mikey250

asked on 

DIFFERENCE BETWEEN ACL & DISTRIBUTE-LISTS & PASSIVE-INTERFACE

Hi, I've been reading about these and can practically do these tasks, but although I ask for clarity in my 'explanation', I don't think I'm grasping the difference between 'Distribute-list & ACL's. - ?

I've just been configuring for further understanding with 'RIP v2'

ACL's - Can deny or permit networks, hosts, port or protocols via 'Standard/Extended ACL's' - So why use a 'Distribute-list' as below: (I can't grasp it)!!!!?

Distribute-lists - If a router wishes to block a specific interface, then by adding an 'ACL' but then inputting the 'Distribute-list' command within 'router rip', means that the 'network statement' in question, in 'RIP' does NOT need to be removed as still needs to be advertised via other connected networks via this 'RIP' process!! - I can't spot where I'm misunderstanding! ?

Or is Distribute-list also to do with (Not wasting unnecessary cpu resources or Flash memory) etc - As it is an example 'LAB' I'm following - ?

Passive-interface -This allows a network to be 'Advertised' to a directly connected network but NOT passed onto others via the 'RIP' process as unnecessary -?

The reason why I explain 'passive-interface' like this is because after adding this command I could still see the network in question on the actual router (as expected) but on the (connected router Not expected) so I also used this command on the connected router:

- sh ip route - This still showed me the network that I expected Not to see due to the passive-interface command being added - ?
- sh ip rip database - As the above command did show my Unexpected network I did think maybe (Here) it would NOT show the network in question confirming my explanation, but I'm now lost?
ASKER CERTIFIED SOLUTION
Steve Jennings

mikey250

ASKER

Hi Steve, thanks for your comments!!!  What I'm trying to find out is that, am I 'correct' in my own explanation otherwise my question specific for 'Distribute-lists' is why use it if I can just use 'ACL's' or is it because it still needs to be a part of the network via 'RIP' then 'ACL's by itself would not be sufficient?

Hopefully I get a response for the other questions from other comments as I just want to confirm my understanding!!
SOLUTION
mikey250

ASKER

Hi Steve,  Yes my (bad) I understand 'ACL's'.  Also that is what I meant as wanted to check why 'Distribute-lists' were useful and as you say 'it would prevent a route to 1.1.1.1 from being added to the routing table.'

My first part of this sentence I have explained wrong:

Distribute-lists - If a router wishes to block a specific interface, then by adding an 'ACL' but then inputting the 'Distribute-list' command within 'router rip', means that the 'network statement' in question, in  -  ('RIP' does NOT need to be removed as still needs to be advertised via other connected networks via this 'RIP' process!!) As per my 'MAIN' thread, so I did understand after all!!

Thanks for bringing clarity as I thought there was more to it!!

Just got 'passive-interface' now to understand as this did not work for me from my checks as per main thread!!
SOLUTION
mikey250

ASKER

Hi SteveJ, Yes that's what I understand but how do I confirm that it does not advertise as per main thread:

Passive-interface -This allows a network to be 'Advertised' to a directly connected network but NOT passed onto others via the 'RIP' process as unnecessary -?

The reason why I explain 'passive-interface' like this is because after adding this command I could still see the network in question on the actual router (as expected) but on the (connected router Not expected) so I also used this command on the connected router:

- sh ip route - This still showed me the network that I expected Not to see due to the passive-interface command being added - ?
- sh ip rip database - As the above command did show my Unexpected network I did think maybe (Here) it would NOT show the network in question confirming my explanation, but I'm now lost?

I'm not following your comment. Let's say I have a router (A). I receive a route (2.2.2.2) on interface 1 from router B. Interface 2 on router A is "passive" but connected to router C. Router C will not "see" the route 2.2.2.2 because the interface on router A is set to passive and will not send 2.2.2.2 out of that interface. Router C sends a route (3.3.3.3) to interface 2 on router A. Router A will add 3.3.3.3 to the routing table.

One way to confirm this would be to configure 2 routers. Router A and Router B. Configure a passive interface on Router A and connect Router B to that interface. Add a static route (5.5.5.5) to Router A, add the "redistribute static" command to the routing protocol on Router A and you should NOT see the static route added to the routing table of Router B. This is because it should not be advertised out of the passive interface. Remove "passive" from the interface and the route should appear on Router B. Then add another static route (4.4.4.4). Add an ACL to router A that denies 5.5.5.5. Add a distribute list statement to the routing protocol on Router A referring to the ACL you just created. Now Router B will show the route to 5.5.5.5 from Router A but it will not show the route 4.4.4.4 from router A because it has been excluded from the advertised routes.

I wrote this fairly quickly and I may have overlooked something. But generally this is how passive interface and distribute lists are designed to work.

Steve
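The two-router lab Steve describes, written out as a Router A configuration. This is an added example, not a config from the thread or from the asker's attachments; the interface names, addresses and ACL numbers are assumed. It puts the data-plane ACL (applied with ip access-group, filters forwarded packets) next to the control-plane filter (the same kind of ACL referenced by a distribute-list, filters RIP advertisements) so the difference the asker is after is visible in one place.

```cisco
! Router A (assumed names/addresses). Gi0/0 faces Router B and runs RIP.
! Gi0/1 faces a LAN that must still be advertised but should not
! receive RIP updates, so it is made passive.
interface GigabitEthernet0/0
 ip address 10.0.12.1 255.255.255.0
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
!
! Static routes that will be redistributed into RIP, as in Steve's lab
ip route 5.5.5.5 255.255.255.255 Null0
ip route 4.4.4.4 255.255.255.255 Null0
!
! Data-plane ACL: only affects packets forwarded through Gi0/1.
! It does NOT change which prefixes RIP advertises.
access-list 110 deny ip any host 4.4.4.4
access-list 110 permit ip any any
interface GigabitEthernet0/1
 ip access-group 110 in
!
! Control-plane filter: a standard ACL that the distribute-list below
! reuses to decide which prefixes RIP may send. No network statement
! has to be removed for 4.4.4.4 to stop being advertised.
access-list 10 deny 4.4.4.4 0.0.0.0
access-list 10 permit any
!
router rip
 version 2
 no auto-summary
 network 10.0.0.0
 network 192.168.1.0
 redistribute static metric 1
! No updates are sent out Gi0/1, but 192.168.1.0/24 is still advertised
! to Router B via Gi0/0, and updates arriving on Gi0/1 are still accepted.
 passive-interface GigabitEthernet0/1
! 5.5.5.5 reaches Router B, 4.4.4.4 is suppressed in outbound updates.
 distribute-list 10 out GigabitEthernet0/0
!
! Checks. On Router A, "show ip protocols" lists the passive interfaces
! and the outgoing update filter; "debug ip rip" shows each update and
! the interface it leaves on. On Router B, "show ip route rip" should
! list 192.168.1.0/24 and 5.5.5.5/32 but not 4.4.4.4/32.
```

If Router B still shows a prefix you expected the passive interface to hide, check which interface Router B actually learns it on: passive-interface only stops updates leaving that one interface, it does not stop the prefix being advertised on the others.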
mikey250

ASKER

Yes I totally understand but my network setup was slightly different!  My Router A was linked to Router B only. Router A & B were configured with 'RIP v2'.  sh ip route confirms this was all good!!

Router B was attached to another Router C which was not part of 'RIP v2', effectively a 'Stub'.

What I was expecting was to logon Router B and 'NOT' see Router A's 'passive entry', but from what you are saying I needed to have a 3rd router which should NOT receive updates of Router A passive entry.

I will check this tomorrow to clarify!!
mikey250

ASKER

I've read your other comments below, and yes I added 'Redistribute' on my Router B for example and 'Redistribute static' on my Router C, as per my lab but still on Router B I could see the passive.  It was never seen on Router C though.

'One way to confirm this would be to configure 2 routers. Router A and Router B. Configure a passive interface on Router A and connect Router B to that interface. Add a static route (5.5.5.5) to Router A, add the "redistribute static" command to the routing protocol on Router A and you should NOT see the static route added to the routing table of Router B. This is because it should not be advertised out of the passive interface. Remove "passive" from the interface and the route should appear on Router B. Then add another static route (4.4.4.4). Add an ACL to router A that denies 5.5.5.5. Add a distribute list statement to the routing protocol on Router A referring to the ACL you just created. Now Router B will show the route to 5.5.5.5 from Router A but it will not show the route 4.4.4.4 from router A because it has been excluded from the advertised routes.

I wrote this fairly quickly and I may have overlooked something. But generally this is how passive interface and distribute lists are designed to work.'

I will do again tomorrow!!  thanks!!
mikey250

ASKER

Hi Steve, apologies for taking so long!!  As per your last thread I've attached my configs.  The 'passive-interfaces' are still showing on 'Vista'!! - Why?

Although as per my notes it states:  Vista will not have a route to 172.16.5.0/30, is variably subnetted and RIPv1 does not support VLSM.  The /32 networks you see are allowed by the classless command to support default networks in RIP and IGRP.

My routers use /24, but even changing it to '0.0.0.3 area 0' this does not make a difference!
sanjose1-routera.txt
Baypoint-routerb.txt
Vista-routerc.txt