RE: IP EXTENDED ACCESS-LIST USAGE IN BGP

From: Brian McGahan (brian@cyscoexpert.com)
Date: Mon Apr 07 2003 - 20:19:31 GMT-3


Jason,

        This is legacy syntax that was a workaround before the
prefix-list was supported. The only advantage of this access-list
syntax now is that you can match on random bit positions. With a
prefix-list, you can only match bits sequentially starting with the most
significant.

access-list 101 permit ip 172.16.0.0 0.0.255.255 host 255.255.0.0

translates to:

ip prefix-list 101 permit 172.16.0.0/16

        A prefix-list can be referenced in three ways:

1. Directly applied to a BGP neighbor

        neighbor 1.2.3.4 prefix-list X [in|out]

2. In a route-map

        route-map Y permit 10
          match ip address prefix-list X

3. As a distribute-list in IGP

        distribute-list prefix X [in|out]

        When matching a prefix-list in a route-map, be sure to include
the 'prefix-list' keyword. Otherwise you will be matching a named
access-list. Since you can have a named access-list and prefix-list of
the same name, the router will not give you an error message.

HTH

Brian McGahan, CCIE #8593
Director of Design and Implementation
brian@cyscoexpert.com

CyscoExpert Corporation
Internetwork Consulting & Training
Toll Free: 866.CyscoXP
Fax: 847.674.2625

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Tim Fletcher
> Sent: Monday, April 07, 2003 3:30 PM
> To: Jason Wydra; ccielab@groupstudy.com
> Subject: Re: IP EXTENDED ACCESS-LIST USAGE IN BGP
>
> At 10:55 AM 4/7/2003 -0700, Jason Wydra wrote:
> >I don't quite understand the logic of this access list.
> >
> >access-list access-list-number permit ip network-number
> >network-do-not-care-bits mask mask-do-not-care-bits
> >
> >If you want to filter on 172.16.0.0 only you would do this (according to
> >Halabi page 314):
> >
> >access-list 101 permit ip 172.16.0.0 0.0.255.255 255.255.0.0 0.0.0.0
>
> Think of a route as 2 completely separate parts, the address and the mask.
>
> In your access list above you are specifying a network of 172.16.0.0, while
> your mask (0.0.255.255) says you don't care about the last 2 octets (more
> about this in a minute). You are also specifying a mask of 255.255.0.0,
> while your mask (0.0.0.0) says all bits must match, so this access list
> will only match a route with a 16 bit mask.
>
> Because the network address always has all zeros, and we are only matching
> a 16 bit mask, you could have accomplished the same thing with 172.16.0.0
> 0.0.0.0 for the network address.
>
> Another example might help. If we wanted to match 172.16.0.0/16 - 24, we
> would have to have a mask range from 255.255.0.0 to 255.255.255.0. To achieve
> this, we could use a mask of 255.255.0.0 with a "don't care" mask of
> 0.0.255.0. So our access list would then be
>
> access-list 101 permit ip 172.16.0.0 0.0.255.255 255.255.0.0 0.0.255.0
>
>
> >Another example would be if you wanted to pass an aggregate-address with
> >the more specifics to one AS but only pass the summary to anything beyond.
> >The Halabi book (p. 348) shows this form of the access list using the
> >summary 172.16.0.0/16.
> >
> >access-list 101 permit ip 172.16.0.0 0.0.255.255 host 255.255.0.0
> >
> >Can someone explain the logic behind these access lists and also the
> >difference in using "host" statements within. Also, could you use a
> >prefix-list to accomplish the same with less confusion and complexity?
>
> The host statement is really just a shortcut, and makes much more sense in
> the context of packet filtering. "Host" is just short for an exact match,
> meaning all 0s in the "don't care" mask. For example:
>
> host 172.16.0.0
>
> is exactly the same as:
>
> 172.16.0.0 0.0.0.0
>
> This sort of makes sense in the network section, and although it works
> exactly the same in the mask section, it is less intuitive. If you want to
> match 1 mask exactly, you could just replace the "0.0.0.0" following the
> mask with a "host" preceding the mask. So the 2 examples you gave above are
> exactly the same.
>
> Prefix lists are much easier to use and understand, but slightly less
> flexible. Prefix lists assume a contiguous mask, which in almost all real
> world applications is just fine. Where it doesn't work is in some exercises
> where you must match addresses with an odd 2nd octet, or something along
> those lines.
>
>
> >Thanks,
> >
> >Jason Wydra



This archive was generated by hypermail 2.1.4 : Thu May 01 2003 - 13:35:48 GMT-3