RE: Simple ACL question

From: Mike Williams (ccie2be@swbell.net)
Date: Mon Jun 23 2003 - 01:40:44 GMT-3


I agree. Although using extended access lists is considered the "old"
way to filter specific subnet masks, and the new way is prefix-lists,
there are circumstances where you *could* use prefix-lists but it would
be noticeably longer than just using one or two extended access-lists to
accomplish the same task. A good example is the odd/even, or specific
bit patterns in the network address while also taking into account the
mask length.

Mike W.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Brian McGahan
Sent: Sunday, June 22, 2003 8:56 PM
To: sshafi@qualcomm.com; 'Daniel Cisco Group Study';
ccielab@groupstudy.com
Subject: RE: Simple ACL question

Shahid,

        You can't, at least not in a general case that would apply to
all prefixes. You *could* match each prefix individually and permit or
deny them, but you'd be better off just using an access-list.

HTH

Brian McGahan, CCIE #8593
Director of Design and Implementation
brian@cyscoexpert.com

CyscoExpert Corporation
Internetwork Consulting & Training
Toll Free: 866-CyscoXP
Outside US: 847.674.3392
Fax: 847.674.2625

> -----Original Message-----
> From: Shahid Shafi [mailto:sshafi@qualcomm.com]
> Sent: Sunday, June 22, 2003 8:07 PM
> To: 'Brian McGahan'; 'Daniel Cisco Group Study'; ccielab@groupstudy.com
> Subject: RE: Simple ACL question
>
> Brian,
>
> Sorry for a dumb question, but how can a prefix list filter odd/even routes?
>
> Thanks,
> Shahid
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Brian McGahan
> Sent: Sunday, June 22, 2003 6:02 PM
> To: 'Daniel Cisco Group Study'; ccielab@groupstudy.com
> Subject: RE: Simple ACL question
>
>
> Daniel,
>
> Technically neither of these answers is correct. A standard
> access-list can only be used to check the network portion of a prefix,
> not the mask.
>
> access-list 1 permit 172.16.30.0 will match:
>
> 172.16.30.0/24
> 172.16.30.0/25
> 172.16.30.0/26
> 172.16.30.0/27
> 172.16.30.0/28
> 172.16.30.0/29
> 172.16.30.0/30
> 172.16.30.0/31
> 172.16.30.0/32
>
> access-list 1 permit 192.168.2.64 will match:
>
> 192.168.2.64/26
> 192.168.2.64/27
> 192.168.2.64/28
> 192.168.2.64/29
> 192.168.2.64/30
> 192.168.2.64/31
> 192.168.2.64/32
>
> As far as standard access-lists go, you could think of the above two
> answers as the least incorrect answers. The following two answers are
> even more incorrect:
>
> access-list 1 permit 172.16.30.0 0.0.0.255 will match
>
> 172.16.30.x/24
> 172.16.30.x/25
> 172.16.30.x/26
> 172.16.30.x/27
> 172.16.30.x/28
> 172.16.30.x/29
> 172.16.30.x/30
> 172.16.30.x/31
> 172.16.30.x/32
>
> where "x" is any number.
>
> access-list 1 permit 192.168.2.64 0.0.0.63 will match
>
> 192.168.2.y/26
> 192.168.2.y/27
> 192.168.2.y/28
> 192.168.2.y/29
> 192.168.2.y/30
> 192.168.2.y/31
> 192.168.2.y/32
>
> where 64 <= y <= 127
>
>
> If you want to be 100% accurate, use a prefix-list. In the case of BGP,
> you can also use an extended access-list. If you want to match the
> following networks:
>
> 172.16.30.0 / 24
> 192.168.2.64 / 26
>
> Your syntax should be either
>
> ip prefix-list X permit 172.16.30.0/24
> ip prefix-list X permit 192.168.2.64/26
>
> Or
>
> access-list 100 permit ip host 172.16.30.0 host 255.255.255.0
> access-list 100 permit ip host 192.168.2.64 host 255.255.255.192
>
>
> Access-lists should really only be used to filter traffic. Whenever
> you are dealing with actual routes, use a prefix-list. The
> prefix-list can be applied in 3 ways: as a distribute-list, matched in a
> route-map, or directly to a BGP neighbor.
>
>
> HTH
>
> Brian McGahan, CCIE #8593
> Director of Design and Implementation
> brian@cyscoexpert.com
>
> CyscoExpert Corporation
> Internetwork Consulting & Training
> Toll Free: 866-CyscoXP
> Outside US: 847.674.3392
> Fax: 847.674.2625
>
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Daniel Cisco Group Study
> > Sent: Sunday, June 22, 2003 7:38 PM
> > To: ccielab@groupstudy.com
> > Subject: Simple ACL question
> >
> > Simple question:
> >
> > I need to create an ACL to filter / redistribute / (whatever) the two
> > routes:
> >
> > 172.16.30.0 / 24
> > 192.168.2.64 / 26
> >
> > I've always used the "lazy", or what I call the efficient method:
> >
> > access-list 1 permit 172.16.30.0
> > access-list 1 permit 192.168.2.64
> >
> > It has always worked for me no problem.
> >
> >
> > However, every "authority" always specifies the masks:
> >
> > access-list 1 permit 172.16.30.0 0.0.0.255
> > access-list 1 permit 192.168.2.64 0.0.0.63
> >
> > In my mind, these masks are simply killing electrons, and taking up my
> > time.... I know how to use them, but why bother?
> >
> >
> > The big questions:
> >
> > (1) Am I wrong in saying that these masks are unnecessary?
> >
> > (2) In the lab, do we play it safe, and specify the "useless" masks?
> >
> > (3) Has anyone (knowingly) got away with the first method in the lab?
> > (without breaking NDA)
> >
> >
> > I don't mind having to specify the masks, but I'd love to know WHY I
> > should (apart from losing marks if I don't)........
> >
> > Daniel
> >
>
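An added example, not code from the thread: a small Python model of the three matching behaviours Brian describes when a filter is applied to routes (standard ACL tests only the network address and ignores the mask, extended ACL "host net host mask" tests both, prefix-list tests the exact prefix), plus the odd-third-octet case Mike mentions, written as one extended ACL line. The function names and the sample route list are assumptions made for this example.

```python
import ipaddress

def _to_int(addr):
    return int(ipaddress.IPv4Address(str(addr)))

def _wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)

def standard_acl_matches(route, acl_addr, wildcard="0.0.0.0"):
    """'access-list 1 permit <addr> [<wildcard>]' applied to a route:
    only the route's network address is tested; the mask length is ignored."""
    net = ipaddress.ip_network(route, strict=False)
    return _wildcard_match(net.network_address, acl_addr, wildcard)

def extended_acl_matches(route, src, src_wc, dst, dst_wc):
    """'access-list 100 permit ip <src> <src_wc> <dst> <dst_wc>' used to filter
    routes (the BGP case in the thread): the source field is tested against
    the network address and the destination field against the subnet mask."""
    net = ipaddress.ip_network(route, strict=False)
    return (_wildcard_match(net.network_address, src, src_wc)
            and _wildcard_match(net.netmask, dst, dst_wc))

def prefix_list_matches(route, entry):
    """'ip prefix-list X permit <entry>' without ge/le: exact prefix and length."""
    return ipaddress.ip_network(route, strict=False) == ipaddress.ip_network(entry)

# Constructed sample routes (hypothetical): the thread's two prefixes, a
# longer-mask variant of each, and two /24s for the odd-third-octet case.
SAMPLE_ROUTES = ["172.16.30.0/24", "172.16.30.0/25", "172.16.30.128/25",
                 "192.168.2.64/26", "192.168.2.64/27", "172.16.3.0/24", "172.16.4.0/24"]

def compare(routes=SAMPLE_ROUTES):
    """Per route, which of three filters written for 172.16.30.0/24 permit it."""
    return {r: {
        "standard": standard_acl_matches(r, "172.16.30.0"),
        "extended": extended_acl_matches(r, "172.16.30.0", "0.0.0.0", "255.255.255.0", "0.0.0.0"),
        "prefix":   prefix_list_matches(r, "172.16.30.0/24"),
    } for r in routes}

def odd_third_octet_slash24(route):
    """Mike's case in one extended ACL line:
    'permit ip 172.16.1.0 0.0.254.0 host 255.255.255.0'. Wildcard 0.0.254.0
    leaves only bit 0 of the third octet significant; a 1 there means odd."""
    return extended_acl_matches(route, "172.16.1.0", "0.0.254.0", "255.255.255.0", "0.0.0.0")

if __name__ == "__main__":
    for r, res in compare().items():
        print(r, res)
```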



This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:11:06 GMT-3