Re: Extended ACL with distribute list

From: wing_lam@jossynergy.com
Date: Tue Jun 17 2003 - 23:35:10 GMT-3


Hi, Sharma,

Yes, it's right. If you use standard access-list, all longer prefixes will
match in BGP's view.

So access-list 10 permit 172.16.0.0 0.0.3.255 will match /21, /22, /23 and
so on.

For extended access-list, the "destination" part means the subnet mask, in
your example,

"access-list 100 permit 172.16.0.0 0.0.3.255 255.255.252.0 0.0.0.0"

means only prefix 172.16.0.0/22, with subnet mask exactly equal to /22.

"access-list 100 permit ip host 172.16.0.0 host 255.255.252.0" will do the
same as above, but using the host keyword can only mean an exact match in
prefix length; no longer prefixes can be represented, i.e. only 172.16.0.0/22.

But if you use "access-list 100 permit 172.16.0.0 0.0.255.255 255.255.252.0
0.0.0.0", that may be 172.16.0.0/22, 172.16.4.0/22, 172.16.8.0/22 and so
on.

Your example "access-list 100 permit 172.16.0.0 0.0.0.255 255.255.252.0
0.0.0.0" will match nothing, as there is no case of 172.16.0.0/24 with
subnet mask /22.

Anyway, all three formats can be used.

Thx,
BBD (Big Black Dog)
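As an added example (not part of the thread, and not code from either poster), the following script models the matching rule the reply describes and that IOS applies to a BGP distribute-list: a standard ACL tests only the prefix's network address, an extended ACL tests its "source" field against the network address and its "destination" field against the subnet mask, and a prefix-list tests both block and length (going a little beyond the thread, it also accepts ge/le). The function names and the list of candidate prefixes are constructed for the example.

```python
# Added example, not from the thread: a small model of how IOS matches a BGP
# prefix against a distribute-list built from a standard ACL, an extended ACL
# or a prefix-list. Function names and the candidate prefixes are constructed.
import ipaddress

MASK32 = 0xFFFFFFFF


def _ip(text):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def wildcard_match(value, base, wildcard):
    """Cisco wildcard test: a 1 bit in the wildcard means 'don't care'."""
    care = ~wildcard & MASK32
    return (value & care) == (base & care)


def _take_field(tokens):
    """Consume one 'A.B.C.D wildcard' or 'host A.B.C.D' field."""
    if tokens[0] == "host":
        return _ip(tokens[1]), 0, tokens[2:]
    return _ip(tokens[0]), _ip(tokens[1]), tokens[2:]


def _split_prefix(prefix):
    net = ipaddress.IPv4Network(prefix)
    return int(net.network_address), int(net.netmask)


def standard_acl_matches(entry, prefix):
    """Standard ACL ('172.16.0.0 0.0.3.255'): only the network address is
    tested, so any prefix length whose network address falls inside the
    wildcard range passes."""
    base, wildcard = entry.split()
    net, _mask = _split_prefix(prefix)
    return wildcard_match(net, _ip(base), _ip(wildcard))


def extended_acl_matches(entry, prefix):
    """Extended ACL used as a distribute-list: the 'source' field is tested
    against the network address and the 'destination' field against the
    subnet mask. Takes the text after 'permit', with or without 'ip'."""
    tokens = entry.split()
    if tokens[0] == "ip":
        tokens = tokens[1:]
    src_base, src_wc, tokens = _take_field(tokens)
    dst_base, dst_wc, _rest = _take_field(tokens)
    net, mask = _split_prefix(prefix)
    return (wildcard_match(net, src_base, src_wc)
            and wildcard_match(mask, dst_base, dst_wc))


def prefix_list_matches(entry, prefix, ge=None, le=None):
    """prefix-list semantics: the candidate must sit inside the listed block;
    without ge/le its length must equal the listed length exactly."""
    listed = ipaddress.IPv4Network(entry)
    cand = ipaddress.IPv4Network(prefix)
    if not cand.subnet_of(listed):
        return False
    if ge is None and le is None:
        return cand.prefixlen == listed.prefixlen
    low = ge if ge is not None else listed.prefixlen
    high = le if le is not None else 32
    return low <= cand.prefixlen <= high


# Constructed candidate prefixes, as a BGP table might carry them.
CANDIDATES = [
    "172.16.0.0/21", "172.16.0.0/22", "172.16.0.0/23", "172.16.0.0/24",
    "172.16.1.0/24", "172.16.4.0/22", "172.16.8.0/22", "172.17.0.0/22",
]

# The entries discussed in the thread, keyed by the kind of list they belong to.
THREAD_ENTRIES = [
    ("standard", "172.16.0.0 0.0.3.255"),
    ("extended", "172.16.0.0 0.0.3.255 255.255.252.0 0.0.0.0"),
    ("extended", "ip host 172.16.0.0 host 255.255.252.0"),
    ("extended", "172.16.0.0 0.0.255.255 255.255.252.0 0.0.0.0"),
    ("extended", "172.16.0.0 0.0.0.255 255.255.252.0 0.0.0.0"),
    ("prefix-list", "172.16.0.0/22"),
]

MATCHERS = {
    "standard": standard_acl_matches,
    "extended": extended_acl_matches,
    "prefix-list": prefix_list_matches,
}


def matches_for(kind, entry, **opts):
    """Return the candidate prefixes that the given entry permits."""
    return [p for p in CANDIDATES if MATCHERS[kind](entry, p, **opts)]


if __name__ == "__main__":
    for kind, entry in THREAD_ENTRIES:
        print(f"{kind:11} {entry:48} -> {matches_for(kind, entry)}")
    print(f"{'prefix-list':11} {'172.16.0.0/22 le 24':48} -> "
          f"{matches_for('prefix-list', '172.16.0.0/22', le=24)}")
```

Running it shows why the book's entry needs 0.0.3.255 rather than 0.0.0.0 on the source side only if you want the network address tested loosely: with the destination side fixed at 255.255.252.0 0.0.0.0, only prefixes whose mask is exactly /22 pass, so 172.16.0.0 0.0.3.255 and host 172.16.0.0 both end up permitting just 172.16.0.0/22, while 0.0.255.255 also lets through 172.16.4.0/22 and 172.16.8.0/22. The mechanical evaluation also shows that the 0.0.0.255 entry is not empty: 172.16.0.0/22 itself satisfies it, because its network address 172.16.0.0 lies inside 172.16.0.0-172.16.0.255 and its mask is exactly /22. The host/host form and the plain prefix-list entry are the two that cannot be widened by accident, which is the reason to prefer them when the filter is a security boundary.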

From: "SHARMA,MOHIT (HP-Germany,ex1)" <mohit.sharma@hp.com>
Sent by: nobody@groupstudy.com
To: ccielab@groupstudy.com
cc:
Subject: Extended ACL with distribute list
Date: 06/18/2003 05:01 AM
Please respond to "SHARMA,MOHIT (HP-Germany,ex1)"

HI All,

Going through the Parkhurst BGP book, I found an example for the ACL while using
a BGP distribute list.
According to the book to match the aggregate 172.16.0.0 255.255.252.0, you
use-

access-list 100 permit 172.16.0.0 0.0.3.255 255.255.252.0 0.0.0.0

Is this really right?

Can I also use -

access-list 100 permit 172.16.0.0 0.0.0.255 255.255.252.0 0.0.0.0

Why do I need a 0.0.3.255 and not a complete 0.0.0.0 to match the network??

Also will these work as well-

access-list 100 permit host 172.16.0.0 host 255.255.252.0

or

prefix-list seq 5 permit 172.16.0.0/22.

Please do help.

Thanks as always.

Smiles,

Mohit.

Mohit Sharma
Network Operations Engineer
HP Operations
email: mohit_sharma@hp.com



This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:10:59 GMT-3