5.2.b Implement and troubleshoot router security features

5.2.b [i] IPv4 access control lists [standard, extended, time-based]

This is something that Peter Paluch posted on CLN about the differences between route-maps, distribute lists and ACLs.

Thanks Peter, I'm hijacking it… thanks for getting it out of him, Sarah.

Differences between ACL, Route-Maps and Distribution list – Excellent summary by Peter Paluch.

sarah Aug 2, 2015 7:37 AM

Sharing…Quoting…

Difference between ACL , Distribution list and route map | WAN, Routing and Switching | Cisco Support Community | 5991 |…

“Let’s first talk about ACLs and route maps. ACLs, as you already know, were explained in CCNA as mechanisms to filter packets based on their properties – source and destination addresses, transport layer protocol and ports, flags and perhaps some other attributes. However, this is not the only possible use of ACLs. An ACL is basically a mechanism accepting certain input from the IOS (source, destination, protocol, port, etc.) and returning three possible results:

  • found a matching entry and the action is permit
  • found a matching entry and the action is deny
  • not found any matching entry

Now, because the ACL simply performs a matching operation and gives you a permit or deny result, you can use it in different places where some filtering based on addresses or address-like values is required. One of such applications is filtering the networks that are advertised or redistributed in routing protocols. In this case, we do not filter packets but rather, we filter the prefixes that are carried inside routing protocol’s messages.

A route-map is a generalization of an ACL. In addition to the capability to match packets or prefixes and permit or deny them, it is also capable of performing certain operations that modify the router’s behavior or the attributes of these prefixes. Sometimes, a route-map is explained as an if-then-else mechanism: if some prefixes match some criteria then perform some specific action about them, else move to the next entry in the route-map.

Thus, the main differences between a route-map and an ACL are:

  • A route-map can perform matching operations based on very diverse attributes. An ACL performs matching based only on IP addresses, L4 protocols and ports and some additional variables typical for packet headers and contents. In fact, when a route-map needs to perform these kinds of matches, it simply calls an ACL to do this job. However, it can also perform matching on different criteria (AS paths, metrics, route types, outgoing interfaces, …) that are not matchable by an ACL.
  • A route-map can perform a set operation on the packets or prefixes it matched, modifying their route (packets) or their attributes (prefixes). An ACL can only permit or deny them but it can’t modify anything about them.

So to put it shortly, an ACL performs matching and filtering based on addressing information. A route-map performs matching, modification and filtering based on several types of matches, and it uses ACLs if the required matching is to be based on addressing information (it may also use other types of matches different from ACLs).

A distribution list is actually a misnomer and does not really belong here. A distribution list is really only a command that uses route-maps or ACLs to perform filtering of routing information advertised or received within a particular routing protocol. It is not a standalone filtering mechanism similar to ACLs/route-maps. The relation between route-maps or ACLs and distribute lists is the same as the relation between ACLs and “ip access-group”. An ACL is a mechanism to perform filtering while “ip access-group” is a command that uses this ACL to filter packets. In the very same way, an ACL or route-map is a mechanism to perform prefix filtering (and optional modification) while “distribute-list” is the command in the particular routing protocol’s configuration that uses this ACL or route-map to filter advertised or received prefixes.

Sometimes a confusion exists about the difference between distribute lists and redistribution. Redistribution is a process of injecting routes from a different source into a particular routing protocol. If filtering is required during this process, route-maps are used. Technically, ACLs could also be used but the Cisco command line does not support referring directly to ACLs when redistributing, so route-maps are used, and these in turn refer to ACLs to perform the actual filtering. A distribute list controls what prefixes are advertised or received within a single routing protocol, i.e. after they have been somehow injected into it, and it does not matter how.

So to sum it up – ACLs and route-maps perform matching, modification and filtering operations. Route-maps can refer to ACLs to perform matching operations based on addressing values. Both route-maps and ACLs can be referred to in a distribute-list command to filter networks advertised or received in a routing protocol. Additionally, route-maps are used during redistribution to filter and modify the redistributed networks and their attributes. Route-maps also constitute the main tool used to match and modify attributes of BGP-advertised networks.

A last comment here: increasingly, the ACLs used to filter routing updates are replaced by so-called IP prefix lists. These IP prefix lists are easier to write and understand than ACLs and are evaluated more effectively when matching network prefixes. This would, however, require a totally new thread so I’m not going into that right now.
Best regards,
Peter”
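To tie Peter's explanation to actual IOS configuration, here is an added example (my own, not from Peter's post or the CLN thread) that uses one ACL in all three roles he describes: as a packet filter via ip access-group, as a prefix filter via distribute-list, and as the match criterion of a route-map that is then used for redistribution. The ACL name FILTER-NETS, the route-map name OSPF-TO-EIGRP, EIGRP AS 100, OSPF process 1, interface GigabitEthernet0/1 and the 10.10.0.0/16 range are all assumed for illustration.

```cisco
! Added example, not from the original post. Assumed names: FILTER-NETS,
! OSPF-TO-EIGRP, EIGRP AS 100, OSPF process 1, Gi0/1, 10.10.0.0/16.
!
! 1. The ACL is only a match engine. Each lookup ends in one of three
!    states: matched-permit, matched-deny, or no match (which falls to
!    the implicit deny at the end). The explicit "deny any" is redundant
!    but gives a visible hit counter in "show ip access-lists".
ip access-list standard FILTER-NETS
 permit 10.10.0.0 0.0.255.255
 deny   any
!
! 2. Packet filtering: "ip access-group" is the hook that applies the
!    ACL to traffic entering Gi0/1. The ACL itself does not know it is
!    filtering packets.
interface GigabitEthernet0/1
 ip access-group FILTER-NETS in
!
! 3. Route-map = the if-then-else wrapper. Sequence 10 is the "if":
!    prefixes the ACL permits get an EIGRP seed metric (bandwidth, delay,
!    reliability, load, MTU). Sequence 20 is the "else": anything the
!    ACL denies or does not list is dropped. A route-map also ends in an
!    implicit deny; the explicit entry simply documents the intent.
route-map OSPF-TO-EIGRP permit 10
 match ip address FILTER-NETS
 set metric 10000 100 255 1 1500
route-map OSPF-TO-EIGRP deny 20
!
! 4. Prefix filtering and redistribution inside one protocol.
!    - distribute-list reuses the same ACL to decide which EIGRP routes
!      may be advertised out Gi0/1. A standard ACL tests only the network
!      address, never the prefix length, so 10.10.0.0/16 and 10.10.1.0/24
!      both pass; use an ip prefix-list when the length matters.
!    - redistribute accepts a route-map but never an ACL directly; the
!      "set metric" in the route-map supplies the seed metric that EIGRP
!      needs for redistributed OSPF routes.
router eigrp 100
 network 10.0.0.0
 distribute-list FILTER-NETS out GigabitEthernet0/1
 redistribute ospf 1 route-map OSPF-TO-EIGRP
```

After applying this, `show ip access-lists FILTER-NETS` shows the entries and packet-filter hit counts, `show route-map OSPF-TO-EIGRP` shows the match and set clauses per sequence, and `show ip eigrp topology` should list only 10.10.0.0/16 prefixes as external (redistributed) routes. Note the security-relevant trap in step 4: because the ACL cannot see the prefix length, a filter meant to allow one /16 also admits every more specific prefix inside it, which is exactly why Peter recommends prefix lists for route filtering.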