RE: Extended ACL with distribute list

From: wing_lam@jossynergy.com
Date: Wed Jun 18 2003 - 00:15:39 GMT-3


Thx, Brian, it's a typo.

From: "Brian Dennis" <brian@labforge.com>
To: <wing_lam@jossynergy.com>
cc: <ccielab@groupstudy.com>
Subject: RE: Extended ACL with distribute list
Date: 06/18/2003 11:12 AM

You need to specify the keyword "ip" in the extended ACL. He's missing
it in the book also ;-)

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
wing_lam@jossynergy.com
Sent: Tuesday, June 17, 2003 7:35 PM
To: SHARMA,MOHIT (HP-Germany,ex1)
Cc: ccielab@groupstudy.com
Subject: Re: Extended ACL with distribute list

Hi, Sharma,

Yes, it's right. If you use a standard access-list, all longer prefixes will match in BGP's view.

So "access-list 10 permit 172.16.0.0 0.0.3.255" will match /21, /22, /23 and so on.

For an extended access-list, the "destination" part means the subnet mask. In your example,

"access-list 100 permit 172.16.0.0 0.0.3.255 255.255.252.0 0.0.0.0"

means only prefix 172.16.0.0/22, with a subnet mask exactly equal to /22.

"access-list 100 permit ip host 172.16.0.0 host 255.255.252.0" will do the same as above, but using the host keyword can only mean an exact match in prefix length; no longer prefixes can be represented, i.e. only 172.16.0.0/22.

But if you use "access-list 100 permit 172.16.0.0 0.0.255.255 255.255.252.0 0.0.0.0", that may be 172.16.0.0/22, 172.16.4.0/22, 172.16.8.0/22 and so on.

Your example "access-list 100 permit 172.16.0.0 0.0.0.255 255.255.252.0 0.0.0.0" will match nothing, as there is no case of 172.16.0.0/24 with subnet mask /22.

Anyway, all three formats can be used.

Thx,
BBD (Big Black Dog)
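The matching rule discussed in this thread (a standard ACL is compared only against the prefix's network address, while an extended ACL's source part is compared against the network address and its destination part against the subnet mask) can be checked offline with a small simulator. The code below is an added example, not from any of the posters or from IOS itself: it parses the numbered ACL syntax quoted above with Cisco wildcard semantics, requires the "ip" protocol keyword on extended entries as Brian points out, and runs each entry over a constructed list of candidate BGP prefixes. The candidate prefixes and the helper names are my own.

```python
"""Simulate how an IOS distribute-list applies a numbered ACL to BGP prefixes.

Added example (constructed); the candidate prefix table is made up for
illustration and the function names are not IOS identifiers.
"""
import ipaddress


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _wildcard_match(value: int, pattern: int, wildcard: int) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~wildcard & 0xFFFFFFFF
    return (value & care) == (pattern & care)


def _take_pair(tokens):
    """Consume one 'ADDR WILDCARD', 'host ADDR' or 'any' group from tokens."""
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    wildcard = tokens[1] if len(tokens) > 1 else "0.0.0.0"
    return tokens[0], wildcard, tokens[2:]


def parse_acl_entry(line: str) -> dict:
    """Parse 'access-list N permit ...' into address/mask patterns.

    ACL numbers 1-99 (and 1300-1999) are standard; 100-199 (and 2000-2699)
    are extended. Extended entries must carry a protocol keyword, which for
    prefix filtering is 'ip'.
    """
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] != "permit":
        raise ValueError(f"unsupported entry: {line!r}")
    number = int(tokens[1])
    extended = 100 <= number <= 199 or 2000 <= number <= 2699
    rest = tokens[3:]
    if extended:
        if rest[0] != "ip":
            raise ValueError("extended ACL needs the 'ip' protocol keyword")
        rest = rest[1:]
    addr, addr_wc, rest = _take_pair(rest)
    mask = mask_wc = None
    if extended:
        mask, mask_wc, rest = _take_pair(rest)
    if rest:
        raise ValueError(f"trailing tokens: {rest}")
    return {"addr": addr, "addr_wc": addr_wc, "mask": mask, "mask_wc": mask_wc}


def entry_is_valid(line: str) -> bool:
    """True if the entry parses; mirrors IOS rejecting a malformed line."""
    try:
        parse_acl_entry(line)
        return True
    except ValueError:
        return False


def prefix_matches(entry: dict, prefix: str) -> bool:
    """Apply one ACL entry to a BGP prefix such as '172.16.0.0/22'."""
    net = ipaddress.ip_network(prefix)  # strict: rejects non-canonical prefixes
    # The source part is compared with the prefix's network address...
    if not _wildcard_match(int(net.network_address),
                           _to_int(entry["addr"]), _to_int(entry["addr_wc"])):
        return False
    if entry["mask"] is None:
        return True  # standard ACL: the prefix length is never examined
    # ...and, for an extended ACL, the destination part with its subnet mask.
    return _wildcard_match(int(net.netmask),
                           _to_int(entry["mask"]), _to_int(entry["mask_wc"]))


def permitted_prefixes(line: str, candidates) -> list:
    """Return the candidates a single permit entry would let through."""
    entry = parse_acl_entry(line)
    return [p for p in candidates if prefix_matches(entry, p)]


# Constructed sample of prefixes as a BGP table might carry them.
CANDIDATES = [
    "172.16.0.0/21", "172.16.0.0/22", "172.16.0.0/23", "172.16.2.0/23",
    "172.16.4.0/22", "172.16.8.0/22", "172.17.0.0/22",
]

if __name__ == "__main__":
    for acl in (
        "access-list 10 permit 172.16.0.0 0.0.3.255",
        "access-list 100 permit ip 172.16.0.0 0.0.3.255 255.255.252.0 0.0.0.0",
        "access-list 100 permit ip host 172.16.0.0 host 255.255.252.0",
        "access-list 100 permit ip 172.16.0.0 0.0.255.255 255.255.252.0 0.0.0.0",
    ):
        print(acl, "->", permitted_prefixes(acl, CANDIDATES))
```

Running it shows the standard ACL letting every /21, /22 and /23 under 172.16.0.0 through, the two exact-mask forms (0.0.3.255 with a 0.0.0.0 mask wildcard, and host/host) admitting only 172.16.0.0/22, and the 0.0.255.255 form admitting each /22 in 172.16.0.0/16. The entry without the "ip" keyword is rejected by the parser, which is the behaviour Brian's note describes.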

From: "SHARMA,MOHIT (HP-Germany,ex1)" <mohit.sharma@hp.com>
Sent by: nobody@groupstudy.com
To: ccielab@groupstudy.com
cc:
Subject: Extended ACL with distribute list
Date: 06/18/2003 05:01 AM
Please respond to "SHARMA,MOHIT (HP-Germany,ex1)"

HI All,

Going through the Parkhurst BGP book, I found an example for the ACL while using a BGP distribute list. According to the book, to match the aggregate 172.16.0.0 255.255.252.0, you use:

access-list 100 permit 172.16.0.0 0.0.3.255 255.255.252.0 0.0.0.0

Is this really right????????

Can I also use -

access-list 100 permit 172.16.0.0 0.0.0.255 255.255.252.0 0.0.0.0

Why do I need a 0.0.3.255 and not a complete 0.0.0.0 to match the network??

Also will these work as well-

access-list 100 permit host 172.16.0.0 host 255.255.252.0

or

prefix-list seq 5 permit 172.16.0.0/22.

Please do help.

Thanks as always.

Smiles,

Mohit.
____________________________________________________________________

****** _/ ****** | Mohit Sharma
***** _/ ***** | Network Operations Engineer
**** _/_/_/ _/_/_/ **** | HP Operations
**** _/ _/ _/ _/ **** |
**** _/ _/ _/_/_/ **** |
***** _/ ***** |
****** ******* | email: mohit_sharma@hp.com
                              |
 i n v e n t |



This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:11:00 GMT-3