From: Brian McGahan (brian@cyscoexpert.com)
Date: Sat Mar 15 2003 - 15:11:09 GMT-3
No it's not.
access-list 100 permit 0.0.0.0 127.255.255.255 128.0.0.0 127.0.0.0
matches:
X.0.0.0/Y where X is 0 - 127 and Y is 1 to 8
In prefix-list syntax this would be:
ip prefix-list X permit 0.0.0.0/1 ge 1 le 8
The only thing that 'ip prefix-list X permit 0.0.0.0/8 le 8' would match
is actually your default route of 0.0.0.0/0, since no route other than
default can have the first octet of 0.
I think you meant 'ip prefix-list X permit 0.0.0.0/1 le 8' which would
equate to:
access-list 100 permit 0.0.0.0 127.255.255.255 0.0.0.0 255.0.0.0
The only difference is that this prefix-list and access-list pair will
match the default route 0.0.0.0/0, while the first pair will not.
BTW, you keep leaving out the permit or deny statement. Prefix-list
does not default to permit, so you need to add this in.
HTH
Brian McGahan, CCIE #8593
Director of Design and Implementation
brian@cyscoexpert.com
CyscoExpert Corporation
Internetwork Consulting & Training
Toll Free: 866-CyscoXP
Outside US: 847.674.3392
Fax: 847.674.2625
> -----Original Message-----
> From: OhioHondo [mailto:ohiohondo@columbus.rr.com]
> Sent: Saturday, March 15, 2003 11:48 AM
> To: Brian McGahan
> Subject: RE: Is There a Relationship Between Prefix List and ACL??
>
> Brian
>
> With all the confusion I don't think this got answered:
>
> access-list 100 permit 0.0.0.0 127.255.255.255 128.0.0.0 127.0.0.0
>
> is this the same as
>
> ip prefix-list 0.0.0.0/8 le 8 ???
>
> Is it legal to use ACL's in this way??
>
> (Don't worry, I'm sold on prefix lists. I just want to understand the extent
> to which ACL's were/can be used in this manner.)
>
> -----Original Message-----
> From: Brian McGahan [mailto:brian@cyscoexpert.com]
> Sent: Saturday, March 15, 2003 12:37 PM
> To: 'OhioHondo'; ccielab@groupstudy.com
> Subject: RE: Is There a Relationship Between Prefix List and ACL??
>
>
> Yes, these prefixes would be allowed, along with 22.0.0.0/7,
> 126.0.0.0/7, etc. Anything with the first octet of 0-127 and a mask
> ranging from 0-8 is permitted.
>
>
> HTH
>
> Brian McGahan, CCIE #8593
> Director of Design and Implementation
> brian@cyscoexpert.com
>
> CyscoExpert Corporation
> Internetwork Consulting & Training
> Toll Free: 866-CyscoXP
> Outside US: 847.674.3392
> Fax: 847.674.2625
>
>
> > -----Original Message-----
> > From: OhioHondo [mailto:ohiohondo@columbus.rr.com]
> > Sent: Saturday, March 15, 2003 11:24 AM
> > To: Brian McGahan; 'OhioHondo'; ccielab@groupstudy.com
> > Subject: RE: Is There a Relationship Between Prefix List and ACL??
> >
> > Brian
> >
> > To ease my confusion, would the following prefixes be allowed into an AS if
> > "ip prefix-list AllowIn 0.0.0.0/1 le 8" was applied as a 'prefix-list in' to
> > an EBGP neighbor?
> >
> > 22.0.0.0/8
> > 126.0.0.0/8
> > 49.0.0.0/8
> >
> >
> > I think I understand what you are saying. If I specifically want only Class
> > A nets (no supernets) then I should use 0.0.0.0/1 ge 8 le 8
> >
> >
> >
> > -----Original Message-----
> > From: Brian McGahan [mailto:brian@cyscoexpert.com]
> > Sent: Saturday, March 15, 2003 12:02 PM
> > To: 'OhioHondo'; ccielab@groupstudy.com
> > Subject: RE: Is There a Relationship Between Prefix List and ACL??
> >
> >
> > You are not matching any class A subnets, but you are matching aggregate
> > blocks of class A. If you want to match only classful networks of class
> > A (i.e. only /8), the syntax of the prefix-list should read:
> >
> > ip prefix-list TEST permit 0.0.0.0/1 ge 8 le 8
> >
> > Now you are saying:
> >
> > Check the first bit of 0.0.0.0, it must be 0
> > The mask is greater than or equal to 8
> > The mask is also less than or equal to 8
> >
> > Where X is mask: 8 <= x <= 8
> > Therefore X is only 8
> >
> > Try it for classes B and C too.
> >
> >
> > HTH
> >
> > Brian McGahan, CCIE #8593
> > Director of Design and Implementation
> > brian@cyscoexpert.com
> >
> > CyscoExpert Corporation
> > Internetwork Consulting & Training
> > Toll Free: 866.CyscoXP
> > Fax: 847.674.2625
> >
> >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of OhioHondo
> > > Sent: Saturday, March 15, 2003 9:09 AM
> > > To: Brian Dennis; 'OhioHondo'; ccielab@groupstudy.com
> > > Subject: RE: Is There a Relationship Between Prefix List and ACL??
> > >
> > > Brian
> > >
> > > Can this method be used for supernets?
> > > Is the following valid/accurate for defining Class A networks, no subnets?
> > >
> > > ip access-list permit 0.0.0.0 127.255.255.255 255.0.0.0 0.0.0.0
> > > is the same as
> > > ip prefix-list TEST 0.0.0.0/1 le 8
> > >
> > > -----Original Message-----
> > > From: Brian Dennis [mailto:brian@labforge.com]
> > > Sent: Friday, March 14, 2003 6:34 PM
> > > To: 'OhioHondo'; ccielab@groupstudy.com
> > > Subject: RE: Is There a Relationship Between Prefix List and ACL??
> > >
> > >
> > > Prefix lists didn't show up till 12.0T so before that if there was a
> > > need to match not only the network but match the subnet mask you used an
> > > extended ACL. A standard ACL can only match the network and not match
> > > the subnet mask. An extended ACL is needed to match the subnet mask.
> > >
> > > Here is the syntax:
> > > access-list <ACL #> permit ip <network> <wildcard mask of network>
> > > <subnet mask> <wildcard mask of subnet mask>
> > >
> > > Here are some examples:
> > > access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.0.0 0.0.0.0
> > > matches 10.0.0.0/16 - Only
> > >
> > > access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.255.0 0.0.0.0
> > > matches 10.0.0.0/24 - Only
> > >
> > > access-list 100 permit ip 10.1.1.0 0.0.0.0 255.255.255.0 0.0.0.0
> > > matches 10.1.1.0/24 - Only
> > >
> > > access-list 100 permit ip 10.0.0.0 0.0.255.0 255.255.255.0 0.0.0.0
> > > matches 10.0.X.0/24 - Any number in the 3rd octet of the network with a
> > > /24 subnet mask
> > >
> > > access-list 100 permit ip 10.0.0.0 0.255.255.0 255.255.255.0 0.0.0.0
> > > matches 10.X.X.0/24 - Any number in the 2nd & 3rd octet of the network
> > > with a /24 subnet mask
> > >
> > > access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.240 0.0.0.0
> > > matches 10.X.X.X/28 - Any number in the 2nd, 3rd & 4th octet of the
> > > network with a /28 subnet mask
> > >
> > > access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.0 0.0.0.255
> > > matches 10.X.X.X/24 to 10.X.X.X/32 - Any number in the 2nd, 3rd & 4th
> > > octet of the network with a /24 to /32 subnet mask
> > >
> > > access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.128 0.0.0.127
> > > matches 10.X.X.X/25 to 10.X.X.X/32 - Any number in the 2nd, 3rd & 4th
> > > octet of the network with a /25 to /32 subnet mask
> > >
> > > Brian Dennis, CCIE #2210 (R&S/ISP Dial/Security) CCSI# 98640
> > > brian@labforge.com
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of OhioHondo
> > > Sent: Friday, March 14, 2003 1:48 PM
> > > To: ccielab@groupstudy.com
> > > Subject: Is There a Relationship Between Prefix List and ACL??
> > >
> > > Every One
> > >
> > > Does this type of Extended ACL have a special name so I can look up
> > > documentation on it??
> > >
> > > access-list 101 permit ip 12.0.0.0 0.0.0.255 255.255.255.0 255.255.255.255
> > >
> > > Second: I can see where the 12.0.0.0 0.0.0.255 can be the equivalent of the
> > > 12.0.0.0/24 part of a prefix list. Do the 255.255.255.0 and the
> > > 255.255.255.255 have equivalents in prefix list designation? (i.e. one is
> > > the ge and one is the le?)
This archive was generated by hypermail 2.1.4 : Sat Apr 05 2003 - 08:51:40 GMT-3
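
The matching rules discussed in this thread, modelled in Python as an added example (not code from any of the posters): it evaluates the extended-ACL route filter and the `ge`/`le` prefix-list forms against every prefix up to /12 to check that the two pairs from the thread agree. Function names and the `ROUTES` sample are hypothetical/constructed; only prefix-list entries with explicit `ge` and `le` are modelled, and routes are assumed to carry contiguous masks.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def acl_match(route, net, net_wc, mask, mask_wc):
    # Extended ACL as a route filter: the first address/wildcard pair is
    # checked against the route's network, the second against its subnet
    # mask. A 1 bit in a wildcard means "ignore this bit".
    r = ipaddress.IPv4Network(route)
    net_care = ~ip(net_wc) & 0xFFFFFFFF
    mask_care = ~ip(mask_wc) & 0xFFFFFFFF
    return ((int(r.network_address) ^ ip(net)) & net_care == 0
            and (int(r.netmask) ^ ip(mask)) & mask_care == 0)

def prefix_list_match(route, prefix, ge, le):
    # Prefix-list entry with explicit ge and le (the only form modelled
    # here): the route must lie inside `prefix` and ge <= length <= le.
    r = ipaddress.IPv4Network(route)
    return (ge <= r.prefixlen <= le
            and r.network_address in ipaddress.IPv4Network(prefix))

def all_prefixes(max_len):
    # Every valid IPv4 prefix of length 0..max_len.
    for plen in range(max_len + 1):
        step = 1 << (32 - plen)
        for i in range(1 << plen):
            yield f"{ipaddress.IPv4Address(i * step)}/{plen}"

def disagreements(acl, pl, max_len=12):
    # Prefixes on which the ACL and the prefix-list entry give different verdicts.
    return [r for r in all_prefixes(max_len)
            if acl_match(r, *acl) != prefix_list_match(r, *pl)]

def permitted(routes, acl):
    return [r for r in routes if acl_match(r, *acl)]

# Entries taken from the thread.
AGG_ACL = ("0.0.0.0", "127.255.255.255", "128.0.0.0", "127.0.0.0")
AGG_PL = ("0.0.0.0/1", 1, 8)        # 0.0.0.0/1 ge 1 le 8
CLASS_A_ACL = ("0.0.0.0", "127.255.255.255", "255.0.0.0", "0.0.0.0")
CLASS_A_PL = ("0.0.0.0/1", 8, 8)    # 0.0.0.0/1 ge 8 le 8

# Constructed sample of received routes.
ROUTES = ["0.0.0.0/0", "22.0.0.0/7", "22.0.0.0/8", "49.0.0.0/8",
          "126.0.0.0/7", "10.1.0.0/16", "128.0.0.0/8"]

if __name__ == "__main__":
    print(permitted(ROUTES, AGG_ACL))
    print(permitted(ROUTES, CLASS_A_ACL))
    print(disagreements(AGG_ACL, AGG_PL), disagreements(CLASS_A_ACL, CLASS_A_PL))
```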