From: Tim Fletcher (tim@fletchmail.net)
Date: Mon Apr 07 2003 - 17:30:26 GMT-3
At 10:55 AM 4/7/2003 -0700, Jason Wydra wrote:
>I don't quite understand the logic of this access list.
>
>access-list access-list-number permit ip network-number
>network-do-not-care-bits mask mask-do-not-care-bits
>
>If you want to filter on 172.16.0.0 only you would do this (according to
>Halabi page 314):
>
>access-list 101 permit ip 172.16.0.0 0.0.255.255 255.255.0.0 0.0.0.0
Think of a route as 2 completely separate parts, the address and the mask.
In your access list above you are specifying a network of 172.16.0.0, while
your mask (0.0.255.255) says you don't care about the last 2 octets (more
about this in a minute). You are also specifying a mask of 255.255.0.0,
while your mask (0.0.0.0) says all bits must match, so this access list
will only match a route with a 16 bit mask.
Because the network address always has all zeros, and we are only matching
a 16 bit mask, you could have accomplished the same thing with 172.16.0.0
0.0.0.0 for the network address.
Another example might help. If we wanted to match 172.16.0.0/16 - 24, we
would have to have a mask range from 255.255.0.0 to 255.255.255.0. To achieve
this, we could use a mask of 255.255.0.0 with a "don't care" mask of
0.0.255.0. So our access list would then be
access-list 101 permit ip 172.16.0.0 0.0.255.255 255.255.0.0 0.0.255.0
>Another example would be if you wanted to pass an aggregate-address with
>the more specifics to one AS but only pass the summary to anything beyond.
>The Halabi book (p. 348) shows this form of the access list using the
>summary 172.16.0.0/16.
>
>access-list 101 permit ip 172.16.0.0 0.0.255.255 host 255.255.0.0
>
>Can someone explain the logic behind these access lists and also the
>difference in using "host" statements within. Also, could you use a
>prefix-list to accomplish the same with less confusion and complexity?
The host statement is really just a shortcut, and makes much more sense in
the context of packet filtering. "Host" is just short for an exact match,
meaning all 0s in the "don't care" mask. For example:
host 172.16.0.0
is exactly the same as:
172.16.0.0 0.0.0.0
This sort of makes sense in the network section, and although it works
exactly the same in the mask section, it is less intuitive. If you want to
match one mask exactly, you could just replace the "0.0.0.0" following the
mask with a "host" preceding the mask. So the two examples you gave above are
exactly the same.
Prefix lists are much easier to use and understand, but slightly less
flexible. Prefix lists assume a contiguous mask, which in almost all real
world applications is just fine. Where it doesn't work is in some exercises
where you must match addresses with an odd 2nd octet, or something along
those lines.
>Thanks,
>
>Jason Wydra
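The matching logic Tim describes above (first address/wildcard pair compared against the route's network, second pair against its mask, a wildcard 1 bit meaning "don't care", and "host" being shorthand for a 0.0.0.0 wildcard) can be checked mechanically. The following is an added example, not code from the original thread or from Cisco; it models the semantics as explained in the reply and also implements the prefix-list form (network/length with optional ge/le, where ge without le runs up to /32) so the two can be compared on the same routes. The ACL lines and routes below are constructed from the thread's examples; the "odd second octet" entry is a constructed illustration of the non-contiguous case a prefix-list cannot express.

```python
"""Route filtering with Cisco-style extended ACLs versus prefix-lists.

Added example (not from the original post). An extended ACL used as a
route filter has two address/wildcard pairs: the first is matched against
the route's network, the second against the route's mask. Wildcard bits
set to 1 are "don't care"; 'host X' is shorthand for 'X 0.0.0.0'.
"""
import ipaddress


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _wildcard_match(value: int, reference: int, wildcard: int) -> bool:
    """Cisco wildcard semantics: only bits that are 0 in the wildcard must match."""
    care = ~wildcard & 0xFFFFFFFF
    return (value & care) == (reference & care)


def _take_pair(tokens, i):
    """Read one address/wildcard pair starting at tokens[i]; 'host X' == 'X 0.0.0.0'."""
    if tokens[i] == "host":
        return _to_int(tokens[i + 1]), 0, i + 2
    return _to_int(tokens[i]), _to_int(tokens[i + 1]), i + 2


def parse_extended_acl(line: str) -> dict:
    """Parse 'access-list N permit|deny ip NET NET-WC MASK MASK-WC' (host form allowed)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError("expected: access-list <n> permit|deny ip <net> <wc> <mask> <wc>")
    net, net_wc, i = _take_pair(tokens, 4)
    mask, mask_wc, i = _take_pair(tokens, i)
    if i != len(tokens):
        raise ValueError("unexpected trailing tokens: %s" % tokens[i:])
    return {"action": tokens[2], "net": net, "net_wc": net_wc,
            "mask": mask, "mask_wc": mask_wc}


def acl_matches_route(line: str, prefix: str) -> bool:
    """True if the route (e.g. '172.16.0.0/16') hits this extended ACL entry."""
    e = parse_extended_acl(line)
    route = ipaddress.ip_network(prefix)
    return (_wildcard_match(int(route.network_address), e["net"], e["net_wc"])
            and _wildcard_match(int(route.netmask), e["mask"], e["mask_wc"]))


def prefix_list_matches_route(entry: str, prefix: str) -> bool:
    """'A.B.C.D/L [ge N] [le M]': route lies inside A.B.C.D/L and its length is in [N, M].

    With no ge/le the length must equal L exactly; ge without le implies le 32.
    """
    tokens = entry.split()
    base = ipaddress.ip_network(tokens[0])
    opts = dict(zip(tokens[1::2], map(int, tokens[2::2])))
    lo = opts.get("ge", base.prefixlen)
    hi = opts.get("le", 32 if "ge" in opts else base.prefixlen)
    route = ipaddress.ip_network(prefix)
    return route.subnet_of(base) and lo <= route.prefixlen <= hi


# Constructed ACL entries modelled on the ones discussed in the thread.
EXACT_MASK = "access-list 101 permit ip 172.16.0.0 0.0.255.255 255.255.0.0 0.0.0.0"
HOST_FORM = "access-list 101 permit ip 172.16.0.0 0.0.255.255 host 255.255.0.0"
ZERO_NET_WC = "access-list 101 permit ip 172.16.0.0 0.0.0.0 255.255.0.0 0.0.0.0"
MASK_RANGE = "access-list 101 permit ip 172.16.0.0 0.0.255.255 255.255.0.0 0.0.255.0"
# Hypothetical non-contiguous match: second octet must be odd (wildcard 0.254.255.255
# cares only about the low bit of that octet), mask exactly /16.
ODD_SECOND_OCTET = "access-list 101 permit ip 172.1.0.0 0.254.255.255 host 255.255.0.0"
# Prefix-list equivalents of EXACT_MASK and MASK_RANGE.
PL_EXACT = "172.16.0.0/16"
PL_RANGE = "172.16.0.0/16 le 24"

if __name__ == "__main__":
    routes = ["172.16.0.0/16", "172.16.0.0/20", "172.16.1.0/24",
              "172.16.0.0/25", "172.16.0.0/15", "172.17.0.0/16"]
    for r in routes:
        print("%-15s exact=%-5s host=%-5s range=%-5s pl_exact=%-5s pl_range=%s" % (
            r, acl_matches_route(EXACT_MASK, r), acl_matches_route(HOST_FORM, r),
            acl_matches_route(MASK_RANGE, r), prefix_list_matches_route(PL_EXACT, r),
            prefix_list_matches_route(PL_RANGE, r)))
    for r in ["172.1.0.0/16", "172.2.0.0/16", "172.3.0.0/16"]:
        print("%-15s odd-second-octet=%s" % (r, acl_matches_route(ODD_SECOND_OCTET, r)))
```

Running it shows EXACT_MASK, HOST_FORM and ZERO_NET_WC agreeing on every route (they are the same filter), MASK_RANGE and PL_RANGE agreeing (both admit /16 through /24 under 172.16.0.0 and reject /25 and /15), and ODD_SECOND_OCTET accepting 172.1.0.0/16 and 172.3.0.0/16 but not 172.2.0.0/16, which no single prefix-list entry can express.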
This archive was generated by hypermail 2.1.4 : Thu May 01 2003 - 13:35:48 GMT-3