Basic differences between access-list, prefix-list, distribute-list, offset-list and route-map
An access-list filters user traffic when it is applied to an interface. It can also be used for route filtering, but it cannot be applied directly inside a routing protocol: it only "matches" the routes that are to be advertised or blocked, and that access-list then has to be referenced from a distribute-list, route-map, etc. (see the detailed explanation below).
A prefix-list is used only to filter routes, not user traffic, so it is used within routing protocols only. The main difference between an access-list and a prefix-list is that an access-list matches only the bits specified by the wildcard mask, whereas a prefix-list also matches the subnet mask (prefix length) and can specify a range of mask lengths that a route must fall within to be permitted or denied.
A distribute-list is used for route filtering, i.e. to permit or block routes from being advertised; it does not touch the metric advertised with those routes. (If you want to modify the advertised metric, use an offset-list.)
A distribute-list is not a standalone list: by itself it neither blocks nor permits any route. It references an access-list or prefix-list, and the action is taken according to what is specified in that list. A distribute-list is applied to incoming or outgoing routing updates, not to user traffic.
An offset-list modifies the metric of routes being advertised or received (outgoing or incoming), for all routes or for selected routes. To modify the metric of specific routes only, select those routes with an access-list and reference that access-list in the offset-list. An offset-list does not decide whether a route is advertised or not; it only modifies the metric (for the selected routes or for all routes).
The offset-list command is used mainly with distance-vector routing protocols; it does not work with OSPF.
Detailed discussion with examples:
(1) Access-list and Distribute-list
For example, if you want to block traffic from PC1 to PC2, you can do it with an access-list alone, because an access-list can be applied directly to an interface.
PC1 IP: 10.1.1.1, PC2 IP: 20.1.1.1. To block all traffic from PC1 to PC2, create:
access-list 10 deny 10.1.1.1 0.0.0.0
access-list 10 permit any
This access-list can now be applied inbound on the interface of R1 that faces PC1, or outbound on the interface of R4 that faces PC2 (or on any outgoing interface along the path chosen by routing; where it should be applied is a separate discussion):
interface Fastethernet 1/1
ip access-group 10 in
But what if you want to filter the routes exchanged between two routers? Say PC1 belongs to the 10.1.1.0/24 network and all routers run EIGRP. You want 10.1.1.0/24 not to be advertised to R2, but advertised to R3. Now you are not blocking traffic from PC1 to PC2; you only want that traffic to go via R3 instead of R2, and to achieve that you want PC1's subnet not to be advertised to R2. This is not directly possible with just an access-list: applying the same access-list to an interface would block the traffic, not the routes. It has to be applied within the routing protocol, but there is no option to apply it there directly, so it has to be referenced from a distribute-list or a route-map (route-maps are used mainly for BGP route filtering or during redistribution). For ordinary route filtering in EIGRP, a distribute-list is used.
Create an access-list similar to the one above:
access-list 10 deny 10.1.1.0 0.0.0.255
access-list 10 permit any
Now reference it in a distribute-list or route-map:
router eigrp 1
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
distribute-list 10 out Serial 0/0
(10 is the number of the access-list that every route must pass through before it is sent in the routing update.)
So now, whenever EIGRP sends a routing update, it checks the update against the distribute-list, which points to the access-list to find out which routes are permitted or denied (routes only, not traffic, because it is not applied to an interface).
(You can specify the direction, incoming or outgoing, and optionally the interface. Omit the interface if you want to block/permit the route for all neighbors.)
So, as we saw above, an access-list can filter traffic. It can also filter routes, but not directly: it has to be referenced from a distribute-list or route-map.
A distribute-list can reference either an access-list or a prefix-list.
For example:
distribute-list prefix 10 out Serial 0/0
or
distribute-list prefix xyz out Serial 0/0
Use the keyword prefix followed by the number or name of the prefix-list.
(2) Offset-list
In the above example, R1 receives routes from both R2 and R3. If you want one of the routes to be preferred over the other, you can increase the metric of the routes advertised by R2 or by R3.
Let's say you want to increase the metric of all routes received on S0/1 from R2:
R1(config)#router eigrp 1
R1(config-router)#offset-list 0 in 100000 serial 0/1
In the above configuration, 0 is the access-list number referenced by the offset-list. Specifying 0 means the metric is modified for all incoming routes.
As in the distribute-list example above, we can select specific routes and modify the metric for those selected routes only. To do this, identify the routes with an access-list and reference that access-list number in the offset-list command. So, in the above example, after the offset-list keyword, use the actual access-list number, or 0 if no selection is needed (all routes).
access-list 10 deny 20.1.1.0 0.0.0.255
access-list 10 permit any
R1(config)#router eigrp 1
R1(config-router)#offset-list 10 in 100000 serial 0/1
So, offset-list 0 = all routes.
offset-list (number or name) = only the specific routes permitted by the numbered or named access-list.
It is important to note that an offset-list does not block or permit routes; it only modifies the metric. Whatever value is specified in the offset-list command is added to the original metric.
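To make the difference between the four lists concrete, here is an added Python simulation (not IOS code and not from the original post) that models how a standard access-list, a prefix-list, a distribute-list and an offset-list each treat a constructed routing update. It assumes the behaviour described above: a standard access-list referenced from a distribute-list matches only the route's network address against address/wildcard and ignores the prefix length, a prefix-list entry checks the prefix length as well (exact length unless ge/le widen it), and access-list 0 in an offset-list stands for all routes. The sample routes, metrics and the prefix-list "xyz" are constructed for the example; ACL 10 and the offset-list ACL are the ones from the text.

```python
"""Simulation (added example, not IOS code) of how a standard access-list,
a prefix-list, a distribute-list and an offset-list treat routes.

Assumed behaviour, modelled from the text above:
  - a standard access-list referenced by a distribute-list compares only the
    route's network address against address/wildcard; the route's prefix
    length is not examined (so 10.1.1.0/24 and 10.1.1.128/25 both match
    "10.1.1.0 0.0.0.255")
  - a prefix-list entry compares the network bits up to its own length and
    then checks the route's prefix length: exact length unless ge/le widen it
  - an access-list number of 0 in an offset-list means every route
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Route:
    network: IPv4Network
    metric: int


# ---- standard access-list: entries are (action, address, wildcard) ----------

def wildcard_match(addr, base, wildcard):
    """Bits where the wildcard mask is 0 must match; bits where it is 1 are ignored."""
    return ((int(addr) ^ int(base)) & ~int(wildcard) & 0xFFFFFFFF) == 0


def acl_permits(acl, route):
    """First matching entry decides; an access-list ends in an implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(route.network.network_address, IPv4Address(base), IPv4Address(wildcard)):
            return action == "permit"
    return False


# ---- prefix-list: entries are (action, prefix, ge, le) ----------------------

def prefix_entry_match(prefix, ge, le, route):
    """Network bits up to the entry's length must agree, then the route's
    prefix length must fall in [low, high]: exact length by default,
    ge alone means ge..32, le alone means entry length..le."""
    plen = route.network.prefixlen
    if IPv4Network((route.network.network_address, prefix.prefixlen), strict=False) != prefix:
        return False
    low = ge if ge is not None else prefix.prefixlen
    high = le if le is not None else (32 if ge is not None else prefix.prefixlen)
    return low <= plen <= high


def prefix_list_permits(plist, route):
    """First matching sequence decides; a prefix-list also ends in an implicit deny."""
    for action, prefix, ge, le in plist:
        if prefix_entry_match(IPv4Network(prefix), ge, le, route):
            return action == "permit"
    return False


# ---- distribute-list and offset-list ----------------------------------------

def distribute_list(routes, permits):
    """A distribute-list only applies the referenced list: routes it permits
    stay in the update, the rest are dropped. Metrics are untouched."""
    return [r for r in routes if permits(r)]


def offset_list(routes, acl, offset):
    """An offset-list never drops a route; it adds `offset` to the metric of
    the routes the access-list matches (acl=None stands for access-list 0)."""
    return [Route(r.network, r.metric + offset) if acl is None or acl_permits(acl, r) else r
            for r in routes]


# ---- constructed sample update (metrics are made-up EIGRP-style values) ------

ROUTES = [
    Route(IPv4Network("10.1.1.0/24"), 2816),
    Route(IPv4Network("10.1.1.128/25"), 2816),
    Route(IPv4Network("10.1.2.0/24"), 2816),
    Route(IPv4Network("20.1.1.0/24"), 3072),
]

# access-list 10 deny 10.1.1.0 0.0.0.255 / access-list 10 permit any
ACL_10 = [("deny", "10.1.1.0", "0.0.0.255"), ("permit", "0.0.0.0", "255.255.255.255")]

# hypothetical ip prefix-list xyz: seq 5 deny 10.1.1.0/24, seq 10 permit 0.0.0.0/0 le 32
PREFIX_XYZ = [("deny", "10.1.1.0/24", None, None), ("permit", "0.0.0.0/0", None, 32)]

# access-list referenced by the offset-list: deny 20.1.1.0 0.0.0.255 / permit any
ACL_OFFSET = [("deny", "20.1.1.0", "0.0.0.255"), ("permit", "0.0.0.0", "255.255.255.255")]


def networks(routes):
    return [str(r.network) for r in routes]


if __name__ == "__main__":
    print("distribute-list 10 out    :", networks(distribute_list(ROUTES, lambda r: acl_permits(ACL_10, r))))
    print("distribute-list prefix xyz:", networks(distribute_list(ROUTES, lambda r: prefix_list_permits(PREFIX_XYZ, r))))
    print("offset-list 0 in 100000   :", [r.metric for r in offset_list(ROUTES, None, 100000)])
    print("offset-list 10 in 100000  :", [r.metric for r in offset_list(ROUTES, ACL_OFFSET, 100000)])
```

Running it shows the point of the prefix-list: the access-list version of the distribute-list drops both 10.1.1.0/24 and 10.1.1.128/25, because the wildcard mask covers both network addresses, while the prefix-list version drops only 10.1.1.0/24, because the /25 has a different prefix length. The offset-list never removes anything; it only raises the metric of the matched routes (all of them with access-list 0, all except 20.1.1.0/24 with the access-list from the text).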
Very simple and yet clear explanation.
Simple and nice explanation... Really appreciate it.
What about route map?
good explanation !!!
Thank you so much for this explanation. This distinction has been a problem for me for a long time.
If an ACL is applied for a route, should it exactly match the subnet mask, or will any route within the range of the access list be permitted?
Good
very clean information.
Thank you!!!!!!!!!