Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 110
  • Last Modified:

Access-List and Distribute-List

Access-List and Distribute-List
Access-Group in/out and Distribute-List in/out


I have seen examples where they use an Access-List to determine the traffic to be Permitted or Denied, then you go to the interface and they use the Access-group command to alllow in/out the traffic

I also have seen Distribute-List  in /out that does pretty much the same thing. I would like to know where each command differs from other.

Access-group in/out can be used at the interface level only
Distribute-List in/out, at interface level  and global config level


Thank you
0
jskfan
Asked:
jskfan
  • 3
  • 2
1 Solution
 
asavenerCommented:
https://supportforums.cisco.com/discussion/11555036/difference-between-acl-distribution-list-and-route-map

A distribution list is actually a misnomer and does not really belong here A distribution list is really only a command that uses route-maps or ACLs to perform filtering of routing information advertised or received within a particular routing protocol. It is not a standalone filtering mechanism similar to ACLs/route-map.
0
 
jskfanAuthor Commented:
I was exactly at that link before I posed the question..
it is a little bit helpful...but they don't elaborate on the difference..for instance  Distribute list can be use the same way as the Access-group  when applied at the Interface level..

I want to know the similarities and the differences between..
Access-Group and Distribute-List
0
 
asavenerCommented:
Can you provide an example of the distribute list command being used at the interface level?
0
 
jskfanAuthor Commented:
I meant for Interface ..

http://www.ciscopress.com/articles/article.asp?p=2273507&seqNum=10



Router(config-router)#distribute-list 3 in fastethernet0/0

Creates an incoming distribute list for interface FastEthernet0/0 and refers to ACL 3

Router(config-router)#distribute-list 4 out serial0/0/0

Creates an outgoing distribute list for interface Serial0/0/0 and refers to ACL 4

Router(config-router)#distribute-list 5 out ospf 1

Filters updates advertised from OSPF process ID 1 into EIGRP autonomous system 10 according to ACL 5
0
 
asavenerCommented:
If you're in the "config-router" context, then you're configuring a routing protocol, not an inteface.  The distribution list is configuring rules for the routing protocol.

Basically you're saying "any routing updates that go out serial/0/0/0 should be filtered by distribution list 4."

So the distribution list is only for managing routing protocols, and which routes are accepted or advertised.


The access-group command is not actually applied to an interface, it is applied to a particular class of traffic transiting the interface.  "IP access-group my_access_list out" says "any ip traffic going out the interface should be checked against access list my_access_list to see whether it is permitted."  Non-IP traffic (Novell traffic, for example) and traffic entering the interface would not be affected by this rule.
0

Featured Post

Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now