Cisco ACL and Route Map

Today we will discuss about basics, Everybody is aware about ACL and Route-maps. But then also some confusion, Here in this post I will share some information about ACL and route-maps. Which can help you to understand these two terms more…

ACL :

The Cisco ACL  are used for filtering traffic based on a given filtering criteria on a router or switch interface. Based on the configured ACL, a packet is allowed or blocked from interface. Cisco ACLs are available for several types of routed protocols including IP, IPX, AppleTalk, XNS, DECnet, and others. Majorly we are using TCP/IP ACLs for TCP/IP traffic filtering are classified into two types: Standard Access Lists, and Extended Access Lists

Standard Access Control Lists: 

Standard IP ACLs range from 1 to 99. A Standard Access List  allows you to permit or deny traffic FROM specific IP address ( source). We can’t filter packet on destination basis.

Syntax: access-list access-list-number {permit|deny} {host|source source-wildcard|any}

Standard ACL example:

access-list 10 permit 10.1.1.0 0.0.0.255

This list allows traffic from all addresses in the range 10.1.1.0 to 10.1.1.255

There is an implicit deny added to every access list at last.

show access-list 10

The output looks like:

access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 deny any

Extended Access Control Lists:

 Extended IP ACLs allow you to permit or deny traffic from specific IP addresses to a specific destination IP address and port. It also allows you to have granular control by specifying controls for different types of protocols such as ICMP, TCP, UDP, etc within the ACL statements.

the access-list-number can be 101 to 199. In Cisco IOS Software Release 12.0.1, extended ACLs begin to use additional numbers (2000 to 2699)

access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence]

Extended ACL example:

access-list 110 permit tcp 10.1.1.0 0.0.0.255 any eq 80

ACL 110 permits traffic originating from any address on the 10.1.1.0 network. The 'any' statement means that the traffic is allowed to have any destination address with the limitation of going to port 80.

Applying an ACL to a router interface:

After the ACL is defined, it must be applied to the interface (inbound or outbound). The syntax for applying an ACL to a router interface is given below:

interface
ip access-group {number|name} {in|out}

An Access List may be specified by a name or a number. "in" applies the ACL to the inbound traffic, and "out" applies the ACL on the outbound traffic.

Example:

To apply the standard ACL created in the previous example, use the following commands:

Rouer(config)#interface serial 0
Rouer(config-if)#ip access-group 10 out

Route-map

Route-maps have many features in common with widely known access control lists (ACLs). These are some of the traits common to both mechanisms:
They are an ordered sequence of individual statements; each has a permit or deny result. Evaluation of ACL or route-maps consists of a list scan, in  order, and an evaluation of the criteria of each statement that matches. A list scan is aborted once the first statement match is found and an action associated with the statement match is performed.
These are some of the differences between route-maps and ACLs:
Route-maps frequently use ACLs as matching criteria.
The result from an access list is a yes or no answer—an ACL either permits or denies input data. Applied to redistribution, an ACL determines if a particular route can (route matches ACLs permit statement) or cannot (matches deny statement) be redistributed.
Typical route-maps not only permit redistributed routes but also modify information associated with the route, when it is redistributed into another protocol.

route-map ospf-to-eigrp deny 10

 match tag 6

 match route-type external type-2

!

route-map ospf-to-eigrp permit 20

 match ip address 110

 set metric 20000 2000 255 1 1500

!

route-map ospf-to-eigrp permit 30

 set tag 8

!

router eigrp 1

 redistribute ospf 1 route-map ospf-to-eigrp

 default-metric 20000 2000 255 1 1500

Route-maps are more flexible than ACLs and can verify routes based
on criteria which ACLs can not verify. For example, a route-map can verify if
the type of route is internal or if it has a specific tag.

Each ACL ends with an implicit deny statement, there is no similar
convention for route-maps. If the end of a route-map is reached during matching
attempts, the result depends on the specific application of the route-map.Route-maps
that are applied to redistribution behave the same way as ACLs: if the route
does not match any clause in a route-map then the route redistribution is
denied, as if the route-map contained deny statement at the end

Route-maps is used in BGP, redistribution,etc.

In BGP :

• Route-map can match on:
• A network number and subnet mask match with an IP prefix list
• Route originator
• BGP next hop address
• BGP origin
• Tag attached to IGP route
• AS-path
• BGP community
• IGP route type (internal/external)
• Route-maps can also change the attributes of BGP routes
• Route-maps can set
• Origin
• BGP community
• BGP next hop
• Local preference
• Weight
• MED

Hope this information will help you.