RE: Simple ACL question

From: Brian McGahan (brian@cyscoexpert.com)
Date: Sun Jun 22 2003 - 22:01:50 GMT-3


Daniel,

        Technically neither of these answers is correct. A standard
access-list can only be used to check the network portion of a prefix,
not the mask.

access-list 1 permit 172.16.30.0 will match:

172.16.30.0/24
172.16.30.0/25
172.16.30.0/26
172.16.30.0/27
172.16.30.0/28
172.16.30.0/29
172.16.30.0/30
172.16.30.0/31
172.16.30.0/32

access-list 1 permit 192.168.2.64 will match:

192.168.2.64/26
192.168.2.64/27
192.168.2.64/28
192.168.2.64/29
192.168.2.64/30
192.168.2.64/31
192.168.2.64/32

        As far as standard access-lists go, you could think of the above
two answers as the least incorrect answers. The following two answers
are even more incorrect:

access-list 1 permit 172.16.30.0 0.0.0.255 will match

172.16.30.x/24
172.16.30.x/25
172.16.30.x/26
172.16.30.x/27
172.16.30.x/28
172.16.30.x/29
172.16.30.x/30
172.16.30.x/31
172.16.30.x/32

where "x" is any number.

access-list 1 permit 192.168.2.64 0.0.0.63 will match

192.168.2.y/26
192.168.2.y/27
192.168.2.y/28
192.168.2.y/29
192.168.2.y/30
192.168.2.y/31
192.168.2.y/32

where 64 <= y <= 127

If you want to be 100% accurate, use a prefix-list. In the case of BGP,
you can also use an extended access-list. If you want to match the
following networks:

172.16.30.0 / 24
192.168.2.64 / 26

Your syntax should be either

ip prefix-list X permit 172.16.30.0/24
ip prefix-list X permit 192.168.2.64/26

Or

access-list 100 permit ip host 172.16.30.0 host 255.255.255.0
access-list 100 permit ip host 192.168.2.64 host 255.255.255.192

        Access-lists should really only be used to filter traffic.
Whenever you are dealing with actual routes, use a prefix-list. The
prefix-list can be applied in 3 ways, as a distribute-list, matched in a
route-map, or directly to a BGP neighbor.

HTH

Brian McGahan, CCIE #8593
Director of Design and Implementation
brian@cyscoexpert.com

CyscoExpert Corporation
Internetwork Consulting & Training
Toll Free: 866-CyscoXP
Outside US: 847.674.3392
Fax: 847.674.2625

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Daniel Cisco Group Study
> Sent: Sunday, June 22, 2003 7:38 PM
> To: ccielab@groupstudy.com
> Subject: Simple ACL question
>
> Simple question:
>
> I need to create an ACL to filter / redistribute / (whatever) the two
> routes:
>
> 172.16.30.0 / 24
> 192.168.2.64 / 26
>
> I've always used the "lazy", or what I call the efficient method:
>
> access-list 1 permit 172.16.30.0
> access-list 1 permit 192.168.2.64
>
> It has always worked for me no problem.
>
>
> However, every "authority" always specifies the masks:
>
> access-list 1 permit 172.16.30.0 0.0.0.255
> access-list 1 permit 192.168.2.64 0.0.0.63
>
> In my mind, these masks are simply killing electrons, and taking up my
> time.... I know how to use them, but why bother?
>
>
> The big questions:
>
> (1) Am I wrong in saying that these masks are unnecessary?
>
> (2) In the lab, do we play it safe, and specify the "useless" masks?
>
> (3) Has anyone (knowingly) got away with the first method in the lab?
> (without breaking NDA)
>
>
> I don't mind having to specify the masks, but I'd love to know WHY I
> should (apart from losing marks if I don't)........
>
> Daniel
>
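Brian's explanation above, as an added worked example that is not part of the thread and not Cisco's code: a small Python model of how IOS tests a route against a standard ACL (network address only, prefix length ignored), against an ip prefix-list (exact length match, plus the ge/le range form, which goes beyond the exact-match case discussed above), and against the extended-ACL form used to filter BGP routes (source field tested against the network, destination field against the mask). The function names, the tuple layouts and the sample route set are constructed here for illustration.

```python
import ipaddress
from typing import List, Optional, Tuple

# Hypothetical helper module, added as an example; not from the original thread.
# It models how IOS evaluates a route against a standard ACL, a prefix-list and
# the extended-ACL form used for BGP, so the difference described can be checked.


def wildcard_match(entry: str, wildcard: str, addr: str) -> bool:
    """Cisco wildcard-mask test: a 0 bit in the wildcard must match, a 1 bit is 'don't care'."""
    e = int(ipaddress.IPv4Address(entry))
    w = int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(addr))
    return (e ^ a) & (~w & 0xFFFFFFFF) == 0


StdEntry = Tuple[str, str, str]  # (action, address, wildcard); an omitted wildcard is "0.0.0.0"


def standard_acl_matches(entries: List[StdEntry], route: str) -> bool:
    """Standard ACL applied to a route (e.g. via distribute-list): only the network
    address is tested; the route's prefix length is ignored entirely. Implicit deny."""
    net = ipaddress.IPv4Network(route, strict=False)
    for action, entry, wildcard in entries:
        if wildcard_match(entry, wildcard, str(net.network_address)):
            return action == "permit"
    return False


PfxEntry = Tuple[str, str, Optional[int], Optional[int]]  # (action, prefix, ge, le)


def prefix_list_matches(entries: List[PfxEntry], route: str) -> bool:
    """ip prefix-list semantics: the first <len> bits of the route must equal the entry
    and the route's length must fall in the range implied by ge/le. With neither
    keyword the length must match exactly, which is the case in the thread."""
    r = ipaddress.IPv4Network(route, strict=False)
    for action, prefix, ge, le in entries:
        p = ipaddress.IPv4Network(prefix, strict=False)
        if ge is None and le is None:
            lo, hi = p.prefixlen, p.prefixlen
        elif le is None:
            lo, hi = ge, 32
        elif ge is None:
            lo, hi = p.prefixlen, le
        else:
            lo, hi = ge, le
        if r.subnet_of(p) and lo <= r.prefixlen <= hi:
            return action == "permit"
    return False


ExtEntry = Tuple[str, str, str, str, str]  # (action, src, src_wc, dst, dst_wc)


def extended_acl_bgp_matches(entries: List[ExtEntry], route: str) -> bool:
    """Extended ACL used to filter BGP routes: the source field is tested against the
    network address and the destination field against the subnet mask, so
    'permit ip host 172.16.30.0 host 255.255.255.0' matches exactly 172.16.30.0/24."""
    r = ipaddress.IPv4Network(route, strict=False)
    for action, src, src_wc, dst, dst_wc in entries:
        if wildcard_match(src, src_wc, str(r.network_address)) and \
           wildcard_match(dst, dst_wc, str(r.netmask)):
            return action == "permit"
    return False


# The filters from the thread, as Daniel and Brian wrote them.
LAZY_ACL = [("permit", "172.16.30.0", "0.0.0.0"), ("permit", "192.168.2.64", "0.0.0.0")]
MASKED_ACL = [("permit", "172.16.30.0", "0.0.0.255"), ("permit", "192.168.2.64", "0.0.0.63")]
PREFIX_LIST = [("permit", "172.16.30.0/24", None, None), ("permit", "192.168.2.64/26", None, None)]
BGP_EXT_ACL = [("permit", "172.16.30.0", "0.0.0.0", "255.255.255.0", "0.0.0.0"),
               ("permit", "192.168.2.64", "0.0.0.0", "255.255.255.192", "0.0.0.0")]

# Constructed sample routes: the two intended ones plus neighbours that should be rejected.
SAMPLE_ROUTES = ["172.16.30.0/24", "172.16.30.0/30", "172.16.30.128/25",
                 "192.168.2.64/26", "192.168.2.96/27", "192.168.2.128/26"]


def compare_filters(routes=SAMPLE_ROUTES):
    """Return {route: (lazy_acl, masked_acl, prefix_list, bgp_ext_acl)} for each route."""
    return {r: (standard_acl_matches(LAZY_ACL, r),
                standard_acl_matches(MASKED_ACL, r),
                prefix_list_matches(PREFIX_LIST, r),
                extended_acl_bgp_matches(BGP_EXT_ACL, r)) for r in routes}


if __name__ == "__main__":
    for route, res in compare_filters().items():
        print(f"{route:18} lazy={res[0]!s:5} masked={res[1]!s:5} "
              f"prefix-list={res[2]!s:5} bgp-ext={res[3]!s:5}")
```

Running it shows the point of the reply: 172.16.30.0/30 passes both standard ACLs because only the address is compared, 172.16.30.128/25 passes the masked ACL because the wildcard makes the last octet a don't-care, and only the prefix-list and the host/host extended ACL accept exactly 172.16.30.0/24 and 192.168.2.64/26 and nothing else.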



This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:11:06 GMT-3