RE: Is There a Relationship Between Prefix List and ACL??

From: Mr. Richard L. Pickard (nettable_walker@attbi.com)
Date: Mon Mar 17 2003 - 21:37:05 GMT-3


Example please --- I need help with this

Richard

//

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
OhioHondo
Sent: Saturday, March 15, 2003 11:24 AM
To: Brian McGahan; 'OhioHondo'; ccielab@groupstudy.com
Subject: RE: Is There a Relationship Between Prefix List and ACL??

Brian

To ease my confusion, would the following prefixes be allowed into an AS if
"ip prefix-list AllowIn 0.0.0.0/1 le 8" was applied as a 'prefix-list in' to
an EBGP neighbor?

22.0.0.0/8
126.0.0.0/8
49.0.0.0/8

I think I understand what you are saying. If I specifically want only Class
A nets (no supernets) then I should use 0.0.0.0/1 ge 8 le 8

-----Original Message-----
From: Brian McGahan [mailto:brian@cyscoexpert.com]
Sent: Saturday, March 15, 2003 12:02 PM
To: 'OhioHondo'; ccielab@groupstudy.com
Subject: RE: Is There a Relationship Between Prefix List and ACL??

You are not matching any class A subnets, but you are matching aggregate
blocks of class A. If you want to match only classful networks of class
A (i.e. only /8), the syntax of the prefix-list should read:

ip prefix-list TEST permit 0.0.0.0/1 ge 8 le 8

Now you are saying:

Check the first bit of 0.0.0.0, it must be 0
The mask is greater than or equal to 8
The mask is also less than or equal to 8

Where X is mask: 8 <= X <= 8
Therefore X is only 8

Try it for classes B and C too.

HTH

Brian McGahan, CCIE #8593
Director of Design and Implementation
brian@cyscoexpert.com

CyscoExpert Corporation
Internetwork Consulting & Training
Toll Free: 866.CyscoXP
Fax: 847.674.2625

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> OhioHondo
> Sent: Saturday, March 15, 2003 9:09 AM
> To: Brian Dennis; 'OhioHondo'; ccielab@groupstudy.com
> Subject: RE: Is There a Relationship Between Prefix List and ACL??
>
> Brian
>
> Can this method be used for supernets?
> Is the following valid/accurate for defining Class A networks, no subnets?
>
> ip access-list permit 0.0.0.0 127.255.255.255 255.0.0.0 0.0.0.0
> is the same as
> ip prefix-list TEST 0.0.0.0/1 le 8
>
> -----Original Message-----
> From: Brian Dennis [mailto:brian@labforge.com]
> Sent: Friday, March 14, 2003 6:34 PM
> To: 'OhioHondo'; ccielab@groupstudy.com
> Subject: RE: Is There a Relationship Between Prefix List and ACL??
>
>
> Prefix lists didn't show up till 12.0T so before that if there was a
> need to match not only the network but match the subnet mask you used
> an extended ACL. A standard ACL can only match the network and not match
> the subnet mask. An extended ACL is needed to match the subnet mask.
>
> Here is the syntax:
> access-list <ACL #> permit ip <network> <wildcard mask of network>
> <subnet mask> <wildcard mask of subnet mask>
>
> Here are some examples:
> access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.0.0 0.0.0.0
> matches 10.0.0.0/16 - Only
>
> access-list 100 permit ip 10.0.0.0 0.0.0.0 255.255.255.0 0.0.0.0
> matches 10.0.0.0/24 - Only
>
> access-list 100 permit ip 10.1.1.0 0.0.0.0 255.255.255.0 0.0.0.0
> matches 10.1.1.0/24 - Only
>
> access-list 100 permit ip 10.0.0.0 0.0.255.0 255.255.255.0 0.0.0.0
> matches 10.0.X.0/24 - Any number in the 3rd octet of the network with
> a /24 subnet mask
>
> access-list 100 permit ip 10.0.0.0 0.255.255.0 255.255.255.0 0.0.0.0
> matches 10.X.X.0/24 - Any number in the 2nd & 3rd octet of the network
> with a /24 subnet mask
>
> access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.240 0.0.0.0
> matches 10.X.X.X/28 - Any number in the 2nd, 3rd & 4th octet of the
> network with a /28 subnet mask
>
> access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.0 0.0.0.255
> matches 10.X.X.X/24 to 10.X.X.X/32 - Any number in the 2nd, 3rd & 4th
> octet of the network with a /24 to /32 subnet mask
>
> access-list 100 permit ip 10.0.0.0 0.255.255.255 255.255.255.128 0.0.0.127
> matches 10.X.X.X/25 to 10.X.X.X/32 - Any number in the 2nd, 3rd & 4th
> octet of the network with a /25 to /32 subnet mask
>
> Brian Dennis, CCIE #2210 (R&S/ISP Dial/Security) CCSI# 98640
> brian@labforge.com
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> OhioHondo
> Sent: Friday, March 14, 2003 1:48 PM
> To: ccielab@groupstudy.com
> Subject: Is There a Relationship Between Prefix List and ACL??
>
> Everyone
>
> Does this type of Extended ACL have a special name so I can look up
> documentation on it??
>
> access-list 101 permit ip 12.0.0.0 0.0.0.255 255.255.255.0 255.255.255.255
>
> Second: I can see where the 12.0.0.0 0.0.0.255 can be the equivalent of
> the 12.0.0.0/24 part of a prefix list. Do the 255.255.255.0 and the
> 255.255.255.255 have equivalents in prefix list designation? (i.e. one
> is the ge and one is the le?)
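
Added example (not part of any message in this thread): a small Python model of the two matching rules discussed above, run over the three /8 prefixes asked about plus three constructed routes for contrast. The function names and the extra sample routes are assumptions made for illustration, not IOS code.

```python
import ipaddress

def ip(s):
    """Dotted quad -> 32-bit integer."""
    return int(ipaddress.IPv4Address(s))

def prefix_list_match(entry, route, ge=None, le=None):
    """Model of one prefix-list entry: the first `len` bits must equal the
    entry's, and the route's mask length must fall in the ge/le range."""
    e, r = ipaddress.ip_network(entry), ipaddress.ip_network(route)
    lo = ge if ge is not None else e.prefixlen
    hi = le if le is not None else (32 if ge is not None else e.prefixlen)
    covered = (int(r.network_address) & int(e.netmask)) == int(e.network_address)
    return covered and lo <= r.prefixlen <= hi

def ext_acl_match(net, net_wild, mask, mask_wild, route):
    """Model of an extended ACL used as a route filter: the 'source' pair
    matches the network address, the 'destination' pair matches the mask.
    Wildcard bits set to 1 are ignored in the comparison."""
    r = ipaddress.ip_network(route)
    net_diff = (int(r.network_address) ^ ip(net)) & ~ip(net_wild)
    mask_diff = (int(r.netmask) ^ ip(mask)) & ~ip(mask_wild)
    return net_diff == 0 and mask_diff == 0

# Constructed sample: the three /8s from the thread, then an aggregate,
# a subnet and a /8 whose first bit is 1, added here for contrast.
ROUTES = ["22.0.0.0/8", "126.0.0.0/8", "49.0.0.0/8",
          "64.0.0.0/2", "10.1.0.0/16", "128.0.0.0/8"]

def evaluate(routes=ROUTES):
    """Per route: (0.0.0.0/1 le 8, 0.0.0.0/1 ge 8 le 8, ACL with exact 255.0.0.0)."""
    return {
        r: (
            prefix_list_match("0.0.0.0/1", r, le=8),
            prefix_list_match("0.0.0.0/1", r, ge=8, le=8),
            ext_acl_match("0.0.0.0", "127.255.255.255", "255.0.0.0", "0.0.0.0", r),
        )
        for r in routes
    }

if __name__ == "__main__":
    for route, (le8, ge8le8, acl) in evaluate().items():
        print(f"{route:<14} le 8: {le8!s:<5} ge 8 le 8: {ge8le8!s:<5} ACL: {acl}")
```

The 64.0.0.0/2 row is the one where "le 8" and the ACL with an exact 255.0.0.0 mask give different answers.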



This archive was generated by hypermail 2.1.4 : Sat Apr 05 2003 - 08:51:41 GMT-3