
Saturday, August 14, 2010

Cisco ACL and Route Map

Today we will discuss the basics. Everybody is aware of ACLs and route-maps, but there is still some confusion, so in this post I will share some information about ACLs and route-maps that can help you understand these two terms better.

ACL:
Cisco ACLs are used to filter traffic on a router or switch interface according to given filtering criteria. Based on the configured ACL, a packet is either permitted or blocked at the interface.

Cisco ACLs are available for several types of routed protocols including IP, IPX, AppleTalk, XNS, DECnet and others. Mostly we use TCP/IP.

ACLs for TCP/IP traffic filtering are classified into two types:
  • Standard Access Lists, and
  • Extended Access Lists
Standard Access Control Lists:
Standard IP ACLs range from 1 to 99. A Standard Access List allows you to permit or deny traffic FROM a specific IP address (the source). It cannot filter packets on a destination basis.

Syntax: access-list access-list-number {permit|deny} {host address|source source-wildcard|any}

Standard ACL example:
access-list 10 permit 10.1.1.0 0.0.0.255
This list allows traffic from all addresses in the range 10.1.1.0 to 10.1.1.255.
There is an implicit deny added at the end of every access list.

show access-list 10

The output looks like:
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 deny any

Extended Access Control Lists:
Extended IP ACLs allow you to permit or deny traffic from specific source IP addresses to a specific destination IP address and port. They also give you granular control by specifying conditions for different protocols such as ICMP, TCP, UDP, etc. within the ACL statements.
The access-list-number can be 101 to 199. Starting with Cisco IOS Software Release 12.0.1, extended ACLs can also use additional numbers (2000 to 2699).

access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence]

Extended ACL example:
access-list 110 permit tcp 10.1.1.0 0.0.0.255 any eq 80

ACL 110 permits TCP traffic originating from any address on the 10.1.1.0 network. The 'any' keyword means the traffic may have any destination address, with the limitation that it must be going to port 80.

Applying an ACL to a router interface:
After the ACL is defined, it must be applied to an interface (inbound or outbound). The syntax for applying an ACL to a router interface is given below:
interface interface-name
 ip access-group {number|name} {in|out}

An access list may be specified by name or by number. "in" applies the ACL to inbound traffic, and "out" applies the ACL to outbound traffic.

Example:
To apply the standard ACL created in the previous example, use the following commands:
Router(config)#interface serial 0
Router(config-if)#ip access-group 10 out
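To make the wildcard mask, first-match and implicit-deny behaviour concrete, here is an added Python model (not from the original post or from Cisco) that parses the two access lists above and evaluates packets against them. The packet dictionary and the 192.0.2.10 destination are constructed sample input.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # 'any': every bit is a don't-care

def wildcard_match(ip, network, wildcard):
    """Cisco wildcard mask: a 0 bit must match the network, a 1 bit is ignored."""
    ip, net, wc = (int(ipaddress.IPv4Address(x)) for x in (ip, network, wildcard))
    return (ip & ~wc) == (net & ~wc)

def _addr(tokens):
    """Consume one address spec ('any' | 'host A' | 'A WILDCARD'); return (net, wc, rest)."""
    if tokens[0] == "any":
        return ANY + (tokens[1:],)
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]

def parse_acl(lines):
    """Parse 'access-list N permit|deny ...' lines; 1-99 standard, 100-199/2000-2699 extended."""
    entries = []
    for line in lines:
        t = line.split()
        number, action = int(t[1]), t[2]
        if 100 <= number <= 199 or 2000 <= number <= 2699:
            src, swc, rest = _addr(t[4:])
            dst, dwc, rest = _addr(rest)
            entry = (action, t[3], (src, swc), (dst, dwc), int(rest[1]) if rest[:1] == ["eq"] else None)
        else:  # standard list: source only, any protocol, any destination
            src, swc, _ = _addr(t[3:])
            entry = (action, "ip", (src, swc), ANY, None)
        entries.append(entry)
    return entries

def evaluate(acl, pkt):
    """First matching entry decides; the implicit 'deny any' catches everything else."""
    for action, proto, src, dst, dport in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], *src) and wildcard_match(pkt["dst"], *dst)):
            continue
        if dport is not None and dport != pkt.get("dport"):
            continue
        return action
    return "deny"  # implicit deny at the end of every ACL

# The two access lists from the post, plus a constructed sample packet
ACL_10 = parse_acl(["access-list 10 permit 10.1.1.0 0.0.0.255"])
ACL_110 = parse_acl(["access-list 110 permit tcp 10.1.1.0 0.0.0.255 any eq 80"])
WEB = {"proto": "tcp", "src": "10.1.1.7", "dst": "192.0.2.10", "dport": 80}
```

Calling `evaluate(ACL_110, WEB)` returns "permit", while the same packet to port 22 or over UDP falls through to the implicit deny.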


Route-map:
Route-maps have many features in common with the widely known access control lists (ACLs). These are some of the traits common to both mechanisms:
  • They are an ordered sequence of individual statements, each with a permit or deny result. Evaluation of an ACL or route-map consists of a scan of the list, in order, and an evaluation of the criteria of each statement. The scan stops at the first statement that matches, and the action associated with that statement is performed.
These are some of the differences between route-maps and ACLs:
  • Route-maps frequently use ACLs as matching criteria.
  • The result from an access list is a yes or no answer: an ACL either permits or denies the input data. Applied to redistribution, an ACL determines whether a particular route can (the route matches a permit statement) or cannot (it matches a deny statement) be redistributed.
  • Typical route-maps not only permit redistributed routes but also modify information associated with the route when it is redistributed into another protocol.

route-map ospf-to-eigrp deny 10
 match tag 6
 match route-type external type-2
!
route-map ospf-to-eigrp permit 20
 match ip address 110
 set metric 20000 2000 255 1 1500
!
route-map ospf-to-eigrp permit 30
 set tag 8
!
router eigrp 1
 redistribute ospf 1 route-map ospf-to-eigrp
 default-metric 20000 2000 255 1 1500

Route-maps are more flexible than ACLs and can verify routes based on criteria which ACLs cannot verify. For example, a route-map can verify whether the type of route is internal or whether it has a specific tag.
Each ACL ends with an implicit deny statement; there is no similar convention for route-maps. If the end of a route-map is reached during matching attempts, the result depends on the specific application of the route-map. Route-maps that are applied to redistribution behave the same way as ACLs: if the route does not match any clause in the route-map, then redistribution of the route is denied, as if the route-map contained a deny statement at the end.
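Here is an added Python model (not from the post or from Cisco) of how the ospf-to-eigrp route-map above is evaluated at redistribution: the first clause whose match conditions all hold decides, permit applies the set actions, deny drops the route, and running off the end of the map is also a deny. The `match ip address 110` clause is simplified (an assumption) to testing the route's network against that ACL's source prefix 10.1.1.0 0.0.0.255, and the routes are constructed samples.

```python
import ipaddress

def wildcard_match(ip, network, wildcard):
    """Cisco wildcard mask: 0 bits must match the network, 1 bits are ignored."""
    ip, net, wc = (int(ipaddress.IPv4Address(x)) for x in (ip, network, wildcard))
    return (ip & ~wc) == (net & ~wc)

# The post's route-map as (action, seq, match conditions, set actions). All match
# conditions in a clause must hold (logical AND); a clause with no match matches all.
# 'match ip address 110' is simplified to the ACL's source prefix (assumption).
OSPF_TO_EIGRP = [
    ("deny", 10, [lambda r: r["tag"] == 6,
                  lambda r: r["route_type"] == "external type-2"], {}),
    ("permit", 20, [lambda r: wildcard_match(r["network"], "10.1.1.0", "0.0.0.255")],
     {"metric": (20000, 2000, 255, 1, 1500)}),
    ("permit", 30, [], {"tag": 8}),
]

def redistribute(route_map, route):
    """Return the (possibly modified) route if it is redistributed, or None if denied."""
    for action, seq, conditions, sets in route_map:
        if all(cond(route) for cond in conditions):
            if action == "deny":
                return None
            return dict(route, **sets, matched_seq=seq)
    return None  # end of map reached with no match: denied, just like an ACL

# Constructed sample routes learned from OSPF
ROUTES = [
    {"network": "10.1.1.0", "tag": 6, "route_type": "external type-2"},  # dropped by seq 10
    {"network": "10.1.1.0", "tag": 6, "route_type": "external type-1"},  # seq 20: metric set
    {"network": "192.0.2.0", "tag": 0, "route_type": "intra-area"},      # seq 30: tag set to 8
]

def run(route_map=OSPF_TO_EIGRP, routes=ROUTES):
    """Evaluate every sample route against the map."""
    return [redistribute(route_map, r) for r in routes]
```

Running `run(OSPF_TO_EIGRP[:2])` (the map without its catch-all clause 30) shows the end-of-map behaviour: the third route matches nothing and is dropped.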

Route-maps are used in BGP, redistribution, etc.

In BGP:
  • Route-map can match on:
    • A network number and subnet mask match with an IP prefix list
    • Route originator
    • BGP next hop address
    • BGP origin
    • Tag attached to IGP route
    • AS-path
    • BGP community
    • IGP route type (internal/external)
  • Route-maps can also change the attributes of BGP routes
  • Route-maps can set
    • Origin
    • BGP community
    • BGP next hop
    • Local preference
    • Weight
    • MED

Hope this information will help you.


Friday, August 13, 2010

OSPF AREA 0

OSPF Area 0 Concept

OSPF is designed with special restrictions when multiple areas are involved. If more than one area is configured in the network, one of these areas has to be area 0. This is called the backbone area. When designing networks it is best practice to start with area 0 and then extend into other areas as you move on.
The backbone area has to be at the center of all other areas; the requirement is that all areas must be physically connected to the backbone. The reasoning behind this is that OSPF expects all areas to inject routing information into the backbone area, and in return the backbone spreads that information into the other areas. The following diagram illustrates the flow of information in an OSPF network:

In the above diagram, all areas are directly connected to the backbone. In the rare situation where a new area is introduced that cannot have direct physical access to the backbone, a virtual link has to be configured.
Virtual links will be discussed later on. Different types of routing information come from different types of areas. Routes that are generated from within an area are called intra-area routes. These routes are represented by the letter O in the IP routing table.
Routes that originate from other areas are called inter-area routes. The notation for these routes is O IA in the IP routing table.
Routes that originate from other routing protocols through redistribution and are injected into OSPF are called external routes. These routes are represented by O E2 or O E1 in the IP routing table.
Multiple routes to the same destination are preferred in the following order: intra-area, inter-area, external E1, external E2.

Ref: Cisco.com
