From: Jeff K. (jeffbk@xxxxxxxxxxxxx)
Date: Thu Aug 02 2001 - 18:14:34 GMT-3
When you use an extended IP ACL in routing filters, it is not the same as a
'typical' extended ACL that filters based on source and destination address.
In this case, it is used as a host network / subnet mask filter. Where you
would normally put the source address, you put the network prefix (this part
is normal), where the destination part would go, however, you put the mask
you want an exact match for (this is what separates it from a normal extended
ACL). So, in the example from the original post, you are denying all host
routes (32-bit mask) -- meaning they are advertised since it was a suppress
list.
Extended ACLs and especially prefix-lists give you a lot of flexibility in
BGP to control which specific networks are / aren't advertised.
HTH,
-Jeff
----- Original Message -----
From: "Charles Airhienbuwa" <airhienbuwa@lagos.sns.slb.com>
To: <ccielab@groupstudy.com>
Sent: Thursday, August 02, 2001 3:59 PM
Subject: Re: selecting based on SN-mask in ACL
> Fred,
> The 255.255.255.255 address is the all-subnet broadcast address.
> This is used by older routing protocols like RIP among others.
>
> Your access list is telling the router basically to block any IP packet
> with a destination address of 255.255.255.255. Routers that understand
> CIDR will treat this address (as used in our access-list) as any
> other host address.
>
> Charles
>
> At 09:07 PM 8/2/2001, Ademola Osindero wrote:
>
> I am more than surprised at your claim. Do you have
> any explanation for the host 255.255.255.255? I am
> still dazzled on how host masks really work (for
> instance ip add 14.1.2.30 255.255.255.255) and now I
> am seeing another one.
>
> --- "SPIKKER,FRED (HP-Netherlands,ex1)"
> <fred_spikker@hp.com> wrote:
> > Hi all,
> >
> > When looking at suppress maps for BGP, I ran into an
> > ACL-line that I find
> > hard to understand (though it works!).
> > Can anyone try to explain this to me?
> >
> > "access-list 110 deny ip any host 255.255.255.255"
> >
> > I would translate it into English like: "deny from
> > any source to a host with
> > dest. ip address 255.255.255.255."
> >
> > Apparently, it should be something like: " deny any
> > source with SN mask of
> > 255.255.255.255"
> >
> > I could learn this line by heart for implementing
> > suppress maps, but rather
> > understand what I'm doing..
> >
> > So please let me know.
> >
> > Thanks!
> >
> > Fred.
> >
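The matching rule Jeff describes (source field compared against the route's network prefix, destination field compared against its mask), modelled in Python as an added example that is not part of the original thread. The function names, the `permit ip any any` line and ACL 111 are constructed for illustration; only `ip` entries using `any`, `host` or address/wildcard pairs are handled.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def parse_ace(line):
    """'access-list N permit|deny ip <src> <dst>' -> (action, src, src_wc, dst, dst_wc)."""
    tok = line.split()
    action, rest = tok[2], tok[4:]
    fields = []
    while rest:
        if rest[0] == "any":            # any address: every bit is "don't care"
            fields += [0, 0xFFFFFFFF]; rest = rest[1:]
        elif rest[0] == "host":         # host X: wildcard 0.0.0.0, exact match
            fields += [ip(rest[1]), 0]; rest = rest[2:]
        else:                           # explicit address + wildcard pair
            fields += [ip(rest[0]), ip(rest[1])]; rest = rest[2:]
    return (action, *fields)

def wc_match(value, base, wildcard):
    care = ~wildcard & 0xFFFFFFFF       # wildcard bits set to 1 are ignored
    return (value & care) == (base & care)

def evaluate(acl_lines, route):
    """Return the action of the first entry matching the route, as a route filter would."""
    net = ipaddress.IPv4Network(route)
    for line in acl_lines:
        action, src, swc, dst, dwc = parse_ace(line)
        # Source field is tested against the prefix, destination field against the mask.
        if wc_match(int(net.network_address), src, swc) and \
           wc_match(int(net.netmask), dst, dwc):
            return action
    return "deny"                       # implicit deny at the end of every ACL

# First line is the one quoted in the thread; the second is constructed.
ACL_110 = ["access-list 110 deny ip any host 255.255.255.255",
           "access-list 110 permit ip any any"]
# Constructed: any prefix inside 10.0.0.0/8 whose mask is exactly /24.
ACL_111 = ["access-list 111 permit ip 10.0.0.0 0.255.255.255 255.255.255.0 0.0.0.0"]

if __name__ == "__main__":
    for acl, route in [(ACL_110, "14.1.2.30/32"), (ACL_110, "14.1.2.0/24"),
                       (ACL_111, "10.1.1.0/24"), (ACL_111, "10.1.0.0/16")]:
        print(f"{route:15} -> {evaluate(acl, route)}")
```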