
What Is ACL for Routing Protocols in Networking?

Also known as: ACL for Routing Protocols, distribute-list, route filtering Cisco, CCNP ENARSI, Cisco routing protocol ACL

Reviewed by Johnson Ajibi · Senior Network & Security Engineer · MSc IT Security

Quick Definition

An ACL for Routing Protocols is a tool that network engineers use to control which route information is shared between routers. It works like a filter on a water pipe, letting only certain routing updates pass while blocking others. This helps prevent incorrect or unwanted routes from spreading across the network.

Must Know for Exams

ACLs for Routing Protocols are a core topic in the Cisco CCNP Enterprise (350-401 ENCOR and 300-410 ENARSI) exams. In the ENARSI exam, which focuses on advanced routing and infrastructure security, candidates must demonstrate a deep understanding of how to filter routing updates using distribute-lists, prefix-lists, and route-maps. The exam objectives explicitly list implementing and verifying route filtering as a key skill.

You may be given a scenario where a network has multiple routing protocols and you need to control which routes are redistributed. The correct answer often involves applying an ACL with a distribute-list under the routing protocol configuration. The exam also tests your ability to match ACL entries to specific prefixes, including wildcard mask calculations. For example, you might see a question: Which ACL will deny the 192.168.16.0/20 route? You need to pick the correct wildcard mask.

In the CCNA exam, the topic appears at a foundational level. You might be asked to identify the command that filters EIGRP routes or to explain the effect of an ACL on OSPF neighbor relationships. The exam expects you to know that ACLs for routing protocols do not filter the routing protocol messages themselves (hello packets), only the route entries within those messages.

Furthermore, the exam may present a troubleshooting question where a network is experiencing routing blackholes. The candidate must identify that an ACL is incorrectly denying a necessary route. Understanding the order of operations is critical: ACLs are processed top-down, and an implicit deny any at the end will block all routes if you forget a permit any statement. Mastery of these details is essential for passing CCNP-level exams.

Simple Meaning

Think of a network as a giant postal system where each router is a post office. Routers talk to each other using routing protocols, which are like special postal couriers that carry lists of addresses (network routes) they know about. An ACL for Routing Protocols is like a security guard standing at the post office door with a clipboard. This guard checks every list of addresses the courier brings in or tries to send out. If a certain address range is on the guard's deny list, he tears up that part of the list and does not let it through. If it is on the permit list, he stamps it and allows it to continue.

For example, imagine a company that has a secret network for payroll. They do not want other parts of the company to know about this secret network. They can configure an ACL on the border router that tells the routing protocol: Do not advertise any routes that start with 10.0.5.0. That way, when the routing protocol tries to share its list of known networks, the ACL blocks the secret route and only lets the non-secret routes be shared. This keeps the payroll network hidden and safe.

Without ACLs for routing protocols, a router would blindly share all routes it knows, which could cause problems. A remote office might accidentally learn about a sensitive network, or a bad route could spread across the entire internet and break connectivity. ACLs give network engineers precise control over what routing information flows where, much like a librarian deciding which books from a restricted section can be borrowed by which patrons.

Full Technical Definition

In Cisco networking, an ACL for Routing Protocols is typically applied using a distribute-list command in router configuration mode. A distribute-list references a standard or extended ACL and is applied either inbound or outbound on a routing protocol process (like OSPF, EIGRP, or BGP). The ACL itself contains permit or deny statements that match on IP addresses, specifically the network prefixes (routes) being advertised.

The distribute-list filter operates at the routing protocol level, not at the interface level. This means it intercepts route advertisements before they are installed into the routing table or before they are sent out to neighbors. For example, in EIGRP, you can apply a distribute-list in to filter routes received from neighbors, or distribute-list out to filter routes being advertised. OSPF uses a different mechanism: you apply a distribute-list in on the OSPF process, but OSPF does not support distribute-list out directly because OSPF uses Link State Advertisements (LSAs). Instead, to filter OSPF routes outbound, you use a filter-list with prefix-lists or route-maps.

ACLs for routing protocols can also be used with route-maps, particularly in BGP, where you match on an ACL to permit or deny certain prefixes before applying community attributes or local preference. Standard ACLs (numbered 1-99) typically match only the source network, making them suitable for simple prefix filtering. Extended ACLs (100-199) can match on source and destination, but for routing protocol filtering, standard ACLs are more common because routes are identified by their destination network.

Implementation in real environments requires careful planning. You must know the exact network prefixes you want to filter. If you deny a route that is needed for reachability, you can cause blackholing of traffic. Engineers often use a combination of ACLs and prefix-lists, where prefix-lists offer more flexible matching (e.g., matching a range of prefix lengths). However, ACLs remain heavily tested in CCNP exams and are a foundational skill.

In Cisco IOS, the configuration syntax is: router eigrp 100, then distribute-list 10 in. The ACL would be access-list 10 deny 192.168.1.0 0.0.0.255, access-list 10 permit any. This configuration blocks the 192.168.1.0/24 route from being received via EIGRP from any neighbor, while permitting all other routes.

Real-Life Example

Imagine a large office building with multiple departments: Sales, Engineering, and HR. Each department has its own internal mail room. The building also has a central mail sorting facility that connects all departments. The couriers from each mail room regularly share information about which rooms and offices they can deliver mail to.

Now, the HR department has a very confidential filing room (their payroll network) that should not appear on any public directory. The building manager can place an ACL-like rule at the central mail facility. This rule says: When any courier from any department tries to announce that they can deliver mail to the HR confidential filing room, the central facility blocks that announcement. The couriers still deliver mail to that room internally, but no other department learns about its existence.

In networking terms, the central mail facility is a router running a routing protocol. The couriers are routing updates (like OSPF LSAs or EIGRP updates). The confidential filing room is the payroll network (e.g., 10.10.100.0/24). The ACL is the building manager's rule that filters out that specific address from all routing advertisements going out.

This analogy maps directly to real-world networking. A company with multiple branch offices uses ACLs on the WAN router to ensure that only the specific subnets intended for inter-office communication are advertised via BGP or OSPF, keeping internal management networks hidden. The ACL acts as a gatekeeper, ensuring that only approved routes are shared, which protects the network from both accidental leaks and deliberate attacks.

Why This Term Matters

ACLs for routing protocols matter because they give network engineers a simple yet powerful way to control the flow of routing information, which directly impacts network security, stability, and performance. In real IT environments, networks are rarely flat. They contain multiple routing domains, redistributions between protocols, and connections to external partners or the internet. Without filtering, a router will advertise every route it knows, including loopbacks, management subnets, and sensitive internal ranges. This can expose critical infrastructure to external entities, making it easier for attackers to map the network.

Additionally, filtering prevents routing loops and suboptimal routing. For example, if you redistribute between OSPF and EIGRP without an ACL, you might accidentally inject a default route or a summary route that causes traffic to take a long detour. ACLs allow you to permit only the routes that are necessary for redistribution, keeping the routing table clean and efficient.

In security-focused networks, ACLs for routing protocols are part of a defense-in-depth strategy. They prevent route hijacking by ensuring that only authorized prefixes are accepted from neighbors. If a rogue router tries to inject a fake route, the ACL on the receiving side will drop it, stopping the attack. This is especially critical in BGP, where a single misconfiguration can cause global outages.

From a troubleshooting perspective, knowing how ACLs interact with routing protocols helps engineers diagnose why certain routes are missing. Often, a missing route is the result of an ACL silently denying it. Understanding this concept saves hours of frustration and enables faster resolution of network issues.

How It Appears in Exam Questions

In certification exams, ACLs for Routing Protocols appear in several question formats. The most common is the scenario-based question. For example: Company A has two routers connected via a WAN link. Router R1 is running EIGRP and knows about networks 10.1.1.0/24, 10.2.2.0/24, and 192.168.1.0/24. The network policy requires that only the 10.x.x.x networks be learned by R2. Which configuration should be applied? The candidate must choose a distribute-list with an ACL that permits 10.0.0.0/8 and denies 192.168.0.0/16.

Configuration questions often require you to write or complete a command. For instance, complete the command to filter OSPF routes received from a neighbor: distribute-list 5 in. Then you must define access-list 5 permit 172.16.0.0 0.0.255.255. These questions test both syntax and logic.

Troubleshooting questions present a network diagram and show that a certain route is missing from the routing table. You are given show commands output, such as show ip route or show ip protocols. The candidate must deduce that an inbound distribute-list is filtering the route. Or the question might show that the distribute-list is applied but the ACL is missing a permit any statement, causing all routes to be denied.

Another pattern is the concept question: Which of the following is true about using an ACL with OSPF? The correct answer might be: The distribute-list in filters routes after they are received but before they enter the routing table. Distractors include incorrect statements about filtering hello packets or affecting neighbor adjacencies.

Finally, there are design questions where you are asked to recommend a solution to hide certain subnets from a partner network. The correct answer involves applying an outbound distribute-list on the border router using a standard ACL. These questions test your ability to apply the concept in a real-world design context.


Example Scenario

A medium-sized company, ABC Corp, has three branch offices connected via a corporate WAN. The network team uses EIGRP as the routing protocol. The main office (HQ) has a server subnet 10.10.10.0/24 that hosts the payroll application. The company policy strictly forbids any other branch from knowing about this subnet.

A junior network engineer is asked to configure the HQ router so that the 10.10.10.0/24 subnet is not advertised to the branches. The engineer creates an ACL with access-list 10 deny 10.10.10.0 0.0.0.255 and then access-list 10 permit any. Then, under router eigrp 100, the engineer applies distribute-list 10 out.

Now, when the HQ router sends EIGRP updates to its neighbors, the distribute-list checks each route against ACL 10. The payroll subnet is denied, so it is removed from the update. All other routes are permitted by the permit any statement. The branches receive only the intended routes, and the payroll subnet remains hidden. This ensures security while maintaining full connectivity for other services. The engineer verifies the configuration with show ip eigrp topology and show ip route on a branch router, confirming that the payroll subnet is absent.

Common Mistakes

Applying an ACL directly on the interface instead of using distribute-list under the routing protocol.

An ACL applied on the interface filters data packets, not routing updates. Interface ACLs do not prevent routes from being advertised or learned. This means the route may still appear in the routing table, and only traffic to that network is blocked, which does not achieve the goal of hiding the network.

Always use distribute-list under the routing protocol configuration to filter routes, not an interface ACL.

Forgetting to add 'permit any' at the end of the ACL, causing all routes to be denied.

Every ACL has an implicit deny any statement at the end. If you only have a single deny statement for the route you want to block, the implicit deny will block all other routes as well, breaking all connectivity.

Always include 'permit any' as the last statement in the ACL when you only want to deny specific routes, unless you intend to deny everything else.

Using an extended ACL instead of a standard ACL for route filtering.

Standard ACLs (1-99) match on source IP address only, which is sufficient for filtering routes because a route is identified by its destination network. Extended ACLs add unnecessary complexity and can cause unexpected matches on source/destination combinations.

Use a standard ACL (numbers 1-99 or 1300-1999) for most route filtering scenarios. Reserve extended ACLs for more advanced filtering with route-maps if needed.

Applying distribute-list under the wrong routing protocol process or in the wrong direction.

If you apply distribute-list in on the wrong protocol, it may not filter the desired updates. Also, applying out when you meant in can allow unwanted routes to be learned or block routes that should be advertised.

Double-check the routing protocol process number and the direction (in for received routes, out for advertised routes). Use show ip protocols to verify the distribute-list is applied correctly.

Exam Trap — Don't Get Fooled

In an OSPF scenario, distribute-list out does not work because OSPF is a link-state protocol. Many candidates incorrectly apply distribute-list out on OSPF thinking it will filter advertised LSAs, but it only works for distance-vector protocols like EIGRP and RIP. For OSPF, you must use a different method such as filter-list with a prefix-list or a route-map on the ABR/ASBR.

Memorize that OSPF is link-state and does not support distribute-list out. Instead, to filter OSPF routes outbound, use a filter-list command under the area configuration (area filter-list prefix), or use a route-map on the redistribution point. Always verify the protocol behavior before applying a filtering technique.

Commonly Confused With

ACL for Routing Protocols vs Interface ACL (standard or extended)

An interface ACL filters actual data packets traversing the router, such as HTTP traffic or ping requests. An ACL for routing protocols filters routing updates (routes) themselves, not the user data. The interface ACL affects what traffic can pass through, while the routing protocol ACL affects which networks the router knows about.

Interface ACL blocks users from accessing a server. Routing protocol ACL prevents the router from even knowing that the server's network exists.

ACL for Routing Protocols vs Prefix-list

A prefix-list is a more advanced and flexible tool than an ACL for route filtering. Prefix-lists can match both the network address and the prefix length (subnet mask) precisely, while standard ACLs only match the network portion using wildcard masks. Prefix-lists also have an implicit deny at the end and use a different syntax (ip prefix-list).

ACL permit 10.0.0.0 0.255.255.255 permits any route starting with 10.x.x.x regardless of subnet mask. Prefix-list permit 10.0.0.0/8 le 24 permits only routes with a mask between /8 and /24, giving more control.

ACL for Routing Protocols vs Route-map

A route-map is a comprehensive policy tool that can match on ACLs or prefix-lists and then set attributes like metric, next-hop, or community. An ACL alone only permits or denies a route. A route-map can do much more, such as manipulating BGP path attributes during redistribution.

ACL simply says deny route 10.1.1.0/24. Route-map says if route matches ACL, then set metric 100 and permit it.

ACL for Routing Protocols vs Distribute-list vs Filter-list

A distribute-list works with distance-vector protocols like EIGRP and RIP, and also with OSPF for inbound filtering only (distribute-list in). A filter-list is specific to OSPF and is used to filter Type 3 LSAs between areas on an ABR. Filter-list uses a prefix-list, not an ACL.

To filter routes entering an OSPF area, you use area 0 filter-list prefix LIST_NAME in. For EIGRP, you use distribute-list ACL_NUM in.

Step-by-Step Breakdown

1

Identify the routing protocol and direction

First, determine which routing protocol you need to filter (EIGRP, OSPF, BGP, or RIP). Then decide if you want to filter routes coming into the router (in) or routes being advertised out (out). This will determine the placement of the distribute-list.

2

Create the ACL

Use global configuration mode to create a standard ACL. For example, access-list 10 deny 192.168.1.0 0.0.0.255. This entry will match the 192.168.1.0/24 network. You can add multiple deny and permit statements. Always include a permit any statement at the end unless you intend to block all routes.

3

Enter routing protocol configuration mode

Use the router command followed by the protocol and autonomous system or process ID. For example, router eigrp 100 or router ospf 1. This enters the configuration context where the distribute-list will be applied.

4

Apply the distribute-list

Use the distribute-list command with the ACL number and direction. For example, distribute-list 10 in. This tells the routing protocol to check every incoming route against ACL 10. Alternatively, use distribute-list 10 out to filter routes being advertised to neighbors.

5

Verify the configuration

Use show ip protocols to see that the distribute-list is active. Use show ip route to check that the filtered route is no longer present. On a neighbor router, use show ip route to confirm the route was not received. If troubleshooting, check show ip access-lists to see the match counters on each ACL entry.

6

Test and adjust

After applying the filter, test connectivity to ensure that the desired routes are still reachable and that the filtered route is indeed hidden. If you accidentally blocked a necessary route, adjust the ACL statements. Remember that changes to the ACL take effect immediately without needing to reapply the distribute-list.

Practical Mini-Lesson

Let us walk through a real-world configuration scenario so you understand ACLs for routing protocols inside and out. Imagine you are the network administrator for a company with two locations connected via a private WAN. Each location has its own router. The router at HQ (RouterA) is running EIGRP AS 100 and knows about three networks: the corporate LAN (10.1.1.0/24), a DMZ network (172.16.1.0/24), and a management network (192.168.100.0/24). The branch office router (RouterB) should only learn about the corporate LAN and the DMZ. The management network must remain hidden because it contains sensitive monitoring equipment.

Your goal is to configure RouterA so that when it sends EIGRP updates to RouterB, the management network is not included. The correct approach is to use an ACL with a distribute-list out under the EIGRP process.

Step 1: Create the ACL on RouterA. You want to deny the management network but permit everything else. So you type: access-list 5 deny 192.168.100.0 0.0.0.255 and then access-list 5 permit any. Notice that the wildcard mask for a /24 network is 0.0.0.255. If you miscompute the wildcard mask, you might accidentally permit or deny the wrong network range.

Step 2: Enter EIGRP configuration: router eigrp 100. Then apply the distribute-list: distribute-list 5 out. The out direction means that any route advertised out from RouterA to its neighbors will be checked against ACL 5.

Now, let us test your understanding with a common pitfall. What if you applied distribute-list 5 in instead? That would filter routes that RouterA receives from its neighbors, not the routes it sends. Since RouterB does not send routes in this simple scenario, the filter would have no effect, and the management network would still be advertised. This is a classic mistake on exams.

What if you forgot the permit any statement? The ACL would have only one deny entry. When the EIGRP process checks the corporate LAN route (10.1.1.0/24), it does not match the deny statement (which matches only 192.168.100.0/24), so it falls through to the implicit deny any at the end and the route is denied. The DMZ route is denied the same way. RouterB loses its routes to the corporate LAN and DMZ, and the entire branch goes down because every route, including the management network you meant to hide, is now blocked. This is why the permit any is critical.

In professional practice, engineers often test ACLs with a lab environment first. They run show ip route on the branch router before and after applying the filter to verify the change. They also use debug ip packet or debug ip routing cautiously in production. The lesson is clear: plan your ACL statements carefully, always include the permit any unless you have a specific reason to block everything, and verify the direction of the distribute-list. This same logic applies to OSPF and BGP, though the exact commands differ slightly. For OSPF inbound, it is still distribute-list in; for OSPF outbound, you need a filter-list or other mechanism. Understanding these nuances is what separates a CCNP-level engineer from a beginner.
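The wildcard-mask, top-down and implicit-deny behaviour from the mini-lesson above, together with the ACL versus prefix-list contrast from the Commonly Confused With section, as an added Python simulation that is not part of the original page and is not Cisco IOS code; the route table, the ACL 5 entries and all function names are constructed for illustration:

```python
"""Offline simulation of Cisco standard-ACL route filtering (distribute-list).

Not IOS code: it models how a standard ACL with wildcard masks is evaluated
against advertised prefixes, and how an ip prefix-list match differs.
"""
from ipaddress import IPv4Address, IPv4Network

# Constructed route table for RouterA from the mini-lesson.
ROUTER_A_ROUTES = ["10.1.1.0/24", "172.16.1.0/24", "192.168.100.0/24"]

# Constructed ACL 5 entries as (action, address, wildcard); "any" has no wildcard.
ACL_5_CORRECT = [("deny", "192.168.100.0", "0.0.0.255"), ("permit", "any", None)]
ACL_5_BROKEN = [("deny", "192.168.100.0", "0.0.0.255")]  # forgot "permit any"


def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard mask for a prefix length, e.g. 24 -> 0.0.0.255, 20 -> 0.0.15.255."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    netmask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(IPv4Address(netmask ^ 0xFFFFFFFF))


def acl_entry_matches(entry: tuple, network: str) -> bool:
    """Standard ACL match: compare only the bits where the wildcard is 0.

    The route's own prefix length is ignored, exactly as a standard ACL ignores it.
    """
    _action, addr, wildcard = entry
    if addr == "any":
        return True
    route = int(IPv4Network(network, strict=False).network_address)
    care = int(IPv4Address(wildcard)) ^ 0xFFFFFFFF  # bits the ACL cares about
    return (route & care) == (int(IPv4Address(addr)) & care)


def acl_decision(acl: list, network: str) -> str:
    """Evaluate entries top-down; fall through to the implicit deny at the end."""
    for entry in acl:
        if acl_entry_matches(entry, network):
            return entry[0]
    return "deny"


def distribute_list(acl: list, routes: list) -> list:
    """Routes that survive the filter (same evaluation for 'in' and 'out')."""
    return [r for r in routes if acl_decision(acl, r) == "permit"]


def prefix_list_permits(prefix: str, network: str, ge=None, le=None) -> bool:
    """ip prefix-list style match: address bits AND a prefix-length range.

    With neither ge nor le the length must equal the configured one exactly;
    'le 24' on 10.0.0.0/8 allows /8 through /24.
    """
    base = IPv4Network(prefix)
    net = IPv4Network(network, strict=False)
    low = ge if ge is not None else base.prefixlen
    high = le if le is not None else (32 if ge is not None else base.prefixlen)
    return net.subnet_of(base) and low <= net.prefixlen <= high


if __name__ == "__main__":
    print("wildcard for /20:", wildcard_for_prefix(20))
    print("advertised with permit any:", distribute_list(ACL_5_CORRECT, ROUTER_A_ROUTES))
    print("advertised without it:", distribute_list(ACL_5_BROKEN, ROUTER_A_ROUTES))
```

Running it shows the broken ACL advertising nothing at all, which is the outage described above, while the correct ACL advertises only the corporate LAN and DMZ.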

Memory Tip

Remember DROP: Direction first, then Router process, then ACL, then Permit any. Always confirm the direction and never skip the permit any.


Frequently Asked Questions

Do ACLs for routing protocols filter hello packets or neighbor relationships?

No. ACLs for routing protocols filter only the route entries within routing updates. They do not affect hello packets or neighbor adjacency formation. An ACL on an interface can block hello packets and prevent neighbor relationships, but that is a different use case.

Can I use an extended ACL with distribute-list?

Yes, technically you can use an extended ACL with distribute-list, but it is not recommended for most scenarios. Standard ACLs are sufficient because routes are identified by a single network address. Extended ACLs may create confusion and unexpected matches.

Does the distribute-list apply to all neighbors or just specific ones?

By default, a distribute-list applied under the routing protocol process applies to all neighbors. To apply it to a specific neighbor, you must use a neighbor distribute-list command under BGP or use a route-map. In EIGRP and OSPF, the distribute-list is global to the protocol process.

What is the difference between distribute-list in and distribute-list out?

Distribute-list in filters routes that are received from neighbors and processed by the routing protocol. Distribute-list out filters routes that are advertised to neighbors. In filters affect the local routing table's learning, while out filters affect what other routers learn.

Will a distribute-list affect routes already in the routing table?

A distribute-list in will remove routes from the routing table if they are denied, because the router will not install them. A distribute-list out does not affect the local routing table; it only prevents routes from being sent to neighbors.

Can I use a named ACL instead of a numbered ACL?

Yes. Cisco IOS supports named ACLs. You can create a named standard ACL with ip access-list standard BLOCK_MGMT and then use distribute-list BLOCK_MGMT in. The syntax is the same as with numbered ACLs.

Is the distribute-list command available for all routing protocols?

The distribute-list command is available for EIGRP, OSPF, and RIP. For BGP, you should use a route-map with neighbor options. The command may not work as expected for OSPF outbound filtering, as OSPF uses filter-list instead.

Summary

ACL for Routing Protocols is a vital concept in Cisco networking that allows engineers to control which network routes are shared between routers using routing protocols. By applying a standard ACL through a distribute-list command, you can permit or deny specific prefixes from being advertised or received. This tool is essential for securing sensitive networks, preventing routing loops, and maintaining clean routing tables.

In CCNP and ENARSI exams, you must understand the correct syntax, the direction of filtering, and the behavior differences between distance-vector and link-state protocols. Common mistakes include using interface ACLs instead of distribute-lists, forgetting the permit any statement, and misapplying the direction. Remember that OSPF outbound filtering requires a different approach using filter-list.

Mastering ACLs for routing protocols gives you precise control over your network's routing information, a skill that is both exam-critical and practically indispensable in production environments.