From: Brian McGahan (brian@cyscoexpert.com)
Date: Sat Mar 15 2003 - 14:37:25 GMT-3
Yes, these prefixes would be allowed, along with 22.0.0.0/7,
126.0.0.0/7, etc. Anything with the first octet of 0-127 and a mask
ranging from 0-8 is permitted.
HTH
Brian McGahan, CCIE #8593
Director of Design and Implementation
brian@cyscoexpert.com
CyscoExpert Corporation
Internetwork Consulting & Training
Toll Free: 866-CyscoXP
Outside US: 847.674.3392
Fax: 847.674.2625
> -----Original Message-----
> From: OhioHondo [mailto:ohiohondo@columbus.rr.com]
> Sent: Saturday, March 15, 2003 11:24 AM
> To: Brian McGahan; 'OhioHondo'; ccielab@groupstudy.com
> Subject: RE: Is There a Relationship Between Prefix List and ACL??
>
> Brian
>
> To ease my confusion, would the following prefixes be allowed into an AS if
> "ip prefix-list AllowIn 0.0.0.0/1 le 8" was applied as a 'prefix-list in' to
> an EBGP neighbor?
>
> 22.0.0.0/8
> 126.0.0.0/8
> 49.0.0.0/8
>
>
> I think I understand what you are saying. If I specifically want only Class
> A nets (no supernets) then I should use 0.0.0.0/1 ge 8 le 8
>
>
>
> -----Original Message-----
> From: Brian McGahan [mailto:brian@cyscoexpert.com]
> Sent: Saturday, March 15, 2003 12:02 PM
> To: 'OhioHondo'; ccielab@groupstudy.com
> Subject: RE: Is There a Relationship Between Prefix List and ACL??
>
>
> You are not matching any class A subnets, but you are matching aggregate
> blocks of class A. If you want to match only classful networks of class
> A (i.e. only /8), the syntax of the prefix-list should read:
>
> ip prefix-list TEST permit 0.0.0.0/1 ge 8 le 8
>
> Now you are saying:
>
> Check the first bit of 0.0.0.0, it must be 0
> The mask is greater than or equal to 8
> The mask is also less than or equal to 8
>
> Where X is mask: 8 <= x <= 8
> Therefore X is only 8
>
> Try it for classes B and C too.
>
>
> HTH
>
> Brian McGahan, CCIE #8593
> Director of Design and Implementation
> brian@cyscoexpert.com
>
> CyscoExpert Corporation
> Internetwork Consulting & Training
> Toll Free: 866.CyscoXP
> Fax: 847.674.2625
>
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of OhioHondo
> > Sent: Saturday, March 15, 2003 9:09 AM
> > To: Brian Dennis; 'OhioHondo'; ccielab@groupstudy.com
> > Subject: RE: Is There a Relationship Between Prefix List and ACL??
> >
> > Brian
> >
> > Can this method be used for supernets?
> > Is the following valid/accurate for defining Class A networks, no subnets?
> >
> > ip access-list permit 0.0.0.0 127.255.255.255 255.0.0.0 0.0.0.0
> > is the same as
> > ip prefix-list TEST 0.0.0.0/1 le 8
> >
> > -----Original Message-----
> > From: Brian Dennis [mailto:brian@labforge.com]
> > Sent: Friday, March 14, 2003 6:34 PM
> > To: 'OhioHondo'; ccielab@groupstudy.com
> > Subject: RE: Is There a Relationship Between Prefix List and ACL??
> >
> >
> > Prefix lists didn't show up till 12.0T so before that if there was a
> > need to match not only the network but match the subnet mask you used an
> > extended ACL. A standard ACL can only match the network and not match
> > the subnet mask. An extended ACL is needed to match the subnet mask.
> >
> > Here is the syntax:
> > access-list <ACL #> permit ip <network> <wildcard mask of network> <subnet mask> <wildcard mask of subnet mask>
> >
> > Here are some examples:
> > access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.0.0 0.0.0.0
> > matches 10.0.0.0/16 - Only
> >
> > access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.255.0 0.0.0.0
> > matches 10.0.0.0/24 - Only
> >
> > access-list 100 permit ip 10.1.1.0 0.0.0.0 255.255.255.0 0.0.0.0
> > matches 10.1.1.0/24 - Only
> >
> > access-list 100 permit ip 10.0.0.0 0.0.255.0 255.255.255.0 0.0.0.0
> > matches 10.0.X.0/24 - Any number in the 3rd octet of the network with a
> > /24 subnet mask
> >
> > access-list 100 permit ip 10.0.0.0 0.255.255.0 255.255.255.0 0.0.0.0
> > matches 10.X.X.0/24 - Any number in the 2nd & 3rd octet of the network
> > with a /24 subnet mask
> >
> > access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.240 0.0.0.0
> > matches 10.X.X.X/28 - Any number in the 2nd, 3rd & 4th octet of the
> > network with a /28 subnet mask
> >
> > access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.0 0.0.0.255
> > matches 10.X.X.X/24 to 10.X.X.X/32 - Any number in the 2nd, 3rd & 4th
> > octet of the network with a /24 to /32 subnet mask
> >
> > access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.128 0.0.0.127
> > matches 10.X.X.X/25 to 10.X.X.X/32 - Any number in the 2nd, 3rd & 4th
> > octet of the network with a /25 to /32 subnet mask
> >
> > Brian Dennis, CCIE #2210 (R&S/ISP Dial/Security) CCSI# 98640
> > brian@labforge.com
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of OhioHondo
> > Sent: Friday, March 14, 2003 1:48 PM
> > To: ccielab@groupstudy.com
> > Subject: Is There a Relationship Between Prefix List and ACL??
> >
> > Every One
> >
> > Does this type of Extended ACL have a special name so I can look up
> > documentation on it??
> >
> > access-list 101 permit ip 12.0.0.0 0.0.0.255 255.255.255.0 255.255.255.255
> >
> > Second: I can see where the 12.0.0.0 0.0.0.255 can be the equivalent of the
> > 12.0.0.0/24 part of a prefix list. Do the 255.255.255.0 and the
> > 255.255.255.255 have equivalents in prefix list designation? (i.e. one is
> > the ge and one is the le?)
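
The matching rules discussed in this thread, as an added example that is not part of the original messages: a Python model of how a prefix-list entry with ge/le and an extended ACL used as a route filter each decide on a route, run over the prefixes named above. The function names and the 10.1.0.0/16 and 192.0.2.0/24 sample routes are constructed for illustration.

```python
import ipaddress

def _u32(addr):
    return int(ipaddress.ip_address(addr))

def prefix_list_match(entry, ge, le, route):
    """One prefix-list entry: leading bits must agree and the route's
    length must fall in the ge/le window (exact length if neither is set)."""
    e, r = ipaddress.ip_network(entry), ipaddress.ip_network(route)
    lo = ge if ge is not None else e.prefixlen
    hi = le if le is not None else (32 if ge is not None else e.prefixlen)
    shift = 32 - e.prefixlen
    same_bits = (int(r.network_address) >> shift) == (int(e.network_address) >> shift)
    return same_bits and lo <= r.prefixlen <= hi

def acl_route_match(net, net_wild, mask, mask_wild, route):
    """Extended ACL used as a route filter: the source pair is compared with
    the route's network, the destination pair with its subnet mask.
    Wildcard bits set to 1 are ignored."""
    r = ipaddress.ip_network(route)
    def agrees(value, pattern, wildcard):
        care = ~_u32(wildcard) & 0xFFFFFFFF
        return (value & care) == (_u32(pattern) & care)
    return (agrees(int(r.network_address), net, net_wild)
            and agrees(int(r.netmask), mask, mask_wild))

# Prefixes named in the thread, plus two constructed ones for contrast.
ROUTES = ["22.0.0.0/8", "126.0.0.0/8", "49.0.0.0/8", "22.0.0.0/7",
          "126.0.0.0/7", "10.1.0.0/16", "192.0.2.0/24"]

def admitted(match):
    """Return the sample routes that the given filter would let through."""
    return [r for r in ROUTES if match(r)]

LE8 = admitted(lambda r: prefix_list_match("0.0.0.0/1", None, 8, r))
GE8_LE8 = admitted(lambda r: prefix_list_match("0.0.0.0/1", 8, 8, r))
ACL_CLASS_A = admitted(lambda r: acl_route_match(
    "0.0.0.0", "127.255.255.255", "255.0.0.0", "0.0.0.0", r))

if __name__ == "__main__":
    print("0.0.0.0/1 le 8      ->", LE8)
    print("0.0.0.0/1 ge 8 le 8 ->", GE8_LE8)
    print("ACL, mask 255.0.0.0 ->", ACL_CLASS_A)
```

On this sample set the `le 8` entry also admits the /7 aggregates, while `ge 8 le 8` and the ACL with an exact 255.0.0.0 mask admit only the three /8 routes.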