[c-nsp] Cisco distribute-list configs

Justin Krejci JKrejci at usinternet.com
Thu Oct 27 19:30:20 EDT 2016


(Starting new thread based on the already deviated branch)

What about a distribute-list using a prefix-list instead of an ACL?


router(config-router-af)#distribute-list ?
  <1-199>      IP access list number
  <1300-2699>  IP expanded access list number
  WORD         Access-list name
  gateway      Filtering incoming updates based on gateway
  prefix       Filter prefixes in routing updates

router(config-router-af)#distribute-list ?


I get it if it's a soon-to-be-deprecated method that you don't want your configs to depend on, but if xns, X.25, and ipx are still functional (anyone add "service pad" to their routers at all?), where does the removal of distribute-lists fall on the priority list for Cisco?

If distribute-list entries are slow, it makes sense to avoid them, especially on a busy router.
However, it seems like a good way to implement a protocol-wide filter (e.g. BGP) when you don't want (or don't have) a BGP community setup for some situation, and you have so many peers and/or peer-groups that updating a bunch of prefix-lists/route-maps would be cumbersome and itself error-prone, especially across multiple routers each with their own unique set of neighbors.

I've also seen the below on some BGP speaking routers to prevent any accidental too-small or too-big prefix from getting into their BGP route exchanges when making config changes.

ip prefix-list max24 seq 5 permit 0.0.0.0/0 ge 8 le 24
router bgp XXX
  address-family ipv4
    distribute-list prefix max24 out
    distribute-list prefix max24 in


Sure, there should be sufficient change-control processes in place to prevent silly mistakes like the IGP routes getting accidentally injected into BGP, but silly mistakes happen, e.g. http://www.networkworld.com/article/3128104/lan-wan/level-3-blames-huge-network-outage-on-unspecified-configuration-error.html


Just curious and playing devil's advocate :)
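As an added example (not from the thread, and not IOS code), a small Python model of how the max24 prefix-list above evaluates candidate BGP prefixes under IOS first-match and implicit-deny semantics; the update prefixes fed through it are constructed to show the too-big and too-small cases the post describes.

```python
import ipaddress

# Constructed model of IOS prefix-list matching (example code, not IOS itself).
# An entry matches when the prefix lies inside the entry's network and its
# length falls within [ge, le]; with only ge, le defaults to 32; with neither,
# the length must equal the entry's own. Lowest seq that matches wins, and an
# unmatched prefix hits the implicit deny at the end of the list.

def parse_entry(line):
    """Parse 'ip prefix-list NAME seq N permit|deny NET/LEN [ge X] [le Y]'."""
    tok = line.split()
    name, seq, action = tok[2], int(tok[4]), tok[5]
    net = ipaddress.ip_network(tok[6], strict=False)
    ge = le = None
    for i in range(7, len(tok), 2):
        if tok[i] == "ge":
            ge = int(tok[i + 1])
        elif tok[i] == "le":
            le = int(tok[i + 1])
    lo = ge if ge is not None else net.prefixlen
    hi = le if le is not None else (net.max_prefixlen if ge is not None else net.prefixlen)
    return {"name": name, "seq": seq, "action": action, "net": net, "lo": lo, "hi": hi}

def prefix_list_permits(entries, prefix):
    """True if the prefix-list permits the prefix, False on deny or implicit deny."""
    p = ipaddress.ip_network(prefix, strict=False)
    for e in sorted(entries, key=lambda e: e["seq"]):
        if p.version == e["net"].version and p.subnet_of(e["net"]) \
                and e["lo"] <= p.prefixlen <= e["hi"]:
            return e["action"] == "permit"
    return False  # implicit deny

def filter_updates(entries, prefixes):
    """Split a batch of update prefixes into those passed and those dropped."""
    passed = [p for p in prefixes if prefix_list_permits(entries, p)]
    dropped = [p for p in prefixes if not prefix_list_permits(entries, p)]
    return passed, dropped

# The list from the post, applied in both directions by the distribute-list.
MAX24 = [parse_entry("ip prefix-list max24 seq 5 permit 0.0.0.0/0 ge 8 le 24")]

# Constructed sample of what might show up in an update after a config slip.
SAMPLE_UPDATES = [
    "0.0.0.0/0",        # default route: too big, dropped
    "10.0.0.0/7",       # shorter than /8: dropped
    "10.0.0.0/8",       # passes
    "192.0.2.0/24",     # passes
    "192.0.2.0/25",     # longer than /24: dropped
    "198.51.100.1/32",  # IGP loopback leaking into BGP: dropped
]

if __name__ == "__main__":
    print(filter_updates(MAX24, SAMPLE_UPDATES))
```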



________________________________
From: Mark Tinka [mark.tinka at seacom.mu]
Sent: Thursday, October 27, 2016 4:13 PM
To: Justin Krejci; Nick Cutting; Jared Mauch
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Router memory problem



On 27/Oct/16 21:54, Justin Krejci wrote:


We use prefix-lists (not ACL) in our route-maps, BGP filtering, etc but I am curious what is wrong with distribute-lists specifically.
Is it just that they are old and less efficient CPU-wise or something? Are there known bugs in certain use cases?

They are slow, prone to mistakes due to the dependency on ACLs, scale poorly, and are so legacy that you don't know if newer code will either deprecate or break them.

It's kind of like using CAR when MQC is the way forward.

Mark.

