From: damien (damien@xxxxxxxxxxx)
Date: Sat Sep 30 2000 - 08:57:59 GMT-3
Without knowing or wanting to know the intricacies of how the BGP software
interprets the access-list expression, just accept the fact that extended
access lists, when used for filtering BGP prefixes, are treated differently.
This can be very confusing........hence why prefix lists came into the
picture.....because a lot of people complained.
To give you examples:
access-list 100 permit ip 0.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
This matches prefixes..........172.16.x.x/y - 172.31.x.x/y
access-list 100 permit ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255
This matches 224.x.x.x/y - 255.x.x.x/y
where y >= 3. These are class D and E addresses.....
and Sanjay's right, it does work and is in use all over the
shop....!!......hope this has helped to confuse you a little bit more... ;-)
----- Original Message -----
From: "Kevin Baumgartner" <kbaumgar@cisco.com>
To: <jconnary@cisco.com>
Cc: <ccielab@groupstudy.com>
Sent: Friday, September 29, 2000 4:50 PM
Subject: Fwd: Re: question on extended access-lists for BGP route filtering
> OK I just had a thought about what this access-list might be all about.
> Since this is an aggregate address this is going to be broadcast (or unicast) to
> all BGP neighbors. Hence the destination address of 255.255.0.0 0.0.0.0.
>
> So if this is the case then the access-list makes sense. But I could be
> completely off with this theory. Best I can come up with.
>
> Kevin
>
>
> >Date: Fri, 29 Sep 2000 09:36:41 -0700
> >To: "Connary, Julie Ann" <jconnary@cisco.com>
> >From: Kevin Baumgartner <kbaumgar@witbier.cisco.com>
> >Subject: Re: question on extended access-lists for BGP route filtering
> >Cc: ccielab@groupstudy.com
> >
> >Yea I saw the same and was trying to understand how this access-list works.
> >
> > So the concept was to only allow the summary route 172.16.0.0 through and
> >not any of the 172.16.1.0, 172.16.2.0.
> >
> >And access-list 101 permit ip 172.16.0.0 0.0.255.255 255.255.0.0 0.0.0.0
> >
> >would do this.
> >
> > But like you I still don't understand how this access-list will do that.
> >
> > Kevin
> >
> >
> >At 10:46 AM 9/29/00 -0400, you wrote:
> >>Hi All,
> >>
> >>In Halabi's Internet Routing Architecture book he has the following
> >>example that confuses me (page 310):
> >>
> >>If you want to filter 172.16.0.0/16 such that only 172.16.0.0/16 and not
> >>172.16.0.0/17, 172.16.0.0/18 ... are also permitted you must use an
> >>extended access-list. Thus the standard access-list will not work:
> >>
> >>access-list 1 permit 172.16.0.0 0.0.255.255
> >>
> >>
> >>He then goes on to define an extended access list as:
> >>
> >>access-list access-list-number permit ip network-number
> >>network-do-not-care-bits mask mask-do-not-care-bits.
> >>
> >>And gives the following example:
> >>
> >>access-list 101 permit ip 172.16.0.0 0.0.255.255 255.255.0.0 0.0.0.0
> >>
> >>
> >>My question is, where did he get that definition of an extended
> >>access-list that says the second set of address/mask pairs is a
> >>mask/mask-wildcards pair? Is this specific to how BGP will use the
> >>extended access-list vs. using the access-list in say an ACL? I
> >>always understood the second pair was the destination network or host.
> >>
> >>Julie Ann
> >>
> >>
> >>
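The following Python is an added example, not code from the thread or from Cisco, that models the matching arithmetic the thread is arguing about: when an extended access-list is used to filter BGP prefixes, the first address/wildcard pair is compared with the prefix's network address and the second pair with the prefix's subnet mask, exactly as Halabi's definition (quoted above) states. A standard access-list only checks the network address, which is why `access-list 1 permit 172.16.0.0 0.0.255.255` also lets 172.16.0.0/17 and 172.16.1.0/24 through, while `access-list 101 permit ip 172.16.0.0 0.0.255.255 255.255.0.0 0.0.0.0` admits only the /16. The class D/E entry from the top of the thread is run through the same logic to show the "y >= 3" boundary. The tiny parser, the `Ace` type and the implicit-deny-at-end evaluation are this example's own simplifications, not an IOS implementation.

```python
"""Model of IOS standard vs. extended access-list matching against BGP prefixes.

Added example for the thread above; it is not IOS code. It only models the
bitwise matching, assuming (as Halabi describes) that for BGP prefix filtering
the second address/wildcard pair of an extended ACE is matched against the
prefix's subnet mask rather than against a destination address.
"""
import ipaddress
from dataclasses import dataclass


def _ip(text: str) -> int:
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def wildcard_match(value: int, pattern: int, wildcard: int) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~wildcard & 0xFFFFFFFF
    return (value & care) == (pattern & care)


@dataclass(frozen=True)
class Ace:
    """One access-list entry. For a standard ACE the mask pair defaults to
    'match any mask' (pattern 0, wildcard all ones), so only the network matters."""
    action: str          # "permit" or "deny"
    net: int             # first pair: compared with the prefix's network address
    net_wc: int
    mask: int = 0        # second pair: compared with the prefix's subnet mask
    mask_wc: int = 0xFFFFFFFF


def parse_ace(line: str) -> Ace:
    """Parse the two ACL shapes that appear in the thread (hypothetical mini-parser):
         access-list N permit A W              (standard)
         access-list N permit ip A W M MW      (extended)"""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line!r}")
    if t[3] == "ip":  # extended: network/wildcard then mask/wildcard
        return Ace(t[2], _ip(t[4]), _ip(t[5]), _ip(t[6]), _ip(t[7]))
    return Ace(t[2], _ip(t[3]), _ip(t[4]))  # standard: network/wildcard only


def acl_permits(acl: list[str], prefix: str) -> bool:
    """Evaluate one prefix (e.g. '172.16.0.0/16') against an ordered ACL.
    First matching entry decides; an unmatched prefix hits the implicit deny."""
    p = ipaddress.IPv4Network(prefix, strict=True)
    network, mask = int(p.network_address), int(p.netmask)
    for ace in map(parse_ace, acl):
        if (wildcard_match(network, ace.net, ace.net_wc)
                and wildcard_match(mask, ace.mask, ace.mask_wc)):
            return ace.action == "permit"
    return False


# The three access-lists quoted in the thread.
STANDARD = ["access-list 1 permit 172.16.0.0 0.0.255.255"]
EXTENDED = ["access-list 101 permit ip 172.16.0.0 0.0.255.255 255.255.0.0 0.0.0.0"]
CLASS_DE = ["access-list 100 permit ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255"]


def compare(prefix: str) -> dict:
    """Return what each of the thread's ACLs decides for a given prefix."""
    return {
        "standard": acl_permits(STANDARD, prefix),
        "extended": acl_permits(EXTENDED, prefix),
        "class_de": acl_permits(CLASS_DE, prefix),
    }


if __name__ == "__main__":
    for pfx in ("172.16.0.0/16", "172.16.0.0/17", "172.16.1.0/24",
                "224.0.0.0/3", "192.0.0.0/2", "239.255.255.255/32"):
        print(f"{pfx:20} {compare(pfx)}")
```

The key line is the second `wildcard_match` call: with a mask wildcard of `0.0.0.0` every mask bit is significant, so only a subnet mask of exactly `255.255.0.0` (a /16) can pass, whereas the standard entry's default wildcard of all ones makes the mask irrelevant. For the class D/E entry, the `224.0.0.0 31.255.255.255` mask pair requires the top three mask bits to be set, i.e. a prefix length of at least 3, which is the "y >= 3" in the thread.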
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:25:10 GMT-3