Monday, December 29, 2014

EIGRP - Extended NAMED ACLs are not allowed in distribute-list.

Quick post regarding an error message I came across when trying to configure an EIGRP distribute-list with extended NAMED ACLs.

% The ACL cannot be created or an ACL with the same name but incompatible type already exists.

Router version CSR1000v - Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(2)S, RELEASE SOFTWARE (fc2)

 R5(config)#ip access-list extended PBR_EIGRP  
 R5(config-ext-nacl)#deny ip host 155.1.0.1 host 150.1.4.4  
 R5(config-ext-nacl)#deny ip host 155.1.0.3 host 150.1.4.4  
 R5(config-ext-nacl)#deny ip host 155.1.0.4 host 150.1.4.4  
 R5(config-ext-nacl)#deny ip host 155.1.0.1 host 150.1.6.6  
 R5(config-ext-nacl)#deny ip host 155.1.0.3 host 150.1.6.6  
 R5(config-ext-nacl)#deny ip host 155.1.0.4 host 150.1.6.6  
 R5(config-ext-nacl)#deny ip host 155.1.0.1 host 150.1.1.1  
 R5(config-ext-nacl)#deny ip host 155.1.0.2 host 150.1.1.1  
 R5(config-ext-nacl)#deny ip host 155.1.0.4 host 150.1.1.1  
 R5(config-ext-nacl)#deny ip host 155.1.0.1 host 150.1.2.2  
 R5(config-ext-nacl)#deny ip host 155.1.0.2 host 150.1.2.2  
 R5(config-ext-nacl)#deny ip host 155.1.0.4 host 150.1.2.2  
 R5(config-ext-nacl)#deny ip host 155.1.0.3 host 150.1.7.7  
 R5(config-ext-nacl)#deny ip host 155.1.0.2 host 150.1.7.7  
 R5(config-ext-nacl)#deny ip host 155.1.0.4 host 150.1.7.7  
 R5(config-ext-nacl)#deny ip host 155.1.0.3 host 150.1.9.9  
 R5(config-ext-nacl)#deny ip host 155.1.0.2 host 150.1.9.9  
 R5(config-ext-nacl)#deny ip host 155.1.0.4 host 150.1.9.9  
 R5(config-ext-nacl)#permit ip any any  

 R5(config-router)#distribute-list PBR_EIGRP in
 % The ACL cannot be created or an ACL with the same name but incompatible type already exists.
 R5(config-router)#^Z


However, a numbered extended ACL works just fine.

 R5(config-ext-nacl)# access-list 100 deny ip host 155.1.0.1 host 150.1.4.4  
 R5(config-ext-nacl)# access-list 100 deny ip host 155.1.0.3 host 150.1.4.4  
 R5(config-ext-nacl)# access-list 100 deny ip host 155.1.0.4 host 150.1.4.4  
 R5(config-ext-nacl)# access-list 100 deny ip host 155.1.0.1 host 150.1.6.6  
 R5(config-ext-nacl)# access-list 100 deny ip host 155.1.0.3 host 150.1.6.6  
 R5(config-ext-nacl)# access-list 100 deny ip host 155.1.0.4 host 150.1.6.6  
 R5(config-ext-nacl)# access-list 100 deny ip host 155.1.0.1 host 150.1.1.1  
 R5(config-ext-nacl)# access-list 100 deny ip host 155.1.0.2 host 150.1.1.1  
 R5(config-ext-nacl)# access-list 100 deny ip host 155.1.0.4 host 150.1.1.1  
 R5(config-ext-nacl)# access-list 100 deny ip host 155.1.0.1 host 150.1.2.2  
 R5(config-ext-nacl)# access-list 100 deny ip host 155.1.0.2 host 150.1.2.2  
 R5(config-ext-nacl)# access-list 100 deny ip host 155.1.0.4 host 150.1.2.2    
 R5(config-ext-nacl)# access-list 100 deny ip host 155.1.0.2 host 150.1.7.7  
 R5(config-ext-nacl)# access-list 100 deny ip host 155.1.0.3 host 150.1.7.7  
 R5(config-ext-nacl)# access-list 100 deny ip host 155.1.0.4 host 150.1.7.7  
 R5(config-ext-nacl)# access-list 100 deny ip host 155.1.0.2 host 150.1.9.9  
 R5(config-ext-nacl)# access-list 100 deny ip host 155.1.0.3 host 150.1.9.9  
 R5(config-ext-nacl)# access-list 100 deny ip host 155.1.0.4 host 150.1.9.9  
 R5(config-ext-nacl)# access-list 100 permit ip any any  
 R5(config)# router eigrp 100  
 R5(config-router)# distribute-list 100 in Tunnel0  


1 comment:

  1. I encountered the same error as well. It seems that you can use named access-lists if you don't have an access list with that name already in place. So if you apply your "distribute-list TEST out e0/0" then go make "ip access extended TEST", it will take.
