Friday, October 5, 2012

Route filtering by means of distribute lists with ACLs, IP prefix lists and route maps

When using ACLs with distribute lists, the most confusing thing for me is that:
  1. A deny statement in the ACL stops the route from being accepted (inbound) or advertised (outbound);
  2. Because every ACL ends with an implicit deny, if there is no "permit any" at the end, only the routes explicitly matched by a permit statement get through.
I was used to ACLs "catching" something with a permit statement and the caller deciding what happens to the match. That is how it works when the ACL is referenced from a route map: a permit entry in the ACL only means "this route matches the clause", and the route-map clause's own permit or deny decides whether the route passes; a deny entry in the ACL means "no match here, try the next clause" and never blocks the route by itself. Under a distribute list there is no route map in between, so the ACL's permit and deny are the final answer.

IP prefix lists follow the same logic:
"Each command has a permit or deny action, but because it is used only for matching routes, and not for packet filtering, the permit or deny keyword just implies whether a route is matched (permit) or not (deny)." - CCNP ROUTE Official Cert Guide.
So, to let a route through a distribute list, a permit entry must be used in the prefix list, and to block it a deny entry is used. Entries are checked in sequence order and the first match wins; as always, the list ends with an implicit deny all, so a route that matches no entry is dropped. The one thing a prefix list adds over a standard ACL is the ge/le range: a standard ACL only sees the route's network address, while a prefix list can tell 10.1.0.0/16 from 10.1.0.0/24.
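To make the difference concrete, here is a small Python model of the IOS evaluation rules described above, added here as an illustration (it is not code from the original post or from Cisco). It models a standard ACL, a prefix list with ge/le, and a route map whose clauses match on those lists, and runs the same constructed routing update through a distribute list with an ACL, a distribute list with a prefix list, and two route maps. The IOS commands in the comments use standard syntax; the list numbers, names, and prefixes are made up for the demo.

```python
"""Model of how Cisco IOS evaluates an ACL or prefix list under a
distribute-list versus under a route-map 'match ip address' clause.
Added example: list numbers, names and prefixes are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class AclEntry:
    action: str      # "permit" or "deny"
    network: str     # access-list <n> permit|deny <network> <wildcard>
    wildcard: str


@dataclass
class PrefixEntry:
    action: str
    prefix: str               # ip prefix-list <name> permit|deny <prefix> [ge N] [le M]
    ge: Optional[int] = None
    le: Optional[int] = None


@dataclass
class RouteMapClause:
    action: str                                               # route-map <name> permit|deny <seq>
    match: Optional[Callable[[ipaddress.IPv4Network], str]]   # 'match ip address ...'; None = match all


def acl_entry_matches(e: AclEntry, route: ipaddress.IPv4Network) -> bool:
    # A standard ACL compares only the route's network address; the mask length is invisible to it.
    care = ~int(ipaddress.IPv4Address(e.wildcard)) & 0xFFFFFFFF
    return (int(route.network_address) & care) == (int(ipaddress.IPv4Address(e.network)) & care)


def prefix_entry_matches(e: PrefixEntry, route: ipaddress.IPv4Network) -> bool:
    base = ipaddress.IPv4Network(e.prefix)
    lo = e.ge if e.ge is not None else base.prefixlen
    hi = e.le if e.le is not None else (32 if e.ge is not None else base.prefixlen)
    # The first base.prefixlen bits must agree and the route's length must fall in [lo, hi].
    return route.network_address in base and lo <= route.prefixlen <= hi


def eval_acl(entries: List[AclEntry], route: ipaddress.IPv4Network) -> str:
    """First match wins; a route matching no entry hits the implicit deny."""
    for e in entries:
        if acl_entry_matches(e, route):
            return e.action
    return "deny"


def eval_prefix_list(entries: List[PrefixEntry], route: ipaddress.IPv4Network) -> str:
    """Same first-match / implicit-deny rule as the ACL, but mask-aware."""
    for e in entries:
        if prefix_entry_matches(e, route):
            return e.action
    return "deny"


def eval_route_map(clauses: List[RouteMapClause], route: ipaddress.IPv4Network) -> str:
    """A clause is taken only when its list answers 'permit'; 'deny' from the list means
    'not matched here, try the next clause'. No clause taken -> implicit deny."""
    for c in clauses:
        if c.match is None or c.match(route) == "permit":
            return c.action
    return "deny"


def filter_routes(routes: List[str], decide: Callable[[ipaddress.IPv4Network], str]) -> List[str]:
    """Return the routes of an update that the given filter lets through."""
    return [r for r in routes if decide(ipaddress.IPv4Network(r)) == "permit"]


# Constructed routing update to filter.
ROUTES = ["10.1.1.0/24", "10.1.0.0/24", "10.1.0.0/16", "10.2.0.0/16", "192.168.1.0/24"]

# access-list 10 deny 10.1.1.0 0.0.0.255
# access-list 10 permit 10.0.0.0 0.255.255.255
# router eigrp 1 / distribute-list 10 in
ACL10 = [AclEntry("deny", "10.1.1.0", "0.0.0.255"),
         AclEntry("permit", "10.0.0.0", "0.255.255.255")]

# ip prefix-list PL seq 5 deny 10.1.0.0/16 ge 24
# ip prefix-list PL seq 10 permit 10.0.0.0/8 le 16
# router eigrp 1 / distribute-list prefix PL in
PL = [PrefixEntry("deny", "10.1.0.0/16", ge=24),
      PrefixEntry("permit", "10.0.0.0/8", le=16)]

# access-list 20 permit 10.1.1.0 0.0.0.255   <- 'permit' is what catches the route
# route-map RM deny 10 / match ip address 20
# route-map RM permit 20
RM = [RouteMapClause("deny", lambda r: eval_acl([AclEntry("permit", "10.1.1.0", "0.0.0.255")], r)),
      RouteMapClause("permit", None)]

# access-list 21 deny 10.1.1.0 0.0.0.255     <- a 'deny' entry catches nothing in a route map
# route-map RM2 deny 10 / match ip address 21
# route-map RM2 permit 20
RM2 = [RouteMapClause("deny", lambda r: eval_acl([AclEntry("deny", "10.1.1.0", "0.0.0.255")], r)),
       RouteMapClause("permit", None)]


def distribute_list_acl() -> List[str]:
    # 10.1.1.0/24 and 192.168.1.0/24 are dropped; 10.1.0.0/24 and 10.1.0.0/16 look the same to the ACL
    return filter_routes(ROUTES, lambda r: eval_acl(ACL10, r))


def distribute_list_prefix() -> List[str]:
    # 'ge 24' additionally drops 10.1.0.0/24 while keeping 10.1.0.0/16
    return filter_routes(ROUTES, lambda r: eval_prefix_list(PL, r))


def route_map_correct() -> List[str]:
    # only 10.1.1.0/24 is dropped; everything else falls through to the permit clause
    return filter_routes(ROUTES, lambda r: eval_route_map(RM, r))


def route_map_wrong() -> List[str]:
    # nothing is dropped: the deny clause never matches, so every route reaches clause 20
    return filter_routes(ROUTES, lambda r: eval_route_map(RM2, r))


if __name__ == "__main__":
    for name, fn in [("distribute-list 10", distribute_list_acl),
                     ("distribute-list prefix PL", distribute_list_prefix),
                     ("route-map RM", route_map_correct),
                     ("route-map RM2", route_map_wrong)]:
        print(f"{name}: {fn()}")
```

The RM2 case is the trap the post describes: moving the deny from the route map into the ACL does not filter anything, because inside a route map the ACL's deny only means "not matched". The distribute-list cases show the opposite reading of the same keyword, and the prefix-list case shows why ge/le is needed when the mask length matters.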