1. Distribute lists (distribute-list)
The gateway keyword can be used only with prefix-lists (distribute-list prefix ... gateway ... in); there is no equivalent for access-lists.
a. Distribute lists using access-lists.
Common to all ACLs: they can match only the prefix (the network address), not the prefix length, so an ACL-based distribute-list cannot tell 10.0.0.0/8 from 10.0.0.0/24.
Two types of ACL can be used:
Standard access-lists can specify the route, but not the origin of the route (the advertising router). The route is specified as a host address (0.0.0.0 wildcard bits).
Extended access-lists
The origin is specified in the source portion of the ACL (as a host address) and the route being filtered is specified in the destination field.
By origin I mean the next hop (NH) of the route, not the router that sent the update (see the hub-and-spoke note below).
b. Prefix-lists.
The logic is the following:
distribute-list prefix SUBNETS gateway PREFIX_LIST_WITH_NH_IP in
The prefix-list PREFIX_LIST_WITH_NH_IP is matched against the next-hop addresses of the routes: everything from a next hop it denies is dropped (use a deny entry for that /32), and the routes from the next hops it permits are then matched against the prefix-list SUBNETS, which can block any route from the rest of the routes in the router's database.
Once again: the routes from route sources that are permitted by the gateway prefix-list (with a permit statement) can be further filtered with the SUBNETS prefix-list. A route has to be permitted by both lists to be accepted.
The following applies both to filtering with extended access-lists and to filtering with prefix-lists and the gateway keyword.
If the "gateway" prefix-list (prefix-list filtering) or the source address (extended ACL filtering) is defined under the distribute-list command, the address it has to match is the next hop of the route, not the sending router!!! This is particularly interesting in hub-and-spoke topologies where the hub and all spokes share a common subnet. When the hub sends a route to spoke 1 and the next hop of that route is spoke 2 (which announced the network to the hub; RIPv2 carries an explicit next-hop field, and the hub fills it with spoke 2's address because spoke 2 is on the same subnet as spoke 1), an inbound filter on spoke 1 that defines "gateway" as the IP of the hub will not match anything: the hub is the sender of the update, but not the next hop. You have to specify the IP of the next hop, i.e. spoke 2!
R3#show ip route 10.200.0.1
Routing entry for 10.200.0.1/32
Known via "rip", distance 120, metric 2
Redistributing via rip
Last update from 10.50.0.2 on Serial0/0.3, 00:00:01 ago
Routing Descriptor Blocks:
* 10.50.0.2, from 10.50.0.5, 00:00:01 ago, via Serial0/0.3
Route metric is 2, traffic share count is 1
In other words, as we see from the output above, the address to filter on is 10.50.0.2 (the next hop), not 10.50.0.5 (the advertising router the route is "from").
2. Distance
What is particularly different in distance VALUE ROUTE_SOURCE WILDCARD ROUTE_ACL is that here the route source is the advertising router's address (the "from" address in show ip route, 10.50.0.5 in the output above), not the NH address we used in the previous distribute-list examples. A distance of 255 makes the matching routes unusable, so they are not installed in the routing table.
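As an added example (it is not part of these notes), the following Python parses the Routing Descriptor Block of a show ip route entry and emits, for the commands in sections 1 and 2, the configuration with the address each of them must reference: the next hop for distribute-list (the gateway prefix-list and the extended-ACL source), the advertising router for distance. The list names GATEWAYS and SUBNETS, the ACL numbers 100 and 10, and the sample output (a copy of the R3 output above) are assumptions chosen for this example.

```python
"""Added example, not from the original notes: turn `show ip route <prefix>` output
into RIP filtering commands, using the next-hop address where distribute-list
needs it and the advertising-router address where distance needs it.

Assumptions (not from the notes): the output follows the Routing Descriptor Block
layout shown in the notes; the names GATEWAYS, SUBNETS and the ACL numbers 100/10
are arbitrary choices for this example.
"""
import re
from dataclasses import dataclass

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ENTRY_RE = re.compile(rf"^Routing entry for (?P<prefix>{IPV4}/\d{{1,2}})")
# Matches "* 10.50.0.2, from 10.50.0.5, 00:00:01 ago, via Serial0/0.3"
RDB_RE = re.compile(
    rf"^\s*\*?\s*(?P<nh>{IPV4}),\s+from\s+(?P<src>{IPV4}),.*\bvia\s+(?P<intf>\S+)\s*$"
)


@dataclass(frozen=True)
class RouteEntry:
    prefix: str
    next_hop: str            # what "gateway" and the extended-ACL source must match
    advertising_router: str  # what "distance <value> <addr> <wildcard>" must match
    interface: str


def parse_show_ip_route(output: str) -> list[RouteEntry]:
    """Return one RouteEntry per Routing Descriptor Block line in the output."""
    prefix = None
    entries: list[RouteEntry] = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            prefix = m.group("prefix")
            continue
        m = RDB_RE.match(line)
        if m and prefix:
            entries.append(RouteEntry(prefix, m.group("nh"), m.group("src"), m.group("intf")))
    return entries


def block_next_hop_with_gateway(e: RouteEntry, gw_list="GATEWAYS", subnet_list="SUBNETS") -> list[str]:
    """distribute-list with gateway: drop everything whose next hop is e.next_hop."""
    return [
        f"ip prefix-list {gw_list} seq 5 deny {e.next_hop}/32",
        f"ip prefix-list {gw_list} seq 10 permit 0.0.0.0/0 le 32",
        f"ip prefix-list {subnet_list} seq 5 permit 0.0.0.0/0 le 32",
        "router rip",
        f" distribute-list prefix {subnet_list} gateway {gw_list} in",
    ]


def block_route_with_extended_acl(e: RouteEntry, acl=100) -> list[str]:
    """Extended ACL: source = next hop (not the advertising router), destination = the route."""
    network = e.prefix.split("/")[0]
    return [
        f"access-list {acl} deny ip host {e.next_hop} host {network}",
        f"access-list {acl} permit ip any any",
        "router rip",
        f" distribute-list {acl} in",
    ]


def reject_route_with_distance(e: RouteEntry, acl=10) -> list[str]:
    """distance: the address is the advertising router ('from'); 255 makes the route unusable."""
    network = e.prefix.split("/")[0]
    return [
        f"access-list {acl} permit {network}",
        "router rip",
        f" distance 255 {e.advertising_router} 0.0.0.0 {acl}",
    ]


# Constructed sample: a copy of the R3 output quoted in the notes.
SAMPLE = """\
Routing entry for 10.200.0.1/32
  Known via "rip", distance 120, metric 2
  Redistributing via rip
  Last update from 10.50.0.2 on Serial0/0.3, 00:00:01 ago
  Routing Descriptor Blocks:
  * 10.50.0.2, from 10.50.0.5, 00:00:01 ago, via Serial0/0.3
      Route metric is 2, traffic share count is 1
"""

if __name__ == "__main__":
    for entry in parse_show_ip_route(SAMPLE):
        for build in (block_next_hop_with_gateway, block_route_with_extended_acl, reject_route_with_distance):
            print("\n".join(build(entry)), end="\n\n")
```

Run it against the saved output of show ip route for the prefix you want to filter; the "Last update from" line is deliberately not matched, only the Routing Descriptor Block line, which is where the NH and the "from" router are both visible.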
3. Offset lists
With offset lists (offset-list ACL {in | out} OFFSET [INTERFACE]) the ACL that we specify in the command should PERMIT the networks we want the offset applied to: we select the networks with permit statements, and the networks denied by this ACL are simply left untouched by the offset-list command (they are not filtered out, their metric is just not changed). An access list of 0 applies the offset to all routes.