From: Roger Dellaca (rdellaca@xxxxxxxxxx)
Date: Fri Sep 29 2000 - 14:35:16 GMT-3
Unlike other extended access lists, which are source & destination address (with
wildcard for both), this is address & mask (with wildcard for both), as you stated originally.
CCO reference: IP services command reference -
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_r/1rprt2/1rip.htm#xtocid5132
<start relevant text>:
The following examples show how wildcard bits are used to indicate the bits of
the prefix or mask that are relevant. They are similar to the bitmasks that are
used with normal access lists. Prefix/mask bits corresponding to wildcard bits
set to 1 are ignored during comparisons and prefix/mask bits corresponding to
wildcard bits set to 0 are used in comparison.
In the following example, permit 192.108.0.0 255.255.0.0 but deny any more specific routes of 192.108.0.0 (including 192.108.0.0 255.255.255.0).
access-list 101 permit ip 192.108.0.0 0.0.0.0 255.255.0.0 0.0.0.0
access-list 101 deny ip 192.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255
In the following example, permit 131.108.0/24 but deny 131.108/16 and all other subnets of 131.108.0.0.
access-list 101 permit ip 131.108.0.0 0.0.0.0 255.255.255.0 0.0.0.0
access-list 101 deny ip 131.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255
<end relevant text>
The only part I don't really understand of Halabi's example is why the wildcard
on the 1st part (the network #) - if the second part is only the mask 255.255.0.0
with no wildcard on the mask, then won't the last 2 octets of the network HAVE TO be 0.0? But I can live with that.
>>> Kevin Baumgartner <kbaumgar@cisco.com> 09/29 9:50 AM >>>
OK I just had a thought about what this access-list might be all about.
Since this is an aggregate address this is going to be broadcast (or unicast) to
all BGP neighbors. Hence the destination address of 255.255.0.0 0.0.0.0.
So if this is the case then the access-list makes sense. But I could be
completely off with this theory. Best I can come up with.
Kevin
>Date: Fri, 29 Sep 2000 09:36:41 -0700
>To: "Connary, Julie Ann" <jconnary@cisco.com>
>From: Kevin Baumgartner <kbaumgar@witbier.cisco.com>
>Subject: Re: question on extended access-lists for BGP route filtering
>Cc: ccielab@groupstudy.com
>
>Yea I saw the same and was trying to understand how this access-list works.
>
> So the concept was to only allow the summary route 172.16.0.0 through and
>not any of the 172.16.1.0, 172.16.2.0.
>
>And access-list 101 permit ip 172.16.0.0 0.0.255.255 255.255.0.0 0.0.0.0
>
>would do this.
>
> But like you I still don't understand how this access-list will do that.
>
> Kevin
>
>
>At 10:46 AM 9/29/00 -0400, you wrote:
>>Hi All,
>>
>>In Halabi's Internet Routing Architectures book he has the following example that confuses me (page 310):
>>
>>If you want to filter 172.16.0.0/16 such that only 172.16.0.0/16 and not 172.16.0.0/17, 172.16.0.0/18 ... are
>>also permitted you must use an extended access-list. Thus the standard access-list will not work:
>>
>>access-list 1 permit 172.16.0.0 0.0.255.255
>>
>>
>>He then goes on to define an extended access list as:
>>
>>access-list access-list-number permit ip network-number network-do-not-care-bits mask mask-do-not-care-bits.
>>
>>And gives the following example:
>>
>>access-list 101 permit ip 172.16.0.0 0.0.255.255 255.255.0.0 0.0.0.0
>>
>>
>>My question is, where did he get that definition of an extended access-list that says the second
>>set of address/mask pairs is a mask/mask-wildcards pair? Is this specific to how BGP will
>>use the extended-access list vs. using the access-list in say an ACL? I always understood the second pair
>>was the destination network or host.
>>
>>Julie Ann
>>
>>
>>
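To make the prefix-and-mask matching described in the CCO text concrete, here is an added Python simulation of those semantics (not from the thread or from IOS itself) that evaluates routes against Halabi's access-list and the first CCO example; `evaluate`, `parse_entry` and `wildcard_match` are names chosen here.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(value: str, pattern: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'ignore this bit',
    a 0 bit means the bit in value must equal the bit in pattern."""
    keep = ~_to_int(wildcard) & MASK32
    return (_to_int(value) & keep) == (_to_int(pattern) & keep)


def parse_entry(line: str):
    """Parse 'access-list N permit|deny ip NET NET-WC MASK MASK-WC' (hypothetical
    helper; only the extended-ACL form used in this thread is handled)."""
    tok = line.split()
    if len(tok) != 8 or tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError(f"unsupported ACL line: {line!r}")
    return tok[2], tok[4], tok[5], tok[6], tok[7]


def evaluate(acl_lines, prefix_cidr: str) -> str:
    """Return 'permit' or 'deny' for a route, read the way a BGP distribute-list
    reads an extended ACL: first pair tests the prefix, second pair tests the mask."""
    net = ipaddress.ip_network(prefix_cidr)
    prefix, mask = str(net.network_address), str(net.netmask)
    for line in acl_lines:
        action, net_pat, net_wc, mask_pat, mask_wc = parse_entry(line)
        if wildcard_match(prefix, net_pat, net_wc) and wildcard_match(mask, mask_pat, mask_wc):
            return action
    return "deny"  # the implicit deny at the end of every IOS access list


# Halabi's example from the thread: the /16 summary only, no longer prefixes
HALABI_ACL = ["access-list 101 permit ip 172.16.0.0 0.0.255.255 255.255.0.0 0.0.0.0"]

# First CCO example quoted above: permit the /16, deny any more specific 192.108 route
CCO_ACL = [
    "access-list 101 permit ip 192.108.0.0 0.0.0.0 255.255.0.0 0.0.0.0",
    "access-list 101 deny ip 192.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255",
]

if __name__ == "__main__":
    for route in ("172.16.0.0/16", "172.16.0.0/17", "172.16.1.0/24", "10.0.0.0/16"):
        print(route, "->", evaluate(HALABI_ACL, route))
    for route in ("192.108.0.0/16", "192.108.0.0/24", "192.108.7.0/24"):
        print(route, "->", evaluate(CCO_ACL, route))
```

Because the mask wildcard is 0.0.0.0, only an exact 255.255.0.0 mask can match, so the 0.0.255.255 wildcard on the network part would only ever matter for a prefix with non-zero host bits, which a routing table does not carry.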
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:25:09 GMT-3