Filter list vs. Distribute lists


(Sheldon S) #1

Can access-lists and prefix lists be used interchangeably to perform route-filtering via distribute-lists or filter-lists? Is there an advantage to using one over the other? Also, are there best practices or considerations when deciding to use distribute lists vs. filter lists?


(Rene Molenaar) #2

Hi Sheldon,

There are some important differences. When you refer to a distribute-list, you can choose between a number of options. For example, here’s EIGRP:

R1(config)#router eigrp 1
R1(config-router)#distribute-list ?
  <1-199>      IP access list number
  <1300-2699>  IP expanded access list number
  WORD         Access-list name
  gateway      Filtering incoming updates based on gateway
  prefix       Filter prefixes in routing updates
  route-map    Filter prefixes based on the route-map

You can choose between an access-list, prefix-list or route-map.

If you want to match specific hosts, subnets or networks then you can use an access-list. You can achieve the same thing with a prefix-list but there is one thing that you can do with a prefix-list that you can’t with an access-list.

Let’s say you want to match all subnets in the 10.x.x.x range that have a subnet mask between /24 and /30. This can be achieved with a prefix-list, not with an access-list. You can find some examples here:

Other protocols like BGP are a bit more restrictive:

R1(config-router)#neighbor 192.168.12.2 filter-list ?
  <1-500>  AS path access list

The filter list is only to filter AS paths; the distribute-list is only for access-lists:

R1(config-router)#neighbor 192.168.12.2 distribute-list ?
  <1-199>      IP access list number
  <1300-2699>  IP access list number (expanded range)
  WORD         IP Access-list name

As a best practice, it’s best to use route-maps everywhere when possible:

R1(config)#router bgp 1
R1(config-router)#neighbor 192.168.12.2 route-map R2_FILTER out
R1(config)#router eigrp 1
R1(config-router)#distribute-list route-map R2_FILTER out

The reason for this is that the route-map offers a lot of different match options:

R1(config)#route-map R2_FILTER permit 10
R1(config-route-map)#match ?
  additional-paths  BGP Add-Path match policies
  as-path           Match BGP AS path list
  clns              CLNS information
  community         Match BGP community list
  extcommunity      Match BGP/VPN extended community list
  interface         Match first hop interface of route
  ip                IP specific information
  ipv6              IPv6 specific information
  length            Packet length
  local-preference  Local preference for route
  mdt-group         Match routes corresponding to MDT group
  metric            Match metric of route
  mpls-label        Match routes which have MPLS labels
  policy-list       Match IP policy list
  route-type        Match route-type of route
  rpki              Match RPKI state of route
  security-group    Security Group
  source-protocol   Match source-protocol of route
  tag               Match tag of route
  track             tracking object
R1(config-route-map)#match ip address ?
  <1-199>      IP access-list number
  <1300-2699>  IP access-list number (expanded range)
  WORD         IP access-list name
  prefix-list  Match entries of prefix-lists

Not all route-map options are supported when you want to use it for filtering. Combining different options is also possible sometimes.

Rene
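
The /24 to /30 match described in the post above, as an added example that is not part of the original thread: a small Python model of how an IOS prefix-list entry with `ge`/`le` is evaluated (length window, first match wins, implicit deny). The list name TEN_24_30 and the sample routes are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                 # "permit" or "deny"
    prefix: str                 # e.g. "10.0.0.0/8"
    ge: Optional[int] = None    # minimum prefix length, if configured
    le: Optional[int] = None    # maximum prefix length, if configured

    def matches(self, route: str) -> bool:
        base = ipaddress.ip_network(self.prefix)
        net = ipaddress.ip_network(route)
        if net.version != base.version:
            return False
        if self.ge is None and self.le is None:
            lo = hi = base.prefixlen            # no ge/le: exact length only
        else:
            lo = base.prefixlen if self.ge is None else self.ge
            hi = base.max_prefixlen if self.le is None else self.le
        # Length must fall in the window and the leading bits must agree.
        return lo <= net.prefixlen <= hi and net.subnet_of(base)

def evaluate(plist: List[Entry], route: str) -> str:
    """First matching entry (lowest seq) decides; no match is an implicit deny."""
    for entry in sorted(plist, key=lambda e: e.seq):
        if entry.matches(route):
            return entry.action
    return "deny"

def filter_routes(plist: List[Entry], routes: List[str]) -> List[str]:
    return [r for r in routes if evaluate(plist, r) == "permit"]

# Models: ip prefix-list TEN_24_30 seq 5 permit 10.0.0.0/8 ge 24 le 30
TEN_24_30 = [Entry(5, "permit", "10.0.0.0/8", ge=24, le=30)]

# Constructed sample routes, as they might arrive in a routing update.
SAMPLE_ROUTES = ["10.0.0.0/8", "10.2.0.0/16", "10.1.1.0/24",
                 "10.3.3.4/30", "10.4.4.4/32", "172.16.1.0/24"]

if __name__ == "__main__":
    for r in SAMPLE_ROUTES:
        print(f"{r:16} {evaluate(TEN_24_30, r)}")
```

Only the /24 and /30 routes inside 10.0.0.0/8 are permitted; the /8, /16, /32 and the 172.16.1.0/24 route all fall through to the implicit deny.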


(Jermaine D) #3

I am a bit new to distribution lists and prefix-lists. Can you explain why they are being used for filtering, or give an example of what they are being used for? Is it to reduce the size of the routing table so that every packet does not have to go through the entire routing table to forward packets?

  1. Do route-maps use process switching or fast switching?
  2. If route-maps use process switching and have to inspect every packet that is routed via different path why would you use it if it is CPU intensive?

(Lazaros Agapides) #4

Hello Jermaine

Distribute and prefix lists are used in order to filter particular routes from being learned via a routing protocol. You may want to do this in order to restrict access to these networks from particular areas of the network and to provide access to them from others. It all depends on what your requirements are. The point is not to make the routing table smaller, it just gives you control over what information you want to provide to particular routers on the network and what information you want to restrict. Distribute and prefix lists just function differently from each other. You can find out information about them in these lessons. The first two are the application of distribute lists for OSPF and EIGRP (which is almost identical) and the third is the application of prefix lists in EIGRP:



Now concerning your other questions:

According to the documentation below, policy based routing, which employs route maps, uses process switching. In order to employ fast switching for policy based routing, the ip route-cache policy interface configuration command must be issued.

For more information about this particular command, take a look at this command reference link:

I hope this has been helpful!

Laz