm grasping the difference between 'Distribute-list' & 'ACLs'. - ?

I've just been configuring for further understanding with 'RIP v2'.

ACLs - Can deny or permit networks, hosts, ports or protocols via 'Standard/Extended ACLs' - So why use a 'Distribute-list' as below: (I can't grasp it)!!!!?

Distribute-lists - If a router wishes to block a specific interface, then by adding an 'ACL' but then inputting the 'Distribute-list' command within 'router rip', means that the 'network statement' in question, in 'RIP', does NOT need to be removed as it still needs to be advertised via other connected networks via this 'RIP' process!! - I can't spot where I'm misunderstanding! ?

Or is Distribute-list also to do with (not wasting unnecessary CPU resources or Flash memory) etc. - as it is an example 'LAB' I'm following - ?

Passive-interface - This allows a network to be 'Advertised' to a directly connected network but NOT passed onto others via the 'RIP' process as unnecessary -?

The reason why I explain 'passive-interface' like this is because after adding this command I could still see the network in question on the actual router (as expected) but also on the connected router (not expected), so I also used these commands on the connected router:

- sh ip route - This still showed me the network that I expected NOT to see due to the passive-interface command being added - ?
- sh ip rip database - As the above command did show my unexpected network, I did think maybe (here) it would NOT show the network in question, confirming my explanation, but I'm now lost?
mikey250 Asked:
Steve Jennings (Sr Manager Cloud Networking Ops) Commented:
Dist lists can be used to control what routes are accepted or advertised. The ACL defines the list and the distribute list statement applies the ACL to the routing protocol.

Steve

mikey250 (Author) Commented:
Hi Steve, thanks for your comments!!!  What I'm trying to find out is, am I 'correct' in my own explanation? Otherwise my question specific to 'Distribute-lists' is why use it if I can just use 'ACLs', or is it because if it still needs to be a part of the network via 'RIP' then 'ACLs' by themselves would not be sufficient?

Hopefully I get a response for the other questions from other comments as I just want to confirm my understanding!!
Steve Jennings (Sr Manager Cloud Networking Ops) Commented:
ACLs alone would block a source or destination, not a route. Say you have an ACL 'deny 1.1.1.1'. Traffic from 1.1.1.1 would be denied on the interface where the ACL was applied. That same ACL referred to in a distribute list on a routing protocol would not have any effect on traffic on an interface, it would prevent a route to 1.1.1.1 from being added to the routing table.

Steve
mikey250 (Author) Commented:
Hi Steve,  Yes, my (bad), I understand 'ACLs'.  Also that is what I meant, as I wanted to check why 'Distribute-lists' were useful and, as you say, 'it would prevent a route to 1.1.1.1 from being added to the routing table.'

The first part of this sentence I have explained wrong:

Distribute-lists - If a router wishes to block a specific interface, then by adding an 'ACL' but then inputting the 'Distribute-list' command within 'router rip', means that the 'network statement' in question, in  -  ('RIP' does NOT need to be removed as it still needs to be advertised via other connected networks via this 'RIP' process!!) As per my 'MAIN' thread, so I did understand after all!!

Thanks for bringing clarity as I thought there was more to it!!

Just got 'passive-interface' to understand now, as this did not work for me from my checks as per the main thread!!
Steve Jennings (Sr Manager Cloud Networking Ops) Commented:
Well, passive interface in RIP simply means that the interface will listen for and process updates received on that interface, but it won't advertise.

Steve
mikey250 (Author) Commented:
Hi SteveJ, Yes that's what I understand, but how do I confirm that it does not advertise, as per the main thread:

Passive-interface - This allows a network to be 'Advertised' to a directly connected network but NOT passed onto others via the 'RIP' process as unnecessary -?

The reason why I explain 'passive-interface' like this is because after adding this command I could still see the network in question on the actual router (as expected) but also on the connected router (not expected), so I also used these commands on the connected router:

- sh ip route - This still showed me the network that I expected NOT to see due to the passive-interface command being added - ?
- sh ip rip database - As the above command did show my unexpected network, I did think maybe (here) it would NOT show the network in question, confirming my explanation, but I'm now lost?
Steve Jennings (Sr Manager Cloud Networking Ops) Commented:
I'm not following your comment. Let's say I have a router (A). I receive a route (2.2.2.2) on interface 1 from router B. Interface 2 on router A is "passive" but connected to router C. Router C will not "see" the route 2.2.2.2 because the interface on router A is set to passive and will not send 2.2.2.2 out of that interface. Router C sends a route (3.3.3.3) to interface 2 on router A. Router A will add 3.3.3.3 to the routing table.

One way to confirm this would be to configure 2 routers, Router A and Router B. Configure a passive interface on Router A and connect Router B to that interface. Add a static route (5.5.5.5) to Router A, add the "redistribute static" command to the routing protocol on Router A and you should NOT see the static route added to the routing table of Router B. This is because it should not be advertised out of the passive interface. Remove "passive" from the interface and the route should appear on Router B. Then add another static route (4.4.4.4). Add an ACL to router A that denies 5.5.5.5. Add a distribute list statement to the routing protocol on Router A referring to the ACL you just created. Now Router B will show the route to 5.5.5.5 from Router A but it will not show the route 4.4.4.4 from router A because it has been excluded from the advertised routes.

I wrote this fairly quickly and I may have overlooked something. But generally this is how passive interface and distribute lists are designed to work.

Steve
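As an added example (not from the thread, and not Steve's or mikey250's configs), here is a Cisco IOS RIPv2 configuration for the two-router check described above; hostnames, interfaces and addresses are constructed, and ACL 10 here denies 4.4.4.4 and permits everything else so that 5.5.5.5 is advertised and 4.4.4.4 is not.

```cisco
! Router A (constructed hostname/addressing for this added example)
hostname RouterA
!
interface GigabitEthernet0/0
 description Link to Router B
 ip address 10.0.12.1 255.255.255.252
!
! Two static test routes that RIP will redistribute
ip route 5.5.5.5 255.255.255.255 Null0
ip route 4.4.4.4 255.255.255.255 Null0
!
! Standard ACL used as a route filter: once referenced by distribute-list,
! each line matches a route prefix in the update, not packet traffic
access-list 10 deny   4.4.4.4 0.0.0.0
access-list 10 permit any
!
router rip
 version 2
 no auto-summary
 network 10.0.0.0
 redistribute static metric 1
 ! Step 1 of the check: make the link to B passive; B then learns nothing
 ! from A (neither 5.5.5.5/32 nor 4.4.4.4/32 in "show ip route rip" on B).
 ! passive-interface GigabitEthernet0/0
 ! Step 2: leave the interface active and filter outbound updates with
 ! ACL 10 instead; B now shows 5.5.5.5/32 but not 4.4.4.4/32.
 distribute-list 10 out
!
! Router B (constructed), a plain RIPv2 neighbour with no filtering
hostname RouterB
!
interface GigabitEthernet0/0
 ip address 10.0.12.2 255.255.255.252
!
router rip
 version 2
 no auto-summary
 network 10.0.0.0
!
! Verification: on A, "show ip protocols" lists the passive interface
! (step 1) and the outgoing update filter list (step 2); on B, compare
! "show ip route rip" with "show ip rip database" after each step.
```

Note that passive-interface only suppresses RIP updates sent out of that one interface; a network on a passive interface is still advertised out of Router A's other, non-passive interfaces, so a neighbour on one of those interfaces will still learn it.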
mikey250 (Author) Commented:
Yes I totally understand, but my network setup was slightly different!  My Router A was linked to Router B only. Routers A & B were configured with 'RIP v2'.  sh ip route confirms this was all good!!

Router B was attached to another Router C which was not part of 'RIP v2', effectively a 'Stub'.

What I was expecting was to log on to Router B and 'NOT' see Router A's 'passive entry', but from what you are saying I needed to have a 3rd router which should NOT receive updates of Router A's passive entry.

I will check this tomorrow to clarify!!
mikey250 (Author) Commented:
I've read your other comments below, and yes I added 'Redistribute' on my Router B for e.g. and 'Redistribute static' on my Router C, as per my lab, but still on Router B I could see the passive.  It was never seen on Router C though.

'One way to confirm this would be to configure 2 routers. Router A and Router B. Configure a passive interface on Router A and connect Router B to that interface. Add a static route (5.5.5.5) to Router A, add the "redistribute static" command to the routing protocol on Router A and you should NOT see the static route added to the routing table of Router B. This is because it should not be advertised out of the passive interface. Remove "passive" from the interface and the route should appear on Router B. Then add another static route (4.4.4.4). Add an ACL to router A that denies 5.5.5.5. Add a distribute list statement to the routing protocol on Router A referring to the ACL you just created. Now Router B will show the route to 5.5.5.5 from Router A but it will not show the route 4.4.4.4 from router A because it has been excluded from the advertised routes.

I wrote this fairly quickly and I may have overlooked something. But generally this is how passive interface and distribute lists are designed to work.'

I will do it again tomorrow!!  Thanks!!
mikey250 (Author) Commented:
Hi Steve, apologies for taking so long!!  As per your last thread I've attached my configs.  The 'passive-interfaces' are still showing on 'Vista'!! - Why?

Although as per my notes it states:  Vista will not have a route to 172.16.5.0/30, as it is variably subnetted and RIPv1 does not support VLSM.  The /32 networks you see are allowed by the classless command to support default networks in RIP and IGRP.

My routers use /24, but even changing it to '0.0.0.3 area 0' this does not make a difference!
sanjose1-routera.txt
Baypoint-routerb.txt
Vista-routerc.txt