• Status: Solved

DIFFERENCE BETWEEN ACL & DISTRIBUTE-LISTS & PASSIVE-INTERFACE

Hi, I've been reading about these and can practically do these tasks, but although I ask for clarity in my 'explanation', I don't think I'm grasping the difference between 'Distribute-lists' & 'ACLs'. - ?

I've just been configuring for further understanding with 'RIP v2'.

ACLs - Can deny or permit networks, hosts, ports or protocols via 'Standard/Extended ACLs' - So why use a 'Distribute-list' as below: (I can't grasp it)!!!!?

Distribute-lists - If a router wishes to block a specific interface, then by adding an 'ACL' but then inputting the 'Distribute-list' command within 'router rip', it means that the 'network statement' in question in 'RIP' does NOT need to be removed, as it still needs to be advertised via other connected networks via this 'RIP' process!! - I can't spot where I'm misunderstanding! ?

Or is Distribute-list also to do with (not wasting unnecessary CPU resources or Flash memory) etc.? As it is an example 'LAB' I'm following - ?

Passive-interface - This allows a network to be 'Advertised' to a directly connected network but NOT passed on to others via the 'RIP' process as unnecessary -?

The reason why I explain 'passive-interface' like this is because after adding this command I could still see the network in question on the actual router (as expected) but also on the connected router (not expected), so I also used these commands on the connected router:

- sh ip route - This still showed me the network that I expected NOT to see due to the passive-interface command being added - ?
- sh ip rip database - As the above command did show my unexpected network I did think maybe (here) it would NOT show the network in question, confirming my explanation, but I'm now lost?
Asked by: mikey250
 
SteveJ commented:
Dist lists can be used to control what routes are accepted or advertised. The ACL defines the list and the distribute list statement applies the ACL to the routing protocol.

Steve
 
mikey250 (Author) commented:
Hi Steve, thanks for your comments!!! What I'm trying to find out is whether I am 'correct' in my own explanation; otherwise my question specific to 'Distribute-lists' is why use it if I can just use 'ACLs', or is it because if it still needs to be a part of the network via 'RIP' then 'ACLs' by themselves would not be sufficient?

Hopefully I get a response for the other questions from other comments, as I just want to confirm my understanding!!
 
SteveJ commented:
ACLs alone would block a source or destination, not a route. Say you have an ACL 'deny 1.1.1.1'. Traffic from 1.1.1.1 would be denied on the interface where the ACL was applied. That same ACL referred to in a distribute list on a routing protocol would not have any effect on traffic on an interface, it would prevent a route to 1.1.1.1 from being added to the routing table.

Steve
 
mikey250 (Author) commented:
Hi Steve, yes, my (bad), I understand 'ACLs'. Also that is what I meant, as I wanted to check why 'Distribute-lists' were useful, and as you say 'it would prevent a route to 1.1.1.1 from being added to the routing table.'

The first part of this sentence I have explained wrong:

Distribute-lists - If a router wishes to block a specific interface, then by adding an 'ACL' but then inputting the 'Distribute-list' command within 'router rip', it means that the 'network statement' in question, in - ('RIP' does NOT need to be removed as it still needs to be advertised via other connected networks via this 'RIP' process!!) As per my 'MAIN' thread, so I did understand after all!!

Thanks for bringing clarity as I thought there was more to it!!

Just got 'passive-interface' to understand now, as this did not work for me from my checks as per the main thread!!
 
SteveJ commented:
Well, passive interface in RIP simply means that the interface will listen for and process updates received on that interface, but it won't advertise.

Steve
 
mikey250 (Author) commented:
Hi SteveJ, yes, that's what I understand, but how do I confirm that it does not advertise, as per the main thread:

Passive-interface - This allows a network to be 'Advertised' to a directly connected network but NOT passed on to others via the 'RIP' process as unnecessary -?

The reason why I explain 'passive-interface' like this is because after adding this command I could still see the network in question on the actual router (as expected) but also on the connected router (not expected), so I also used these commands on the connected router:

- sh ip route - This still showed me the network that I expected NOT to see due to the passive-interface command being added - ?
- sh ip rip database - As the above command did show my unexpected network I did think maybe (here) it would NOT show the network in question, confirming my explanation, but I'm now lost?
 
SteveJ commented:
I'm not following your comment. Let's say I have a router (A). I receive a route (2.2.2.2) on interface 1 from router B. Interface 2 on router A is "passive" but connected to router C. Router C will not "see" the route 2.2.2.2 because the interface on router A is set to passive and will not send 2.2.2.2 out of that interface. Router C sends a route (3.3.3.3) to interface 2 on router A. Router A will add 3.3.3.3 to the routing table.

One way to confirm this would be to configure 2 routers, Router A and Router B. Configure a passive interface on Router A and connect Router B to that interface. Add a static route (5.5.5.5) to Router A, add the "redistribute static" command to the routing protocol on Router A and you should NOT see the static route added to the routing table of Router B. This is because it should not be advertised out of the passive interface. Remove "passive" from the interface and the route should appear on Router B. Then add another static route (4.4.4.4). Add an ACL to router A that denies 5.5.5.5. Add a distribute list statement to the routing protocol on Router A referring to the ACL you just created. Now Router B will show the route to 5.5.5.5 from Router A but it will not show the route 4.4.4.4 from router A because it has been excluded from the advertised routes.

I wrote this fairly quickly and I may have overlooked something. But generally this is how passive interface and distribute lists are designed to work.

Steve
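The two-step test Steve describes above, written out as IOS configuration. This is an added example, not a config from the thread or from mikey250's attached files; the hostnames, interface names and the 10.0.12.0/24 link addressing are assumed. It also shows the point from Steve's earlier comment: access-list 10 below never touches a packet, because it is only ever referenced by `distribute-list`, where each entry is matched against a route's network prefix. Steve's description denies 5.5.5.5 in the ACL while the route that ends up missing on Router B is 4.4.4.4; this config denies 4.4.4.0/24 so that the outcome matches the result he states (B sees 5.5.5.0/24 but not 4.4.4.0/24). Step 1 is the passive-interface test; step 2 is the distribute-list test after the passive-interface line is removed.

```cisco
! ===== Router A: originates the routes and filters what it sends (assumed addressing) =====
hostname RouterA
!
interface GigabitEthernet0/0
 description Link to RouterB - the link under test
 ip address 10.0.12.1 255.255.255.0
!
! Two static routes to redistribute, as in the test. Null0 lets them install with no real next hop.
ip route 5.5.5.0 255.255.255.0 Null0
ip route 4.4.4.0 255.255.255.0 Null0
!
! Standard ACL used as a route filter, not as a packet filter: "deny 4.4.4.0 0.0.0.255" means
! "do not advertise the 4.4.4.0/24 route". The trailing "permit any" is essential: a
! deny-only ACL ends in an implicit deny and would suppress every route.
access-list 10 deny   4.4.4.0 0.0.0.255
access-list 10 permit any
!
router rip
 version 2
 no auto-summary
 network 10.0.0.0
 redistribute static metric 1
 ! Step 1: with this line present, nothing is sent out Gi0/0. Updates arriving on Gi0/0
 ! are still received and processed; Gi0/0 stays in RIP via "network 10.0.0.0".
 passive-interface GigabitEthernet0/0
 ! Step 2: after "no passive-interface GigabitEthernet0/0", filter the outbound updates.
 ! The interface and the network statement are unchanged; only the advertised contents change.
 distribute-list 10 out
!
! ===== Router B: receives the updates (assumed addressing) =====
hostname RouterB
!
interface GigabitEthernet0/0
 ip address 10.0.12.2 255.255.255.0
!
router rip
 version 2
 no auto-summary
 network 10.0.0.0
!
! ----- Verification (exec mode) -----
! RouterA# show ip protocols       -> "Passive Interface(s): GigabitEthernet0/0" in step 1;
!                                     "Outgoing update filter list for all interfaces is 10" in step 2
! RouterA# debug ip rip            -> in step 1 there is no "sending v2 update ... via GigabitEthernet0/0"
! RouterB# show ip route rip       -> step 1: no 5.5.5.0/24 at all; step 2: 5.5.5.0/24 present, 4.4.4.0/24 absent
! RouterB# show ip rip database    -> a filtered prefix never arrives, so it is absent here as well
```

Two practical notes. `distribute-list 10 out` applies to every RIP interface on Router A; append an interface name (`distribute-list 10 out GigabitEthernet0/0`) to limit it to one link. And `passive-interface` in RIP only stops Router A from sending; it does not stop Router B, or any other device on that segment, from injecting routes into A. If that matters, pair it with an inbound filter (`distribute-list ... in`) or RIP authentication on the interface. Use a standard ACL or an `ip prefix-list` for route filters: an extended ACL in a distribute-list compares its source field against the route's network and its destination field against the route's mask, which is rarely what is intended.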
 
mikey250 (Author) commented:
Yes, I totally understand, but my network setup was slightly different! My Router A was linked to Router B only. Routers A & B were configured with 'RIP v2'. sh ip route confirms this was all good!!

Router B was attached to another Router C which was not part of 'RIP v2', effectively a 'Stub'.

What I was expecting was to log on to Router B and 'NOT' see Router A's 'passive entry', but from what you are saying I needed to have a 3rd router which should NOT receive updates of Router A's passive entry.

I will check this tomorrow to clarify!!
 
mikey250 (Author) commented:
I've read your other comments below, and yes, I added 'Redistribute' on my Router B for e.g. and 'Redistribute static' on my Router C, as per my lab, but still on Router B I could see the passive. It was never seen on Router C though.

'One way to confirm this would be to configure 2 routers, Router A and Router B. Configure a passive interface on Router A and connect Router B to that interface. Add a static route (5.5.5.5) to Router A, add the "redistribute static" command to the routing protocol on Router A and you should NOT see the static route added to the routing table of Router B. This is because it should not be advertised out of the passive interface. Remove "passive" from the interface and the route should appear on Router B. Then add another static route (4.4.4.4). Add an ACL to router A that denies 5.5.5.5. Add a distribute list statement to the routing protocol on Router A referring to the ACL you just created. Now Router B will show the route to 5.5.5.5 from Router A but it will not show the route 4.4.4.4 from router A because it has been excluded from the advertised routes.

I wrote this fairly quickly and I may have overlooked something. But generally this is how passive interface and distribute lists are designed to work.'

I will do it again tomorrow!! Thanks!!
 
mikey250 (Author) commented:
Hi Steve, apologies for taking so long!! As per your last thread I've attached my configs. The 'passive-interfaces' are still showing on 'Vista'!! - Why?

Although as per my notes it states: Vista will not have a route to 172.16.5.0/30, as it is variably subnetted and RIPv1 does not support VLSM. The /32 networks you see are allowed by the classless command to support default networks in RIP and IGRP.

My routers use /24, but even changing it to '0.0.0.3 area 0' does not make a difference!

Attachments:
- sanjose1-routera.txt
- Baypoint-routerb.txt
- Vista-routerc.txt
