Access-List and Distribute-List

jskfan used Ask the Experts™
Access-List and Distribute-List
Access-Group in/out and Distribute-List in/out

I have seen examples where they use an Access-List to determine the traffic to be Permitted or Denied, then you go to the interface and they use the Access-group command to alllow in/out the traffic

I also have seen Distribute-List  in /out that does pretty much the same thing. I would like to know where each command differs from other.

Access-group in/out can be used at the interface level only
Distribute-List in/out, at interface level  and global config level

Thank you
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®

A distribution list is actually a misnomer and does not really belong here A distribution list is really only a command that uses route-maps or ACLs to perform filtering of routing information advertised or received within a particular routing protocol. It is not a standalone filtering mechanism similar to ACLs/route-map.


I was exactly at that link before I posed the question..
it is a little bit helpful...but they don't elaborate on the difference..for instance  Distribute list can be use the same way as the Access-group  when applied at the Interface level..

I want to know the similarities and the differences between..
Access-Group and Distribute-List
Can you provide an example of the distribute list command being used at the interface level?


I meant for Interface ..

Router(config-router)#distribute-list 3 in fastethernet0/0

Creates an incoming distribute list for interface FastEthernet0/0 and refers to ACL 3

Router(config-router)#distribute-list 4 out serial0/0/0

Creates an outgoing distribute list for interface Serial0/0/0 and refers to ACL 4

Router(config-router)#distribute-list 5 out ospf 1

Filters updates advertised from OSPF process ID 1 into EIGRP autonomous system 10 according to ACL 5
If you're in the "config-router" context, then you're configuring a routing protocol, not an inteface.  The distribution list is configuring rules for the routing protocol.

Basically you're saying "any routing updates that go out serial/0/0/0 should be filtered by distribution list 4."

So the distribution list is only for managing routing protocols, and which routes are accepted or advertised.

The access-group command is not actually applied to an interface, it is applied to a particular class of traffic transiting the interface.  "IP access-group my_access_list out" says "any ip traffic going out the interface should be checked against access list my_access_list to see whether it is permitted."  Non-IP traffic (Novell traffic, for example) and traffic entering the interface would not be affected by this rule.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial